Published by The Lawfare Institute
Special Counsel Robert Mueller and his Justice Department/FBI team deserve congratulations for doing their job of figuring out in concrete detail what the Russians did in the 2016 election campaign and telling the American people about it—now in an indictment and perhaps later, and in more detail, in a report. Last week’s indictment might also portend, as the Lawfare crew implied, a tightening of the criminal-conspiracy noose to include Americans, perhaps some with connections to the Trump campaign.
The indictment also represents an extraordinary assertion of Justice Department power and independence. President Trump never stops complaining about the DOJ “witch hunt,” but his subordinates in the Potemkin unitary executive branch keep proving him wrong. The president didn’t even have the de facto authority to delay Rod Rosenstein’s announcement from the maximum embarrassment it caused him on the dawn of his summit with Vladimir Putin. With each new concrete revelation contrary to the president’s wishes and representations, Rosenstein’s and Mueller’s effective power grows vis-a-vis the president.
But behind the indictment, and the congratulatory reaction to it, lie some uncomfortable unanswered questions about blowback toward U.S. officials, reciprocal interference by the United States in other nations' political affairs, the lack of preparation for renewed electoral interference in this country, and U.S. journalists’ publication of stolen U.S. government information. These questions have heightened significance and more difficult answers in light of President Trump’s astounding performance Monday in Helsinki.
I have been critical of the Justice Department’s “indict and shame” strategy in the past, and I noted the downsides of Mueller’s first indictment. I agree that indictments can serve useful goals, as David Kris noted in the best account of law enforcement as a counterintelligence tool. And Mueller’s “speaking indictment” certainly serves the very important goal of telling the American people what happened in 2016. I continue to think, however, that as a substitute for other responses to serious cyberintrusions, indictments on balance signal weakness.
What I want to focus on here is how this highest-profile-yet indictment of foreign officials for breaking into computers in the United States raises questions about reciprocity and blowback. As the Snowden documents and David Sanger’s great new book and other books make plain, and as U.S. officials are wont to brag, the U.S. intelligence services break into computers and computer networks abroad at an astounding rate, certainly on a greater scale than any other intelligence service in the world. Every one of these intrusions in another country violates that country’s criminal laws prohibiting unauthorized computer access and damage, no less than the Russian violations of U.S. laws outlined in Mueller’s indictment. This is not a claim about the relative moral merits of the two countries’ cyber intrusions; it is simply a claim that each side unequivocally breaks the laws of the other in its cyber-espionage activities.
How will the United States respond when Russia and China and Iran start naming and indicting U.S. officials? Maybe the United States thinks its concealment techniques are so good that the type of detailed attribution it made against the Russians is infeasible. (The Shadow Brokers revealed the identities of specific NSA operators, so even if the National Security Agency is great at concealment as a matter of tradecraft that is no protection against an insider threat.) Maybe Russia and China and Iran won’t bother indicting U.S. officials unless and until the indictments actually materialize into a trial, which they likely never will. But what is the answer in principle? And what is the U.S. policy (if any) that is being communicated to military and civilian operators who face this threat? What is the U.S. government response to former NSA official Jake Williams, who worked in Tailored Access Operations and who presumably spoke for many others at NSA when he said that “charging military/gov hackers is dumb and WILL eventually hurt the US”?
2. Interference and Reciprocity
The Mueller indictment was greeted by outrage anew—outrage that is reaching new heights after President Trump’s Russia-friendly press conference. But is there a principled basis on which the United States can object to the Russian interference? Recall that President Obama boasted that U.S. offensive cyber capacities were the greatest in the world, and that Sanger reports that “the United States remains the world’s stealthiest, most skillful cyberpower.” Then consider:
- The wide array of U.S. cyber intrusions abroad revealed by Snowden.
- Olympic Games, the operation against Iranian centrifuges that Michael Hayden compared in significance to the use of nuclear weapons in August 1945.
- The Shadow Broker leaks of many of the NSA’s offensive tools and what the NSA was doing with those tools.
- The U.S. Internet Freedom program, which (among other things) provides cyber tools and training to activists in authoritarian nations with the aim of achieving political change there.
- U.S. officials assisting and urging U.S. social media giants such as Twitter to help activists bring down foreign governments.
