Ramifications of Trump revoking Obama’s cyber offense order
WEAPONS FREE — The Trump administration this week took a major step toward empowering the military to conduct more cyberattacks. President Donald Trump rescinded Presidential Policy Directive 20, an Obama-era document that required high-level discussions between many agencies before the military could conduct significant cyber operations. The change gives the military freer rein to deploy its advanced hacking tools without pushback from the State Department, the Commerce Department and the intelligence community. U.S. Cyber Command can now conduct attacks based on the administration’s strategic decisions without needing to get White House sign-off on individual digital strikes — just like other combatant commands do in the kinetic world. The move is the latest example of Trump’s desire to push decision-making authority down the chain of command.
“There’s a large degree of unhappiness in DoD and in Cyber Command with the interagency process and the structure set up by PPD-20 to approve offensive cyber operations,” a former U.S. official told Eric. The State Department, this person said, “was successful in blocking or slowing Cyber Command in doing things it wanted to do, even against targets you wouldn’t think anyone would have any objection to, like ISIS.” A former FBI official added that “there was not clear guidance” from the Obama administration about using cyber capabilities “against major threats.” PPD-20 created real-world problems — in one case, according to the former U.S. official, the British stopped waiting for the U.S. to prepare for a joint cyber operation and launched it on their own, three months before the U.S. was ready to participate.
But as maligned as it was, PPD-20 also reflected the unavoidable need to weigh legal, economic and diplomatic concerns that the military alone may not sufficiently consider. It also helped balance the equities of the military and the intelligence community; U.S. spies worry about military operations because they sometimes expose the intelligence community’s painstakingly deployed surveillance implants. “In military affairs, blaming the lawyers, or the process, is often easier than having good ideas,” said R. David Edelman, who was a National Security Council director for international cyber policy during the Obama administration. “While it's fair to say that U.S. cyber policy was cautious and lawyerly to a fault in the early days, unless we get better at predicting the consequences of cyberattacks, the alternative is recklessly lashing out and crossing our fingers.”
Many cyber conflict experts expressed concern about eliminating PPD-20 without implementing a better policy. “Coordination across competing priorities is tough, especially in this realm,” said New America senior fellow Peter Singer. “Expect many intelligence operations to be blown by this shift.” Christopher Painter, the former State Department coordinator for cyber issues, said, “We need to have & use cyber tools when appropriate & the most effective option, including for [deterrence] … but we also need to take account of all our national equities including working to build coalitions of countries to collectively respond to cyber threats.” The Wall Street Journal talked to additional players and experts.
HAPPY FRIDAY and welcome to Morning Cybersecurity! This is really unfortunate, if true, because a show your MC host was watching out of habit, “The Affair,” just produced the finest episode of its run thanks to a key player’s departure. Send your thoughts, feedback and especially tips to firstname.lastname@example.org, and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
AROUND THE WORLD WITH THE IC — America’s cyber competitors haven't used recent foreign policy moves by the Trump administration to crank up their malicious digital activities, Sue Gordon, principal deputy director of national intelligence, told Martin this week. The lack of assaults from nations like Russia, Iran, North Korea and China is at least partly due to countries that have matured their cyber capabilities developing fear of real-world reprisals for their online actions, Gordon said during a one-on-one interview at the end of the Defense Intelligence Agency’s annual IT summit in Omaha, Neb.
Cyber has become “an instrument of national power and national interest” for the states in question, added Gordon, who has served almost 40 years in the intelligence community, including as senior cyber adviser at the CIA. “I would say it causes our adversaries some concern about, can they stay below some sort of threshold” for U.S. retaliation, she said. “But what is that threshold?”
NEW VERSION OF ELECTION SECURITY BILL — A new version of the Secure Elections Act (S. 2593) would require states to have a cyber response and communication plan in order to receive grants, and in turn require the federal government to provide templates for states to establish cybersecurity incident and communication plans. It would also ask states to provide more detail on the nature of cyber incidents. The Senate Rules Committee posted the manager’s amendment to the bill Thursday evening. It’s expected to mark up the legislation this month.
