The CIA can conduct covert cyber attacks against Russia and China. So what happens when they hack us?
Experts say a strong cyber offense can decrease cyber attacks against the homeland. We explore the effects of cyber covert action in the context of the SolarWinds hack and others.
A recent opinion piece by former CIA and NSA director General Michael V. Hayden, former Secretary of Homeland Security Tom Ridge, and others expounded on the theme that a strong national cyber offense can decrease cyber attacks against U.S. critical infrastructure.[1] Still reeling from the exceptionally damaging revelations of Russian-backed hacks of U.S. information technology company SolarWinds, this piece arrives at a time Americans are acutely aware of their cyber vulnerabilities and how far nation-states will go to exploit them.
Using the Hayden piece as a starting point, we look at the CIA’s authorities to conduct covert action in the cyber domain to explore nation-state cyber activities writ large and how they impact the status quo, national security, and opportunities for policy development. Buckle up.
It’s hard to obtain (cyber) permission
Yahoo News last year published an account of a 2018 presidential finding that expanded the covert action authorities of the Central Intelligence Agency (CIA) in cyberspace. This reportedly aggressive presidential finding was considered a victory for the CIA, whose unique charter makes the agency the premier covert action force within the United States Government.
These expanded covert action authorities come at a critical inflection point in the cyber domain, as evidenced by the recent SolarWinds hack:
After years of malicious cyber activity targeting U.S. critical infrastructure, hackers linked to Russia recently infiltrated numerous American companies and federal government agencies, including the Departments of Homeland Security and Commerce, the Treasury and the Pentagon. This attack compromised national security and is costing business and the government untold millions or billions of dollars in damages. This litany of increasingly sophisticated cyber intrusions by Russia, China and others makes it clear that we are in a cyber conflict and our cyber defenses alone are insufficient to protect our critical infrastructure. It is time to reassess our national approach to cyber protection and ensure that our efforts include a strong defense and, importantly, a commitment to using offense capabilities, both cyber and non-cyber, to impose consequences on those who would do us harm.[2]
While this secret presidential finding was signed in 2018, it remains particularly impactful given the broad authorizations it affords the CIA in the largely unregulated domain of cyber warfare. For us today, that means authorizing the CIA any number of options it can employ in the cyber realm to respond to the SolarWinds hack and other acts that blatantly threaten U.S. national security, as Gen. Hayden and Mr. Ridge advocate.
Much to our chagrin as officers, ensuring our teams had the proper authorities and approvals to conduct intelligence operations was and still is paramount. This finding therefore greatly increases the number of tools available to the CIA for its critical role in shaping policy, the effects of which covert action typically produces in real time. And as we’ve seen with how effective cyber attacks can be (“untold millions or billions of dollars in damage”), this ability is prized and also quite difficult to come by. Such bureaucratic freedom to more easily conduct and authorize one’s own covert cyber operations largely removes significant hurdles and restrictions that previously required the CIA to receive authorization from the White House.
If all you have is a hammer, better find the nails
While such presidential findings undoubtedly streamline the bureaucratic processes and procedures in place to authorize and conduct covert action in cyberspace, we absolutely must examine the unintended consequences of such a policy. We are significant supporters of limiting the existence and authority of bloated middle management in government systems but also wish to explore what potential “blowback” effects such policy changes could entail.
For starters, we need to clearly delineate covert action in cyberspace from the more "standard" collection of foreign intelligence that various members of the intelligence community are chartered to conduct. Rather than collect information that informs policy and decision-making, covert action seeks to generate policy effects in foreign nations. Any covert offensive cyber operations the CIA (or others) conducts aim to actively disrupt, degrade, or otherwise impose "costs" on adversary systems or networks — much like several potent examples that have seen the light of day in recent years.
Take the famous alleged U.S.-Israeli Stuxnet attack against Iran in 2009, for example — a covert cyber operation that generated tangible (and deliberately harmful) effects against its intended target. In the Stuxnet attack, Iranian centrifuges used to enrich uranium for its nuclear weapons program were physically destroyed through precise application of offensive cyber capabilities (paired with other intelligence disciplines as well, of course, but we’re mostly concerned with cyber here). This happened by allegedly introducing advanced malware to nuclear sites that slightly manipulated centrifuge speeds with destructive effects. Pretty neat, but also pretty damaging.
And such covert cyber operations are not new. The U.S. itself has experienced the negative — and highly intangible yet destructive — effects of covert cyber operations when the 2016 U.S. presidential election was targeted. In that instance, malign actors operating at the behest or direction of Russian intelligence services conducted an offensive cyber operation that stole troves of sensitive documents from the U.S. Democratic Party and leaked them to Wikileaks.
While the effects of such covert action are still being politicized, debated, and discussed in U.S. public discourse in the aftermath of the election, they ultimately impose intangible costs on U.S. democracy, its processes, and its national sentience.
Additional insights into covert action undertaken by nation-states in cyberspace can be gleaned from extensive Israeli actions to battle Iranian attempts at regional hegemony, by way of targeting various facets of the Iranian nuclear program (in addition to Stuxnet). Beginning with the assassination of Iranian nuclear scientists over the years, Israeli covert action has evolved to generate tangible effects from the cyber domain that are beneficial to maintaining the balance of power in the region.
Such is the inherent and hidden risk in the realm of cyber warfare: It is an unregulated, complexly interdependent, fragile, and largely vulnerable domain that does not even require a state-level of sophistication or capability to disrupt. Indeed, disruptive cyber actions create second and third-order effects, thereby multiplying the damage caused.
