The Star Staff

U.S. tried a more aggressive cyberstrategy, and the feared attacks never came

By David E. Sanger and Julian E. Barnes

From its sprawling new war room inside Fort Meade, not far from Baltimore-Washington International Airport in Maryland, U.S. Cyber Command dived deep into Russian and Iranian networks in the months before the election, temporarily paralyzing some and knocking ransomware tools offline.

Then it stole Iran’s game plan and, without disclosing the intelligence coup behind the theft, made public a part of Tehran’s playbook when the Iranians began to carry it out.

Now, nearly a week after the polls closed, it is clear that all the warnings of a crippling cyberattack on election infrastructure, or an overwhelming influence operation aimed at American voters, did not come to pass. There were no breaches of voting machines and only modest efforts, it appears, to get inside registration systems.

Interviews with government officials and other experts suggest a number of reasons for the apparent success.

One may be that the United States’ chief adversaries were deterred, convinced that the voting infrastructure was so hardened, Facebook and Twitter were so on alert, and Cyber Command and a small group of American companies were so on the offensive that it was not worth the risk.

But there is another explanation as well: In the 2020 election the distinction between foreign and domestic interference blurred. From early in the campaign, President Donald Trump did more to undermine confidence in the system’s integrity than America’s rivals could have done themselves.

And in the aftermath, Trump’s baseless accusations, amplified by conservative news media outlets, have only intensified, leaving the Russians and the Iranians with the relatively easy task of bouncing his messages back into the echo chamber of social media.

“A lot of the disinformation that voters consume originates from within our own country,” said Jeh C. Johnson, a secretary of homeland security under President Barack Obama. “All foreign adversaries need to do is aid and abet and amplify.”

Trump and his allies, it turns out, were the chief purveyors of the kind of election misinformation that the FBI, the Department of Homeland Security and U.S. intelligence officials were warning about. He was also the one actor they could not mention, much less try to neutralize. That was left to the online platforms, mostly Twitter, which placed warnings on many of his posts.

In an Election Day conversation with journalists, Gen. Paul M. Nakasone, commander of Cyber Command and director of the National Security Agency, said he was “very confident in the actions that have been taken against adversaries over the last several weeks and several months to ensure they are not going to interfere in our elections.”

He said the National Security Agency was also watching for efforts by foreign adversaries to prod extremist groups to violence — a concern that remains.

Yet over the subsequent few days, before the election was called in favor of Joe Biden, Nakasone and other officials avoided questions about whether their commander in chief was feeding the very forces they were working to defeat.

In interviews, Democrats and Republicans who have been deeply involved in the effort to harden American defenses and put the United States on offense say it is possible that the country is beginning to figure out what works to deter cyberattacks.

They give credit to Nakasone and Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security. Krebs spent the past two years persuading states and social media companies to bolster their defenses against attacks.

Once the election is officially certified, the military will complete its “after action” reports. The most interesting will most likely be classified. But in interviews with a variety of key players, a few lessons are already emerging.

The first is that Nakasone’s aggressive new posture — which Cyber Command describes with terms like “persistent engagement” and “defend forward” — may be working. The phrases refer to going deep inside the computer networks of adversaries, whether that means the Internet Research Agency, the Russia-based group that mounted the 2016 influence campaigns; the GRU, Russia’s military intelligence agency; or Iran’s increasingly active cybercorps.

Once inside, Cyber Command can use its access to hunt for operations that are being planned — or to conduct what amount to preemptive strikes.

The United States has launched such strikes before, of course, against Iran’s nuclear program, North Korea’s missiles and, during the 2018 elections, the Internet Research Agency, which ran the influence campaign that aided Trump in 2016. But no significant cyberretaliation, at least none that became public, was ordered by the Obama administration around the 2016 election, even though the administration knew that Russian actors were stealing data and scanning voter registration systems.

This time Nakasone did not wait for much evidence to roll in before acting. He went after Trickbot, a widely used set of tools written by Russian-speaking criminal groups that he believed could be used to lock up registration systems or computer sites of secretaries of state, which count ballots.

So did Microsoft, which obtained court orders against Trickbot. Together, the military and private sector actions, which appear to have been largely uncoordinated, disrupted the network of the criminal groups in October, leaving them hampered in any potential attacks against election infrastructure.

Officials familiar with the operations say there were also attacks directed at a Russian state-run group called Energetic Bear, or Dragonfly, that has long been inside American electric utilities and has redirected its hacking skills toward state and local governments.

Sen. Angus King, I-Maine, who helped lead a bipartisan effort to draw lessons from the rising tempo of cyberattacks, said Cyber Command’s more active approach had an effect.

“I have felt for years what was lacking in our cyberdefense was a deterrent,” King said. “And we are getting closer to having that deterrent. I want our adversaries to have to think hard about what they are going to do because they know there is going to be some results that will be a cost to be paid.”

Nakasone would not confirm specific operations. But he said he would take his victories in small doses, by knocking adversaries offline, even temporarily, to make it hard for them to launch an attack. “I look at it more as are we imposing a degree of costs that is making it more difficult for them to do their operations?” he said.