“That’s not fun and not a good standard,” says Schneider. She says much of the U.S. government’s slow approach to cyberattacks stems from its concern to ensure it doesn’t inadvertently hit civilians, violate international law or cause a dangerous backlash.
Still, Schneider concedes that Caceres and Angus have a point: the US could use its cyber forces more, and some of the explanations for why this doesn’t amount to bureaucracy. “There are good reasons, and there are also bad reasons,” says Schneider. “For example, we have complicated organizational politics, we don’t know how to do things differently, we are bad at using this kind of talent, we have been doing it this way for fifty years and it worked well in dropping bombs. .”
American offensive hacking has likely become less aggressive and less agile over the past five years, Schneider points out. For example, as of 2018, General Paul Nakasone, then head of Cyber Command, advocated a “defend forward” strategy that focused on bringing cyber conflict into the enemy’s network rather than waiting for it to occur on U.S. soil. During those years, Cyber Command launched disruptive hacking operations intended to cripple the Internet Research Agency’s Russian troll farm and take down the infrastructure of the Trickbot ransomware group, which some at the time feared could be used to exploit meddling in the 2020 election. Since then, however, Cyber Command and other U.S. military hackers appear to have been relatively quiet, often leaving the response to foreign hackers to law enforcement agencies like the FBI, which face many more legal constraints.
Caceres isn’t entirely wrong to criticize this more conservative stance, says Jason Healey, who until February was a senior cybersecurity strategist at the U.S. Cybersecurity and Infrastructure Security Agency. He responds to Caceres’ cyberhawk arguments by citing the Subversive Trilemma, an idea laid out in a 2021 paper by researcher Lennart Maschmeyer: Hacking operations must choose between intensity, speed and control. Even in earlier, more aggressive years, U.S. Cyber Command tended to turn up the dial, Healey says, and prioritize those other variables. But he notes that there may in fact be certain targets — such as ransomware gangs or hackers working for Russia’s GRU military intelligence agency — that could justify resetting those buttons. “For those targets,” Healey says, “you can really set the dogs free.”
P4x is dead, Viva P4x
As for Caceres himself, he says he’s not against US hacking agencies taking a conservative approach to limiting their damage or protecting citizens – as long as they take action. “You’re a conservative,” he says, “and you still have some work to do.”
Arguing that more aggressive cyber attacks would lead to escalation and counterattacks from foreign hackers, Caceres points to the attacks these foreign hackers are already carrying out. For example, ransomware group AlphV’s catastrophic attack on Change Healthcare in February crippled the medical claims platforms of hundreds of healthcare providers and hospitals, with consequences that could be as disruptive to citizens as any cyberattack can be. “That escalation is already underway,” says Caceres. “We don’t do anything and they are still escalating.”
Caceres says he hasn’t completely given up on convincing anyone in the U.S. government to follow his more “roll up his sleeves” approach. Throwing away the P4x handle and revealing his real name is, in a sense, his last-ditch effort to get the attention of the US government and restart the conversation.
But he also says he won’t wait for Pentagon approval before pursuing that approach on his own. “If I go through this alone, or with just a few people I trust, I can move forward much faster,” he says. “I can screw it up for the people who deserve it, and I don’t have to report to anyone.”
In other words, the P4x handle may be dead. But the P4x doctrine of cyber warfare lives on.