Category Archives: Cyber War

Equifax had Evidence of Chinese Espionage Before the Hack

Posted on by

Fascinating that there is always more to the story. Remember, this was/is confidential and personal data. Further, Alibaba is a Chinese international holding company that is a counterpart to Amazon and specializes in artificial intelligence based in Hangzhou, China.

The General Accounting Office issued a report on Equifax. The GAO analysis detailed the steps Atlanta-based Equifax has taken since the breach to prevent similar attacks in the future. Last year, hackers had found a vulnerability in Equifax servers that gave them access to customer login credentials.

The report said the hackers hid in Equifax’s system for more than two months and mined data for credit card numbers, drivers licenses and social security numbers. The breach led the agency to make $200 million in security upgrades.

WSJ: Two years before Equifax Inc. stunned the world with the announcement it had been hacked, the credit-reporting company believed it was the victim of another theft, only this time at the hands of Chinese spies, according to people familiar with the matter.

In the previously undisclosed incident, security officials feared that former employees had removed thousands of pages of proprietary information before leaving and heading to jobs in China. Materials included code for planned new products, human-resources files and manuals.

Equifax went to the Federal Bureau of Investigation and the Central Intelligence Agency. Investigators from the company and the FBI came to view events at Equifax as potentially a huge theft of data—not of consumers’ personal data, as happened with the subsequent 2017 hacking of Equifax’s files, but of confidential business information.

Equifax security officials briefed the then-chief executive, Richard Smith, at a fall 2015 meeting, spreading high stacks of paper across the length of the boardroom table. The voluminous printouts represented what they feared was stolen. Adding to suspicions, the Chinese government had recently asked eight companies to help it build a national credit-reporting system.

At one point, Equifax grew so worried it began building a way to monitor the computer activity of all of its ethnic-Chinese employees, according to people familiar with the investigation. The resource-heavy project, which raised legal concerns internally, was short-lived.

Some investigators believed Equifax’s intense focus on the matter contributed to a delay in the company’s understanding the extent of the 2017 hack of consumers’ information, an event that hammered Equifax’s stock, cost some executives their jobs, including Mr. Smith, and damaged the company’s reputation.

Ultimately, the previously undisclosed investigation undertaken by the FBI stalled. The FBI wanted to pursue a criminal case, believing the theft of trade secrets costs the U.S. hundreds of billions of dollars a year, with China the leading offender, said people familiar with the investigation. Equifax began to worry about legal exposure and how onerous the inquiry could become, according to these people, and eventually reduced its cooperation with law enforcement.

That left many of the questions raised by the investigation, both about Equifax and about China, unresolved.

This account of the events at Equifax is based on people familiar with the investigation.

Equifax, in a written statement, said it became aware in 2015 of “efforts by a former employee to obtain company information, and launched an internal investigation into his activities.” The company “brought the investigation to the attention of U.S. law enforcement authorities and cooperated with the federal agencies,” Equifax said.

“Although this individual had improperly obtained proprietary Equifax information,” the statement said, “the information we determined was accessed was general in nature and not material or harmful to Equifax, consumers or our business clients.” Equifax said the company has “no evidence to suggest that consumer data or other personal information was compromised, or that this individual targeted this type of information.”

Equifax didn’t address in its statement whether it thought other employees were involved. A person familiar with the company’s thinking disputed the notion that Equifax reduced its cooperation with law enforcement in a probe it had itself triggered.

Representatives of the FBI and CIA declined to comment. The Chinese Embassy in Washington didn’t respond to requests for comment.

One of the former employees Equifax and the FBI investigated in connection with a possible business-information theft was Daniel Zou, who worked in Toronto. The company he joined in China was Ant Financial, a fast-growing financial-technology affiliate of Alibaba Group Holding Ltd. , founded by billionaire Jack Ma.

Both Ant and Mr. Zou denied any involvement in taking proprietary Equifax data. Alibaba referred questions to Ant.

Ant, based in Hangzhou, China, said it “has never used Equifax code, scripts or algorithms in the development of its own products and services.”

