The Pentagon Has Prepared a Cyberattack Against Russia

November 2, 2018

U.S. military hackers have been given the go-ahead to gain access to Russian cybersystems as part of potential retaliation for any meddling in America’s elections.

The U.S. intelligence community and the Pentagon have quietly agreed on the outlines of an offensive cyberattack that the United States would unleash if Russia electronically interferes with the 2018 midterm election on Nov. 6, according to current and former senior U.S. officials who are familiar with the plan.

In preparation for its potential use, U.S. military hackers have been given the go-ahead to gain access to Russian cybersystems that they feel is needed to let the plan unfold quickly, the officials said.

The effort constitutes one of the first major cyberbattle plans organized under a new government policy enabling potential offensive operations to proceed more quickly once the parameters have been worked out in advance and agreed among key agencies.

While U.S. national-security officials have so far reported only intermittent efforts by Russian sources to compromise political organizations and campaigns, they have been worried—in the aftermath of Russia’s digital contact with U.S. election systems in 2016—that Moscow might unleash more aggressive interference in the hours before voting begins, while the polls are open, or when the votes are being tabulated.

The existence of such a plan means that America is more fully integrating offensive cyberattacks into its overall military planning systems, a move likely to make cybercombat more likely and eventually more commonplace, sometimes without first gaining specific presidential approval. Cyberattacks are now on a more obvious path, in short, to becoming a regular currency of warfare.

The plan for retaliation against Russia is one of the first to be organized since President Donald Trump signed an executive order in August that simplifies and shortens the review for such operations. It has the effect—according to those familiar with the process—of giving the Pentagon additional prerogatives to prepare for strikes. It also preemptively addresses traditional intelligence community concerns that cyberattacks will compromise ongoing or future intelligence-gathering by exposing U.S. data collection operations.

The officials declined to provide details about what the United States will do in response to Russian interference in the election. But administration officials have made clear that the trigger for a broader response would have to be something more than “malign influence... trying to sway peoples’ opinion or the way people might vote,” as a senior administration official put it on a call with reporters on Oct. 31 organized by the White House. “This is something that has happened since the dawn of the republic.”

Social-media influence operations, widely used by Russia in 2016 and again over the past two years, were the focus of an indictment by the Justice Department of Russian national Elena Alekseevna Khusyaynova unveiled Oct. 19, in which she was charged with conspiring with others against the United States.

The senior official clarified that it would be direct interference—efforts to tamper with voting registration and recording votes—that would bring “swift and severe action.” The reason, the official said, is “that fundamentally wrecks the natural process that we have established in this country.” That official didn’t describe what the U.S. action would be.

In 2016 Russian hackers tried to break into the election systems of at least 21 states, although some were not notified by Washington until September 2017. In at least one state, Illinois, Russian hackers managed to gain access to voter registration data, although state officials said that none of the information was altered. Several other state systems were rumored to have been breached, although none have publicly confirmed it.

Officials say the new Trump cyberoperations order, National Security Presidential Memorandum 13 (NSPM 13), is designed to allow Defense Secretary James Mattis and Director of National Intelligence Dan Coats to approve retaliatory strikes without the approval of others in the government, and in certain cases without White House approval.

It replaces an Obama-era executive order that required more extensive review before cyberweapons could be used offensively, called Presidential Policy Directive 20 (PPD 20). That order was classified but became public when former National Security Agency contractor Edward Snowden leaked it in 2013, as part of a broader effort by him to expose the scale of American cyberspying.

One of the key, unpublicized consequences of the new directive is that military planners can prepare for cyberstrikes—as called for in interagency agreements in advance—by gaining access to the computer systems of potential targets well before any order has been given to attack, or even before a foreign attack has occurred, the officials said. That access is meant to pave the way for deploying malware—packages of compromising computer instructions—swiftly inside foreign networks and servers, when a decision is made to proceed.

According to the officials’ accounts, military planners in the past were sometimes held back by the intelligence community from hacking into foreign networks for fear of compromising access that spies considered useful for collecting information, particularly when it was uncertain whether any offensive operation would eventually be approved. With only a small number of skilled military hackers available, they were also hesitant to invest time in gaining access to systems not explicitly part of an approved strike.

Obama’s order allowed for emergency defensive actions by the heads of U.S. agencies, but required a much more protracted process for the premeditated deployment of cyberweapons. Major attacks had to be directly approved by the president, while other smaller operations required the signoff of three committees including a policy coordination committee, the National Security Council’s Deputies Committee and the Principals Committee, which military officials complained included agencies without a direct connection to the issues associated with cyberattacks.

“The Department of Defense (DoD) would get frustrated when Transportation, or another agency, would weigh in on things they wanted to do,” a former national security official who worked for both Democratic and Republican presidents said. “If DoD wanted to have access and be ready, they were hamstrung.”

One of the U.S. officials used an analogy to describe the new approach: Spy agencies, the official said, sometimes try to place an agent in a service position at a facility run by an adversary. That agent’s assignment would be to learn access codes, map the facility and conduct wide surveillance of its operations, copy sets of keys, and perhaps unlock doors. That information and access would allow the intelligence agency, in theory, to sneak a bomb into the facility when it wants to.

This is what the military is now authorized to do after an interagency agreement has been reached that a particular major threat exists that might warrant a swift and effective cyberresponse, the officials said. It essentially is meant to ensure that U.S. cyberwarriors can quickly drop off weapons when needed. “You don’t need to pre-position something if you have the right access,” said one of the officials.

While some officials and cyberexperts have said that certain offensive cyberoperations risk violating international law, because of the possibility they might cause collateral damage and harm civilians outside target networks, government lawyers have approved the new approach after deciding that letting the military hack into a foreign system is not an act of war, so long as a cyberweapon hasn’t yet been emplaced and the specific system being targeted isn’t actually destroyed.

While declining to discuss specifics about the new directive or any potential cyberoperations, Grant Schneider, a senior director for cybersecurity at the National Security Council, said in an interview after an appearance at a public event that advance military planning would help speed up cyber-responses. “It allows for agencies to start making plans sooner, start identifying potential targets sooner, and start being able to have impacts sooner,” he said.

NSPM 13, which remains classified, was the backbone of Trump’s new National Cyber Strategy, a mostly unclassified public document which was released in September.

That strategy was rolled out with descriptions from National Security Adviser John Bolton of a more aggressive use of cyberweapons, consistent with his general foreign-policy stance since taking the job in April. At that time officials declined to provide any specifics on how the new policy would make cyber-response faster, or cut down on red tape, but claimed it would do both.

During a press conference on September 20 to roll out the new cyberstrategy, Bolton said that “for any nation that’s taking cyberactivity against the United States, they should expect, and this is part of creating structures of deterrence, so that it's publicly known as well, we will respond offensively as well as defensively.” During a speech on Oct. 31, he said the United States was “right now undertaking offensive cyberoperations” to safeguard the election, without detailing what those are.

Source