by Lisa Vaas
What's the difference between US presidential power to fire drones or to launch a pre-emptive cyberattack?
According to the New York Times, relying on input from unnamed officials, a secret legal review of the US's growing pile of cyberweapons has concluded that President Obama has "broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad."
And just as the rules regarding drone strikes have been kept under wraps, so too will the rules about cyber strikes be "highly classified," according to the NYT.
The decision that the president is authorized to launch pre-emptive cyber attacks lays the groundwork for the administration's coming move to create the country's first rules regarding how the military can defend itself or retaliate against a major cyberattack.
Such rules will outline how US intelligence agencies can ransack far-flung computer networks as they try to sniff out coming attacks and how to inject perceived adversaries with destructive code, even in the absence of a declared war, a la the Stuxnet virus.
Stuxnet, in fact, was allegedly authorized by two US presidents.
As Naked Security previously recounted, the Stuxnet virus is largely believed to have been created and launched during the regime of President George W. Bush to target Iran's nuclear facility in Natanz, with the help of Israel.
Subsequently, in spite of the virus going maverick, spinning out of control and escaping to damage systems well beyond Iran, President Barack Obama secretly authorized continued attacks, according to the NYT.
Outside of closed-door, secret legal reviews such as this one, the administration is also gearing up in the next few weeks to publicly strengthen the country's cybersecurity defenses.
President Obama is expected to issue a cybersecurity executive order soon after his Feb. 12 State of the Union address.
The executive order, long in the making, will create a voluntary program wherein companies in critical infrastructure industries will adopt a minimum set of security standards crafted by the government.
Graham Cluley's warning to proceed cautiously when planning attacks on overseas computer systems, given how difficult it is to decisively pin down the origin of an Internet attack, stands as true for the US now as it did for the UK when it rattled its own cyber saber in 2011.
Not to downplay the importance of defending against destructive attacks on the US's critical infrastructure, but as Naked Security often notes, it's easy for adversaries to hide behind a wall of compromised computers when they launch attacks, obscuring the true origin.
Regarding attacks on nations against whom the US has not declared war, the US administration should bear in mind that acts of aggression invite acts of retaliation.
If we don't want Stuxnet or its kin unleashed upon the US, we should tread softly.