A US history of not conducting cyber attacks

The United States is a leading cyber power.

Naturally, experts have focused on deconstructing US-led cyber attacks to broaden our understanding of the nature of cyber conflict (Healey 2013). Most prominently, Operation Olympic Games—better known as Stuxnet—destroyed 1,000 centrifuges at Iran’s Natanz uranium enrichment site. These cyber attacks did three things: They proved the ability of cyber operations to cause destruction to critical infrastructure, highlighted the role of the private sector in exposing cyber attacks, and revealed where the offense versus defense balance lies (Lindsay 2013; Slayton 2016).

But these cyber attacks are only one part of the story.

Just as important is the United States military’s history of not conducting cyber attacks—in particular, those it planned but never executed. There were numerous occasions when the US military considered conducting cyber attacks but refrained from doing so, and these have been largely overlooked as sources of insight. Part of this is due to the limited availability of information on these cases. (There are also operations the United States has tried but failed. For example, Joseph Menn reported that the United States tried a similar attack to Stuxnet against North Korea but ultimately failed because it was not able to get sufficient level of access [Menn 2015]).

Six cases that are publicly known —mostly originating from the diligent reporting of investigative journalists—reveal much about the US military’s strategic thinking, posturing, and assessment of the limits of cyberspace. These incidents reveal much about the US military’s strategic thinking, posturing, and assessment of the limits of cyberspace. What at first glance appear to be cyber non-events in fact help us to identify the difficulties of planning cyber operations alongside conventional military operations. These non-events also aid in examining the US record (which actually shows considerable restraint), give context to institutional efforts, and show how uncertainty about collateral damage can lead to inaction.

Early worries

When Gen. Keith Alexander of the US Army appeared before the Senate Committee on Armed Services for his confirmation hearing in 2010 to become director of the National Security Agency and the new Cyber Command, he was asked if the United States had ever “demonstrated capabilities” in a way that “adversaries are deterred” from acting against US interests in cyberspace (US Senate Committee on Armed Services 2010). He responded: “Not in any significant way. We have conducted exercises and war games, and responded to threats, intrusions, and even attacks against us in cyberspace. Law enforcement and the counter-intelligence community have responded to intrusions and insider threats. Even industry and academia have attempted to ‘police’ the Internet. How all of these have deterred criminal actions, terrorists, hostile intelligence entities, and even nation states cannot be systematically measured” (US Senate Committee on Armed Services 2010).

There is no publicly recorded evidence that the US military conducted any cyber attacks — better known to practitioners in this field as so-called “cyber effect operations”—prior to operation Olympic Games (Smeets 2022). (Cyber effect operations refers to operations which seek to disrupt, deny, degrade, or destroy an opponent’s assets.) Regardless of whether they are called cyber attacks or cyber effect operations, we know of at least three cases in which the Pentagon considered launching them in the 1990s and early 2000s.

First, in late 1999, the Washington Post reported that the US Defense Department considered hacking into Serbian computer networks to “disrupt military operations and basic civilian services” in the later stages of the Kosovo war. According to senior defense officials, the Pentagon ultimately opted out because of “continuing uncertainties and limitations surrounding the emerging field of cyber warfare” (Graham 1999; also see Arkin 1999).

The Washington Post continued “…the Defense Department’s top legal office issued guidelines warning that misuse of cyber attacks could subject US authorities to war crimes charges. It advised commanders to apply the same ‘law of war’ principles to computer attack that they do to the use of bombs and missiles. These call for hitting targets that are of military necessity only, minimizing collateral damage and avoiding indiscriminate attacks” (Graham 1999). An internal assessment of the Pentagon later stated that under the principle of military necessity “…stock exchanges, banking systems, universities, and similar civilian infrastructures may not be attacked [whether with bombs or bits] simply because a belligerent has the ability to do so” (Arkin 1999)

Concerns about legality were not the only reason that the US military did not conduct cyber attacks. Another reason concerned the immature state of the US cyber arsenal as well as the “rudimentary or decentralized nature of some Yugoslav systems,” limiting the attack surface for a computer assault (Graham 1999).

