Beginning last fall, before the midterm elections, Cyber Command began directly contacting Russians who were linked to operations, such the Internet Research Agency, that allegedly helped coordinate Moscow’s campaign to subvert the 2016 presidential election. The apparent aim was to put people on notice that their covers had been blown, and that their ability to work and travel freely might be affected.
U.S. officials believe the disruption effort has frazzled some of the Russian targets and may have deterred some interference during the midterms. The operation was first reported by the New York Times on Oct. 23, and additional details have emerged from public and private sources.
One unlikely public confirmation of the warning campaign came from Yevgeny Zubarev, the director of the St. Petersburg-based Federal News Agency . Justice Department prosecutors have alleged that Zubarev’s information website, known by the acronym FAN, was part of the same covert-action network as the Internet Research Agency.
“The United States Cyber Command writes to me to say that what I am doing is wrong, that their job is to fight trolls,” Zubarev told the Daily Beast in December. “We are defending the motherland on the information fronts.” But he denied he was involved with any alleged “troll farm.”
A catalogue of potential Russian operatives, who might be targets of similar Cyber Command warnings, came in an indictment unsealed in October describing a Russian bookkeeper’s role in managing a “conspiracy . . . to sow division and discord in the U.S. political system.”
A dozen fronts for this alleged political-interference operation, including FAN, are cited in the indictment, along with 14 companies that maintained bank accounts to finance operations. Prosecutors alleged that the bookkeeper prepared “hundreds of financial vouchers, budgets, and payment requests,” and the indictment listed precise figures from a series of monthly budgets from February 2017 to July 2018.
This was the covert world’s version of a “gotcha.” The implication was that U.S. intelligence had the names, dates, Web addresses and other details of anyone touched by the bookkeeper’s electronic connections. Some of these operatives and contractors may have been among those pinged by Cyber Command. The message, in part, was that their ability to operate in secret had vanished.
This tactic of outing Russian cyberoperatives may have a “deterrent effect,” argues Thomas Rid, a Johns Hopkins University professor and author of the forthcoming book “Active Measures: A History of Disinformation.” He explained during an interview: “We know from history that when intelligence officers who have prized secrecy their entire careers are exposed, it is a punch in the gut.”
Cyber Command’s doctrine in more aggressively targeting Russian manipulation was outlined by Gen. Paul Nakasone, the unit’s commander, in the current issue of Joint Force Quarterly. He said that past efforts to combat adversaries who penetrated U.S. networks or Internet sites “have not worked,” and that the United States instead needed to take the offensive and “persistently engage” these adversaries through what he called “defending forward.”
Describing the activities of the Russia Small Group, a joint intelligence community effort to combat Russian interference in the 2018 midterm elections, Nakasone explained: “We are in constant contact with our adversaries in cyberspace. . . . How do we warn, how do we influence our adversaries, how do we position ourselves in case we have to achieve outcomes in the future?” The direct messaging to Russian operatives was part of that warning effort.
In combating Russian information operations last year, Cyber Command and the National Security Agency are said to have furnished information they had obtained about Russian trolling and passed it to the FBI and Department of Homeland Security, which then warned social media platforms and other organizations to counter the threats. Facebook, Twitter and other companies have recently announced steps to curtail foreign manipulation through fake accounts, but they’ve said little about how they obtained their evidence.
Nakasone’s new doctrine moves the United States closer to Russia’s approach of treating cyberspace as part of a continuum of warfare. Rather than a binary on/off switch, conflict is now seen as something closer to a rheostat, which can be dialed up or down as conditions require. In the cyberwar ladder of escalation, operations range from “shaping the battlespace” in preparation for conflict (zero), to deterring (one), seizing the initiative (two), dominating the adversary (three) and transitioning back to normal activities (four).
In combating Russian election interference, Cyber Command evidently restricted its operations to phases one and two.
Nakasone has likened his “defend forward” approach to the way Navy ships operate at sea, rather than staying in port, or the way Air Force planes patrol the skies, instead of remaining at airfields.
Nakasone warned that, rather than hoping to deter cyber adversaries through the threat of retaliation, “we will operate continuously to present our decision-makers with up-to-date options.” One cyber expert bluntly explained the strategy this way: “We’d rather kill the archer than dodge arrows.”
We’ve repeated so often that a new age of warfare is dawning, with cyber and other forms of high-tech conflict, that it’s easy to miss the importance of this inflection point. A foreign adversary conspired to undermine the American political system. The United States has responded, after initial uncertainty, by taking its cyberdefense into the heart of the adversary’s networks of covert manipulation.
Now that the battle has been joined, the world will be living in a contested information space, indefinitely.