Election Hacking, As We Understand It Today, Is Not A Cybersecurity Issue

At a Senate intelligence committee hearing in November on Social Media Influence in the 2016 U.S. Elections, Sen. Dianne Feinstein said about Russian interference in the 2016 election, “What we're talking about is a cataclysmic change. What we're talking about is the beginning of cyber warfare.”

Others have gone further. Sen. John McCain said during an appearance on Ukrainian television:

When you attack a country, it’s an act of war ... And so we have to make sure that there is a price to pay so that we can perhaps persuade Russians to stop this kind of attacks on our very fundamentals of democracy.

Former Vice President Dick Cheney said at the Economic Times’ Global Business Summit 2017 in New Delhi:

[An] aspect of Mr. Putin’s conduct is the issue that is now very much in the headlines at home, and that has to do with cyber warfare, cyberattack on the United States—the fact that he took his capabilities in the cyber area and used it to try to influence our election.

He continued:

There’s no question there was a very serious effort made by Mr. Putin and his government, his organization, to interfere in major ways with our basic fundamental democratic processes. In some quarters, that would be considered an act of war.

Commenting on the first year of the Trump administration’s efforts in cybersecurity, our colleague Paul Rosenzweig recently wrote that “Trump’s efforts in cybersecurity have not been terribly impressive.” Acknowledging a number of modestly positive developments, he argued that “all of those positives pale in comparison to the single, overarching massive failure of national policy-making in the cyber area: the utter unwillingness to come to grips with the vulnerability of our electoral infrastructure.”

To address concerns about cybersecurity vulnerabilities of the electoral infrastructure, a bipartisan group of six senators introduced on December 21, 2017, S. 2611, the “Secure Elections Act,” a bill intended to streamline cybersecurity information-sharing between federal intelligence entities and state election agencies; provide security clearances to state election officials; and provide support for state election cybersecurity operations. (See, for example, Sen. Susan Collins’ press release on the bill.) The authors of this legislation, and press stories around it, characterize it as a bill to improve the cybersecurity of the U.S. election infrastructure.

But it’s not at all obvious to me that the success of Russian meddling in the 2016 election was primarily the result of failures in the nation’s cybersecurity posture. Although cybersecurity issues were implicated in the election, they did not play a central role, and formulating the problem as mostly one of “improving cybersecurity” against Russian hacking of our computer and communications systems is highly misleading. It may even be dangerous, if it diverts our attention from more critical issues.

Start with the U.S. government’s working definition of cybersecurity as “prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.” (This unclassified definition comes from National Security Presidential Directive NSPD-54.)

As far as is known on the public record, the only Russian activities of any consequence were the email hacking of the Democratic National Committee (DNC) and John Podesta. That is, Russian hacking did compromise these email accounts and thus falls within the ambit of the NSPD-54 definition of cybersecurity. (Cyberattacks on the election-related systems of 21 states and at least one voting-systems vendor were less consequential; public reporting to date has not shown that these attacks had any actual effects on the integrity of the voting process.)

It is true that during the election, a great deal of public attention focused on the DNC and Podesta emails. But even if these emails had never been compromised (and even if the inconsequential Russian attack on election-related states had never occurred), other Russian efforts to affect political discourse during the election would have been unaffected; these largely successful efforts are by now well documented. For example, Facebook has acknowledged that approximately 126 million people may have been seen content from a source associated with the Russian Internet Research Agency, a known troll farm. Twitter retrospectively identified 36,746 automated accounts tweeting election-related content as Russian-linked. These accounts generated 1.4 million election-related tweets, many of which received additional exposure through liking and retweeting. Google identified about 1,100 videos with 43 hours' worth of content on YouTube tied to the Russian campaign, of which a few dozen had in excess of 5,000 views each.

The U.S. intelligence community’s assessment of Russian interference in the election reflects both elements: The report stated that “Moscow’s influence campaign followed a Russian messaging strategy that blends covert intelligence operations—such as cyber activity—with overt efforts by Russian Government agencies, state-funded media, third-party intermediaries, and paid social media users or “trolls.” That is, the Russian campaign involved both cyber activity and other overt efforts.

It further noted that “when it appeared to Moscow that Secretary Clinton was likely to win the election [that is, at the beginning of the U.S. election campaign], the Russian influence campaign began to focus more on undermining her future presidency.” At that stage, the goals of the Russian campaign were to “undermine public faith in the U.S. democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency.“ Indeed, had Hillary Clinton won the election, it is hard to believe that the nature of American politics in this alternative universe would be significantly different than it is today in reality.

Based on what is known today, improving the cybersecurity posture of the U.S. election infrastructure is certainly a useful measure to take, and the Secure Elections Act is an important step in that direction. But make no mistake—even an enacted, fully funded and well-implemented Secure Elections Act will not ameliorate the effects of Russian efforts to increase the polarization of the U.S. electorate.

For this reason, a focus on preventing the hacking of election systems is misleading and dangerous—it distracts us from the real danger to the republic today, which is the toxic nature of political discourse in an internet-enabled information environment that Russia can manipulate in entirely legal ways. Dealing with this danger will force us as a nation to ask whether the information environment should still be characterized as an information marketplace in which the antidote to bad speech is more speech and good ideas rise to the top. If nothing else, the political events of the past year or two have called that premise into question.