The guidelines approved by President Barack Obama required high-level discussions between many agencies before the military could conduct significant cyber operations. | Getty Images Trump scraps Obama rules on cyberattacks, giving military freer hand

President Donald Trump has eliminated rules governing the process for launching cyberattacks, giving the military freer rein to deploy its advanced hacking tools without pushback from the State Department and the intelligence community, an administration official told POLITICO.

Trump’s decision, the latest example of his desire to push decision-making authority down the chain of command, could empower military officials to launch more frequent and more aggressive cyberattacks against adversaries like Russia and Iran.


The guidelines approved by President Barack Obama, known as Presidential Policy Directive 20, required high-level discussions between many agencies before the military could conduct significant cyber operations. In rescinding PPD-20, Trump put cyberattacks on the same level as kinetic operations, which do not require high-level approval or interagency discussions.

Now, U.S. Cyber Command can conduct attacks based on the administration’s strategic decisions without needing to get White House signoff on individual digital strikes.

“There’s a large degree of unhappiness in DoD and in Cyber Command with the interagency process and the structure set up by PPD-20 to approve offensive cyber operations,” said a former U.S. official, who, like others interviewed for this story, requested anonymity to discuss classified matters.

During the Obama administration, this person said, the State Department “was successful in blocking or slowing Cyber Command in doing things it wanted to do, even against targets you wouldn’t think anyone would have any objection to, like ISIS.”

Morning Cybersecurity A daily briefing on politics and cybersecurity — weekday mornings, in your inbox. Email Sign Up By signing up you agree to receive email newsletters or alerts from POLITICO. You can unsubscribe at any time. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Under Obama, according to a former FBI official, “there was not clear guidance from the administration” about using cyber capabilities “against major threats.”

The former U.S. official played down the significance of the move, which was first reported by The Wall Street Journal. “It’s not so much to let Cyber Command off the leash as to let [the head of] Cyber Command act like any other combatant commander.”

It remains unclear what new policy has replaced PPD-20, and the White House declined to comment.

A former DoD cyber official said that agencies like State and Commerce, with their understandings of diplomatic and economic consequences, still needed to be involved in major decisions.

“There still need to be checks and balances, given that the internet is a broader ecosystem of which the military is only one actor,” this person said.

Another former DoD official agreed, saying the U.S. needed to be “very careful not to get too far over our skis until our cybersecurity posture as a nation is stronger, because it isn’t the military or government that will bear any response. It will be our soft civilian underbelly.”

The intelligence community has also balked at some military operations, especially ones that risk exposing the eavesdropping software that U.S. spies spend years developing and planting in enemy networks.

The bureaucratic wrangling that resulted from PPD-20 had serious, practical consequences, said the former U.S. official. Last year, Cyber Command and its British counterpart developed a plan to conduct cyber operations, but debates between U.S. agencies delayed the mission.

“The British eventually got bored and went ahead and left without us because our interagency process was so turgid,” said the former official, who declined to specify the target or provide more details. “They started their activities three months before the U.S. was able to come to an agreement — on something that had been a U.S. proposal.”

The Trump White House appears determined not to repeat that scenario. Trump’s decision to give the military a freer hand “is consistent with the administration’s decentralized approach to other military and security actions,” said an official who worked on cyber policy in the George W. Bush administration, “and PPD-20 was seen as a typical Obama-era exercise in group stasis.”

Still, the decision is a significant blow to the State Department, which will now have less sway over whether the military conducts specific digital attacks that could complicate diplomatic negotiations or other international priorities.

State officials “don’t think there was any need for change,” said the former U.S. official. “DoD wants to have less need to consult on every operation. State says, no, they have to, this is so important.”

The White House has been mulling the change for months. While national security adviser John Bolton is typically seen as a hawkish influence inside the administration, discussions about scrapping PPD-20 began before he took over from Lt. Gen. H.R. McMaster.

Homeland security adviser Tom Bossert, whom Bolton pushed out when he arrived, “started a thoughtful, principles-level review” of PPD-20 and the trade-offs of keeping or rescinding it, according to a second former U.S. official.

Eliminating PPD-20 does not erase the constellation of legal challenges to cyber operations that have consumed meetings between Pentagon planners and State Department lawyers.

“That policy piece of paper became a scapegoat for bigger issues,” said the former FBI official. “Whether people liked it or not, the PPD-20 process highlighted some very real legal issues regarding the extent of Cyber [Command’s] authority to take certain actions in cyberspace.”

The latest defense policy bill attempted to address some of those issues, declaring that cyberattacks are “traditional military activities” and do not require the president to sign a “covert action” finding before they can proceed. The former FBI official said there was “an effort underway to remove real and perceived legal and policy hurdles to facilitate Cyber [Command’s] actions.”

R. David Edelman, who served as a director for international cyber policy on the National Security Council during the Obama administration, said that whatever replaced PPD-20, it needed to incorporate non-military considerations.

“In military affairs, blaming the lawyers, or the process, is often easier than having good ideas,” he told POLITICO. “While it's fair to say that U.S. cyber policy was cautious and lawyerly to a fault in the early days, unless we get better at predicting the consequences of cyberattacks, the alternative is recklessly lashing out and crossing our fingers.”

Edelman, now the director of MIT’s Project on Technology, Economy and National Security, noted that after the elimination of both PPD-20 and the White House cyber coordinator role, the need for a broad vision was greater than ever.

“What we need now is to know that a new plan is in place,” he said, “and to understand how it will keep impulsiveness from becoming the norm in our cyber policy, too.”