Oct 14, 2020

Axios Codebook

Hello, and welcome to the latest edition of Codebook, where we're thinking about the minefield media outlets face when reporting about — or becoming an unwitting amplifier of — disinformation.

Today's newsletter is 1,303 words, a 5-minute read.

1 big thing: Botnet disruption shows aggressive U.S. cyber posture

A U.S. military-led cyber strike aimed at hobbling the world’s largest botnet is the latest escalation of the Trump administration's increasingly aggressive cyber policy.

Why it matters: Going more on the offensive in cyberspace can mean more chances to preempt state-backed or criminal cyber operations before they can harm Americans. But it also raises concerns about America's cyber warriors overstepping their authority and trampling on people's privacy.

What's happening: The military's Cyber Command recently disrupted the TrickBot botnet, per the Washington Post and CyberScoop News.

  • U.S. officials were concerned the botnet, which has generally been used in ransomware schemes, would be deployed to snarl up computer systems tied to U.S. elections.
  • Cyber Command reportedly doesn't expect the move to permanently take the network offline, but it hopes its action will be enough to degrade the TrickBot-linked syndicate's capabilities until after the election.

The big picture: In general, the Trump administration has been willing to launch much more aggressive cyber operations than its predecessor, including on botnet takedowns, says a former senior intelligence official.

  • The Obama administration discussed stripping botnet-planted malware out of victims' computers, recalls this official, in an operation that could have also swept up U.S.-based devices.
  • But the operation never happened because officials believed if it went awry, the U.S. government would be deemed responsible for covertly damaging infected computers.
  • "The chance of a negative incident was so small, so small — minute," recalls the official. "But it was enough for them to not do it."

This changed with the Trump administration, whose "risk tolerance is higher," this person says. "They’re willing to take the risk of upsetting other countries."

The intrigue: The blow to TrickBot reflects that growing assertiveness, which has emerged under cyber commander Paul Nakasone and his doctrine of "persistent engagement" — the idea that U.S. cyber spies should deal blows against adversaries instead of merely playing defense.

The catch: As experts have noted, Cyber Command’s actions raise serious questions about the scope of its powers.

  • The Pentagon’s cyber operators have targeted malicious nation-state actors and even terrorists like ISIS, but this is the first documented case of them executing an operation against a cyber criminal group.
  • It's unclear what authority the U.S. military has to do so, particularly absent a demonstrable contemporary connection between the TrickBot syndicate and the Russian government, or any other state actor.

Privacy concerns have also been raised.

  • In addition to padding the TrickBot network’s records with fake data, Cyber Command’s operation involved pushing out a phony update to infected computers, including in the U.S., cutting them off from the cyber criminals' control.
  • That means Cyber Command forcibly altered the functioning of U.S.-based computers, unbeknownst to their users.
  • Of course, this was done for benign reasons. But it still leaves open the question of whether the government, by forcing its way into Americans' computers, violated the Fourth Amendment.

Meanwhile: Private actors are also moving against the group behind TrickBot.

  • In a related action, Microsoft, leading a coalition of private cybersecurity firms, got the go-ahead from a U.S. federal court to start disabling the syndicate's access to servers critical to TrickBot infrastructure, the company announced Monday.
  • Yes, but: Like Cyber Command, the Microsoft-led coalition believes its action won't keep the cybercriminals from eventually rebuilding TrickBot.

Context: There are more than 1 million computers and other Internet of Things devices hijacked by the TrickBot network, which has been active since 2016.

  • In September, TrickBot operators used the network to launch a major ransomware attack against United Healthcare Services, a large U.S.- and U.K.-based health care company.

The bottom line: The Cyber Command and Microsoft-led actions should forestall similar attacks, at least for a little while. The broader debates around appropriate cyber policy will long outlive TrickBot’s period of darkness.

2. The “ultimate gray man” who is America’s top cyber spy

Paul Nakasone, who heads Cyber Command as well as the National Security Agency, is still largely a mysterious figure, though he inhabits "perhaps the most powerful intelligence role ever created," according to a new Wired profile.