Mr. Zou, in a sworn statement provided by his lawyer, said, “I deny that I worked with or consulted with a network of Equifax colleagues to steal Equifax code for Ant Financial or that I provided any such code to Ant Financial.”

Interviewed by The Wall Street Journal in Washington, Mr. Zou, a 35-year-old Chinese-born Canadian citizen who graduated from the University of Toronto, repeated his denial and said that learning from the Journal of Equifax’s suspicions had been “a nightmare.”

Those suspicions arose in 2015, a few months after Mr. Zou left his job as an Equifax product manager to join Ant’s new credit-scoring business, which is known as Sesame Credit in English. Ant was among the companies asked by China’s central bank to develop credit-scoring services. Sesame launched its service in January 2015, several months before Mr. Zou came aboard.

Equifax’s data-loss prevention system, which guards against sensitive information leaving the corporate network, flagged the activities of Mr. Zou, according to people familiar with the investigation. The system alerted that an employee might have taken data off the network, and initially registered it as benign, they said.

Mr. Zou said in his interview with the Journal that, according to his understanding of how the system works, it would warn the person removing the data on the spot. He said he never received such a warning. Equifax declined to say whether that is how the system works or whether Mr. Zou received a warning.

At the same time, Equifax officials also had suspicions about a different employee, in another city. Equifax’s security chief, Susan Mauldin, approached the FBI with a question: What would it look like if we were being targeted by China?

FBI officials told her that in one common technique, a group makes plans to visit a company’s office to pitch a partnership, then at the last minute replaces delegation members with spies.

Around this time, a delegation from a Chinese business visited Equifax and swapped out some members at the last minute, fueling Equifax’s suspicions it was a target.

Company security officials decided to examine Mr. Zou’s computer activity. They discovered he had printed out thousands of pages of company information. The material related to the way credit scores are obtained, what different pieces of data mean and how to apply algorithms to assess troves of data, according to the people familiar with the investigation. They said some was information that could help explain products Equifax was working on.

At around the same time they were examining Mr. Zou’s systems, investigators discovered what they believed to be a major infiltration campaign. They found that other employees had sent code to their personal email accounts and uploaded it to software-development platforms others could access.

According to the people familiar with the probe, the investigators, by talking to Equifax employees and examining email accounts and LinkedIn messages sent to them, saw indications that recruiters purporting to represent Ant affiliate Alibaba had offered to triple salaries for certain ethnically Chinese Equifax employees—and provided instructions on specific Equifax information they should bring along if they jumped ship.

The investigators saw, as well, that Mr. Zou had searched the Equifax human-resources system to look up data analytics teams in the U.S. He had printed out contact information for many ethnic-Chinese employees, according to people familiar with the probe. They said some of those employees told colleagues they were later contacted by recruiters who claimed to be working on behalf of Alibaba.

The investigators found notes on Chinese messaging service WeChat in which another group of Equifax employees in North America, using their company-issued phones, arranged off-hours meetings to discuss work projects and left the company soon after, saying they were going to Ant or Sesame for big raises.

Ant said Mr. Zou is the only former Equifax employee it has hired since it began collecting employment history information in 2011. Ant said Mr. Zou began at its credit-scoring business in May 2015. It listed a five-figure starting salary for Mr. Zou and said he wasn’t promised any large bonuses.

Ant said it didn’t “directly or indirectly through third-party recruiters” encourage job applicants to steal Equifax information. Ant prohibits employees and recruiters from requesting such activity, the company said, adding that third-party recruiters aren’t authorized to make job offers on its behalf.

Ant said it hadn’t been contacted by Equifax or any government investigators about such matters. After receiving an inquiry from the Journal about Mr. Zou, Ant said, it investigated his information-technology activities and found no evidence he had ever provided Ant with any Equifax code, scripts or algorithms.

Mr. Zou said he worked in marketing and didn’t have access to Equifax code, algorithms and other proprietary information; never took any to Ant; wasn’t asked to; and never encouraged others to.

“I deny that I searched an internal Equifax human resources database to recruit Equifax employees to join Ant Financial,” Mr. Zou said in the sworn declaration provided by a lawyer. “I further deny that I printed contact information for ethnic-Chinese Equifax employees as part of an effort to recruit such employees to join Ant Financial.”

