Jack Cable sat down at the desk in his cramped dorm room to become an adult in the eyes of democracy. The rangy teenager, with neatly manicured brown hair and chunky glasses, had recently arrived at Stanford (his first semester of life away from home) and the 2018 midterm elections were less than two months away. Although he wasn't one for covering his laptop with strident stickers or for taking loud stands, he felt a genuine thrill at the prospect of voting. But before he could cast an absentee ballot, he needed to register with the Board of Elections back home in Chicago.
When Cable tried to complete the digital forms, an error message stared at him from his browser. Clicking back to his initial entry, he realized that he had accidentally typed an extraneous quotation mark into his home address. The fact that a single keystroke had short-circuited his registration filled Cable with a sense of dread.
Despite his youth, Cable already enjoyed a global reputation as a gifted hacker (or, as he is prone to clarify, an "ethical hacker"). As a sophomore in high school, he had started participating in bug bounties, contests in which companies such as Google and Uber publicly invite attacks on their digital infrastructure so that they can identify and patch vulnerabilities before malicious actors can exploit them. Cable, who is preternaturally persistent, had a knack for finding these soft spots. He collected enough cash prizes from the bug bounties to cover the costs of four years at Stanford.
Though it wouldn't have given the average citizen a moment of pause, Cable recognized the error message on the Chicago Board of Elections website as a telltale sign of a gaping hole in its security. It suggested that the site was vulnerable to those with less beneficent intentions than his own, that they could read and perhaps even alter databases listing the names and addresses of voters in the country's third-largest city. Despite his technical savvy, Cable was at a loss for how to alert the authorities. He began sending urgent warnings about the problem to every official email address he could find. Over the course of the next seven months, he tried to reach the city's chief information officer, the Illinois governor's office, and the Department of Homeland Security.
As he waited for someone to take notice of his missives, Cable started to wonder whether the rest of America's electoral infrastructure was as weak as Chicago's. He read about how, in 2016, when he was a junior in high school, Russian military intelligence (known by its initials, GRU) had hacked the Illinois State Board of Elections website, transferring the personal data of tens of thousands of voters to Moscow. The GRU had even tunneled into the computers of a small Florida company that sold software to election officials in eight states.
Out of curiosity, Cable checked to see what his home state had done to protect itself in the years since. Within 15 minutes of poking around the Board of Elections website, he discovered that its old weaknesses had not been fully repaired. These were the most basic lapses in cybersecurity, preventable with code learned in an introductory computer-science class, and they remained even though similar gaps had been identified by the FBI and the Department of Homeland Security, not to mention widely reported in the media. The Russians could have strolled through the same door as they had in 2016.
Between classes, Cable began running tests on the rest of the national electoral infrastructure. He found that some states now had formidable defenses, but many others were like Illinois. If a teenager in a dorm room (even an exceptionally talented one) could find these vulnerabilities, they were not going to be missed by a disciplined unit of hackers that has spent years studying these networks, a unit with the resources of a powerful nation bent on discrediting an American election.
#DemocracyRIP was both the hashtag and the plan. The Russians were expecting the election of Hillary Clinton, and preparing to immediately declare it a fraud. The embassy in Washington had attempted to persuade American officials to allow its functionaries to act as observers in polling places. A Twitter campaign alleging voting irregularities was queued. Russian diplomats were ready to publicly denounce the results as illegitimate. Events in 2016, of course, veered in the other direction. Yet the hashtag is worth pausing over for a moment, because, though it was never put to its intended use, it remains an apt title for a mission that is still unfolding.
Russia's interference in the last presidential election is among the most closely studied phenomena in recent American history, having been examined by Special Counsel Robert Mueller and his prosecutors, by investigators working for congressional committees, by teams within Facebook and Twitter, by seemingly every think tank with access to a printing press. It's possible, however, to mistake a plot point (the manipulation of the 2016 election) for the full sweep of the narrative.
Events in the United States have unfolded more favorably than any operative in Moscow could have ever dreamed: Not only did Russia's preferred candidate win, but he has spent his first term fulfilling the potential it saw in him, discrediting American institutions, rending the seams of American culture, and isolating a nation that had styled itself as indispensable to the free world. But instead of complacently enjoying its triumph, Russia almost immediately set about replicating it. Boosting the Trump campaign was a tactic; #DemocracyRIP remains the larger objective.
In the week that followed Donald Trump's election, Russia used its fake accounts on social media to organize a rally in New York City supporting the president-elect, and another rally in New York decrying him. Hackers continued attempting to break into state voting systems; trolls continued to launch social-media campaigns intended to spark racial conflict. Through subsidiaries, the Russian government continued to funnel cash to viral-video channels with names like In the Now and ICYMI, which build audiences with ephemera ("Man Licks Store Shelves in Online Post"), then hit unsuspecting readers with arguments about Syria and the CIA. This winter, the Russians even secured airtime for their overt propaganda outlet Sputnik on three radio stations in Kansas, bringing the network's drive-time depictions of American hypocrisy to the heartland.
