War Stories

Democracy, Unguarded

We can’t protect our elections from Russian interference if the president won’t even admit it’s happening.

People crowd a sidewalk in downtown Washington to enter a polling station on Nov. 8, 2016. Eric Baradat/AFP/Getty Images

It was a startling move for the top U.S. national security officials to appear at a White House news conference, as they did on Thursday to affirm what their boss, the president, has repeatedly denied: that the Russians hacked into our electoral system, that they could do so again with the flick of a switch, and that efforts have been stepped up to stop them.

So what are those efforts? What are these officials—the directors of national intelligence and the FBI, the secretary of homeland security, and the commander of U.S. Cyber Command (who is also director of the National Security Agency)—doing to ward off the next assault? And will those efforts block wily hackers from intruding through some back door?

The short answers: The officials, or some of them, are doing more than they were—but not enough to secure our elections.

Part of the problem is that certain gears in the voting machinery are inherently vulnerable. Part of the problem is that a coordinated strategy requires someone to coordinate it, and the only person who can do that—President Donald Trump—has gone AWOL.

National Security Adviser John Bolton appeared alongside the security officials at Thursday’s news conference, but one of the first things Bolton did when he took the job in April was to fire the White House cyber chief and then eliminate the job. The cyber chief, Rob Joyce, was no hapless bureaucrat; he had been director of Tailored Access Operations, the NSA’s squadron of elite hackers. He was, in short, ideally suited for the job: immersed in the art and science of cyber offense and defense. (Joyce has since returned to the NSA.)

Ellen Nakashima recently reported in the Washington Post that, in the absence of White House leadership, the NSA and Cyber Command are teaming up to coordinate actions to counter Russian interference in the upcoming midterm elections. This is unusual, to say the least. The agency and the command are both led by the same person, a four-star general named Paul Nakasone. In other words, one of the nation’s most senior military officers has taken it upon himself to use his organizations—a combatant command and the most secretive U.S. intelligence agency—to protect the legitimacy of America’s domestic politics.

Well, somebody has to do it.

Shortly after the Sept. 11 attacks, the FBI and NSA figured out ways to combine the former’s legal authority and the latter’s surveillance tools to hunt down foreign terrorists. The Department of Homeland Security soon helped itself to this procedure as well. DHS is formally tasked with protecting the nation’s critical infrastructure from cyberattacks. An ill-conceived, maladroit hodgepodge of bureaucracies, hammered together in the wake of 9/11 and a mindless rush of good intentions, the department was meant to consolidate all the agencies that protected the homeland from harm—FEMA, TSA, the Coast Guard, Customs and Border Protection, as well as the various counterterrorist bureaus—but wound up only dissipating their power. “DHS has some good people,” a former intelligence official told me, “but the place is structurally hopeless.” And so, DHS too draws on the NSA’s tools when it has no other choice.

This is the NSA’s piece of the counter-Russian campaign: detecting the intrusions in cyberspace. DHS Secretary Kirstjen Nielsen pretends that her shop is ferreting out the hackers, but she’s doing little more than reading the NSA reports. Other Cabinet heads play the same game. Secretary of Energy Rick Perry recently claimed that CRISP—the Cybersecurity Risk Information Sharing Program, which his department runs in conjunction with private companies—detected Russian hacking of the U.S. electric grid. But in fact, according to former intelligence officers who are still working in the cyber field, NSA made the discovery and passed it on to DOE.

Cyber Command is going after foreign hackers in a more aggressive way.

When the command was set up in 2010, it had two core missions. The first was to support other U.S. combatant commanders (Central Command, European Command, Southern Command, etc.) by going through their war plans and figuring out which targets could be destroyed by cyber means rather than by missiles, bullets, or bombs. The second was to protect the Defense Department’s computer networks. By this time, military security officers had isolated those networks to the point where there were only eight points of access to the open internet; Cyber Command could sit on top of those eight points, watching for intruders.

But then the command was given a third mission: to defend civilian critical infrastructure. This included banks, power grids, transportation systems, waterworks, and so forth, many of them privately owned. Intruders could hack into these targets through thousands of networks; Cyber Command had neither the ability nor the legal authority to guard all of them.

So the chief of Cyber Command at the time, Gen. Keith Alexander, came up with a different approach: go on the offensive before the attack begins. Get inside an adversary’s networks, watch him preparing for an attack, then deflect it.

