The warnings came from Donald Trump’s predecessor, top spies and Kim Jong Un himself.
So when the North Korean leader promised to tame Trump with “fire,” in September 2017, White House officials considered how to slow the Asian country’s march to developing a nuclear weapon.
During a meeting in late 2017, Secretary of Defense Jim Mattis presented a military strategy and Secretary of State Rex Tillerson presented a diplomatic answer. But when it came time to discuss intelligence and hacking options for the National Security Agency and U.S. Cyber Command, some on Trump’s team were frustrated with the answer. They argued the NSA couldn’t digitally deter Kim.
For nearly a year, White House leaders had debated the rules for how America should operate in cyberspace. After brazen hacks by the Chinese and Russian governments that targeted millions of Americans and the 2016 presidential election respectively, senior officials believed they needed to stop the raid on American bits and bytes.
Administration leaders broadly fell into two camps. The first blamed Obama-era rules to operate in cyberspace as too timid and the reason America did not have digital options to deter North Korea’s nuclear program. Unleashing viruses that could upend North Korea’s rockets would require a wide swath of consensus across U.S. government agencies, which all but stifled many hacking plans.
Other officials, such as then Homeland Security adviser Tom Bossert, disagreed, and over a period of months argued that while the procedures needed to change, loosening the rules of engagement too liberally and without caution would be dangerous.
A decision loomed.
While the North Korean debate did not lead to immediate policy changes, it was one of several events that helped push the Trump administration toward a new cybersecurity strategy, according to four current and former White House and intelligence officials who were in the room or briefed on the situation. When the White House announced the new policy in September, national security adviser John Bolton was blunt: “We’re going to do a lot of things offensively, and I think our adversaries need to know that.”
America enters the cyber age
In the early 2010s, Russia was known inside the U.S. intelligence community for its clandestine cyber operations. If White House administrators or National Security Agency analysts spotted Moscow’s cyberwarriors probing American networks before 2014, the Kremlin spies would often suddenly disappear.
“The Russians were known for being stealthy and highly targeted. If you saw them on the network, they would vanish like ghosts and go quiet,” Michael Daniel, the top cybersecurity official at the Obama administration, told Fifth Domain.
“After 2014 they start becoming much more aggressive. We start detecting them trying to penetrate U.S. government networks and instead of melting away they come right back at us, saying ‘I dare you to try and find us. I dare you to try and kick us off your network.’”
One of the first digital disinformation operations against the United States targeted diplomats. Digital sleuths from the Kremlin listened in on a phone call between Victoria Nuland, then the top U.S. American diplomat to Europe, and Geoffrey Pyatt, the U.S. ambassador to Ukraine, according to the State Department. Nuland and Pyatt discussed how to support a new government in Ukraine. Nuland believed the Europeans were being too timid and made her position clear in colorful language.
The phone call was being secretly recorded and was posted to YouTube days later.
“It wasn’t their first use of cyber and aggressive tactics, including manipulating emails and leaking things,” said Nuland, who is now head of the Center for a New American Security. “What was new is their targeting of Americans and the United States in a way where their hand was not masked. Obviously, they denied it, but it was transparent what was going on.”
“What is most interesting is looking at Putin’s first and second term, where they were still relatively cautious about their espionage and tradecraft, as they were in Soviet Union operations. They used only authorized trade professionals and tried to mask their hand to have real deniability," Nuland said. "Compare that to Putin’s third and fourth term, where they are almost gleeful in their non-denial denials.”
Russian hackers breached the White House’s networks and swiped President Obama’s email correspondence in 2014, according to the New York Times. Two days before Christmas in 2015, Russian hackers allegedly used spear-phishing emails and malicious code embedded in Microsoft Word documents to launch the first publicly acknowledged cyberattack in the world to cause power outages against Ukraine.
But the Russian government was not the only country developing a playbook for hacking. China was revving up a campaign to infiltrate the U.S. government as well.
In April 2015, U.S. officials say that China hacked records of 22 million government officials that were stored by the Office of Personnel Management. That included copies of all U.S. government security clearances. Everything from romantic affairs to undercover assignments to work histories of top-secret programs were pilfered by the Chinese. It was a wakeup call for the U.S. government, Jim Richberg, a national intelligence manager at the Office of the Director of National Intelligence, told Fifth Domain.