The big picture: Nakasone, who took the reins at the NSA and Cyber Command in 2018, has helped revolutionize the Pentagon’s offensive cyber operations, writes Wired. That’s led to aggressive campaigns against Russia’s Internet Research Agency and Iranian cyber spies, as well as the TrickBot syndicate, as we detailed above.

What they’re saying: "It is likely that Nakasone has already, in his short, two-year tenure, launched more cyberattacks against US adversaries than Fort Meade had initiated in the rest of its history," writes Wired.

  • These include "at least two other sets of operations since the fall of 2019 [carried out] without public knowledge," reports Wired.

Of note: By tradition, Nakasone’s term of service at both the NSA and Cyber Command should last until 2022 — meaning his influence will likely continue well into the next administration.

Between the lines: Nakasone got far greater room to maneuver with the 2018 advent of the National Security Presidential Memorandum 13 (NSPM 13), an executive order that freed Cyber Command to take more aggressive cyber actions with much looser executive branch oversight.

  • NSPM 13 was accompanied by a secret presidential finding that also freed CIA cyber operators to undertake much more aggressive cyber-enabled covert action.

3. Intelligence alliance renews call for weakening encryption

Representatives of the Five Eyes intelligence alliance — the U.S., U.K., Canada, Australia and New Zealand — plus Japan and India, have released a new statement again calling for expanding "lawful access" into commercial encryption.

Why it matters: It’s more international pressure on tech companies to put backdoors into their encrypted systems, even though experts, including the former FBI general counsel, agree these backdoors would likely be exploited by bad actors, including hostile foreign powers.

What they’re saying: "Law enforcement has a responsibility to protect citizens by investigating and prosecuting crime and safeguarding the vulnerable. Technology companies also have responsibilities and put in place terms of service for their users that provide them authority to act to protect the public," the signatories write.

  • "End-to-end encryption that precludes lawful access to the content of communications in any circumstances directly impacts these responsibilities, creating severe risks to public safety."

Between the lines: While the signatories state that they support "strong encryption," they "urge industry to address our serious concerns where encryption is applied in a way that wholly precludes any legal access to content."

  • In other words, they say they want to protect encryption while simultaneously leaning on private industry to weaken it.

Our thought bubble: Would these countries’ own intelligence services assent to such a weakening of their own cryptographic standards? Unthinkable. But for advocates of backdoors like Attorney General Bill Barr, what’s good for the goose isn’t necessarily good for the gander.

4. USAGM soliciting OTF partners as it withholds funds

The U.S. Agency for Global Media (USAGM) is trying to lure away partners that have provided services for the Open Technology Fund (OTF) to work with a different agency it has stood up called the Office of Internet Freedom (OIF), emails obtained by Axios' Sara Fischer show.

Details: USAGM, racked with controversy since Trump appointee Michael Pack took over, is reaching out to OTF grant recipients directly in an effort to get them to apply to work for the OIF, according to the emails.

  • Sources say some vendors have expressed concern as to how their contact information was obtained. The OTF, a government-supported nonprofit focused on building software that advances internet freedom, manages sensitive work with dissident journalists and technologists in authoritarian countries.
  • In emails to the OTF vendors, USAGM executives urged them to apply to OIF using a set of project categories that mostly overlap with the OTF’s areas of focus and told them they might be able to prequalify based on their existing relationship with OTF.

Meanwhile, USAGM has also been withholding funds from the OTF, to the tune of $20 million to date, sources say. Critics fear the funding is being routed to the OIF without congressional approval.

Between the lines: Observers argue the USAGM maneuver is an effort to move the funding of internet freedom projects out from under OTF's more rigorous requirements so that money can be funneled to projects favored by USAGM leadership.

The big picture: USAGM is facing lawsuits and investigations into its handling of OTF as well as other USAGM media agencies, like Voice of America.

5. Odds and ends