To Hack or Not To Hack

The New York Times dropped a fun piece last week asserting a coalition of like-minded national security and intelligence professionals are neck-deep in an offensive cyber operation against the Russian electricity system. The article suggests the hacking was meant to provide a cudgel to beat Russia with should it intervene in American elections again. The real kicker was the assertion made by a host of anonymous sources that not only was U.S. President Donald Trump unaware of the operation, but that the sources were afraid to tell him for fear the White House would shut the operation down.
 
There’s a bit of peeling required for this particular onion:
 
Computerization didn’t happen all at once. At first computers were multi-billion-dollar monuments of circuitry that only major governments could afford, to be used “simply” to compute complicated math (ergo the term computer). They certainly weren’t hooked into civilian infrastructure. Besides, there was nothing to “hook” into. Pre-1980s tech was analogue and manual, not digital and automatic.
 
Fast forward to the 1980s and this changed rapidly. The marriage of now-more-attainable computers to telephony brought us modems long before it brought us smartphones. That linkage enabled the first computer networks to snake through the worlds of finance, media, energy, academia and manufacturing. As computers became ubiquitous, the possibility of extreme damage being inflicted upon the average American citizen expanded exponentially.
 
A new policy was required for this new era.
 
The president at the time was Ronald Reagan. His executive guidance was threefold:
 
First, the U.S. government would provide no cyber protection to any part of the civilian system. Individual firms and citizens were wholly responsible for protecting their computer systems from outside threats.
 
Second, the U.S. government would maintain an absolutely massive hacker corps with standing orders to hack everything and put malware and backdoors into every imaginable foreign system.
 
Third, the U.S. would deign to identify precisely where its red lines were.
 
These three points explain why it is so simple for Nigerians to defraud your grandmother, why the Russians could interfere in the U.S. elections with ease, and why everyone is so afraid to go after the really important stuff: infrastructure in the United States. In essence, America’s cyber policy is a lot like the rest of its armed forces: you can poke and prod the exposed flanks of the behemoth and you might or might not get swiped at for your trouble, but if you ever do something that really draws its attention, well… you’d better have a great bunker.

In the event the U.S. ever did decide to cut loose, it would have a remarkably shitty quarter. The lack of cyberdefense would ensure that power grids would fail, vulnerable city bureaucracies would be left helpless, and all the businesses that forgot to update their Windows operating system from last decade’s would find they no longer have computers. In other words, it would hurt. But whoever the U.S. was going to war with would find themselves facing off against nearly four decades of surveillance, planning, and preparation by skilled, vengeful nerds. In the best-case scenario (for the targets), they would regress a century as everything from power to water to communications to shipping simply seized up, never coming on-line again until a complete computer-free overhaul was completed.  
 
The Reagan administration’s guidance on cyber sat broadly unchanged for the next four presidents. Offensive cyber was used rarely and the U.S. refuses to discuss it. It is only under Donald Trump that some shifts have occurred. In Trump’s early months as executive the U.S. government leaked it had done something I find hilarious:
 
It didn’t simply identify the specific Russian agents who had interfered in the United States’ 2016 presidential elections, it sent cease-and-desist letters to those agents at their home addresses complete with enough personal touches to drive home to the Russian hackers that the U.S. government knew more about their personal lives than the Russian government itself.
 
What all this makes clear is that the U.S. realized it had undersold itself and underutilized its tools, which is quite literally the last thing you want to do with a deterrent. But times are changing and so, it appears, the pace of operations is picking up.
 
These operations involve extremely detailed pre-operational surveillance and planning so that when the time comes, the real break-in can happen easily. It creates options. The operation can go farther and, as the Times claims happened here, an implant ready to hurt critical infrastructure can be left at the ready. It’s a line that until recently the Americans claimed they did not cross except in exceptional cases.
 
The problem, of course, is that none of this, right up until the attack occurs, is public. Which makes deterrence more than a little bit of a problem.

So let’s look at that Times article again:
 
Is the U.S. hacking the Russian power grid? Certainly. The U.S. has been hacking the Russian power grid since before Gorbachev.
 
Is there a conspiracy within the U.S. government against Donald Trump? Certainly not. Anyone hacking the Russian power system is simply doing their job as demanded by Reagan and HW Bush and Clinton and W Bush and Obama… and Trump. It's about planning and, if the Times is right, prepositioning assets. Not executing a broad-scale attack.
 
Is Trump aware that the Russian power grid is being hacked by American agents? Of course. Everything that matters in Russia is being hacked by American agents. Ditto for China. And Iran. And a follow-on list of countries so long I’m not going to go into because of the hate mail it would generate.
 
Does the national security establishment dislike Trump? Well duh. Trump is upending seven decades of tradition. That’s awkward even on a good day.
 
As to the issue with the Times article, however, I’m going to call bullshit. If an anonymous source is concerned the president will shut down his favorite top-secret anti-Russian program, blabbing about his favorite top-secret program to the Times -- which makes its bones publishing everything in a public forum -- would indicate that said agent isn’t all that bright.
 
In fact, the only people this article seems to be alerting are the Russians. But as the author pointed out, the government raised no national security concerns about the article. That suggests this is all about sending the Russians a message.
 
The context of that message is one I can only guess at, but I must underline repeatedly that the United States is not on the verge of shutting off the lights in Russia. There is an enormous difference between hacking something like the Russian power system to install malware and activating said malware. The former is rude… and a normal part of state policy. The latter would crash air traffic control and shut down mass transit and darken hospitals. It would kill a lot of people and be a flat-out act of war.
 
It also isn’t going to happen without a change in strategic relations far more radical than anything Donald Trump has brought to the table to date.
 
But the Americans now have drawn a line in the sand, publicly. The question is who is going to cross it.