The United States is accusing Russia of wide-scale interference.
The U.S. statement is brief, but makes a quite specific charge against Russia. It claims that the Russian government has been behind recent hacking attacks on “US persons and institutions” that have led to material being leaked to outlets like DCLeaks and WikiLeaks. While it does not name the persons and institutions, it is presumably referring to the hacks of the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee. The DNC hacks were purportedly carried out by an actor calling himself “Guccifer 2.0,” after Guccifer, a notorious hacker who went after celebrities. There has been much speculation that Guccifer 2.0 is Russian, some of it fueled by national intelligence officials speaking off the record. Now the U.S. government has come out and made a formal accusation, claiming that “only Russia’s senior-most officials could have authorized these activities” given their sensitivity.
The statement also notes that a Russia-based company has been linked to efforts to probe “election related systems,” but that there is not yet enough evidence to “attribute this activity to the Russian government.” These sentences are plausibly a shot across Russia’s bow, suggesting that Russia will be held to blame if voting machines are hacked.
We don’t know what evidence the U.S. government has.
As noted, there has been widespread speculation that Guccifer 2.0 is an alias for a Russian-based hacker or team of hackers. The metadata (data about who edited a document, and when, among other things) of a Guccifer 2.0.-linked Microsoft Word document indicates that it was edited by someone using Cyrillic script and identifying himself as “Felix Dzerzhinsky,” while metadata on a Guccifer 2.0 PDF has error messages suggesting that it was converted on a computer using the Russian language.
However, these traces are best described as indicative circumstantial evidence rather than a smoking gun. They could, possibly, be faked. (It isn’t hard to monkey around with metadata.) That raises the possibility that U.S. intelligence agencies have other evidence that they find convincing but are not currently disclosing to the public.
This raises an obvious credibility problem. As I discuss in this Council on Foreign Relations Cyber Brief, intelligence agencies are in a difficult position when they want to attribute an attack to a specific actor. Much of the time, they will not be able to disclose the evidence that they have in public, for fear that it reveals too much about their own capabilities to trace attacks, making it easier for hostile actors to hide their tracks in future.
Hence, for example, some actors did not believe U.S. claims that North Korea was behind a hacking attack on Sony. This means that governments will often have difficulty in making charges of hacking attacks stick. It also means that governments may sometimes have incentives to lie, given that they have plausible reasons to fail to provide evidence. The inability of outside observers to distinguish between true and false accusations is one of the major problems that bedevils cybersecurity, since it means that it may be difficult for a state that has genuinely been attacked to persuade other states to help it sanction the offending actor.
As it has in the past, Russia has indignantly denied the accusations. What happens next will be interesting. Will the United States produce compelling evidence that Russia is to blame? Will it seek specifically to sanction Russia in some way, whether it is able to produce public evidence or not? Whatever happens, this is likely to be a significant and important moment in the international governance of cybersecurity issues.
The U.S. charge sheet also refers to other attacks on other countries.
The United States charges Russia with having behaved similarly toward other countries. Specifically, it says:
These thefts and disclosures are intended to interfere with the U.S. election process. Such activity is not new to Moscow — the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there.
It is not exactly clear which attacks the United States is referring to, but this could also be an important moment in defining the U.S. stance toward cybersecurity issues.
It could be that the United States is just referring to other hacking attacks. Yet it could also be that it is making a broader charge when it says that Russia is seeking “to influence public opinion” in other countries. The difference is important. If it is just referring to other hacking attacks, then it is implicitly blaming Russia for hacking servers for information that it then leaks to influence the politics of other countries. This is an important but limited and specific charge.
If, however, the accusation is that Russia is looking to influence public opinion in various countries by a variety of means (including, but not limited to, hacking) then this could have much wider implications. Over the last year, Northern Europeans in Finland, Sweden, the Baltic states and elsewhere have complained that Russian “propaganda” is a form of information warfare and there have been quiet discussions of whether Russian “information operations” should be treated as a kind of cyber warfare. Some, at least, in the United States, have been reluctant to get into this debate, because of U.S. public commitments to the free flow of information, which is influenced by the First Amendment. The new statement can possibly be read as tiptoeing one step toward agreement with the Northern Europeans.
Russia believes that the United States is interfering in its politics, too.
Back in the late 1990s, it looked to many observers (including me) as if both Eastern and Western European states had converged on agreement that democracy was the best form of government, and that external intervention to support democracy was legitimate and acceptable. We were very badly wrong.
Russia and other countries (including some members of the European Union) have increasingly become disenchanted with traditional democracy, and directly hostile toward the various kinds of election monitoring and aid for civil society that had become normalized in the immediate wake of the Cold War. After the fall of the previous Russia-friendly regime in Ukraine, Russia became even more paranoid about democratic monitoring and advocacy from non-Russian organizations. Russia now requires any organizations that receive funding from abroad to register as a “foreign agent” and has outlawed U.S.-based organizations like the National Democratic Institute, the Open Society Foundations and the National Endowment for Democracy from operating in Russia.
Putin’s government considers these organizations to be hostile to its continued rule of what is a managed democracy. He has no discernible attachment to the principle of free and fair elections, and it is quite possible that he considers interference in U.S. elections to be fair retaliation.
This puts Donald Trump in an interesting quandary.
Throughout the presidential campaign, Trump has expressed his admiration of Putin, seemingly defended him from various charges, and even suggested (perhaps jokingly) that Russia should hack Clinton’s emails.
Now, Trump is in a tricky position, especially if someone asks a question about Russian hacking at one of the two final debates. If he continues to associate himself with Putin, he risks further contaminating his public image. If he climbs down, he risks opening himself up to a line of attack about his political judgment, and why he made the mistake of expressing his admiration in the first place. It will be interesting to see how he resolves this dilemma.