The White House today issued the US government's first emergency response manual for a major cyber attack, but officials acknowledged it lacked clear guidance on possible retaliation against hacker adversaries.
The Obama administration, which created a federal cyber chief position in February that has not yet been filled, published a "presidential policy directive" that includes a five-level grading system.
No hack attack so far has hit level five, a source familiar with the policy discussions said. That would be reserved for a threat to infrastructure, government stability, or American lives.
The recent hack on the Democratic National Committee (DNC), which the FBI is investigating, would likely earn a lower grade, depending on any foreign government involvement or intent to meddle in the presidential election.
Cyber security experts and US officials said there was evidence Russia engineered the release of sensitive DNC emails to influence the Nov. 8 election between Democrat Hillary Clinton and Republican Donald Trump. The Kremlin dismissed the allegations that it was involved as absurd.
The presidential directive was years in the making and provides the first public guidance on specific roles for federal agencies in responding to a major breach that, for instance, could disrupt a large bank or knock an urban power grid offline.
Cyber threats are "growing more persistent, more diverse, more frequent and more dangerous every day," White House counter-terrorism adviser Lisa Monaco said today.
She said the directive "will help answer a question heard too often from corporations and citizens alike - 'in the wake of an attack, who do I call for help?'"
But officials within the administration of President Barack Obama said the guidelines fall short of describing how Washington should hit back against significant attacks that do not kill anyone, but cripple an electrical grid or the financial system.
Three current US national security officials, who spoke on condition of anonymity, said that so far the administration has not defined the point at which a cyber attack justifies a military response.
"Is it worse than what a bomb could do, and if we decide it is, what’s the appropriate response?" one of the officials asked.
The directive defines a significant cyber incident as one likely to harm national security or economic interests, foreign relations, public confidence, health and safety or civil liberties, according to a White House fact sheet.
Obama has focused on cyber security in his second term, marked by hacks on government agencies and private companies that exposed personal information of millions of people.
Crafting clear rules for hitting back at a cyber adversary has been inhibited by how hard it is to definitively attribute an attack, officials said, and by concerns that a proportionate response could escalate into an all-out cyberwar.
"Those are not necessarily conversations we’re going to have in public," a senior administration official said when asked about why the directive does not specify countermeasures.
The magnitude of any response will be determined by the severity assigned to an attack, Monaco said.
Obama signed an executive order in April 2015 that allows for the US to levy economic sanctions directly in response to cyber attacks. That authority has never been used.
The new directive largely codifies existing practices and norms, rather than changing policy, said Ari Schwartz, a former top cyber security adviser at the White House who is now with the law firm Venable.
The Department of Justice, working through the FBI and the National Cyber Investigative Joint Task Force, will be the lead agency for investigating criminal intrusions or those that could affect national security, according to the policy.
The Department of Homeland Security will serve as the lead contact in helping companies respond to breaches of their networks. Intelligence agencies will be in charge of gathering information in order to identify who is behind an attack.