12 November 2020

U.S. Tried a More Aggressive Cyberstrategy, and the Feared Attacks Never Came

David E. Sanger

From its sprawling new war room inside Fort Meade, not far from Baltimore-Washington International Airport in Maryland, United States Cyber Command dived deep into Russian and Iranian networks in the months before the election, temporarily paralyzing some and knocking ransomware tools offline.

Then it stole Iran’s game plan and, without disclosing the intelligence coup behind the theft, made public a part of Tehran’s playbook when the Iranians began to carry it out.

Now, nearly a week after the polls closed, it is clear that all the warnings of a crippling cyberattack on election infrastructure, or an overwhelming influence operation aimed at American voters, did not come to pass. There were no breaches of voting machines and only modest efforts, it appears, to get inside registration systems.

Interviews with government officials and other experts suggest a number of reasons for the apparent success.

One may be that the United States’ chief adversaries were deterred, convinced that the voting infrastructure was so hardened, Facebook and Twitter were so on alert, and Cyber Command and a small group of American companies were so on the offensive that it was not worth the risk.

But there is another explanation as well: In the 2020 election the distinction between foreign and domestic interference blurred. From early in the campaign, President Trump did more to undermine confidence in the system’s integrity than America’s rivals could have done themselves.

And in the aftermath, Mr. Trump’s baseless accusations, amplified by conservative news media outlets, have only intensified, leaving the Russians and the Iranians with the relatively easy task of bouncing his messages back into the echo chamber of social media.

“A lot of the disinformation that voters consume originates from within our own country,” said Jeh C. Johnson, a secretary of homeland security under President Barack Obama. “All foreign adversaries need to do is aid and abet and amplify.”

Mr. Trump and his allies, it turns out, were the chief purveyors of the kind of election misinformation that the F.B.I., the Department of Homeland Security and American intelligence officials were warning about. He was also the one actor they could not mention, much less try to neutralize. That was left to the online platforms, mostly Twitter, which placed warnings on many of his posts.

In an Election Day conversation with journalists, Gen. Paul M. Nakasone, the commander of Cyber Command and the director of the National Security Agency, said he was “very confident in the actions that have been taken against adversaries over the last several weeks and several months to ensure they are not going to interfere in our elections.”

He said the National Security Agency was also watching for efforts by foreign adversaries to prod extremist groups to violence — a concern that remains.

Yetover the subsequent few days, before the election was called in favor of Joseph R. Biden Jr., General Nakasone and other officials avoided questions about whether their commander in chief was feeding the very forces they were working to defeat.

In interviews, Democrats and Republicans who have been deeply involved in the effort to harden American defenses and put the United States on offense say it is possible that the country is beginning to figure out what works to deter cyberattacks.

They give credit to General Nakasone and Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security. Mr. Krebs spent the past two years persuading states and social media companies to bolster their defenses against attacks.

ImageGen. Paul M. Nakasone, the commander of U.S. Cyber Command, employed pre-emptive steps to deter cyberattacks from foreign adversaries.Credit...T.J. Kirkpatrick for The New York Times

Once the election is officially certified, the military will complete its “after action” reports. The most interesting will most likely be classified. But in interviews with a variety of key players, a few lessons are already emerging.

The first is that General Nakasone’s aggressive new posture — which Cyber Command describes with terms like “persistent engagement” and “defend forward” — may be working. The phrases refer to going deep inside the computer networks of adversaries, whether that means the Internet Research Agency, the Russia-based group that mounted the 2016 influence campaigns; the G.R.U., Russia’s military intelligence agency; or Iran’s increasingly active cybercorps.

Once inside, Cyber Command can use its access to hunt for operations that are being planned — or to conduct what amount to pre-emptive strikes.

The United States has launched such strikes before, of course, against Iran’s nuclear program, North Korea’s missiles and, during the 2018 elections, the Internet Research Agency, which ran the influence campaign that aided Mr. Trump in 2016. But there was no significant cyberretaliation, at least that became public, ordered by the Obama administration surrounding the 2016 election, even though the administration knew that Russian actors were stealing data and scanning voter registration systems.

