WASHINGTON ― U.S. Cyber Command is working in foreign networks to disrupt malicious activity and share intelligence with partners as a way to protect the integrity of the Nov. 3 presidential election.

Gen. Paul Nakasone, the head of Cyber Command and the National Security Agency, has said the defense of the 2020 election is his No. 1 priority. Following allegations by U.S. intelligence agencies that Russia tried to interfere in the 2016 election — a fact the Kremlin denies — there has been consternation about what the broader U.S. government, and especially the Department of Defense, can do to protect the democratic process. Furthermore, the defense secretary, Mark Esper, has said that securing America’s elections is now an enduring mission for his department.

Now, the Defense Department is part of an integrated and multipronged approach to protect the election from foreign adversaries trying to manipulate voters and voter tallies.

Nakasone has outlined three ways his organizations are looking at this problem:

  • By generating insights of adversaries.
  • By sharing insights with partners across the U.S. government to prevent influence and interference.
  • By acting against adversaries attempting to interfere with the election.

“I would just say across all three, I’m very confident,” he said in remarks during a virtual conference in September.

The DoD’s role is to play the “away game,” according to Brig. Gen. William Hartman, commander of the Cyber National Mission Force at Cyber Command.

“We’re the part of the U.S. government that focuses on the away game. We’re looking at foreign adversaries: Russia, China, Iran, any other foreign adversary who’s attempting to interfere with our elections,” Hartman said during an August virtual panel as part of the hacker conference DEFCON. “We’re looking for them in foreign space.”

The new “defend forward” concept outlined in the DoD’s 2018 cyber strategy charges Cyber Command to get as close to adversaries in networks outside the United States before they reach the nation. The command uses its authorities to operate in networks abroad to discover malware and enemy tactics that could be used against the American people or election infrastructure.

The command can either share that with relevant partners — such as the Department of Homeland Security, the FBI or private companies — so they can take necessary measures, or the command can unilaterally take action thwart malicious activities before they impact American networks.

This action, which officials refer to as imposing costs, can take a number of forms, to include exposing adversary capabilities, tactics or code, all as a means to cause the adversary some type of friction, either in time, money or their freedom to move.

“We are just one part of a whole-of-government effort. We work closely with our interagency partners to enable defense of the homeland through FBI and DHS. We enable DHS with information to help feed their engagement with state, local, territory and tribal organizations. We also provide actor-centric information to FBI to enable their engagements with social media companies,” a Cyber Command spokesperson said.

Following the success of the Russia Small Group created during the 2018 election cycle, Cyber Command and the NSA formed the Election Security Group, which synchronizes resources between the two organizations and is focused on all threats to elections from a variety of actors. The group is made up of civilian and military personnel who perform the duties of analysts, developers, operations specialists, public affairs and liaisons to other agencies.

Officials previously said the partnership between the two — the NSA drives intelligence to Cyber Command operators — and the existence of a dual-hatted commander was critical for securing the 2018 election.

“It’s not enough to just know and understand what our adversaries are doing,” David Imbordino, election security lead for the NSA, said earlier this year. “The nation expects us to do something about it. Enabling our partners with the right information at the right classification level [so they can] take action to defend our democracy against these threats is essential and allows all of the tools of the government to be employed in this fight.”

What has Cyber Command done, and what can it do?

As a military entity, Cyber Command is somewhat limited in what it can do regarding election security.

“When it comes down to it, all the military can really do is spy on stuff and disrupt stuff,” Jason Healey, senior research scholar at Columbia University’s School for International and Public Affairs, told C4ISRNET. “They don’t really have tools that can do anything else in normal cybersecurity compared to the private sector. Microsoft has all sorts of things that it can do because they own the underlying infrastructure … they can bend cyberspace if they need to in ways that government just can’t.”

During the 2018 midterm elections, Cyber Command shut out a Russian troll farm from the internet, which President Donald Trump confirmed. It also sent targeted messages to certain Russian cyber operatives and Russian elites believed to be gearing up to conduct operations against the elections.

"Cyber Command also executed offensive cyber and information operations. Each featured thorough planning and risk assessments of escalation and other equities,” Nakasone wrote in congressional testimony in March. “Each was coordinated across the interagency. And each was skillfully executed by our professional forces. Collectively, they imposed costs by disrupting those planning to undermine the integrity of the 2018 midterm elections.”

Details remain scarce, but officials have noted that Air Force cyber teams — responsible for conducting cyber operations for European Command — conducted operations to defeat Russian influence attempts in the 2018 midterm elections.

And it appears these authorities and responsibilities have been extended into 2020, and that Congress is backing these efforts.

“As a component to U.S. Cyber Command, I’ve been given very clear roles and missions that are in support of the 2020 elections,” Lt. Gen. Timothy Haugh, commander of 16th Air Force/Air Forces Cyber, said in July. “With that, our cyber units have been given some responsibilities, whether that be to be able to do specific defensive actions or to understand adversary activities as well as within our [intelligence, surveillance and reconnaissance] enterprise. We have leveraged them to also be able to look [at] what’s occurring in the information environment and to develop public disclosure packages to be able to disclose malign activity through any of those mission partners.”

