U.S. Cyber Command sent a loud and clear message when it shut off the Internet at a Russian troll farm during the midterm elections: The United States won’t be a punching bag in cyberspace, especially when the 2020 election rolls around.
That operation, which was first reported by my colleague Ellen Nakashima on Tuesday, prevented the Internet Research Agency, which spread disinformation during the 2016 election, from mounting similar efforts on Election Day 2018 and for several days after. Russian officials did not confirm the strike but said U.S. cyberattacks routinely target Russian organizations, according to the TASS state-run news service.
The IRA strike marked the first time since 2016 that U.S. officials have acknowledged — even anonymously — launching an offensive cyber operation against their Russian adversaries. And the only other offensive cyber operation the U.S. has ever acknowledged on the record targeted ISIS digital recruiting operations and happened during President Obama's term.
While it was public knowledge that ramping up offensive strikes in cyberspace is a central tenet of the Trump administration’s new cyber strategy, taking credit for a specific move against an adversary takes it up a notch. Former officials say credit-claiming helps set a global precedent for what sort of actions cross a line of unacceptable behavior in cyberspace -- and sends a strong signal to other nations that they risk consequences if they follow suit.
“It’s important for the U.S. government to be more open about the fact it has these capabilities and it has a doctrine about how it’s going to incorporate them into its foreign policy and national security strategy,” Michael Daniel, a former White House cyber coordinator during the Obama administration, told me.
If anything, the Trump administration should be more transparent about offensive cyber operations so U.S. adversaries aren’t confused about what will prompt a U.S. response and what won’t, said Daniel, president of the Cyber Threat Alliance, a cybersecurity information-sharing group.
“This does not mean drawing lines of ‘if you do X, we will immediately do Y,’ but there should be broad statements about the principles we’ll uphold,” according to Daniel, who said he urged similar transparency during the Obama administration.
The general idea behind the Trump administration’s pivot to offense as outlined by national security adviser John Bolton in September was that Russia, China, Iran and North Korea hacked U.S. targets with abandon under President Barack Obama because they didn’t fear the United States would hack them back. By counter-striking in cyberspace at key points, the United States will make those nations more cautious, Bolton said.
But just shutting down a Russian troll farm for a couple days may not be enough to convince Russia not to interfere in the 2020 presidential contest, former officials tell me.
“I think it was worth doing,” said Joel Brenner, a former senior counsel at the National Security Agency. “But it’s likely to have a very slight deterrent effect because I don’t see any penalty that’s being imposed.”
Brenner compared the IRA operation to police making criminals stay home and stop committing crimes for a few days rather than actually locking them up in jail.
“Is that going to stop them from trying again?” he asked.
Thomas Rid, a strategic studies professor at Johns Hopkins University, described the operation to my colleague Ellen as “more of a pinprick that is more annoying than deterring in the long run.”
Jim Lewis, a former State and Commerce Department cyber official, was more bullish on the IRA operation’s deterrent effect on Russia, but warned it may take more such operations before Russia is convinced to steer clear of undermining the 2020 contest.
“Our opponents didn’t think we’d ever do anything to them and they sort of had carte blanche to get away with murder [in cyberspace],” said Lewis, who now leads the Center for Strategic and International Studies think tank’s technology policy program. “You need to show you’re willing to use these capabilities and this does that.”
The IRA counterstrike may do less for the government's broader efforts to deter cyber aggression, Lewis notes. It sends no clear signal, for example, to the United States' other main cyber adversary, China, which engages in a hacking pattern far different from Russia's.
That’s because China’s bad behavior in cyberspace looks very different from Russia’s, which makes it tough to glean clear lessons from the Russia counterstrike. While Russia threatens destructive attacks against U.S. infrastructure and influence operations that undermine elections, China is focused on stealing U.S. companies’ intellectual property and trade secrets.
The United States is also more tightly bound to China through trade relationships, which means punching back in cyberspace could have damaging consequences in other realms.
That said, the IRA operation could have a deterrent effect on the other main U.S. cyber adversaries, Iran and North Korea, whose bad behavior in cyberspace looks more similar to Russia's, Lewis told me.
“If our opponents think it’s an open field, then there’s nothing to stop them, and that’s destabilizing,” he said. “This is a way to draw boundaries, to increase stability. Hopefully by the time of 2020, it’s taken hold.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: U.S. allies should not use equipment from Huawei and other Chinese telecommunications companies in their networks, the State Department's top cyber official urged at a wireless industry conference in Barcelona. “America is calling on all our security partners to be vigilant and avoid vendors that could compromise the integrity of global communications technology, the privacy and liberty of our citizens, and the security of our critical infrastructure and national security systems,” Robert L. Strayer, the State Department official, said at the MWC Barcelona conference, according to a transcript. He added that the development of 5G will make threats to communications networks even more acute.
Strayer also said that Chinese law requires that Chinese companies comply with Beijing's security demands “without any democratic checks and balances." Huwei has disputed that interpretation of Chinese law. Despite U.S. efforts to persuade allies to stay away from Chinese telecommunications firms, the United Arab Emirates said it plans to use Huawei equipment to build a 5G network, the New York Times's Adam Satariano reported.
