By Dustin Volz
The Trump administration’s move to loosen rules of engagement for U.S. cyberattacks has prompted questions about how the military will carry out offensive digital strikes, and whether hostilities with foreign adversaries will rapidly escalate.
Cybersecurity experts and former officials said it was impossible to determine whether President Trump’s move was a step in the right direction or a mistake because the details of such policies are classified.
“The devil is in the details,” said Tom Bossert, who as Mr. Trump’s homeland security adviser counseled him on cybersecurity, until he was forced out of his job in April by John Bolton, Mr. Trump’s national security adviser.
Mr. Trump on Wednesday reversed an Obama-era set of classified rules dictating an elaborate interagency process that must be followed before cyberweapons can be deployed.
The change was described to The Wall Street Journal as an “offensive step forward” by an administration official briefed on the decision. But few specific details have been divulged about what process Mr. Trump is adopting in place of the previous rules, known as Presidential Policy Directive 20.
Former President Barack Obama’s rules, adopted in 2012, also were classified but leaked in 2013 by former intelligence contractor Edward Snowden.
Mr. Obama’s rules prompted debate, with many former officials from different federal agencies saying the process often produced lengthy interagency discussions about the legal, policy, and diplomatic implications of even modest cyber operations. Other former officials said that cyberweapons were rarely deployed not because of bureaucratic red tape because they were in many cases not ready for real-world deployment.
Mr. Bossert said in an interview that he began reviewing the Obama directive and considering ways it could be changed before he left the Trump administration. But he declined to speculate on what was in new rules adopted by the administration. “The content is classified. I have no insight into the details of that content,” he said.
Some officials offered tentative optimism about steps to unshackle the process for using cyberweapons, a frequent topic in Congress for lawmakers of both parties who have faulted the past three administrations for failing to develop a coherent cybersecurity strategy. Lawmakers have sought to expand their oversight of cybersecurity matters in recent legislation.
“One thing is clear—what we have been doing so far hasn’t worked, and our adversaries believe that they can attack us without any consequences,” said Sen. Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee and a frequent critic of Mr. Trump’s cybersecurity posture toward Russia, in a statement.
“As a country, we need to have a broader conversation about a cyber doctrine to strengthen our networks and lay out clearly what steps we are willing to take to deter countries from launching cyberattacks—and how we will make them pay for it if they do,” Mr. Warner added.
The rescission of the Obama administration’s framework for launching cyberattacks comes amid concerns that the Trump White House had devalued cybersecurity as an important national security priority.
In May, the White House eliminated the post of cybersecurity coordinator, a move that drew widespread criticism from cybersecurity experts and former government officials. Several Democratic lawmakers, as well as Republican Sen. Susan Collins, wrote letters protesting the decision.
The departure of Mr. Bossert and Rob Joyce, who received high marks as Mr. Trump’s cybersecurity coordinator before returning to the National Security Agency, fueled a perception that there is a dearth of sophisticated cybersecurity knowledge in the White House.
Some former officials said that they agreed with the spirit of Mr. Trump’s action but questioned whether it will be correctly implemented.
“I would have approved this, if I were there, but I would have put a significant amount of restraints on it,” said Jason Healey, a former White House cybersecurity official who in May wrote a set of recommendations for how Mr. Trump could modify Presidential Policy Directive 20.
Mr. Healey’s proposals, published in the online cyber news outlet the Cipher Brief, included installing metrics for measuring the success of the U.S. military’s Cyber Command at deterring adversaries and a sunset clause that forces the White House to revisit the rules and change them as needed.
Mr. Healey, a scholar at Columbia, also said the National Security Council should work in coordination with the U.S. Cyber Command as needed to speed up or slow down cyber operations to send diplomatic signals to foreign heads of state.