For years, the US government has been promising—or threatening—a more autonomous and aggressive Cyber Command, the sibling of the National Security Agency whose hackers are authorized to wage cyberwar and disrupt America’s adversaries with direct acts of digital sabotage. During last November’s congressional election, it seems, the newly empowered agency quietly flexed its muscles in an operation that took out internet access for Russia’s Internet Research Agency, a Kremlin-linked hub of social media disinformation.
But while that takedown created an immediate, albeit temporary, impediment for the IRA’s trolls at a key moment, much of the security and intelligence community argues that the message the operation sent—its power as a “signal” to US adversaries online—will resonate further and longer. But the question remains: What does that message actually say?
On Tuesday, the Washington Post reported that Cyber Command targeted the St. Petersburg-based Internet Research Agency with a cyberattack in late 2018—exactly how, or for how long, isn’t clear—that knocked the organization offline during the US midterm elections, potentially preventing a last-minute flood of disinformation designed to affect the election’s results or turnout. Some US senators even told the Post that Cyber Command’s actions had deterred Russia’s attempts to repeat their meddling from the 2016 presidential campaign.
The St. Petersburg headquarters of the Internet Research Agency, Russia’s so-called troll factory.
But most of the former intelligence and cybersecurity officials who spoke to WIRED about Cyber Command’s operation say that the key significance of turning off the IRA’s internet access was not the immediate outage it created, but the larger message it communicated to the Kremlin—amplified further by the classified operation now having leaked to the Post. The mere action of demonstrating that level of control over the IRA’s network makes clear that the US government could have done worse, such as destroying computers or leaking the IRA’s internal communications.
“This operation was nothing more than a signal to the Russians that what you did was not acceptable and we’ll take action and use some element on the spectrum of force to counter that,” says Sergio Caltagirone, a former technical lead at the NSA who has since worked in threat intelligence at Microsoft and security firm Dragos. “You start small to get the message across: If you do this, we will do something. If they do it again, you ratchet up the pain a little more.”
Exactly how much immediate pain the IRA-targeted operation itself caused remains far from clear. The IRA’s staff was reportedly sufficiently annoyed by the shutdown that Cyber Command recorded complaints they sent to their systems administrators. But former White House cybersecurity advisor Rob Knake, who served for four years on president Barack Obama’s national security council, argues that IRA staffers may have had to do little more than walk to a coffee shop, or tether their computers to their phones, to overcome a mere network outage. “If you cut internet access to a bunch of trolls at a troll farm, they work from home or go to their local Starbucks,” Knake says. “I think the message it sent was probably far more significant.”
But Knake and other cybersecurity analysts also question exactly how that apparent message was interpreted. A mere internet takedown in response to a highly aggressive campaign to swing a US presidential election, Knake argues, could be seen within the Kremlin as the opposite of a demonstration of strength. “Our response to a very hostile act is we’re going to cause connectivity problems? That’s not a terribly strong signal,” Knake says. “If you shut off the internet for all of Russia, that’s a signal. Isolating one building I don’t think is much of one.”
Cyber Command had, prior to the IRA’s network shutdown, sent far more literal signals to the IRA staffers, as well as the hackers within the Russian military intelligence agency known as the GRU responsible for much of 2016’s election interference. As the New York Times reported last October, Cyber Command operators sent direct messages to individual Russian staffers that they had identified as involved in election interference, and were tracking their activity. The Post reports that the IRA was troubled enough by those messages that they launched an internal investigation to identify potential leakers.
Whether the attack on the IRA’s entire network served as an effective capstone to that Cyber Command hacking campaign depends on factors that still aren’t public, argues Johns Hopkins cyber conflict researcher Thomas Rid. That includes the timing of the takedown, and whether Cyber Command was disrupting a specific plan the IRA had in place. It’s also not clear what other offensive actions Cyber Command may have taken that remain unreported. For at least the revealed elements of those operations, Rid argues that signaling may be their most significant element, but still questions the signal’s forcefulness.
“I have my doubts whether it has any meaningful effects on the most aggressive components of the Russian establishment. They might just laugh it off,” Rid says. Compared with the GRU intelligence operations that targeted the US over the last several years, he calls the IRA “low-hanging fruit,” a less protected and valued target than actual Russian government entities. “If we look at the whole of Russian intelligence community targeting of American organizations, this small interference with a contractor that’s not part of a core operation doesn’t make a significant difference.”
“If you do this, we will do something. If they do it again, you ratchet up the pain a little more.”
Sergio Caltagirone, Dragos
But Cyber Command seems to be walking a thin line between sending a signal meant to deter foreign misbehavior online and triggering a cycle of escalation that could lead to even more aggressive attacks. As Rid points out, Russian president Vladimir Putin is widely understood to have perceived the release of the Panama Papers—a massive trove of tax haven documents that included information about Putin’s own illicit finances—as a US-led action intended to embarrass him, for which Russia’s sabotage of Democrats in the US election served as payback. A stronger counterattack against the IRA or Russia writ large might only set off the next round of that tit-for-tat.
In that light, a network outage may have been an appropriately conservative option, says Caltagirone. “This is exactly what you want to do in statecraft,” he says. “It’s a light touch, and a masterful move.”
Time will tell if the signal had any long term effect. But Kenneth Geers, a cybersecurity-focused fellow at the Atlantic Council, argues that it’s just the first step in establishing an “escalatory ladder” that’s understood by US adversaries, with increasing responses for every violation. “It says ‘we’re going to hinder your ability to do this. We know who the people are, where the network is, how they’re doing it, and we can stop you,'” Geers says. “This is a message that will be heard loud and clear in the Kremlin.”