Contributing Writer

U.S. government offensive cybersecurity actions tied to defensive demands

News Analysis
Sep 13, 2022 | 7 min read
Critical Infrastructure, Cyberattacks

Current and former U.S. government officials explain the country's "defense forward" and offensive cybersecurity policies and their risks.

[Image: cyber attack maps. Credit: Thinkstock]

Offensive cyber operations are best known as acts of digital harm, mainly in the context of cyber “warfare,” with nation-states, and particularly their intelligence organizations, serving as the primary actors. But, as experts and officials speaking at this year's Billington Cybersecurity Summit attest, “offensive cyber” is also a term increasingly applied to the growing use of digital tools and methods by various arms of the federal government, often in partnership with private sector parties, to disrupt threats at their source or to proactively help the victims of ransomware actors.

These officials and experts say that, for the most part, offensive cyber, if done right and with collaboration among the necessary partners, can lay the groundwork for more robust public and private sector defense. The downside, however, is that a misfired offensive operation can cause collateral damage among innocent parties and possibly spark dangerous real-world responses.

DoD now has defense forward capabilities

Although the U.S. National Security Agency (NSA) has long engaged in offensive cyber operations, U.S. Cyber Command, an arm of the U.S. military founded in 2010 that is closely linked to NSA, has only recently become a visible player in this arena. In 2018, the U.S. Department of Defense (DoD) published a Cyber Strategy summary introducing a new concept called “defense forward.” The summary states that DoD will “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.”

It marked a radical shift in the military’s strategic posture and signaled that the U.S. would not wait until a malicious cyber act occurred before taking action. As legal scholar Bobby Chesney put it, “Defense forward entails operations that are intended to have a disruptive or even destructive effect on an external network: either the adversary’s own system or, more likely, a midpoint system in a third country that the adversary has employed or is planning to employ for a hostile action.”

That same year, close on the heels of Russia’s digital efforts to meddle in the 2016 presidential election, the annual National Defense Authorization Act arguably gave the Pentagon the authority to pre-emptively address cyber threats, particularly those aimed at elections and democratic political processes. In common cybersecurity parlance, defense forward is now often referred to as “offensive cyber”: actions taken to preempt cyber threats, or likely cyber threats, before they can cause damage.

Recent offensive cyber operations

Domestic U.S. law enforcement agencies have engaged in offensive operations for several years, typically seeking court orders to enter the digital spaces of adversaries and shut them down or, more recently, to retrieve cryptocurrency on behalf of ransomware victims, most notably Colonial Pipeline. The FBI and the Justice Department (DOJ) achieved court-ordered takedowns of the destructive botnets VPNFilter in 2018 and Cyclops Blink in April 2022.

In April 2021, DOJ undertook a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the U.S. running on-premises versions of Microsoft Exchange Server. That action was taken in response to attacks by a threat group known as HAFNIUM, believed to be operating on behalf of the Chinese government.

One of the first publicly acknowledged offensive cyber operations by U.S. Cyber Command against cybercriminals came last December, when the military organization’s leader, General Paul Nakasone, confirmed that his command had taken offensive action to disrupt criminal groups that launched ransomware attacks on U.S. companies. In June, Nakasone confirmed that the U.S. had also engaged in unspecified cyber operations in support of Ukraine.

No bright lines between offensive and defensive cyber

With offensive cyber operations now firmly part of the U.S. law enforcement toolkit, and increasingly the military’s, it’s no surprise that they were a big topic at this year’s Billington Cybersecurity Summit in Washington, DC. Experts and officials at the event advocated partnerships among government agencies and private sector organizations as critical components of successful offensive cyber operations, and underscored that offensive operations can help shore up defensive cyber activities.

“It’s really important the way that we’re organized, that we can take full advantage of both defensive aspects and everything that we learned from the defensive aspect and actually take that and pursue the adversaries offensively to disrupt their operations,” Holly Baroody, deputy to the commander, Cyber National Mission Force (CMF), an operational arm of Cyber Command, told the attendees.

CMF deploys defensive teams to foreign countries to hunt for foreign adversaries at the request of the partner nations. “We’re able to learn new information against foreign adversaries before they ever use it against the U.S.,” Baroody said. “We put in place inoculations before it’s ever used. And to me, that’s a way of showing we’re defending forward. We’re employing offensive to be able to feed our defense. We like to say that a good defense has a good offense.”

“Data can help us understand what [an] attack environment looks like so that we can leverage different authorities from law enforcement or defending forward from a military standpoint to go and deny that infrastructure from attackers,” said Brigadier General, USAF (ret.) Greg Touhill, now director of the CERT Division, Carnegie Mellon University Software Engineering Institute. “We can launch an offensive type of operation where we, in fact, put together a plan to identify actors using that infrastructure by tracing them back to the roots and then interdicting at the source.”

“I’m not going to call it offensive cyber operations,” Adam Hickey, deputy assistant attorney general, National Security Division, U.S. DOJ, said. “What we’re talking about here are traditional law enforcement techniques deployed in the cyber context. What we’re talking about is gathering information, trying to prevent crime, mitigate damage from crime.”

Hickey said that DOJ’s offensive operations are always the last resort option. “We tend to use them when merely sharing information with the private sector or publicly isn’t enough to help people clean up the malware on their computers. And we tend to use them when there’s a need for simultaneity, where if we try to knock on every door of every infected person, the adversary would simply learn what we were up to. They would retool, and we would lose the opportunity to protect public safety.”

“It’s been a cultural evolution for the FBI over the past two years about moving away from traditional rule of law decisions and into the space of proactive operations, putting pressure on the threat. We are working daily to come up with these disruption campaigns, but we also work extensively across the private sector because of the private sector’s unique access to data infrastructure,” said Bryan Vorndran, assistant director of the Cyber Division at the FBI.

Offensive cyber carries risk

Despite the successes that Cyber Command and U.S. law enforcement have scored in chasing and taking down adversaries in the digital world, offensive operations carry risks, especially when private parties consider conducting them. “One of the risks that I’m well aware of is the fact that there are some folks out there who would like to hack back,” Touhill said.

“But those of us who have been in the business for a while know that the tradecraft is you’re never going to launch an attack from your own box if you’re a criminal group or a nation-state actor. So, you run the risk of maybe crushing the servers that are supporting the Little Sisters of the Poor or whoever. And you don’t want to do that. I’m very concerned about continued conversations about hacking back because it could devolve rapidly into cyber vigilantism that could escalate to non-cyber confrontation.”