Memo to POTUS: Responding to Cyber Attacks and PPD-20

By Jason Healey

Jason Healey is a Cipher Brief Cyber Advisor and Senior Research Scholar at Columbia University’s School for International and Public Affairs, and Visiting Scholar at the Hoover Institution at Stanford University, specializing in cyber conflict and risk. He started his career as a U.S. Air Force intelligence officer, before moving to cyber response and policy jobs at the White House and Goldman Sachs. Healey was founding director for cyber issues at the Atlantic Council where he remains a Senior Fellow and is the editor of the first history of conflict in cyberspace, A Fierce Domain: Cyber Conflict, 1986 to 2012. He is on the DEF CON review board and served on the Defense Science Board task force on cyber deterrence.

Mr. President, as you know the United States has faced cyber attacks of increasing frequency and viciousness from our adversaries. Your NSC is about to bring you both a new cyber strategy and a proposal to modify a previous NSC document called PPD-20 to give US Cyber Command more authority to interfere with these adversary attacks without checking back with you and the NSC as much.

You should approve these changes but with some very important conditions or else the Department of Defense might just drag you into more unwanted fights.


US cyber operations for offensive or intelligence purposes goes back decades – the first combat unit was formed by the Air Force in 1995. It is nothing new. What is new is the attacks from all sides with increasingly little respect for restraint or norms. At some point one of these attacks – such as WannaCry (North Korea), WannaCry (Russia) or one from Iran or China – will kill people and drag nations into a real war.

US Cyber Command has a new vision of wanting to “defend forward” with more agility to prevail in the “persistent engagement” of cyber conflict. Generally it is the right vision, though not without risks.

Your primary means to control escalation is a document called PPD-20. It is still classified, though leaked in its entirety on the Internet, so we won’t quote from it here. But it generally allows the military only limited flexibility to respond to cyber attacks, such as by disrupting the enemy’s command and control networks before they have a chance to attack us. You, or your designee, has to approve these.

Your NSC and DoD will be pushing for changes to PPD-20 for more agility and to defend forward, per the new vision from Cyber Command, so that these operations can be approved at lower levels. These changes are also likely to be in your new national cyber strategy.


It is a common view that if only we use more force against our adversaries they will back down – this is often called active defense, or deterrence, or raising their costs. But it might not be true; maybe cyber conflict is more like the irregular warfare in Iraq or Afghanistan where three presidents have been told “with just a bit more force we can win this thing.”

Cyber conflict be similar to irregular warfare, where more force causes the other side to rise up, not back down, unless we team with those most affected. In this case, that’s the private sector.

Or maybe it will work just as DoD says and pushing back on adversaries will bring everyone back to sanity. Either way, it is an experiment, so you need to be careful lest you create more crises that distract you from your agenda.

The US has been giving perhaps as well as we’ve been getting. Your military officials correctly note that our adversaries are ignoring restraint and norms and “extending their influence without resorting to physical aggression,” but that is exactly what our adversaries think we are up to. We don’t have to agree but remember about the reaction of many here and abroad to the Snowden revelations and Stuxnet attack on Iran.

Our military has been restrained (what we call Title 10) but certainly not our espionage or covert operations (Title 50). Your NSC needs to keep adversary views of our operations in mind or we’re likely to cause more problems than we solve.


Adversary attacks like WannaCry and NotPetya have been well beyond international norms – and you have promised to stand up for America – so it is worth approving these changes to delegate authority for more forward defense and agility.

But just as you wouldn’t fully trust sub-contractors to deliver on what they promise without proving it to you, the same goes here. Write them an initial check but be sure they have to keep coming back to you to show improvement and keep getting more checks. Here are four key items to press for:

  • Criteria and timeline for success: Cyber Command asserts more agility will increase adversary’s costs and bring them back towards global norms. Okay. How long will that take and how will we know it when we see it? If this cannot be answered, then it cannot be approved, lest we create another open-ended conflict like Iraq, Syria, or Afghanistan.
  • Criteria for failure: We likewise need to have specific criteria for measuring if more agility is definitely not working. This needs to be directly addressed, or DoD can continually come back and say “almost there” and “we just need to be a bit more agile and aggressive,” while ignoring clear indicators of failure.
  • Political throttle: Militaries hate letting politicians decide the direction or pace of military operations, yet there are numerous examples of commanders conducing exceptionally risky actions in the midst of sensitive presidential negotiations (such as when President Kennedy was talking to the Soviet premier Khrushchev during the Cuban Missile Crisis, Navy commanders were dropping depth charges to harass Soviet nuclear-armed submarines). If you’re meeting President Xi or Chancellor Merkel, it is not unfair for your NSC to know what US Cyber Command is up to and develop options to slow down (or speed up) such operations to send diplomatic signals or reducing the chances of a mistake which weakens your negotiating position.
  • Sunset: Changes to PPD-20 to allow more agility should have a specific date when the authorizations will expire – perhaps one year—to give you and NSC a chance to review the criteria for success and failure and throttle. If the new authorizations are given without a sell-by date, then they will become permanent and hard for you (or future presidents) to withdraw.

Related Articles