Cyber Command has long been penetrating Russian networks. That’s how the Justice Department was able to indict 12 Russian military intelligence hackers last month, identifying them by name and recounting precisely what each one of them did, when, and how. (No one expects Russian President Vladimir Putin to extradite the officers; the whole point was to let him know that we know exactly what his people are doing.) Now Nakasone is starting to swat the attacks.

At the White House news conference on Thursday, Nakasone was asked whether he’d been ordered to authorize any cyber-offensive operations in response to the Russian hacking. He replied, “So my guidance and the direction from the present Secretary of Defense [Jim Mattis] is very clear. We’re not going to accept meddling in the elections. And it’s very unambiguous.”

Plain-English translation: Yes.

It’s unclear exactly what these operations amount to. Cyber-offensive operations are highly classified. But here’s the thing: By law, they also have to be authorized not just by the secretary of defense, but by the president. Has Trump authorized them? How far would he be willing to go not just to deflect an attacker but to harm or embarrass Putin himself?

Unless the NSA and Cyber Command are willing to play endless rounds of whack-a-mole in their pursuit of hackers on all fronts, the U.S. government is going to have to devise a strategy of cyber deterrence. What this means and what it requires are questions that officials and experts have been pondering for a few decades now, to little avail. In nuclear strategy, deterrence involves persuading the adversary that, if he attacks you, you’ll retaliate in kind. For the 73 years since Hiroshima and Nagasaki, the major powers have drawn a bold line between the use and nonuse of nuclear weapons; no one has fired off even a mini-nuke, out of fear that someone will fire back and the conflict could quickly escalate to an all-out nuclear war. But a half-dozen countries have been launching cyberattacks, of varying degrees of damage, for decades; lines have not been clearly drawn; “retaliation in kind” means little if your entire social infrastructure is hooked up to the internet and, therefore, vulnerable to further attacks.

A report last year by the Defense Science Board noted that cyber deterrence must involve threatening to attack something that an adversary holds dear if he hits us first with a devastating cyberattack. It’s unclear what that might be. And it’s equally unclear that our current president would want to threaten something that Putin holds dear—especially since Putin could strike back against one of the many things (golf courses and other properties, say) that Trump holds dear.

Even if we had a president who put his mind to these issues, rather than systematically avoided the very premise, there would be another problem: the vulnerability of the voting machines and the networks that connect them. Earlier this year, Kim Zetter reported in the New York Times that the most commonly used voting machines have portals for communications through a network—for remote diagnostics, maintenance, even to transmit voting results. Those portals, and the remote-access software behind them, give an attacker a way in. A popular contest at the annual DEF CON conference these days is to see who can most quickly hack into a voting machine. It never takes long.

It is now known that the Russians broke into some state election systems and voter-registration databases in the run-up to the 2016 election. It is not known whether they then altered votes or removed names from the rolls. I asked a former senior intelligence officer, who worked on cybersecurity, whether it was possible to know whether any alterations had been made. He thought a moment and said, “Not after the fact. No, there’s no way of knowing, one way or the other.” That is the case for machines that keep no paper record; where a voter-verified paper trail exists, a post-election audit can at least check the tally against it.

There are thousands of machines across the country; it would be very difficult to hack into enough of them to significantly alter the overall vote. However, since the margins in certain states are very close, if a hacker knew which precincts are the tightest, he could have an impact by hacking those machines.

But the main problem, the problem that may well have tilted the 2016 presidential election, is not the hacking of voting machines. It’s the hacking of emails and campaign memos, to gain intelligence on “analytics” strategy, and the hacking of social media, to aim false messages at targeted groups of voters. (In this sense, cyberattacks are much more swift and potent than the propaganda campaigns that Russia, the United States, and many other countries waged in foreign elections decades ago.)

The biggest problem here is education. Too many people fall for simple spear-phishing expeditions. Too few people follow the most basic steps of cyber hygiene. It’s as if you left your door unlocked and your windows open, then expressed surprise upon finding that, while you were out, your entire house was cleaned out. Only in this case, it’s also as if the police chief shrugged when you reported the crime, wondered out loud whether the burglary really happened, and waved away all the evidence as a “hoax” and a “witch hunt” when his top detectives fingered the culprit.

The house of American democracy is under attack, and the man who’s sworn to protect it doesn’t care.