Cyber Command's Role in Election Defense: Important, But Not a Panacea

As Election Day 2020 draws near, there has been a wave of reporting about adversarial use of cyberspace to attempt to interfere—again—in a U.S. election. A few weeks ago, there were reports that both U.S. Cyber Command and Microsoft—purportedly acting independently of one another—attempted to disrupt TrickBot, a large botnet associated with Russian-speaking cyber criminals that could be used to conduct ransomware attacks against election infrastructure. Last week, senior Trump administration officials held a press conference where they revealed that both Russia and Iran were actively seeking to interfere in the election through cyber-enabled information operations, as well as cyber operations to gain access to election infrastructure. And, earlier that week, the U.S. Department of Justice unsealed an indictment of six Russian officers, charging them with crimes in connection to their engaging in a range of cyber operations around the world, including the 2017 French election hack.

These efforts by government and private actors to push back on foreign cyber activity raise an important question: What is the role of Cyber Command in defending the elections, and how might the concepts of defend forward and persist engagement apply?

While Cyber Command is one stakeholder in election defense, there are important and appropriate constraints on using the military to defend U.S. elections, even against threats posed by foreign actors. Moreover, defend forward should not be construed as the universal remedy for all cybersecurity challenges facing the United States.

Gen. Paul Nakasone, the commander of U.S. Cyber Command, stated recently that “[t]he number one objective at the [National Security Agency] and USCybercom is a safe, secure, and legitimate 2020 election.” He linked defending the elections to persistent engagement. Defend forward, the strategic concept outlined by the Defense Department in its 2018 Cyber Strategy—which Cyber Command implements through the concept of persistent engagement—calls for the U.S. to position its cyber forces outward to halt attacks at the source, as close as possible to the adversary. The Cyber Strategy also highlights the role of the Department of Defense in working with partners across the interagency and the private sector to share information to enable early warning and improve domestic defense.

Ostensibly, an early test run of this strategic concept took place in 2018 when Cyber Command, working through a newly formed task force, the Russia Small Group, reportedly took a number of actions to disrupt threat actors aiming to interfere in the 2018 midterm elections. This was reported to have included a temporary operation to take offline the Russia-based troll farm the Internet Research Agency, as well as cyber operations to send direct messages to Russian operatives. Immediately following the elections, the Cyber National Mission Force, the operational arm of Cyber Command, announced that it had launched an effort to share foreign malware samples on VirusTotal, a website that provides a public platform for sharing cybersecurity information. The first sample uploaded was malware that had been linked to APT28, a threat actor affiliated with the GRU, Russia’s military intelligence service.

Cyber Command touted its defense of the 2018 midterm elections as a success, and this model is likely being applied to defend the 2020 elections. Indeed, the New York Times reported in 2019 that Cyber Command and the National Security Agency had made the Russia Small Group task force a permanent entity. And public reporting around Cyber Command’s operations in the past few weeks is consistent with the 2018 model.

However, there are fundamental challenges and limitations associated with relying primarily on the military, and Cyber Command in particular, to defend the 2020 elections in cyberspace. There are also risks of applying defend forward as a panacea to address the full scope of cyber challenges America faces.

Setting aside the particularly vexing challenge of domestic threats to American elections, efforts to secure an election even against foreign threats rest primarily with departments and agencies with domestic authorities. Military and intelligence organizations have highly circumscribed authorities and roles—and rightly so. Defend forward was designed to counter adversary action outside of U.S.-controlled cyberspace and to cultivate a more comprehensive understanding of the threat environment. To those ends, there is a clear role for defend forward in disrupting and denying infrastructure and capabilities that adversaries are leveraging to target the elections if that infrastructure exists outside of the United States, such as a troll farm housed in St. Petersburg. That said, much of the threat activity manifests itself within domestic cyberspace, whether it be misinformation and intimidation campaigns propagated via email or on social media platforms, or threat actors within state election systems. In these cases, Cyber Command has limited authorities to act.

Instead, the critical stakeholders include state and local governments, which have the responsibility for administering elections and certifying results; domestic federal departments and agencies, such as the Department of Homeland Security and Justice Department; independent entities, such as the Election Assistance Commission; private companies, including social media platforms and internet service providers; and the American people themselves.