In the Journal interview, Mr. Zou said, “I think [where] this might come from is that during my time at Equifax I had a habit of sending work-related documents to my own email so that I could work at home. If any of those contain [any] of what they call the alleged proprietary information, right after I left Equifax and before I went back to China, I deleted them all. And I did not share that with anybody.”

If investigators were alarmed by his email practices, Mr. Zou said, “I think that’s a huge misunderstanding.”

Mr. Zou also said he printed out employee contact information for projects that required him to work with global colleagues. “Equifax Canada did not want to reinvent the wheel from beginning,” he said, “so my job was to piggyback the success case” from the company’s U.S., U.K. and Latin American regions.

He said he disposed of all the documents before moving to China and joining Ant, and he denied targeting any ethnicity. “If you search a data analytics team, the likelihood is high that you will reach a Chinese employee,” he said.

Mr. Zou said he had never been contacted by Equifax or any government authorities about data theft, and learning he was suspected caused him “emotional turmoil.”

Although Equifax had gone to the FBI—and although the bureau was eager to pursue the matter—Equifax officials by the middle of 2016 had grown wary of providing more information to federal investigators.

Equifax worried that doing so could trigger requirements under securities law for disclosure of material information, said the people familiar with the investigation. They said Equifax also was concerned that handing over access to its entire network, including international operations, as the FBI had requested, could run afoul of obligations in some countries where Equifax operates.

Around the middle of 2016, Equifax told its internal investigators to comply with any potential subpoenas but to stop proactively providing information to law enforcement, said the people familiar with the investigation.

The person familiar with Equifax who disputed the notion the company directed employees to be uncooperative said: “As the investigation progressed, we did ask that requests for information be passed through our legal office to ensure we were adhering to standard legal protocols.”

Equifax continued to monitor certain employees through 2016 and 2017. It eventually confronted several ethnically Chinese employees over activities found in its investigation, who left before the company took further action, according to people familiar with the probe.

FBI officials in Atlanta got the impression from Equifax’s then-CEO, Mr. Smith, and legal staff that the company didn’t believe it generally had information valuable enough to be the target of a major Chinese campaign.

Mr. Smith told colleagues even if thieves had taken code, they didn’t have Equifax’s consumer data, which meant the theft wouldn’t pose a competitive threat. Moreover, Equifax didn’t see a material impact on current operations because the information that appeared to have been stolen related to products in development, not to existing ones.

The U.S. attorney’s office in Atlanta ultimately determined it didn’t have evidence the suspected thefts were directed by the Chinese government, a top priority for law enforcement. The prosecutors decided they wouldn’t pursue a case against any individual, since Equifax wasn’t eager to do so, and since what former employees were suspected of taking was corporate information, rather than anything directly affecting U.S. consumers.

The U.S. attorney’s office declined to comment.

Then, in September 2017, came blockbuster news from Equifax: the disclosure that a hacking of its files had exposed highly sensitive personal data on more than 140 million Americans.

Equifax had learned six months earlier, in March 2017, of a software vulnerability, but waited months to fully check its encrypted traffic to see whether it had been breached. Only in July 2017 did Equifax realize the hack had exposed personal information, including Social Security numbers and dates of birth, of nearly half the U.S. population.

This delay was partially due to Equifax’s failure to resolve a dispute between its technology and information-security staffs at a time when top security people were focused on possible infiltration from China, in the opinion of some of the people familiar with the investigation.

The person familiar with Equifax’s thinking said the hack involved both human error and technological failure, and Equifax has been forthcoming about the causes.

In the weeks following the disclosure of that giant 2017 breach, Mr. Smith resigned, as did Ms. Mauldin and Equifax’s chief information officer, David Webb. All either couldn’t be reached or didn’t respond to requests for comment.

In January 2018, Chinese officials rolled out a state-backed credit-scoring company and gave Ant Financial an 8% stake.

Mr. Zou has returned to Canada. Ant transferred him from Sesame Credit to its Alipay international business unit in Hangzhou in mid-2017. On June 1 of this year, he moved to Alipay Canada in Vancouver.

