‘I f***ing hate that guy. Like I’d like to kick the sh** out of him on twitter . . . but I know that is dumb.” “That guy,” as every clucking tongue in Washington can now tell you, was liberal Harvard Law professor (and former law clerk to Justice Antonin Scalia) Lawrence Lessig, who ran a brief, quixotic campaign for the 2016 Democratic presidential nomination.
This moment of impulsive pettiness was not meant to be public; it came in a private e-mail, between two private citizens, from one Gmail account to another. Its author was Neera Tanden, president of a left-leaning D.C. think tank. Its recipient was Democratic bigwig John Podesta, chairman of Hillary Clinton’s presidential campaign. The embarrassing e-mail became public when WikiLeaks posted it online in October, along with thousands of others from Podesta’s account.
Catty gossip about a law professor is not usually the stuff of geopolitics. But geopolitics this was. For we now know that Russia’s military-intelligence agency, the GRU, was behind the release. The agency apparently hacked Podesta’s e-mail using a low-tech “spearphishing” attack; that is, it tricked him into entering his password into a fake Google login page.
Had the operation ended there, it would have been unremarkable — and we would almost certainly never have heard about it. Countries, including the United States, routinely steal information about officials of adversary governments, by hacking and other means. They then use the information to inform their foreign policy or future intelligence operations — or, if it’s an especially compromising personal secret, to blackmail the compromised official into becoming a spy. China, having stolen millions of security-clearance files from the U.S. Office of Personnel Management, is quietly extracting from that trove a bonanza of valuable information about Americans involved in national security.
What made this and other recent Russian hacks different is that instead of hoarding the information for future use, Russia published it. In Internet jargon, this modus operandi — hacking and releasing someone’s private information — is called “doxing” (from “docs,” short for documents). Some of the stolen e-mails have been given to WikiLeaks; others have been disseminated through an online persona known as Guccifer 2.0; yet others posted on a new, mysterious WikiLeaks knockoff, DC Leaks. In 2016 alone, hackers linked to the Russian government have stolen and released through these intermediaries e-mails from the Democratic National Committee, the Democratic Congressional Campaign Committee, and the private e-mail accounts of Colin Powell and Philip Breedlove, former commander of NATO military forces in Europe. The DNC hack brought down Chairwoman Debbie Wasserman Schultz after leaked e-mails showed DNC staff favoring Clinton over Bernie Sanders in the Democratic primaries.
These attacks use the channels and tools of cyberspace, both to obtain sensitive information and to spread it, but it is wrong to think of this as cyberwarfare or to see it principally through the “cyber” lens at all. Rather, it is best seen as a form of subversion — that is, a clandestine effort to undermine an adversary’s political, economic, or social stability.
Russia’s recent campaign of embarrassing-document dumps is only one element of a broader campaign to deepen political discord and undermine social cohesion in the West. In Europe, Russia has forged ties with anti-EU, anti-NATO, populist, and authoritarian political parties on both the far left and the far right, from Hungary’s neo-fascist Jobbik to Greece’s far-left Syriza. A Russian bank loaned 11 million euros to France’s anti-NATO National Front. The euroskeptic Alternative for Germany is sympathetic to Russian president Vladimir Putin’s regime; its youth movement openly cooperates with his United Russia party’s “Young Guard.” Western intelligence services fear that Russia has redirected migration flows from the Middle East and Africa as a political weapon and may be seeding its own deep-cover operatives among the migrants.
Russia has also sought to manipulate public opinion in NATO member states by planting false stories in the media. For example, Russian officials and Russian-language media in Germany promoted reports, later revealed to be a fabrication, that migrants had kidnapped and raped a 13-year-old Russian girl living in Germany. The story created a furor among Germany’s sizable population of Russian-speaking immigrants from the former Soviet Union.
