U.S. military increases cyber hacking to keep foreign adversaries on their toes

Image: A heating power plant in Moscow, Russia, on April 21, 2018, part of the country's power grid. Copyright Maxim Shemetov / Reuters file
By Ken Dilanian with NBC News Politics

"The other side thought they could just walk all over us," said one expert. "There was a decision in this administration to impose consequences."


WASHINGTON — With little public scrutiny, the U.S. military has dramatically stepped up its secret hacking of foreign computer networks in a new effort to keep China, Russia, Iran and other adversaries on their heels, current and former U.S. officials tell NBC News.

Empowered with new legal authority from both Congress and President Donald Trump, the military's elite cyber force has conducted more operations in the first two years of the Trump administration than it did in eight years under Obama, officials say — including against Russia, despite Trump's well-documented affinity for Vladimir Putin.

The general in charge of the push, Paul Nakasone, has spoken about the new policy in cryptic terms such as "persistent engagement," and "defending forward," without explaining what that means. Multiple current and former American officials briefed on the matter say military hackers are breaking into foreign networks, striking at enemy hackers and planting cyber bombs that would disable infrastructure in the event of a conflict.


The officials declined to confirm or deny a New York Times report that an element of these classified operations included hacking into Russia's power grid, but they said that such a move would be a standard response to similar behavior by Russia and China. U.S. officials have said that those countries have for years planted malware that could turn out the lights in parts of the U.S.

"This is no different than a spy satellite," one senior U.S. official briefed on the matter told NBC News. "What this is is finding vulnerabilities in people's military and civilian infrastructure. That's how you should think of it."

Over the last decade, U.S. responses to foreign cyberattacks "have been tenuous, they have been episodic, we really haven't done anything," said Nakasone, who is both the commander of U.S. Cyber Command and the director of the National Security Agency, during a question-and-answer session at the Marshall Forum in April. "We are going to ensure that our adversaries know that there are limits within which they can operate…. No longer are we going to be on the sidelines."

This sea change has been welcomed by many experts as long overdue after eight years of hesitation during the Obama administration, which was extremely reluctant to authorize offensive cyber operations even as China, Russia, North Korea and Iran attacked U.S. companies, political parties and the government itself.

"The other side thought they could just walk all over us," said Jim Lewis of the Center for Strategic and International Studies, who consults frequently with the U.S. government. "We do need to engage. There was a decision in this administration last year to impose consequences."

The policy carries with it an increased level of risk. There is no developed doctrine of cyber warfare, and cyber operations can have unforeseen consequences.

"There's always a risk that you're going to accidentally damage something and you're going to cause some sort of impact that you did not anticipate," said Michael Daniel, president and CEO of the Cyber Threat Alliance, who was a top cybersecurity official in the Obama administration. "The truth is we don't fully understand how all these networks fit together, and there can be unintended results."

The new approach was empowered by language Congress inserted last year in a defense bill, which provided new authorities for offensive military cyber operations. Last August, Trump signed a classified order known as National Security Presidential Memorandum 13, which officials say authorized Cyber Command to take action abroad without specific presidential approval.

"Between strategy, policy and authorities there has been a tremendous change over the past 18 months," Nakasone said in April.

The army general made clear that the offensive hacking is being done "below the level of armed conflict."

He frequently draws an analogy to other branches of the military. "Our air force doesn't stay in hangars on the ground and never take off and fly in the air," he said. "They're flying every single day. They're flying missions to provide us warning…they provide a show of force sometimes. It's the same concept in cyber space…We don't wait for something to happen to us."

But that analogy breaks down quickly, Daniel and others say, because the U.S. Air Force doesn't fly a show of force in Russian or Chinese air space. And when the Air Force drops bombs, it discloses that fact, unless it was a clandestine special operations mission. And even in that case, the public knows generally what sorts of missions those are, and under what legal authorities — typically, counterterrorism operations under the post-9/11 authorization for the use of military force.

Cyber Command and the National Security Council did not respond to NBC News requests for comment.

When it comes to what Cyber Command is up to, the American people are almost completely in the dark. Powerful cyber weapons are being deployed with no public buy-in.

One former senior U.S. official with direct knowledge of how the U.S. is conducting offensive cyber operations said the new policy was long overdue, because America has long been in a low-grade cyber conflict.


In the Obama administration, the official said, there was little agreement about how to respond to Chinese computer thefts of intellectual property, a North Korean hacking attack on Sony Pictures or even the 2016 Russian election interference. Offensive cyber operations often must go through third-country networks, and there is a risk they can do damage along the way.

"Now, as long as it doesn't cause massive disruption, they are doing it," the official said. "If a phone system goes out in Germany for an hour, so be it."

The operations, the official said, are often designed to seize control of adversary computer networks and "hold them at risk" — meaning create the potential to disrupt or destroy them.

On Election Day 2018, Cyber Command went further, and shut down the computers at the Internet Research Agency, the Russian troll farm that used fake social media accounts to manipulate the American electorate.

NBC News reported that Trump personally approved that operation. But Trump has not been involved in many of the details of what military hackers are up to, officials say, because the rules don't require it.


In a briefing for reporters in April, a senior Pentagon official said that Cyber Command had conducted more operations in recent months than in the last decade.

"I would say that in 8, 9, 10 years under the old decision process, I can count on less than two fingers the number of operations conducted," the official said, according to the Fifth Domain, a cyber-focused news site. "In this time since mid-August when the new process went into place, we've conducted many more."