The intelligence community needed to re-think what was a target for foreign hackers. “It was kind of a eureka moment of, ‘Oh my goodness, look what can be done and look at the value of data like that.’ That was a watershed,” Richberg said. “There is no dataset too big to talk about potentially exposing.”
It took less than a year for another historic breach.
In a cream-colored building with roman arches near the meandering Moscow River, Russian intelligence officials sent a spear-phishing email to Tony Podesta, the campaign chairman for Hillary Clinton on March 19, 2016. The hackers disguised the email as a Google security notification and tricked Podesta into changing his password. An accompanying link was a disguised Russian intelligence agency website, and the Kremlin spies soon swiped a trove of emails. Russian officials then passed the emails to WikiLeaks, according to a July 13 indictment from Special Counsel Robert Mueller.
“The Russians were over time perfecting their ability to target social media to specific political objective in their own country, in Ukraine, and across Europe before 2016,” Nuland said during 2018 Senate testimony,
But to leaders inside the U.S. government, Russia’s role was not immediately clear. Former U.S. officials said the assessment of Moscow’s responsibility solidified around June after Americans analyzed the activity of Guccifer 2.0, who claimed to be a digital vigilante but was actually a group of Russian spies, according to the Mueller indictment.
It was then that Russian hackers allegedly broke into the Illinois state election network and stole voter registration information of up to 200,000 people. While the hack remained secret for weeks, it set off alarms within the White House and intelligence agencies, two former U.S. officials said.
Jeh Johnson, Obama’s head of the Department of Homeland Security, began contacting state election officials to encourage them to strengthen their cybersecurity efforts, but the effort had mixed success. Some state and local election officials did not trust the Department of Homeland Security and inaccurately believed they were embarking on a federal takeover of the voting process, Suzanne Spaulding, then an undersecretary at the agency, told Fifth Domain. In terse phone calls with Johnson, Georgia Secretary of State Brian Kemp refused help from the federal government. Kemp, now the governor-elect in Georgia, did not respond to a request for comment.
Trump in charge
From the onset of the Trump administration, former and current White House and Pentagon officials were set on changing how the America operated in cyberspace. With information about Russia’s hacking and disinformation becoming clearer by the day, their discussion took a new sense of urgency.
Government officials recalled the shock of the incoming Trump team when they learned how conservative the military was when it came to hacking. “The incoming Trump administration had this assumption that the U.S. was some big gorilla in cyberspace and was actively hacking everyone. There was a little bit of surprise that U.S. policy was very conservative,” a former White House official told Fifth Domain.
The Obama-era rules that governed American cyber operations were called Presidential Policy Directive 20 and said that cyber operations likely to result in “significant consequences” needed presidential approval. Hacking operations also needed to have near unanimous consent between U.S. government agencies.
In memos and long email chains, officials from the State Department, CIA and the NSA often argued to take a more cautious approach for hacking operations, according to former Obama administration officials. Those officials argued that destroying a server that an enemy like the Islamic State used would eliminate valuable intelligence. This was counterproductive, these officials argued, because the NSA wanted to silently sit on an enemy’s computer network and collect intelligence.
Former Secretary of Defense Ash Carter was among those who expressed frustration with America’s cyber operations, particularly against the Islamic State. Whenever Cyber Command had a plan to hack the Islamic State, “the intelligence community tended to delay or try to prevent its use, claiming cyber operations would hinder intelligence collection. In short, none of our agencies showed very well in the cyber fight,” Carter wrote in a Harvard University paper in 2017.
The clash of philosophies meant gridlock. “Sometimes we would meet for 90 minutes to two hours, and then at the end decide that we need to come back tomorrow for part two,” an Obama White House official told Fifth Domain.
Current and former officials recalled a rough beginning to the Trump administration’s cyber planning. National security adviser Michael Flynn brought in a team of staffers who had a hawkish view on cybersecurity, according to four current and former White House and Pentagon officials. When White House officials drafted the first executive order on cybersecurity it was sloppy, according to two former White House officials, with one adding that it included a potentially hostile and unexpected reference to nuclear weapons. And when intelligence agencies asked for permission to partner with European governments, they were given carte blanche to operate without raising the policy to senior Trump administration officials, one former official said.
But most conversations led back to changing America’s offensive cyber operations.
Leaders in the Trump administration were set on changing how the United States operated in cyberspace. The question was whether the White House was going to modify the Obama rules or throw them out completely. Bossert, Trump’s clean-cut homeland security adviser, was respected by U.S. officials because of his experience in the Bush administration.
“What we need to do, living in the largest cyber glass house in the world, is to figure out how to increase our defenses and put in place a rational strategy before we go out and do things that are going to make us – and our private critical infrastructure owners – more vulnerable,” Bossert said during the July 2017 Aspen Security Forum.
Mattis embraced the rising role of cyber and digital warfare, and his office pushed to have more authority. Pentagon leaders said they needed to conduct cyber operations just like they could with land, air and sea, creating a lethal swarm of digital and physical attacks. Other officials also argued that more offensive cyber operations would be a deterrent for nations hacking America, like Russia and China.
For some, an inflection point came as the White House considered options to deter North Korea’s nuclear capability. The lines of code honed inside NSA labs to monitor, stop or alter Pyongyang’s nuclear and military capably would likely have to travel through China, which supplies nearly all North Korea’s internet. During previous debates, officials feared China might mistakenly believe the Americans were hacking them instead of North Korea. The scenario was deemed too risky by some because it could have unforeseen consequences. Advocates for the more aggressive approach in cyberspace argued that the Obama-era rules for cyberspace effectively blocked America from embedding and prepositioning this malware inside of North Korea’s systems. As a result, America was empty-handed when it came to hacking options, according to this line of thinking.
But other officials disagreed. Rather, some in the administration, such as Bossert, believed that the Obama rules in cyberspace were being unfairly scapegoated, as if the nuances of hacking another nation would disappear with more authority. According to this view, America needed to take more aggressive actions in cyberspace to deter foreign countries, but glossing over the nuances of hacking was also dangerous.
And by some accounts there was also evidence that America already had effective hacking programs to deter North Korea’s nuclear ambitions.
According to Bob Woodward’s book “Fear,” during the Obama administration, the United States was able to infect the North Korean government’s missile telemetry with malware that caused errors in their launch sequence. Two former intelligence officials said that North Korea offers limited cyber options because a majority of the country does not have internet access. And by cutting off North Korea’s internet, U.S. officials feared they could also lose intelligence capabilities.
Both the Pentagon and the NSA declined to comment and respond to questions.
Publicly, support for more offensive cyber operations came in the form of congressional testimony from Adm. Michael Rogers, the head of the NSA, and the incoming commander, Gen. Paul Nakasone.
“President Putin has clearly come to the conclusion there is little price to pay here … and that therefore I can continue this activity,” Rogers told Congress in February 2018.
‘Our hands are not tied’
After Trump’s national security adviser H.R. McMaster left the White House in March 2018, Trump replaced him with John Bolton. Days later, Bossert was pushed out of the White House, along with the White House cybersecurity coordinator Rob Joyce.
At the time, a senior Pentagon cyber official described the administration's cyber policy as "a potential catastrophe.” The official explained how critical cyber issues were not being coordinated and briefings were either being missed or not even taking place.
That summer, the White House finalized its strategy to overhaul the Obama rules from cyberspace. Mattis was given the ability to conduct cyber operations without authority from the president except if it could interfere with the “national interest” of the United States. After Trump rescinded the Obama-era rules Aug. 15, Bolton described the changes in drastic terms.
“Our hands are not tied as they were in the Obama administration,” Bolton said. “Our presidential directive effectively reversed those restraints, enabling offensive cyber operations through the relevant departments.”
Still, some current and former U.S. officials caution that greater authority in cyberspace might not actually deter hacking from foreign nations in some situations.
And there are questions about if the new cyber authorities will have any effect at all on offensive operations. Some experts argue that the officials making a decision about whether to hack another country are more important than the process they use.
“What the Russians did is a little bit like 9/11,” Michael Hayden, the former director of the CIA and the NSA under the Bush administration, told Fifth Domain. “It was an attack from an unexpected direction against a previously unappreciated target.”
Hayden believes that America has encountered a new threat, and like the September 11th attacks, the U.S. government needs a dedicated effort to respond to Russia’s hacking. “President Bush did that. A lot of it was controversial, but you can’t argue it wasn’t extraordinary. President Trump has never called on us to go extraordinary. Everyone is doing their best, but they are playing traditional positions.”
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.