USCYBERCOM Strikes Back
Learn more about how the US is fighting back in an open, offensive cyber campaign.
For the first time, it seems the United States has executed an open, offensive cyber campaign against a foreign target. Multiple sources have reported over the past few days, and are reporting today, that the US Cyber Command attacked the Internet Research Agency during the mid-term elections to prevent Russian manipulation of social media.
Overall, this aligns with the Trump administration's hawkish position on offensive cyber capabilities. In August of 2018, President Trump signed an order reversing Presidential Rule 20. Presidential Rule 20, enacted by the Obama administration, assembled a large, complex network of approvals needed for cyber operations, essentially making offensive cyber operations bureaucratically impossible. The Trump administration, guided by John Bolton, removed many of these restrictions and vastly simplified the process, leading us to where we are today.
Interestingly, both the United States and Russia have confirmed these operations, which seemed to target the ability of the Internet Research Agency, an organization widely regarded to be an Internet propaganda arm of the Russian government, to effectively execute offensive propaganda operations. These operations are widely believed to have changed the dynamics of the last presidential race while also fanning the flames of domestic partisan political division.
The attacks themselves seem to have been targeted, information destruction attacks. The impact of the attacks is difficult to define, but there did seem to be much less interference in the congressional mid-term elections in the United States than there had been previously. That said, however, major social media and technology companies have increased efforts to curtail this kind of thing as well, making attribution for the shortfall in Internet social manipulation difficult to define.
The attacks do seem to be a measured response to ongoing cyber/social attacks engineered by and executed from the Internet Research Agency. As such, they are unlikely to unleash anything but a proportionate response. That said, advanced threat groups, like APT28 and 29, have been prosecuting more destructive attacks against Western organizations and infrastructure over the past decade, so "proportionate" is difficult to define.
This is the biggest risk of cyber engagement today.
These kinds of cyber interactions are prosecuted in a grey area of first-of-breed nation-state interaction. Internationally, we have yet to collectively define appropriate responses for cyber attacks, and this makes this kind of interaction, even in relatively benign cases like this, risky. In this case, it seems clear that no specific retribution is warranted, and escalation is very unlikely. But this becomes much less clear if countries start attacking critical physical or economic infrastructure, especially at scale. Large-scale system degradation of this kind can easily escalate into the kinetic realm, particularly if cyber attacks generate physical casualties. After all, hospitals need power too, as do plumbing systems in large urban areas. The city I live in, for example, is built on the side of a mountain, and all water is pumped from lower areas to higher. A week without power, especially in the summer, will lead to fatalities.
Though not widely reported, this is a significant step forward in cyber-political interaction and heralds a widespread recognition of cyber as a policy tool.