CYBERCOM Apparently Got Half-Baked Ideas for Christmas

Note: This blog has been updated since I wrote it at approximately 3:00 AM.

I am increasingly loathe to write blogs, mostly due to the combination of time required and a lack of stories that generate sufficient interest on my part to get me to overcome the time commitment hurdle — I usually just do an obnoxiously long Twitter thread. But then, I read the Washington Post’s latest on what CYBERCOM is apparently considering as deterrent measures against Russian interference in the 2020 U.S. elections. After going through three attempts to write appropriately substantive, albeit admittedly snarky, Twtter threads, I decided this justified a quick (if not still loosely structured) blow-by-blow of my feelings on this.

I will make a banner statement up top: (1) I do see the value in the tactics described in the article (primarily for offensive counterintelligence as opposed to changing the behavior of an entire government), but not as an election inference deterrent given the reported targeting scope and (2) my thoughts here are going to be incomplete. What follows are chronological block quotes from the article and my immediate reactions to each.

One option being explored by U.S. Cyber Command would target senior leadership and Russian elites, though probably not President Vladimir Putin, which would be considered too provocative, said the current and former officials who spoke on the condition of anonymity because of the issue’s sensitivity. The idea would be to show that the target’s sensitive personal data could be hit if the interference did not stop, though officials declined to be more specific.

Rather than call these “influence operations” or “information operations”, which they are at a very granular level, I am going to just calling this “doxxing” — because at the end of the day it’s designed to employ the same fundamental dynamics against targets. Doxxing any of these targets below Putin in an effort to stop an election interference campaign is, put briefly, a waste of time in 2019–2020. We can be almost certain that Putin himself demanded the current election interference campaign and any underlings (official or unofficial) who hesitate in execution of their respective tasks in this effort will simply be replaced, one way or another. The key decision-maker is Putin and he, along with his national security apparatus, has already seen that if they power through that they can reap major effects from this kind of activity against an American audience.

“When the Russians put implants into an electric grid, it means they’re making a credible showing that they have the ability to hurt you if things escalate,” said Bobby Chesney, a law professor at the University of Texas at Austin. “What may be contemplated here is an individualized version of that, not unlike individually targeted economic sanctions. It’s sending credible signals to key decision-makers that they are vulnerable if they take certain adversarial actions.”

I agree with Bobby Chesney’s view here on what the Russians are doing when they place implants in U.S. critical infrastructure — I’ve even given a talk on it! However, I think drawing similarities between that activity, which is deeply multifaceted in its drivers, and this is not necessarily the best parallel. I like the “targeted economic sanctions” analogy a little bit better, but again only on a functional level. The “sending credible signals to key decision-makers” element I think breaks down because again, Putin and his service chiefs are the key decision-makers. These ops won’t target Putin and any ops that target service chiefs (e.g., Alexander Bortnikov at FSB, Sergey Naryshkin at SVR, Igor Kostyukov at GRU) will be ones they will be expected to ride out if they want to keep their positions. Ops targeting mid-level officials or the heads of specific capacities might create mild operational drag if it leads to personnel replacement because Ivan Ivanovich is spooked by text messages referencing his embezzlement of service funds, but he will be replaced by the next guy on the rung below rather quickly.

Again, the idea of “credible signals” breaks down because it demonstrates on the part of CYBERCOM a lack of understanding of contemporary Russian intelligence strategic culture — another topic I’ve addressed before. Mark Galeotti summed it best in his “wartime mindset” analysis, which he has since expanded on multiple times to include an increasing centrality of active measures, in that operational risk-taking is increasingly the norm for Russian intelligence services. It is a complex calculus to think that this doxxing might deter individual officials when the operational and organizational culture around them demands they accept substantive personal risk in the conduct of their duties. Hang-on-tight thinking is alive and well in the Russian intelligence community.

The intelligence community last month issued a classified update — a “national intelligence estimate” — asserting that Russia’s main goal in the 2020 campaign continues to be to sow discord. “It’s always been about exacerbating fault lines in our society,” one senior U.S. official said.

Image for post
Image for post
We go live to my reaction.

In the past year, Congress and the Trump administration have eased restraints on the military’s use of cyber-operations to thwart foreign adversaries…“[CYBERCOM]’s foray into influence operations reflects an evolution in thinking. “It’s a really big deal because we have not done a good job in the past of integrating traditional information warfare with cyber-operations,” Chesney said.

In the olden times, this would’ve been a Title 50 covert action, meaning it would be run by CIA and subject to an exceptionally rigorous legal and coordination framework by statute. But since we live in the “YOLO CYBER” time of NSC45, these operations would likely be Title 10 clandestine military operations. I am concerned by that shift for the reasons in the above tweets from myself and Jason Kichen, as well as the fact that I think trying to coerce foreign officials outside of wartime by doxxing them should be the responsibility of an intelligence agency rather than a military combatant command. But that’s just me.

