PC Magazine|September 2019
What’s your daily routine? Perhaps you roll over and scroll through your phone for a few minutes, ask Alexa for the weather, fire up satellite radio on your drive to work or use a credit card to purchase a train ticket, swipe a keycard at the office, and sign into a PC at your desk. You pay for lunch with Apple Pay, keep tabs on your home and pets via a security cam, and buy a few things on Amazon. At home, the kids watch Netflix or play Fortnite as a robot vacuum whirs nearby and you pay bills with a few taps on the iPad.
Most of us remember a time before these modern creature comforts. We made do with paper books, physical maps, landlines, and snail mail. N ow, it’s all but impossible to live a productive life without access to the internet, not to mention more vital resources such as electricity.
If any of these services were to go offline—briefly or for a long time—it could seriously disrupt our way of life and the economy, and our foreign adversaries know it. But it works both ways; every country with formidable cyber weapons is well aware that their foes are one extended power outage, ransomware crisis, or data dump away from chaos. Many, including the US, have already wormed their way deep into the critical infrastructure of their foreign adversaries. Russia has turned off the lights in Ukraine, the joint US-Israel Stuxnet operation messed with an Iranian nuclear facility, and North Korea crippled operations at Sony Pictures.
Still, nation-states have not yet approved the sort of attack that might signal the start of a formal cyberwar, in large part because a retaliatory strike could be worse. US policy changes at the top, however, suggest that might soon change.
THE BRAKES ARE OFF
In summer 2018, President Trump quietly reversed the Obama-era Presidential Policy Directive 20 (PPD-20). This wonky-sounding directive’s demise gave the US government the authority to unleash on its enemies some of the most powerful cyber weapons at its disposal. As National Security Director John Bolton put it at the time, “Our hands are not tied as they were in the Obama administration.”
What this means exactly is classified. Even members of Congress aren’t entirely sure what Trump’s approach— dubbed National Security Presidential Memorandum 13 (NSPM 13)—actually allows the US government to do, and they’re not happy about it.
In theory, NSPM 13 cuts the red tape. It “frees the military to engage, without a lengthy approval process, in actions that fall below the ‘use of force’ or a level that would cause death, destruction or significant economic impacts,” according to The Washington Post, which cited anonymous individuals familiar with the policy.
The US is not rushing to turn the lights off in China or Iran, according to Bolton. He says NSPM 13 is “in our national interest—not because we want more offensive operations in cyberspace, but precisely to create the structures of deterrence that will demonstrate to adversaries that the cost of their engaging in operations against us is higher than they want to bear.”
US Cyber Command is ready to get cracking. “We cede our freedom of action with lengthy approval processes,” the agency said in April 2018. “Our adversaries maneuver deep into our networks, forcing the US government into a reactive mode after intrusions and attacks that cost us greatly and provide them with high returns.”
According to Bolton, NSPM 13 was used to target Russia’s Internet Research Agency (IRA) ahead of the 2018 midterms. More recently, The New York Times reports that the US has placed “potentially crippling malware” inside the Russian electric grid. This was intended both to send a message and to prepare for a strike should it be necessary, though that used authority granted in the defense authorization bill, not NSPM 13.
The US is no stranger to clandestine operations, particularly in cyberspace. The Stuxnet malware that hit Iran’s Natanz nuclear facility was reportedly part of a much larger effort known as Nitro Zeus (NZ), which anonymous National Security Agency (NSA) officials described as a “science-fiction cyberwar scenario.”
NZ infiltrated Iran’s command-and-control systems, military air defense systems, and civilian support systems, including power grids, transportation, communications, and financial systems, as filmmaker Alex Gibney outlined in his Zero Days documentary about Stuxnet.
“We were inside waiting, watching, ready to disrupt, degrade, and destroy those systems with cyber attacks,” officials told Gibney. “And in comparison, Stuxnet was a back-alley operation. NZ was the plan for a full-scale cyber war with no attribution.”
NZ was reportedly a last resort—a way for the US to stop Iran in its tracks if it attacked Israel and started a real war. But it begs the question: What do our adversaries have planned for us?
You can read up to 3 premium stories before you subscribe to Magzter GOLD
Log in, if you are already a subscriber
Get unlimited access to thousands of curated premium stories and 5,000+ magazines
READ THE ENTIRE ISSUE