The Draft Directive

The Pentagon has drafted a classified presidential directive that would authorize U.S. Cyber Command to conduct offensive cyber operations against foreign ransomware groups and their state sponsors, according to three defense officials familiar with the plan. The draft, circulated to the National Security Council on January 15, would loosen existing rules that restrict military hackers to defending Defense Department networks and striking terrorist groups overseas.

Two officials who reviewed portions of the document said the proposal would allow Cyber Command to target ransomware infrastructure even when the affected victims are civilian hospitals, school districts, or municipal governments. The current legal framework, rooted in a 2018 memorandum from the Trump administration and refined under President Biden, treats most ransomware as a law enforcement matter handled by the FBI and international partners.

The new directive would mark the most significant expansion of military cyber authorities since Cyber Command was elevated to a unified combatant command in 2018, said a former Senate Intelligence Committee staffer who has been briefed on the draft. The staffer, speaking on condition of anonymity, said the policy change reflects growing frustration inside the intelligence community that ransomware groups operating from Russia, Iran, and North Korea continue to attack U.S. critical infrastructure with little consequence.

Mechanism and Targets

The draft directive includes a classified annex listing roughly two dozen ransomware groups and affiliated cryptocurrency exchanges that U.S. operators could target, according to two U.S. officials familiar with the matter. One official said the list includes servers in St. Petersburg, Moscow, Pyongyang, and Tehran that have been linked to high-profile attacks on American health systems and water utilities over the past 18 months.

The proposal also requests $340 million in supplemental funding for fiscal year 2026 to stand up a new Cyber Command task force based at Fort Meade, Maryland, the officials said. The unit, temporarily code-named Task Force Silo, would include personnel from the National Security Agency, the FBI, and Treasury Department financial intelligence analysts. A senior defense official, speaking on condition of anonymity, said the funding request is scheduled to be included in a supplemental budget package the White House plans to send to Congress on January 22.

Under the proposed rules, Cyber Command would need approval from the secretary of defense and the attorney general before launching an operation inside a foreign computer network. For strikes against ransomware infrastructure not tied to a recognized nation-state, the directive would allow the commander of Cyber Command, General Timothy Haugh, to approve lower-risk operations after notifying the White House, the officials said. Operations that risk disruption to civilian infrastructure or retaliation against U.S. networks would still require presidential authorization.

The draft also directs the State Department to begin quiet negotiations with NATO allies about a shared cyber retaliation framework, according to a senior diplomat involved in the talks. The diplomat said preliminary discussions took place at a closed-door meeting in Brussels on January 12 and that officials from Britain, Germany, and Estonia raised questions about how the alliance would respond if a member state conducted an offensive cyber strike based on shared intelligence.

Internal Opposition and Next Steps

The proposal faces internal opposition from Justice Department lawyers who worry that offensive military action against criminal ransomware groups could complicate FBI-led prosecutions, according to a Justice Department official with knowledge of the filing. The official said Deputy Attorney General Lisa Monaco raised concerns at a January 14 principals committee meeting that preemptive cyber strikes could destroy evidence needed to indict foreign hackers in U.S. courts.

Civil liberties groups are also expected to challenge the expansion. A former intelligence officer now advising a Washington nonprofit said the draft directive appears to blur the line between military and law enforcement authority in ways that could raise constitutional questions if U.S. persons are inadvertently targeted. The former officer said the draft includes a 72-hour review process for any operation that results in access to data belonging to Americans, but the mechanism has not been tested.

The National Security Council is scheduled to hold a final review of the directive on January 21, according to two officials familiar with the schedule. If approved, President Biden would sign a presidential policy memorandum by January 23, with public portions likely released by the end of the month. Cyber Command and the White House National Security Council declined to comment for this story.

Stakes and What to Watch

The policy shift comes as U.S. hospitals and energy firms report a surge in ransomware activity following a lull in late 2025. A December report from the Cybersecurity and Infrastructure Security Agency counted 47 significant ransomware incidents against critical infrastructure operators in the final quarter of 2025, up from 31 in the previous quarter.

Congressional oversight will be the next flashpoint. Two congressional aides briefed on the plan said the House and Senate Armed Services Committees have scheduled classified briefings for January 27 and January 29. The aides said lawmakers expect to demand stricter reporting requirements before approving any supplemental funding for Task Force Silo.

Officials said the administration is weighing whether to declassify a summary of the directive before the February 3 State of the Union address, where the president is expected to mention cybersecurity. Until then, the most important signals will come from the January 21 NSC meeting, any amendments requested by the Justice Department, and whether allied governments begin issuing their own statements about collective cyber retaliation.