Cyber Command probes foreign networks to hunt election security threats
By ELLEN NAKASHIMA | The Washington Post | Published: May 8, 2019
WASHINGTON — In the wake of a first-of-its-kind military operation that defense officials have credited with helping safeguard last year's midterm elections, the Pentagon's Cyber Command is hunting inside other countries' networks for threats and to gain insights to thwart foreign interference in the 2020 campaign, officials said.
Code-named Synthetic Theology, last year's operation leveraged new authorities, granted by the president and Congress, enabling U.S. agencies to become more aggressive in foreign cyberspace in defense of the nation.
Though the operation has ended, Cybercom is continuing its close relationship with the National Security Agency and working to build partnerships with other nations, other U.S. agencies and American industry, senior Cybercom officials said Tuesday in their first extensive public briefing on efforts to fight election interference and other threats.
"Our goal is to have no interference in our elections," said Maj. Gen. Tim Haugh, who heads the command's cyber national mission force. "We're going to support (the Department of Homeland Security) and FBI in the missions they've been assigned. But ideally, no foreign actor is going to target our electoral process."
His remarks came on the first anniversary of the command's elevation to a full combatant command on a par with Central Command or Special Operations Command. The organization is led by Gen. Paul Nakasone, who also heads the NSA, the world's largest and most powerful electronic surveillance agency.
The two entities work side by side, sharing intelligence and coordinating operations, in a sophisticated facility that opened in September at Fort Meade, Maryland. Inside the joint operations center, American civilian and military personnel partner alongside representatives from other agencies and from the United States' closest allies, including Britain and Australia, charting cyberforces and targets worldwide.
Aided by NSA intelligence, Cybercom's midterm operation successfully blocked Russian trolls working at the infamous Internet Research Agency from posting divisive messages on U.S. social media in an effort to sow discord among Americans as they went to the polls in November. The several-day operation to knock out the trolls' internet access so frustrated them that they complained to their system administrators about the disruption.
The U.S. effort also entailed Cybercom personnel "direct messaging" Russian trolls and Russian military hackers in October to obliquely warn them not to interfere in other nations' affairs.
Though Cybercom officials did not comment Tuesday on operational details, they made clear that their midterm election security efforts were part of the command's new strategy of "persistent engagement."
Said Haugh: "To compete in this space against the adversaries, malicious cyberactors, we've got to be out there every day and we have to be in contact with them."
That means gaining insight into U.S. adversaries - principally Russia, China, North Korea and Iran - to understand what and who they're targeting, and sharing that information with partners, he said.
It means enabling non-Defense Department networks to protect themselves, whether they belong to private critical infrastructure operators or foreign allies. And it also means being prepared "to impose costs" through offensive cyberoperations if directed, he said.
But defense is also critical to the strategy, officials said.
Last year, Cybercom personnel operated in the networks of Ukraine, Macedonia and Montenegro, which were being targeted by Russia, to help those countries identify foreign malicious activity. That "malware" was then shared by Cybercom with U.S. industry through a malware-sharing platform called VirusTotal.
"We viewed that as a really good way for us at low cost to gain a deep understanding of how our adversaries are operating, but also to raise costs for them and simultaneously protect some of our allies," Haugh said, noting that "it was something we had not done before."
Before Congress changed the law last year, Cybercom was not authorized to take actions inside a non-Defense Department network overseas as part of traditional defensive military activity.
Haugh said Cybercom continues to work with some of the same countries it did last year. And in partnership with DHS, the command is now working to identify threats outside the United States aimed at the U.S. financial sector, and to pass them to the DHS to share with the firms.
Separately, the military's battle against the Islamic State has a cybercomponent, led by Cybercom's Joint Task Force Ares, set up in 2016 to support Central Command. After a slow start, it began having some success at sabotaging ISIS videos and other online propaganda.
The effort has now expanded. In September, Nakasone gave Maj. Gen. Matthew Glavy, who heads Marine Forces Cyber Command, leadership of JTF-Ares as well as the job of coordinating the cybereffort to counter violent extremism globally.
ISIS' cyber capabilities are "degraded," Glavy said. But "we certainly don't underestimate the adversary. . . . They've been able to maximize the use of the cyberdomain to create their messages and disseminate them."