The US military had only started institutionalizing its cyber efforts in the late 1990s, “spurred on by the command and control warfare theories that found success in Desert Storm” (White 2019). In 1998, the US Defense Department created the Joint Task Force Computer Network Defense unit—an entity that turned into Joint Task Force-Computer Network Operations two years later, and essentially became the cyber attack mission of the Pentagon.

US forces did conduct two other types of operations during the Kosovo war that could be thought of as cyber. First, the US jammed the Yugoslav air defense system through electronic countermeasures, launched from an electronic jamming aircraft (Graham 1999). Second, they conducted several traditional information operations, such as psychological operations and deception actions, that targeted the military, police forces, and the Yugoslav leadership, through such activities as bombarding Milosevic and his associates with faxes.

Second, in 1990, as the United States was preparing to go to war with Iraq for the first time, the US Special Operations Command proposed a plan to seize control of a radar base in the south of the country. According to Richard Clarke and Robert Knake, “[T]hey planned to bring with them some hackers, probably from the U.S. Air Force, who would hook up to the Iraqi network from inside the base and then send out a program that would have caused all the computers on the network all over the country to crash and be unable to reboot.” (Clarke and Knake 2010, 35-36). The leader of the coalition forces against Iraq, Gen. Norman Schwarzkopf, is said to have found the plan a “crazy idea” and thought it was risky and unreliable. “If you want to make sure their air defense radars and missiles don’t work, blow them up first. That way they stay dead. Then go in and bomb your targets.” (Clarke and Knake 2010, 35-36)

Third, in the lead-up to Operation Iraqi Freedom in 2003, the Pentagon developed a classified plan to cripple the Iraqi financial infrastructure and shut down Saddam Hussein’s financial ability to pay supplies and troops.

The attack was not approved by officials in the George W. Bush administration, who were again concerned about the risks of collateral damage. As another senior officer stated: “We are deeply concerned about the second- and third- order effects of certain types of computer network operations, as well as about laws of war that require attacks be proportional to the threat” (Markoff and Shanker 2009). For this operation, reporting suggests that the embryonic state of the US arsenal was not an additional obstacle. One senior official who worked at the Pentagon at the time told the New York Times, “We knew we could pull it off—we had the tools” (Markoff and Shanker 2009; also see Clarke and Knake 2010, 39).

In mid-2009, Secretary of Defense Robert Gates directed the commander of the US Strategic Command to establish a unified cyber command (Warner 2015). Cyber Command followed a dual-hatted arrangement, in which the director of the National Security Agency, or NSA, also served as the Commander of US Cyber Command, also known as “USCYBERCOM.” Historian Michael Warner wrote that “the creation of USCYBERCOM marked the culmination of more than a decade’s worth of institutional change. DoD [US Defense Department] defensive and offensive capabilities were now firmly linked, and, moreover, tied closely, with the nation’s cryptologic system and premier information assurance entity, the NSA” (Warner 2015).

One glove off

Yet, the establishment of US Cyber Command did not mean that all the gloves were off; efforts were still somewhat half-hearted. In 2011, high-level officials at the Pentagon considered carrying out offensive cyber operations against Libya’s air defense system (Nakashima 2011). There were again concerns about weapon reliability, as it was unclear whether the Libyan government would simply restore its air defenses. As one former US government official put it: “Cyber is just going to destroy or disable a component. […] It’s not going to blow something up on the rails.” (Daily Mail Reporter 2011) That said, reporting from Washington Post correspondent Ellen Nakashima (2011) suggests that the main reason the operation was aborted was because officials had insufficient time to prepare the attack. “We just ran out of time,” a former military official said. “It was overcome by events.”

