It's been known for a while that the Obama administration has been at work on a cybersecurity directive. The executive order would be used to circumvent a Congress that failed numerous times in 2012 to pass a comprehensive cybersecurity law. The only thing we didn't know is what that directive would entail, but a recent report serves to detail at least part of the United States' "cyber arsenal."
In a report Monday morning, The New York Times spoke to senior officials involved in the creation of the White House's cyber warfare directive. The officials reveal that the White House has been developing its cyber warfare rules for the past two years to address the growing threat that nations like China and Russia pose in regards to cyberattacks. These rules will govern how the U.S. military, which just recently expanded its cybersecurity force, can retaliate to cyberattacks and in what ways these new weapons can be used in traditional offensives.
In regards to retaliation, the U.S. military is reportedly being held back by strict rules that state it can not act unless provoked by a major threat. Of course, this could lead to pre-emptive attacks which has some critics concerned that the U.S. would launch a major cyberattack against an innocent party. The officials stated that they understand the concern, and the rules seek to define "what constitutes reasonable and proportionate force" when it comes to pre-emptive or retaliatory attacks.
As for traditional offensives, the use of cyberweapons will be strictly restrained. The officials claimed that the U.S. has the cyber equivalent of a nuclear warhead in its arsenal, but such an attack would be considered a last resort. It would also be deployed much like a nuclear attack, as it would require authorization directly from the president.
Smaller cyberattacks, however, can be used by the military without the authorization of the President. An example would be the military using cyberweapons to disable automated defenses from afar to clear the way for a traditional strike.
Of coures, all of this only applies to the military. What about domestic infrastructure that's targeted by cyberattacks from foreign nations? That responsibility will fall to the Department of Homeland Security. That's what proposed laws like CISPA and CSA would have, and could have, addressed if the bills didn't contain wide spread privacy violations. The Obama administration is expected to issue an executive order for domestic cybersecurity in the near future as well that would free up communications between private and public entities to address cyberattacks.[h/t: techdirt]