The Trump administration came in with a fair bit of cyber-sabre rattling. Last spring, the Department of Defense elevated the status of Cyber Command to let it do more offensive work. Then there was the August 2018 classified presidential order that made it easier for the military to engage in offensive cyber operations, followed by the new National Cyber Strategy and Department of Defense cyber strategy, both issued in September 2018, which emphasized the importance of taking preemptive actions against adversaries in cyberspace and “defending forward” to “persistently contest malicious cyber activity.” But, so far, the administration’s bark appears to be worse than its byte.
In the Washington Post this week Ellen Nakashima reports on one of the first offensive operations run by Cyber Command under these new policies—an effort to take the Russian Internet Research Agency offline during the 2018 midterm elections. The IRA, based in St. Petersburg, is a private company that, according to an indictment filed last year by Robert Mueller, did extensive social media work for the Russian government during the 2016 U.S. elections to stir up controversy, generate protests, and criticize Hillary Clinton.
For instance, employees of the IRA and other co-conspirators allegedly created the Twitter account “March for Trump” and the Facebook accounts “Clinton FRAUDation” and “Trumpsters United.” They also allegedly ran an Instagram account called “Woke Blacks” and posted on it the message: “[A] particular hype and hatred for Trump is misleading the people and forcing Blacks to vote Killary. We cannot resort to the lesser of two devils. Then we’d surely be better off without voting AT ALL.” The indictment also describes their alleged role in purchasing political advertisements on social media sites, using PayPal accounts created with stolen identities, saying things like “Hillary is a Satan, and her crimes and lies had proved just how evil she is.” The IRA was not named in a separate indictment of GRU Russian intelligence agents who allegedly hacked Democratic National Committee and Democratic Congressional Campaign Committee servers as well as email accounts belonging to Hillary Clinton campaign officials and volunteers during the 2016 election.
Yet it was the IRA that apparently bore the brunt of Cyber Command’s newfound offensive powers during the 2018 midterms, according to Nakashima’s reporting. And the result of the attack was that the organization’s internet access was blocked for a brief window, on the day of the election and “a day or so afterward,” in order to defend against any IRA efforts to “cast doubt on the results.” But most of the IRA disinformation tactics seem designed to sow confusion and influence voters prior to casting their votes.
All of which is just to say: This was a fairly timid operation for an administration that has pushed for some pretty aggressive language and policies. Instead of going after the GRU, the unit that seems to be responsible for actual hacking activities, Cyber Command went after its social media counterpart, the IRA. Instead of actually deleting any of their records or stealing or releasing any of their files, Cyber Command merely interrupted their online access for a brief period. U.S. officials told Nakashima, “The blockage was so frustrating to the [IRA] trolls that they complained to their system administrators about the disruption.” In other words, it was a bit of a nuisance—it prompted a nasty email or two to the company sysadmin. But nothing even close to the kind of national soul-searching and hand-wringing that Russia’s offensive cyber operations have generated in the United States.
That’s not a bad thing. A cautious strategy of forbearance in cyberspace makes a lot of sense given that the United States is not clearly dominant in this domain. In fact, it’s vulnerable because it relies heavily on computer-based infrastructure. We potentially have more to lose than we do to gain by needling adversaries like Russia and North Korea into launching more aggressive attacks directed at those critical infrastructure systems. Still, it’s striking that the Trump administration has chosen to go this temperate route given all its cyber bombast about offensive operations and forward defense.
In October, we learned that Russian intelligence agents had received pop-up messages alerting them to the fact that the U.S. government knows who they are and what they’re up to.
Tactics like that and the brief internet outage may not turn out to be the most effective means of deterring other countries from using online avenues of attack against the United States, but they’re certainly some of the more prudent options in terms of their restraint. In fact, they resemble the kinds of operations that were carried out during the Obama administration’s notably cautious use of cyber tactics, including shutting off internet access for North Korea following the 2014 Sony Pictures breach.
Last September, national security adviser John Bolton said at a press conference that thanks to the Trump administration’s new cyber policies, “Our hands are not tied as they were in the Obama administration.” In practice, however, despite all the aggressive posturing and the flurry of new policies, the Trump administration’s use of offensive cyber operations seems to still be following the Obama-era playbook of judicious, small-scale interventions. The U.S. cyber strategy has certainly gotten more aggressive on paper, but in cyberspace it appears to be the same as it always was—which may be for the best.