Where’s the 9/11 Commission for Russia’s Election Attack?

America needs a better way forward to safeguard its democracy in cyberspace. Every day the world learns more about the reach and scope of Russia’s coordinated campaign against the 2016 U.S. presidential election. In recent congressional hearings, Facebook, Google, and Twitter faced questions over their failure to secure their platforms against foreign manipulation. Senator Dianne Feinstein (D-Calif.) scolded the technology giants for doing too little in the face of a dangerous threat. “We’re talking about the beginning of cyberwarfare,” she said, “we’re talking about a major foreign power sowing discontent across this country.” Feinstein has a point, but the implications go well beyond technology companies and well beyond the United States.

In 2015, Russia’s military and intelligence agencies began a coordinated cyberattack against the weak underbelly of America’s political institutions, businesses, and citizens. This reflects an increasing trend of malicious Russian activity in cyberspace, from distributed denial of service attacks on Estonia in 2007 to destructive attacks on Ukraine’s electric infrastructure in 2015 and 2016. Technology companies need to adapt rapidly, as Senator Feinstein and others have said, but protecting Americans from hostile foreign operations in cyberspace is at root a national-security mission and a government responsibility that the Trump administration and Congress are failing to meet.

The Russian election attack may be both the tip of the iceberg and yesterday’s news. Future attacks on American democracy by Russia or others could target polling organizations like Gallup (or the U.S. Census Bureau) to alter data about American society, or manipulate financial institutions to devalue currencies and trigger a political crisis. In the past the United States has responded to historic and disruptive attacks on the country with a strategic re-orientation, as in the period following the terrorist attacks of Sept. 11, 2001. The country is at a similar moment now. Former government officials, sitting Members of Congress, think tankers, writers, and academics are all calling for change. At the same time, President Donald Trump sows confusion by expressing confidence in Russian President Vladimir Putin and hedging about whether Russia’s election interference was real. The non-partisan U.S. intelligence community has twice declared that Russia meddled in the 2016 U.S. presidential election; America’s democracy is at risk in cyberspace. Russia’s attack should spur a broad national security response to improve America’s cybersecurity and build resilience to divisive propaganda.

Russia’s assault on the 2016 election should be seen as what British sociologist Anthony Giddens terms a “high consequence risk,” a disruptive event that can alter people’s perceptions of the world and even a nation’s trajectory. In Giddens’ thinking, the globally interconnected economy and our information technologies make human societies more susceptible to attacks by smaller groups of people using less expensive means. 9/11 presented one such risk. Russia’s election attack is another.

While the analogy is jarring given the extraordinary loss of life and global impact of 9/11, the terrorists and the Russians exploited American businesses and legal and policy loopholes to attack from within. The terrorists used airlines, flight schools, and weaknesses in airport security. The Russians exploited technology companies, weaved through election-law loopholes, and penetrated weak cybersecurity.

Because the internet is inherently vulnerable, Moscow only needed a relatively small, skilled force with modest resources to affect American society. By stealing and publishing private emails, purchasing and targeting divisive ads, and spreading propaganda through social media, Russia turned tools of everyday use into weapons of attack against American elections. There is no way to tell how much Russia’s intrusion affected the election’s outcome; nor can Trump’s rise be blamed on the Russians (that responsibility falls to Americans). Yet the man Vladimir Putin sought to assist is now president, and public trust in America’s media, digital communications, and electoral systems has been undermined.

This was not the kind of cyberattack that the national-security community had anticipated. For years, the dominant concern has been to prevent a destructive cyberattack on U.S. critical infrastructure like the energy or financial sectors. In two separate attacks in 2015 and 2016, for example, Russia conducted malware attacks on Ukraine’s power grid that disrupted the transmission of power to parts of the Ukrainian population. Russia has also previously implanted malware on American industrial-control systems, suspected to include those of nuclear power plants.

In the face of escalating cyber threats, the United States has made substantial organizational investments. From the decision to create U.S. Cyber Command in 2009 to the passage of the Cybersecurity Information Sharing Act of 2015 to the growth in the cybersecurity services and insurance markets and even Trump administration’s 2017 executive order, the world has made progress. But the surprising vulnerabilities exposed in the 2016 election attack show that it has not been enough.

Like the rise of Trump himself, the unexpected nature of the Russian election operation caught the country off guard. Democratic organizations and leaders are softer targets compared to a nuclear power plant or a well-secured bank, and had not been the focus of government cybersecurity efforts in the past. Less attuned to the risk, civic institutions and political parties, polling agencies, political leaders, and election officials may be unaccustomed to following cybersecurity practices like two-factor authentication or encryption. Absent a robust response to secure key organizations, deter and block future attacks, and educate the American public, Russia’s free hand in 2016 may lead American citizens to doubt the integrity of elections and political deliberations for a generation.

