By Zachary Fryer-Biggs, Center for Public Integrity
The U.S. intelligence community and the Pentagon have quietly agreed on the outlines of an offensive cyberattack that the United States would unleash if Russia electronically interferes with the 2018 midterm election on Nov. 6, according to current and former senior U.S. officials who are familiar with the plan.
In preparation for its potential use, U.S. military hackers have been given the go-ahead to obtain whatever access to Russian computer systems they believe is needed to let the plan unfold quickly, the officials said.
The effort constitutes one of the first major cyberbattle plans organized under a new government policy enabling potential offensive operations to proceed more quickly once the parameters have been worked out in advance and agreed among key agencies.
While U.S. national-security officials have so far reported only intermittent efforts by Russian sources to compromise political organizations and campaigns, they have been worried—in the aftermath of Russia’s digital contact with U.S. election systems in 2016—that Moscow might unleash more aggressive interference in the hours before voting begins, while the polls are open, or when the votes are being tabulated.
The existence of such a plan means that America is more fully integrating offensive cyberattacks into its overall military planning systems, a move that makes cybercombat more probable and eventually more commonplace, sometimes without first gaining specific presidential approval. Cyberattacks are now on a more obvious path, in short, to becoming a regular currency of warfare.
The plan for retaliation against Russia is one of the first to be organized since President Donald Trump signed a presidential memorandum in August that simplifies and shortens the review for such operations. It has the effect—according to those familiar with the process—of giving the Pentagon additional prerogatives to prepare for strikes. It also preemptively addresses traditional intelligence community concerns that cyberattacks will compromise ongoing or future intelligence-gathering by exposing U.S. data collection operations.
The officials declined to provide details about what the United States will do in response to Russian interference in the election. But administration officials have made clear that the trigger for a broader response would have to be something more than “malign influence... trying to sway peoples’ opinion or the way people might vote,” as a senior administration official put it on a call with reporters on Oct. 31 organized by the White House. “This is something that has happened since the dawn of the republic.”
Social-media influence operations, widely used by Russia in 2016 and again over the past two years, were the focus of a criminal complaint by the Justice Department against Russian national Elena Alekseevna Khusyaynova unsealed Oct. 19, in which she was charged with conspiring with others to defraud the United States.
The senior official clarified that it would be direct interference—efforts to tamper with voting registration and recording votes—that would bring “swift and severe action.” The reason, the official said, is “that fundamentally wrecks the natural process that we have established in this country.” That official didn’t describe what the U.S. action would be.
In 2016 Russian hackers tried to break into the election systems of at least 21 states, although some were not notified by Washington until September 2017. In at least one state, Illinois, Russian hackers managed to gain access to voter registration data, although state officials said that none of the information was altered. Several other state systems were rumored to have been breached, although none have publicly confirmed it.
Officials say the new Trump cyberoperations order, National Security Presidential Memorandum 13 (NSPM 13), is designed to allow Defense Secretary James Mattis and Director of National Intelligence Dan Coats to approve retaliatory strikes without the approval of others in the government, and in certain cases without White House approval.
It replaces an Obama-era directive, Presidential Policy Directive 20 (PPD 20), that required more extensive review before cyberweapons could be used offensively. That directive was classified but became public when former National Security Agency contractor Edward Snowden leaked it in 2013, as part of a broader effort by him to expose the scale of American cyberspying.
One of the key, unpublicized consequences of the new directive is that military planners can prepare for cyberstrikes—as called for in interagency agreements in advance—by gaining access to the computer systems of potential targets well before any order has been given to attack, or even before a foreign attack has occurred, the officials said. That access is meant to pave the way for deploying malware—packages of compromising computer instructions—swiftly inside foreign networks and servers, when a decision is made to proceed.
According to the officials’ accounts, military planners in the past were sometimes held back by the intelligence community from hacking into foreign networks for fear of compromising access that spies considered useful for collecting information, particularly when it was uncertain whether any offensive operation would eventually be approved. With only a small number of skilled military hackers available, they were also hesitant to invest time in gaining access to systems not explicitly part of an approved strike.
Obama’s order allowed for emergency defensive actions by the heads of U.S. agencies, but required a much more protracted process for the premeditated deployment of cyberweapons. Major attacks had to be directly approved by the president, while other smaller operations required the signoff of three committees including a policy coordination committee, the National Security Council’s Deputies Committee and the Principals Committee, which military officials complained included agencies without a direct connection to the issues associated with cyberattacks.
“The Department of Defense (DoD) would get frustrated when Transportation, or another agency, would weigh in on things they wanted to do,” a former national security official who worked for both Democratic and Republican presidents said. “If DoD wanted to have access and be ready, they were hamstrung.”
One of the U.S. officials used an analogy to describe the new approach: Spy agencies, the official said, sometimes try to place an agent in a service position at a facility run by an adversary. That agent’s assignment would be to learn access codes, map the facility and conduct wide surveillance of its operations, copy sets of keys, and perhaps unlock doors. That information and access would allow the intelligence agency, in theory, to sneak a bomb into the facility when it wants to.
This is what the military is now authorized to do after an interagency agreement has been reached that a particular major threat exists that might warrant a swift and effective cyberresponse, the officials said. It essentially is meant to ensure that U.S. cyberwarriors can quickly drop off weapons when needed. “You don’t need to pre-position something if you have the right access,” said one of the officials.
While some officials and cyberexperts have said that certain offensive cyberoperations risk violating international law, because of the possibility they might cause collateral damage and harm civilians outside target networks, government lawyers have approved the new approach after deciding that letting the military hack into a foreign system is not an act of war, so long as a cyberweapon hasn’t yet been emplaced and the specific system being targeted isn’t actually destroyed.
