Ex-DHS official on PPD-20 repeal: Consider potential blowback to private sector

The U.S. government’s new and reportedly more muscular approach to conducting offensive cyber-operations must carefully consider the potential blowback of such actions to the private sector, a former senior Department of Homeland Security official has warned.

“DHS needs to be part of the discussion around the cost-benefit analysis to bring the private sector point of view because we know the private sector often bears the brunt of the retaliation that comes in the wake of more aggressive activity,” Suzanne Spaulding said Wednesday at the Atlantic Council.

Asked what public indication there would that those concerns are being addressed, Spaulding, who served as a DHS undersecretary under President Barack Obama, said the answer lies in the private sector. Private companies will have a sense of “whether their equities were adequately considered” before a U.S. government decision to conduct offensive operations, Spaulding said during a panel discussion. “And my guess is they’ll let us know.”

For years, foreign hackers have targeted U.S. companies in multiple sectors, and a surge in U.S. government hacking against foreign adversaries could invite retaliation against any number of multibillion-dollar American firms.

President Donald Trump in August revoked the Obama-era doctrine governing U.S. hacking operations – known as Presidential Policy Directive 20 – clearing the way for a more offensive approach. PPD-20 had set forth an elaborate interagency legal and policy process for approving U.S. cyberattacks. Critics of the directive said it unnecessarily delayed offensive operations, while advocates said it was an important mechanism for accounting for all of the possible repercussions of a cyberattack.

Little information is available on the document that replaced PPD-20 because it is classified. However, White House national security adviser John Bolton has indicated the administration will take a more aggressive tack to hacking operations while retaining a thorough interagency approval process.

“We’re going to do a lot of things offensively and I think our adversaries need to know that,”  Bolton said in September. “Our hands are not tied as they were in the Obama administration,” he said of the revocation of PPD-20. The successor to PPD-20, he said, is “very different” and “we hope [that it] will provide the necessary coordination and direction, but still enable these operations to be conducted in a timely fashion.”

Michael Daly, CTO of cybersecurity and special missions at Raytheon, said that it wasn’t just U.S. government hacking that could trigger a retaliatory response from foreign hackers.

“The risk to the private sector is real, but that same risk existed regardless of the method of sanction…on another country,” Daly said during the panel discussion. “If it was a financial sanction, then [a foreign country] still might decide to hack back against a U.S. company or some other company.”