America’s response to the Russian hack should be measured against the concrete actions taken in the post-9/11 period. A month after September 11, the Bush administration began the Afghanistan military campaign against al Qaeda and the Taliban. In November, it stood up the Transportation Security Administration. A year later, the 9/11 Commission was launched and the Department of Homeland Security established. The reworking of America’s national security system included such diverse actions as integrating intelligence and military operations for counterterrorism, inventing and deploying new warfighting capabilities like armed drones, and increasing public awareness and education (“if you see something say something”). The country’s response to terrorism was adaptive and forceful. It was imperfect, of course, and arguably went too far in several ways. Yet the country made a concerted national effort and sought to respond effectively to a new kind of threat.

By comparison the national security response to the Russian operation has been anemic. The Obama administration ejected Russian spies, shuttered Russian compounds, and instituted sanctions only after the election, likely doing little to deter future meddling. In January this year, then Secretary of Homeland Security Jeh Johnson designated America’s election systems as “critical infrastructure” that deserved priority assistance. Importantly, the Obama administration also directed the intelligence community to release a declassified version of its assessment attributing Russia’s operations, which included the assessment that Vladimir Putin directed the attacks with the intent of tipping the election towards Donald Trump.

Although Congress passed more sanctions against Russia by an overwhelming and veto-proof majority in July, the measures were originally resisted by the Trump administration and have not been implemented. Three congressional investigations into Russia’s interference are under way, all riven by politics. There is little prospect for an overarching Select Committee, let alone an independent analogy to the 9/11 Commission that can operate above the political fray, unearth the full story, and provide bipartisan recommendations for the future. Special Counsel Robert Mueller’s investigation is leading to charges, but it does not have a policy remit for handling the next cyberattack. In a hopeful sign, Sen. Martin Heinrich (D-N.M.) and Sen. Susan Collins (R-Maine) introduced a bill to help secure the nation’s electoral infrastructure, but its prospects are unclear in a gridlocked Congress.

President Trump closed Russian diplomatic installations in the United States, but only after Russia kicked out hundreds of U.S. personnel to protest new Congressional sanctions. More importantly, the President’s continued claim that Russian election interference is “a hoax” helps Moscow to divide Americans and undercuts the legitimacy of the intelligence community’s attribution of the attack. While the Trump administration’s cybersecurity executive order includes some thoughtful proposals, from building resilient information systems to developing strategic options for cyber deterrence, without top-level attention and a public acceptance by the President of the actual and active threats from Russia and others, the government will struggle to deliver results

So what can be done? Looking forward and building on past improvements, there are three levels of action that can improve the cybersecurity of the nation’s democratic processes. Although strong White House leadership is needed in some cases, it is also unlikely to materialize. Private organizations, federal, state, and local government, and individuals can nonetheless make meaningful progress. It’s time to start thinking of cybersecurity not only as a problem for the tech community, but as a required practice of businesses and civil society and a duty of citizenship for every American, as normal as wearing a seatbelt or taking part in the neighborhood watch.

First, companies and non-profits as well as state and local governments can organize and invest for cybersecurity. Companies and organizations need to invest in the people, processes and technology necessary for effective cybersecurity, from firewalls to two-factor authentication to constant red-teaming of exploitable business practices, like Facebook’s previous ad-selling method that enabled Russian propaganda. If companies and organizations fail to take strategic defensive action, they will eventually get hit hard. While the enemy often has the upper hand in cyberspace operations, following the basics matters significantly. When North Korea hacked Sony in 2015, for example, it was reported that Sony kept its passwords in a folder named “password” and that some passwords included “12345” or “ABCDE.” Countering a capable adversary in cyberspace requires coordinated action, but absent basic best practices an entirecompany can be left exposed.

In addition to technology platforms, state and local election infrastructure is vulnerable. The Department of Homeland Security disclosed in September that Russia tried to hack the election systems of 21 states. States have the Constitutional right to set the “times, places, and manners” of elections and have largely managed electoral processes on their own. Yet things are not working as they should. According to a Harvard study by Pippa Norris and others, in recent years the United States electoral system has displayed the “worst performance among all Western democracies.” While Norris calls for comprehensive reform, simple steps can help. Minimizing digital exposure can drive down cybersecurity risk; after having seen how easily electronic voting machines can be compromised, several states are taking steps to ensure paper records. This practice could extend across the country. State and local authorities need to recognize the threat, invest, and seek federal assistance when needed. The 2018 election is just around the corner.

