On the effectiveness of “offensive” cyber operations and what it means for the November 2020 election

Dan Wallach
Aug 25, 2020


Avid watchers of Game of Thrones will recall the Night’s Watch didn’t just huddle inside their Castle Black garrison at The Wall: a mammoth defensive fortification against the North and its various threats, both human and not-so-human. Despite their shorthanded forces, the Night’s Watch had an extensive history of launching scouting expeditions, to learn about their enemies’ strengths and movements. Get in, learn what you can, and don’t be seen. Good threat intelligence is essential to defending yourself from the inevitable attacks to come.

This same sort of entirely reasonable logic is driving the U.S. Cyber Command to “hunt forward” for cyber threats. In an editorial published today in Foreign Affairs, Paul Nakasone (Commander, U.S. Cyber Command) and Michael Sulmeyer (a senior advisor) explicitly discuss what they’re doing and why they’re doing it. It’s very rare that we see public statements like this, so what can we learn?

Their article points to Montenegro, a recent NATO member, being on the receiving end of Russian cyber-harassment. The U.S. was invited to send a team to help defend them. The real prize is learning the tactics, techniques, and procedures (TTPs) used by the Russians, which can then help us set up our own defenses; that includes helping important U.S. software vendors like Microsoft generate security patches and distribute them to everybody.

This represents a significant shift from the way the defensive cyber-world used to think about the problem. Back in the old days, the best an organization might do would be to build a strong defense: manage firewalls and intrusion detection/prevention systems, require two-factor authentication for every user, regularly install security patches, and other such things. And all of that is still very much important and relevant, but if you know your adversaries’ TTPs, you can install additional defenses tailored to them, such as firewall rules to block specific ranges of IP addresses known to be used by the adversary, or customized anti-malware patterns for email scanners.

Our new cyber-doctrine goes beyond just accepting polite invitations to help our allies. Nakasone writes that “cyber effects operations allow Cyber Command to disrupt and degrade the capabilities our adversaries use to conduct attacks.” That’s a polite way of saying that we’ve hacked into their networks, and we’re messing with them at the same time that they’re trying to mess with us. In particular, our cyber operations went to significant lengths to disrupt Russia’s Internet Research Agency (IRA) during the November 2018 midterm election (Washington Post, New York Times):

“They basically took the IRA offline,” according to one individual familiar with the matter who, like others, spoke on the condition of anonymity to discuss classified information. “They shut them down.”

Was this effective? We don’t really know, but:

“The fact that the 2018 election process moved forward without successful Russian intervention was not a coincidence,” said Sen. Mike Rounds (R-S.D.), who did not discuss the specific details of the operation targeting the St. Petersburg group. Without Cybercom’s efforts, he said, there “would have been some very serious cyber-incursions.”

Anonymous defense officials appear to have mixed opinions:

“The calculus for us here was that you’re just pushing back in the same way that the adversary has for years,” a second defense official said. “It’s not escalatory. In fact, we’re finally in the game” (emphasis mine).

Other officials were more circumspect.

“Causing consternation or throwing sand in the gears may raise the cost of engaging in nefarious activities, but it is not going to cause a nation state to just drop their election interference or their malign influence in general,” a third official said. “It’s not going to convince the decision-maker at the top.”

If Russia, China, or anybody else wants to mess with our country, whether tampering with election systems or posting propaganda on social media, it’s important that we have the most effective defenses, that we degrade the effectiveness of these attacks, and that we introduce some sort of consequences for our adversaries. Computer hacking might seem like the perfect attack, unlike traditional “kinetic” warfare, because your hackers are never at personal risk. Part of our counter-offensive seems to be raising those stakes:

Another element of the Cyber Command campaign, first reported by the New York Times, involved “direct messaging” that targeted the trolls as well as hackers who work for the Russian military intelligence agency, the GRU. Using emails, pop-ups, texts or direct messages, U.S. operatives beginning in October [2018] let the Russians know that their real names and online handles were known and that they should not interfere in other nations’ affairs, defense officials said.

What’s perhaps most fascinating about our military’s cyber-doctrine is that it places the military in a position where their civilian counterparts could never go. No Fortune 500 IT shop would ever be willing to assume the risks of mounting a remote offensive. Could there be legal liabilities if they hacked the wrong organization? Could their personnel in other countries risk arrest? By contrast, these and other risks are part and parcel of any military operation, kinetic or otherwise, and we (hopefully) have suitable controls to ensure that these operations are carefully managed.

So, how’s the lead-up to the November 2020 election going? We seem to have enough domestic propaganda going around that it’s not immediately clear how much foreign propaganda is making it through these days. Look at any tweet from a popular politician and you’ll see replies from users with nonsense letters and digits in their handles; many are bots which always seem to be operating one step ahead of Twitter and Facebook’s abilities to remove them. Are those bots being driven by Russians or Americans? This makes a real difference, since the U.S. military cannot operate against its own citizens, but it might take a significant effort to figure that out in the first place. A collaboration with a domestic law enforcement agency would presumably enable such cases to be handled, but none of the articles describe this in any detail.

At least for the operations of our elections themselves—from voter registration through election-night reporting—we’re reaping the benefits of the Election Infrastructure ISAC (Information Sharing and Analysis Center), established in the wake of the 2016 election with a designation that election infrastructure was “critical infrastructure” for our nation. That designation, and the ISAC, has ultimately led to what amounts to highly skilled consultants from DHS and elsewhere assisting state and local election officials to improve their game.

Does that mean it will be smooth sailing for this November? Even without all the procedural turmoil being caused by COVID-19—whether the higher demand for voting by mail, or many poll workers declining to serve this year—we can and must still expect a full spectrum of cyber operations from foreign adversaries. It’s at least somewhat reassuring to know that our own cyber operations are working inventively to defend us.

Dan Wallach

Professor, Department of Computer Science; Rice Scholar, Baker Institute for Public Policy; Rice University, Houston, Texas