Why does Russia bother? It is not blind malevolence, although some Russian intelligence operations, such as the harassment of U.S. diplomats posted to Russia, reveal the regime’s cynicism and petty cruelty. (Russian intelligence officers in Moscow reportedly killed the U.S. defense attaché’s dog.) Subversion is an asymmetric tactic that an economically diminished, politically isolated Russia can use to strike back against Western sanctions and other efforts to isolate it. These operations are designed to mirror what Russia perceives as Western efforts to foment pro-democracy “color revolutions,” such as the 2003 Rose Revolution in Georgia and the 2004 Orange Revolution in Ukraine, by supporting opposition movements and funding civil-society groups and independent media in Soviet successor states. They intimidate individual critics of Russia in the West — who wants to have his embarrassing correspondence exposed to the world? They generate “evidence” of the chaos and disorder that supposedly afflict democratic societies, which can be repackaged and broadcast on state-run media to illustrate the superiority of Putin’s authoritarian model.
Most worryingly, however, they strengthen political forces in the West that will advance Russian geopolitical interests, and they weaken those forces and institutions that oppose them. In Europe, this means supporting anti-EU, anti-NATO parties whose policies would fragment the Western alliance, or authoritarian parties whose leaders naturally find common cause with Putin.
In the United States, in this election cycle, it means — it must be said — that Russia prefers Donald Trump. The Republican nominee’s utterances about Russia are friendlier than anything Vladimir Putin would have dared to dream of four years ago, when Mitt Romney declared Russia the greatest geopolitical threat facing the United States, or two years ago, when the Ukraine crisis triggered bitter recriminations between Russia and the Obama administration.
To be sure, not everything Trump says about Russia is necessarily wrong; detoxifying relations with Russia, with its thousands of nuclear warheads and ability to play spoiler in Eastern Europe and the Middle East, would be welcome if it could be done on honorable terms. Trump’s proposal to collaborate with Russia against ISIS in Syria is controversial, given the Assad regime’s murderous human-rights record, but it at least represents a coherent realist approach to stabilizing that chaotic land. On the other hand, his bizarre moral equivalence in response to the Russian government’s murder of journalists (“Well, I think our country does plenty of killing also”) echoes the blame-America-first rhetoric of the Chomskyite Left. His evident pleasure at Putin’s flattery (“Many years ago, he said something very nice about me”) is simply odd. Most important, however, his unwillingness to affirm the United States’ treaty obligation to defend NATO members under armed attack reverses 50 years of commitment to the Atlantic alliance and the defense of free Europe. Fracturing NATO, or even weakening other members’ faith in the U.S. commitment to the alliance, would be a geopolitical windfall for Russia.
Unfortunately, hacking and the ensuing document releases have proven to be a remarkably effective tool — far more effective than traditional propaganda would be. In an open society with a free press, the marketplace of ideas weeds out blatant fabrications. Document dumps, by contrast, are effective because they exploit true information. Here, our open, intensely competitive media environment works against us. Media outlets, desperately competing for page views, push new stories out as quickly as possible — and the more salacious the story, the more clicks it generates. In our system, there is no censor to filter out truthful information in which there is no legitimate public interest.
Another reason these cyberattacks and document dumps are so effective is that they are so easy to execute. The private e-mail accounts of aging politicos are the ultimate soft targets. If the victim has not switched on two-step verification, all it takes to gain access to his or her account is one cleverly designed fake security alert or one compromised attachment that appears to come from a trusted acquaintance. This is not hard to do; even a relatively unsophisticated hacker can pull it off. For the Russian intelligence services, which are among the world’s most skilled, it is barely a challenge.
There is little the U.S. can do to directly stop this type of cyber-subversion. A bar on publishing stolen private information would offend the First Amendment, which strongly disfavors such “prior restraints” on publication. The potential efficacy of retaliation in kind, which some have suggested might deter future leaks, is limited by Russia’s closed political order and media environment. The U.S. intelligence community surely has reams of embarrassing data about Russian leaders and their corrupt accumulation of wealth. But independent media outlets that report news critical of the regime have small audiences, and even if the information did reach the population, Russia’s political system offers little real opportunity to act on it. Finally, the idea that information about corruption would meaningfully affect Russian public opinion rests on the questionable premise that the Russian public today believes government officials to be clean. (Leaking information that reveals disloyalty or exacerbates rivalries among the ruling clique might be more effective.)
