TrickBot was in the news quite a bit in early October 2020. Starting with reports of TrickBot disruption in late September 2020 subsequently linked to United States Cyber Command (USCC), events ramped up with an independent coordinated infrastructure take-down organized by Microsoft coming shortly thereafter. There are many avenues of analysis into this event and very interesting questions raised, including items such as election security concerns and public-private coordination (or in this instance, lack thereof). At the moment, what most interests me is how and under what authorities USCC engaged in its action, an item which appears to be ignored in most current reporting.
USCC has increasingly adopted a more aggressive posture with respect to the command’s area of responsibility under the “persistent engagement” and “defend forward” frameworks. Yet as a US military entity, USCC remains bound by the strictures of US Code (USC) Title 10 for the application of military force. In cases where an adversary is a “foreign power”, USCC’s capability and authorization have grown considerably, facilitating the preemptive defend forward strategy which I’ve previously criticized.
Yet the emphasis on “foreign power” as defined by Section 101 of the Foreign Intelligence Surveillance Act (FISA) – which is used in the cyber-specific components in Chapter 19, Section 394 of 10 USC – is more restrictive than many might realize. As outlined in FISA legislation, a “foreign power” is exclusively reserved for entities controlled by or directly affiliated with a foreign state or political entity, with specific extensions to this definition made for terrorism and weapons of mass destruction (WMD) trafficking. Under this framework, operations such as disruption of Russian information operations infrastructure during the 2018 US midterm elections and Joint Task Force Ares for counterterrorism purposes serve as examples targeting various types of “foreign powers”.
The more forceful update to the cyber components of 10 USC found in the most recent National Defense Authorization Act, Section 1642(a)(1) facilitates USCC’s persistent engagement strategy by allowing for disruption and cyber deterrence. Yet while seemingly unleashing USCC on the country’s foes, precise language in the update is more specific still for targeting purposes as it relates only to very specific entities:
“In the event that the National Command Authority determines that the Russian Federation, People’s Republic of China, Democratic People’s Republic of Korea, or Islamic Republic of Iran is conducting an active, systematic, and ongoing campaign of attacks against the Government or people of the United States in cyberspace, including attempting to influence American elections and democratic political processes, the National Command Authority may authorize the Secretary of Defense, acting through the Commander of the United States Cyber Command, to take appropriate and proportional action in foreign cyberspace to disrupt, defeat, and deter such attacks under the authority and policy of the Secretary of Defense to conduct cyber operations and information operations as traditional military activities.”
Based on the available authorities and legislation in play, the TrickBot incident seems quite curious. While TrickBot’s controllers are assessed as “Russian speaking”, no evidence exists and no serious claim has ever been made indicating they have any link whatsoever to the Russian state. Furthermore, the botnet itself is so thoroughly widespread, as indicated in Microsoft’s reporting previously cited, that any intrusions into local government networks responsible for election operations in the US may simply be the result of inadvertent spread and targeting extension rather than any deliberate, precise target selection. Based on this (public) information, TrickBot appears to satisfy neither the definition of a “foreign power” under standard USCC authorities nor the type of attacks spelled out in Section 1642(a)(1).
Three possibilities exist which may explain USCC’s actions:
- USCC has access to nonpublic information linking TrickBot’s controllers to Russian state interests, allowing USCC to target the group as an agent of a “foreign power”, although this incorporates language from 50 USC Section 1801(b).
- TrickBot’s potentially tangential impact on election systems through increasing intrusions in local government networks was used as a way to “sex up” requests for authorization to use the powers in Section 1642(a)(1) to extend this remit to cover entities beyond the four named countries.
- USCC received intelligence indicating a “foreign power” sought to buy access to TrickBot-controlled infrastructure aligning with critical infrastructure needs. To avoid potential intelligence loss, the entire botnet was targeted for takedown to address the threat of a state-nexus adversary using purchased access for possible election disruption.
At this time, insufficient evidence exists to support these speculative claims, and other possibilities exist as well which may have been used to enable and justify USCC’s actions. Overall, the almost certainly twisted logic and legal acrobatics used to justify the takedown seem to indicate the torturous nature of executing operations via 10 USC authorities – presumably clandestine options, resident both north and south of Washington DC, would have been better suited toward such activity. However, that this action occurred under the existing framework indicates that in-house counsel is taking a far more aggressive stance on operations such as this than what I remember ten years ago – but that is another story.
Yet now a precedent of sorts has been set, where USCC will utilize its ability to wage cyberwar to extend this beyond (obvious) state-directed or -sponsored entities to cover criminal groups capable of widespread disruption as well. Given TrickBot’s involvement in events impacting healthcare and other critical infrastructure verticals, the group’s actions certainly extend to types of disruption that are adjacent to what one might anticipate in cyber warfare, even if the group’s (likely) intentions remain monetization. Given my previously-voiced concerns about ransomware potentially being weaponized for deliberately destructive purposes, punishing these actors seems highly desirable to drain the swamp of ransomware operations in which more threatening entities might try to hide.
But as much as we might cheer the (likely brief) disruption to TrickBot or similar malicious actor infrastructure, the precedent swings in a few directions beyond that which is most pleasing to us. Namely, USCC has executed an operation against a (likely) non-state, non-terrorist foreign entity that, election fig leaf aside, was not involved in classic state-centric offensive operations (such as deliberate destruction). Given that USCC’s decision making on this matter is opaque, we have no way of knowing what thresholds, what “red lines” exist to delineate “normal” criminal activity from those actions which will involve the US military.
More concerning still, this is not a space that USCC and the US government own and control unilaterally – other players, some nearly as capable, operate in this arena as well. Given that USCC’s actions were against criminal activities, the possibility of other entities pursuing their own types of criminals but in a more brazen fashion presumably increases. I foresee entities such as the People’s Republic of China (PRC) and Russia looking at this precedent and eagerly seeking to apply it with respect to dissidents and regime opponents abroad. While PRC cyber activity targeting overseas dissidents and critics is already “a thing”, the USCC TrickBot operation makes it into a less “beyond the pale” event so long as such actions can be married to some legal concern or “compelling national interest”.
Overall, I eagerly hope more information comes available concerning USCC’s activity – not the technical aspects (which honestly seem rather blunt and primitive), but rather the institutional and legal settings in which the action took place. For I fear, as USCC has moved beyond state-sponsored entities and terrorist elements, a precedent has been set, the consequences of which remain unclear at this moment.