Further Reflections on the Russian Hacking Indictment

In the wake of a bombshell indictment like the one returned on Friday, July 13th by Robert Mueller, the initial reaction is always a rush to respond. Accordingly, I gave my own first written thoughts in The Atlantic, and I joined my Lawfare colleagues in an evening podcast with my own “hot take” on the significance of the indictment, which alleged that Russian military intelligence officers of the GRU infiltrated the computer systems of American political campaigns. Quite naturally, our initial reactions focused on the political dimension of the indictment and what it portended for the Trump administration.

With the benefit of several days to read more deeply and think a bit more about what we have learned so far, I wanted to offer some additional thoughts about what the indictment tells us about the broader systemic vulnerability of American democracy, especially when combined with the earlier indictment against the Internet Research Agency.

For starters, it now seems clear that the Russian assault on the integrity of the American electoral system was a rather sophisticated three-pronged effort. One aspect of the three was a disinformation/information operation that involved exploitation of social media to sow discord and distract and disrupt public opinion, the latter of which, in essence, is the core allegation of the IRA indictment. Another aspect, at the core of the more recent GRU indictment, was a theft/exfiltration/exploitation operation that used rather unsophisticated methods (like spoofing) that are readily counteracted with better cyber hygiene. In the end, this aspect of the Russian campaign resembles nothing so much as the Watergate break-in—an effort to steal information from a campaign and use the internal deliberations to the detriment of those from whom it was stolen. The third prong of the campaign—barely hinted at in the GRU indictment—was a direct attack on the confidentiality, integrity, and availability of information inside the electoral infrastructure of the United States.

Second, beyond the descriptive, it is increasingly and depressingly clear how readily avoidable at least some of this damage was. For example, most experts agree that the GRU efforts to infiltrate the DNC and Clinton campaigns were fairly routine and could have been pretty easily countered by fairly normal responses. Yet, apparently, those responses were neither adopted nor considered. This tweet from @dotMudge, a well-regarded white-hat hacker, about his interactions with some of the campaigns is both instructive and saddening:

Third, although the release of internal campaign communications was a real issue that resonated (candidate Trump called out Wikileaks for its disclosures of Clinton-related material roughly 160 times in the last month of the campaign) the gravest damage may well have been more covert. According to paragraph 34 of the allegations, the intruders succeeded in stealing “test applications related to the DNC analytics,” which is to say the applications that the DNC used to analyze voting patterns, project turnout and, in the end, target electoral resources. Apparently, according to paragraph 44, they also stole some of the DNC’s online donor database and then shared some of this information, including the DNC’s model for voter turnout, with an individual who has been identified Roger Stone—who allegedly said it was “pretty standard.” If (as we might speculate) Stone (whom the indictment describes as “in regular contact” with the Trump campaign) shared those analytics and models with Trump’s campaign officials, it may be the case that Trump was contesting the election with the Democratic playbook in hand. This would be as if, say, the Philadelphia Eagles had the New England Patriots playbook for the game.

Fourth, the role of Wikileaks in the Russian campaign is seemingly one of active collaborator. There can be no doubt that Wikileaks is the unnamed “Organization 1” of the indictment. What is clear now, however—see paragraphs 47-49—is that Wikileaks actively solicited damaging information with the intent of harming the Clinton campaign and aiding Trump. The organization feared that the Democratic convention would solidify Hillary Clinton’s support among backers of Bernie Sanders: the indictment quotes Wikileaks as calculating that “we think Trump has only a 25% chance of winning against Hillary…so conflict between Bernie and Hillary is interesting.” And when Wikileaks did release the information provided, it chose not to disclose who the source of the information was—even though, by then, Guccifer 2.0 was widely suspected of being a Russian source. In the end, Wikileaks released 33 tranches of information with more than 500,000 documents. In light of this evidence, anyone who continues to take Wikileaks seriously as a source of information or as a journalism outlet is most unwise.

Fifth, buried in the indictment are allegations related to what I personally perceive to be the most significant vector of vulnerability—assaults on the actual infrastructure of the voting system. The indictment reveals (in paragraphs 71-76) the very first tentative efforts by the GRU in that regard, which include:

• The Russians penetrated a state board of election and stole the personal information of more than 500,000 registered voters. This is almost certainly an allegation related to a breach in Illinois, though officials there think the number is much closer to 75,000 than 500,000.
• The Russians penetrated the computer system of a vendor who sold voter registration equipment to the states. The Russians then turned around and used the access to the vendor to send spearfishing emails to many of the vendors clients, most notably those in Florida. Though not quite as explicitly as with Illinois, the facts alleged here match the known, reported breach of the election vender VR Systems, a company previously linked to Florida voting systems.
• And the Russians probed the systems of counties in Florida, Iowa and Georgia looking for vulnerabilities. It should be noted that the indictment says nothing about whether any were found. Nevertheless, there’s some irony to this allegation, particularly because the Georgia secretary of state (and current candidate for governor of that state) has previously insisted that Georgia was not the target of any Russian intrusions. Also of note: Georgia is also one of only five states that rely entirely on paperless voting.

In light of these nascent efforts, one has to wonder precisely what the House Republican caucus was thinking the other day when it voted to discontinue funding for election security assistance in the coming fiscal year.

In any event, the president is wont to say, and his administration is wont to repeat, that there is no evidence that any votes were changed or that any American was denied his or her right to vote through the actions of the Russians. Assuming that they mean none were changed “using cyber intrusive methods,” this is a true statement. But it is only true as far as it goes.

As a result of the twin Mueller indictments, we now have good reason to believe—or if you prefer a legal conclusion, probable cause to believe—that the Russians began preparatory efforts so that in some coming election cycle they would have the capability to manipulate voting data. In other words, the fact that this manipulation hasn’t happened yet isn’t proof that it won’t happen in the future.

We also have probable cause to believe that the Russians, with the connivance of Wikileaks, made significant efforts to influence American votes. And this occurred through the direct release of internal campaign conversations and through concerted influence operations campaigns on social media. As of now, there is absolutely no way for us to know whether and/or to what degree those efforts were effective. Nor is there any way of knowing which effort was the more effective, though for my money, I would bet on the Wikileaks/Guccifer 2.0/DCleaks having had greater effect than the Facebook campaign. But without a doubt, we can say that the efforts were made, and much as in the case of advertising dollars spent on brand recognition, we know that those making the effort thought they would have some effect.

Finally, we now have the first hints that there was more to the Russian campaign than an information operation married to an infrastructure assault. As noted earlier, buried in the most recent indictment is the suggestion that the Russian effort was also an intelligence collection operation directed at the Democratic party and that some of the intelligence collected was shared with at least one person associated with Donald Trump. This last piece is tentative at best and needs to be teased out further. However, it may well prove to be the most significant of the new data. We’ll certainly know more if and when Roger Stone is called to testify.