While the Russians continued their efforts to undermine American democracy, the United States belatedly began to devise a response. Across government, if not at the top of it, there was a panicked sense that American democracy required new layers of defense. Senators drafted legislation with grandiose titles; bureaucrats unfurled the blueprints for new units and divisions; law enforcement assigned bodies to dedicated task forces. Yet many of the warnings have gone unheeded, and what fortifications have been built appear inadequate.
Jack Cable is a small emblem of how the U.S. government has struggled to outpace the Russians. After he spent the better part of a semester shouting into the wind, officials in Chicago and in the governor's office finally took notice of his warnings and repaired their websites. Cable may have a further role to play in defending America's election infrastructure. He is part of a team of competitive hackers at Stanford (national champions three years running) that caught the attention of Alex Stamos, a former head of security at Facebook, who now teaches at the university. Earlier this year, Stamos asked the Department of Homeland Security if he could pull together a group of undergraduates, Cable included, to lend Washington a hand in the search for bugs. "It's talent, but unrefined talent," Stamos told me. DHS, which has an acute understanding of the problem at hand but limited resources to solve it, accepted Stamos's offer. Less than six months before Election Day, the government will attempt to identify democracy's most glaring weakness by deploying college kids on their summer break.
Despite such well-intentioned efforts, the nation's vulnerabilities have widened, not narrowed, during the past four years. Our politics are even more raw and fractured than in 2016; our faith in government (and, perhaps, democracy itself) is further strained. The coronavirus may meaningfully exacerbate these problems; at a minimum, the pandemic is leeching attention and resources from election defense. The president, meanwhile, has dismissed Russian interference as a hoax and fired or threatened intelligence officials who have contradicted that narrative, all while professing his affinity for the very man who ordered this assault on American democracy. Fiona Hill, the scholar who served as the top Russia expert on Trump's National Security Council, told me, "The fact that they faced so little consequence for their action gives them little reason to stop."
The Russians have learned much about American weaknesses, and how to exploit them. Having probed state voting systems far more extensively than is generally understood by the public, they are now surely more capable of mayhem on Election Day, and possibly without leaving a detectable trace of their handiwork. Having hacked into the inboxes of political operatives in the U.S. and abroad, they've pioneered new techniques for infiltrating campaigns and disseminating their stolen goods. Even as to disinformation, the best-known and perhaps most overrated of their tactics, they have innovated, finding new ways to manipulate Americans and to poison the nation's politics. Russia's interference in 2016 might be remembered as the experimental prelude that foreshadowed the attack of 2020.
When officials arrived at work on the morning of May 22, 2014, three days before a presidential election, they discovered that their hard drives were fried. Hours earlier, pro-Kremlin hackers had taken a digital sledgehammer to a vital piece of Ukraine's democratic infrastructure, the network that collects vote tallies from across the nation. After finishing the task, they taunted their victim, posting photos of an election commissioner's renovated bathroom and his wife's passport.
Relying on a backup system, the Ukrainians were able to resuscitate their network. But on election night the attacks persisted. Hackers sent Russian journalists a link to a chart they had implanted on the official website of Ukraine's Central Election Commission. The graphic purported to show that a right-wing nationalist had sprinted to the lead in the presidential race. Although the public couldn't access the chart, Russian state television flashed the forged results on its highly watched newscast.
If the attack on Ukraine represented something like all-out digital war, Russia's hacking of the United States electoral system two years later was more like a burglar going house to house jangling doorknobs. The Russians had the capacity to cause far greater damage than they did (at the very least to render Election Day a chaotic mess) but didn't act on it, because they deemed such an operation either unnecessary or not worth the cost. The U.S. intelligence community has admitted that it's not entirely sure why Russia sat on its hands. One theory holds that Barack Obama forced Russian restraint when he pulled Vladimir Putin aside at the end of the G20 Summit in Hangzhou, China, on September 5, 2016. With only interpreters present, Obama delivered a carefully worded admonition not to mess with the integrity of the election. By design, he didn't elaborate any specific consequence for ignoring his warning.
Perhaps the warning was heeded. The GRU kept on probing voting systems through the month of October, however, and there are other, more ominous explanations for Russia's apparent restraint. Michael Daniel, who served as the cybersecurity coordinator on Obama's National Security Council, told the Senate Intelligence Committee that the Russians were, in essence, casing the joint. They were gathering intelligence about the digital networks that undergird American elections and putting together a map so that they could come back later and actually execute an operation.