While declining to discuss specifics about the new directive or any potential cyberoperations, Grant Schneider, a senior director for cybersecurity at the National Security Council, said in an interview after an appearance at a public event that advance military planning would help speed up cyber-responses. “It allows for agencies to start making plans sooner, start identifying potential targets sooner, and start being able to have impacts sooner,” he said.
NSPM 13, which remains classified, was the backbone of Trump’s new National Cyber Strategy, a mostly unclassified public document which was released in September.
That strategy was rolled out with descriptions from National Security Adviser John Bolton of a more aggressive use of cyberweapons, consistent with his general foreign-policy stance since taking the job in April. At that time officials declined to provide any specifics on how the new policy would make cyber-response faster, or cut down on red tape, but claimed it would do both.
During a press conference on September 20 to roll out the new cyberstrategy, Bolton said that “for any nation that’s taking cyberactivity against the United States, they should expect, and this is part of creating structures of deterrence, so that it's publicly known as well, we will respond offensively as well as defensively.” During a speech on Oct. 31, he said the United States was “right now undertaking offensive cyberoperations” to safeguard the election, without detailing what those are.
According to sources, the new directive, NSPM 13, is designed around the idea of pre-approved Concepts of Operation, one of the first of which is the plan to act against Russia if key red lines are crossed. The concepts set the types of targets and the boundaries for types of action through coordination between agencies.
It doesn’t require a full meeting of Cabinet officials and can exclude some of the decision makers who were part of the PPD 20 process. Most of the coordination will take place between the Office of the Director of National Intelligence, the Pentagon, and the Department of Homeland Security, according to sources.
“The concept is that you would approve a category of activities against a defined adversary, that would be pre-approved by the appropriate people, within some left-and-right bounds,” one of the officials said. Once a concept is approved, an agency can scout a target and gain access, and sometimes might go ahead and take action with limited notice to other coordinating agencies.
While several Obama-era officials said that the new approach sounded like a step in the right direction, others cautioned that a procedure providing earlier approval with fewer consulting officials could mean that larger concerns about an offensive cyberoperation won’t be heard.
“We’re in a really deep deterrence hole to Russia right now. The costs we have imposed have been flea bites, and so we’re not affecting [Russia’s] calculus,” Michèle Flournoy, a former Pentagon policy chief and co-founder of the Center for a New American Security think tank, said in an interview. “They aren’t feeling very threatened.” But she added that “where I would be concerned is if authorities [for offensive operations] were delegated down to a low level, and it was absent a larger strategy.”
A former senior official who served in the Trump White House separately expressed concerns that the military might not understand that cyberweapons are only one of many tools available for responding to a cyberattack. “They have to have some understanding that we don’t just build tools to wreak havoc,” the official said.
Chris Painter, who served as the top U.S. “cyber diplomat” at the State Department from 2011 to 2017, said the Obama administration deliberately sought extensive interagency consultation “to make sure that we were considering all the different policy aspects.” But he agrees that the procedures could have been streamlined.
Schneider, the NSC official, said that the perception was that PPD 20 slowed down the potential use of cyberweapons. “The old process, in PPD 20, whether it was in reality or in lore, was that everything was going to have to go to the president’s desk in order to do anything. And getting on the president’s desk is a challenge, and so that sapped time away from what they wanted,” he said.
But the biggest fights, according to several former officials, came between intelligence leaders trying to protect streams of information coming from adversaries’ networks and military leaders looking to strike.
“In practice, whenever we came up with a scenario where we wanted to take action, they [intelligence officials] spent most of their time arguing that any action could harm their access,” one of the former national-security officials said.
Asked about protection against Russian election meddling during the rollout of the new cyberstrategy, Bolton pointed to the new directive as helping unleash U.S. capability. “It’s one of the reasons why our decision to reverse this PPD 20 from the Obama administration on offensive cyberactions, we think, is so important,” Bolton said. “Our hands are not tied as they were in the Obama administration.”
Here’s how the process works: Military planners and cyberexperts from the civilian intelligence agencies start by finding weaknesses in widely used software. Whether each weakness is disclosed to the software maker so it can be fixed, or retained for the government’s own use, is then decided through an interagency review called the Vulnerabilities Equities Process.
Its general outlines were disclosed in late 2017, when public documents stated that government hackers tell software makers about roughly 90 percent of the vulnerabilities they find while testing nearly every widely used piece of software. A former official familiar with the program confirmed that figure, noting that there is some monthly fluctuation, and saying that many of the public security fixes included in operating system updates are actually first uncovered by government hackers.
“The 10 percent we keep is for our national security purposes,” a former White House official said. “We keep them for a reason.”
The military and intelligence agencies then exploit those retained vulnerabilities whenever they need to break into systems. The public got a hint of the kind of access government hackers can obtain when a set of exploit tools attributed to the National Security Agency was obtained by a group calling itself the Shadow Brokers, which released them publicly beginning in 2016. One of those tools, the EternalBlue exploit for a flaw in Microsoft’s SMB file-sharing protocol that Microsoft had already patched in March 2017, served as the backbone of the WannaCry attack two months later, which the Trump administration publicly blamed on North Korean hackers and which eventually spread to some 300,000 computers in 150 countries.
U.S. officials have never publicly claimed responsibility for the use of cyberweapons, although reports have tied U.S. government hackers to disruption of North Korea’s and Iran’s nuclear programs.
The Center for Public Integrity is a nonprofit investigative news organization in Washington, D.C.