N Korean, Park Jin hyok Charged with Global Cyber Attacks

Posted on by

U.S. CHARGES NORTH KOREAN HACKER

Federal prosecutors charged a North Korean man, Park Jin-hyok, with crimes in connection with a series of costly cyberattacks around the globe, including the WannaCry ransomware attack in 2018, the heist of Bangladesh’s central bank in 2017, and the hack of Sony Pictures in 2014. It is the first time the Justice Department has explicitly charged a North Korean hacker backed by the government. Park was allegedly working as a programmer for a North Korean front company in China called Chosun Expo, which had ties to North Korea’s military intelligence.

Legal analysts say the complaint is the most detailed public accounting yet of North Korea’s cyberattacks against foreign adversaries. The Justice Department has now brought hacking-related charges against North Korea, China, Iran, and Russia. (WSJ, NYT, Reuters, DOJ)

Park Jin Hyok, named by officials as a member of the so-called Lazarus Group hacking team behind last year’s WannaCry global ransomware attack and the 2014 digital attack on Sony, apparently used not only advanced technology, but elaborate reconnaissance work to digitally steal money and sensitive information.

First, Park would obtain a number of email addresses of people affiliated with target businesses from traders dealing in large amounts of personal information. Then he would use the emails to gain an understanding of company employees’ fields of interest and personal relationships.

That would let him craft emails that could pass as genuine messages from major companies in content and style, a tactic known as spear phishing. After spending some time building trust, he would send the malicious links to websites that would infect a target’s computer.

In one case, Park apparently masqueraded as a human resources official at a U.S. defense-linked company to exchange messages with workers at one of the company’s competitors.

Last week’s charges were said to be the first in years against a North Korean hacker related to high-profile attacks linked to the state. The attack on Sony came as the company was preparing to release a movie called “The Interview,” which depicted the assassination of a character resembling North Korean leader Kim Jong Un. The group also allegedly stole $81 million from the central bank of Bangladesh in 2016.

A North Korean suspect is wanted by U.S. authorities on suspicion of hacking. (Courtesy of the U.S. Federal Bureau of Investigation)

“We stand with our partners to name the North Korean government as the force behind this destructive global cyber campaign,” Christopher Wray, director of the Federal Bureau of Investigation, said in a statement on Sept. 6.

The U.S. Treasury also imposed sanctions on Park and a Chinese business he was affiliated with. “We will not allow North Korea to undermine global cybersecurity to advance its interests and generate illicit revenues in violation of our sanctions,” Treasury Secretary Steven Mnuchin said in his own statement.

Under Kim, the North has consolidated its cyber forces under its Reconnaissance General Bureau, which handles overseas spying. The state has a team of 6,800, according to the South Korean government, and is counted as one of the five cyber powers along with the U.S., Russia, China and Israel.

The core of cyber operations is a team known as “Bureau 121,” established in 1998 by Kim’s father, then-leader Kim Jong Il. Bureau 121 is known for its willingness to commit crimes for the sake of bringing in cash.

“The technology behind North Korea’s cybercrimes is some of the most advanced in the world,” said a source with the U.S. State Department.

Governments and businesses around the world are hurrying to guard themselves from the North’s attacks even as its methods grow more sophisticated. Further cooperation between countries’ cyberdefense authorities may be key to finding effective solutions.

British Airways: The airline said a “very sophisticated” hacker stole credit card details of hundreds of thousands of its customers in recent days. Anyone who lost out financially as a result of the breach would be compensated, BA officials said. (Reuters)

JPMorgan Hacker: A Russian man, Andrei Tyurin, has been extradited by Georgia to the United States on charges that he participated in the 2014 hack of JPMorgan Chase and other U.S. companies. (Reuters)

Iran Using Same ‘Active Measure’ Tactics Against the U.S.

Posted on by

When traveling internet sites, social media accounts and various news aggregator services, one needs to be even more suspect of what information is out there. Russia has been applying propaganda ‘active measure’ tactics for decades and due to the global internet system, the volume has gone beyond measure.