Beginning in October 2018, CYBERCOM used emails, pop-ups and texts to target Russian Internet “trolls” who were seeding disinformation on U.S. social media platforms. The trolls worked for the Internet Research Agency, a private entity controlled by a Russian oligarch close to Putin. CYBERCOM also messaged hackers working for Russian military intelligence, indicating that their identities were known and could be publicized. Although the command did not sign its messages, the Americans knew there would be no mistaking who had sent them, officials said at the time.

When the trolls persisted, CYBERCOM, beginning on Election Day and for at least two days afterward, knocked their servers offline, The Washington Post previously reported. The Americans also sent messages aimed at spreading confusion and discord among research agency operatives, including computer system administrators. Some workers were so perturbed that they launched an internal investigation to root out what they thought were insiders leaking personnel information, according to U.S. officials.

I stand by my take from when the 2018 activity story originally broke:

My further thoughts can be found in that thread and its replies, but a targeted campaign of aggressive texting and LAN shutdowns doesn’t equate to disrupting key assets the roles of which would have essentially been completed by the operational dates described in reporting. Also, mean-texting a GRU officer isn’t going get them to stop operating; being exposed is literally a core element of the risk model they accept when they become intelligence officers. I have yet to see any evidence to suggest the 2018 activity by CYBERCOM did anything meaningful besides generate political dividends for the administration and CYBERCOM itself.

The new options contemplate targeting key leaders in the security services and the military and potentially some oligarchs. The messaging would be accompanied by a limited cyber-operation that demonstrates the Americans’ access to a particular system or account and the capability to inflict a cost, said individuals familiar with the matter. The message would implicitly warn the target that if the election interference did not cease, there would be consequences.

Like I’ve repeated above, doxxing people below Putin here is not likely to generate any effects besides maybe some personnel shuffles and accompanying low-grade operational degradation. As long as Putin wants 2020 election interference to happen, he will find people who will make it happen regardless of personal risk. As to the “limited cyber-operation” described, that is the only measure I saw in the whole article that seemed to might have the desired impact, but it would depend on the target and nature of the intrusion.

The options do not envision any attempt to influence Russian society at large, which officials saw as having limited success given Putin’s control of the country, including much of the media.

Some see the new options as potentially effective at altering a key official’s decision-making calculus without being hugely escalatory because they do not seek to foment a popular uprising, which is Putin’s big fear, analysts note.

This is ceding ground to Putin on his biggest fears. He fears nothing more than loss of control and desires nothing more than preservation of his regime. While it is true that state control/influence over the Russian public’s information is substantial, it is not complete. Do you really want to deter Putin’s desire to meddle in 2020? Figure out a way to let him know that the size of his private wealth and how he acquired it can be made common knowledge to the average Muscovite. That is a cost he will actually have to consider before deciding to incur.

[Addendum: Since I first published this blog, I was offered some thoughtful critiques about the tone and language I used in this section in particular. I did not mean to imply that the “wealth option” of operations would shake the foundations of Putin’s rule. Rather, that it — despite being a weak option — is more likely to be meaningful as a potential deterrent since it would impact Putin directly and create concerns about what other information had been acquired on him that could be potentially released. Still, I don’t think targeting Putin would necessarily work in this context either, because the key logic there is sending a message suggesting the ability to degrade his praetorian interests but a lack of desire to truly follow through unless he does something particularly egregious. Not only is figuring out how to convey that a messaging and planning nightmare, but the definition of “something particularly egregious” remains an unformed U.S. red line the crossing of which would lead to concentrated effects-based operations against a foreign head of state.]

Another possibility involves disinformation aimed at exploiting rivalries within the Russian government and power elites.

It appears that Fiona Hill left the NSC and everyone forgot about the truth of the “mutually assured incrimination” dynamic she described as Putin deploying to control power elites. The resultant control model is enforced by the entire praetorian power structure of the Putin government, particularly the FSO and the FSB’s Economic Security Service. Good luck with accomplishing that kind of rivalry exploitation on such a scale that it can meaningfully degrade Russia’s ability to capitalize on oligarch resources to engage in election interference.

Image for post
Image for post
Circumstances wherein I’d believe this is meaningfully feasible.

Any operation would be reviewed by other agencies, including the State Department and CIA, and require the defense secretary’s approval. It would be aligned with other potential U.S. efforts, such as sanctions or indictments, officials said.

So…is this supposed to describe a covert action coordination framework just ending up at the Pentagon rather than the White House-by-way-of-Langley? Why not just do it via the existing covert action statutory framework and let this be an opportunity for CYBERCOM to slipstream effectively with CIA’s Center for Cyber Intelligence?

Cyber-operations alone are usually not sufficient to transform an adversary’s behavior.

Can we swap “usually not” for “essentially never”?

No single office within the Defense Department oversees cyber, electronic warfare and psychological operations. So this month, Congress created a Senate-confirmed position of principal information operations adviser to coordinate strategy and policy in this area across the Pentagon and with other agencies.

Image for post
Image for post
Fitting image to end on.

Happy holidays.

Written by

Open source counterintelligence referent. Views here are personal, not my employer’s. All original content © Alex Orleans, 2014–2021.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store