Trump is rattling sabers in cyberspace — but is the U.S. ready?

By Tim Starks, Gavin Bade and Michael B. Farrell
While cyber defenses are improving, some experts worry about how the U.S. would recover from an even larger strike.

The Trump administration is sending aggressive messages about the United States' willingness to hack its adversaries — alarming lawmakers and experts who fear the president is provoking a global cyberconflict that the U.S. may not be prepared to face.

A U.S. cyberattack on Iranian military and intelligence targets last month was one of the most prominent signs of the new approach, which comes after a reported effort to implant hostile computer code in Russia's electrical grid and a temporary takedown of a notorious Kremlin-backed troll operation last fall.

To supporters, the tactics are a sign the U.S. may finally be getting out of its defensive crouch in cyberspace — as advocated by hawks such as national security adviser John Bolton.

But the moves also lay the potential groundwork for a tit for tat of cyberattacks that could inflict significant damage on bystanders. Targets such as banks, hospitals, oil companies and electric utilities in the U.S. and elsewhere have already proved vulnerable, as seen in recent criminal hacks that paralyzed entities such as Baltimore's city government.

Now, both Republican and Democratic members of Congress are pressing the White House for details about its offensive cyber strategies, worried that unchecked operations could be dangerously destabilizing for the U.S.

“It’s essential that Congress have its ability to conduct proper oversight. It’s our constitutional responsibility,” Rep. Jim Langevin (D-R.I.) told POLITICO. “I support the administration’s plan to be more forward-leaning in cyberspace, on balance. But with that comes the responsibility to make sure we’re not undermining stability in cyberspace.”

Langevin added an amendment to the National Defense Authorization Act, which the House passed Friday, to compel the White House to provide details of its new cyber strategy to the House Armed Services Committee. Despite repeated requests from the committee, the administration has not shared a secret presidential directive, National Security Presidential Memorandum 13, that President Donald Trump signed last year to give U.S. Cyber Command more authority to carry out digital attacks.

Langevin, along with Republican and Democratic members of the committee, complained to the White House in a February letter that the committee has been in the dark about the Pentagon’s growing use of digital weapons.

“This is my first time in 19 years of Congress that a document this major has not been provided to Congress. I can’t understand what the hold up is,” Langevin said. “I just want to make sure the authorities being delegated are appropriate and our cyber missions are staying within those parameters.”

While U.S. cyber defenses are improving, some experts worry about how the nation would recover from an even larger strike — such as one on the scale of the suspected Russian cyberassault that blacked out power to more than 200,000 Ukrainians in 2015.

"We are clearly not ready to recover from a cyberattack" of that magnitude, said Art House, the chief cybersecurity risk officer for Connecticut and the former chairman of the state's utilities commission. "Very few states have ever simulated a cyberattack on their public infrastructure. It poses challenges we haven't faced before."

Industries are already bracing for an uptick in cyberattacks after last month's news that U.S. Cyber Command had launched digital strikes on targets in Iran, including missile-launching computer systems that may have been involved in attacks on oil tankers in the Persian Gulf.

Last month, a division of the Treasury Department issued a rare warning to the financial sector to increase protections against destructive Iranian attacks. That came after similar warnings to U.S. companies from the Department of Homeland Security and private cybersecurity firms.

Businesses and government agencies are already on the front lines of global cyberconflicts, which have seen Chinese hackers steal valuable trade secrets from companies such as Hewlett-Packard and IBM, Russian and Iranian attacks designed to implant malicious software inside the electrical grid, and "ransomware" assaults such as the one on the city of Baltimore.

The worst-case scenario, House said, is that the U.S. gets into an escalating round of hacking attacks that spins out of control with some hostile power — with no plan for what to do next.

"We have not had that conversation about what happens when you knock out public infrastructure and you take out a water system or a heating system or electric generation and distribution systems," said House, who led communications at the Office of the Director of National Intelligence during the Obama administration. In that case, he said, "There would be a whole new area of civilian casualties — intended or not intended."

Iran has already been linked to so-called wiper attacks, in which malicious software erases the hard drives of infected computers. One of the best-known examples is a massive 2012 hack that struck the Saudi oil company Saudi Aramco and is reported to have debilitated an estimated 30,000 computers.

"We've seen Iran for years and years use destructive capabilities, where they destroyed data and rendered computer systems inoperable, including against the American private sector," said Jamil Jaffer, former senior counsel for the House Intelligence Committee who is now a vice president at the firm IronNet Cybersecurity.

"It's not a particularly unique capability, but what is unique about Iran's particular use of it is that they're willing to use it to actually do damage," he said.