With all things Russia going on in Washington DC and in media, the success of active measures has been noticed by both China and Iran. Both have launched robust propaganda operations forcing the West and citizens to question authenticity of sites, articles and posts of all forms.

Watch out for those hashtags….influencing voters and fake/false news goes back to at least 2016. The operations are so effective that even big media has been duped and corrections are printed or made often when recognized. Some items are never corrected.

Iran’s Anti-US Propaganda Reflects regime’s instability photo

(Reuters) – Alphabet Inc’s (GOOGL.O) Google said on Thursday it had identified and terminated 39 YouTube channels linked to state-run Islamic Republic of Iran Broadcasting.

Google has also removed 39 YouTube channels and six blogs on Blogger and 13 Google+ accounts.

“Our investigations on these topics are ongoing and we will continue to share our findings with law enforcement and other relevant government entities in the U.S. and elsewhere,” Google said in a blog post here 

On Tuesday, Facebook Inc (FB.O), Twitter Inc (TWTR.N) and Alphabet Inc (GOOGL.O) collectively removed hundreds of accounts tied to an alleged Iranian propaganda operation.

Google, which had engaged cyber-security firm FireEye Inc (FEYE.O) to provide the company with intelligence, said it has detected and blocked attempts by “state-sponsored actors” in recent months.

FireEye said here it has suspected “influence operation” that appears to originate from Iran, aimed at audiences in the United States, the U.K., Latin America, and the Middle East.

Shares of FireEye rose as much as 10 percent to $16.38 after Google identified the company as a consultant.

***

The Daily Beast went for a deeper dive on the tactics by Iran and explained a few cases.

An Iranian propaganda campaign created fake Bernie Sanders supporters online, Facebook disclosed Tuesday.

In a press release, the social-media giant said it had removed 652 pages associated with political-influence campaigns traced to Iran, including coordinated inauthentic behavior that originated in Iran and targeted people across multiple internet services in the Middle East, Latin America, U.K., and U.S.”

The cybersecurity company FireEye, which first alerted Facebook to the influence campaign months ago, wrote in a separate posting on its site that it had traced the campaign—including posts from supposed “American liberals supportive of U.S. Senator Bernie Sanders”—to Iran through email addresses and phone numbers associated with the “inauthentic” accounts.

The investigation began with FireEye’s discovery of a fake U.S. news outlet called Liberty Front Press, which Facebook says was created in 2013. The actors behind that site over time branched out into different personas intended to appeal to different audiences including “anti-Saudi, anti-Israeli, and pro-Palestinian themes.” Examples included accounts like The British Left, which published content in support of U.K. Labour party leader Jeremy Corbyn, and the pro-Palestinian Patriotic Palestinian Front. FireEye also says it “identified multiple Arabic-language, Middle East-focused sites” as part of the effort.

Unlike the Russian cyberinfluence campaign in 2016, FireEye didn’t find a complementary hacking campaign attached to the propaganda activity. Iran has spent big on developing its offensive online capabilities, but FireEye said it found no links to APT35—a hacking group that has targeted U.S. defense companies and Saudi energy firms. Instead, the security firm found links between the campaign and Iran’s state-run TV propaganda channel, PressTV.

The Iranian actors behind the campaign expanded beyond Facebook and Instagram and onto Twitter, according to FireEye. In a separate statement late Tuesday, Twitter announced it had suspended 284 accounts for what it said was “coordinated manipulation” and that “it appears many of these accounts originated from Iran.”

The Daily Beast recovered tweets from what appears to be an account associated with the campaign. @libertyfrontpr has since been deleted, but Google cache results show it linked back to the LibertyFrontPress.com website FireEye attributed to be part of the propaganda effort. The account was active as of at least Tuesday and is not listed as suspended on the platform.

The account used hashtags like “#Resist” and #NotMyPresident when tweeting out anti-Trump sentiments. It also weighed in against the Supreme Court nomination of Judge Brett Kavanaugh. “The #Senate has a responsibility to reject any nominee who would fail to be a fair-minded constitutionalist. That is #BrettKavanaugh. We must #StopKavanaugh.”