What sort of operation could Russia execute in 2020? Unlike Ukraine, the United States doesn't have a central node that, if struck, could disable democracy at its core. Instead, the United States has an array of smaller but still alluring targets: the vendors, niche companies, that sell voting equipment to states and localities; the employees of those governments, each with passwords that can be stolen; voting machines that connect to the internet to transmit election results.
Matt Masterson is a senior adviser at the Department of Homeland Security's freshly minted Cybersecurity and Infrastructure Security Agency, a bureau assigned to help states protect elections from outside attack; it's where Jack Cable will work this summer. I asked Masterson to describe the scenarios that keep him up at night. His greatest fear is that an election official might inadvertently enable a piece of ransomware. These are malicious bits of code that encrypt data and files, essentially placing a lock on a system; money is then demanded in exchange for the key. In 2017, Ukraine was targeted again, this time with a similar piece of malware called NotPetya. But instead of extorting Ukraine, Russia sought to cripple it. NotPetya wiped 10 percent of the nation's computers; it disabled ATMs, telephone networks, and banks. (The United States is well aware of NotPetya's potency, because it relied on a tool created by, and stolen from, the National Security Agency.) If the Russians attached such a bug to a voter-registration database, they could render an entire election logistically unfeasible; tracking who had voted and where they'd voted would be impossible.
But Russia need not risk such a devastating attack. It can simply meddle with voter-registration databases, which are filled with vulnerabilities similar to the ones that Cable exposed. Such meddling could stop short of purging voters from the rolls and still cause significant disruptions: Hackers could flip the digits in addresses, so that voters' photo IDs no longer match the official records. When people arrived at the polls, they would likely still be able to vote, but might be forced to cast provisional ballots. The confusion and additional paperwork would generate long lines and stoke suspicion about the underlying integrity of the election.
Given the fragility of American democracy, even the tiniest interference, or hint of interference, could undermine faith in the tally of the vote. On Election Night, the Russians could place a page on the Wisconsin Elections Commission website that falsely showed Trump with a sizable lead. Government officials would be forced to declare it a hoax. Imagine how Twitter demagogues, the president among them, would exploit the ensuing confusion.
Such scenarios ought to have sparked a clamor for systemic reform. But in the past, when the federal government has pointed out these vulnerabilities, and attempted to protect against them, the states have chafed and moaned. In August 2016, President Obama's homeland-security secretary, Jeh Johnson, held a conference call with state election officials and informed them of the need to safeguard their infrastructure. Instead of accepting his offer of help, they told him, "This is our responsibility and there should not be a federal takeover of the election system."
After the 2016 election, the federal government could have taken a stronger hand with localities. Unprecedented acts of foreign interference presumably would have provided quite a bit of leverage. That did not happen. The president perceives any suggestion of Russian interference as the diminution of his own legitimacy. This has contributed to a conspiracy of silence about the events of 2016. A year after the election, the Department of Homeland Security told 21 states that Russia had attempted to hack their electoral systems. Two years later, a Senate report publicly disclosed that Russia had, in fact, targeted all 50 states. When then-DHS Secretary Kirstjen Nielsen tried to raise the subject of electoral security with the president, acting White House Chief of Staff Mick Mulvaney reportedly told her to steer clear of it. According to The New York Times, Mulvaney said it wasn't a great subject and should be kept below his level.
This atmosphere stifled what could have been a genuinely bipartisan accomplishment. The subject of voting divides Republicans and Democrats. Especially since the Bush v. Gore decision in 2000, the parties have stitched voting into their master narratives. Democrats accuse Republicans of suppressing the vote; Republicans accuse Democrats of flooding the polls with corpses and other cheating schemes. Despite this rancor, both sides seemed to agree that Russian hacking of voting systems was not a good thing. After the 2016 election, Democratic Senator Amy Klobuchar, from Minnesota, partnered with Republican Senator James Lankford, from Oklahoma, on the Secure Elections Act. The bill would have given the states money to replace electronic voting machines with ones that leave a paper trail and would have required states to audit election results to confirm their accuracy. The reforms would also have had the seemingly salutary effect of making it easier for voters to cast ballots.
The Secure Elections Act wouldn't have provided perfect insulation from Russian attacks, but it would have been a meaningful improvement on the status quo, and it briefly looked as if it could pass. Then, on the eve of a session to mark up the legislation, a moment for lawmakers to add their final touches, Senate Republicans suddenly withdrew their support, effectively killing the bill. Afterward, Democrats mocked Senate Majority Leader Mitch McConnell as "Moscow Mitch," an appellation that stung enough that the senator ultimately agreed to legislation that supplied the states with hundreds of millions of dollars to buy new voting systems, but without any security demands placed on the states or any meaningful reforms to a broken system. McConnell made it clear that he despised the whole idea of a legislative fix to the electoral-security problem: "I'm not going to let Democrats and their water carriers in the media use Russia's attack on our democracy as a Trojan horse for partisan wish-list items that would not actually make our elections any safer." For McConnell, suppressing votes was a higher priority than protecting them from a foreign adversary.