This time General Nakasone did not wait for much evidence to roll in before acting.

He went after Trickbot, a widely used set of tools written by Russian-speaking criminal groups that he believed could be used to lock up registration systems or computer sites of secretaries of state, which count ballots.

So did Microsoft, which obtained court orders against Trickbot. Together, the military and private sector actions, which appear to have been largely uncoordinated, disrupted the network of the criminal groups in October, leaving them hampered in any potential attacks against election infrastructure.

Is this helpful?

Officials familiar with the operations say there were also attacks directed at a Russian state-run group called Energetic Bear, or Dragonfly, that has long been inside American electric utilities and has redirected its hacking skills toward state and local governments.

Senator Angus King, a Maine independent who helped lead a bipartisan effort to draw lessons from the rising tempo of cyberattacks, said Cyber Command’s more active approach had an effect.

“I have felt for years what was lacking in our cyberdefense was a deterrent,” Mr. King said. “And we are getting closer to having that deterrent. I want our adversaries to have to think hard about what they are going to do because they know there is going to be some results that will be a cost to be paid.”

General Nakasone would not confirm specific operations. But he said he would take his victories in small doses, by knocking adversaries offline, even temporarily, to make it hard for them to launch an attack. “I look at it more as are we imposing a degree of costs that is making it more difficult for them to do their operations?” he said.

So did Mr. Krebs, who worked on shoring up defenses at home.

Mostly that meant placing federal government sensors on many computer networks and getting cities and states, which were easy targets four years ago, to toughen up.

By the week before the election, Mr. Krebs came to believe that the Russians might want to sit out this election, since everyone was looking for their actions.

“I wouldn’t tell you we are going to stop them,” he said a few weeks ago. “But we can make it a lot harder to attack,” a process that some strategists call “deterrence by denial” because the attackers cannot gain enough access to alter events — or in this case votes.

Image
Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, urged states and election authorities to bolster their defenses.Credit...Amr Alfiky for The New York Times

Mr. Krebs, said Senator Mark Warner of Virginia, the top Democrat on the Intelligence Committee, “made the case to registrars and secretaries of state around the country, including some pretty right-wing ones, that the threat was real.”

Another big change in strategy this year was a willingness to expose adversaries publicly. It is something the Obama administration was also reluctant to do in 2016, when it avoided naming China as the country that stole 22 million files on government employees, or Russia as the source of attacks on the Pentagon, the White House and the State Department.

This year, William R. Evanina, the official put in charge of election security by the Office of the Director of National Intelligence, called out Russia, China and Iran for their efforts to interfere in the elections.

Though criticized by Democrats for not being specific enough, and appearing to equate Iran with much more talented cyberadversaries, Mr. Evanina’s releases put both the public and America’s rivals on notice about what was afoot, including warning that Russia was again trying to assist Mr. Trump.

Mr. Evanina’s announcements in July and August were followed by an announcement in October by John Ratcliffe, the director of national intelligence, that Russian groups had probed state and local networks and that Iran had tried to influence the election by sending spoofed emails as part of a campaign he said was intended to hurt Mr. Trump.

“Naming and shaming the bad actors that are trying to mess with us is a key part of a coherent deterrence strategy,” said Representative Mike Gallagher, the Wisconsin Republican who along with Mr. King led the Cybersecurity Solarium Commission.

Mr. Ratcliffe’s announcement was followed by Cyber Command’s secret operations to interfere with the operations of the Russian group and take down, at least temporarily, the Iranian hacking group tied to Tehran’s Islamic Revolutionary Guards Corps.

American officials said that while Iran opposed Mr. Trump’s re-election, its hackers were hardly playing at Russia’s level. The emails and text messages they tried to send to Americans contained so many spelling, syntax and grammatical errors that they seemed unlikely to fool their targets. Even had they not been taken offline, they posed no threat to turn the result of the elections.

It is evidence of why Iran, as multiple U.S. officials noted, remains far less of a threat than Russia.

Iran’s actions were an attempt to “rattle our cage” and not a real attempt to change outcomes, said Glenn S. Gerstell, a former general counsel of the National Security Agency.

No comments: