The greater business community should be on higher alert for cyberattacks by nation-state actors after the report last week that President Trump signed a “presidential finding” around cyberwarfare that gives the CIA broader powers to launch cyberattacks against U.S. adversaries.
After all, following the Stuxnet attack by the U.S. in 2009 the Iranians responded not by attacking military facilities or critical infrastructure, but major banks such as JP Morgan Chase, Wells Fargo and American Express.
“The financial sector and financial targets should be on significantly heightened watch over the next several weeks,” said Jason Healey, a senior fellow at the Cyber Statecraft Initiative at the Atlantic Council. “We already know that attacking financial targets is what Iran does. After Stuxnet they went after the banks.”
Healey and other security experts are concerned that this new aggressive stance by the CIA could escalate tensions and lead to attacks on critical infrastructure. In fact, last week’s Yahoo report indicated that this new aggressive stance was not just to stop the hacking of U.S. business interests and online commerce, but launch cyberattacks on nuclear power and electric plants and wastewater treatment plants.
“If I were in business, I would be worried about attacks on critical infrastructure,” said Jacqueline Schneider, a fellow at Stanford’s Hoover Institution. “If the United States is attacking critical infrastructure, is it OK for our foreign adversaries and allies to do the same thing?”
There’s an inauspicious side to all of this, added Tarah Wheeler, international security fellow at New America.
“All of the news of the CIA’s new cyberwarfare authority has happened while the world is preoccupied with the Covid-19 pandemic, “ Wheeler said. “Most companies are more focused on staying in business and getting through the third quarter and they have no time or space to worry about the cyber policies of the CIA. Frankly, the risk of any individual business being targeted is very low, and I’d tell them to patch their infrastructure and budget for phishing and security awareness, not to invest in offensive weapons versus a hostile nation-state. It’s the US government’s role to protect businesses and individuals, which is also why I don’t advise a lone person in the U.S. to stockpile grenades in case North Korea attacks. Instead, I tell them to invest in good front door locks, teach the kids to not get in strange cars, and make friends with the neighbors.”
In another interesting development, roughly a week after the report about the cyber presidential finding came out, a bipartisan coalition of House members offered 11 amendments to the fiscal 2021 National Defense Authorization Act (NDAA). The amendments are based on the Cyberspace Solarium Commission report, which calls for a National Cyber Director and strengthening the Cybersecurity and Infrastructure Security Agency (CISA). The group seeks a bipartisan national consensus on cyber policy, including offensive attacks.
Rep. Jim Langevin, D-R.I., and Rep. Mike Gallagher, R-Wis., of the House Armed Services Committee have taken the lead on these efforts, along with Sen. Angus King, I-Maine, who along with Gallagher, co-chaired the commission. A spokeswoman for Sen. Mark Warner, D-Va., co-chairman of the Senate Intelligence Committee, said the discussion of expanded CIA powers and cyberwarfare was classified and that Warner was unable to discuss. SC Media received the same response from the office of Rep. Eric Swalwell, D-Calif., who sits on the House Intelligence Committee.
Security experts such as Wheeler have noted that U.S. Cyber Command already has the jurisdiction on cyberwarfare and it’s strange to allocate budget to a civilian agency like the CIA for offensive military operations. She said that Title 10 of the U.S. Code governs the duties of the military to manage offensive military operations (which is what offensive cyber operations can rise to), while Title 50, Chapter 4 outlines espionage, which governs the CIA. She says there are few U.S. laws governing direct civilian use of military weapons, other than the National Firearms Act of 1934, which says that ordnance of a certain size (grenades, bombs, rockets, howitzers) cannot be owned or used by private civilians, absent massive scrutiny, oversight and routine inspection of their storage and inventory.
“The CIA is a civilian agency with clandestine responsibilities,” Wheeler said. “I’m not saying that the CIA doesn’t have good reasons for their actions, but the Presidential directive to the CIA now means they are not subject to regulations and Congressional/civilian oversight in the same way as the military. U.S. Cyber Command has experience running offensive cyber operations and, when necessary, keeping those actions clandestine.”
Keep in mind that this new cyber policy has not emerged out of thin air. Former national security advisor John Bolton announced the nation’s more aggressive cyberwarfare policy in September 2018 when they rolled out National Security Presidential Memorandum 13, known as NSPM-13. This document focused mainly on the U.S. military’s role in cyberwarfare and was championed as evidence that the Trump administration was serious about moving forward more aggressively. “Our hands are not tied as they were in the Obama administration,” Bolton said at the time.
It’s interesting that it took 17 months for the Trump administration to finally let Congress review NSPM-13. How much luck the House and Senate will have getting information out of the CIA is anybody’s guess.
For the doubters, the Atlantic Council’s Healey pointed out that the CIA Director gets confirmed by the Senate, which means they do appear in front of Congress. Only officials such as the national security advisor who aren’t confirmed need not testify. Healey said he was “sure” that if the administration had changed oversight reporting on covert actions, there would have been leaks in the mainstream press.
“I’m convinced the protocols for covert action are solid,” he said. “So, there is intelligence oversight of new CIA actions as with any other covert action.”
Some security experts welcomed the news that the CIA was taking a more strident stance.
“The Russians, Chinese, Iranians and North Koreans have been waging asymmetric cold, economic and cyberwarfare on the U.S. and its allies for many years, and their agencies don’t have to get permission to do so – they are ordered to do so,” said Colin Bastable, CEO of Lucy Security “We should have been taking the offensive long ago. Offense is the best form of defense, so I welcome this news. As for multinational businesses – they have been at risk and under attack for years. No change there.”
Keenan Skelly, founder and CEO of shyftED, countered by saying that this carte blanche and agency-specific type of authorization can be both damaging and destabilizing to our national security and foreign relations.
“While a certain level of autonomy is expected regarding covert activities, when done outside of a national security strategy and without the cooperation of relevant agencies, it tends to result in misguided unintentional outcomes,” Skelly said. “The Obama era policies erred on the side of caution and intense legal review, but this finding seems to remove any authorization.”
Skelly added that agents planning covert cybersecurity actions walk a dangerous tight rope, as many cyber outcomes have second and third order effects that are not as well mapped out as a kinetic event.
“Also, cyber actions can lead to escalation and follow-on kinetic attacks,” Skelly said. “As cybersecurity is the underpinning of banking, telecommunications, and nearly all critical infrastructure, unchecked operations could destabilize countries in such a way that global commerce and the economy are affected. There’s a middle ground here, but it would take cooperation between government agencies and some level of oversight.”
Lucy Security’s Bastable did admit that a more aggressive stance on cyberwarfare does introduce risk.
“Let’s just hope that the CIA does not lose control of its secrets,” Bastable said. “I am sure that they have the ability to compete offensively with any foreign adversaries in cyberspace, but I’m not at all convinced that our myriad intel agencies can guard their secrets from leaks and poor security.”