Opinion: How to counter the Kremlin's hacking playbook
In an age of hacking and fake news, governments and private companies must join forces to stop Russian disinformation.
—In a recent Passcode opinion piece, Niloofar Razi Howe, the worldwide chief strategy officer of the cybersecurity firm RSA, declared, "No, Russia didn’t hack the election."
So, I'll be equally unequivocal, too: Russia did hack the US election.
While Russia did not alter the vote counts, we know from the Joint Analysis Report issued by the National Cybersecurity and Communications Integration Center and the FBI in December that Russia waged a campaign of strategic hacking and leaking of documents to influence the outcome of the election. Many would argue that they succeeded, even if it is unknowable.
As uncomfortable as it may be, we need to recognize foreign interference in our free and fair election system. Russia modernized its cold war disinformation campaign apparatus with social media platforms to achieve unprecedented scale for its campaigns of influence. The Kremlin exploits the best attributes of the internet – that anyone can be a publisher and can potentially reach everyone – to create divisions for Russia’s political goals. Social media – once promised as a force to democratize the world through the free and unfettered flow of information – is now distributing extreme content that could pose a significant threat to democracies everywhere.
Russian-backed extremist movements could present formidable challenges in elections this year in Western democracies including France and Germany. The Kremlin playbook follows the classic foreign influence recipe of disinformatica (spreading fake news stories) and kompromat (shaming individuals through public release of private information) to drive wedge issues while preying on some of our basest human emotions, values, and beliefs..
We must reconsider traditional foreign policy in light of foreign interference in the internet age. The internet is the great equalizer because of its ability to connect anyone to everyone. It can be used for good or for evil. With antiglobalization sentiment growing with the Brexit referendum and the US election, we can no longer stand idly by as democracy, globalization, and free trade face strong headwinds in Western Europe.
The new tools of the trade are the automated mass disinformation campaigns perpetrated by paid social media propagandists and amplified by bots. Proxy hacker groups are used to steal, manipulate, and publish damaging information via outlets such as WikiLeaks and its politically motivated document dumps to manipulate public sentiment. Not to mention the threat of destructive malware attacks such as the alleged North Korean attacks against Sony Pictures Entertainment.
So, what can be done and whose job is it to address these new threats? Most cybersecurity professionals are not experts in foreign policy and geopolitics. Likewise, most foreign policy experts are not cybersecurity experts. However, to address these challenges, governments, private companies, and individuals must begin working together to build more resilient digital systems and the ability to monitor how these digital systems may be exploited for nefarious purposes. However, these checks and balances cannot throw out constitutionally guaranteed rights such as the First Amendment right to free speech either.
Traditional nation-state hacking focuses on stealing sensitive data for intelligence collection. The new playbooks attack constitutional processes such as free and fair elections. Democracies will need to define boundaries for what constitutes intelligence collection versus nation-on-nation cyber or information warfare. This means not only defining the rules but also enforcing them – and responding to attacks with the full extent of government powers from diplomacy, economic sanctions, and law enforcement to military action. For the US, it means naming and shaming adversaries when we have strong evidence of complicity, and then holding them publicly accountable. The Obama administration’s strong response to Russia’s election interference with economic and diplomatic sanctions is a first step, but we still lack a clear policy framework for defining the bounds of where cyberespionage ends and sabotage begins. What is acceptable and what constitutes an act of war?
Private companies and individuals must play an essential role, too. Fake news via social media is a massive problem, which the private sector is uniquely capable of addressing. Social media companies, which already employ machine learning for face recognition, can apply machine learning and crowdsource its user base to fact check and grade for accuracy. At the same time however, we must ensure that fact-checking efforts don’t drift into the territory of censorship. We need our best entrepreneurs thinking about these problems.
Democracy doesn’t guarantee that everyone will be pleased with election outcomes; democracy does provide for certain freedoms and rights along with a system to cast our ballots in free and fair elections. In establishing the US republic with an Electoral College system and a separate House and Senate, the founders recognized that for democracy to be functional, it needed an educated body to balance the threats that might exploit the process to subvert it.
The most robust defense is a well informed and critically thinking electorate that votes at the polls. For cybersecurity professionals, we have a higher calling now – one to protect the nation from foreign governments or other forces of corruption or deception who are exploiting the internet and social media in order to unseat democracies globally.
Anup Ghosh is founder and chief executive officer of Invincea, a Sophos company.