The Washington Post
Democracy Dies in Darkness

At nations’ request, U.S. Cyber Command probes foreign networks to hunt election security threats

May 7, 2019 at 10:00 p.m. EDT
Voters cast ballots in Hinsdale, Ill. As U.S. officials look ahead to securing the 2020 election, they are increasingly focused on the activities of Russia, China, North Korea and Iran. (M. Spencer Green/AP)

In the wake of a military cyberoperation that defense officials have credited with helping safeguard last year’s midterm elections, the Pentagon’s Cyber Command is hunting inside other countries’ networks for threats and to gain insights to thwart foreign interference in the 2020 campaign, officials said.

Code-named Synthetic Theology, last year’s operation leveraged new authorities, granted by the president and Congress, enabling U.S. agencies to become more aggressive in foreign cyberspace in defense of the nation.


Though the operation has ended, Cybercom is continuing its close relationship with the National Security Agency and working to build partnerships with other nations, other U.S. agencies and American industry, senior Cybercom officials said Tuesday in their first extensive public briefing on efforts to combat election interference and other threats.

“Our goal is to have no interference in our elections,” said Air Force Maj. Gen. Tim Haugh, who heads the command’s cyber national mission force. “We’re going to support [the Department of Homeland Security] and FBI in the missions they’ve been assigned. But ideally, no foreign actor is going to target our electoral process.”

His remarks came on the first anniversary of the command’s elevation to a full combatant command on a par with Central Command or Special Operations Command. The organization is led by Army Gen. Paul Nakasone, who also heads the NSA, the world’s largest and most powerful electronic surveillance agency.

The two entities work side by side, sharing intelligence and coordinating operations, in a sophisticated facility that opened in September at Fort Meade, Md. Inside the joint operations center, American civilian and military personnel partner alongside representatives from other agencies and from the United States’ closest allies, including Britain and Australia, charting cyber-forces and targets worldwide.

Aided by NSA intelligence, Cybercom’s midterm operation successfully blocked Russian trolls working at the infamous Internet Research Agency from posting divisive messages on U.S. social media in an effort to sow discord among Americans as they went to the polls in November. The several-day operation to knock out the trolls’ Internet access so frustrated them that they complained to their system administrators about the disruption.

The U.S. effort also entailed Cybercom personnel last October “direct messaging” Russian trolls as well as Russian military hackers to obliquely warn them not to interfere in other nations’ affairs.

Though Cybercom officials did not comment Tuesday on operational details, they made clear that their midterm election security efforts were part of the command’s new strategy of “persistent engagement.”

Said Haugh: “To compete in this space against the adversaries, malicious cyber actors, we’ve got to be out there every day and we have to be in contact with them.”

That means gaining insight into U.S. adversaries — principally Russia, China, North Korea and Iran — to understand what and who they’re targeting, and sharing that information with partners, he said.

It means enabling non-Defense Department networks to protect themselves, whether they belong to private critical infrastructure operators or foreign allies. And it also means being prepared “to impose costs” through offensive cyberoperations if directed, he said.

But defense is also critical to the strategy, officials said.

Last year, Cybercom personnel operated in the networks of Ukraine, Macedonia and Montenegro, which were being targeted by Russia, to help those countries identify foreign malicious activity. That “malware” was then shared by Cybercom with U.S. industry through a malware-sharing platform called VirusTotal.

“We viewed that as a really good way for us at low cost to gain a deep understanding of how our adversaries are operating, but also to raise costs for them and simultaneously protect some of our allies,” Haugh said, noting that “it was something we had not done before.”

Before Congress changed the law last year, Cybercom was not authorized to take actions inside a non-Defense Department network overseas as part of traditional defensive military activity.

Haugh said Cybercom continues to work with some of the same countries it did last year. And in partnership with DHS, the command is now working to identify threats outside the United States aimed at the U.S. financial sector, and pass them to DHS to share with the firms.


Separately, the military’s battle against the Islamic State has a cyber component, led by Cybercom’s Joint Task Force Ares, set up in 2016 to support Central Command. After a slow start, it began having some success at sabotaging ISIS videos and other online propaganda.

The effort has now expanded. In September, Nakasone gave Maj. Gen. Matthew Glavy, who heads Marine Forces Cyber Command, leadership of JTF-Ares as well as the job of coordinating the cyber effort to counter violent extremism globally.

ISIS’ cyber capabilities are “degraded,” Glavy said. But “we certainly don’t underestimate the adversary . . . They’ve been able to maximize the use of the cyber domain to create their messages and disseminate them.”