Walter Pincus is a contributing senior national security columnist for The Cipher Brief. He spent forty years at The Washington Post, writing on topics from nuclear weapons to politics. In 2002, he and a team of Post reporters won the Pulitzer Prize for national reporting.
OPINION — The worldwide cyber war was on full display last Tuesday during the Senate Armed Services Committee’s confirmation hearing for Kathleen H. Hicks to be Deputy Secretary of Defense.
In the set of pre-hearing written questions to Hicks by Senate Armed Services members and staff, one focus was on the so-called SolarWinds cyber hack. One committee question stated that a U.S. adversary, apparently Russia, used “covertly acquired infrastructure in the United States to communicate with the malware implanted in the targeted U.S. networks. This adversary-controlled infrastructure could communicate with infected machines [inside the U.S.] without arousing suspicion because the domain names and Internet Protocol addresses appeared to be benign.”
Hicks was asked, “Does it concern you that adversary nation states’ military and intelligence agencies control extensive computer network resources inside the United States and use them to evade detection while conducting hostile actions against our government, economy, and social fabric?”
Hicks, in her written response, said, “Yes, it concerns me. Our adversaries are increasingly targeting the seams of our institutions and exploiting gaps in authorities in order to evade detection and increase the effectiveness of their malicious cyber campaigns. This is an urgent and challenging issue, and, if confirmed, I will work with our DoD [Defense Department] components, interagency partners, and Congress to develop further options for eliminating the seams and gaps in our national defenses that our adversaries exploit.”
On January 5, the Trump administration’s National Security Council released a joint statement from the FBI, Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA), which said they believed at that time that the “ongoing cyber compromises of both government and non-governmental networks…was, and continues to be, an intelligence gathering effort.”
In another pre-hearing question to Hicks, the Armed Services writer took that idea a step further, saying that although SolarWinds “was intended as an espionage operation rather than as preparation for a destructive attack on government and industry networks, in addition, a malicious ‘back door’ was installed on 18,000 government and industry enterprises.”
While it still is not clear how the Russians gained access to these thousands of networks in the SolarWinds operation, the federal target list is said to include the Departments of Defense, State, Energy [including the National Nuclear Security Administration], Homeland Security, Treasury, Commerce and the National Institutes of Health.
Relatively few of the SolarWinds targets seem to have been exploited for intelligence, so another committee question to Hicks was, “Because DoD is an extremely important intelligence target for Russia, does it concern you that the intruders apparently chose not to exploit the back doors installed inside DoD?”
In her written reply Hicks said, “Yes, I am concerned. DoD has been, for several decades, and remains a primary target for nation-state cyber operations. The need for effective cyber defense and counterintelligence capabilities is clear.”
However, at last Tuesday’s public hearing when the question about SolarWinds came up, Hicks expanded on her earlier, written response saying, “The way in which adversaries can come at our systems, and the recent Russian hacks to include through SolarWinds demonstrated…they [the alleged Russian hackers] can live in our systems for some time. They can undertake espionage, extract information, and then can turn in many cases, onto what we would think of as offensive approaches.”
Hicks added, “In order for the U.S. to prevent that and deter that, it [the U.S.] also sometimes has to defend forward. That is to say, it has to be living in [adversaries’] systems so that it has the warning, the indicators and warning to know that an attack is imminent. And that’s where this offensive piece becomes important.”
Sen. Angus King (I-Maine) is a member of Armed Services and Co-Chairman of the Cyberspace Solarium Commission which last year filed a report on strategic approaches to defending the United States in cyberspace against cyber attacks of significant consequences. He told Hicks that “actual attacks…are taking place at this very moment,” and “the problem of cyber and deterrence is something that we really haven’t wrestled with very well.”
King continued, “We’re spending billions to deter potential attacks and I don’t think enough attention is being paid to deterring and managing actual attacks that are underway at this very moment.”
The Defense Department’s 2018 Cyber Strategy said, “We will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” The Trump administration, through a 2018 National Security Presidential Memorandum, offered more authority to Gen. Paul Nakasone, the commander of U.S. Cyber Command, easing the limits on conducting offensive cyber operations that had been established during the Obama administration.
There are 133 Cyber Mission Force teams made up of 6,200 personnel, conducting operations — 13 national mission teams that defend the nation; 25 support teams providing analytic and planning support to the national mission teams; 68 cyber protection teams defending DoD networks; and 27 combat mission teams supporting operational plans and contingencies for combatant commanders.
During a May 2019 briefing of reporters, Army Maj. Gen. Karl Gingrich, the Cyber Command director of capability and resource integration, admitted “we lace malware abroad,” meaning invade foreign networks. He further explained how such an “offensive mission” requires a formal approval process that includes “what does our footprint [trackable material] in that context look like” and a “gain/loss perspective.”
“These processes and authorities enabled Cyber Command to actively defend against foreign interference in the elections of 2018 and 2020,” according to another Armed Services Committee statement.
Cyber Command specialists from the U.S., referred to as “Hunt Forward” teams, play a crucial role abroad in the persistent engagement effort aimed at countering malicious cyber activity below the level of warfare. Such teams have partnered in operations abroad with various countries throughout Europe.
For two weeks last fall, such a team conducted a defensive cyber-operation in Estonia with personnel from that country’s Defense Forces Cyber Command. Together, U.S. and Estonian teams hunted for, identified and mitigated malware and malicious cyber actors on critical networks and platforms, according to a December Cyber Command press release. “We then share that malware broadly, not just with the U.S. government but with private cyber security industry and allies, which directly increases the overall security of U.S. critical infrastructure and related networks,” said U.S. Army Brig. Gen. Joe Hartman, Commander, Cyber National Mission Force.
The last pre-hearing cyber question to Hicks was how will employment of “‘defend forward, shape the day-to-day competition, and prepare for war’ concepts deter and disrupt Russia and China’s aggression in cyberspace?”
She replied: “The Department must be proactive to understand an adversary’s cyber operations and capabilities. It must ensure we have better defenses against those capabilities, and when necessary, take action to disrupt an adversary’s malicious activities.”
The cyber war continues with no end in sight.