On Jan. 29, the heads of six agencies in the U.S. intelligence community delivered annual testimony in front of the Senate intelligence committee about global threats to U.S. national security. As could be expected, the nature and scope of contemporary cyber threats and electoral security were of significant interest at the hearing, which included the director of national intelligence, the CIA director, and the FBI director. The DNI is scheduled to provide similar testimony in front of the Senate Armed Services Committee on Feb. 6.
The annual worldwide threats briefing provides the public with insight into the usually secret world of U.S. intelligence. The majority of intelligence products, assessments, and reports are classified and (excluding leaks) rarely made available to the public. Intelligence briefings to Congress are often conducted in a closed setting to allow for the protection of sensitive and classified information. Even funding of the intelligence community is mostly classified: The public knows the total budget appropriated to the intelligence agencies in a given fiscal year—approximately $81.5 billion in Fiscal 2018—but how this budget is allocated among particular programs and activities is classified.
The annual briefing on global threats is one of the few instances where senior intelligence officials respond to questions presented by members of Congress in an open forum. Although the briefing does not include intelligence sources or methods, or other classified information—the hearing is typically followed by a closed session in the afternoon where these issues can be discussed—it does provide a better understanding of how the community understands our adversaries and perceives our own vulnerabilities. Director of National Intelligence Dan Coats submitted a lengthy written statement describing the broad range of threats facing the United States, including the threats posed by the Islamic State, al-Qaeda, homegrown violent extremists, counter-space weaponry, drug trafficking, and the proliferation of weapons of mass destruction. Coats’s written statement also addressed less conventional threats, such as pandemic flu and contagious diseases, human displacement, and weak economic growth.
The Intelligence Community’s Assessment of Cyber Threats
The written statement provided by Coats began with a general discussion on the cyber threats facing the United States. According to Coats, “[o]ur adversaries and strategic competitors will increasingly use cyber capabilities—including cyber espionage, attack, and influence—to seek political, economic, and military advantage over the United States and its allies and partners.” He also briefly addressed how cyber threats have evolved. In that section, Coats concluded that foreign adversaries have expanded their traditional cyber espionage and intelligence activities and “are now becoming more adept at using social media to alter how we think, behave, and decide.” Coats’s written statement reflected the conclusions of the recently published National Intelligence Strategy, which states that “[d]espite growing awareness of cyber threats and improving cyber defenses, nearly all information, communication networks, and systems will be at risk for years to come,” and “[o]ur adversaries are becoming more adept at using cyberspace capabilities to threaten our interests and advance their own strategic and economic objectives.”
Coats identified China and Russia as “pos[ing] the greatest espionage and cyber attack threats” to the country, but also warned of the threats presented by Iran and North Korea. This point does not substantially deviate from the information that Coats provided during his 2017 and 2018 briefings to Congress. In addition, it is consistent with a 2016 statement by former DNI James Clapper, which described these four countries as “leading threat actors.”
China. In a departure from recent years, this is the first time the DNI’s written statement at the worldwide threats briefing has addressed the cyber threat posed by China prior to addressing the threats posed by Russia. More specifically, Coats indicated that China “presents a persistent cyber espionage threat and a growing attack threat to our core military and critical infrastructure systems” and “remains the most active strategic competitor responsible for cyber espionage” against the U.S. government and American companies and allies. This description was a departure from the content of Coats’s 2018 briefing to Congress, which described China’s cyber operations against the United States as “ongoing,” but “at volumes significantly lower than before the bilateral U.S.-China cyber commitments of September 2015.”
Coats also described one type of cyber threat with particular specificity: “China has the ability to launch cyber attacks that cause localized, temporary disruptive effects on critical infrastructure—such as disruption of a natural gas pipeline for days to weeks.” His reference to pipeline vulnerabilities may be significant, as it came shortly after the GAO issued a report that was highly critical of TSA’s ability to secure domestic pipelines against cyber threats. The GAO report found that “TSA does not have a strategic workforce plan to help ensure it identifies the skills and competencies — such as the required level of cybersecurity expertise — necessary to carry out its pipeline security responsibilities.”