Christopher Krebs, director of DHS' Cybersecurity and Infrastructure Security Agency, said in a statement that attacks that "might start as account compromise, where you think you might just lose data, can quickly become a situation where you've lost your whole network."

But that shouldn't stop the U.S. from hitting back in cyberspace, Jaffer argued, even if those actions risk collateral damage.

"We've long been taking a lot of punches in cyberspace, and haven't really hit back," he said. "That hasn't really worked out too well for us; we've seen an increase in the scope and scale of attacks — and the destructive nature of such attacks, including against the private sector — as our opponents test us with relative impunity."

Now that "we've shown the willingness to hit back," he said, "our opponents are increasingly being [given a] much harder choice: Do I escalate and run the risk that the United States might hit me back even harder? I think a lot of countries correctly assess that they can't win that fight."

The U.S. has hit hard in cyberspace before, most notably with the Stuxnet computer worm credited with destroying hundreds of centrifuges in Iran's nuclear program. Stuxnet resulted from a plan hatched under George W. Bush's presidency and continued during the Obama administration. It appeared to be a success, but it also escaped onto the internet.

However, concerns in the Obama administration that U.S. cyberattacks would spark uncontrollable escalation curtailed its cyber operations, and military strategists have long worried that the damage from a cyberconflict could quickly spread far beyond the intended targets.

"The U.S. military and U.S. government traditionally has been pretty cautious," said Jon Bateman, a Cyber Policy Initiative fellow at the Carnegie Endowment for International Peace and a former aide to Gen. Joseph Dunford, chairman of the Joint Chiefs of Staff. "The Obama administration specifically in cyber was known for weighing every possible consideration before taking action."

Now, he said, "there's a gloves-off mentality."

Bolton has said publicly that the U.S. is looking at digital targets as a way to say to "Russia, or anybody else that's engaged in cyberoperations against us, 'You will pay a price.'"

The White House did not respond to a request for comment about its internal discussions regarding the risk of escalation related to offensive cyberattacks.

The first known realization of Trump’s cyber directive was a U.S. digital strike during the 2018 midterm elections, later reported by The Washington Post, that knocked out the online access of the Internet Research Agency, a Russian troll farm that had disrupted the 2016 presidential race.

The New York Times also reported that U.S. forces have taken steps to plant malware inside Russia's power grid in retaliation for the Kremlin's operations in the United States. Trump initially called the story treasonous but later said it was false.

Offensive cyberoperations can wreak a ton of collateral damage, as seen in what happened after Russia unleashed a potent strain of malware known as NotPetya on Ukraine. The cyberweapon quickly spread globally, locking up computers and erasing valuable data inside corporations such as the pharmaceutical giant Merck and the shipping line Maersk.

"We don't really understand what collateral damage really looks like," said Michael Daniel, President Barack Obama's former cybersecurity adviser and current CEO of the Cyber Threat Alliance. "Think back to the NotPetya malware. That was aimed at Ukraine, but it had impacts outside of Ukraine that were completely unanticipated and unforeseen."

A cyberattack on Iran could have similar consequences, he said, especially if Tehran responds by using malware similar to NotPetya on American targets. "They have certainly shown themselves to be willing to use destructive malware in the form of wiper viruses," he said.

Cybersecurity experts have said Tehran has vastly increased its cyber capabilities since the Stuxnet attack.

"Iran is obviously a pretty capable actor in cyberspace," one that probably could execute more severe ransomware attacks or even a successful attack on the power grid, Bateman said.

Beyond costly attacks on businesses, however, cybersecurity experts worry that the growing severity of digital attacks could eventually result in physical injury or even death — for instance if hackers shut down a hospital.

"Killing someone would be the most serious thing that could happen," Bateman said. "It's plausible that Iran could do something like that. That could really create pressure for a U.S. military response."

While the threat of escalation is one risk of Trump's more aggressive posture in cyberspace, a harsher U.S. cyber response to Iranian or Russian hacks may succeed in sending the message that Washington will no longer tolerate nation-state hacking, Jaffer argued.

Still, he said, if the U.S. is going to continue its more aggressive course, "the government has got to do significantly more to empower the private sector to defend itself." For starters, he said, it can share more classified information about threats in real time.

Power utilities are often blind to the threats they face, said House, the Connecticut official, because few regulators have security clearances. That means they don't have the actionable information they need from DHS and other agencies about the most recent and dangerous threats.

"The intelligence apparatus of the United States could warn utilities: 'We are finding this malware, check it out,'" House said.

Martin Matishak and Daniel Lippman contributed to this report.