The operational planning in Libya illustrates a more general point that James McGhee, the legal advisor for US Special Operations Command North, made in a Strategic Studies Quarterly article: “It is generally impractical to use offensive cyber operations because, contrary to the speed at which they are carried out, planning these operations generally takes more time than planning conventional, kinetic operations [and] […] while we may have some number of cyber capabilities ‘on the shelf,’ their operational use requires much more than simply loading them and sending them on their way. Our operators must first know and understand the target network, node, router, server, and switch before using any cyber capability against them. However, to conduct such preparatory work still requires operators being told to do so in the first place” (McGhee 2016).

From 2012 to 2018, cyber effect operations (also referred to in the US intelligence community as “Computer Network Attacks”) were regulated by a Presidential Policy Directive. This particular directive, known as PPD-20, was leaked to the press by an American former computer intelligence consultant, Edward Snowden, who had worked for the National Security Agency as a subcontractor. Consequently, we know that PPD-20 established “principles and processes for the use of cyber operations so that cyber tools are integrated with the full array of national security tools”—something later confirmed by unclassified talking points released by the government (White House 2013). Furthermore, the directive stated that “The policy enables us to be flexible, while also exercising restraint in dealing with the threats we face” (White House 2013).

Yet, as Jason Healey, senior scholar at Columbia University, noted: “PPD-20 appeared to allow the military only limited flexibility to conduct military operations outside their own networks, even in self-defense.” Approval for significant cyber operations outside of the “defended network or portion of cyberspace” remained with the president and had to go through a long interagency process between various departments. This interagency process was implemented to limit potential escalation, ensure civilian control over the military, and confirm that the military had sufficient certainty their operation would succeed—issues put forward in all the individual operations discussed above. The process seemed convoluted, and even those who helped to create the rules felt it was too great a bureaucratic roadblock to conduct operations effectively and responsibly (Healey 2019).

A milestone

But carrying out cyber operations during the heat of wartime proved less tedious. In 2016, US Cyber Command established a new unit called Joint Task Force Ares, whose mission was to counter the Islamic State of Iraq and the Levant (ISIL), as well as other actors across the globe (Martelle 2018). According to the US Cyber Command Mission analysis brief, Joint Task Force Ares aims “to deny ISIL’s use of the cyberspace domain through a multi pronged approach” and “support the broader effort to dismantle ISIL in Iraq and Syria, and posture for follow-on cyberspace operations” (United States Cyber Command 2016). It sought to “employ cyberspace forces and integrate, synchronize, and deconflict […] to deliver effects against ISIL.” (United States Cyber Command 2016).

It was a historic turning point: Joint Task Force Ares was now operating globally, organized around a unified purpose, developing a range of cyber options, and actually executing some of them (Martelle 2016).

A key operation assigned to Joint Task Force Ares was Operation Glowing Symphony. Declassified documents obtained under the Freedom of Information Act by VICE Motherboard and the National Security Archive (a non-profit organization founded by journalists and scholars to check rising government secrecy, and which has the world’s largest archive of declassified US documents outside the federal government) show the careful codification of both the goals of Operation Glowing Symphony and the manner in which progress and success is measured. The documents also indicate there was careful coordination between the use of artillery and airstrikes.

However, US Cyber Command’s operations against the Islamic State group ran far from smoothly—despite upbeat public proclamations to the contrary. At the 2018 US Cyber Command symposium, the cyber campaign against ISIL was heralded to be a success: “We are hitting every target as we said and hit it without collateral damage. We can do this” (Rogers 2018). According to Admiral Michael Rogers, then-commander of US Cyber Command “…cyberspace operations played an important role” in “[…] stabilizing the nations of that region and building peace in the Middle East.” Gen. Paul Nakasone, current commander of US Cyber Command, who led the organization’s efforts against ISIL at the time, also claimed that the approval process led to a “tremendous amount of success with ongoing operations [in] our fight against” ISIL (Healey 2019).

