Behind The White House’s Plan To Be More Aggressive In Cyberspace

For nearly a year, White House leaders had debated the rules for how America should operate in cyberspace. After brazen hacks by the Chinese and Russian governments that targeted millions of Americans and the 2016 presidential election respectively, senior officials believed they needed to stop the raid on American bits and bytes.

Administration leaders broadly fell into two camps. The first blamed Obama-era rules to operate in cyberspace as too timid and the reason America did not have digital options to deter North Korea’s nuclear program. 

Unleashing viruses that could upend North Korea’s rockets would require a wide swath of consensus across US government agencies, which all but stifled many hacking plans.

Other officials, such as then Homeland Security adviser Tom Bossert, disagreed, and over a period of months argued that while the procedures needed to change, loosening the rules of engagement too liberally and without caution would be dangerous.

A Decision Loomed

While the North Korean debate did not lead to immediate policy changes, it was one of several events that helped push the Trump administration toward a new cybersecurity strategy, according to four current and former White House and intelligence officials who were in the room or briefed on the situation. 

When the White House announced the new policy in September, national security adviser John Bolton was blunt: “We’re going to do a lot of things offensively, and I think our adversaries need to know that.”

America enters the Cyber Age

In the early 2010s, Russia was known inside the US intelligence community for its clandestine cyber operations. If White House administrators or National Security Agency analysts spotted Moscow’s cyber-warriors probing American networks before 2014, the Kremlin spies would often suddenly disappear.

“The Russians were known for being stealthy and highly targeted. If you saw them on the network, they would vanish like ghosts and go quiet,” Michael Daniel, the top cybersecurity official at the Obama administration, told Fifth Domain.

One of the first digital disinformation operations against the United States targeted diplomats. Digital sleuths from the Kremlin listened in on a phone call between Victoria Nuland, then the top US American diplomat to Europe, and Geoffrey Pyatt, the US ambassador to Ukraine, according to the State Department. 

Nuland and Pyatt discussed how to support a new government in Ukraine. Nuland believed the Europeans were being too timid and made her position clear in colorful language.

The phone call was being secretly recorded and was posted to YouTube days later.

"It wasn’t their first use of cyber and aggressive tactics, including manipulating emails and leaking things,” said Nuland, who is now head of the Center for a New American Security. “What was new is their targeting of Americans and the United States in a way where their hand was not masked. Obviously, they denied it, but it was transparent what was going on.

Russian hackers breached the White House’s networks and swiped President Obama’s email correspondence in 2014,according to the New York Times. Two days before Christmas in 2015, Russian hackers allegedly used spear-phishing emails and malicious code embedded in Microsoft Word documents to launch the first publicly acknowledged cyberattack in the world to cause power outages against Ukraine.

But the Russian government was not the only country developing a playbook for hacking. China was revving up a campaign to infiltrate the US government as well.

In April 2015, US officials say that China hacked records of 22 million government officials that were stored by the Office of Personnel Management. That included copies of all US government security clearances. 

Election Meddling

It took less than a year for another historic breach.

In a cream-colored building with roman arches near the meandering Moscow River, Russian intelligence officials sent a spear-phishing email to Tony Podesta, the campaign chairman for Hillary Clinton on March 19, 2016. The hackers disguised the email as a Google security notification and tricked Podesta into changing his password. 

An accompanying link was a disguised Russian intelligence agency website, and the Kremlin spies soon swiped a trove of emails. Russian officials then passed the emails to WikiLeaks, according to a July 13 indictment from Special Counsel Robert Mueller.

“The Russians were over time perfecting their ability to target social media to specific political objective in their own country, in Ukraine, and across Europe before 2016,” Nuland said during 2018 Senate testimony,

But to leaders inside the US government, Russia’s role was not immediately clear. Former US officials said the assessment of Moscow’s responsibility solidified around June after Americans analyzed the activity of Guccifer 2.0, who claimed to be a digital vigilante but was actually a group of Russian spies, according to the Mueller indictment.

It was then that Russian hackers allegedly broke into the Illinois state election network and stole voter registration information of up to 200,000 people. While the hack remained secret for weeks, it set off alarms within the White House and intelligence agencies, two former US officials said.

Trump in Charge

From the onset of the Trump administration, former and current White House and Pentagon officials were set on changing how the America operated in cyberspace. With information about Russia’s hacking and disinformation becoming clearer by the day, their discussion took a new sense of urgency.

Government officials recalled the shock of the incoming Trump team when they learned how conservative the military was when it came to hacking. “The incoming Trump administration had this assumption that the US was some big gorilla in cyberspace and was actively hacking everyone. There was a little bit of surprise that US policy was very conservative,” a former White House official told Fifth Domain.

The Obama-era rules that governed American cyber operations were called Presidential Policy Directive 20 and said that cyber operations likely to result in “significant consequences” needed presidential approval. Hacking operations also needed to have near unanimous consent between US government agencies.

For some, an inflection point came as the White House considered options to deter North Korea’s nuclear capability. The lines of code honed inside NSA labs to monitor, stop or alter Pyongyang’s nuclear and military capably would likely have to travel through China, which supplies nearly all North Korea’s internet. 

During previous debates, officials feared China might mistakenly believe the Americans were hacking them instead of North Korea. The scenario was deemed too risky by some because it could have unforeseen consequences. 

Advocates for the more aggressive approach in cyberspace argued that the Obama-era rules for cyberspace effectively blocked America from embedding and prepositioning this malware inside of North Korea’s systems. As a result, America was empty-handed when it came to hacking options, according to this line of thinking.

