Cybersecurity

Avoiding the Dangers Ahead in Review of Foreign Interference in U.S. Presidential Elections

By Matt Tait
Wednesday, December 21, 2016, 12:57 PM

Last Wednesday, after increasing public and political pressure to declassify more information about Russian interference in the 2016 election, the Office of the Director of National Intelligence announced that it was now conducting a formal review into foreign interference in U.S. presidential elections at the request of the President. This is the ODNI statement it in its entirety:

Senior Administration Officials have regularly provided extensive, detailed classified and unclassified briefings to members and staff from both parties on Capitol Hill since this past summer and have continued to do so after Election Day.

Last week, the President ordered a full Intelligence Community review of foreign efforts to influence recent Presidential elections – from 2008 to present. Once the review is complete in the coming weeks, the Intelligence Community stands ready to brief Congress—and will make those findings available to the public consistent with protecting intelligence sources and methods. We will not offer any comment until the review is complete.

The Intelligence Community releasing more information about foreign interference in presidential elections is a commendable step. And it is particularly positive that the review will not be limited the most recent election—essentially an expanded discussion of Russian hacking in 2016—but instead will cover all forms of interference by foreign governments in the past three presidential elections.

This expanded focus is positive because distinguishing between normal foreign espionage during a campaign and abnormal interference is a prerequisite to deterring foreign covert intervention in future elections. If this report differentiates between the digital theft of emails from the DNC—which is unwelcome but nevertheless ordinary espionage—versus the “active measures” of releasing those emails to influence election coverage, or collaterally leaking the phone numbers and addresses of members of Congress and their staff, then the report will be an important step towards reestablishing the norm that foreign governments will not be permitted to mess with democratic elections unchallenged.

But we should be cautious. There are dangers and traps ahead; not just in terms of the information included in the report and how it will be used, but also in how we choose to respond once the report is published. After all, a report on the reasons for responding is not a substitute for an actual response. And following the publication of the report, we should be careful before rushing into escalatory or ineffective responses, such as, responding via covert means in cyberspace.

My first worry is that this report will inevitably be used by Donald Trump’s opponents as a means to publicly prove him wrong, or to delegitimize his election. To a large degree, this can’t be avoided, the media does and will view Russian interference through a partisan lens. But the IC should be extremely cautious to not pour additional gasoline on this fire. It might be satisfying to see the President-elect publicly proved wrong, especially following his repeated attacks against the intelligence community and his outright rejection of their unanimous assessments. But doing so will not serve the interests of the United States. When Mr. Trump becomes President next month, it will be the men and women who serve in harm’s way under him who ultimately pay the price if he rightly or wrongly comes to view his intelligence agencies as tainted by personal or partisan agendas.

My second concern is the number of people who expect—or are actively calling for—the IC to declassify their specific evidence of Russian interference. These requests are, for the most part, done with noble intentions. But the old “Prove It” trap always sounds like a good idea in the moment, but ends with sources blown and detractors no more convinced.

There is already an enormous amount of evidence in the public domain that Russia hacked the DNC; vastly more than is typical for attribution of a hack. In addition, the intelligence community has already released an official statement of their conclusions and that statement is as strongly worded as intelligence assessments come.

Embellishing this body of public evidence with classified sources is not only dangerous, it is pointless. Those who remain unconvinced by the existing public evidence today will be equally unconvinced by secret evidence tomorrow. Those who do not trust the Intelligence Community’s conclusions on October 7th, will find even disclosure of sources and methods equally unpersuasive.

The Obama administration must be careful, amidst the clamor to release classified evidence, to keep their eye on the end goal. The ultimate aim here is to deter foreign interference, not to persuade the public that IC assessments are correct. What matters is if and how the administration responds. Investigations, commissions, and reports are meant to support a concrete response, not to serve as a distraction from the lack of response.

And it is important to keep in mind that intelligence capabilities are not cheap; and counterintelligence capability against hard targets like foreign intelligence services is the most costly of all. Maintaining this kind of capability against a sophisticated adversary is measured not only in dollars and decades, but also in stars chiseled in marble and flag-draped coffins. Those who know how fragile and costly counterintelligence capability is, tend to be far more cautious in asking that it be sacrificed for unclear benefits.

And the inevitable question following the IC’s report will be what form the U.S. response should take. Here again, we must be careful. It is tempting to respond to Russian covert action in cyberspace with American covert action in cyberspace. But this would be a mistake.

Covert action is, in general, a bad tool for establishing or enforcing norms. It runs the risk that adversaries misunderstand the scale or attribution of actions against them, and this can go wrong in both directions. Adversaries can misattribute our attacks to someone else, leading them to conclude we didn’t respond, and their action was free. This is especially true in domains where we have more than a single adversary, or have allies who are also under attack. Covert responses are by definition conducted secretly. Therefore, the do not deter adversaries who don’t see our response, they don’t reassure allies that we robustly defended the norm when violated either.

Covert action can also lead to adversaries becoming more paranoid and accidentally misattributing attacks to us that were instigated by someone else, leading to unintended escalation. By way of example, consider the attack by the owners of the Mirai botnet against the U.S. internet infrastructure company Dyn a few months ago. At the time, the media was reporting that the United States and Russia were involved in covert action against each other in cyberspace, and so when the East Coast suddenly suffered massive network outages, some commentators questioned if this was an attack by the Russian government against the United States. It turned out to be an entirely unrelated attack, but a rapid response there could easily have ended up in a dangerous and unnecessary escalation. Because covert actions are prone to misinterpretation and escalation, while they certainly have a place in the President’s toolbox, they are a poor substitute for overt responses when attempting to enforce or establish international norms.

Responding via overt action in cyberspace would also likely be a mistake. To be sure, the NSA’s ability to penetrate foreign networks for espionage purposes is unparalleled, and a nation that ever finds itself at war with the United States will find CYBERCOM a fierce and capable enemy. But the U.S.’ ability to use its NSA-obtained accesses to political advantage is very much tilted against the United States. The President himself made this point in his end-of-year news conference on Friday:

We do have some special challenges because oftentimes, our economy is more digitalized. It is more vulnerable partly because we're a wealthier nation and we're more wired than some of these other countries and we have a more open society and engage in less control and censorship over what happens over the internet, which is also part of what makes us special.

The President is right. If the U.S. is to deter foreign interference in elections, it must do so by exerting pressure in domains where it has an asymmetric advantage. The options are clearly fewer now than were available this summer, but there is still an array of options in other domains available to the President.

The U.S. could still, for example, add additional senior Russian officials to sanctions lists. It could indict the GRU officials responsible for the hacking or dissemination of the DNC documents. The U.S. could much more publicly expose and disrupt foreign “active measures” campaigns currently underway in European elections. It could extend military training to Ukrainian soldiers; share more intelligence on Russian military abuses in Syria; provide more non-lethal aid and equipment to regions where Russia is militarily active. Any one of these options would be more effective at deterring future attacks on U.S. elections than a covert retaliation in a domain where we are at an asymmetric disadvantage.

The current administration talks a lot about setting “norms in cyberspace,” and it has only a few weeks left to turn these words into action. Norms are not created by sitting around tables and nodding in agreement that there should be norms. Establishing and defending norms requires clearly specifying what specific behaviors the norm forbids, committing to not do those things ourselves, and consistently enforcing it via the imposition of visible costs against those who violate it. Those three features are the difference between actual norms and mere wishful thinking.