To raise the subject of John Podesta's email in his presence is a callous act. But I wanted his help tabulating a more precise toll of Russian hacking: how it leaves a messy trail of hurt feelings, saps precious mental space, and reshapes the course of a campaign. After repeatedly prodding him for an interview, I finally met with Hillary Clinton's old campaign chief in his Washington office, which stares down onto the steeple of the church Abraham Lincoln attended during the Civil War. Dressed in a plaid shirt, with a ballpoint pen clipped into the pocket, Podesta rocked back and forth in a swivel chair as he allowed me to question him about one of the most wince-inducing moments in recent political history.
Months before WikiLeaks began publishing his emails, Podesta had an inkling that his Gmail account had been compromised. Internal campaign documents had appeared on an obscure website, and he considered the possibility that they had been lifted from his computer. Still, the call from a member of the campaign's communications team on October 7, 2016, left him gobsmacked. As he finished a session of debate preparation with Clinton, he learned that Julian Assange intended to unfurl the contents of his inbox over the remaining month of the campaign. It's a familiar if much-ignored maxim in politics that no email should ever contain content one wouldn't want to see on the front page of The New York Times. This was now Podesta's reality.
On the 10th floor of the Clinton campaign's headquarters, in Brooklyn, a team of 14 staffers quickly assembled. They covered a glass door in opaque paper to prevent voyeurs from observing their work and began to pore over every word of his 60,000 emails: every forwarded PDF, every gripe from an employee, even the meticulous steps of his risotto recipe. The project would consume the entirety of the month. Every day, Podesta set aside time to meet with emissaries from the 10th floor and review their findings. "I willed myself not to feel pain," he told me.
The material that WikiLeaks eventually posted created some awkward moments. Podesta had received snarky emails from colleagues, and had sent a few himself. To repair relationships, Podesta found himself apologizing to co-workers, friends, former Cabinet secretaries. Even when the contents of the leaked messages seemed innocuous, new annoyances would arise. WikiLeaks hadn't redacted the correspondence to protect privacy, leaving the cellphone numbers of campaign staffers for the world to view. In the middle of meetings, staffers would find their devices vibrating incessantly; strangers would fill their voicemails with messages like "I hope you're raped in prison." Identity thieves quickly circled Podesta, attempting to claim his Social Security benefits and applying for credit cards in his name. Despite a political career that has permitted him to whisper into the ears of presidents, the legendarily frugal Podesta had commuted to New York on Vamoose, a discount bus line. A fraudster exploited the hack to steal the points he had accumulated in the Vamoose rewards program.
As Podesta revisited these painful moments, he claimed that he'd stoically persisted in their face: "I kept going on television. I kept raising money. I kept traveling with Hillary and President Clinton. I kept doing everything that I had been doing." But these were the closing weeks of an election that would turn on fewer than 80,000 votes spread across three states. For a campaign that arguably didn't invest its resources properly in the final stretch, the question must be asked: How badly did the Russians throw the campaign off its game? The least visible damage of the hack might have been the most decisive.
In the years since the Podesta hack, Microsoft's Tom Burt has continually battled its perpetrators. As the man charged with safeguarding the security of Windows, Word, and his company's other software, he has developed a feel for the GRU's rhythms and habits. Through Microsoft's work with political parties and campaigns around the world (the company offers them training and sells them security software at a discount), Burt has accumulated lengthy dossiers on past actions.
What he's noticed is that attacks tend to begin on the furthest fringes of a campaign. A standard GRU operation starts with think-tank fellows, academics, and political consultants. These people and institutions typically have weak cybersecurity fortifications, the penetration of which serves dual purposes. As the GRU pores through the inboxes of wonks and professors, it gathers useful intelligence about a campaign. But the hacked accounts also provide platforms for a more direct assault. Once inside, the GRU will send messages from the hacked accounts. The emails come from a trusted source, and carry a plausible message. According to Burt, "It will say something like 'Saw this great article on the West Bank that you should review,' and it's got a link to a PDF. You click on it, and now your campaign network is infected." (Although Burt won't discuss specific institutions, he wrote a blog post last year describing attacks on the German Marshall Fund and the European offices of the Aspen Institute.)