For its part, Congress should still establish an independent commission on election interference to understand threats and develop recommendations. Legislation could also offer incentives to spur cybersecurity spending through tax credits or reductions, potentially winning administration support. One of the more promising civic initiatives, Harvard’s Defending Digital Democracy initiative, brings together a bipartisan group of national security and political leaders with technology company experts to identify solutions. It could hold events across the country to help secure democratic institutions. Other similar programs could do the same.

The second layer of action is about preparing to counter cyberthreats from abroad. When a foreign government attacks the United States in cyberspace, the intelligence community and the U.S. military have the lead in identifying the adversary’s identity and infrastructure, for preparing to counter incoming cyberattacks, and respond in kind, if directed. For this mission to succeed it is vital that companies, state and local government, and individuals share information as quickly as they can with federal partners. The information-sharing process needs to improve for all parties: during the Russia attack, the FBI warned the Democratic National Committee, but neither organization behaved effectively; the DNC was unsure if the warning was real and failed to act on it, and the FBI failed to ensure that its warning reached the right people. The U.S. government is focused on Russia, North Korea, Iran, and China and other cyber aggressors. It can help victims not only by rapidly sharing threat information but also by ensuring warnings are acted on and, where needed, organizing response operations to stop an attack, control escalation, and reestablish deterrence with a hostile state.

Depending on the nature of the threat, U.S. government response options may include law enforcement actions (such as shutting off a server), indictments, sanctions, or potentially military operations. The U.S. government is also developing capabilities to disrupt cyberattacks through cyberspace operations. This is a difficult mission. It takes time to identify a perpetrator, map the cyberspace infrastructure being used, and deploy tools to blunt an attack. The Department of Defense, the FBI, and other agencies already exercise regularly for counter-offense operations in the event of a cyberattack of significant impact. Beyond building partnerships and strengthening the nascent U.S. military forces tasked with the “defend the nation” mission, the government should engage leading technology companies in deliberate, cooperative planning to lawfully and voluntarily conduct combined defensive operations. Such a response would likely be justified to counter future cyberattacks on democracy.

Third and finally, the United States needs a national campaign to ensure the American people treat the internet as a risky environment that demands common-sense precautions. We the people, the users and consumers of social and mainstream media, need to get educated to defend ourselves against hackers and know when we might be getting played in cyberspace, whether by a foreign power, a domestic group, or a cyber criminal. Russian propaganda reached scores of Americans unaware they could be targeted by information warfare. Some of the weakest links in the Russia hack were end users, yet most Americans probably don’t know that October was national cybersecurity awareness month.

Resilience in the digital age means being aware of the Internet’s impact on our lives, including the influence of online information on our political thinking. Social media companies should try to break down the bubbles that they themselves inadvertently created, a goal that Mark Zuckerberg claims is a priority for Facebook. Mainstream media also spread Russian misinformation. From the New York Times to Fox News to the Times of India, global media companies should enhance their counterintelligence analysis and consider how they may undercut the democracies in which they operate by amplifying propaganda. Politicians would also be prudent to avoid echoing divisive propaganda, something they can do only if they are both aware of potential manipulations and decent enough to ignore it regardless of political expedience.

America’s government and U.S. businesses can also help society prepare for the dangers of cyberspace by identifying and warning of threats and educating the public. As with campaigns to encourage recycling, a focus on young people who are “digital natives” will help. To paraphrase Smokey the Bear, only you can prevent subversion of your democracy.

Technology companies can do more to improve their cybersecurity and protect democracy, but they cannot and should not be expected to lead a comprehensive national response. Following the Russian attack, the United States needs an integrated national approach that brings together government, business, and individual citizens. By failing to outline such a strategy, the Trump administration does little to protect itself from ongoing legal and public scrutiny surrounding possible ties to Russia, and much to harm America’s future and that of democracy everywhere.

The apparent ease with which Russia can exacerbate divisions from Crimea to California will make such meddling a tempting model for other capable cyberspace aggressors, especially if America’s response proves feckless as Russia refines its capabilities and seeks to shape international cyber governance toward state control of data and information. Cyberspace operations by autocratic states against democracies could become a 21^st century norm, impacting elections and trust in democracy around the world as citizens wonder if their systems are rigged. There is no time to waste as elections from Japan and Taiwan to the Baltic States and Europe and across the Western Hemisphere provide a constant testing ground for Russia-style tactics. Alternatively, the United States can design and implement an effective strategy and work toward international rules that encourage an open internet and restraint in state-sponsored cyber manipulation.

If Russia had conducted a destructive cyberattack on our critical infrastructure, as it did in Ukraine, America might be more united in its response. If Americans succumb to acrimony and blame instead of focusing on national security solutions, they will prove that, in one way, brutal attacks by al Qaeda and the Islamic State are less effective than Russia’s foggy war against Western democracies: the terrorists unite us while Moscow divides us.