Yet, in a report published in 2017, the former US Secretary of Defense, Ashton Carter expressed his disappointment in the cyber component of US efforts to destroy ISIL (Carter 2017). Carter noted: “I was largely disappointed in Cyber Command’s effectiveness against ISIS. It never really produced any effective cyber weapons or techniques. When CYBERCOM did produce something useful, the intelligence community tended to delay or try to prevent its use, claiming cyber operations would hinder intelligence collection.” Carter goes on to state that “This would be understandable if we had been getting a steady stream of actionable intel, but we weren’t. The State Department, for its part, was unable to cut through the thicket of diplomatic issues involved in working through the host of foreign services that constitute the Internet. In short, none of our agencies showed very well in the cyber fight.” Carter did note that there were some successes: “One exception was an international effort to combat ISIS’s hateful online presence with counter-messaging, an effort that did achieve significant reach and had a real impact” (Carter 2017).

Washington Post reporter Ellen Nakashima adds that the cyber campaign against ISIL led to a “heated debate” about the need to notify countries, including US allies, that are home to computer hosting services used by ISIL (Nakashima 2017).

2018 and beyond: A new cyber posture

In 2018, two key developments took place.

First, US Cyber Command outlined its new strategic vision to ‘Achieve and Maintain Cyberspace Superiority,’ by providing “a roadmap for USCYBERCOM to achieve and maintain superiority in cyberspace as [they] direct, synchronize, and coordinate cyberspace planning and operations to defend and advance national interests in collaboration with domestic and foreign partners” (US Cyber Command 2018). The US Cyber Command’s new strategic vision on persistent engagement, together with the US Defense Department’s 2018 Cyber Strategy, embodies a fundamental reorientation in strategic thinking. Based on the recognition that even if an adversary’s behavior falls below the threshold of armed attack it can nevertheless be strategically meaningful, Cyber Command now seeks to achieve ‘superiority through persistence’— in other words, Cyber Command would constantly engaging with its adversary, wherever and however they maneuver.

On August 15, 2018, President Trump rescinded PPD-20 and replaced it with a new edict called the National Security Presidential Memorandum 13, or NSPM-13. As this memorandum still remains classified, much is unclear about the exact authorization process of offensive cyber operations. Reacting to the repeal, Foreign Policy published an op-ed dramatically titled “The Trump Administration Just Threw Out America’s Rules for Cyberweapons” (Barry 2018). While that description was something of an exaggeration, NSPM-13 does remove some vetting and pushes decision-making authority down the chain of command—away from the president, towards the commanders (Chesney 2018). John Bolton, then National Security Advisor, proclaimed that “Our hands are not tied as they were in the Obama administration” and the previous “restraints” were “effectively reversed” (Nakashima 2018). Other significant legislative hurdles for US Cyber Command to operate have also been cleared since 2018.

The change in US cyber posture suggests that the US Cyber Command wants to be more active in cyberspace. Three operations indicate that the United States is serious about turning this vision into action. In 2019, US Cyber Command reportedly disrupted the Internet Research Agency, a Russian troll factory spreading disinformation, (Nakashima 2019) and also led a cyber operation against Iran after the Saudi oil attack in 2019 (Idrees and Stewart 2019). Furthermore, in 2020, it targeted the computer networks of Trickbot, a notorious Russian ransomware gang (Krebs 2020; Nakashima 2020). An interview with Gen. Nakasone suggested that several other operations were planned and executed—but have not been publicly disclosed (Graff 2020).

That said, many of the limits that the early planning of cyber operation exposed—such as the risks of collateral damage, the difficulty of timing operations, and the limited attack options against an opponent—have not gone away as the United States changes to a more engaged posture. Indeed, these barriers are not the result of how the agency planning process is set up but stem from the very nature of cyberspace itself. This suggests that many of the struggles to execute cyber operations continue to persist—particularly when those in charge seek to integrate them with conventional operations.

Acknowledgements

For written comments on early drafts, the author is indebted to Jason Healey and Michael Martelle.