But the best reason not to retaliate in kind is that publishing what the U.S. government knows about top Russian officials would reveal the clandestine methods used to penetrate Russian networks. Intelligence operators would almost certainly prefer to keep this hard-won access hidden, to exploit for clandestine intelligence gathering or, if a conflict were to break out, to take down enemy systems.
Other forms of retaliation would be more effective, although still far from devastating. One option is targeted sanctions; under a 2015 executive order, the Treasury Department can sanction “persons engaging in malicious cyber-enabled activities.” The Justice Department can also seek indictments against individual Russian operators involved in the hacks, as it did in 2014 against Chinese hackers who stole American intellectual property. While there would be little realistic prospect of arresting those charged, the indictments would carry other unpleasant consequences. (No more Christmas shopping at Harrods.)
The unsatisfying truth is that there is relatively little we can do to deter Russian cyberattacks altogether. We can, however, make them more difficult to execute and less consequential when they occur.
The first step in hardening our defenses against Russian cyberattacks and document dumps should be to immediately improve cybersecurity for the personal communications of those who are likely to be targets. The process for issuing security clearances should include training on cybersecurity threats to holders’ personal accounts. Given that embarrassing secrets stolen from a hacked e-mail or cloud-storage account could give an adversary’s intelligence services powerful leverage, holders should be required to certify that they maintain basic cybersecurity hygiene on private e-mail and social-media accounts. This could include strong passwords and password-manager software; two-step verification using encryption tokens; and regular purges of old messages from storage. Companies that provide webmail could help protect their users by offering a simple menu of user-friendly security profiles — weak (password alone), medium (two-step verification using SMS), and strong (two-step verification using a USB encryption token). Companies should also require additional identity verification before allowing users to download large numbers of messages from the cloud, and should offer the option to automatically purge messages older than a certain age.
The bigger challenge, however, is to inoculate our society against the effects of such document dumps. Ideally, we would have a strong patriotic norm against using the fruits of foreign subversion for domestic political advantage. On that front, we seem to be moving in the wrong direction: Media outlets across the political spectrum have published revelations from Russian hacking with barely a thought about the ethics of doing so. In a ruthlessly competitive, decentralized media environment, that is probably inevitable. Far more depressing is the spectacle of Donald Trump and his acolytes defending and even praising Julian Assange. Perhaps the weirdest memory of this bizarre election cycle will be the Republican nominee celebrating WikiLeaks, a cat’s-paw of Russian intelligence, and conservative talk-show hosts lauding Assange, author of a book subtitled “The World According to US Empire.”
In Federalist 22, Alexander Hamilton noted the tendency of republican forms of government, with their inherent factionalism, to “afford too easy an inlet for foreign corruption.” Each faction has an incentive to seek foreign support in order to prevail in domestic political struggles, a tendency that “contributed to the ruin of the ancient commonwealths.” Keeping faith with the Framers’ vision of American strength and sovereignty, such principled conservatives as Senator Ben Sasse (R., Neb.) have denounced WikiLeaks and Russian interference in American elections. Refusing to seize on the fruits of Russian hacking carries particular weight when it runs against partisan self-interest.
Which brings us back to Lawrence Lessig and his response to being attacked in a leaked e-mail: “I can’t for the life of me see the public good in a leak like this,” he blogged. “We all deserve privacy.” In an age in which the typical reaction to even a trivial public slight is to bray for an apology while sending a fundraising e-mail cashing in on the offense, this was a small moment of civic heroism. Reactions such as Professor Lessig’s and Senator Sasse’s, were they typical, would defang Russian document dumps as a political weapon. Sadly, they are not. In the end, these Russian attacks, devious as they are, may tell us more about the state of our civic culture than about the state of theirs.
– Mr. Klein is a senior fellow at the Center for a New American Security.