Russia. With regard to Russia’s cyber capabilities and intentions, Coats’s written statement largely mirrored his testimony from previous years. “Russia poses a cyber espionage, influence, and attack threat to the United States and our allies,” he testified, and “Moscow continues to be a highly capable and effective adversary, integrating cyber espionage, attack, and influence operations to achieve its political and military objectives.” Coats discussed Russia’s ability to use cyber tactics to successfully attack domestic critical infrastructure, such as disrupting the electric grid, and he emphasized Russia’s previous cyber attacks against Ukraine’s electric infrastructure in 2015 and 2016 as evidence of Russia’s capability and willingness to do so.
Iran. Coats’s written statement stated that the Iranian government continues to present a threat from both a cyber espionage and cyber attack perspective. Coats also noted that Tehran uses increasingly sophisticated cyber techniques to conduct espionage, though he did not describe them in any detail. Similar to his assessment on Russia, Coats informed the senators that Iran is seeking “to deploy cyber attack capabilities that would enable attacks against critical infrastructure in the United States and allied countries.”
North Korea. Unlike in previous years, North Korea received the least attention in the DNI’s cyber threat assessment. Coats reiterated conclusions from previous years and stated that North Korea has the ability to conduct disruptive cyber attacks against the United States and others. He also emphasized that North Korea focuses its cyber operations against financial institutions as a means for the revenue-strained government to generate funding. For analytical support, Coats cited Pyongyang’s 2016 cyber theft of approximately $81 million from Bangladesh’s central bank, the same North Korean cyber operation he cited in his 2017 briefing to Congress. On the other hand, Coats did not make any reference to the June 2018 indictment of North Korean hacker Park Jin Hyok, who is alleged to have been involved in the Bank of Bangladesh heist, as well as other cyber operations that Coats has addressed in previous briefings to Congress, such as the 2017 WannaCry ransomware attack and the 2014 Sony Pictures breach.
Non-State Actors. Last, Coats’s written statement addresses the cyber threats posed by non-state and unattributed actors, such as criminals and terrorists. As in years past, the DNI indicated that cyber criminals will continue to conduct cyber operations against domestic organizations to seek monetary gains. Although Coats focused on the threat from ransomware in his 2016 briefing to Congress, this year’s written statement did not discuss any particular cyber tactics or techniques. It did, however, address who the intelligence community expects cybercriminals to target. Here, the community “anticipate[s] that financially motivated cyber criminals very likely will expand their targets in the United States in the next few years,” and “[t]heir actions could increasingly disrupt US critical infrastructure in the health care, financial, government, and emergency service sectors.”
Coats indicated that terrorists “could obtain and disclose compromising or personally identifiable information through cyber operations, and they may use such disclosures to coerce, extort, or to inspire and enable physical attacks against their victims.” This was such a significant issue in 2014 that DHS and the FBI reportedly issued a joint intelligence assessment urging military personnel to remove or minimize any personal information on their public-facing social media accounts that could be used by terrorist organizations to identify and try to locate them.
Online Influence and Election Security
This is the first year that the written statement provided by the director of national intelligence, in connection with the annual briefing on global threats, contained a standalone section on how foreign adversaries use social media to influence public opinion and impact U.S. elections. Unfortunately, this section only provides a limited amount of information on the issue. The intelligence community’s 2017 assessment on Russian activities in the 2016 election and the 2018 indictment against Russian intelligence officers provide more detail on Russia’s motivations and tactics for conducting its social media influence campaign.
The key finding is that Russia, China and Iran will continue to use social media as a tool to spread propaganda, create conflict domestically and undermine their adversaries, so long as they determine it is in their interest to do so. Coats’s written statement noted that foreign adversaries “probably will attempt to use deep fakes or similar machine-learning technologies to create convincing—but false—image, audio, and video files to augment influence campaigns directed against the United States and our allies and partners.” However, it is surprising that this conclusion is caveated with the term “probably,” and the intelligence community is not willing to say that the use of such tactics to spread false information online is “likely” (or even “highly likely”) to occur.