Podesta fell victim to a generic spear-phishing attack: a spoofed security warning urging him to change his Gmail password. Many of us might like to think we're sophisticated enough to avoid such a trap, but the Russians have grown adept at tailoring bespoke messages that could ensnare even the most vigilant target. Emails arrive from a phony address that looks as if it belongs to a friend or colleague, but has one letter omitted. One investigator told me that he's noticed that Russians use details gleaned from Facebook to script tantalizing messages. If a campaign consultant has told his circle of friends about an upcoming bass-fishing trip, the GRU will package its malware in an email offering discounts on bass-fishing gear.
Many of these techniques are borrowed from Russian cybercrime syndicates, which hack their way into banks and traffic in stolen credit cards. Burt has seen these illicit organizations using technologies that he believes will soon be imported to politics. For instance, new synthetic-audio software allows hackers to mimic a voice with convincing verisimilitude. Burt told me, "In the cybercrime world, you're starting to see audio phishes, where somebody gets a voicemail message from their boss, for example, saying, 'Hey, I need you to transfer this money to the following account right away.' It sounds just like your boss and so you do it."
What the Russians can't obtain from afar, they will attempt to pilfer with agents on the ground. The same GRU unit that hacked Podesta has allegedly sent operatives to Rio de Janeiro, Kuala Lumpur, and The Hague to practice what is known as close-access hacking. Once on the ground, they use off-the-shelf electronic equipment to pry open the Wi-Fi network of whomever they're spying on.
The Russians, in other words, take risks few other nations would dare. They are willing to go to such lengths because they've reaped such rich rewards from hacking. Of all the Russian tactics deployed in 2016, the hacking and leaking of documents did the most immediate and palpable damage, distracting attention from the Access Hollywood tape, and fueling theories that the Democratic Party had rigged its process to squash Bernie Sanders's campaign.
In 2020, the damage could be greater still. Podesta told me that when he realized his email had been breached, he feared that the hackers would manufacture embarrassing or even incriminating emails and then publish them alongside the real ones. It's impossible to know their reasoning, but Russian hackers made what would prove to be a clever decision not to alter Podesta's email. Many media outlets accepted whatever emails WikiLeaks published without pausing to verify every detail, and they weren't punished for their haste. The Podesta leaks thus established a precedent, an expectation that hacked material is authentic, perhaps the most authentic version of reality available, an opportunity to see past a campaign's messaging and spin and read its innermost thoughts.
In fact, the Russians have no scruples about altering documents. In 2017, hackers with links to the GRU breached the inboxes of French President Emmanuel Macron's campaign staffers. The contents were rather banal, filled with restaurant reservations and trivial memos. Two days before these were released, other documents surfaced on internet message boards. Unlike the emails, these were pure fabrications, which purported to show that Macron had used a tax haven in the Cayman Islands. The timing of their release, however, gave them credibility. It was natural to assume that they had been harvested from the email hack, too. The Macron leaks suggested a dangerous new technique, a sinister mixing of the hacked and the fabricated intended to exploit the electorate's hunger for raw evidence and faith in purloined documents.
In the spring of 2015, trolls in St. Petersburg peered at the feed of a webcam that had been furtively placed in New York City. Sitting in front of a computer screen on the second floor of a squat concrete office building, the trolls waited to see if they could influence the behavior of Americans from the comfort of Russian soil.
The men worked for a company bankrolled by Yevgeny Prigozhin, a bald-headed hot-dog vendor turned restaurateur, known to the Russian press as "Putin's chef." In the kleptocratic system that is the Russian economy, men like Prigozhin profit from their connections to Putin and maintain their inner-circle status by performing missions on his behalf. The operation in St. Petersburg was run by the Internet Research Agency, a troll farm serving the interests of the Kremlin. (Prigozhin has denied any involvement with the IRA.)
The IRA is an heir to a proud Russian tradition. In the Soviet Union's earliest days, the state came to believe that it could tip the world toward revolution through psychological warfare and deception, exploiting the divisions and weaknesses of bourgeois society. When it was assigned this task, the KGB referred to its program by the bureaucratic yet ominous name Active Measures. It pursued this work with artistic verve. It forged letters from the Ku Klux Klan that threatened to murder African athletes at the 1984 Summer Olympics in Los Angeles. It fomented conspiracies about the CIA: that the agency had orchestrated the spread of the AIDS virus in a laboratory and plotted the assassination of President John F. Kennedy. Some of these KGB schemes were harebrained. But as one defector to the West put it, more Americans believed the Soviet version of JFK's murder than the Warren Report.