Indeed, the Iranian regime at one point last year was scrambling to characterize a number of unexplained explosions, fires, and other suspected acts of sabotage that struck various infrastructure across the country. Specifically, Iran experienced damage to a structure at the nation's top nuclear facility in Natanz, where centrifuges required for uranium enrichment were assembled. It also experienced an explosion at a missile production facility, a chlorine gas leak at a chemical plant, and explosions at two power plants. At one point, an aluminum factory in an industrial city also caught fire, in addition to a fire that broke out at a petrochemical plant in a different province.
But it’s not just Iran. A small town in Florida recently made headlines after a hacker attempted to manipulate certain chemicals in the city’s automated water treatment facility, raising many questions as to the security and vulnerabilities of other U.S. critical infrastructure across the nation. From AP News:
A hacker’s botched attempt to poison the water supply of a small Florida city is raising alarms about just how vulnerable the nation’s water systems may be to attacks by more sophisticated intruders. Treatment plants are typically cash-strapped, and lack the cybersecurity depth of the power grid and nuclear plants. A local sheriff’s startling announcement Monday [9 February 2021] that the water supply of Oldsmar, population 15,000, was briefly in jeopardy last week exhibited uncharacteristic transparency. Suspicious incidents are rarely reported, and usually chalked up to mechanical or procedural errors, experts say. No federal reporting requirement exists, and state and local rules vary widely.[3]
While events in Iran have likely been minimized (or attributed to Israel), and could very well not be acts of sabotage but mere accidents, they still speak to the very real and damaging potential effects of covert cyber warfare conducted with the resources and power of nation-states. And while likely the work of a single amateur individual, the water treatment plant vulnerability in Florida is a potentially grave reminder of cyber’s potency at home.
What happens when everyone uses offensive cyber?
This is the realistic lens through which the expanded CIA covert action authorities — and indeed, any nation-state cyber activity — must be examined. While we could argue that the proverbial cat is already well "out of the bag," entrance into the global fray of yet another highly capable nation-state will almost certainly lead to unquantifiably higher levels of disruption and escalations across cyberspace (and easily across "borders"). This disruption will grow as operational capacity builds (or as actors gain or steal the expertise required), given the difficulty in isolating effects across such an amorphous and interdependent domain.
Increasing Russian reliance on the use of cyber attacks as an effective means of power projection serves as an exemplar for such a phenomenon, as do rapidly expanding Iranian, North Korean, and Chinese malign cyber activities. This is not a new observation, nor is it that revelatory. Yet, such is the challenge facing policy-makers as national mechanisms of power are increasingly leveraged in the cyber domain. More players, more noise, more opportunities for catastrophic occurrences.
As we can observe across the world stage, the nature of cyberspace brings inherent difficulties when viewed through traditional lenses. The following are some problematic concepts when it comes to cyberspace and cyber warfare: the definition of property and infrastructure; delineating "borders"; implementing effective deterrence; mitigating vulnerabilities in national infrastructure; and defining roles and responsibilities for defense against cyber warfare.
It is our present opinion (subject to change) that the expanded CIA covert authorities, while a well-intentioned, necessary, and even slightly delayed measure when compared to the practices of chief adversaries such as China and Russia, will ultimately only contribute to the introduction of more "noise" into the global domain of cyber warfare.
This means that cyber, as an expression of state power, is almost a double-bind tool for its users: necessary and effective in the short term, but it comes with unintended and immeasurable consequences that only help to further redefine and expand previously established norms surrounding its use. Much like the proliferation of nuclear expertise and weaponry, a nation-state’s cyber capability will have vast effects on the Internet, its use, and how the domain functions for years to come.
When the gloves come off: total cyber war
As it stands, U.S. statecraft appears to largely apply arguably outdated policies of deterrence as a means to ensure national cyber defense. Indeed, nations are still forming their cyber policies in real-time, informed partially by their cyber “engagements” with other nations on the global stage. Arguably, it is the threat of unknown costs and consequences that so far appears to restrain most states from entering into total cyber war with an adversary. Thus, most cyber actors seek to mis-attribute or conceal their operations, as we saw with the Stuxnet attack or the recent SolarWinds hack. However, we don’t expect this norm to last.
It will be critical for the United States and Western nations to rapidly expand and improve their defensive cyber capabilities, and to use offensive cyber warfare for extremely limited, precise, and deliberate purposes — restraint is the name of the game. As Gen. Hayden and Mr. Ridge identify, we are most certainly already in the throes of undeclared cyber conflict, and iterating towards whatever real-time policy will come to define as an open or declared cyber war with a nation-state adversary.
We are in a time of global policy development and growth, where maintaining cyber primacy is a necessary but exhausting national-level race amongst 21st century adversaries — not unlike that of the Cold War arms or space races. And we can expect both the private and public sectors to have to jump on board — along with any other entity that maintains a presence online. Given the interconnected nature of internet devices (e.g. Internet of Things, 5G, etc.), a vulnerability anywhere is but another thread on which an adversary can pull to potentially yield damaging effects elsewhere against a harder target.
Critically, the balance between offensive and defensive cyber operations as expressions of state power must be explored and formed into coherent policy — yesterday. Such intentional policy guidance is needed in order to maintain sufficiently low levels of nation-state conflict that decrease the propensity for total war in the cyber domain.
We are an informal publication of Signature Management Unit, a private intelligence, risk, and security firm from Milwaukee, Wisconsin.
[1] https://thehill.com/opinion/cybersecurity/539085-a-strong-offense-can-decrease-cyber-attacks-on-critical-infrastructure
[2] Ibid.
[3] https://apnews.com/article/business-water-utilities-florida-coronavirus-pandemic-utilities-e783b0f1ca2af02f19f5a308d44e6abb