Because of private industry, and issues surrounding international and domestic law, public-private-partnership became the, "cornerstone of America's cybersecurity strategy". Suggestions for the private sector were detailed in the declassified 2003, National Strategy to Secure Cyberspace. Its companion document, National Security Presidential Directive, was signed in secret by George W. Bush the following year. Although the contents of NSPD 38 are still undisclosed, the U.S. military did not recognize cyberspace as a "theater of operations" until the U.S. National Defense Strategy of 2005. The report declared that the, "ability to operate in and from the global commons-space, international waters and airspace, and cyberspace is important... to project power anywhere in the world from secure bases of operation." Three years later, George W. Bush formed the classified Comprehensive National Cybersecurity Initiative. Citing economic and national security, the Obama administration prioritized cybersecurity upon taking office. After an in-depth review of the, "communications and information infrastructure," the CNCI was partially declassified and expanded under President Obama. It outlines "key elements of a broader, updated national U.S. cybersecurity strategy." By 2011, the Pentagon announced its capability to run cyber attacks.
General
After the U.S. Senate failed to pass the Cybersecurity Act of 2012 that August, Presidential Policy Directive 20 was signed in secret. The Electronic Privacy Information Center filed a Freedom of Information Request to see it, but the NSA would not comply. Some details were reported in November 2012. The Washington Post wrote that PPD-20, "is the most extensive White House effort to date to wrestle with what constitutes an 'offensive' and a 'defensive' action in the rapidly evolving world of cyberwar and cyberterrorism." The following January, the Obama administration released a ten-point factsheet.
Controversy
On June 7, 2013, PPD-20 became public. Released by Edward Snowden and posted by The Guardian, it is part of the 2013 Mass Surveillance Disclosures. While the U.S. factsheet claims PPD-20 acts within the law and is, "consistent with the values that we promote domestically and internationally as we have previously articulated in the International Strategy for Cyberspace", it doesn't reveal cyber operations in the directive. Snowden's disclosure called attention to passages noting cyberwarfare policy and its possible consequences. The directive calls both defensive and offensive measures as Defensive Cyber Effects Operations and Offensive Cyber Effects Operations, respectively.
Notable points
"Loss of life, significant responsive actions against the United States, significant damage to property, serious adverse US foreign policy consequences, or serious economic impact on the United States."
"OCEO can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging. The development and sustainment of OCEO capabilities, however, may require considerable time and effort if access and tools for a specific target do not already exist."
"The United States Government shall identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power, establish and maintain OCEO capabilities integrated as appropriate with other U.S. offensive capabilities, and execute those capabilities in a manner consistent with the provisions of this directive."