Presidential Policy Directive 20 (PPD-20), provides a framework for U.S. cybersecurity by establishing principles and processes. Signed by President Barack Obama in October 2012, this directive supersedes National Security Presidential Directive NSPD-38. Integrating cyber tools with those of national security,[1] the directive complements NSPD-54/Homeland Security Presidential Directive HSPD-23.
Classified and unreleased by the National Security Agency (NSA), NSPD-54 was authorized by George W. Bush.[1] It gives the U.S. government power to conduct surveillance[2] through monitoring.[1]
Its existence was made public in June 2013 by former intelligence NSA infrastructure analyst Edward Snowden.
Because of private industry, and issues surrounding international and domestic law,[3] public-private-partnership became the, "cornerstone of America's cybersecurity strategy".[4] Suggestions for the private sector were detailed in the declassified 2003,[5] National Strategy to Secure Cyberspace. Its companion document, National Security Presidential Directive (NSPD-38), was signed in secret by George W. Bush the following year.[5]
Although the contents of NSPD 38 are still undisclosed,[1] the U.S. military did not recognize cyberspace as a "theater of operations" until the U.S. National Defense Strategy of 2005.[3] The report declared that the, "ability to operate in and from the global commons-space, international waters and airspace, and cyberspace is important ... to project power anywhere in the world from secure bases of operation."[6] Three years later, George W. Bush formed the classified Comprehensive National Cybersecurity Initiative (CNCI).
Citing economic and national security, the Obama administration prioritized cybersecurity upon taking office.[7] After an in-depth review of the, "communications and information infrastructure,"[8] the CNCI was partially declassified and expanded under President Obama.[9] It outlines "key elements of a broader, updated national U.S. cybersecurity strategy."[10] By 2011, the Pentagon announced its capability to run cyber attacks.[11]
After the U.S. Senate failed to pass the Cybersecurity Act of 2012 that August,[12] Presidential Policy Directive 20 (PPD-20) was signed in secret. The Electronic Privacy Information Center (EPIC) filed a Freedom of Information Request to see it, but the NSA would not comply.[13] Some details were reported in November 2012.[14] The Washington Post wrote that PPD-20, "is the most extensive White House effort to date to wrestle with what constitutes an 'offensive' and a 'defensive' action in the rapidly evolving world of cyberwar and cyberterrorism."[14] The following January,[15] the Obama administration released a ten-point factsheet.[16]
On June 7, 2013, PPD-20 became public.[15] Released by Edward Snowden and posted by The Guardian,[15] it is part of the 2013 Mass Surveillance Disclosures. While the U.S. factsheet claims PPD-20 acts within the law and is, "consistent with the values that we promote domestically and internationally as we have previously articulated in the International Strategy for Cyberspace",[16] it doesn't reveal cyber operations in the directive.[15]
Snowden's disclosure called attention to passages noting cyberwarfare policy and its possible consequences.[15][17] The directive calls both defensive and offensive measures as Defensive Cyber Effects Operations (DCEO) and Offensive Cyber Effects Operations (OCEO), respectively.