3/19/2019 US Rescinds PPD-20 Cyber Command Enters New Age of Cyberwar

SELECT ALL S E P T. 1 1 , 2 0 1 8 U.S. Silently Enters New Age of Cyberwarfare By Mack DeGeurin

Photo-Illustration: Konstantin Sergeyev/SelectAll Years ago, the world witnessed the creation of the first major “cyberweapon.” Secretly loaded onto an unknown Iranian worker’s USB flash drive, an American-Israeli line of malicious code now known as Stuxnet entered Iranian computer networks and spread like a cancer. The self- replicating computer worm burrowed itself in 15 Iranian industrial networks, eventually infecting its primary target: Iran’s nuclear facility at Natanz. Workers watched helplessly as centrifuges spun out of control, tricked by the worm to spin faster and faster until its eventual

http://nymag.com/intelligencer/2018/09/us-rescinds-ppd-20-cyber-command-enters-new-age-of-cyberwar.html 1/17 3/19/2019 US Rescinds PPD-20 Cyber Command Enters New Age of Cyberwar mechanical suicide. By the attack’s end, over 900 centrifuges were left in ruin. Strands of the worm, which found its way into the wild, still infect computers to this day.

Stuxnet, which went through years of development between its initial creation and eventual deployment, required rigorous levels of approval and government oversight before its launch. The weapon was treated as significantly different from conventional weapons and featured an approval process similar to those reserved for nuclear weapons. President Obama himself had to personally authorize the attack. That approval process is changing.

This past month, buried beneath an ant mound of political scandal and news cacophony, President Trump set in motion a plan to gut Presidential Policy Directive 20, an Obama-era policy limiting the use of destructive offensive cyberweapons like Stuxnet. What exactly will replace PPD-20 remains clouded in uncertainty, but one thing seems clear: The military’s gloves are off. Without PPD-20, the U.S. military can now use hacking weapons with far less oversight from the State Department, Commerce Department, and intelligence agencies. A paper released earlier this year by U.S. Cyber Command, the hacking arm of the U.S. military, outlines a proposed policy of increased military intervention, and paints a landscape of nations under constant cyberassault. It’s not a stretch to say the removal of PPD-20 may fundamentally restructure the way America conducts war in cyberspace. Whether or not that is a good thing depends on whom you ask.

“What this is all about is streamlining the process and giving the military permission to use cyberweapons under certain circumstances without having to go through a cumbersome process of coordination with all the different agencies,” former Navy Captain Gail Harris says. In conversation, Harris, who was involved in cyberdefense for the Department of Defense, echoed the arguments laid forth by Cyber Command in its paper. In that document, Cyber Command describes cyberspace as an “active and contested operational space in which superiority is always at risk.” Whether you like it or not, Cyber Command argues, we are currently engaged in a persistent war of code with adversaries continuously attacking and entrenching themselves deep in American networks. The brisk nine-page document details a world under constant subversion. These “persistent threats,” Cyber Command argues, require swift and aggressive military responses in kind. Be they Russian and Iranian state hackers, terrorists, or hacktivists, the document blames bureaucratic red tape and political hand- holding for much of America’s recent cyber woes.

http://nymag.com/intelligencer/2018/09/us-rescinds-ppd-20-cyber-command-enters-new-age-of-cyberwar.html 2/17 3/19/2019 US Rescinds PPD-20 Cyber Command Enters New Age of Cyberwar

modevilla/Getty Images

Get unlimited access to Intelligencer and everything else New York. LEARN MORE »

“We cede our freedom of action with lengthy approval processes that delay US responses or set a very high threshold for responding to malicious cyber activity,” the vision statement reads.

If Cyber Command has its way, it will also be able to transition its fundamental role from defense to potentially more offensive campaigns. Cyber Command says it wants to “expand the military options available to national leaders,” and “defend forward as close as possible to the origin of adversary activity.” The move follows a recent trend by officials geared toward strengthening Cyber Command and granting it far more offensive capability.

