Walter Pincus is a contributing senior national security columnist for The Cipher Brief. He spent forty years at The Washington Post, writing on topics from nuclear weapons to politics.
OPINION — “How do we establish deterrence in the cyber space?” “How do we raise costs on our adversaries so that these [cyber] attacks get down to a manageable level?”
These questions, similar to what I and many people have been raising, will be part of the conversation between President Joe Biden and Russian President Vladimir Putin when they meet in Geneva on Wednesday. More on that in a moment.
Let’s first go back to last Thursday, when those exact questions were asked by Rep. Mike Waltz (R-Fla.) during the Fiscal 2022 Defense Intelligence Posture Hearing of the House Armed Services Subcommittee on Intelligence and Special Operations.
Waltz, a former Green Beret Army officer who has also served as counterterrorism advisor to Vice President Dick Cheney, used the last five minutes of a one-hour-and-thirty-minute virtual hearing to get some answers during a dialogue with Gen. Paul Nakasone, Commander, U.S. Cyber Command and Director of the National Security Agency (NSA), one of three witnesses at the session.
Earlier in the hearing, Waltz pointed out that terrorist attacks in the mid-to-late 1990s were “viewed as a criminal issue and we [the military] couldn’t apply Title 10,” which outlines the legal role of the armed forces under statutes. As a result, Waltz said, it was not until the 9/11 attacks on the Pentagon and the World Trade Center towers when “obviously we changed our view.” He added, “It seems to me we may need to do the same – that these [cyber hackers] are dual-use criminal entities.”
Waltz later made clear what he meant by saying, “That [after 9/11] was a whole sea change transition that we had to make against terrorist groups, where we were trying to arrest Osama bin Laden’s inner circle around the world rather than take action and target them militarily.”
“Whether this [cyber hacking] is a criminal activity or whether this is an attack on the United States, I don’t think many American people see a big distinction. If the interface or control center for a pipeline [as with Colonial Pipeline] is taken out from a missile, sabotage or cyber.” Waltz indicated the American public’s concern is “who’s on the other end of it; if it’s coming from a foreign actor, many of whom moonlight as criminals but are also [foreign] intelligence officers or even have military affiliations or could be surrogates.”
Waltz then said to Nakasone, “The question is: do you have the authority to take action militarily if given the order?”
Nakasone replied that as head of Cyber Command, he has the authority to collect intelligence outside the United States and has the authorities to operate outside the United States. “I have all that I need,” he said referring to National Security Presidential Memorandum 13 (NSPM 13) of 2018, and legislative language adopted in the fiscal 2019 National Defense Authorization Act.
NSPM 13 essentially allows for presidential delegation of defined authorities to the Defense Secretary to conduct sensitive military operations in cyberspace. Congress reinforced that in legislation that gave the Defense Secretary authority to “develop, prepare, and coordinate; make ready to…conduct, military cyber activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, to defend the United States and its allies, including in response to malicious cyber activity carried out against the United States or a United States person by a foreign power.”
In March 2020, DoD General Counsel Paul C. Ney, Jr. explained how these two authorities that Nakasone cited would work — and note that this explanation came early in the 2020 Presidential election time frame.
Ney said, “A core part of DoD’s mission to defend U.S. elections consists of defending against covert foreign government malign influence operations targeting the U.S. electorate.” Much of NSA’s effort, he said, involves defensive actions such as sharing collected intelligence about adversary cyber activities with the Department of Homeland Security (DHS) and the FBI.
On the offense side, Ney raised the question: “What about a U.S. military cyber operation to disrupt a foreign government’s ability to disseminate covertly, information to U.S. audiences via the Internet by pretending that the information has been authored by Americans inside the United States? Can we conduct such an operation in a manner that contributes to the defense of our elections but avoids impermissible interference with the right of free expression under the First Amendment—including the right to receive information?”
Ney answered, “We believe we can.” And Cyber Command apparently did, as Nakasone pointed out last Thursday, saying there was no Russian interference in the 2020 election as there had been in 2016. That was the result of what Ney earlier described as DoD’s adoption of the “defend forward” strategy where the U.S. “will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” Nakasone had nine teams abroad during the 2019-2020 election period working to prevent interference with the presidential election.
On Thursday, referring specifically to the issue of ransomware, Nakasone said, “How do we do what we are already doing outside the United States, being able to share that with the FBI, DHS, private sector…[and] be able to get after our adversaries who are targeting our critical infrastructure like we’ve seen over the past several months? This is the area right now that the [Biden} administration’s working toward in terms of understanding who’s going to have the lead and how are going to deal with this…DoD will certainly have a role operating outside the United States, I would imagine.”
Waltz’s view was, “Until we go on offense, we will not be able to establish deterrence.” He later added, “This is obviously a matter of policy and political will…should we decide to, as a country, should the administration decide to, take military action against what some are classifying as criminal actors.”
Nakasone responded, “My role is obviously as the commander of U.S. Cyber Command is to provide a series of options, just like any other combatant commander.”
Back to this week’s meeting between President Biden and President Putin.
Secretary of State Anthony Blinken, appearing Sunday on CBS’ Face the Nation, made clear that he expected that Russian-based ransomware attacks on U.S. entities would come up in the discussions with Putin and that the plan is “to make clear that any country that harbors these groups – that that is not a sustainable position – and we are going to need to take action to stop that. On ABC’s This Week, Blinken said Biden “is going to make…very clear to President Putin, we are looking for Russian cooperation in dealing with these criminal organizations to the extent they’re operating from Russian territory.”
Putin has already prepared his response. Appearing on Russian state TV channel Rossiya-1 on Sunday, Putin said Moscow and Washington must “assume equal commitments” in transferring suspects, saying, “Russia will naturally do that but only if the other side, in this case the United States, agrees to the same and will also extradite corresponding criminals to the Russian Federation.”
My bet is that dealing with ransomware attacks operating from Russia will turn out to be a job for U.S. Cyber Command and the FBI.
Read more expert-driven national security opinions, insight and perspective in The Cipher Brief