This is but a bit of the public evidence—surely a tiny sliver of the overall evidence—of U.S. “interferences” abroad using offensive cyber tools of various sorts. These interferences are why the United States, along with Russia, is widely viewed as one of the world’s most dangerous cyber bullies (if not the most dangerous), and not just by authoritarian states. The U.S. interferences don’t in any moral sense “justify” what Russia did in 2016, though they might have—as Sanger and I and others have suggested—invited or encouraged them. Nor do U.S. cyber interferences abroad in any way impact Mueller’s work, which is to find out what Russia did so the United States can hold the relevant actors responsible to the extent possible and, hopefully, do better the next time.
But U.S. interferences abroad do raise the question: What is the U.S. objection in principle if others do to us as we do to them? The Mueller indictment at bottom accuses the named Russians of hacking into computers in the United States, stealing information, and using that information in public to Russia’s advantage. Similarly, the United States uses the masses of digital information it steals to its advantage in every element of its international relations, including to influence foreign political outcomes.
It is no response to say that the United States doesn’t meddle in foreign elections, because it has in the past—at least as recently as Bill Clinton’s intervention in the Russian presidential election of 1996 and possibly as recently as the Hillary Clinton State Department’s alleged intervention in Russia’s 2011 legislative elections. And during the Cold War the United States intervened in numerous foreign elections, more than twice as often as the Soviet Union. Intelligence history expert Loch Johnson told Scott Shane that the 2016 Russia electoral interference is “the cyber-age version of standard United States practice for decades, whenever American officials were worried about a foreign vote.” The CIA’s former chief of Russia operations, Steven L. Hall, told Shane: “If you ask an intelligence officer, did the Russians break the rules or do something bizarre, the answer is no, not at all.” Hall added that “the United States ‘absolutely’ has carried out such election influence operations historically, and I hope we keep doing it.”
Johnson and Hall argued to Shane that “Russian and American interferences in elections have not been morally equivalent,” since “American interventions have generally been aimed at helping non-authoritarian candidates challenge dictators or otherwise promoting democracy,” while “Russia has more often intervened to disrupt democracy or promote authoritarian rule.” This is descriptively true in general (but not always), comforting to Americans and perhaps of moral relevance. But it won’t influence Putin or other adversaries, and it cuts no ice in international relations generally. Nor is there any relevant distinction in international law. International law almost certainly does not regulate cyber theft, and certainly not in a way that distinguishes what other nations increasingly do to us via cyber theft from what we do to them via cyber theft. It definitely doesn’t distinguish between interferences in foreign nations and their elections to promote democracy and similar interferences that seek to disrupt democracy. Nor does it pick out doxing for particular disapprobation. We can draw distinctions between what the Russians do and what we do from a moral and motivational perspective, and maybe in some factual details, but these differences don’t matter to our adversaries under any shared normative framework.
These are not intended as “gotcha” or “whataboutism” points. Americans are right to be shocked and angry by the revelations in the Mueller indictment, and the government must do everything in its power to ensure that American voters choose leaders without foreign interference. The question is what the United States should do about the unacceptable operations in 2016. So far, it hasn't done much. As I have long argued, I think the United States’ failure to look in the mirror is a large part of the problem. This is a difficult and painful thing to say the same day the president of the United States stood next to Putin, discredited U.S. intelligence agencies, and said “we’re all to blame” for the poor state of U.S.-Russia relations. I am certainly not blaming U.S. intelligence agencies, which don’t control U.S. strategic decisions, for anything. But the reality is that the United States government engages in substantially similar behavior to that which the Russians used to cause us great harm.
This reality has strategic implications for, among other things, the ability to develop bilateral or multilateral international norms as a constraint on the forms of interference the United States abhors. But we are not talking about this reality in the United States. Maybe it’s myopia; maybe it’s fear of charges of moral equivalency. But we’re not talking about it. If as a nation we want to take seriously the threat before us, we should ask whether and how our own actions sparked or invited what we now face and what that implies for our efforts to redress these interferences. To understand this predicament and to have a strategic conversation with allies and adversaries alike, we need an honest, pragmatic assessment of our own conduct that doesn’t fall back on “it’s okay when we do it” justifications. Such assertions, however right as a moral matter, won’t change the behavior of adversaries or improve the U.S. position, and might be a hurdle to both.