And by some accounts there was also evidence that America already had effective hacking programs to deter North Korea’s nuclear ambitions.

According to Bob Woodward’s book “Fear,” during the Obama administration, the United States was able to infect the North Korean government’s missile telemetry with malware that caused errors in their launch sequence. 

Two former intelligence officials said that North Korea offers limited cyber options because a majority of the country does not have internet access. And by cutting off North Korea’s Internet, US officials feared they could also lose intelligence capabilities.

Both the Pentagon and the NSA declined to comment and respond to questions.

Publicly, support for more offensive cyber operations came in the form of congressional testimony from Adm. Michael Rogers, the head of the NSA, and the incoming commander, Gen. Paul Nakasone.

“President Putin has clearly come to the conclusion there is little price to pay here … and that therefore I can continue this activity,” Rogers told Congress in February 2018.

‘Our hands are not tied’

After Trump’s national security adviser H.R. McMaster left the White House in March 2018, Trump replaced him with John Bolton. Days later, Bossert was pushed out of the White House, along with the White House cybersecurity coordinator Rob Joyce.

At the time, a senior Pentagon cyber official described the administration's cyber policy as "a potential catastrophe.” The official explained how critical cyber issues were not being coordinated and briefings were either being missed or not even taking place.

That summer, the White House finalised its strategy to overhaul the Obama rules from cyberspace. Mattis was given the ability to conduct cyber operations without authority from the president except if it could interfere with the “national interest” of the United States. After Trump rescinded the Obama-era rules Aug. 15, Bolton described the changes in drastic terms.

“Our hands are not tied as they were in the Obama administration,” Bolton said. “Our presidential directive effectively reversed those restraints, enabling offensive cyber operations through the relevant departments.”

Still, some current and former US officials caution that greater authority in cyberspace might not actually deter hacking from foreign nations in some situations.

And there are questions about if the new cyber authorities will have any effect at all on offensive operations. Some experts argue that the officials making a decision about whether to hack another country are more important than the process they use.

“What the Russians did is a little bit like 9/11,” Michael Hayden, the former director of the CIA and the NSA under the Bush administration, told Fifth Domain. “It was an attack from an unexpected direction against a previously unappreciated target.”

Hayden believes that America has encountered a new threat, and like the September 11th attacks, the US government needs a dedicated effort to respond to Russia’s hacking. 

“President Bush did that. A lot of it was controversial, but you can’t argue it wasn’t extraordinary. President Trump has never called on us to go extraordinary. Everyone is doing their best, but they are playing traditional positions.”

Fifth Domain:

You Might Also Read:

White House To Step Up Cyber Counter-Offensive

US Senator Calls For New Cyber Doctrine

« 10 Cyber Security Trends To Look Out For In 2019
The NSA Is Spying On You Now »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Napatech

Napatech

Napatech develops and manufactures high speed network accelerators specifically designed for real-time network monitoring and analysis applications.

KPN Security

KPN Security

KPN Security is the largest and most complete provider of IT security services in the Netherlands.

BioCatch

BioCatch

BioCatch uses behavioral biometrics for fraud prevention and detection. Continuous authentication for web and mobile applications to prevent new account fraud.

Duo Security

Duo Security

Duo combines security expertise with a user-centered philosophy to provide two-factor authentication, endpoint remediation and secure single sign-on tools.

Open Systems International (OSI)

Open Systems International (OSI)

Our innovative Operations Technology (OT) solutions are highly scalable and can be deployed by various utility companies to monitor, control and optimize their real-time operations.

CARICERT

CARICERT

CARICERT is the National Cyber Emergency Response Team of Curacao in the Caribbean.

UNIDIR Cyber Policy Portal

UNIDIR Cyber Policy Portal

The UNIDIR Cyber Policy Portal is an online reference tool that maps the cybersecurity and cybersecurity-related policy landscape.

DDOS-Guard

DDOS-Guard

DDoS-GUARD is one of the leading service providers on the global DDoS protection and content delivery markets.

ProofID

ProofID

ProofID is a specialist provider of Identity Access Management (IAM) solutions. We focus on the solving the complex needs of the modern enterprise.

ConnectWise

ConnectWise

The Unified ConnectWise Platform offers intelligent software and expert services to easily run your business, deliver your services, secure your clients, and build your staff.

US Fleet Cyber Command (FLTCYBER)

US Fleet Cyber Command (FLTCYBER)

US Fleet Cyber Command is responsible for Navy information network operations, offensive and defensive cyberspace operations, space operations and signals intelligence.

comforte AG

comforte AG

comforte AG is a leading provider of data-centric security technology. Organizations worldwide rely on our tokenization and format-preserving encryption capabilities to secure personal, sensitive data

DeXpose

DeXpose

DeXpose is a hybrid dark/deep web monitoring and attack surface mapping platform to help you find compromised data or exposed assets related to your organization way before threat actors.

Boston Government Services (BGS)

Boston Government Services (BGS)

Boston Government Services is an engineering, technology, and security firm providing mission-focused solutions for the clean energy, nuclear, and federal programs markets.

Argenta Talent Acquisition

Argenta Talent Acquisition

Argenta Talent Acquisition is a recruitment partner specializing in Space and Defense, Intelligence Community, all things Technical, Cyber, and Logistics.

M6iT Consulting

M6iT Consulting

M6iT Consulting is an industry-leading solution partner managing the IT requirements for a full range of companies.