Presidential Policy Directive 20

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Presidential Policy Directive 20 (PPD-20), provides a framework for U.S. cybersecurity by establishing principles and processes. Signed by President Barack Obama in October 2012, this directive supersedes National Security Presidential Directive NSPD-38. Integrating cyber tools with those of national security,[1] the directive complements NSPD-54/Homeland Security Presidential Directive HSPD-23.

Classified and unreleased by the National Security Agency (NSA), NSPD-54 was authorized by George W. Bush.[1] It gives the U.S. government power to conduct surveillance[2] through monitoring.[1]

Its existence was made public in June 2013 by former intelligence NSA infrastructure analyst Edward Snowden.


Because of private industry, and issues surrounding international and domestic law,[3] public-private-partnership became the, "cornerstone of America's cybersecurity strategy".[4] Suggestions for the private sector were detailed in the declassified 2003,[5] National Strategy to Secure Cyberspace. Its companion document, National Security Presidential Directive (NSPD-38), was signed in secret by George W. Bush the following year.[5]

Although the contents of NSPD 38 are still undisclosed,[1] the U.S. military did not recognize cyberspace as a "theater of operations" until the U.S. National Defense Strategy of 2005.[3] The report declared that the, "ability to operate in and from the global commons-space, international waters and airspace, and cyberspace is important ... to project power anywhere in the world from secure bases of operation."[6] Three years later, George W. Bush formed the classified Comprehensive National Cybersecurity Initiative (CNCI).

Citing economic and national security, the Obama administration prioritized cybersecurity upon taking office.[7] After an in-depth review of the, "communications and information infrastructure,"[8] the CNCI was partially declassified and expanded under President Obama.[9] It outlines "key elements of a broader, updated national U.S. cybersecurity strategy."[10] By 2011, the Pentagon announced its capability to run cyber attacks.[11]


After the U.S. Senate failed to pass the Cybersecurity Act of 2012 that August,[12] Presidential Policy Directive 20 (PPD-20) was signed in secret. The Electronic Privacy Information Center (EPIC) filed a Freedom of Information Request to see it, but the NSA would not comply.[13] Some details were reported in November 2012.[14] The Washington Post wrote that PPD-20, "is the most extensive White House effort to date to wrestle with what constitutes an 'offensive' and a 'defensive' action in the rapidly evolving world of cyberwar and cyberterrorism."[14] The following January,[15] the Obama administration released a ten-point factsheet.[16]


On June 7, 2013, PPD-20 became public.[15] Released by Edward Snowden and posted by The Guardian,[15] it is part of the 2013 Mass Surveillance Disclosures. While the U.S. factsheet claims PPD-20 acts within the law and is, "consistent with the values that we promote domestically and internationally as we have previously articulated in the International Strategy for Cyberspace",[16] it doesn't reveal cyber operations in the directive.[15]

Snowden's disclosure called attention to passages noting cyberwarfare policy and its possible consequences.[15][17] The directive calls both defensive and offensive measures as Defensive Cyber Effects Operations (DCEO) and Offensive Cyber Effects Operations (OCEO), respectively.

Notable points[edit]

  • "Loss of life, significant responsive actions against the United States, significant damage to property, serious adverse US foreign policy consequences, or serious economic impact on the United States."
  • "OCEO can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging. The development and sustainment of OCEO capabilities, however, may require considerable time and effort if access and tools for a specific target do not already exist."
  • "The United States Government shall identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power, establish and maintain OCEO capabilities integrated as appropriate with other U.S. offensive capabilities, and execute those capabilities in a manner consistent with the provisions of this directive."

Further reading[edit]

External links[edit]

See also[edit]


  1. ^ a b c d EPIC. (n.d.). Presidential directives and cybersecurity. EPIC. Retrieved from
  2. ^ Electronic Privacy Information Center. (n.d.). EPIC v. NSA - Cybersecurity Authority. EPIC. Retrieved from
  3. ^ a b Barnard-Wills, D. & Ashenden, D. (2012). Securing virtual space cyber war, cyber terror, and risk. Space and culture, 15(2), p. 110-123. doi:10.1177/1206331211430016.
  4. ^ White House. (2003, February). The National Strategy to Secure Cyberspace (Rep.). Retrieved from
  5. ^ a b Scahill, J. (2013). The world is a battlefield. Nation Books.
  6. ^ The National Defense Strategy of the United States of America (Rep.) (2005, March). Retrieved from
  7. ^ Krebs B. (2009, May 29). Obama: Cyber security is a national priority. Washington Post. Retrieved from
  8. ^ White House, Office of the Press Secretary. (2009, April 17). Statement by the Press Secretary on conclusion of the cyberspace review Archived 2009-05-21 at the Wayback Machine [Press release]. Retrieved from
  9. ^ Vijayan, J. (2010, March 2). Obama administration partially lifts secrecy on classified cybersecurity project Computerworld. Retrieved from
  10. ^ White House. (n.d.). The Comprehensive National Cybersecurity Initiative Archived 2013-09-10 at the Wayback Machine. The White House. Retrieved from .
  11. ^ Nakashima, E. (2011, November 15). Pentagon: Cyber offense part of U.S. strategy. Washington Post. Retrieved from
  12. ^ Rizzo, J. (2012, August 02). Cybersecurity bill fails in Senate. CNN. Retrieved from
  13. ^ Electronic Privacy Information Center. (n.d.). EPIC v. DHS - Defense Contractor Monitoring: Classified NSA Cybersecurity Directive Sought by EPIC Establishes NSA Cyberattack Authority. EPIC. Retrieved from
  14. ^ a b Nakashima, E. (2012, November 14). Obama signs secret directive to help thwart cyberattacks. Washington Post. Retrieved from
  15. ^ a b c d e Greenwald, G. & MacAskill, E. (2013, June 7). Obama orders US to draw up overseas target list for cyber-attacks The Guardian. Retrieved from
  16. ^ a b Federation of American Scientists. (2013, January). Presidential Policy Directives [PPDs] Barack Obama Administration. FAS. Retrieved from
  17. ^ Schneier, B. (2013, June 18). Has U.S. started an Internet war? CNN. Retrieved from