While anyone losing hair over election hacking, foreign manipulation, and electrical grid vulnerabilities may take some solace in sharpening the military’s cyber teeth, the prospect of a perpetual online war could come with serious, sometimes unforeseen, consequences. The Plunge Into Perpetual War http://nymag.com/intelligencer/2018/09/us-rescinds-ppd-20-cyber-command-enters-new-age-of-cyberwar.html 3/17 3/19/2019 US Rescinds PPD-20 Cyber Command Enters New Age of Cyberwar “We’ve slipped into permanent warfare,” Columbia research scholar and cybersecurity expert Jason Healey told Select All. “There is no winning this war, it is happening online.” Healey, who wrote the first history of cyberconflict and previously worked on network defense for the Pentagon, said he worried traditional military solutions may simply not work to address cyberconflict. “The military is asking politicians to give them this authority and then get out of the way forever. Once we have done this, we are not going to be able to go back to the way it was before.”

Though agreeing that changes to PPD-20 were needed, Healey said the “friction” between the military and the government over approval processes act as a force for good.

“I like friction,” he said. “Friction is how you avoid bombing Afghan weddings. This interagency process is in place to ensure civilian control over the military, limit potential escalation, and ensure other agencies that might be affected by cyberoperations have a say in the decision.”

In addition to the issues of oversight, another problem arises through the complex nature of just how these digital weapons work. Cyberweapons and hacking tools on the state level differ widely from the air strikes, tanks, and fighter jets of conventional war. Unlike roaring battlegrounds, networks transcend the geographical bounds of nation states. Militaries can, and do, launch attacks from other countries, purposefully muddying attribution attempts. Distinguishing between a hostile enemy and a civilian on their computer bemuses traditional military logic even further. What may begin as a targeted military strike in cyberspace can quickly amplify into a tsunami of code crushing anything in its path.

“At the end of the day, there just might not be a military solution,” Healey said. “Fighting fire with fire sounds great, except we are all standing in dry glass covered in gasoline.”

This is not just theory; we have proof.

Last June, Europe witnessed what happens when a cyberweapon loses control. As a recent Wired story describes in detail how NotPetya, a cyberattack that was intended as a show of political force against Ukraine by the Russian government, quickly hopped borders and dealt over $10 billion in damages around the world. Over 300 Ukrainian companies were hit in what one Ukrainian man described to Wired as “a bombing of all our systems.” Nearly 5,000 miles to the west, Maersk shipping containers were left stranded in New Jersey. The code cared little for international borders.

http://nymag.com/intelligencer/2018/09/us-rescinds-ppd-20-cyber-command-enters-new-age-of-cyberwar.html 4/17 3/19/2019 US Rescinds PPD-20 Cyber Command Enters New Age of Cyberwar Others in support of less restrictions, like Richard Harknett argue in favor of the U.S. attacking enemies before they ever reach American networks in the first place. “Previous U.S. approaches ultimately left the U.S. playing ‘clean up on aisle nine,’” Harknett wrote.

In a similar vein, Harris said a U.S. posture of strength could deter adversaries from challenging with attacks in the first place. “I think if people know that we are going to respond under certain circumstances, then I think that will lead to less attacks,” she said. “Right now there are no red lines for our cyberopponents.”

Maybe. It’s certainly true that, at least on the public level, where and when the U.S. will take on enemies with code remains shrouded in secrecy. It also may be true that a show of cyber teeth by the U.S. military could intimidate enemies and send would-be attackers meekly cowering over the prospect of finding themselves on the receiving end of a cyber equivalent to Hiroshima and Nagasaki. But another less palatable possibility may exist. A ramping up of aggressive U.S. attacks could, according to Healey, have just the opposite effect, and encourage others to step up and match that escalation with even greater force. Several rounds of this back and forth, and the not long specter of a Cold War era arms race runs the risk of resurrection, this time through lines of code and paid trolls.

In its vision statement, Cyber Command attempted to jump ahead of criticism, and denied claims that it is “militarizing” cyberspace.

Even if it’s not, top members of the U.S. government have signaled they are.

At a national cybersecurity conference in July, Vice-President Mike Pence made clear the government’s focus on offensive attacks.

“Resilience,” Pence said, “isn’t enough. We must be prepared to respond.”

http://nymag.com/intelligencer/2018/09/us-rescinds-ppd-20-cyber-command-enters-new-age-of-cyberwar.html 5/17 3/19/2019 US Rescinds PPD-20 Cyber Command Enters New Age of Cyberwar

Vice President Mike Pence @VP

We inherited a cyber-crisis. The previous administration all but neglected cyber-security, even though the digital threats were growing more numerous and more dangerous by the day. #DHSCyberSummit 4,892 4:58 PM - Jul 31, 2018

2,406 people are talking about this

Pence explained the government’s own vision further, saying, “Our administration has taken action to elevate the United States Cyber Command to a ‘combatant command,’ putting it on the same level as the commands that oversee our military operations around the world. Gone are the days when America allows our adversaries to cyberattack us with impunity.”

