Living Inside Adversary Networks

The Trump administration on Thursday accused Russia of infiltrating by digital means “energy and other critical infrastructure sectors” in the United States. “We now have evidence they’re sitting on the machines, connected to industrial control infrastructure, that allow them to effectively turn the power off or effect sabotage,” Eric Chien, a security-technology director at Symantec, said to Nicole Perlroth and David Sanger in the New York Times. “From what we can see, they were there,” Chien added. “They have the ability to shut the power off. All that’s missing is some political motivation.”

That sounds pretty bad, and it is. But is it unusual?

"The National Security Agency has implanted software in nearly 100,000 computers around the world that allows the United States to conduct surveillance on those machines and can also create a digital highway for launching cyberattacks,” Sanger, along with Thom Shanker, reported four years ago. Perlroth and Sanger reported three years ago on a Kaspersky report that concluded that the United States “has found a way to permanently embed surveillance and sabotage tools in computers and networks it has targeted in Iran, Russia, Pakistan, China, Afghanistan and other countries closely watched by American intelligence agencies.”

There have been scores and scores of other stories in recent years about NSA infiltration of foreign networks in ways that establish the capacity for the United States to launch cyberattacks on those networks. The extraordinary array of NSA capacities revealed by Edward Snowden gave these stories credence. So too, more recently, has the loss to the public of some of the NSA’s most powerful hacking tools.

Moreover, the U.S. government has for many years warned that foreign adversaries have penetrated U.S. networks in ways that could be preparation for devastating cyberattacks. As long ago as November 2014, NSA Director Mike Rogers warned that China and “probably one or two other countries” were inside the networks that controlled U.S. critical infrastructure, including the power grid, and could thus attack or disrupt those networks. At least twice in 2017, the U.S. government warned that foreign hackers had penetrated the computer networks of companies that run energy facilities in the United States. In November 2017, Symantec reported that hackers, including ones linked to the Russian government, had gained access to the computer networks of electrical utility companies.

So there is little that is new or surprising in the revelation that Russia is probing and placing potentially offensive implants in the computers that operate the U.S. electrical grid. But of course the revelation comes in the context of deep anxiety about Russian interference in the 2016 election and is exacerbated by deteriorating relations between Russia and the West.

The news that Russia and other adversary nations are deeply embedded in U.S. critical infrastructure networks—and that we are embedded in theirs—raises at least the following questions:

• What, if anything, can the United States do about adversaries living in its networks?

• What is the relationship between (i) the hundreds of stories over the past five years about the many ways that the United States successfully penetrates foreign adversary networks, and (ii) the growing revelation that foreign adversaries live in U.S. networks? Did the combination of Snowden, Cyber Command, Stuxnet, the U.S. Internet Freedom Agenda (which helped activists circumvent controls in foreign networks), etc., spark a panic among U.S. adversaries and a subsequent arms race in offensive cyberoperations that is adversely affecting the United States?

• Does foreign penetration of U.S. networks on which U.S. firms and citizens are deeply dependent explain, at least in part, the United States’ extraordinary hesitation to respond to damaging cyberoperations such as the Democratic National Committee hack, the Sony hack, the Iranian attack on U.S. banks, and the like, for fear of losing in escalation?

• When major adversaries live in one another’s networks in ways that allow them to launch attacks on those networks, is the situation stabilizing (under something like a mutually assured destruction theory), or destabilizing (because of the powerful incentive to engage in damaging low-level attacks, and the absence of clear lines about which forms of attacks might trigger damaging retaliation on critical infrastructure)? How might the answer vary across pairs of adversaries? (U.S. vs. Russia, U.S. vs. China, U.S. vs. Iran, U.S. vs. North Korea, and the like.)

Hard questions, scary times.

Note: I just noticed that Marcy Wheeler and Julian Assange made similar points earlier today (Friday). I agree with Marcy that this is not about "whataboutism." Rather, as I have argued before, it's about (among other things) the possibly adverse consequences at home of offensive U.S. cyberoperations abroad or at least about the relationship between U.S. cyber-offense and U.S. cyber losses at home. As I have noted many times, I have never heard a U.S. official discuss this relationship in any detail or with any concern.