WASHINGTON — The Pentagon has quietly empowered the United States Cyber Command to take a far more aggressive approach to defending the nation against cyberattacks, a shift in strategy that could increase the risk of conflict with the foreign states that sponsor malicious hacking groups.
Until now, the Cyber Command has assumed a largely defensive posture, trying to counter attackers as they enter American networks. In the relatively few instances when it has gone on the offensive, particularly in trying to disrupt the online activities of the Islamic State and its recruiters in the past several years, the results have been mixed at best.
But in the spring, as the Pentagon elevated the command’s status, it opened the door to nearly daily raids on foreign networks, seeking to disable cyberweapons before they can be unleashed, according to strategy documents and military and intelligence officials.
The change in approach was not formally debated inside the White House before it was issued, according to current and former administration officials. But it reflects the greater authority given to military commanders by President Donald Trump, as well as a widespread view that the United States has mounted an inadequate defense against the rising number of attacks aimed at America.
It is unclear how carefully the administration has weighed the various risks involved if the plan is acted on in classified operations. Adversaries like Russia, China and North Korea, all nuclear-armed states, have been behind major cyberattacks, and the United States has struggled with the question of how to avoid an unforeseen escalation as it wields its growing cyberarsenal.
Another complicating factor is that taking action against an adversary often requires surreptitiously operating in the networks of an ally, like Germany — a problem that often gave the Obama administration pause.
The new strategy envisions constant, disruptive “short of war” activities in foreign computer networks. It is born, officials said, of more than a decade of counterterrorism operations, where the United States learned that the best way to take on al-Qaida or the Islamic State was by destroying the militants inside their bases or their living rooms.
The objective, according to the new “vision statement” quietly issued by the command, is to “contest dangerous adversary activity before it impairs our national power.”
Pushing U.S. defenses “as close as possible to the origin of adversary activity extends our reach to expose adversaries’ weaknesses, learn their intentions and capabilities, and counter attacks close to their origins,” the document says. “Continuous engagement imposes tactical friction and strategic costs on our adversaries, compelling them to shift resources to defense and reduce attacks.”
Another Pentagon document, dated May 2017, provides a legal basis for attacking nuclear missiles on the launchpad using “nonkinetic options” — meaning a cyberattack or some other means that does not involve bombing a missile on the pad or otherwise blowing it up.
The policy was issued two months after The New York Times revealed that the Obama administration had developed an extensive “left of launch” capability to attack North Korea’s missiles using cyber and electronic warfare, though it was unclear how well the strategy was working. The new Pentagon legal strategy was first reported by The Daily Beast.
As the Defense Department elevated the Cyber Command to a unified combatant command, a status equal to the Indo-Pacific Command, the European Command and the Special Operations Command, among others, it declared that most of its 133 “cyber mission teams” were combat-ready after years of development.
But most of those teams protect Defense Department networks. Offensive cyberaction by the United States has been relatively rare, a reflection of the time it takes to mount operations and the fact that only the president can approve any use of a cyberweapon that is likely to have significant effects. Those operations have included disabling another nation’s nuclear facilities or its missiles, as the United States has attempted in Iran and North Korea, or disrupting the communications of groups like the Islamic State.
The president’s sole authority to authorize the use of those weapons is similar to his authority to launch nuclear weapons, a recognition that cyberweapons, even if less powerful than nuclear arms, can have broad, unintended effects.
Under the Trump administration, the traditional structure of White House oversight of U.S. offensive and defensive cyberactivities is being dismantled. Days after taking office in April, the new national security adviser, John R. Bolton, forced out the homeland security adviser, Thomas P. Bossert, in part because of his discomfort that Bossert had direct access to the president. Bolton then eliminated the position of White House cybercoordinator, who had overseen the complex mix of cyberactivities run by the U.S. government.
The last person who held the job, Rob Joyce, had previously run the Tailored Access Operations unit of the National Security Agency — the covert “special forces” of America’s cyberoperations, which has mounted attacks on critical foreign targets, from Iran’s nuclear facilities to North Korean missile testing sites. Joyce returned to the NSA.
U.S. intelligence agencies have identified cyberthreats as the No. 1 risk facing the United States — they have ranked ahead of terrorism for years now in the annual worldwide threat assessment provided to Congress, even before the Russian intrusion into the election. But the White House declared that it did not need a separate cybercoordinator because the issues are included in many other programs. A young National Security Council staff member, with scant experience in the topic, now oversees offensive cyberissues.
The U.S. Cyber Command was created partly in response to a Russian hacking attack that long predated the 2016 election. In the fall of 2008, Russian intelligence agencies penetrated SIPRNet, the Pentagon’s secret internal network; that led to a rush to consolidate several cyberprograms into a command. The Chinese, meanwhile, were stealing weapons designs, including blueprints for the F-35, America’s most expensive fighter jet.
Cyber Command is based at Fort Meade, Maryland, alongside the National Security Agency, but it has been criticized for being far too dependent on the NSA’s hacking skills.
A decade later, it is under new command, led by Gen. Paul Nakasone. He was a junior officer in the command’s early days and was deeply involved in one of its first big classified projects, “Nitro Zeus”: the plan to use cybertools, among other things, to take down Iran’s air defenses, its communications systems and its power grid if a conflict broke out. To prepare for that day, if it ever happened, the United States tunneled deep inside Iran’s grids, and even Revolutionary Guards Corps command-and-control systems. It was a huge mission, involving hundreds of troops and civilians.
The program was never activated; the 2015 Iran nuclear agreement avoided conflict. But now that Trump has announced that he is abandoning the accord, many of those plans are being dusted off, according to several officials.
Nakasone, in his confirmation hearings in March, made clear that a more aggressive approach to opponents in cyberspace would be needed, though he gave few details. “By conducting operations to frustrate and counter adversary cyberactivities to decrease will, increase cost and deny benefits,” he said, the United States could begin to deliver more decisive blows with its attacks.
The same month, Gen. John E. Hyten, head of Strategic Command, said in testimony that if the United States was going to defend itself in cyberspace, it needed clear rules of day-to-day engagement.
“Cyberspace needs to be looked at as a warfighting domain,” he said, “and if somebody threatens us in cyberspace, we need to have the authorities to respond.” His statement seemed to reflect a view that the current legal authority is too slow.
There is little debate inside the government’s sprawling community of cyberwarriors and defenders that the United States needs to step up its game: It did not see the Russian hack of the 2016 election coming, or North Korea’s “WannaCry” attack last year, which crippled the National Health Service in Britain and rippled around the world, partly driven by stolen U.S. cyberweapons.
But the risks of escalation — of U.S. action in foreign networks leading to retaliatory strikes against U.S. banks, dams, financial markets or communications networks — are considerable, according to current and former officials. Trump has shown only a cursory interest in the subject, former aides say, not surprising for a man who does not use a computer and came of age as a business executive in a predigital era. Efforts to rewrite the main document governing the presidential authorities in the cyberarena — Presidential Policy Directive 20, signed by Barack Obama — have faltered in the chaos of Bolton’s decision to oust the key players.
“It is essentially a ‘forward defense’ approach,” Jason Healey, who runs the cyber initiative at Columbia University in New York, said recently. “Clearly, what we have been doing so far isn’t working. But you want to think through the consequences carefully.”
The chief risk is that the internet becomes a battleground of all-against-all, as nations not only place “implants” in the networks of their adversaries — something the United States, China, Russia, Iran and North Korea have done with varying levels of sophistication — but also begin to engage in daily attack and counterattack.