The Pentagon Prepares A Cyber-Attack On Russia

US military hackers have been given the go-ahead to gain access to Russian cyber systems as part of potential retaliation for any meddling in America’s elections. 

The US intelligence community and the Pentagon have quietly agreed on the outlines of an offensive cyber-attack that the United States would unleash if Russia electronically interferes with the 2018 midterm election on Nov. 6, according to current and former senior US officials who are familiar with the plan.

In preparation for its potential use, US military hackers have been given the go-ahead to gain access to Russian cyber systems that they feel is needed to let the plan unfold quickly, the officials said.

The effort constitutes one of the first major cyber battle plans organised under a new government policy enabling potential offensive operations to proceed more quickly once the parameters have been worked out in advance and agreed among key agencies.

While US national security officials have so far reported only intermittent efforts by Russian sources to compromise political organisations and campaigns, they have been worried, in the aftermath of Russia’s digital contact with US election systems in 2016, that Moscow might unleash more aggressive interference in the hours before voting begins, while the polls are open, or when the votes are being tabulated.

The existence of such a plan means that America is more fully integrating offensive cyber-attacks into its overall military planning systems, a move likely to make cyber combat more likely and eventually more commonplace, sometimes without first gaining specific presidential approval. Cyber-attacks are now on a more obvious path, in short, to becoming a regular currency of warfare.

The plan for retaliation against Russia is one of the first to be organised since President Donald Trump signed an executive order in August that simplifies and shortens the review for such operations. 

It has the effect, according to those familiar with the process, of giving the Pentagon additional prerogatives to prepare for strikes. It also pre-emptively addresses traditional intelligence community concerns that cyber-attacks will compromise ongoing or future intelligence-gathering by exposing US data collection operations.

The officials declined to provide details about what the United States will do in response to Russian interference in the election.

But administration officials have made clear that the trigger for a broader response would have to be something more than “malign influence ... trying to sway peoples’ opinion or the way people might vote,” as a senior administration official put it on a call with reporters on October 31 organized by the White House. “This is something that has happened since the dawn of the Republic.”

Social media influence operations, widely used by Russia in 2016 and again over the past two years, were the focus of an indictment by the Justice Department of Russian national Elena Alekseevna Khusyaynova unveiled October 19, in which she was charged with conspiring with others against the United States.

The senior official clarified that it would be direct interference, efforts to tamper with voting registration and recording votes, that would bring “swift and severe action.” The reason, the official said, is “that fundamentally wrecks the natural process that we have established in this country.” That official didn’t describe what the US action would be.

In 2016 Russian hackers tried to break into the election systems of at least 21 states, although some were not notified by Washington until September 2017. In at least one state, Illinois, Russian hackers managed to gain access to voter registration data, although state officials said that none of the information was altered. Several other state systems were rumored to have been breached, although none have publicly confirmed it.

Officials say the new Trump cyber operations order, National Security Presidential Memorandum 13 (NSPM 13), is designed to allow Defense Secretary James Mattis and Director of National Intelligence Dan Coats to approve retaliatory strikes without the approval of others in the government, and in certain cases without White House approval.

It replaces an Obama-era executive order that required more extensive review before cyber weapons could be used offensively, called Presidential Policy Directive 20 (PPD 20). That order was classified but became public when former National Security Agency contractor Edward Snowden leaked it in 2013, as part of a broader effort by him to expose the scale of American cyber spying.

One of the key, unpublicised consequences of the new directive is that military planners can prepare for cyber strikes, as called for in interagency agreements in advance, by gaining access to the computer systems of potential targets well before any order has been given to attack, or even before a foreign attack has occurred, the officials said.

That access is meant to pave the way for deploying and detonating malware, packages of compromising computer instructions, swiftly inside foreign networks and servers when a decision is made to proceed.

According to the officials’ accounts, military planners in the past were sometimes held back by the intelligence community from hacking into foreign networks for fear of compromising access that spies considered useful for collecting information, particularly when it was uncertain whether any offensive operation would eventually be approved. 

With only a small number of skilled military hackers available, they were also hesitant to invest time in gaining access to systems not explicitly part of an approved strike.

Obama’s order allowed for emergency defensive actions by the heads of US agencies, but required a much more protracted process for the premeditated deployment of cyber weapons. Major attacks had to be directly approved by the president, while other smaller operations required the sign-off of three committees including a policy coordination committee, the National Security Council’s Deputies Committee and the Principals Committee, which military officials complained included agencies without a direct connection to the issues associated with cyber-attacks.

“The Department of Defense (DoD) would get frustrated when Transportation, or another agency would weigh in on things they wanted to do,” a former national security official who worked for both Democratic and Republican presidents said. “If DoD wanted to have access and be ready, they were hamstrung.”

One of the US officials used an analogy to describe the new approach: Spy agencies, the official said, sometimes try to place an agent in a service position at a facility run by an adversary. That agent’s assignment would be to learn access codes, map the facility and conduct wide surveillance of its operations, copy sets of keys, and perhaps unlock doors. That information and access would allow the intelligence agency, in theory, to sneak a bomb into the facility when it wants to.

This is what the military is now authorized to do after an interagency agreement has been reached that a particular major threat exists that might warrant a swift and effective cyber response, the officials said. It essentially is meant to ensure that US cyber warriors can quickly drop off weapons when needed. “You don’t need to pre-position something if you have the right access,” said one of the officials.

