A secret legal review has concluded that the US president has the power to order preemptive cyber strikes if the United States discovers credible evidence of a major digital attack against it is in the offing, The New York Times reported Monday.
Citing unnamed officials involved in the review, the newspaper said the new policy will also govern how the intelligence agencies can carry out searches of overseas computer networks for signs of potential attacks on the United States and, if the president approves, attack adversaries with a destructive code — even if there is no declared war.
The review came as the US Department of Defense approved a five-fold expansion of its cybersecurity force over the coming years in a bid to increase its ability to defend critical computer networks.
The Washington Post reported that the department's Cyber Command, which currently has a staff of about 900, will expand to about 4,900 troops and civilians.
Last November, Defense Secretary Leon Panetta conceded that US cybersecurity needed more financial support and human capital.
The seriousness of the threat has been underscored by a string of sabotage attacks, including one in which a virus was used to wipe data from more than 30,000 computers at a Saudi Arabian state oil company last summer.
According to The Times, John Brennan, who has been nominated to run the Central Intelligence Agency, played a central role in developing the administration's policies regarding cyberwarfare.
Obama is known to have approved the use of cyberweapons only once, when he ordered an escalating series of cyberattacks against Iran's nuclear enrichment facilities, The Times said.
The operation was code-named Olympic Games, and began inside the Pentagon when George W. Bush was still president, according to the paper.
The attacks on Iran illustrated that a nation's infrastructure can be destroyed without bombing it or sending in saboteurs, the report said.
One senior American official said that the reviewers had quickly determined that the cyberweapons were so powerful that — like nuclear weapons — they should be unleashed only on the direct orders of the commander in chief, The Times noted.
International law allows any nation to defend itself from threats, and the United States has applied that concept to conduct preemptive attacks, the paper noted.
Under the new guidelines, the Pentagon would not be involved in defending against ordinary cyberattacks on American companies or individuals, The Times said. That responsibility falls to the Department of Homeland Security.
But the military would become involved in cases of a major cyberattack within the United States, the paper noted.