PATCHED: Nation-state hackers are increasingly targeting the control systems and business operations of pipelines across the United States, atop Cybersecurity and Infrastructure Security Agency official told Congress. Cyberattacks against pipelines could have dangerous consequences, Robert Kolasky, the director of CISA's National Risk Management Center, said in prepared remarks at a congressional hearing. “If this pipeline infrastructure is intentionally attacked, control valves and pressure regulators could be affected,” Kolasky said. “Failure of these technologies could lead to pressure surges causing emergency shutdowns, unexpected explosions and fires, and other serious consequences.”
Kolasky also told lawmakers that threats to the supply chain could affect “essential government or critical infrastructure systems.” He noted that CISA has launched a task force that includes several federal agencies and private companies to find ways to reduce supply-chain threats. Members of the group, which is called the Information and Communications Technology Supply Chain Risk Management Task Force, met this week and last week in Washington, CISA announced in a news release yesterday. The task force is focusing part of its efforts on developing a framework for the public and private sectors to share threat information.
PWNED: The South Korean company ESTsecurity said hackers with links to North Korea sent spearphishing emails to Korean speakers ahead of the summit between Trump and North Korean leader Kim Jong Un, CyberScoop's Sean Lyngaas reported. The company said the spearphishing document, which claimed to originate from a nongovernmental organization calling itself “Korea-U. S. Friendship Society,” included malicious code that has been tied to North Korean hackers. “It is unclear whom, exactly, the spearphishing targeted; the ESTsecurity report did not say,” according to CyberScoop. “However, hackers associated with the North Korean government have a history of going after analysts who follow Korean affairs, including through lures related to Korean unification.”
Diplomatic events tend to attract hacking activity, cybersecurity experts told Lyngaas. “There’s no delineation between which threat actor takes advantage of which high profile diplomatic event,” said Jason Kichen, vice president of the cybersecurity firm eSentire and a former U.S. intelligence official, according to CyberScoop. “It’s an arena where everyone is expected to be playing against each other at the same time.”
— The House Administration Committee approved H.R. 1, a Democratic bill that includes several election security provisions such as the use of voter-verifiable paper ballots, according to a news release from the committee. The bill also includes measures related to campaign finance and voting rights. “By passing this legislation out of committee today, House Democrats are delivering on our promise to bring accountability and transparency to Washington DC,” Rep. Zoe Lofgren (D-Calif.), the committee's chair, said in a statement. The panel approved the bill in a 6-to-3 vote. It's expected to reach the House floor in coming weeks where it has enough Democratic co-sponsors to pass easily, according to a Politico report. The bill is nearly gauranteed to be ignored by the Republican-controlled Senate.
— The Democratic Party chairs of four early-primary states want presidential hopefuls to commit not to use online disinformation tactics against their opponents, Politico's Natasha Korecki reported. The initiative from the chairs of the Democratic Party in Iowa, New Hampshire, Nevada and South Carolina seeks to establish rules on disinformation and cybersecurity that campaigns would have to respect. Under such potential agreement, candidates would have to refrain from using hacked material, spreading disinformation or resorting to fake accounts on social media platforms, Politico reported.
— The Georgia House of Representatives approved a bill to adopt touch screen voting machines printing paper ballots, the Associated Press’s Ben Nadler reported. The state of Georgia previously used paperless direct-recording electronic voting machines, which election security experts say can be vulnerable to hacking. But cybersecurity experts and activists say hand-marked paper ballots are a more secure option than using electronic ballot-marking machines.
“The bill’s author, Republican state Rep. Barry Fleming of Harlem, said he believed electronic ballot markers better captured voter intent, citing the possibility of stray marks throwing off tabulation of hand-marked paper ballots,” the AP reported. “Fleming also said electronic ballot markers are the only way to accommodate all Georgians, including disabled voters, with one system.” The bill now goes to the state Senate.
— More cybersecurity news from the public sector:
— A hacking group linked to China called BRONZE UNION has targeted political and humanitarian organizations as well as manufacturing and technology companies since 2016, according to research from the cybersecurity company Secureworks released today. The group, which is also known as Emissary Panda, APT27 and LuckyMouse, has spied on dissidents and stolen data about weapon technologies, according to the Secureworks Counter Threat Unit. The researchers called BRONZE UNION “one of the most prolific and active” groups that they are tracking.
— More cybersecurity news from the private sector:
— Major technology companies including Facebook and Apple are opposing efforts in several foreign countries to require companies to hand over data that authorities may be unable to access due to encryption, the Wall Street Journal's Robert McMillan and Dustin Volz reported. Britain in 2016 passed legislation that can require tech companies to turn in data to law enforcement. Australia has passed a law that critics say could result in weakening encryption and India is mulling rules that would give authorities access to some WhatsApp data, the Journal reported. Amy Hess, executive assistant director at the FBI, told the Journal that the bureau is “very curious to see how the Australian law, now that it is passed, will be implemented and what will be the impact.”
— More cybersecurity news from abroad:
- House Appropriations subcommittee hearing on election security.
- Senate Commerce Committee hearing on “policy principles for a federal data privacy framework.”
- The Atlantic Council holds a discussion on “operationalizing cyber strategies.”
- The Center for Strategic and International Studies holds an event on “China's pursuit of semiconductor independence” tomorrow.
- The Center for Strategic and International Studies holds an event on “digital governance and the pursuit of technological leadership” on March 4.
Cohen testimony: 5 things to expect:
Albright apologizes to Romney over Russia remarks:
British lawmakers discuss possible second Brexit vote: