The more we learn about the Trump administration’s new push to hack back against adversaries that target the United States in cyberspace, the less audacious it sounds.
When national security adviser John Bolton announced the policy shift in September, he sold it as an antidote to the Obama administration, which was highly cautious about launching offensive cyber operations and concerned that a tit-for-tat hacking exchange with Russia or North Korea could escalate out of control.
“Our hands are not tied as they were in the Obama administration,” Bolton said. “We’re going to do a lot of things offensively and I think our adversaries need to know that.”
The goal of these offensive operations, Bolton said, is to “demonstrate to our adversaries that the cost of their engaging in operations against us is higher than they want to bear.”
But when Assistant Secretary of Defense Kenneth Rapuano on Wednesday gave the fullest explanation to date of how the policy works in practice, his explanation sounded nearly Obamian.
The process, as Rapuano described it, includes a “risk-benefit assessment,” a “coordination process” among numerous federal agencies and a “deconfliction process” during which everyone hammers out what might go wrong and how to deal with it — including the risk that an adversary might respond to a digital counterstrike by hitting back harder.
The carefully worded answer during a House Armed Services panel hearing goes a long way toward explaining why the offensive operations that have come to light — most importantly, one that shut off the Internet at the most prominent Russian troll farm during the 2018 midterm elections — have generally won wide praise from cyber policy experts, and even from former top Obama administration officials.
Rep. Jim Langevin (D-R.I.), the co-founder of the Congressional Cybersecurity Caucus, chairs the emerging threats subcommittee that Rapuano testified before. He praised the pivot to offense, telling Rapuano and head of U.S. Cyber Command Gen. Paul Nakasone to “run the board” on the nation’s digital adversaries.
“Whether it’s election operations or other operations … I think it’s important that we meet them at every challenge,” Langevin said. “We ignore those activities at our detriment.”
The basic premise of the Trump administration’s offensive hacking push is that U.S. adversaries — primarily Russia, China, Iran and North Korea — were using hacking to exploit a “gray zone” of U.S. defenses.
In other words, the hacks weren’t so bad they justified responding with conventional military force, but the United States couldn’t ignore them either. And nonmilitary retaliations — such as targeted sanctions against the government hackers and the groups that support them — made little difference in places such as Russia and North Korea that were sanctioned to the hilt.
Hacking back against those nations might seem like an obvious middle-ground solution, but the Obama administration always worried that might lead to an escalating series of cyberattacks. With the United States more reliant on the Internet than other nations, it might also be more vulnerable in a major digital conflict.
Rep. Elise Stefanik (N.Y.), the ranking Republican on the Armed Services panel, questioned Rapuano about whether the Trump team ratcheting up its offensive cyberstrikes could lead to that sort of escalation. His answer was essentially: Yes, but that’s a gamble we’re willing to take.
“Escalation is a significant concern with all military operations,” Rapuano said. But: “We have come to the conclusion — and that’s what’s informed the strategy — that … if we ignore them, they will continue [hacking] and they will undermine our security.”
The offensive hacking the military has done under the Trump administration that has come to light, however, has been relatively mild. In addition to the midterm elections operation that shut down the Internet Research Agency troll farm — which the government has not officially acknowledged — officials have described sending the equivalent of direct messages to Russian hackers telling them to cut it out.
That is frustrating for some lawmakers who want to see more public evidence the United States is pushing back in cyberspace against Russia and other adversaries.
“It feels like we’re being smacked in the face every single day,” Rep. Elissa Slotkin (D-Mich.), a former top Pentagon policy official, told Nakasone during the hearing. “I want to be able to say we’re not just sitting down and taking it.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: The Senate’s top cybersecurity official should level with senators about the digital threats they’re facing, Sens. Ron Wyden (D-Ore.) and Tom Cotton (R-Ark.) said in a letter Wednesday.
The pair are asking the Senate Sergeant-at-Arms for an annual report to all senators detailing how many Senate computers have been compromised. They also want briefings within five days to Senate leadership and the Rules and Intelligence committees when a new breach is discovered.
There have been a handful of acknowledged breaches of congressional computers, including those of then-Rep. Frank Wolf (R-Va.) in 2006 and then-Sen. Bill Nelson (D-Fla.) in 2009, but the actual tally probably is much larger, Wyden and Cotton note, because lawmakers are not required to disclose breaches.
“During the last decade, hackers have successfully infiltrated U.S. government agencies including the Office of Personnel Management, health care firms such as Anthem, and technology giants like Google,” the senators wrote. “Hackers continue to target all manner of government entities, and there is little doubt that Congress is squarely in their sights.”
PATCHED: Sen. Marco Rubio (R-Fla.) introduced two cybersecurity bills Wednesday during a hearing of the Senate Small Business Committee, which he chairs. One bill, the SBA Cybersecurity Awareness Act, would require the Small Business Administration to develop a cybersecurity strategy and probe its computer systems for components from adversary nations, such as Russia and China.
The other bill, the Small Business Cyber Training Act, would require about 10 percent of employees at federally funded small-business development centers to be qualified to counsel small businesses on cybersecurity.
PWNED: The Chinese telecommunications company Huawei can’t be trusted to build portions of Germany’s next-generation 5G wireless networks, an intelligence official told the country’s lawmakers, Bloomberg News’s Oliver Sachgau reported.
“Past security-relevant events involving the company are part of the reason, the representative told a federal panel,” according to the Bloomberg report. “Another representative for the foreign affairs ministry, speaking at the same event, said it would be hard to work with a company that cooperates with its national secret service.”
The warning comes after the U.S. ambassador to Germany reportedly told officials there that allowing Huawei into its networks would force the United States to limit the intelligence it shares with Germany.