The IRA has updated the principles of Active Measures for the digital age. On social media, disinformation can flourish like never before. Whereas the KGB once needed to find journalistic vehicles to plant their stories (usually the small-audience fringes of the radical press), Facebook and Twitter hardly distinguished between mainstream outlets and clickbait upstarts. And many of the new platforms were designed to manipulate users, to keep them engaged for as long as possible. Their algorithms elevated content that fueled panic and anger.
With the New York webcam, the IRA was testing a hunch: that, through the miracle of social media, it could now toy with Americans as if they were marionettes. As the political scientist Thomas Rid recounts in his powerful new history, Active Measures, a post on Facebook promised that free hot dogs would be available to anyone who arrived on a specific corner at a prescribed time. Back in St. Petersburg, IRA employees watched as New Yorkers arrived, looked at their phones in frustration, and skulked away.
The ruse was innocuous, but it proved a theory that could be put to far more nefarious ends: Social media had made it possible, at shockingly low cost, for Russians to steer the emotions and even movements of Americans. No study has quantified how many votes have been swayed by the 10 million tweets that the IRA has pumped into the digital world; no metric captures how its posts on Facebook and Instagram altered America's emotional valence as it headed to the polls in 2016. In the end, the IRA's menagerie of false personas and fusillades of splenetic memes were arguably more effective at garnering sensationalistic headlines than shifting public opinion. For their part, the IRA's minions immodestly credited themselves with having tilted the trajectory of history. The U.S. government obtained an email from an IRA employee describing the scene at the St. Petersburg office on Election Night: "When around 8 a.m. the most important result of our work arrived, we uncorked a tiny bottle of champagne ... took one gulp each and looked into each other's eyes ... We uttered almost in unison: 'We made America great.'"
Having run a noisy operation in 2016, the IRA has since learned to modulate itself. Its previous handiwork, much of which was riddled with poor syntax and grammatical errors, hardly required a discerning eye to identify. These days, the IRA takes care to avoid such sloppiness. Now, when they want to, IRA trolls can make themselves inconspicuous.
Relying on this quieter approach, the IRA has carried the theory of its hot-dog experiment into American political life. When white supremacists applied for a permit to hold a march in 2018 to commemorate the first anniversary of their protests in Charlottesville, Virginia, a Facebook group organized a counterprotest in Washington, D.C. The group was called the Resisters. Its administrators, who went by the names Mary and Natasha, recruited a coterie of enthusiastic organizers to promote the rally. When Facebook took down the Resisters page (noting its ties to IRA accounts, and implying that Mary and Natasha were fictitious creations), American leftists were shocked to learn that they had apparently been hatching plans with foreign trolls. According to The New York Times, they were also furious with Facebook: Whether or not the page was a Russian ploy, it had become a venue for real Americans to air their real grievances. In fact, it was hard to pinpoint where the Active Measures ended and the genuine action began, the sort of tradecraft that the KGB would have admired.
Although the IRA might practice stealth when the operation demands, in other circumstances it will deploy raw bluster. Starting in 2017, it launched a sustained effort to exaggerate the specter of its interference, a tactic that social-media companies call "perception hacking." Its trolls were instructed to post about the Mueller report and fan the flames of public anger over the blatant interference it revealed. On the day of the 2018 midterm elections, a group claiming to be the IRA published a grandiloquent manifesto on its website that declared: "Soon after November 6, you will realize that your vote means nothing. We decide who you vote for and what candidates will win or lose. Whether you vote or not, there is no difference as we control the voting and counting systems. Remember, your vote has zero value. We are choosing for you."
The claim was absurd, but the posturing had a purpose. If enough Americans come to believe that Russia can do whatever it wants to our democratic processes without consequence, that, too, increases cynicism about American democracy, and thereby serves Russian ends. As Laura Rosenberger, a former National Security Council staffer under Obama who runs the Alliance for Securing Democracy, put it, "They would like us to see a Russian under every bed."
Judging by this year's presidential-primary campaign, they have been successful in this effort. When the Iowa Democratic Party struggled to implement new technology used to tally results for the state's caucus, television panelists, Twitter pundits, and even a member of Congress speculated about the possibility of hacking, despite a lack of evidence to justify such loose talk. American incompetence had been confused for a plot against America.
As the outlines of the IRA's efforts began to emerge in the months following the 2016 election, Facebook at first refused to acknowledge the problem. The company's defensiveness called attention to its laissez-faire attitude toward the content that it elevated in people's News Feeds. Facebook found itself flayed by congressional committees, its inner workings exposed by investigative journalists. Ostensibly it had been Alex Stamos's job to prevent the last attack, and now he faced another wave of disinformation, with midterm elections fast approaching. Stamos worried that, in the absence of an orchestrated defense, his company, as well as the nation, would repeat the mistakes of 2016.
