According to the Yahoo report, which is based on the testimonies of “former US officials with direct knowledge of the matter,” a secret rule change issued by US President Donald Trump in 2018 allowed the CIA to circumvent the previous vetting process for cyber operations.
Previously, proposed CIA cyber ops had to be rigorously vetted by the National Security Council, a process that might take months or even years. However, once Trump gave the CIA the authority to vet its own proposals, cyber operations went “from idea to approval in weeks,” one official told Yahoo News.
“Trump wanted to push decision-making to the lowest possible denominator,” another official said.
“Before, you would need years of signals and dozens of pages of intelligence to show that this thing is a de facto arm of the government,” a former official told Yahoo News. Now, “as long as you can show that it vaguely looks like the charity is working on behalf of that government, then you’re good.”
According to the official, the agency has used the authority given it by Trump to carry out more than a dozen operations that were on its “wish list.”
“This has been a combination of destructive things - stuff is on fire and exploding - and also public dissemination of data: leaking or things that look like leaking,” they said. The operations were directed against Russia, the DPRK, China and especially Iran.
The rule change specifically gives very wide leeway for the CIA to target institutions that had previously largely been off-limits, ranging from infrastructure like electrical grids and petrochemical plants to hack-and-dump operations against banks, companies or government agencies. It also allows cyber ops against media entities, religious institutions, charities and other nongovernmental organizations, if even the flimsiest connection can be drawn to a government on Washington’s naughty list.
Some of these operations didn’t sit well with agents. One fumed to Yahoo that “our government is basically turning into f**king WikiLeaks, [using] secure communications on the dark web with dissidents, hacking and dumping.”
The order given by Trump was a type of secret document called a presidential finding or memorandum of notification. According to the CIA Library, Congress mandated such memoranda informing certain committees of the CIA’s activities after journalist Seymour Hersh revealed the “family jewels” operations in 1974, triggering a huge scandal and cries for more accountability and oversight for US intelligence operations.
The presidential finding in question is not the same document as National Security Presidential Memorandum 13 (NSPM-13), a September 2018 order announced by then-national security adviser John Bolton that eased rules on cyber ops by the Pentagon. However, the rules of engagement remained secret, with the House Armed Services Committee only winning the fight to see the memorandum in March of this year - and the CIA rule changes remained totally unknown.
“I would say that in 8, 9, 10 years under the old decision process, I can count on less than two fingers the number of operations conducted,” an anonymous senior Department of Defense official told reporters in April 2019, Fifth Domain reported. “In this time since mid-August  when the new process went into place, we’ve conducted many more” operations.”
In Bolton’s recently published memoir, he recalls the initiative behind the rule change, noting the Trump administration “needed to scrap the Obama-era rules and replace them with a more agile, expeditious decision-making structure,” adding this involved expanding the US’ “clandestine capabilities” in cyber operations directed against “nonstate actors,” Yahoo News reported.
However, according to Yahoo, the memorandum specifically takes aim at Iran and plays into the administration’s “maximum pressure” campaign begun in 2018 with the repudiation of the 2015 Iran nuclear deal and the reimposition of sanctions against Tehran.
“It was obvious that destabilization was the plan on Iran,” a former official told Yahoo News. Another noted that Bolton “wanted another tool, he wanted another hammer. He was looking at Stuxnet and how to be mean to Iran, so that was probably attractive to him.”
Two examples mentioned by Yahoo News but not confirmed to have been CIA operations were the March 2019 dumping of the names, addresses, phone numbers and photos of Iranian intelligence officers allegedly involved in hacking operations, as well as their hacking tools, and the November 2019 leaking of the details for 15 million debit cards of customers of three banks supposedly linked to Iran’s Islamic Revolutionary Guard Corps.