Offensive cyber operations

What to Make of Cyber Command’s Operation Against the Internet Research Agency

By Ben Buchanan
Thursday, February 28, 2019, 1:02 PM

On February 26, Ellen Nakashima of the Washington Post reported what had been speculated for some weeks: that U.S. Cyber Command undertook an offensive cyber campaign to protect the 2018 midterm elections. An unnamed government official told her that on the day of the 2018 midterm election, Cyber Command shut down internet access at the Internet Research Agency (IRA), the Russian troll farm that ran an influence operation targeting Americans before the 2016 presidential elections. The American hackers “shut them down.” The purpose of doing so, Nakashima reported, was “to prevent the Russians from mounting a disinformation campaign that casts doubt on the results.”

While the public does not know exactly what kind of operation Cyber Command conducted, it is likely that it included an effort designed to degrade the Russian operational ability. By disrupting the IRA’s internet connectivity and/or interfering with their operators’ computers, the United States might have inhibited the Russian capacity to act during a critical moment. Indeed, the Post reports that the operation was timed “to prevent the Russians from mounting a disinformation campaign that cast doubt on the results.”

In some sense, an election protection program of this sort offered Cyber Command a ripe opportunity. The IRA was, by the midterm election, an organization known to work against American interests. The agency is likely far easier to hack than more advanced parts of the Russian intelligence apparatus. The time-sensitivity of the election meant that the American effort only had to be successful in disrupting Russian activity for two days and did not need to create lasting change. After 2016’s debacle, the 2018 vote was in the spotlight of those who wanted to know what the United States’ cyber capabilities could do. Based on the Post’s report, Cyber Command seems to have capitalized on the moment.

It has not always been that way. This is not the first time that the United States has deployed Cyber Command’s offensive capabilities against a foreign adversary. In 2016, the Obama administration announced, with great fanfare, its cyber campaign against the Islamic State, including the memorable line from then-Deputy Secretary of Defense Robert Work that the United States was “dropping cyber-bombs.” Ultimately, though, that campaign resulted in questionable results, with then-Defense Secretary Ash Carter later reflecting that Cyber Command “never really produced any effective cyber weapons or techniques.”

And yet, even though the election protection effort in 2018 seems to have been a welcome success, it is worth exercising a bit of caution before giving Cyber Command full credit for the lack of Russian disruption. As the Mueller indictment of the GRU operatives allegedly involved in hacking the DNC makes clear, various components of the Russian intelligence apparatus worked to interfere in the 2016 election. It seems that all of those components were mostly silent or scaled back during 2018. The question is why.

Three possibilities exist. The first is that Russia chose only to use the IRA for its planned 2018 efforts, and that Cyber Command’s activity thwarted its plans. The second is that Russia planned to employ multiple facets of its intelligence apparatus in a campaign, as they did in 2016, and that Cyber Command thwarted all of them, including in some operations still unknown to the American public. The third is that the Russians chose to stand down (with the exception of some minor activities), perhaps because U.S. political parties were doing a fine job being divisive on their own and perhaps also to bide their time for the much bigger prize of the 2020 presidential election. In this last view, Cyber Command’s activities may have reduced the Russian freedom of action or interfered with normal IRA operations but did not meaningfully change the outcome of the 2018 election and Russian interference in it.

Senator Mike Rounds, for his part,strongly suggested that Cyber Command’s actions made a difference, arguing that without them there “would have been some very serious cyber-incursions.” Yet his statement does not quite square with the operational realities of the cyber domain. Any actual intrusions (as opposed to online trolling and propaganda) are almost certain to have occurred months before Election Day; it seems much more likely that the thwarted Russian activity, if there was any, would have taken the form of an influence campaign rather than “incursions.” But drawing any conclusions about which of the three possibilities I describe based on public information  is impossible. The operational details are classified, and with good reason.

Regardless of the actual impact of Cyber Command’s operation, one final question lingers: How, if at all, should it modify the public understanding of how nations use cyber operations? Put simply, the Post’s story seems to confirm an argument that I have made for years: Cyber operations, on offense and defense, are tools of statecraft and geopolitics. Nations deploy them to try to gain a practical edge in the never-ending struggle for advantage over others. Many of the well-worn and foundational concepts of modern international relations—ideas like deterrence, bargaining theories of war, and norms-building—are less relevant when it comes to government-backed computer hacking. The Election Day operation against Russia  shows the comparative recession of these ideas: It was not an attempt to deter, bargain, or reach shared consensus. Rather, it was an attempt to deny, temporarily removing an arrow from the Russian’s quiver.

Cyber Command and academics like Richard Harknett are fond of calling these sorts of operations “persistent engagement.” Their view, which I share, is that much of the geopolitical activity taken by governments in cyberspace is likely to fall short of the threshold of armed conflict. Instead, states will continually hack to try to gain an operational edge over each other. The activity reported by the Washington Post seems to be a step in that direction. It shows what one part of what persistent engagement might look like in practice and makes the case to policymakers that Cyber Command has something to offer. In this sense, the operation might have more of a long-term impact in the United States than it did in Russia. Clarifying the art of the possible might be the operation’s real lasting success.