Cybersecurity & Tech Democracy & Elections

How the U.S. Has Failed to Protect the 2018 Election—and Four Ways to Protect 2020

Alex Stamos
Wednesday, August 22, 2018, 4:04 PM

In the swirl of news this week, it would be easy to miss recent announcements from two of America's largest and most influential technology companies that have implications for our democracy as a whole. First, on Tuesday morning, Microsoft revealed that it had detected continued attempts at spear-phishing by APT 28/Fancy Bear, the hacking group tied to Russia’s Main Intelligence Directorate (known as the GRU).

Flickr/Andrew Malone

Published by The Lawfare Institute
in Cooperation With

In the swirl of news this week, it would be easy to miss recent announcements from two of America's largest and most influential technology companies that have implications for our democracy as a whole. First, on Tuesday morning, Microsoft revealed that it had detected continued attempts at spear-phishing by APT 28/Fancy Bear, the hacking group tied to Russia’s Main Intelligence Directorate (known as the GRU). Later that day, my friends and former colleagues at Facebook unveiled details on more than 600 accounts that were being used by Russian and Iranian groups to distort the information environment worldwide.

The revelations are evidence that Russia has not been deterred and that Iran is following in its footsteps. This underlines a sobering reality: America’s adversaries believe that it is still both safe and effective to attack U.S. democracy using American technologies and the freedoms we cherish.

And why wouldn’t they believe that? In some ways, the United States has broadcast to the world that it doesn’t take these issues seriously and that any perpetrators of information warfare against the West will get, at most, a slap on the wrist. While this failure has left the U.S. unprepared to protect the 2018 elections, there is still a chance to defend American democracy in 2020.

From 2014 until very recently, I worked on security and safety at Yahoo and then at Facebook, both companies on the front line of Russia’s information and cyber-warfare campaign. From that vantage point, the facts are indisputable: There was a multiyear effort by a coalition of Russian agents to harm the likely presidency of Hillary Rodham Clinton and sow deep division in America’s political discourse. The uniformed officers of the GRU and the jeans-wearing millennial trolls of the private Internet Research Agency turned American technology, media and this country’s culture of discourse back against the United States. Stymied by a lack of shared understanding of what happened, the government’s sclerotic response has left the United States profoundly vulnerable to future attacks. As a security leader in my former role at Facebook, my personal responsibility for the failures of 2016 continues to weigh on me, and I hope that I can help elucidate and amplify some hard-learned lessons so that the same mistakes will not be made again and again.

The fundamental flaws in the collective American reaction date to summer 2016, when much of the information being reported today was in the hands of the executive branch. Well before Americans went to the polls, U.S. law enforcement was in possession of forensics from the hacks against the Democratic National Committee; important metadata from the GRU’s spear-phishing of John Podesta and other high-profile individuals; and proactive reports from technology companies. Following an acrimonious debate inside the White House, as reported by the New York Times’s David Sanger, President Obama rejected several retaliatory measures in response to Russian interference—and U.S. intelligence agencies did not emerge with a full-throated description of Russia’s meddling until after the election.

If the weak response of the Obama White House indicated to America’s adversaries that the U.S. government would not respond forcefully, then the subsequent actions of House Republicans and President Trump have signaled that our adversaries can expect powerful elected officials to help a hostile foreign power cover up attacks against their domestic opposition. The bizarre behavior of the chairman of the House Permanent Select Committee on Intelligence, Rep. Devin Nunes, has destroyed that body’s ability to come to any credible consensus, and the relative comity of the Senate Select Committee on Intelligence has not yet produced the detailed analysis and recommendations our country needs. Although by now Americans are likely inured to chronic gridlock in Congress, they should be alarmed and unmoored that their elected representatives have passed no legislation to address the fundamental issues exposed in 2016.

Republican efforts to downplay Russia’s role constitute a dangerous gamble: It is highly unlikely that future election meddling will continue to have such an unbalanced and positive impact for the GOP. The Russians are currently the United States’ most visible information-warfare adversaries, but they are not alone. Their proven playbook is now “in the wild” for anyone to use. Recent history has shown that once a large, powerful nation-state actor demonstrates the effectiveness of a technique, many other groups rush to build cheaper, often more nimble versions of the same capability.

The GRU attacks relied upon well-known social engineering and network intrusion techniques. Likewise, the Internet Research Agency’s trolling campaign required only basic proficiency in English, knowledge of the U.S. political scene available to any consumer of partisan blogs, and the tenacity to exploit the social media platforms’ complicated content policies and natural desire to not censor political speech. After Facebook’s announcement on Tuesday, it is clear that Iran has also followed this playbook. There are many other U.S. adversaries with well-developed cyber-warfare capabilities, such as China or North Korea, that could decide to push candidates and positions amenable to them—including those supported by Democrats and opposed by Republicans. There are also domestic groups that could utilize the same techniques, as many kinds of manipulation might not be illegal if deployed by Americans, and friendly countries might not sit idly by as their adversaries work to choose an amenable U.S. government.

In short, if the United States continues down this path, it risks allowing its elections to become the World Cup of information warfare, in which U.S. adversaries and allies battle to impose their various interests on the American electorate.

Enemies aiming to discredit American-style democracy, rather than promote a specific candidate, will not have to wait for election dynamics like those of 2016, when two historically unpopular nominees fought over a precariously balanced electoral map. Direct attacks against the U.S. election system itself—as opposed to influence operations aimed at voters—were clearly a consideration of U.S. adversaries: There are multiple reports of the widely diffuse U.S. election infrastructure being mapped out and experimentally exploited by Russian groups in 2016. While swinging a national vote in a system run by thousands of local authorities would be highly difficult, an adversary wouldn’t need to definitively change votes to be successful in election meddling. Eliminating individuals from voting rolls, tampering with unofficial vote tallies or visibly modifying election web sites could introduce uncertainty and chaos without affecting the final vote. The combination of offensive cyber techniques with a disinformation campaign would enable a hostile nation or group to create an aura of confusion and illegitimacy around an election that could lead to half of the American populace forever considering that election to be stolen.