There has been some laudable work across the interagency (notwithstanding apparently countervailing efforts by the president himself) to figure out how to alter the risk calculus for adversaries contemplating interference in the U.S. election system. But, the United States remains challenged in figuring out exactly the right moves. It is manifestly clear that bad behavior from adversaries is continuing. And, despite costs the U.S. government has attempted to create—public statements warning adversaries about election interference, counter-cyber operations, indictments, sanctions, attribution, botnet takedowns and so forth—these appear to have some disruptive effects on adversary operations but have not led to meaningful, decisive changes at a systemic level.

Taken together, this strongly suggests that the best defense of the American election system is, in fact, a good defense. Specifically, the U.S. could take a range of actions domestically to improve societal resilience to adversary information operations and improve the cybersecurity of election infrastructure itself. The Cyberspace Solarium Commission’s March 2020 report, for example, provides a number of suggestions on that front. These include improving the capacity, organization and funding of the Election Assistance Commission; making funding for election security to states more reliable and consistent; and promoting digital literacy and civics education to make American society more resilient.

This begs the question: What more, if anything, could Cyber Command do to defend the election system? Beyond Cyber Command’s existing efforts, there are three areas for improvement. First, there needs to be better coordination with the private sector, made possible by deliberate efforts to cultivate and institutionalize relationships. Take the reporting about the recent actions against TrickBot. If accurate, it suggests that Microsoft took independent action through licit mechanisms to take down the botnet, Cyber Command conducted a disruptive cyber operation on the same botnet, and neither of these actions was coordinated with the other. At best, this reflects a disjointed, uncoordinated approach with the happy coincidence of having shared objectives. At worst, however, Microsoft and Cyber Command could have been operating at cross-purposes. While there is recognition within the federal government, including within the military and the intelligence community, of the need to improve collaboration with the private sector, major hurdles must be overcome—particularly in terms of outreach to technology companies and internet service and cloud providers.

Second, there is a critical but underappreciated function of intelligence. Much of the media focus is on reports about Cyber Command’s counter-cyber operations, perhaps because these are inherently more exciting to speculate about. However, this focus neglects a central aspect of defend forward: maneuvering within and through adversary and neutral cyberspace to gain information about evolving adversary capabilities, tradecraft and infrastructure. Defend forward pairs this with sharing actionable information with other stakeholders rapidly to provide early warning and aid in more proactive defensive actions. Greater emphasis should be placed on improving organizational capacity and capabilities, and building and institutionalizing the relationships that support this effort. Given that many U.S. counter-cyber operations are likely to have limited, transient effects, this suggests that strategic intelligence and early warning should play a greater role. The ideal end state would be to leverage this information to be more anticipatory on the defensive side—to identify likely adversary next steps and adversary intelligence collection requirements to get ahead of potential next targets.

A challenge the Obama administration reportedly faced in 2016 illustrates why this kind of intelligence is critical. While officials observed malicious Russian behavior, the U.S. could not necessarily ascertain with confidence what the Russian playbook looked like. In other words, it wasn’t clear whether the activity was only the opening salvo of a broader campaign to more directly interfere in the election, by manipulating voter tallies, or by hitting other targets, such as the power grid. Or, was what officials had already observed the extent of Russia’s campaign plan? Without this type of intelligence information, it is difficult to reliably assess the risks of various policy responses and to know where to proactively surge defensive efforts. Today, it’s still not clear whether we know enough about the Russian playbook. This may explain why administration officials have recently gone public with implicit red lines around certain types of election interference actions (such as direct interference in voter tallies), as a means of signaling. This parallels the private signaling that took place in 2016 when President Obama used the nuclear hotline to warn Russian President Vladimir Putin to refrain from more direct interference in the election.

Finally, there are some scenarios where Cyber Command and defend forward should play an essential role. For instance, in the event of a contested election or an ambiguous result, or even simply during a peaceful transfer of power, a foreign adversary may seek to conduct a cyberattack of significant consequence to test the responsiveness of the U.S. government or to further foment domestic unrest. A counter-cyber campaign to prevent this kind of attack or, more likely, to reduce its impact would be an area where Cyber Command should be a critical actor. Therefore, contingency planning for these kinds of scenarios is crucial.

Defending American democracy against cyberthreats is a foundational national security issue. However, the predominant share of this effort should be taken by domestic agencies, the private sector, and the American people, rather than the military.