Being honest with ourselves is especially important in a world where our adversaries accurately view cyber tools as a relatively inexpensive and hugely effective way to achieve advantage over the United States. I have offered some thoughts (here and here) on how self-candor might lead to progress. Here is another suggestion. The U.S. government has not, to the best of my knowledge, formally or informally claimed that Russia’s 2016 behavior violates international law. Nor (I believe) has it even strongly claimed that infringements of sovereignty of the type the Russians engaged in are unacceptable in international relations. To have any chance of establishing a norm against the operation outlined in Mueller’s indictment (and I am not confident such a norm is possible), the United States needs to draw a strong principled line and defend it. That defense would acknowledge that the United States has interfered in elections itself, renounce those actions and pledge not to do them again; acknowledge that it continues to engage in forms of computer network exploitations for various purposes that it deems legitimate; and state precisely the norm that the United States pledges to stand by and that the Russians violated. It is revealing that the United States has done none of these things. And it is unclear whether it can do them. But this is a necessary first step to creating norms to prohibit what happened in 2016.
Assuming these proposals make sense, it is hard to see how the Trump administration can even begin to implement them. Far from standing up to Putin and wanting to draw a line, Trump shows every sign of accommodating Putin. The president is also in the amazing position of not being credible to his own intelligence agencies about his bona fides when it comes to the Russians. Even if the president were persuaded to push an international norm against what happened in 2016, any proposals along the lines suggested above would likely be pilloried as caving to the Russians or engaging in moral equivalency. I also fear that Trump’s performance Monday will heighten the angry concern that Americans and members of Congress feel about what happened in 2016, and that will make it yet harder to look in the mirror.
3. We Remain Vulnerable
Over the weekend Director of National Intelligence Dan Coats stated that “the digital infrastructure that serves this country is literally under attack” and that “the warning lights are blinking red again,” just as before 9/11. This is unsurprising, since the U.S. government has done amazingly little—at least in public—in response to the many cyber intrusions and attacks over the years. There are many reasons why the United States has reacted so passively. (See my recent paper with Stuart Russell and Sanger’s book.) It is understandable that adversaries would respond to the success of past operations, and the weak U.S. reactions, and the cheapness and plentitude of offensive cyber tools, to seek to wreak more havoc.
In this light, consider the standard phishing attacks described in Mueller’s indictment, which resulted in the theft and release of Democratic Party information that, in the unregulated U.S. speech environment, went viral and had an enormous impact that still reverberates. (President Obama once described the operation as “not particularly sophisticated.”) There has been a lot of talk and a bit of action about hardening voting systems, cleaning up fake accounts on social media, and cracking down more on propaganda efforts on social media of the type Mueller outlined in his February indictment. But when I read Friday’s indictment I thought: We have done nothing as a nation to redress the tactic of phishing, and once information is stolen and released, there is no possibility of regulating its use in the American free speech environment. Expect much more phishing and related tactics in November and in the 2020 presidential campaign.
4. Implications for the Press
Mueller has not yet indicted anyone who worked with the Russians in releasing the stolen information. The Lawfare team summarized the participation of “conspirators” in the indictment as follows:
[The indictment] describes extensive interaction between the conspirators and an entity, called “Organization 1,” which the Washington Post and other news outlets have identified as Wikileaks. In late June 2016, Wikileaks allegedly solicited additional stolen information from Guccifer 2.0, saying that its release of the data “will have a much higher impact than what you are doing.” In early July, citing the upcoming Democratic convention, it allegedly messaged Guccifer 2.0 that “if you have anything hillary related we want it in the next tweo [sic] days” and that “we think trump has only a 25% chance of winning against hillary” so stoking conflict between Clinton and her rival Bernie Sanders “is interesting.”
There is a lot of anger against WikiLeaks and a lot of support for indicting Julian Assange and others related to WikiLeaks for their part in publishing the information stolen by the Russians. If Mueller goes in this direction, he will need to be very careful not to indict Assange for something U.S. journalists do every day. U.S. newspapers publish information stolen via digital means all the time. They also openly solicit such information through SecureDrop portals. Some will say that Assange and others at WikiLeaks can be prosecuted without threatening “real journalists” by charging a conspiracy to steal and share stolen information. I am not at all sure such an indictment wouldn’t apply to many American journalists who actively aid leakers of classified information. And even if such a principle could be crafted that would nab WikiLeaks and spare the New York Times, a successful indictment and prosecution of WikiLeaks figures for conspiring to publish stolen information would certainly narrow protections for “mainstream” journalists and raise questions about SecureDrop and other interactions with sources who peddle stolen information.