Obama has the authority to order first strikes against those who pose, or are engaging in, major cyber threats, officials say.
WASHINGTON - A secret legal review on the use of America's growing arsenal of cyber weapons has concluded that President Obama has the power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad, according to officials involved in the review.
That decision is among several reached in recent months as the administration moves, in the next few weeks, to approve the nation's first rules for how to defend, or retaliate, against a major cyber attack.
New policies will also govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the nation and, if the president approves, strike adversaries by injecting them with destructive code -- even if there is no declared war.
The rules will be highly classified, just as those governing drone strikes have been closely held. John Brennan, Obama's chief counterterrorism adviser and his nominee to run the CIA, played a central role in developing the policies regarding both drones and cyber warfare.
Cyber weaponry is the newest and perhaps most complex arms race under way. The Pentagon has created a Cyber Command, and computer network warfare is one of the few parts of the military budget that is expected to grow. Officials said the new cyber policies have been guided by a decade of evolution in counterterrorism policy, particularly on the division of authority between the military and the intelligence agencies in deploying cyber weapons.
Officials spoke on condition of anonymity because they were not authorized to speak publicly..
Under current rules, the military can openly carry out counterterrorism missions in nations where the U.S. operates under the rules of war, like Afghanistan. But the intelligence agencies have the authority to carry out clandestine drone strikes and commando raids in places like Pakistan and Yemen, which are not declared war zones. The results have provoked wide protests.
Obama is known to have approved use of cyber weapons once, early in his presidency, when he ordered an escalating series of cyber attacks against Iran's nuclear enrichment facilities. The operation was code-named Olympic Games, and while it began in the Pentagon under George W. Bush, it was taken over by the National Security Agency, largest of the intelligence agencies, under Obama's authority to conduct covert action.
"There are levels of cyber warfare that are far more aggressive than anything that has been used or recommended to be done," one senior administration official said.
Another senior official said it was quickly determined that the cyber weapons were so powerful that -- like nuclear weapons -- they should be unleashed only on the direct orders of the commander in chief.
"There are very, very few instances in cyber operations in which the decision will be made at a level below the president," the official said. That means the administration has ruled out the use of "automatic" retaliation if a cyber attack on America's infrastructure is detected, even if the virus is traveling at network speeds.
One major issue, according to an official involved, was defining "what constitutes reasonable and proportionate force" in halting or retaliating against a cyber attack.
During the attacks on Iran's facilities, which the U.S. never acknowledged, Obama insisted that cyber weapons be targeted narrowly, so that they did not affect hospitals or power supplies. Obama frequently voiced concerns that America's use of cyber weapons could be used by others to justify attacks on the U.S.
The U.S. effort was exposed when the cyber weapon used to attack an Iranian enrichment center leaked out of the center. The weapon was known as "Stuxnet," and its code was replicated millions of times on the Internet.