In the spring of 2018, he invited executives from the big tech companies and leaders of intelligence agencies to Facebook's headquarters in Menlo Park, California. As he thought about it, Stamos was surprised that such a summit hadn't been organized sooner. What shocked him more was a realization he had as the meeting convened: Few of these people even knew one another. "People who ran different agencies working on foreign interference met for the first time at Menlo Park, even though they were 10 Metro stops away in D.C.," he told me. "The normal collaborative process in government didn't exist on this issue."
Stamos's summit succeeded in spurring cooperation. Prior to the meeting, one tech company would identify and disable Russian accounts but fail to warn its competitors, allowing the same trolls to continue operating with impunity. Over the course of 2018, the tech industry gradually began acting in concert. The lead investigators on the threat-intelligence teams at 30 companies (including Facebook, Verizon, and Reddit) joined a common channel on Slack, the messaging platform. When one company spies a nascent operation, it can now ring a bell for the others. This winter, Facebook and Twitter jointly shut down dozens of accounts associated with a single residential address in Accra, Ghana, where the Russians had set up a troll factory and hired local 20-somethings to impersonate African Americans and stoke online anger.
Yet this remains a game of cat and mouse in which the mice enjoy certain advantages. Despite the engineering prowess of the social-media companies, they haven't yet built algorithms capable of reliably identifying coordinated campaigns run by phony Russian accounts. In most instances, their algorithms will suggest the inauthenticity of certain accounts. Those data points become a lead, which is then passed along to human investigators.
Facebook has several dozen employees on its threat-intelligence team, many of them alumni of the three-letter agencies in Washington. Still, the tech companies rely heavily on law enforcement for tips. Facebook and Twitter have frequent check-ins with the FBI. Without the bureau, Facebook might have missed an IRA video filled with lies about Russian tampering in the midterm elections. After a heads-up from the government, Facebook blocked the IRA from uploading the video before it ever appeared on its site, using the same technique that it deploys to suppress Islamic State snuff videos and child pornography. Rising from their denialist crouch, the social-media companies have proved themselves capable of aggressive policing; after treating the IRA as a harmless interloper, they came to treat it with the sort of disdain they otherwise reserve for terrorists and deviants.
Devising strategies for thwarting the last attack is far easier than preventing the next one. Even if Russian disinformation can be tamped down on social media (and the efforts here, on balance, are encouraging), there are other ways, arguably more consequential, to manipulate American politics, and scant defense against them.
On an early-March afternoon, I typed "the Federal Election Commission" as a destination into Uber and was disgorged at a building the agency hasn't occupied for two years. The antiquated address placed me on course to arrive half an hour late for an appointment with Ellen Weintraub, the longest-serving and most vociferous member of the commission nominally assigned to block the flow of foreign money into political campaigns. When I called her office to inform her of my tardiness, her assistant told me not to worry: Weintraub's schedule was wide open that afternoon. In fact, for the past six months the FEC hadn't conducted much official business. Only three Senate-approved commissioners were installed in their jobs, even though the agency should have six and needs four for a quorum.
Weintraub, a Democrat, has an impish streak. Near the beginning of the FEC's hibernation, she called out a fellow commissioner who had blocked the publication of a memo that seemed to criticize the Trump campaign for its 2016 meeting with a Russian lawyer, then posted the memo in a 57-part thread on Twitter. Weintraub has grown accustomed to her colleagues ignoring her questions about the presence of Russian and other illicit money in American campaigns. When the commission received a complaint suggesting that the FBI was investigating the National Rifle Association as a conduit for Russian money, she asked her fellow commissioners for permission to call the FBI, to, as she put it, "see if they have interesting information they want to share. But they said, 'We're not going to call the FBI.' They didn't want to do anything."
Outside Weintraub's office, the subject of Russia's illicit financing of campaigns hardly provokes any attention. The Alliance for Securing Democracy was the only organization I could find that comprehensively tracks the issue. It has collected examples of Russian money flowing into campaigns around the world: a 9.4-million-euro loan made to the French nationalist Marine Le Pen's party; operatives arriving in Madagascar before an election with backpacks full of cash to buy TV ads on behalf of Russia's preferred candidate and to pay journalists to cover his rallies.
Or take a case closer to home: Lev Parnas and Igor Fruman, the Soviet-born Americans who worked with Rudy Giuliani in his search for politically damaging material to deploy against former Vice President Joe Biden, were charged with conspiring to funnel money from an unnamed Russian into American campaigns. Some of the cases cited by the Alliance for Securing Democracy are circumstantial, but they form a pattern. Since 2016, the group has identified at least 60 instances of Russia financing political campaigns beyond its borders. (The Kremlin denies meddling in foreign elections.)