Following the midterm elections, Sen. Mike Rounds, R-S.D., told The Washington Post: “The fact that the 2018 election process moved forward without successful Russian intervention was not a coincidence.”

There “would have been some very serious cyber-incursions” if Cyber Command didn’t act, he said at the time.

Cyber Command has also physically deployed teams to foreign nations in what it calls “hunt forward” operations. These efforts seek to assist partner nations in network defense, which can provide Cyber Command unique insights to adversary tactics or malware that can then be used to counter their effectiveness.

“The net effect of the many hunt forward missions that Cyber Command has conducted in recent years has been the mass inoculation of millions of systems, which has reduced the future effectiveness of the exposed malware and our adversaries,” Nakasone and his senior adviser, Michael Sulmeyer, wrote in Foreign Affairs in August.

According to the U.S. government, Cyber Command has identified more than 40 malware samples since 2018 by working with these foreign governments.

“Thanks to these [hunt forward operations] and other efforts, the United States disrupted a concerted effort to undermine the midterm elections. Together with its partners, Cyber Command is doing all of this and more for the 2020 elections,” Nakasone and Sulmeyer wrote.

In the run-up to the 2020 elections, The Washington Post reported that Cyber Command has targeted the largest botnet in the world, which officials said could be used to spread ransomware on election systems. The Post also reported the command has targeted Russian spies in an attempt to disrupt their plans and tools.

A full partnership

Most of the activities that targeted the 2016 election were influence operations launched via social media. This area poses thorny constitutional and legal questions about a U.S. military intervention, but U.S. government officials say they are working alongside the private sector.

“We’re relying on private industry to help us in this space. There’s a close partnership between the U.S. government and social media companies to ensure that they can identify these types of activities and they can prevent those activities, they can shut down those networks, they can shut down those accounts,” Wendy Noble, executive director of the NSA, said at a September conference. “I think we’ve learned a lot through 2016, 2018 with the Russia small group. And as we roll into 2020, as NSA’s No. 1 priority is the safety and security of the elections, it’s going to take the entire U.S. government to be marshalled to make sure that our democratic processes are not impeded by malicious cyber activity.”

The DoD and federal agencies used Super Tuesday, the biggest day during state primary election season, as a dress rehearsal for Nov. 3 — Election Day.

Hartman, the head of the Cyber National Mission Force and election security lead for Cyber Command, described a “mission center” occupied by Cyber Command and NSA personnel connected to all federal agencies involved in election security via a chat room.

“They were talking about, in almost real time, if something goes on state election infrastructure in North Carolina, there is an unclassified chat going up [with] DHS, who drops it in a classified chat room. You’ve got analysts from NSA and CYBERCOM and other government agencies immediately combing their databases,” Hartman described. “Then almost instantaneously providing information back that says, ‘Hey, this is something you should be concerned about,' or 'This is just normal traffic that we see on any day on the internet, it looks anomalous.’ ”

Hartman also explained there were “defensive cyber elements” sitting in “war rooms” waiting on a call from DHS in case something happens. Simultaneously, personnel in another operations center were prepared to act against adversaries if they attempt to interfere in the election, he added.

"If there is a threat identified in foreign space, we will have cyber teams on standby in operations centers, and defensive teams on standby, ready to deploy in the event there is a request to do so,” a Cyber Command spokesperson said. "We won’t stop defending forward after the elections — we will continue to enable our partners, and continue to act in defense of our nation in cyberspace.”

Healey, the researcher at Columbia University, was curious how close the Cyber Command-DHS relationship is, equating it to supporting troops on the battlefield under fire: The supporting reinforcements must know what to target and where.

“If someone in the elections was saying, ‘We need this Russian botnet taken down or they’re going to totally screw up the vote count in Pennsylvania. We see them mucking around, you got to take them down,’ is there a way for that to get passed to Cyber Command?" he wondered. "Is Cyber Command going to take that shot without getting input?”

Outsiders continue to caution that Cyber Command can’t be the panacea for election security, but rather it must work with the rest of the government.

The DoD’s efforts must be “a small piece of the puzzle because so much of this activity is happening domestically and the concept of defend forward isn’t or it shouldn’t be a solution for every type of cyber-related or information-related challenge that the United States faces,” according to Erica Borghard, senior fellow with the New American Engagement Initiative at the Atlantic Council.

“I do think those limited counter-cyber, disruptive type of operations are also useful, but they’re not the panacea. That’s the role of Cyber Command, and behind that there are other elements in the interagency that should play more of a role domestically,” Borghard told C4ISRNET.

Borghard’s concerns are especially poignant in a world with limited resources and growing missions.

“I worry that if we try to take Cyber Command and use it as the solution for everything and the tool for everything, then you’re detracting resources from other really valuable missions that Cyber Command is working on in cyberspace,” she said. “We have to make sure we’re matching the right tools for the right challenges given the unique capabilities across the government, also given appropriate authorities and responsibilities.”

Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.

More In Daily Brief