In a rare move for Holocaust-denying Iranian propaganda, @libertypr slammed the Republican Party for allowing anti-Semite and Holocaust denier John Fitzgerald to run for a seat in the California legislature.

In addition to the U.S. themes, Liberty’s Twitter account also targeted opponents of the Iranian government, including the Mujahedeen Khalq exile group, or MEK, which advocates the overthrow of Iran’s clerical government, with hashtags like “#BanTerrorOrg.”

The takedown marks the second time since the 2016 election that Facebook has appeared to act without U.S. government pressure to stop an alleged political-influence campaign. In late July, Facebook took down a handful of sock-puppet accounts purporting to be black, Hispanic, and #Resistance activists. Facebook didn’t attribute that campaign to a specific country or group, but it did note that some of the accounts had links to the infamous Russian Internet Research Agency troll farm.

Facebook said Tuesday that it had taken down the new batch of pages only after waiting “many months” after being alerted to the campaign by FireEye. The delay allowed the company to further investigate the campaign and improve its defenses against future efforts.

Securing the Elections, FBI Investigating Hacks

Posted on by

Securing the vote.

The states, which under the US system are responsible for conducting elections, remain concerned about the integrity of the ballot. Thirty-six  states have now deployed Albert sensors on their voting infrastructure to allow the Department of Homeland Security to observe state systems that manage either voter information or voting devices (Reuters).

The states also want the Feds to share more threat intelligence. Forty-four states and the District of Columbia took part in a Department of Homeland Security exercise this week  (US Department of Homeland Security). The states appear to have gained enough insight into the value of threat intelligence to decide that they want more of it (Reuters). Some advocate Federal standards for the conduct of elections, perhaps even mandatory standards (Atlantic Council). More here.

Meanwhile:

Then there is the matter the FBI is investigating in California.

The FBI launched investigations after two Southern California Democratic U.S. House candidates were targeted by computer hackers, though it’s unclear whether politics had anything to do with the attacks.

A law enforcement official told The Associated Press the FBI looked into hacks involving David Min in the 45th Congressional District and Hans Keirstead in the adjacent 48th District. Both districts are in Orange County and are seen as potential pickups as the Democratic Party seeks to win control of the Congress in November.

A person with knowledge of the Min investigation told the AP on Monday that two laptops used by senior staffers for the candidate were found infected with malware in March. It’s not clear what, if any, data was stolen, and there is no evidence the breach influenced the contest.

The CEO of a biomedical research company, Keirstead last summer was the victim of a broad “spear-phishing” attack, in which emails that appear to come from a friend or familiar source are designed to help hackers snatch sensitive or confidential information, the law enforcement official said. There is no evidence Keirstead lost valuable information.

The investigations so far have not turned up evidence the two candidates in Orange County were political targets.

The official and the knowledgeable person were not authorized to discuss the cases publicly and spoke only on condition of anonymity.

Keirstead was narrowly defeated in the June primary for the seat held by Republican Rep. Dana Rohrabacher. Min came in third in the contest to unseat Republican Rep. Mimi Walters.

Min’s staff was alerted to a potential cyberattack by a facility manager in the software incubator where his campaign rented space. It was later found the computers were infected with software that records and sends keystrokes, with additional software that concealed it from conventional anti-virus tools used by the campaign.

Hackers also used a broad spear-phishing attack in an attempt to gain access, and FBI investigators are still piecing together additional details, the official said.

The two laptops were replaced, and Min’s computer was not infected. The attack on the computers was first reported by Reuters.

Keirstead campaign officials detected repeated attempts to access the campaign’s website.

Rolling Stone magazine, which first reported that cyberattack, said hackers or bots tried different username-password combinations in a rapid-fire sequence over a two-and-a-half-month period to get inside the campaign’s WordPress-hosted website.

According to the campaign, there were also more than 130,000 so-called brute force attempts over a monthlong period to gain access to the campaign’s server through the cloud-server company that hosted the Keirstead campaign’s website, Rolling Stone said.

Computer security experts say that many attempts to gain access to a site hosted with the popular and free WordPress software is not unusual.

