President Trump made it easier for the military to launch cyber operations against U.S. adversaries by signing a new order that replaces Obama-era rules on how the government uses cyberweapons. But former officials and cybersecurity experts say the new authority could actually make it harder for the government to mount a coordinated response to digital threats.
As my colleague Ellen Nakashima reports, Trump on Wednesday signed an order authorizing the defense secretary to conduct cyber operations that can disrupt or degrade an adversary’s network or choke off attacks underway. The order, she reports, “replaces one issued by President Barack Obama in 2012, called Presidential Policy Directive 20, which laid out a framework for undertaking offensive and defensive cyber actions.”
The decision to roll back the Obama rules, first reported by the Wall Street Journal, removes bureaucratic obstacles that military leaders viewed as overly restrictive, allowing them to move faster to combat cyberthreats from nation-states and other sophisticated actors.
But giving the military too much leeway to decide whether to launch an offensive operation risks interfering with other interests within the government -- including, say, intelligence efforts quietly monitoring threats or diplomatic forays to resolve the conflict. According to Matthew Rhoades, who handled legislative affairs for the National Security Council and the Defense Department during the Obama administration, the order means those things “are less likely to be considered in the decision-making process."
“For example, a Department of Defense operation could theoretically compromise an ongoing intelligence collection effort,” Rhoades told me. “Similarly, a Department of Defense operation could frustrate an international partner that wasn't consulted, leading to negative diplomatic ramifications.... The problem with short-circuiting the process is you may not even thoroughly consider those choices, much less answer them."
With its new order, the Trump administration is “basically saying, ‘Talk amongst yourselves,' " said Chris Finan, who served as director for cybersecurity legislation and policy on the National Security Council during the Obama administration. “It’ll fall to a bunch of [intelligence community] and military folks to do ad hoc coordination and will make their jobs a lot harder. This is the kind of thing that burns out our operators.”
Other experts raised similar concerns. “Coordination across competing priorities is tough, especially in this realm. Expect many intelligence operations to be blown by this shift,” tweeted Peter Singer, a strategist at the New America think tank. “Being aggressive feels good, but can give away sometimes more valuable monitoring, awareness, etc.” He added:
So this is yet another area where moving policy away from Trump White House is bad for proper oversight, coordination, and longterm civil military relations, but better for shortterm security and respect for law, given the extraordinary times and awful team he’s appointed.— Peter W. Singer (@peterwsinger) August 16, 2018
From Jason Healey, a cyber conflict expert and senior researcher at Columbia University’s School for International and Public Affairs:
But if POTUS delegates authority down, big question is where that coordination and deconfliction happens and what if there are disagreements. If not NSC and the Sit Room, then where and how? https://t.co/CNyohCfSqJ— Jason Healey (@Jason_Healey) August 16, 2018
From Christopher Painter, the former top cyber diplomat at the State Department:
That is the crux. We need to have & use cyber tools when appropriate & the most effective option, including for detterence, but we also need to take account of all our national equities including working to build coalitions of countries to collectively respond to cyber threats https://t.co/9GCjRo2IP2— Chris Painter (@C_Painter) August 16, 2018
And Camille Stewart, former senior adviser for cyber infrastructure and resilience policy at the Department of Homeland Security:
PPD-20 was a checks & balances and made sure agencies were not stepping on each others inflight efforts. Reconizing the need/desire to be agile, I am interested to see what is put in place to fill the gap. Lack of coordination on #cyber will only leave us vulnerable to #attack— Camille Stewart (@CamilleEsq) August 16, 2018
It’s no surprise that the White House is trying to speed up operations in cyberspace. The administration has faced immense pressure to thwart Russian interference in midterm elections and develop a comprehensive strategy for deterring cyberattacks, which lawmakers from both parties say it lacks.
And Trump's new directive is part of a broader push by the White House to grant commanders more leeway to make battlefield decisions, as Ellen reports. It comes as Gen. Paul Nakasone, who heads both the National Security Agency and U.S. Cyber Command, has recommended to Pentagon leaders that the two organizations remain under one head for at least two years. “Taken together, these moves show a strengthened focus on military cyber capabilities,” Ellen writes, “and reflect a mounting concern on the part of senior security officials about the severity of the threat from foreign adversaries, especially Russia.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: “FCC Chairman Ajit Pai told a Senate committee Thursday that he did not update Congress or the public about the true nature of a website malfunction at the agency because he was bound by a confidentiality request by the agency’s inspector general,” my colleague Hamza Shaban reported. “Pai said he initially relied on the agency’s then-chief information officer in claiming that the FCC had suffered a cyberattack after people experienced difficulties filing online comments regarding the future of net neutrality rules — even though Pai suspected that this wasn’t the case.” An FCC inspector general report released last week found that the commission fabricated the cyberattack and misled Congress and the public about it.
Sen. Brian Schatz (D-Hawaii), who with Sen. Ron Wyden (D-Ore.) had previously written a letter to Pai with questions about the cyberattack claims, pressed the FCC chairman for an explanation on Thursday during a Senate Commerce Committee hearing. “It just seems odd that the moment your CIO says something, that you run with it, and you ran with it quite aggressively all the way up until the point where — I guess it was last week or the week before — you say: ‘Well, I was duped,’ ” Schatz said. “That's very hard to digest.”
