1 November 2018

Not Cyber Offensive Enough


U.S. Cyber Command has started launching its first offensive operations against Russian operatives trying to hack the midterm elections. Judging from the news accounts so far, I’d say they’re not quite offensive enough.

According to articles this week in the New York Times and Washington Post, Cyber Command has notified oligarch-funded hackers (or perhaps the oligarchs themselves, it’s not clear) that we know who they are and see what they’re doing. Beyond that, the stories report, no direct threats have been made, but it’s implied that the U.S. could indict or sanction the guilty parties.

This may deter further meddling if the contacted hackers like to travel in the West. Last week, U.S. prosecutors filed criminal charges against the chief accountant of a large company run by Yevgeny Prigozhin, an oligarch known as “Putin’s chef.” It’s a good start, but indictments are a limited tool; the Kremlin won’t be extraditing the accountant, much less the oligarch.


Getting serious requires cranking up the volume—melting the hackers’ servers, corrupting their networks, harassing them. Precedents can be found in NATO’s campaign, in the late 1990s, against Serbian dictator Slobodan Milosevic. This was mainly a bombing campaign—an air war to dislodge him from power—but it also involved some very secretive information warfare operations, which I wrote about in my 2016 book, Dark Territory: The Secret History of Cyber War. The ops were run by a joint CIA-NSA organization called the Information Operations Center and a secret unit inside the Pentagon’s Joint Staff called J-39, with some help from Britain’s NSA counterpart, the Government Communications Headquarters.

The piece of this operation that has contemporary relevance was a successful attempt to pressure Milosevic’s business cronies into backing away from him. These cronies were essential to keeping Milosevic in power. J-39 sent a letter to one of them, the owner of a copper mine, warning that his mine would be bombed if he didn’t stop supporting the dictator. The owner didn’t respond. Not long before this, a CIA contractor had invented a device, made from long strands of carbon fiber, that short-circuited electrical wire on contact. This device was dropped on the mine. The damage was short-lived, and the repair was easy, but the message was effective. The donor instantly cut off contact with Milosevic.

Of course that operation was pulled off in the context of a war. We’re not at war with Russia; we’re not going to threaten to bomb a Putin crony engaged in hacking, but there are methods short of physical destruction. In another, especially pertinent case, a European satellite company was carrying the broadcasts of pro-Milosevic TV stations. A senior officer in U.S. Europe Command told the company’s chairman that 80 percent of his board members were from NATO nations. When the chairman recited how much the Serbian stations were paying him, the American officer offered to pay $500,000 more if he shut the stations down. The chairman complied. These days, with the embarrassing publicity about hackers’ easy access to satellite TV and social media, a bribe probably wouldn’t be necessary.
Cyber Command could devise a scheme that put serious pressure on individual operatives without prompting some massive reprisal.

The Times story notes that Cyber Command’s offensive operations to date have been limited, in part to avoid provoking the Kremlin into retaliating by, say, disrupting the U.S. power grid. Information ops and counterops are a delicate business; modern societies are glass houses when it comes to cyber vulnerability, and the United States is glassier than most. During the Serbian campaign, President Bill Clinton considered hacking into Milosevic’s banking accounts—U.S. intelligence agencies knew where he kept his money, just as they almost certainly know today where Vladimir Putin keeps his money—but Cabinet secretaries advised against the move, warning that blowback could roil financial markets.

But the goal here is not to loosen Putin’s hold on power but merely to stop, or significantly reduce, the hacking into our elections. Certainly some imaginative strategists at Cyber Command or one of the associated agencies could devise a scheme that put serious pressure on individual operatives without damaging Putin’s regime and thus prompting some massive reprisal.

One obstacle to taking this campaign a step further may be the Trump administration’s mixed messages on U.S. policy toward Russia broadly. This past summer, President Donald Trump signed a directive that revised orders, in place since George W. Bush’s time in office, requiring presidential approval for all cyber-offensive operations. Under the new directive, the secretary of defense and the commander of Cyber Command have wide latitude to conduct these operations at their own initiative. Nonetheless, Cabinet secretaries and combatant commanders like to stay within the boundaries of the president’s overall strategy; and when it comes to messing with Putin and his oligarchs, it’s not at all clear what that is.

To adapt Clausewitz’s dictum to modern life, war—including cyber-offensive operations short of war—is the continuation of policy by other means. Our current muddle—in all sorts of spheres, not just cyberspace—stems from the mess in the White House.

No comments: