
Yet More Thoughts on the DNC Hack: Attribution and Precedent

By Jack Goldsmith
Wednesday, July 27, 2016, 9:21 AM

David Sanger and Eric Schmitt report this morning that American intelligence officials “now have ‘high confidence’ that the Russian government was behind the theft of emails and documents from the Democratic National Committee.”  They add that “intelligence officials have cautioned that they are uncertain whether the electronic break-in at the committee’s computer systems was intended as fairly routine cyberespionage — of the kind the United States also conducts around the world — or as part of an effort to manipulate the 2016 presidential election.”

Some reactions:

First, note the attribution problems that remain even if the digital fingerprints point to Russian intelligence services.  Sanger and Schmitt say that “[i]t is unclear how the documents made their way to the group,” though some evidence points to Russia.  But more importantly, many steps remain before the deed can be convincingly laid at the doorstep of the FSB or GRU.  Sanger and Schmitt are reporting the conclusions of anonymous USG officials.  As I said of the Sony Hack, “Even if the attribution problem is solved in the basement of Ft. Meade and in other dark places in the government, that does not mean the attribution problem is solved as far as public justification – and defense of legality – is concerned.”  The Russians have adamantly denied any involvement in the hack.  If the United States wants to take public action against Russia in response to the hack—and indeed, even if it wants (as the NYT puts it) “to publicly accuse the government of President Vladimir V. Putin of engineering the hacking”—it needs to make a credible public case of attribution.  Private third-party services can help here.  But usually in these cases, attribution by the United States government rests on combinations of human and electronic intelligence that implicate “sources and methods,” the details of which the United States government is understandably very leery to divulge.  It may be very hard to present a clinching public case of attribution in this context.

Second, assuming full attribution, what exactly is untoward in the Russian action?  Sanger and Schmitt say: “But intelligence officials have cautioned that they are uncertain whether the electronic break-in at the committee’s computer systems was intended as fairly routine cyberespionage — of the kind the United States also conducts around the world — or as part of an effort to manipulate the 2016 presidential election.”  Yes, the act of Russian cybertheft, taken alone, is not at all unusual.  It violates U.S. domestic law, but the U.S. (and every country) often violate foreign domestic law when they engage in cyber-snooping abroad.  (Some claim this practice violates international law, but if so (I doubt it) that just shows how utterly inconsequential international law is in this context.)  Some have claimed the hack is different than what the United States does because the DNC is not a state actor.  I’ve no idea if that is technically true, but the DNC is clearly very close to the State, especially in the context of choosing a president.  And more importantly, routine State-sponsored cyberespionage is not limited to State-actor targets.  It often extends to private actors or in-between organizations.  (The recent soft agreement about IP theft is limited to the narrow context of stealing commercial data “with the intent of providing competitive advantages to companies or commercial sectors.”)

Sanger and Schmitt (and others) imply that what may be different here is the Russian intent to manipulate the national election.  That will be hard to prove, of course, but why does it matter?  Nations routinely try to influence foreign elections.  President Obama weighed in on the Brexit vote in an attempt to influence it.  And governments, including the United States, have often used covert means for the same end.  In now-public covert actions in the past, the United States secretly provided favored political parties with financial support and training in campaign techniques.  It also engaged in what the as “information programs” to negate communist political influence in Western Europe.  These information programs, which lasted from the 1940s through at least the 1960s, included the covert establishment of “counterfront” organizations as alternatives to communist-inspired groups.  There is no reason to think U.S. covert actions to influence elections or political outcomes stopped in the 1970s.  (Indeed, influencing political outcomes is a core aim of covert action.)  The U.S. covertly provided Poland’s Solidarity movement with “” after Poland declared martial law.  And the Bush administration approved (then aborted) a covert action to influence Iraq elections in late 2004.

Nor is a State’s publication of information with an intent to influence public opinion or an election new.  Again, this is core covert action stuff.  “One of the more direct ways of attempting to influence a society is by disseminating opinions, information, or misinformation through the available media—that is, by propaganda (as it is pejoratively called),” note Shulsky and Schmitt in their invaluable book, .  Governments often “put certain opinions or facts into circulation in a manner that does not make their origin apparent,” they add.  “This may be accomplished either by planting them in news media it does not own or control, or by means of media that appear to the public to be independent but that are in fact controlled by the government.”  Shulsky and Schmitt offer the famous example of the publication, in the United States and abroad, of “a CIA-supplied copy of Khrushchev's 1956 ‘secret speech’ attacking Stalin's ‘cult of personality.’”  They also note that governments frequently put in circulation forged documents “to influence a target audience's perceptions so it will take desired actions.”  And yet, they insist, “a totally true message” can be devastatingly effective.  “The most effective part of the Khrushchev secret speech (in the sense of reducing communism's prestige in Western and Eastern Europe) consisted of the revelations concerning Stalin's crimes and of the ‘cult of personality.’”  (Shulsky and Schmitt note the debate whether part of the speech was forged, a detail not relevant here.)

These examples are all old ones, since it usually takes time for covert actions to become public.  But I have no reason to think that any of these basic techniques have been discontinued, and every reason to think they are still-available intelligence/covert action tactics.

All of which underscores the question of what is new or untoward about the Russian DNC hack.  Foreign cyber-espionage of political parties is not new.  Covert actions to influence elections—including by covert publication of stolen but true information—are not new.

And yet the DNC hack seems different.  It seems different because it involves new mechanisms and scale—cybertheft and publication of massive amounts of potentially consequential information.  It seems different because it involves manipulation of an American election.  (This is the first election I can think of involving a publicly known, large-scale, consequential information operation against a U.S. presidential candidate by a foreign adversary.  It is not fun to be on the receiving end of such an operation.)  And it seems different because of the suggestion that a presidential candidate of one U.S. party might be working with—or at least supportive of—a major foreign adversary’s efforts to covertly damage the rival presidential candidate.  
