December 29, 2016

Obama used a cybersecurity link for the first time to warn Russia

(Updated: January 7, 2017)

Shortly before the recent US presidential election, a dedicated cybersecurity hotline with Moscow was used by president Obama to warn the Russian government not to interfere with the election process through hacking operations.

Press reports compared the cybersecurity with the "Red Phone", which many people believe is used on the Hotline between Washington and Moscow. That's not true, and also Obama's message seems not to have been transmitted by phone, but through an e-mail channel which is maintained by the Nuclear Risk Reduction Center (NRRC).

The Nuclear Risk Reduction Center (NRRC) at the US State Department,
which also maintains the cybersecurity communications link
between US and Russian Computer Emergency Readiness Teams
(screenshot from a State Department video)

Obama's message

The fact that on October 31, US president Obama sent the Russians a direct message through the cyber channel was first reported on December 16. Three days later, NBC News came with some details about the content of the message. According to anonymous officials, it included phrases like "International law, including the law for armed conflict, applies to actions in cyberspace" and that the US "will hold Russia to those standards."

However, another senior intelligence official told NBC that the message was "muddled" because there was no bright line laid down and no clear warning given about the consequences. According to the official, the Russian response was non-committal. It's worrying that these government officials are leaking the content of the message, thereby undermining the necessary confidentiality of such an important hotline.

Obama's warning message was not about the hacking of the Democratic National Committee (DNC) or of it's chairman John Podesta, which director of national intelligence James Clapper had previously said was conducted with the knowledge of the Russian leadership. Instead, the warning reportedly only referred to the concerns about hacking around the election process itself.


On December 29, 2016, the White House announced actions "in response to the Russian government’s aggressive harassment of U.S. officials and cyber operations aimed at our election." As most visible action, 35 Russian intelligence operatives under diplomatic cover were expelled and two Russian compounds were closed, but although that seemed to be a response to the Russian hacking operations, it was actually a retaliation for the harassment of US diplomats over the past 2 years.
Regarding Russian hacking, only several GRU officials, two Russian hackers and a few Russian companies were named. Also some technical information was published in a Joint Analysis Report (JAR) by the FBI and the US-CERT, to identify Russian cyber attacks, but experts considered this information inconsistent and hardly useful.

US president Obama and Russian president Putin during
the G-8 summit in Northern Ireland in June 2013
(photo: Kevin Lamarque/Reuters - click to enlarge)

The cybersecurity link

On June 17, 2013, shortly after the start of the Snowden-revelations, the White House announced that during the G-8 summit in Northern Ireland, Russia and the United States had agreed upon several confidence-building measures (CBMs) to reduce the mutual danger from cyber threats. This includes the regular exchange of technical information about malware and other kinds of risks to critical systems, which appear to originate from each other’s territory and/or could be misperceived as an attack.

Such information is exchanged between the US Computer Emergency Readiness Team (US-CERT), which is part of the National Cybersecurity and Communications Integration Center (NCCIC) of the Department of Homeland Security (DHS), and its Russian counterpart. To provide secure and reliable communication lines for the formal inquiries about cybersecurity incidents, this task was delegated to the Nuclear Risk Reduction Center (NRRC - see below).

Secure voice line

Besides the information channel via the NRRC, the White House and the Kremlin also agreed to set up a direct secure voice communications line between the US Cybersecurity Coordinator at the White House and the Deputy Secretary of the Security Council of Russia, in case there should be a need to directly manage a crisis situation arising from a cybersecurity incident.

The announcement said that this direct voice line "will be seamlessly integrated into the existing Direct Secure Communication System ("hotline") that both governments already maintain" - which indicates that this line runs over the same redundant and secure satellite link as the Direct Communications Link (DCL, which is the official name of the Hotline) and the Direct Voice Link (DVL) between both heads of state.

We have no information about how this direct cybersecurity voice line is secured, but earlier, similar high-level bilateral telephone links consisted of Secure Telephone Equipment (STE), provided by the US.


As the press reports say that Obama's message was sent via the NRRC, we have to assume that it was in the form of an e-mail, and not a call through the secure voice channel. It was also reported that "the Obama administration had never used the cyber line before", but it's not really clear whether that means that the president never sent a message this way, or that the system was never used in any way.

The latter would mean that since 2013 no information about suspicious network intrusions has been exchanged between Russia en the US. The secure voice line for cybersecurity incidents has then probably also never been used - this kind of high-level direct phone lines seem rarely used in general.

Watch center of the National Cybersecurity and Communications Integration Center (NCCIC),
which includes the US-CERT. On the right there's an STE secure telephone.
(photo: Saul Loeb/AFP/Getty Images - click to enlarge)


The Nuclear Risk Reduction Center

The relay of cybersecurity messages is now one of the tasks of the Nuclear Risk Reduction Center (NRRC), which is located in the US Department of State (DoS). Its Russian equivalent is part of the Russian Ministry of Defence. The Cyber Security Protocol agreed upon in 2013 is the latest of 14 arms control treaties and agreements for which the NRRC exchanges information with more than 55 foreign governments and international organizations.

The NRRC consists of a watch center that operates 24 hours a day, 365 days a year and is staffed by Department of State Foreign Service officers, civil servants, and technical support personnel. They provide and receive inspection notifications, exchanges of data regarding strategic offensive arms, prior notifications of major exercises or unit restructurings, and other treaty-required communications.

The NRRCs were established by an agreement between the United States and the former Soviet Union from September 15, 1987 in order to build confidence through information exchange about their nuclear arsenals. The centers became operational on April 1, 1988. After the split-up of the Soviet Union in 1991 this secure data link, officially called Government-to-Government Communication Link (GGCL), was extended to Ukraine, Belarus and Kazakhstan.

Initially, these communication links consisted of facsimile devices, with (one-time pad) encryption conducted by personal computers and the random keys provided on 5¼ inch floppy disks, just like on the Washington-Moscow Hotline. As of late 1995, the NRRC communications shifted to encrypted e-mail with an additional chat channel for coordination purposes.

State Department video about the Nuclear Risk Reduction Center (2012)
(click to play)


Red Phone versus Hotline

It may be more than clear now that Obama's warning message had nothing to do with a "Red Phone", but it should be mentioned that the White House and the military did use red phones, although not for international, but for internal communications between the president and the military command centers. This was achieved through a secure military telephone network: the Defense Red Switch Network (DRSN).

Through popular culture, the image of a red telephone became projected to the direct communications link between Washington and Moscow, but this is false: the Hotline was never a phone line, as it was set up in 1963 as a teletype connection, which in 1988 was replaced by facsimile units. Since 2008 the Hotline is a highly secure computer link over which messages are exchanged by e-mail.

What the Hotline terminal at the Pentagon looks like nowadays can be seen in the following picture, which was released on the occasion of the 50th anniversary of this communications link in 2013:

The Washington-Moscow Hotline terminal room at the Pentagon (2013)
(photo: - click to enlarge)

Other options?

Besides the cybersecurity channels, the NRRC and the Hotline, the US government has two additional channels for direct communications with the Kremlin: the Foreign Affairs Link (FAL) between the State Department and the Russian foreign ministry, and the Defense Telephone Link (DTL) between de defense ministries of both countries. Both are secure phone lines, which also exist with a range of other countries.

This means that president Obama had several other options for transmitting his warning to Russia. It seems the NRRC cybersecurity channel was chosen because it was about the threat of cyber attacks, but still, such a warning message seems not what that channel is meant for, which is the exchange of technical information about actual intrusions that could be misinterpreted as a deliberate attack.

Therefore, the Foreign Affairs Link (FAL) would probably have been more appropriate: US secretary of state John Kerry could have called his Russian counterpart to issue the warning. But generally, for important messages in which every word counts, written communications are preferred, so that left only the NRRC or the Hotline.

Using the Hotline was probably considered too dramatic, and therefore the remaining option was the cybersecurity channel maintained by the NRRC.

Links and sources

- The Washington Post: Obama’s secret struggle to punish Russia for Putin’s election assault (2017)
- New York Times: Obama Administration Rushed to Preserve Intelligence of Russian Election Hacking (2017)
- NextGov: Obama's cyber legacy: He did (almost) everything right and it still turned out wrong (2017)
- The Washington Post: Obama administration is close to announcing measures to punish Russia for election interference (2016)
- EmptyWheel: Now the spooks are laking criticism of Obama's sole use of the "Red Phone" (2016)
- NBC News: What Obama Said to Putin on the Red Phone About the Election Hack (2016)
- The New York Times: White House Confirms Pre-Election Warning to Russia Over Hacking
- The White House: U.S.-Russian Cooperation on Information and Communications Technology Security (2013)


Anonymous said...

they use shelves instead of tables ?? the last picture looks very uncomfortable. Perhaps they need someone to donate them table and LCDs arm? ..

Leak Launch said...


Robert Welain said...

If you guys are concerned about cybersecurity, you'd better visit this blog and contribute some articles to the,

Anonymous said...

Almost 3AM in Louisville KY and now almost bedtime. I started a google search after seeing a message about the 5 levels of top secretness so I clicked on the poster's source and saw it's so I clicked on the link then began reading entries and was surprised to see all the info on codewords and wondered how anyone can remember so much information.

I once thought it would be cool to join the FBI but when I saw a NETFLIX show about the FBI and how vigorous their "bootcamp" discipline is, especially having to do every routine and remember everything they are taught about the routine. One slipup and they aren't expelled but they have to take a class to help them understand the relevance of the drill.

Now is when I usually stop and go to bed after first deleting everything I wrote because nobody wants to read it. I bet a lot of classic authors like Dose-toy-eF-ski do it and anyhow when they see all the poo they wrote they probably delete all of it before bedtime. But I won't. I wish I had something intellient to say now but I don't.

Goodnight y'all!! :)
July 6,, 2020

Anonymous said...

What a bunch of horsecrap. This is how they (the dumbass US GOV) muddle things and say "look - evidence of russia/trump collusion".

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties