Jul 15, 2020

Axios Codebook

Good morning, and welcome to this week’s Codebook, where we’re thinking about the vast changes technology has wrought on the world of espionage in the 21st century.

⚡️ Situational awareness: Secretary of State Mike Pompeo announced new U.S. visa restrictions on some Huawei employees in a further escalation of the Trump administration's campaign against the Chinese telecom manufacturer.

Today's newsletter is 1,540 words, a 6-minute read.

1 big thing: The CIA's new license to cyberattack

Illustration: Aïda Amer/Axios

In 2018, President Trump granted the CIA expansive legal authorities to carry out covert actions in cyberspace, providing the agency with powers it has sought since the George W. Bush administration, former U.S. officials directly familiar with the matter told Yahoo News.

Why it matters: The CIA has conducted disruptive covert cyber operations against Iran and Russia since the signing of this presidential finding, said former officials.

Driving the news: According to the Yahoo News story, of which I am the lead author, the 2018 covert action finding gives the CIA much more power to undertake such operations without needing prior approval from the National Security Council.

  • Under the Obama administration, U.S. officials would discuss proposals for specific potential covert actions for months, or even years, before signing off on them, former officials said.
  • Now they can go “from idea to approval in weeks,” a former U.S. official told Yahoo News. And many proposals can now circumvent the NSC entirely, said former U.S. officials. “Trump wanted to push decision-making to the lowest possible denominator,” said another former U.S. official — which means many of these decisions are now being made in-house within the CIA, said former officials.

Of note: These new powers are not related to the CIA’s ability to hack for the purpose of mere intelligence-gathering, said former officials.

  • Instead, they are about creating real-world effects like degrading or destroying adversaries’ infrastructure or exposing rival intelligence services’ secrets, said these officials.
  • The CIA’s new authorities have allowed it to more freely engage in “hack-and-dump” operations of the sort popularized by Russian intelligence via WikiLeaks, where pilfered data is leaked to journalists or released online via personas like Guccifer 2.0, the online front used by Russian operatives to publicize the 2016 hack of the DNC, said former U.S. officials.
  • The CIA has already dumped Russia- and Iran-related tranches of data online, said former officials.

Other impacts of the 2018 finding:

1. Financial institutions. It loosens prior restrictions on disruptive or destructive targeting of financial institutions, former U.S. officials said.

  • In prior administrations, wiping or dumping hacked banking data was considered an uncrossable line because of the potential effects of retaliation by foreign states on the U.S. banking system, said former officials.
  • Treasury Department officials were always particularly vociferously opposed to such measures in the past, said former officials.
  • “These were things CIA always knew were an option, but were always a bridge too far,” a former official told Yahoo News. “They had been bandied about at senior levels for a long time, but cooler heads had always prevailed.”

2. "Cut-outs." The presidential authorization makes it much easier for the CIA to target “cut-outs” believed to be working surreptitiously for hostile foreign intelligence services at media organizations, charities, religious institutions or other nonstate entities for disruptive or destructive cyber actions, said former officials. In the past, the burden of proof for targeting such entities was high; now, standards have been made far more lax, said former officials.

3. The "big four." The finding explicitly enables the CIA to use these new powers against the “big four” U.S. adversaries — China, Russia, Iran and North Korea. But even though the CIA already had more legal maneuverability on covert operations against Iran than other U.S. foes, the Trump administration was particularly focused on escalating its activities against Tehran, said former officials.

  • These new CIA authorities, as well as a capacious interpretation of prior ones, have contributed to the administration’s “maximum pressure” campaign against Iran, say former officials, with the CIA conducting disruptive cyberattacks against Iranian infrastructure throughout Trump's term.
  • This maximum pressure campaign has been tantamount to a “regime destabilization” strategy for some senior Trump-era national security officials, aiming to weaken the Iranian government in order to force it to retreat to its own borders — and even hopefully collapse entirely, say former officials.

The big picture: Some officials emphasize that Trump-era shifts in U.S. offensive cyber operations are part of a natural evolution in U.S. policies in this arena and that many changes would have been granted under a new Democratic administration as well.

  • “It’s not like some cabal of folks who had been sort of outside the national security establishment ... were then brought in and hijacked” this process, a former senior official told me.

2. Trump: 2018 cyberattack on Russian agency was U.S. effort

Illustration: Lazaro Gamio/Axios

A cyberattack on the day of the 2018 U.S. elections that temporarily crippled the Internet Research Agency (IRA), the Russian “troll farm” affiliated with Moscow’s intelligence services, was the work of the U.S. Military Cyber Command, President Trump confirmed in an interview last week with the Washington Post.