“Every WordPress hosted website sees 130,000 brute force attempts over a monthlong period, regardless whether it’s Bohemian basket weaving, a blog about furry costume construction, or a politician website,” said Robert Graham, a cybersecurity expert who created the BlackICE personal firewall.

“Hackers don’t know or care who you are: they only care that you use WordPress,” Graham said in a text message.

Min finished third behind fellow Democrat Katie Porter, who faces Walters in November. In the 48th District, Rohrabacher will face Democrat Harley Rouda, who snagged the second runoff spot by defeating Keirstead by 125 votes.

Trump Admin Seeking Global Cyber Dominance

Posted on by

Finally!

https://archive.org/services/img/2007NSAProceduresUsedToTargetNonUSPersons Archivo:Presidential-policy-directive 20.pdf - Wikipedia ...

President Trump signed an order that reverses the classified rules and cyber processes from the Obama administration, known as IVE PPD 20. It was signed in October 2012, and this directive supersedes National Security Presidential Directive NSPD-38. Integrating cyber tools with those of national security, the directive complements NSPD-54/Homeland Security Presidential Directive HSPD-23.

Per WikiPedia:

After the U.S. Senate failed to pass the Cybersecurity Act of 2012 that August,[12] Presidential Policy Directive 20 (PPD-20) was signed in secret. The Electronic Privacy Information Center (EPIC) filed a Freedom of Information Request to see it, but the NSA would not comply.[13] Some details were reported in November 2012.[14] The Washington Post wrote that PPD-20, “is the most extensive White House effort to date to wrestle with what constitutes an ‘offensive’ and a ‘defensive’ action in the rapidly evolving world of cyberwar and cyberterrorism.”[14] The following January,[15] the Obama administration released a ten-point factsheet.[16]

On June 7, 2013, PPD-20 became public.[15] Released by Edward Snowden and posted by The Guardian,[15] it is part of the 2013 Mass Surveillance Disclosures. While the U.S. factsheet claims PPD-20 acts within the law and is, “consistent with the values that we promote domestically and internationally as we have previously articulated in the International Strategy for Cyberspace”,[16] it doesn’t reveal cyber operations in the directive.[15]

Snowden’s disclosure called attention to passages noting cyberwarfare policy and its possible consequences.[15][17] The directive calls both defensive and offensive measures as Defensive Cyber Effects Operations (DCEO) and Offensive Cyber Effects Operations (OCEO), respectively.

President Trump has taken this action to aid not only the military, but it would work to deter foreign actors, impede election influence and apply new penalties for violations. There have been high worries by officials due to electric utilities and the brute cyber attacks.

***

Some lawmakers have raised questions in recent months about whether U.S. Cyber Command, the chief agency responsible for conducting offensive cyber missions, has been limited in its ability to respond to alleged Russian efforts to interfere in U.S. elections due to layers of bureaucratic hurdles.

The policy applies to the Defense Department as well as other federal agencies, the administration official said, while declining to specify which specific agencies would be affected. John Bolton, Mr. Trump’s national security adviser, began an effort to remove the Obama directive when he arrived at the White House in April, the official said.

As designed, the Obama policy required U.S. agencies to gain approval for offensive operations from an array of stakeholders across the federal government, in part to avoid interfering with existing operations such as digital espionage.

Critics for years have seen Presidential Policy Directive 20 as a particular source of inertia, arguing that it handicaps or prevents important operations by involving too many federal agencies in potential attack plans. But some current and former U.S. officials have expressed concern that removing or replacing the order could sow further uncertainty about what offensive cyber operations are allowed.

One former senior U.S. official who worked on cybersecurity issues said there were also concerns that Mr. Trump’s decision will grant the military new authority “which may allow them to have a domestic mission.”

The Obama directive, which replaced an earlier framework adopted during the George W. Bush administration, was “designed to ensure that all the appropriate equities got considered when you thought about doing an offensive cyber operation,” said Michael Daniel, who served as the White House cybersecurity coordinator during the Obama administration. “The idea that this is a simple problem is a naive one.”  More here from the WSJ.