President Barack Obama has the power to order a pre-emptive cyber strike if the United States detects credible evidence of a major digital attack against it from abroad, a secret legal review has concluded amid increased cyberattacks on American firms and critical infrastructure.
Citing unnamed officials involved in the review, the New York Times has reported that in the next few weeks, the Obama administration may approve the nation's first rules for how the US military can defend, or retaliate, against a major cyberattack.
"New policies will also govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the US and, if the president approves, attack adversaries by injecting them with destructive code -- even if there is no declared war," the paper said.
The rules will be highly classified, just as those governing drone strikes have been closely held, it said. Cyberweaponry is the newest and perhaps most complex arms race under way. The Pentagon has created a new Cyber Command, and computer network warfare is one of the few parts of the military budget that is expected to grow.
Under current rules, the military can openly carry out counterterrorism missions in nations where the United States operates under the rules of war, like Afghanistan. But the intelligence agencies have the authority to carry out clandestine drone strikes and commando raids in places like Pakistan and Yemen, which are not declared war zones.
Obama is known to have approved the use of cyberweapons only once, early in his presidency, when he ordered an escalating series of cyberattacks against Iran's nuclear enrichment facilities, the report said.
The attacks on Iran illustrated that a nation's infrastructure can be destroyed without bombing it or sending in saboteurs, it said.
One senior American official said that officials quickly determined that the cyberweapons were so powerful that -- like nuclear weapons -- they should be unleashed only on the direct orders of the commander in chief.
While the rules have been in development for more than two years, they are coming out at a time of greatly increased cyberattacks on American companies and key infrastructure.
The department of homeland security recently announced that an American power station, which it did not name, was crippled for weeks by cyberattacks. The New York Times reported last week that it had been struck, for more than four months, by a cyberattack emanating from China. The Wall Street Journal and The Washington Post have reported similar attacks on their systems.
Under the new guidelines, the Pentagon would not be involved in defending against ordinary cyberattacks on American companies or individuals, even though it has the largest array of cybertools.
Domestically, that responsibility falls to the department of homeland security, and investigations of cyberattacks or theft are carried out by the Federal Bureau of Investigation.