Why it matters: In early 2019, the Washington Post reported that the U.S. was behind the cyber strike, but this is the first time any U.S. official — let alone the president — has confirmed American authorship on the record.

Details: The 2018 cyberattack knocked out the St. Petersburg-based IRA’s power the day of the midterm elections, U.S. officials told the Post in 2019. In the run-up to the midterms, Cyber Command also engaged in a psychological operations campaign against IRA members, reported the New York Times — messaging them online to let them know the U.S. knew their identities and other private data about them.

  • The 2018 IRA operation was largely symbolic, in that U.S. officials waited until the day of the election to take the organization offline. (The IRA’s online influence campaigns are most impactful in the weeks and months leading to an election, not on Election Day itself.)
  • If anything, the action was designed to signal to the Russian government that the U.S. could access IRA networks — and likely the networks of other Russian intelligence entities as well.

Our thought bubble: Offensive U.S. cyber operations are typically conducted with deniability in mind. Affirmation of U.S. responsibility almost always involves officials confirming American involvement anonymously — if at all.

  • That provides American operatives and the affected adversary more room to maneuver on the continuum of escalation or de-escalation.
  • More candid disclosures like this by American officials would help foster public debate about U.S. cyber policies — but there are always trade-offs.

3. Germany seizes server hosting hacked U.S. police data

German police seized a server last week hosting data from a massive recent hack of U.S. law enforcement agencies, according to a tweet by the founder of the transparency group that shared the materials online.

Catch up quick: The material from the hacked tranche, known as BlueLeaks, was stolen from regional U.S. law enforcement “fusion centers” — information-sharing hubs used by federal, state and local law enforcement agencies. Over 200 agencies were affected by the hack, which involved 269 gigabytes of material.

  • The hacked material was provided to Distributed Denial of Secrets (DDoSecrets), a transparency collective that hosts dozens of pilfered data sets from all over the world.
  • The person or persons behind BlueLeaks are affiliated with Anonymous, the diffuse hacker group, said the same DDoSecrets founder.
  • DDoSecrets has come under increasing pressure subsequent to publishing the BlueLeaks files. Last month, Twitter suspended the group’s account because of its role in disseminating hacked materials. The social network has also disabled all links to the stolen tranche.

Our thought bubble: Twitter’s stringent policing of the BlueLeaks data, and the German authorities’ move — requested by U.S. law enforcement — show how the environment surrounding the reception and dissemination of hacked materials has changed since 2016 and Russia’s hack-and-dump campaign to disrupt the U.S. presidential election.

  • Media organizations, in particular, are struggling with how to report — or whether to report — stories derived from stolen data sets, especially when those hacked materials may be part of state-backed covert influence campaigns.
  • Twitter’s moves also point to the increasing unease some social media platforms feel with becoming vectors for sharing illegally obtained materials.

That leaves some big questions. If Twitter blocks links that point users to the BlueLeaks data set, what will it do with articles by mainstream media outlets reporting on information derived from that data set? Should newsrooms and publishers draw different lines than platforms do? It’s an ethical challenge that won’t be resolved in 2020, or anytime soon after.

4. Russian hacker convicted of LinkedIn, Dropbox breaches

Yevgeniy Nikulin, a Russian hacker, was found guilty last week in a San Francisco federal court on charges relating to intrusions of LinkedIn, Dropbox and Formspring. The 2012 breaches carried out by Nikulin compromised the information of more than 100 million Americans.

Context: Nikulin’s case has long been shrouded in intrigue.

  • The hacker, who had significant shadowy connections to other prominent members of the Russian cyber crime underground — a world closely tied to Russia’s intelligence services — was arrested in 2016 in Prague at the request of U.S. authorities and subsequently extradited to the United States to face criminal charges.
  • After Nikulin’s arrest, some speculated that his case might be connected to Russia’s 2016 election interference campaign, but no public evidence of these connections ever emerged.
  • Russian officials vociferously protested Nikulin’s extradition to the United States. Nikulin later met with a Russian consular official while in U.S. custody without his lawyer present.

Nikulin’s case has dragged on for an extended period. He was extradited to the U.S. in 2018. Then the case was delayed because of concerns about his psychiatric fitness after the hacker began behaving increasingly erratically. The COVID-19 pandemic further delayed his trial.

5. Odds and ends

  • Reversing a previous decision that had been criticized by the U.S., the U.K. said it would bar all Huawei equipment from its 5G build-out. (Axios)
  • DHS’ Cybersecurity and Infrastructure Security Agency sent an urgent alert warning of a serious vulnerability affecting roughly 40,000 organizations worldwide using SAP software. (CISA)