EXPANDED AWARENESS — Thirty-six of 50 states have installed a specific type of cyber monitoring hardware on their election systems, a DHS official told Reuters, giving the agency visibility into a wide swath of U.S. election infrastructure. The device, known as Albert, is also installed on systems in 38 counties and other local governments. According to Reuters, only 14 state and local governments used Albert prior to the 2016 election. “We have more than quadrupled the number of sensors on state and county networks since 2016, giving the election community as a whole far greater visibility into potential threats than we’ve ever had in the past,” DHS senior cybersecurity adviser Matthew Masterson told Reuters. Those states also want more access to classified cyber threat data.
In the election security grab bag, meanwhile: Rep. Randy Hultgren discussed the importance of well-trained poll workers to election security at a recent town hall; the election director in Fulton County, Ga., dismissed concerns about Russian hackers probing his county’s public website and said switching to paper ballots before November was “almost impossible”; and Cloudflare CEO Matthew Prince touted the Athenian Project, the company’s free website security program for state and local election offices. Meanwhile, Florida’s secretary of state still wants Sen. Bill Nelson to explain what the heck he was talking about when he said hackers had penetrated the state’s election system.
AN UNUSUAL KIND OF ELECTION FREE-FOR-ALL CONTINUES — The big tech and cybersecurity names just keep offering up free stuff to campaigns and election officials. Cylance joined in Thursday, offering its antivirus services to midterm candidates at no charge. “Cybersecurity is an increasingly serious concern for all Americans, and election seasons heighten the importance of keeping information safe,” said Stuart McClure, founder and chief executive at Cylance. “Our software can help protect everyone, but safeguarding the integrity of the democratic process from the unprecedented number of threats is especially important to us.” It comes one day after McAfee did the same, following the lead of others.
KOCHS AGAINST ‘BACKDOORS’ — Americans for Prosperity, the political arm of billionaire brothers Charles and David Koch, came out against building “backdoors” in data encryption. In an op-ed, David Barnes, the group’s policy manager, calls on Congress to pass the bipartisan Secure Data Act, H.R.5823, which would prohibit federal agencies or courts from forcing tech companies to build backdoors into encrypted devices or services. “In an age where data privacy is constantly in jeopardy, passing legislation that protects encrypted services would be a significant step to safeguard the privacy and security of every American,” Barnes argued.
RECENTLY ON PRO CYBERSECURITY — In a court fight over Georgia’s planned use of paperless electronic voting machines this fall, state election officials disputed activists’ assertions that they pose a significant hacking risk. … Hackers apparently based in China conducted cyber espionage against the state of Alaska’s government, German carmaker Daimler AG and others during times of sensitive economic discussions, Recorded Future reported. … FCC Commissioner Ajit Pai said he knew since January that it wasn’t true that the commission suffered a cyberattack, as he had earlier said, but the inspector general asked him to keep it quiet because the issue was referred for possible criminal prosecution.
TWEET OF THE DAY — The PPD-20 news really eel-evated this conversation.
PEOPLE ON THE MOVE
— The General Services Administration has moved Bill Zielinski into the position of acting assistant commissioner of the IT category at the Federal Acquisition Service. Before serving in the deputy position, Zielinski was the chief information officer at the Social Security Administration. He's replacing Kay Ely. FCW first reported the news.
— Nils Puhlmann has joined cloud company Twilio, where he will serve as the chief trust and security officer, the company announced Thursday. Puhlmann has been an adviser to Twilio since 2014, and has served in tech and security positions at Endgame, Zynga, Qualys and Electronic Arts. He also is a co-founder of the Cloud Security Alliance.
— The Hill digs into the reasons Congress hasn’t approved a name change for DHS’s main cyber division.
— Chinese "police stations in almost every province have sought to buy the data-extraction devices for smartphones since the beginning of 2016, coinciding with a sharp rise in spending on internal security and a crackdown on dissent." Reuters
— Former intelligence official Steve Slick argued in favor of Sen. Ben Sasse’s “cyber solarium.” War on the Rocks
— An Australian teen who hacked into Apple’s internal network got caught with a folder labeled “hacky hack hack.” The Age
— Australia also opened a new cybersecurity center. iTnews
— MIT Technology Review interviewed election security expert Alex Halderman.
— “Attackers Insert Themselves into the Email Conversation to Spread Malware.” Minerva Labs
That’s all for today. Uncool.