The 2024 U.S. Election Interference

Through the lens of the 2016 U.S. election Russian meddling

Author: Pablo Canseco

Foreword

Looking ahead to the elections around the world in 2024, the more specific and urgent concern is the prospect of another attempt by foreign actors to interfere in the U.S. elections. This time, however, and unlike in 2016, those foreign actors are more defined and galvanized than ever; leading the pack are China, Russia, North Korea, and Iran.

China, which already outpaces and outperforms the United States in cyberspace, is the long-term active threat trying to steal U.S. intellectual property. It is likely to ramp up its efforts to stifle its economic woes as it engages in a trade war with the United States and considers an assault on Taiwan to bolster itself amid its internal affairs.

Russia, the main character in the 2016 U.S. election interference and now going into its third year of war in Ukraine, may see the 2024 U.S. election as a worthy effort to be part of if its favored 2016 candidate is again on the ballot this year.

North Korea, which recently announced it will no longer seek reunification with South Korea and will put three additional military spy satellites in space, has the capability to conduct disruptive cyberspace activities against U.S. infrastructure.

Iran, which like North Korea is an active threat actor in cyberspace and routinely conducts disruptive activities against U.S. interests through state-sponsored threat groups, has seen its purpose and opportunity to inject itself in the war between Israel and Hamas, which ironically can be said to have support in the Arab world.

If the United States were to vote for Russia’s favorite and winner in 2016, it would again be the beginning of a deteriorating U.S. image, a decline which started back then; but this time, the pieces would begin to fall. A weakened NATO may no longer be able to coordinate concerted support for Ukraine. Russia would be re-energized to defeat Ukraine. China could be encouraged to take Taiwan. North Korea and Iran would be emboldened to take their proxy wars even further, not just in cyberspace, as they have already demonstrated.

Abstract

The 2016 United States presidential election was tainted not only by hateful rhetoric, but by an active measures campaign conducted by Russia, a long-standing adversary of the United States. At a time of extreme political characterizations, Russia conducted a full-scale computer network operations campaign, which included influence, psychological, and strategic communications operations, which we will lay out in this paper.

Russian information warfare was launched against the United States in ways that our country was not prepared to accept, much less counter. The West, along with the United States, has acquired a renewed interest in the far-reaching consequences, tactics, implementation and evolution of Russia’s non-military encroachments since the annexation of Crimea in Ukraine in 2014; however, Russia’s advancement in 2016 against the United States was largely underestimated.

In order to fully grasp the nature of Russian interference in our elections, it is important to understand Russia’s terminology, concepts, understanding and ways of thinking around the subject of information warfare in contrast to Western logic and principles, which at first glance may have hindered the United States’ ability to thwart Russia’s advancement in information space. This implication also carries ethical and moral challenges for the United States and NATO allies, whose thinking around information conflict differs greatly from that of Russia during peacetime and wartime.

A Fragmented State of the Union

The 2016 U.S. election has been one of the most historic and controversial Presidential elections in recent memory, not only because of its many outlying characteristics and implications, but also because of the shroud of doubt surrounding its validity, given that a major foreign adversary of the United States helped the winner of that election through active measures.

Since then, the U.S. Intelligence community has affirmed conclusively that Russia not only interfered in the U.S. presidential election but is actively engaged in furthering their commitment by having attempted to interfere in the 2018 local and state elections across the country.

The United States, amid political turmoil, has slowly come to grips with the gravity of the Russian information warfare attack by taking various, mostly reactive countermeasures. Most of the work ahead to secure not only our voting infrastructure but our general utilities infrastructure is still on hold in idle U.S. Government hands.

However, if we are to defend against, prepare for and counter future attacks, we must first understand the facts, as far away from political banter as is possible despite a highly politicized environment. Most of the public is familiar with “fake news”, or disinformation campaigns, but its impact is hardly quantifiable and does not make for effective, marketable news that the public can digest in a five-minute TV segment; it requires a much deeper dive, worthy of psychological and statistical studies that future generations will read about. For now, we can lay out tangible and measurable facts that are actionable and help build our understanding and analysis with as little room for interpretative or subjective calculations as possible.

Mueller’s Report

On May 17, 2017, following President Trump’s firing of FBI Director James Comey, Deputy Attorney General Rod J. Rosenstein appointed Special Counsel Robert S. Mueller III to investigate Russia’s interference in the 2016 Presidential election. The report was submitted on March 22, 2019 to Attorney General William Barr, and a redacted version followed almost a month later. The report established not only influence operation links to the GRU, but also conclusive links and communications between the Trump campaign and pro-Kremlin contacts. (Mueller, volume 1, 2019)

Internet Research Agency

In the Russian framework, information warfare is the subject and medium of operations during a notional peacetime or in a time of conflict. This includes a preparatory phase in cyberspace.

As early as 2014 and 2015, the IRA, or Internet Research Agency, sent employees to the United States as part of a broader, if general, operation to sow discord and distrust in the American political system via social media platforms.

The IRA operatives bought political advertisements and often posed as grassroots activists. The IRA, which is based in St. Petersburg, is often referred to as the “Troll Farm,” because of its operatives’ behavior of posting politically charged and polarizing comments and memes with extreme and non-tolerant views in order to incite more extreme sentiments and create a toxic environment online. This effectuated and sustained deep divisions in the U.S. populace and persuaded many to support more polarizing political stances. The Russian operatives were not bound by any of Lessig’s social norms that act as regulative forces online, not only because they acted outside our social spectrum but because they acted to suppress and scramble it.

The IRA’s influence-psychological campaign was largely held on social media platforms such as Twitter and Facebook; however, it was not limited to these specific platforms. Collectively, IRA social media accounts reached tens of millions of U.S. persons. For example, IRA-controlled Facebook accounts such as “United Muslims of America” gathered 300,000 followers, the “Don’t Shoot Us” group gathered 250,000 followers, the “Being Patriotic” group gathered 200,000, and the “Secured Borders” group gathered 130,000 followers. (Mueller, volume 1, 2019) These accounts were still available online well after the 2016 election because of Free Speech implications. Even though the creators had ulterior motives, there were also legitimate users who saw the groups as a safe space to express their views online, and curtailing the groups may be held as limiting their members’ Free Speech rights.

Among the technologies used by IRA-controlled Twitter accounts were botnets, or automated accounts, which immediately amplify a message by “listening” for a trigger. Twitter botnets are designed to find a message or tweet from a given set of accounts, or from any users who tweet with a keyword or hashtag, and immediately retweet the message to their followers. If the IRA-controlled Twitter account is followed by other botnets, which in turn retweet the same message, then it can exponentially increase the exposure factor of the message.

The IRA is known to have been funded until at least February of 2018 by Yevgeniy Viktorovich Prigozhin and two other Concord companies. Prigozhin is seen as a long-time friend of Vladimir Putin. (Mueller, volume 1, 2019) With the 2016 election behind us, in December of that same year, Prigozhin was sanctioned by the U.S. Treasury Department for allegedly having provided material assistance and funding to the operations of the IRA. (U.S. Treasury, 2018)
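A defender's view of the trigger-and-retweet behaviour described above, as an added example that is not part of the original article: it flags accounts that retweet most posts from a watched set of accounts within seconds, then counts how many posts each pair of flagged accounts amplified in common. The account names, event records and thresholds are constructed for illustration and do not come from any platform's data or API.

```python
from collections import defaultdict
from itertools import combinations
from statistics import median

# Constructed sample data: original posts by watched "seed" accounts,
# as tweet_id -> (author, post time in epoch seconds).
SEED_TWEETS = {
    "t1": ("seed_a", 1000),
    "t2": ("seed_a", 5000),
    "t3": ("seed_b", 9000),
    "t4": ("seed_b", 13000),
}

# Constructed retweet events: (retweeting account, tweet_id, retweet time).
RETWEETS = [
    ("amp_01", "t1", 1002), ("amp_01", "t2", 5003),
    ("amp_01", "t3", 9002), ("amp_01", "t4", 13004),
    ("amp_02", "t1", 1004), ("amp_02", "t2", 5002),
    ("amp_02", "t3", 9005), ("amp_02", "t4", 13003),
    ("amp_03", "t1", 1003), ("amp_03", "t3", 9004), ("amp_03", "t4", 13002),
    ("human_1", "t1", 1900), ("human_1", "t3", 12600), ("human_1", "t4", 13900),
    ("human_2", "t2", 5004),  # a single fast retweet is not a pattern
    ("human_3", "t2", 9100), ("human_3", "t4", 20000),
]


def retweet_latencies(seed_tweets, retweets):
    """Map account -> {tweet_id: seconds between the original and the retweet}."""
    latencies = defaultdict(dict)
    for account, tweet_id, ts in retweets:
        if tweet_id not in seed_tweets:
            continue  # not a post from the watched set
        delay = ts - seed_tweets[tweet_id][1]
        if delay < 0:
            continue  # clock skew or a bad record
        previous = latencies[account].get(tweet_id)
        if previous is None or delay < previous:
            latencies[account][tweet_id] = delay  # keep the earliest retweet
    return latencies


def flag_amplifiers(seed_tweets, retweets, max_median_delay=10,
                    min_coverage=0.75, min_retweets=3):
    """Flag accounts that retweet most seed posts, and do so within seconds.

    Speed alone is weak evidence; the signal is speed repeated across most
    of the watched posts, which is what a trigger-driven bot produces.
    """
    flagged = {}
    for account, per_tweet in retweet_latencies(seed_tweets, retweets).items():
        count = len(per_tweet)
        coverage = count / len(seed_tweets)
        med = median(per_tweet.values())
        if (count >= min_retweets and coverage >= min_coverage
                and med <= max_median_delay):
            flagged[account] = {"retweets": count, "coverage": coverage,
                                "median_delay_s": med}
    return flagged


def shared_targets(flagged, seed_tweets, retweets):
    """For each pair of flagged accounts, count the seed posts both amplified."""
    lat = retweet_latencies(seed_tweets, retweets)
    return {(a, b): len(set(lat[a]) & set(lat[b]))
            for a, b in combinations(sorted(flagged), 2)}


if __name__ == "__main__":
    hits = flag_amplifiers(SEED_TWEETS, RETWEETS)
    for name, stats in sorted(hits.items()):
        print(name, stats)
    print(shared_targets(hits, SEED_TWEETS, RETWEETS))
```

The thresholds trade recall for precision: tightening `max_median_delay` misses bots that add jitter, while lowering `min_coverage` starts to catch enthusiastic human followers.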

In 2018, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) charged five entities and 19 individuals under the Countering America’s Adversaries Through Sanctions Act (CAATSA). Prigozhin and his companies such as Concord Management and Consulting LLC and Concord Catering, along with many GRU “trolls” were part of the indictments. (U.S. Treasury, 2018)

Election Infrastructure

Election infrastructure, according to the Department of Homeland Security (DHS), is defined as systems that manage the election process such as storage facilities, polling and tabulation places, as well as information and communications tools that include voter databases, machines, and others. (Mueller, volume 1, 2019)

The DHS definition of election infrastructure appears to need modernization considering Russian interference in the 2016 U.S. election. DHS, and U.S. government agencies at large, give the notion, or at least appear, to place a heavier weight on the protection of physical infrastructure than on the voters’ information and even the voters themselves. One could argue that factual and accurate information is an integral part of a democratic election ecosystem. The U.S. and Western approach looks upon cyber threats from a technical perspective and, as such, gives them a purely technical response, whereas Russia uses information weapons in a much broader sense, to include the human cognitive domain, and is not limited to a time of conventional arms conflict or war.

Russia’s understanding and application of information conflict has lent it an upper hand in its objective to raise its power regionally and internationally. Russia is aware of its conventional arms inferiority against the U.S. and its NATO allies; therefore, the country has sought to leverage its response through asymmetrical means, such as information warfare. By weaponizing and exploiting culture, history, language, nationalism, and disaffection, Russia seeks not only to spread disinformation, but to enlarge its distribution of disinformation in broader terms. This means that not only do they spread lies to sow discord and distrust, but they also lie about easily corroborated facts; this has a psychological effect known as gaslighting, where the population is desensitized to the truth by not knowing what or whom to believe when facts are in plain sight. (Giles, 2016)

Information Space Concept

In April of 2016, Russia’s Main Intelligence Directorate of the General Staff of the Russian Army, or GRU, began its cyber operations to hack the National Democratic Committee (DNC). (Mueller, volume 1, 2019) This operation included the hacking of presidential candidate Hillary Clinton’s campaign volunteers and employees through spear phishing attacks. We now also know that Roger Stone, a close friend and confidant of President Trump, forecast in the summer of 2016 that data troves would be dumped in anticipation. Roger Stone, who was convicted of seven felonies related to Mueller’s investigation in the fall of 2019, and is awaiting trial, had been in communication with a Twitter persona named Guccifer 2.0, who was a GRU front.

Whereas the Western approach to and thinking about cyberspace delineate a separation between computer network operations (CNO) and other cyber activities, and treat cyberspace as a separate function or domain, Russians do not have the same concept. Distributed Denial of Service (DDoS) attacks, Russia Today television and other mediums are regarded as part of the same related tools of information warfare. Concepts of activities in real life and those in cyberspace do not have a marked distinction in Russian thinking. However, in an authoritative Russian textbook, there appear two distinct conceptual approaches to information warfare. Information-psychological warfare is a passive, yet permanent state of engagement, which is designed to affect the population and their governing bodies. The second distinction Russian thought makes is information-technology warfare, which affects information in all its states, and takes effect during an armed conflict. (Giles, 2016)

In line with this type of thinking, the GRU established two separate military units during their meddling campaign in 2016, each with separate departments and objectives. GRU’s Military Cyber Unit 26165 was partitioned into subsections with their own specialties: one department conducted information-psychological excursions through large-scale spear phishing campaigns, while another department was tasked with developing malware. (Mueller, volume 1, 2019) The latter would be considered an information-technology vector. (Giles, 2016)

Wikileaks and Other Disinformation Channels

During the spring of 2016, the GRU hacked into DNC and Democratic Congressional Campaign Committee (DCCC) networks, seeking internal communications to use to undermine the Clinton Campaign. (Mueller, volume 1, 2019)

On July 22, 2016, Wikileaks uploaded thousands of internal Clinton Campaign documents which had been stolen in the spring of the same year. Wikileaks previously released an indexed archive of approximately 30,000 Clinton emails it had obtained through a Freedom of Information Act litigation. (Mueller, volume 1, 2019)

A day before what would come to be known as one of the most damaging releases of stolen information by the Russians, made with the aim of tarnishing the image and electability of presidential hopeful Hillary Clinton, left-leaning IRA-controlled Twitter accounts saw a surge of activity. While the objective is not yet known with certainty, it is speculated that the IRA wanted to energize the supporters of the runner-up presidential candidate, Bernie Sanders, before the anticipated release of confidential and internal Clinton Campaign communications. This event highlights how meticulous and calculating Russia’s information-psychological operations were at that time, and how difficult it will be to gauge their influence and damage.

On October 7, 2016, the GRU released through Wikileaks the treasure trove of emails stolen from Hillary Clinton’s campaign chairman, John Podesta. The emails, which had been stolen in late March of 2016, were Wikileaks’ second release of John Podesta’s emails, and the release came just an hour after a misogynistic video of Trump, with audio, was published by the media. (Mueller, volume 1, 2019)

Dissemination of disinformation was critical to the Kremlin’s aim to sow dissent and distrust and to create psychological dissonance among the populace. To reach audiences and exponentially amplify their disinformation, the Russians employed different channels, as in the case of a website named DCLeaks, which was registered anonymously. However, we now know that it was paid for in bitcoin and was under the control of GRU Cyber Unit 26165. Beginning in June 2016, the GRU unit started making stolen Clinton campaign documents available through this site, using social media platforms to maximize their outreach.

Russian Cyber Operations

The first known breach of election infrastructure by Russian threat actors occurred in July 2016 in Chicago, Illinois. (Mueller, volume 1, 2019) From that time to the end of 2018, Russia penetrated Illinois’s voter registration database to the point of exfiltrating an unknown quantity of voter registration data and elevating their privileges so as to be able to delete or modify voter data. The compromise exposed 14 million registered voters’ personally identifiable information such as name, address, driver’s license and partial social security numbers. There is an indication in the Select Senate report’s footnotes that a SQL injection attack may have played some part in the data exfiltration. (U.S. Senate Intelligence Committee, volume 1, 2019)

The second state to be compromised has not been identified in the Select Senate Intelligence Committee report and is named as State 2. In August 2016, the FBI issued an unclassified FLASH. FLASH, or FBI Liaison Alert System, messages are notifications directed toward local law enforcement and private industry with the objective of warning administrators of a cyber threat. The August alert presented several known malicious IP addresses identified from the Illinois compromise to all state technical-level experts. (U.S. Senate Intelligence Committee, volume 1, 2019)

In testimony to the Senate Committee on June 21, 2017, Dr. Samuel Liles, Acting Director of the Cyber Analysis Division within DHS’s Office of Intelligence and Analysis, stated that in August of 2016, before the elections, the Russians were probing “a whole bunch of different state election infrastructure, voter registration databases, and other related infrastructure on a regular basis,” and that “21 states were potentially targeted by Russian government cyber actors.” (U.S. Senate Intelligence Committee, volume 1, 2019) However, we also now know through the Senate Intelligence Report that all fifty states were targeted in one way or another. (U.S. Senate Intelligence Committee, volume 1, 2019)

It is known that prior to the election night of 2016, Russian diplomatic officials requested, through several channels and at different diplomatic levels, access to polling places. The Senate Intelligence Report states that their objective was unknown. (U.S. Senate Intelligence Committee, volume 1, 2019) However, the IC notes in their assessment that Russian diplomats anticipated a Hillary Clinton victory and were prepared to denounce the U.S. 2016 election’s validity. (IC, 2017) We also know that pro-Kremlin bloggers had drafted a Twitter campaign labeled #DemocracyRIP in anticipation. This gives credence to the assertion that not even the Kremlin had estimated their influence campaign to be as fruitful.

In one such statement that highlights the dawning of how persuasive and effective the Russian campaign was, former CIA Director, John Brennan, stated during a forum on election security that, “Russian efforts changed the mind of at least one voter,” and concluded that he did not know whether it was “one voter or a million voters.” (Satter, 2019)

Attribution

As of December 29, 2016, a highly classified analytical assessment was compiled among the Central Intelligence Agency (CIA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). A declassified version, without the full supporting information and key elements but with identical conclusions, was made public through a document called the Intelligence Community Assessment “Assessing Russian Activities and Intentions in Recent US Elections,” which draws on the agencies’ collective intelligence gathering and dissemination. The Intelligence Community (IC) concludes with “high confidence” that Putin himself ordered the 2016 election influence campaign, and that through its means, sought to undermine candidate Hillary Clinton in a clear preference and support for now-President Trump. (DNI, 2017)

A year and some months before the 2016 U.S. election, a Dutch operative, who worked for the Dutch intelligence agency, AIVD, compromised the network of a university building adjacent to the Red Square in Moscow, unaware of the implications. (Modderkolk, 2018)

A year later, the AIVD witnessed the exfiltration of documents from the DNC. This was the work of a hacker group called Cozy Bear, also referred to as APT29, which has been known worldwide for cyber attacks on governments and private industries. Cozy Bear is known to be made up of GRU operatives. The Dutch not only were able to analyze the group’s activity, but also managed to gain access to the camera system installed on the networks, including the hallway leading to where the group conducted its operations. The Dutch could also identify all those who entered the room and match them against known operatives.

During this time Malaysia Airlines flight MH17 was downed, killing all 283 passengers on board; the Dutch-led investigators found Russia-backed separatists in eastern Ukraine to be responsible. Australia and the Netherlands condemned and held Russia responsible.

Dutch intelligence proved to be extremely critical during this period, as the Russians also managed to compromise the U.S. State Department and the White House. After an alert received by the NSA liaison in The Hague, FBI and NSA teams worked to ward off the Russians from the State Department servers, though not without difficulty, as the State Department cut off email access during a weekend to revamp its security. The White House did not fare well either, as the Russians also compromised emails sent and received by President Barack Obama; however, they did not penetrate the message traffic server to a personal Blackberry which was known to hold state secrets. (Modderkolk, 2018)

Conclusion: “They don’t fear us”

While it is understood that the United States is attempting to gather the facts, reconcile its political differences, and come to terms with a historic attack on its core foundation, our resilience is being measured by the day. The American political system is in turmoil as the U.S. House of Representatives conducts an impeachment inquiry into President Trump, all while voter infrastructure across the nation is still largely unprepared for a Russia that has signaled a “new normal” in terms of cyber activities against the United States. (DNI, 2017)

On May 4th, 2018, Lt. Gen. Paul M. Nakasone succeeded Admiral Mike Rogers as Commander, U.S. Cyber Command; Director, National Security Agency/Chief, Central Security Service. (DNI, 2018) Lt. Gen. Nakasone has been a vociferous advocate of the need to “defend forward.” Nakasone, as Commander of Cybercomm, oversaw, before the 2018 midterm elections, the creation of Russia Small Group, a task force designed to maintain a permanent presence to monitor Russia’s activity in cyberspace and thwart their efforts.

“They don’t fear us,” said Nakasone during his Senate confirmation hearing in 2018. With a renewed outlook on the new rules of engagement in cyberspace, Nakasone and the U.S. Cyber Command have received new authorities through a classified document known as Presidential Memoranda 13, which grants authority to conduct greater offensive cyber operations without presidential authority. (Sanger & Perlroth, 2019) Nakasone used that new authority to overwhelm the network of the so-called “troll farm” during the 2018 U.S. midterm elections. During a panel discussion, Nakasone stated that “This is what great power competition looks like today, and it’s what we will look at as we look to the future.”

References

Director of National Intelligence (DNI). (2018, April 26). Press Release 2018: DNI Coats statement on senate confirmation of Lt. Gen. Paul M. Nakasone. Retrieved from https://www.dni.gov/index.php/newsroom/press-releases/press-releases-2018/item/1864-dni-coats-statement-on-senate-confirmation-of-lt-gen-paul-m-nakasone-usa-as-commander-u-s-cyber-command-director-national-security-agency-chief-central-security-service

Director of National Intelligence (DNI). (2017). Intelligence Community Assessment: Assessing Russian Activities and Intentions in Recent U.S. Elections. Retrieved from https://www.dni.gov/files/documents/ICA_2017_01.pdf

Giles, K. (2016). NATO Defense College: Handbook of Russian Information Warfare. Rome, Italy.

Modderkolk, H. (2018, January 25). Dutch agencies provide crucial intel about Russia’s interference in US-elections. deVolkskrant. Retrieved from https://www.volkskrant.nl/wetenschap/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~b4f8111b/

Mueller, R. S. (2019). Report On The Investigation Into Russian Interference In The 2016 Presidential Election, Volume I of II. Retrieved from https://www.justice.gov/storage/report.pdf

Mueller, R. S. (2019). Report On The Investigation Into Russian Interference In The 2016 Presidential Election, Volume II of II. Retrieved from https://www.justice.gov/storage/report_volume2.pdf

Sanger, D. E. and Perlroth, N. (2019). U.S. Escalates Online Attacks on Russia’s Power Grid. Retrieved from https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html

Satter, R. (2019, October 30). Former CIA Director Brennan: Votes were swayed by Russian influence operation. Retrieved from https://www.reuters.com/article/us-usa-trump-russia/former-cia-director-brennan-votes-were-swayed-by-russian-influence-operation-idUSKBN1XA075

U.S. Department of The Treasury. (2018, March 15). Press Release: Treasury Sanctions Russian Cyber Actors for Interference with the 2016 U.S. Elections and Malicious Cyber-Attacks. Retrieved from https://home.treasury.gov/news/press-releases/sm0312

U.S. Senate Select Committee on Intelligence. (2019). Report Of The Select Committee On Intelligence, United States Senate, On Russian Active Measures Campaigns And Interference In The 2016 U.S. Election, Volume 1: Russian Efforts Against Election Infrastructure With Additional Views. Retrieved from https://www.intelligence.senate.gov/sites/default/files/documents/Report_Volume1.pdf

U.S. Senate Select Committee on Intelligence. (2019). Report Of The Select Committee On Intelligence, United States Senate, On Russian Active Measures Campaigns And Interference In The 2016 U.S. Election, Volume 2: Russian Efforts Against Election Infrastructure With Additional Views. Retrieved from https://www.intelligence.senate.gov/sites/default/files/documents/Report_Volume2.pdf