While some officials and cyber experts have said that certain offensive cyber operations risk violating international law, because of the possibility they might cause collateral damage and harm civilians outside target networks, government lawyers have approved the new approach after deciding that letting the military hack into a foreign system is not an act of war, so long as a cyber weapon hasn’t yet been emplaced and the specific system being targeted isn’t actually destroyed.

While declining to discuss specifics about the new directive or any potential cyber operations, Grant Schneider, a senior director for cybersecurity at the National Security Council, said in an interview after an appearance at a public event that advance military planning would help speed up cyber responses. “It allows for agencies to start making plans sooner, start identifying potential targets sooner, and start being able to have impacts sooner,” he said.

NSPM 13, which remains classified, was the backbone of Trump’s new National Cyber Strategy, a mostly unclassified public document which was released in September.

That strategy was rolled out with descriptions from National Security Advisor John Bolton of a more aggressive use of cyber weapons, consistent with his general foreign policy stance since taking the job in April. At that time officials declined to provide any specifics on how the new policy would make cyber response faster, or cut down on red tape, but claimed it would do both.

During a press conference on September 20 to roll out the new cyber strategy, Bolton said that “for any nation that's taking cyber activity against the United States, they should expect, and this is part of creating structures of deterrence, so that it's publicly known as well, we will respond offensively as well as defensively.” During a speech on Oct. 31, he said the United States was “right now undertaking offensive cyber operations” to safeguard the election, without detailing what those are.

According to sources, the new executive order, NSPM 13, is designed around the idea of pre-approved Concepts of Operations, one of the first of which is the plan to act against Russia if key red lines are crossed. The concepts set the types of targets and the boundaries for types of action through coordination between agencies.

It doesn’t require a full meeting of cabinet officials and can exclude some of the decision makers who were part of the PPD 20 process. Most of the coordination will take place between the Office of the Director of National Intelligence, the Pentagon, and the Department of Homeland Security, according to sources.

“The concept is that you would approve a category of activities against a defined adversary, that would be pre-approved by the appropriate people, within some left-and-right bounds,” one of the officials said. Once a concept is approved, an agency can scout a target and gain access, and sometimes might go ahead and take action with limited notice to other coordinating agencies.

While several Obama-era officials said that the new approach sounded like a step in the right direction, others cautioned that a procedure providing earlier approval with fewer consulting officials could mean that larger concerns about an offensive cyber operation won’t be heard.

“We’re in a really deep deterrence hole to Russia right now. The costs we have imposed have been flea bites, and so we’re not affecting Russia’s calculus,” Michèle Flournoy, a former Pentagon policy chief and co-founder of the Center for a New American Security think tank, said in an interview. 

“They aren’t feeling very threatened.” But she added that “where I would be concerned is if authorities [for offensive operations] were delegated down to a low level, and it was absent a larger strategy.”

A former senior official who served in the Trump White House separately expressed concerns that the military might not understand that cyber weapons are only one of many tools available for responding to a cyber-attack. “They have to have some understanding that we don’t just build tools to wreak havoc,” the official said.

Chris Painter, who served as the top US cyber diplomat at the State Department from 2011 to 2017, said the Obama administration deliberately sought extensive interagency consultation “to make sure that we were considering all the different policy aspects.” But he agrees that the procedures could have been streamlined.

Schneider, the NSC official, said that the perception was that PPD 20 slowed down the potential use of cyber weapons. “The old process, in PPD 20, whether it was in reality or in lore, was that everything was going to have to go to the president’s desk in order to do anything. And getting on the president’s desk is a challenge, and so that sapped time away from what they wanted,” he said.

But the biggest fights, according to several former officials, came between intelligence leaders trying to protect streams of information coming from adversaries’ networks and military leaders looking to strike.

“In practice, whenever we came up with a scenario where we wanted to take action, they [intelligence officials] spent most of their time arguing that any action could harm their access,” one of the former national security officials said.

Asked about protection against Russian election meddling during the rollout of the new cyber strategy, Bolton pointed to the new executive order as helping unleash US capability. “It's one of the reasons why our decision to reverse this PPD 20 from the Obama administration on offensive cyber actions, we think, is so important,” Bolton said. “Our hands are not tied as they were in the Obama administration.”

Here’s how the process works: Military planners and cyber experts from the civilian intelligence agencies start by finding weaknesses in software security as part of something called the Vulnerabilities Equities Process. Its general outlines were disclosed in late 2017, when public documents stated that government hackers tell software makers about roughly 90 percent of the vulnerabilities they find while testing nearly every widely used piece of software. A former official familiar with the program confirmed that figure, noting that there is some monthly fluctuation, and saying that many of the public security fixes included in operating system updates are actually first uncovered by government hackers.

“The 10 percent we keep is for our national security purposes,” a former White House official said. “We keep them for a reason.”

The military and intelligence agencies then deploy those vulnerabilities whenever they need to break into systems. The public got a hint of the types of inroads government hackers can make when some pathways stockpiled by the National Security Agency were collected by a group calling itself the Shadow Brokers, which released them publicly beginning in 2016. 

One of those vulnerabilities served as the backbone of the WannaCry attack, which the Trump administration publicly blamed on North Korean hackers, and which eventually spread to 300,000 computers in 150 countries in 2017. 

US officials have never publicly claimed responsibility for the use of cyber weapons, although reports have tied US government hackers to disruption of North Korea and Iran’s nuclear programs.

PublicIntegrity.org
