The Russia-Linked Election Hack is a Sign of Things to Come
On Friday, WikiLeaks published a stolen archive of emails from the Democratic National Committee — and Washington spent the weekend trying to figure out if the dump was a normal political scandal or something far more sinister. The dump revealed a number of embarrassing facts, including a number of indications that the nominally neutral DNC had favored Clinton during the primary election — but as the story has progressed, those facts have proved less interesting than where they came from.
Over the weekend, a number of experts have raised suspicions that the email leak was carried out as part of an active campaign by Russian groups to sway the US election. The FBI is actively investigating the hack and the House Intelligence Committee has reportedly been briefed on it as well. If the reports are true, it would be a new level of involvement by a foreign power in a US election. And since the attack used many of the same tactics turned against Sony Pictures and Ashley Madison, it would also set a troubling precedent for how commonly available digital attacks could be used to subvert a national election.
"Attacks against electoral candidates ... are likely to continue up until the election in November."
The DNC was first compromised in May of this year, and while attribution is always tricky, there’s ample evidence linking that attack to Russia. In a blog post in June, the firm Crowdstrike linked the DNC compromise to two different groups, dubbed "Cozy Bear" and "Fancy Bear." One had been linked to previous attacks on the State Department, and both were seen choosing targets "for the benefit of the government of the Russian federation," Crowdstrike CTO Dmitri Alperovitch wrote. Two separate firms later confirmed the finding, and crucially, both assessments were made over a month ago, long before the emails themselves were released. The report closed with an ominous prediction: "Attacks against electoral candidates and the parties they represent are likely to continue up until the election in November."
In the month since, the connection to Russia has only strengthened. A figure came forward taking credit for the hack, claiming to be a Romanian civilian acting alone — but in a pivotal Motherboard interview, he proved unable to converse in Romanian, and metadata for his site showed it had been modified by Russian users. In the wake of the email dump, other experts have piled on the Russian connection, with longtime Russia analyst Thomas Rid describing the evidence as "very strong."
We’ve seen this before, from Sony Pictures to Ashley Madison
At the same time, Russian state media has made no secret of its preference for Donald Trump. The state-run Russia Today channel has been notably enthusiastic about the Trump campaign, and the Republican frontrunner has largely reciprocated, showing an unprecedented lack of support for groups like NATO and the EU that have long served as a counterbalance to Russian influence in eastern Europe. Members of Trump’s campaign staff also have ties to Putin that predate the campaign. That doesn’t indicate any direct coordination, but it does suggest that if a Russian group chose to meddle in the US election, it would be in aid of Trump rather than Clinton.
That leaves both the electorate and the media in an uncomfortable place. The leaked emails are clearly newsworthy — they’ve already inspired the head of the DNC to resign — but they are only public because of an act of espionage. The deeper we dig, the more effective that attack becomes. If the election ends up being swayed by this dump or another in October, it could do permanent damage to the process. Even if it ends here, email dumps are likely to be a permanent fixture of politics in the years to come.
We’ve seen this before, from Sony Pictures to Ashley Madison. A group is targeted for political reasons, their email server is compromised, and years worth of communications are suddenly made available. The source and motivations of the leak are unclear, but the contents are embarrassing enough to be newsworthy. The political fallout takes a toll, bringing down a few staffers and knocking the entire organization off its balance for months on end. Whoever targeted the group gets away clean, protected by international borders and well-covered digital tracks. The stakes feel higher now, with international actors and an election at stake, but the logic itself is depressingly familiar.
Can democratic institutions withstand the pressure of digital attacks?
Not every organization is vulnerable to such an attack. With a few exceptions, government agencies and large corporations can buy their way out of such embarrassments with better security measures and more disciplined employees. As a result, we’ll never learn about intelligence programs this way, or wrongdoing from a major corporation. In that respect, these hacks are entirely different from whistleblower leaks like the Panama Papers, the State Department cables or the Snowden documents. Those leaks exposed genuinely powerful organizations at work, motivated by costly acts of individual principle. What we saw at the DNC was closer to a hit and run, striking a soft target with as little exposure as possible. This attack will always work better against civil society groups and small businesses — and as it becomes more common, those are the groups that will be hit the hardest.
That’s an ugly future, when no speech can be expected to stay private and the weakest are targeted first. It’s not clear how we avoid it. For better or worse, most of the world’s organizations run on email, and that leaves every message persistent and easily accessible on a server. It’s hard to imagine that will change, or that we’ll get any better at protecting those servers. More than a year and a half after the Sony leaks, we still have no better answer to the moral questions raised by that attack. The more urgent question is whether democratic institutions can withstand the pressure of digital attacks. If an election can be swayed by a simple spear-phishing attack, how much trust can we put in the result?