From Ellen Nakashima, Washington Post:  President Obama has signed a secret directive that effectively enables the military to act more aggressively to thwart cyberattacks on the nation’s web of government and private computer networks.

Presidential Policy Directive 20 establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace, according to several U.S. officials who have seen the classified document and are not authorized to speak on the record. The president signed it in mid-October.

The new directive is the most extensive White House effort to date to wrestle with what constitutes an “offensive” and a “defensive” action in the rapidly evolving world of cyberwar and cyberterrorism, where an attack can be launched in milliseconds by unknown assailants utilizing a circuitous route. For the first time, the directive explicitly makes a distinction between network defense and cyber operations to guide officials charged with making often rapid decisions when confronted with threats.

The policy also lays out a process to vet any operations outside government and defense networks and ensure that U.S. citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed.

“What it does, really for the first time, is it explicitly talks about how we will use cyber operations,” a senior administration official said. “Network defense is what you’re doing inside your own networks. . . . Cyber operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”

The new policy, which updates a 2004 presidential directive, is part of a wider push by the Obama administration to confront the growing cyberthreat, which officials warn may overtake terrorism as the most significant threat to the country. . . .

The Pentagon now is expected to finalize new rules of engagement that would guide commanders when and how the military can go outside government networks to prevent a cyberattack that could cause significant destruction or casualties.

The presidential directive attempts to settle years of debate among government agencies about who is authorized to take what sorts of actions in cyberspace and with what level of permission.

An example of a defensive cyber operation that once would have been considered an offensive act, for instance, might include stopping a computer attack by severing the link between an overseas server and a targeted domestic computer.

“That was seen as something that was aggressive,” said one defense official, “particularly by some at the State Department” who often are wary of actions that might infringe on other countries’ sovereignty and undermine U.S. advocacy of Internet freedom. Intelligence agencies are wary of operations that may inhibit intelligence collection. The Pentagon, meanwhile, has defined cyberspace as another military domain — joining air, land, sea and space — and wants flexibility to operate in that realm.

But cyber operations, the officials stressed, are not an isolated tool. Rather, they are an integral part of the coordinated national security effort that includes diplomatic, economic and traditional military measures.

Offensive cyber actions, outside of war zones, would still require a higher level of scrutiny from relevant agencies and generally White House permission.  (photo: White House)

Image: cbs%2011%2014%2012%20obama_debt_bill_signing.jpg