While it is much too late to effectively rehabilitate election security for the 2018 midterms, there are four straightforward steps the United States can take to prepare for potential attacks in 2020.

First, Congress needs to set legal standards that address online disinformation. Social media platforms, including my former employer, made serious mistakes in 2016. Tech companies were still using a definition of cyber-warfare focused on traditional hacking techniques—such as spear-phishing or the spreading of malware—and were not prepared to detect and mitigate the propaganda campaigns that were subsequently found and stopped.

Since 2016, many companies have changed their products to deal with misinformation, updated policies to catch inauthentic behavior and created new types of transparency around political ads. Yet it is important to note that companies have undertaken this work voluntarily and could reverse it in the future. And there is a significant gap between the actions of the most criticized companies and those that have flown under the radar: Unlike Facebook and Google, the rest of the massive online advertising industry has kept changes to a minimum.

The Honest Ads Act, introduced by Democratic Sen. Amy Klobuchar and supported by 30 bipartisan co-sponsors, is a good start to setting a legal baseline; however, it must be amended to provide for technical standardization of advertising archives and to set guidelines for the use of massive voter databases by campaigns and political parties. Since the Obama 2012 campaign demonstrated the power of online ad targeting, parties, campaigns and super PACs have finely honed their targeting techniques and regularly run ads specifically designed to influence dozens or hundreds of voters with customized messaging. Americans need to collectively decide how finely political influence campaigns should be allowed to divvy up the electorate, even when those campaigns are domestically run and otherwise completely legal. Congress could also encourage more cooperation between the tech platforms by expanding the protections it granted to share cybersecurity threats to include misinformation actors, as well as by giving legal encouragement to companies to engage academics in joint research projects.

Second, the United States must carefully reassess who in government is responsible for cybersecurity defense. The U.S. has two hyper-competent intelligence and military security organizations in the National Security Agency and U.S. Cyber Command, but both are most broadly focused on offensive operations and face legal restrictions on domestic U.S. operations. The Department of Homeland Security has consolidated a great deal of the defensive responsibilities across multiple sectors, but its cyber capabilities focus on critical infrastructure such as the power grid. This leaves the FBI as the de facto agency coordinating cyber defense in the United States. While the bureau has many skilled agents and technologists, it is at its core a law enforcement entity that focuses on investigating crimes after they occur, diligently building a case and, eventually, bringing the perpetrators to justice. Prevention certainly has become a bigger focus for the FBI—especially in the terrorism context since 9/11—but the special counsel’s recent indictments for two-year-old Russia actions demonstrate that the general timeline of FBI action does not comport well with preventing attacks in the first place.

The United States should consider following its closest allies in creating an independent, defense-only cybersecurity agency with no intelligence, military or law enforcement responsibility. In the run-up to the most recent French and German elections, the respective cybersecurity agencies of these countries had access to intelligence on likely adversaries, the legal authority to coordinate election protection and the technical chops to work directly with technology platforms. These organizations were independent enough to work directly with the relevant political campaigns, and their uncompromised mandates made them effective partners for multinational tech companies.

Third, each of the 50 states must build capabilities on election protection. While the Constitution gives Congress the ability to regulate elections, traditionally states have jealously guarded this area and eyed federal aid with great suspicion. For states’ autonomy to thrive, it is critical for every state to follow the lead of Colorado and a handful of others in building competent statewide election security teams that set strong standards for verifiable voting, perform security testing of local systems, and provide a rapid-reaction function in case of an attempted attack. The federal government could support the growth of these statewide functions with funding, intelligence and training, and by finding ways to harness the capabilities of private IT workers.

In the long run, it will be impossible to completely prevent any interference in elections. Any system as complicated as one supporting the franchise of more than 200 million registered voters will have serious vulnerabilities. Individual candidates and campaign workers will succumb to professional attacks. And open societies are inherently vulnerable to external influence. This is particularly true in the United States, where the government doesn’t license the official press, empower officials to declare certain topics verboten, jail journalists for reporting on leaked documents, arrest bloggers for questioning the government, or require state IDs to create online accounts. In 2016, the most effective Russian propaganda was that which was carried in the pages of the New York Times and the Washington Post and repeated 24/7 on the cable news channels. The GRU successfully leveraged stolen information to entice the media to cover the anti-Clinton stories it preferred, and there is no way to prevent or limit that kind of influence while also respecting the rights of a free press.

The fourth step necessary is one that can be driven only by the demands of the American citizenry: Americans must demand that future attacks be rapidly investigated, that the relevant facts be disclosed publicly well before an election, and that the mighty financial and cyber weapons available to the president be utilized immediately to punish those responsible. This might seem like a far stretch under President Trump, but recent efforts by members of his administration to prepare for the midterms demonstrate that public pressure could encourage a meaningful response despite the current occupant of the Oval Office.

The attacks against U.S. political discourse aim to undermine citizens’ confidence, create chaos and jeopardize the legitimacy of the American government. With the right political will and cooperation, the United States can demonstrate that 2016 was an aberration and that the U.S. political sphere will not become the venue of choice for the latest innovations in global information warfare. The world—including America's enemies—is watching.

Alex Stamos is an adjunct professor at Stanford University’s Freeman Spogli Institute for International Studies, a fellow at the Center for International Security and Cooperation, and a visiting scholar at the Hoover Institution. Until recently, he was the chief security officer of Facebook.

Subscribe to Lawfare