When I asked Weintraub if she had a sense of how many such examples exist in American politics, she replied, "We know there's stuff going on out there, and we're just not doing anything." Since the Supreme Court's 2010 Citizens United decision, which lifted restrictions on campaign finance, hardly any systemic checks preclude foreigners from subsidizing politicians using the cover of anonymous shell companies. With that decision, the high court opened the door for Russia to pursue one of its favored methods of destabilizing global democracy. By covertly financing campaigns, the Russians have helped elevate extremist politicians and nurture corrosive social movements. "Everyone knows there are loopholes in our campaign-finance system," Weintraub said. "Why would we think that our adversaries, who have demonstrated a desire to muck around in our democracy, wouldn't be using those loopholes, too?"
Problems of inattention, problems of coordination, and deep concerns about November: these themes came up over and over in my interviews for this story. Indeed, at times everyone seemed to be sounding the same alarm. H. R. McMaster, who briefly served as Donald Trump's national security adviser, sounded it when he proposed a new task force to focus the government's often shambolic efforts to safeguard the election. Adam Schiff, the chairman of the House Intelligence Committee, sounded it when he realized how poorly the bureaucracy was sharing the information it was gathering about the Russian threat.
There was a moment that crystallized Schiff's sense of this disjointedness. In the summer of 2018, he attended a security conference in Aspen, Colorado, where Tom Burt revealed that Microsoft had detected Russian phishing attacks targeting Democratic senatorial candidates. "When I went back to Washington," Schiff told me, "I asked agency heads within the [intelligence community] whether they were aware of this. The answer was no." That the chairman of the House Intelligence Committee had to learn this elemental fact about his own branch of government at a public gathering is troubling; that the people charged with protecting the country didn't know it is flabbergasting.
The sprawling federal bureaucracy has never been particularly adept at the kind of coordination necessary to anticipate a wily adversary's next move. But there is another reason for the government's alarmingly inadequate response: a president who sees attempts to counter the Russia threat as a personal affront.
After McMaster was fired, having made little if any progress on Russia, the director of national intelligence, Dan Coats, took up the cause, installing in his office an election-security adviser named Shelby Pierson. This past February, Pierson briefed Schiff's committee that the Russians were planning to interfere in the upcoming election, and that Trump remained Moscow's preferred candidate. Anyone who follows the president on Twitter knows this is a subject that provokes his fury. Indeed, the day after Pierson's testimony, the president upbraided Coats's successor, Joseph Maguire, for Pierson's assessment. A week later, he fired Maguire and installed in his place the ambassador to Germany, Richard Grenell, a loyalist with no intelligence experience. Grenell immediately set about confirming the wisdom behind Trump's choice. Three weeks into his tenure, a senior intelligence official in the Office of the DNI informed the Senate that Pierson's assessment was mistaken.
Trump had graphically illustrated his recurring message to the intelligence community: He doesn't want to hear warnings about Russian interference. Mark Warner, the highest-ranking Democrat on the Senate Intelligence Committee, told me, "A day doesn't go by that I don't hear from someone in the intelligence community saying, 'Oh my gosh, we're worried about integrity, we're worried about morale, we're worried about willingness to speak truth to power.'" I asked Warner whether he could still trust the intelligence about Russia he received, whether he has faith that the government will render an accurate portrait of the Russian threat to the upcoming presidential election. As he considered his answer, he leaned toward me. "I don't know the answer to that," he replied, "and that bothers me."
Vladimir Putin dreams of discrediting the American democratic system, and he will never have a more reliable ally than Donald Trump. A democracy can't defend itself if it can't honestly describe the attacks against it. But the president hasn't just undermined his own country's defenses; he has actively abetted the adversary's efforts. If Russia wants to tarnish the political process as hopelessly rigged, it has a bombastic amplifier standing behind the seal of the presidency, a man who reflexively depicts his opponents as frauds and any system that produces an outcome he doesn't like as fixed. If Russia wants to spread disinformation, the president continually softens an audience for it, by instructing the public to disregard authoritative journalism as the prevarications of a traitorous elite and by spouting falsehoods on Twitter.
In 2020, Russia might not need to push the U.S. for it to suffer a terrible election-year tumble. Even without interventions from abroad, it is shockingly easy to imagine how a pandemic might provide a pretext for indefinitely delaying an election or how this president, narrowly dispatched at the polls, might refuse to accept defeat. But restraint wouldn't honor Russia's tradition of Active Measures. And there may never be a moment quite so ripe for taking the old hashtag out of storage and giving it a triumphalist turn. #DemocracyRIP.
This article appears in the June 2020 print edition with the headline "The 2016 Election Was Just a Dry Run."
See the article here:
Putin Is Well on His Way to Stealing the Next Election - The Atlantic