Pai said he “did have doubts” that the disruption of the FCC's comment system resulted from distributed denial-of-service attacks. He also said that he did not amend the commission's position on the matter sooner because the FCC's Office of Inspector General had referred the matter to the Justice Department for potential criminal prosecution and had requested that Pai remain silent. “The FCC ‘wanted you to get this information sooner,’ Pai said, but the inspector general requested that he not comment publicly on the matter while the investigation was conducted,” Hamza wrote.
PATCHED: A majority of states have installed technology known as Albert sensors in their election systems to allow federal authorities to monitor hacking attempts, Reuters's Christopher Bing reported Thursday. “As of August 7, 36 of 50 states had installed Albert at the ‘elections infrastructure level,’ according to a Department of Homeland Security official,” Bing wrote. “The official said that 74 individual sensors across 38 counties and other local government offices have been installed. Only 14 such sensors were installed before the U.S. presidential election in 2016.”
The Albert sensors were developed by the nonprofit Center for Internet Security, and the government approves of their deployment. “The 14 states that do not have a sensor installed ahead of the 2018 midterm elections have either opted for another solution, are planning to do so shortly or have refused the offer because of concerns about federal government overreach. Those 14 states were not identified by officials,” Reuters reported. “But enough have installed them that cybersecurity experts can begin to track intrusions and share that information with all states. The technology directly feeds data about cyber incidents through a non-profit cyber intelligence data exchange and then to DHS.”
PWNED: Discontent over Google's Dragonfly project is brewing within the company's ranks. “Hundreds of Google employees, upset at the company’s decision to secretly build a censored version of its search engine for China, have signed a letter demanding more transparency to understand the ethical consequences of their work,” the New York Times's Kate Conger and Daisuke Wakabayashi reported on Thursday. “In the letter, which was obtained by The New York Times, employees wrote that the project and Google’s apparent willingness to abide by China’s censorship requirements ‘raise urgent moral and ethical issues.’”
“We urgently need more transparency, a seat at the table, and a commitment to clear and open processes: Google employees need to know what we’re building,” the letter said, as quoted by the Times. It was signed by about 1,400 employees. “The letter also called on Google to allow employees to participate in ethical reviews of the company’s products, to appoint external representatives to ensure transparency and to publish an ethical assessment of controversial projects,” Conger and Wakabayashi wrote. “The document referred to the situation as a ‘code yellow,’ a process used in engineering to address critical problems that impact several teams.”
Additionally on Thursday, “Google Chief Executive Officer Sundar Pichai defended to employees the internet giant’s controversial push to do more business in China but said the company is ‘not close to launching a search product’ in the country, according to a person briefed on the comments,” the Wall Street Journal's Douglas MacMillan reported. Pichai addressed employees during a weekly meeting. “I think if we were to do our mission well, I think we have to think seriously about how we do more in China,” he said, as quoted by the Journal.
Google has also faced criticism emanating from outside the company. On Wednesday, the Electronic Frontier Foundation chided Google for its silence over the Dragonfly project. “Avoiding internal oversight and criticism will not evade the backlash that will come from launching a complicit service, or the damaging consequences to Chinese users when Google’s compromises are used against them,” Sydney Li, a staff technologist at the EFF, wrote in a blog post. “It is better to have this debate now, in public, than to pick up the pieces when the damage has been done.”
— Rep. Emanuel Cleaver II (D-Mo.) has asked the Justice Department's civil rights division to investigate whether the way law enforcement agencies use facial recognition technology violates civil rights protections. In a letter Wednesday to John Gore, the acting assistant attorney general for the department's civil rights division, Cleaver said he is “extremely concerned that facial recognition technologies will disproportionately burden African American communities.”
In addition to worries over racial bias in the implementation of facial recognition, he said that “the potential to monitor and enroll identified Americans into databases without their knowledge poses critical legal concerns — particularly if deployed to monitor peaceful protesters.” Cleaver noted that facial recognition can be an effective tool in the hands of law enforcement agencies and help improve public safety, but he warned that misusing the technology “may threaten the life and liberty of Americans with crushing force.”
— “Republican gubernatorial nominee Brian Kemp says Georgia’s aging electronic voting machines should be replaced, coming around to a position critics say he's resisted for eight years as the state’s top elections official,” the Associated Press's Ben Nadler reported on Thursday. “There’s just one thing — Kemp says it can’t be done in time for his own election this November. The secretary of state is asking companies for proposals to implement new machines that produce verifiable paper records in time for the next presidential election in 2020.”
— More cybersecurity news from the public sector:
— “A Melbourne private schoolboy who repeatedly broke into Apple’s secure computer systems is facing criminal charges after the technology giant called in the FBI,” Erin Pearson of the Australian newspaper the Age reported Thursday. “The teen, who cannot be named for legal reasons, broke into Apple’s mainframe from his suburban home on multiple occasions over a year because he was such a fan of the company, according to his lawyer.” Pearson also wrote that the teenager kept “a litany of hacking files and instructions all saved in a folder titled ‘hacky hack hack.’”
— More news about security incidents:
- Usenix Security Symposium in Baltimore.
- Senate Rules and Administration Committee business meeting about the Secure Elections Act on Aug. 22.
The life of Aretha Franklin, in her own words:
How “Respect,” Aretha Franklin's iconic song, came to be:
Four times scientists took on questions you didn’t know you had: