Hackers working on behalf of the Russian government have attacked a wide variety of American citizens and institutions. Targets have included the Democratic National Committee, the Republican National Committee, prominent Democratic and Republican officials, and university and academic research programs. These attacks started years back but have continued after the election. They have hit government sites, like the Pentagon’s email system, as well as private networks, like US banks. And they have widened to target our allies, such as in the run-up to the German election.
This is not the kind of cyber war imagined in the past, with power grids going down in fiery cyber Pearl Harbors. Instead, it is a competition more akin to the Cold War’s pre-digital battles that crossed influence operations with espionage. Now, just as then, there is a need for deterrence, both to defend the nation as well as keep an ongoing conflict from escalating into physical damage and destruction.
While Russian president Vladimir Putin has denied this campaign exists, the US intelligence community, FBI, and allied intelligence agencies have all identified these activities. What’s more, five different well-regarded cybersecurity firms (CrowdStrike, Fidelis Cybersecurity, Mandiant, ThreatConnect, and SecureWorks) have reported Russia’s role, which is notable, as such firms are competitors and have an incentive to debunk each other’s work. Russia’s cyber aggression is real, and it is spectacular that anyone would keep denying it.
While there is ongoing debate as to whether Trump has been compromised (or rather kompromat) by Russian compromise operations and investments, what is not debatable is that his position on this effort has been mystifying, to say the least. For months, Trump denied that the hacks had even occurred, then claimed they could have been anyone (such as his infamous “400-pound” hacker), and refused to acknowledge Russia’s efforts. In Trump’s press conference this week, he finally acknowledged Russia’s role, but yet again held back, not criticizing the attacks and not identifying a government response. Instead he blamed one of the victims, the DNC, and shrugged off that attack’s significance. (“As far as hacking, I think it was Russia. But I think we also get hacked by other countries and other people,” he said, asserting that the real problem was the DNC’s poor “hacking defense.”)
There are many threats in cyberspace, from criminals stealing personal information to governments (like China) that have broken into government databases. But no single threat has brought these acts together in the wide-ranging and brazen manner of Russia, targeting not just individuals and organizations, but the fabric of democracy itself. So what can be done to defend America in this realm? And what can be done in our strange new predicament, a conflict that must be fought not led by, but in spite of, the incoming commander-in-chief?
The Obama administration’s recent moves to sanction Russia for targeting US democracy were a good start, albeit too little and too late—criticism that the Republican congressional leadership was quick, and right, to make. A test of its sincerity will be whether Congress backs its words with action, by turning the sanctions into law and strengthening them further. This will make it harder for Trump to set them aside, as both his aides have noted and he hinted would be the case at his press conference. Instead, strengthened sanctions would show Putin that the party of Reagan and Eisenhower is still willing to stand up to Moscow, rather than shower it with praise.
Deterrence is not about punishment, though, but rather it seeks to find pressure points to influence future action. Here the overall weakness of the Russian economy (indeed, it is sad that the US is being bullied about by the world’s 13th largest economy), as well as its oligarchic structure, are choice leverage points. Targeting the financial assets of Putin and his allies, especially those held outside the country in real estate and tax shelters, would be one way to expand this effort. Outing these assets should also be the target of any covert cyber action. The Russian regime’s anger at the publication of the Panama Papers, showing where a small portion of its money was hidden around the world, reveals an area to exploit further. The same twin goal of outing and defanging networks should also be applied to the digital and financial infrastructure that has been used to conduct the attacks themselves.
Our strategy should be joined with an effort to build resilience, the ability to shrug off future attacks. This is also known as deterrence by denial, where, by making attacks less beneficial to the attacker, you make them less likely. Importantly, building up resilience has the added bonus of being useful against any attacker, not just Russia. The same improvements that would make it harder for Russia’s “Cozy Bear” and “Fancy Bear” (the industry terms for two of the primary Russian efforts) to operate successfully would also aid against high end threats like China’s or even low-level cybercriminals.
In 2015 the Obama administration identified a series of best practices that top companies use for their own cybersecurity, which could also be implemented by government and spread further across society. The administration also convened a bipartisan commission of experts, which just last month issued its own set of recommendations. Those include identifying high-value assets that need to be better protected, recruiting top talent, and accelerating the deployment of detection systems.
Ensuring that these steps are implemented could be one of the most important things the new Congress can do to limit the US’s vulnerabilities. And since these two tracks come from the lessons of the marketplace and a bipartisan commission of experts, the GOP should find them politically palatable. (This already existing pool of vetted ideas from actual experts also points to how there is no need to wait for the Trump team’s promises of various study groups, most recently one supposed to be led by former New York Mayor Rudy Giuliani, whose own security firm’s website has 41 publicly known vulnerabilities.)
The success of Russia’s attacks and interference in the 2016 election are dangerous not just because of their impact, but also because of how they will serve as a guidepost to others in the future. Congress should redefine the institutions involved in our democracy as critical infrastructure, in order to provide higher levels of support from the federal government. Contrary to the approach so far, however, we must recognize that the critical infrastructure of elections is not just the voting machines, but also the wider ecosystem, including parties and campaigns. Much as banks compete, but still share threat information, our election systems and political organizations, including even both the RNC and DNC, should have had the structures to cooperate in this space. Indeed, the only thing that would have been necessary to stop the entire DNC hack was a better line of communication between the organization’s IT staff and the FBI agents who had been tracking the Russian hacking for years.
Our need for resilience extends beyond bits and bytes, though, to building up better political resistance to the influence operations that allows Russia to exploit its cyber attacks. We must continue to uphold our freedom of speech but also ensure that authoritarian leaders don’t take advantage of it. Congress should reconvene the Active Measures Working Group, an interagency effort during the Cold War that debunked the worst of Soviet misinformation. It should also work in cohesion with our NATO allies to help identify and counter Russia’s campaigns (many of which just pivoted from targeting US to European voters). This will also help in debunking the individuals and outlets who have chosen to become either willing partners or полезные дураки, “useful idiots,” for foreign government propaganda.
Other parts of society will also have to weigh their own roles, much as in the Cold War. Tech firms have too long looked away at the manipulation of their networks by extremist groups and now authoritarian governments. The activities by Russian troll factories and bot campaigns that accelerate false news and propaganda violate terms of service and should become a target of reform in social media.
So too does traditional media need to rethink how it rewards these campaigns. When hackers outed millions of people cheating on their spouses after the Ashley Madison breach, responsible journalists reported on the breach, but not the fruits of it. By contrast, they breathlessly reported the most minute and personal details in the latest Russian government attacks. The New York Times public editor even acknowledged last year that by acting this way, the paper had ended up functioning as a “a de facto instrument of Russian intelligence.” Will media continue to be so in the future?
Akin to the Cold War, we face a long-term challenge that has to be managed and mitigated. For as long as we use the Internet, adversaries like those in Putin’s Russia will seek to exploit it and us. The question now is our response. History will record that Donald Trump became president aided in some part by the most important and successful cyber attack to occur so far. Will history then also record that we did nothing about it?