Most security experts agree with some of the major points issued by Cyber Command and by government officials like Pence. Attempts at interference and disruption online have changed, and the need for updated rules and procedures to deal with these issues need to evolve as well. Allowing the military a clearer, faster protocol for dealing with attacks sounds wise, but just where the limits are remain unclear. The Cyber Command vision statement is just that — a vision. Academics critical of the PPD-20 rescinding, like Stanford cybersecurity experts Herb Lin and Max Smeets, are calling for greater clarity.

“The vision doesn’t address what that [gaining strategic advantage] actually means and how much it will cost,” they wrote. As it stands, the language used both by Cyber Command and Pence suggests an emphasis not on stability, but on victory. But as Lin and Smeets note, “winning” cyberbattles may keep the United States on top, but does little to end that larger issue of persistent online war. “A United States that is more powerful in cyberspace does not necessarily mean that it is more secure.”

In terms of actual policy decision and accountable legal frameworks, the Trump administration and the military remain relatively silent — at least publicly. However unlikely the thought of the U.S. launching a successor to NotPetya may be, without clear language specifically limiting these types of weapons, it’s difficult to predict what safeguards are in place to prevent that situation.

http://nymag.com/intelligencer/2018/09/us-rescinds-ppd-20-cyber-command-enters-new-age-of-cyberwar.html 6/17 3/19/2019 US Rescinds PPD-20 Cyber Command Enters New Age of Cyberwar The rescinding of PPD-20, regardless of what may replace it, signals a watershed moment for how the United States engages in cyberwarfare, who it is willing to target, and what methods it is willing to use.

“I wrote the first history book on this,” Healey said, reflecting on the weight of this moment in context. “I suspect that when I write the second or third version, 2018 is going to be one of the turning points for when things get better or worse. The U.S. has said, ‘The gloves are off.’”

TA G S : U S C Y B E R C O M M A N D P P D - 2 0 C Y B E R S E C U R I T Y D O N A L D T R U M P M O R E

L E AV E A C O M M E N T

4 MINS AGO SELECT ALL Bitcoin Tie Guy Is Breakout Star of the Elizabeth Holmes Documentary B y M A D I S O N M A L O N E K I R C H E R Venture capitalist Tim Draper chose to make a, uh, fashion statement in the HBO documentary about failed blood-testing start-up Theranos.

8:56 A.M. More details on tech companies’ Sisyphean efforts to keep the New Zealand shooting video off their sites

YouTube and Facebook have defended themselves against accusations that they failed to act quickly enough in the wake of the Christchurch terror attack, arguing that their moderation is as good as possible given the number of videos uploaded.

Facebook said on Tuesday that the original stream of the attack was viewed live fewer than 200 times and non-live by 4,000 people before it was removed from the site.

http://nymag.com/intelligencer/2018/09/us-rescinds-ppd-20-cyber-command-enters-new-age-of-cyberwar.html 7/17 3/19/2019 US Rescinds PPD-20 Cyber Command Enters New Age of Cyberwar

Copies of it spread rapidly and by Saturday evening the company had removed 1.5m uploads. By Tuesday morning more than 800 distinct edits of the footage had been posted to the site.

Facebook and YouTube defend response to Christchurch videos —The Guardian

8:34 A.M. Opponents of the New York Amazon deal were a vocal minority – emphasis on minority

Most voters in New York think it was bad for the state when Amazon dropped plans to put a second headquarters in Queens and many think U.S. Rep. Alexandria Ocasio-Cortez bears blame for the deal falling through, according to a new poll released Monday.

The Siena College poll of registered voters in New York state found that 67 percent of those surveyed said the internet retailer’s decision last month was detrimental to New York. Sixty-one percent support the state and city again offering Amazon up to $3 billion in incentives to create 25,000 jobs if the internet giant reconsiders.

“While some may have celebrated Amazon’s announcement to pull the plug, the vast majority of New Yorkers of every stripe thought it was bad for the Empire State,” said Siena pollster Steven Greenberg. “Clearly, jobs outweigh the cost of government incentives in the minds of most voters.”

Poll: Losing Amazon second HQ deal was bad for New York —AP

2/14/2019 Why Amazon Bailed on Its New York Headquarters By JOSH BARRO

MOST POPULAR

1. Devin Nunes Files Bonkers $250 Million Lawsuit Over Mean Tweets B y J O NAT H A N C H A I T

2. Ta-Nehisi Coates Is an Optimist Now B y E R I C L E V I T Z

3. Report: Trump Repeatedly Inflated His Net Worth in Deals With Deutsche Bank B y M AT T S T I E B

4. Man Suspected of Killing Gambino Mob Boss Drew QAnon Symbols on Hands in Court B y M AT T S T I E B

5. Everything Trump Attacked Over a Wild Weekend on Twitter http://nymag.com/intelligencer/2018/09/us-rescinds-ppd-20-cyber-command-enters-new-age-of-cyberwar.html 8/17 3/19/2019 US Rescinds PPD-20 Cyber Command Enters New Age of Cyberwar

B y A D A M K . R AY M O N D

8:09 A.M. HEALTH CARE Beto and Bernie Offer Competing Plans to Fix Health Care B y E D K I L G O R E Medicare for All is still the dominant Democratic health care idea for 2020, but the less ambitious plan backed by O’Rourke could be a competitor.

8:00 A.M. VISION 2020 Democrats Don’t Want to ‘Pack the Supreme Court’ — They Want to Reform It B y E R I C L E V I T Z Democrats are open to reforms that would prevent partisan majorities from dictating policy to a divided nation by fiat. That’s not “court packing.”

7:06 A.M. USC says it’s reviewing the status of the kids in the college admissions scandal and they may be expelled

Updated information on the College Admissions Issue:

• USC has placed holds on the accounts of students who may be associated with the alleged admissions scheme; this prevents the students from registering for classes or acquiring transcripts while their cases are under review —@USC

6:59 A.M. In the Trump administration, this counts as high praise

[Mick Mulvaney] has stayed out of a lot of people’s way … No one is saying he is killing it but staying out of people’s way has helped. —A senior Trump administration official on why Mulvaney may soon become permanent, not acting, White House chief of staff

6:56 A.M. New Zealand’s prime minister has vowed never to say the Christchurch shooter’s name

CHRISTCHURCH, New Zealand — The man accused of carrying out the attack that killed 50 people at two mosques in Christchurch, New Zealand, is expected to represent himself in court, but the country’s

http://nymag.com/intelligencer/2018/09/us-rescinds-ppd-20-cyber-command-enters-new-age-of-cyberwar.html 9/17 3/19/2019 US Rescinds PPD-20 Cyber Command Enters New Age of Cyberwar

prime minister said on Tuesday that she wants to do everything possible to deny him the attention he craves.

“He is a terrorist. He is a criminal. He is an extremist,” Prime Minister Jacinda Ardern said in an address to Parliament. “But he will, when I speak, be nameless.”

“And to others, I implore you,” she added, “speak the names of those who were lost, rather than name of the man who took them. He may have sought notoriety, but we in New Zealand will give him nothing. Not even his name.”

New Zealand Is Loath to Use Suspect’s Name to Avoid Amplifying His Cause —New York Times

6:00 A.M. POLITICS 100 Person Poll: How Will the Trump Presidency End? B y K E L S E Y H U RW I T Z A N D Y E L E N A D Z H A N O VA We asked 100 New Yorkers (plus 19 pundits, journalists, academics, and activists) how they see the Trump administration ending.

12:46 A.M. DONALD TRUMP Report: Trump Repeatedly Inflated His Net Worth in Deals With Deutsche Bank B y M AT T S T I E B Over two decades, the bank reportedly lent Trump $2 billion. In response, Trump inflated his assets on three occasions and defaulted on major loans.

12:25 A.M. Boeing begins the process of rehabbing the 737 MAX

Boeing CEO Dennis Muilenburg said Monday that Boeing will offer pilot training for the 737 Max following two deadly crashes involving the aircraft in recent months.

Muilenburg wrote in a letter to airlines, passengers and the aviation community that Boeing would offer the training and release updated software for the aircraft to “address concerns,” according to the Associated Press.

The new software in the plane is thought to have played a role in a crash earlier this month in Ethiopia that killed all 157 people aboard and an October crash in Indonesia that left 189 people dead, the AP noted.

Boeing will offer pilot training on 737 Max to address safety concerns —The Hill

3/17/2019 http://nymag.com/intelligencer/2018/09/us-rescinds-ppd-20-cyber-command-enters-new-age-of-cyberwar.html 10/17