Commentary 16 December 2016

Europe in Russia’s Digital Cross Hairs

by Thorsten Benner, Mirko Hohmann                Foreign Affairs

In recent weeks, politicians and intelligence officials in France and Germany have stepped up their warnings of Russian interference in the national elections both countries will hold next year. In late November, Bruno Kahl, the head of Germany’s Federal Intelligence Service, told the Süddeutsche Zeitung that Germany had “evidence that cyberattacks are taking place that have no purpose other than to elicit political uncertainty.” German Chancellor Angela Merkel has expressed similar concerns, suggesting that Moscow may attempt to influence Germany’s parliamentary elections, which are slated for September 2017. French politicians have been more circumspect about the specific threats posed to their country’s presidential elections, which will be held in April and May. But Guillaume Poupard, the director-general of France’s National Agency for the Security of Information Systems, has indicated that Paris, too, is concerned about the prospect of foreign interference. Western democracies face “the development of a digital threat for political ends and for destabilization,” he told Le Monde in early December.

Neither France nor Germany, however, is ready to deal with such attacks. Their institutions are ill-equipped to prevent digital breaches, and their politicians and publics are unprepared to handle the fallout from them.

To better understand the threat they face, leaders in both countries would do well to learn from the most brazen Russian-led influence operation so far: the leaking of information stolen from servers of the Democratic National Committee (DNC) and the private email account of John Podesta, the chairman of Hillary Clinton’s presidential campaign. A careful look at that episode and its aftermath demonstrates the importance of strengthening the cyberdefenses of democratic institutions, building a political consensus to condemn attacks, and publicly naming – and punishing – the perpetrators.

The use of incriminating information to publicly discredit opponents is widespread, but Russian intelligence services have a particularly strong penchant for the tactic. During the Cold War, the practice was common enough that the Russian term kompromat (a portmanteau combining the Russian words for “compromising” and “material”) entered the Western vernacular.

Today’s digital communications offer those seeking to gather and exploit kompromat enormous advantages relative to their Cold War–era counterparts. It is now easier than it was during the twentieth century to quickly obtain vast amounts of sensitive information, in part because the digital networks of key institutions are difficult to secure. Completely safeguarding a platform used by hundreds or thousands of people, such as that of a political party, is nearly impossible. And once attackers access sensitive information, they can easily release it, sometimes in altered form, to the public. Consider the speed at which the DNC’s and Podesta’s hacked emails moved from WikiLeaks and social media to state-sponsored news outlets such as RT, far-right sites such as Breitbart, and mainstream news organizations. All these factors make the work of hackers hard to counter, let alone contain.

Kompromat operations do not always seek to promote particular candidates, even though Russia’s interventions in the U.S. election clearly meant to elevate Donald Trump. (French officials should expect similar moves in support of National Front leader Marine Le Pen in the coming months.) The goal is usually broader: to corrode democratic norms and institutions by discrediting the electoral process and to tarnish the reputations of democratic governments in order to establish a kind of moral equivalence between Russia and the West. From the Kremlin’s perspective, attacks on democratic political institutions are a form of payback for what it perceives as the West’s longstanding attempts to hem in and undermine Russia—most recently, the leak of the Panama Papers, which pointed to the cronyism of Russian President Vladimir Putin’s inner circle and which Russian authorities attributed to Washington, and the anti-government demonstrations that roiled Russian cities after the country’s election in 2011. Putin accused Hillary Clinton, then the U.S. secretary of state, of instigating those protests.

As Thomas Rid, a leading analyst of intelligence operations, has noted, Russia’s attempt to undermine the U.S. election was “innovative, bold, shrewd, cost-effective, professional (largely), [and] very hard to counter.” Yet the degree to which U.S. institutions were blindsided by the attack remains astonishing.

Given Clinton’s own experience with controversies related to email security, her campaign’s digital communications should have been ironclad. Instead, one of the Clinton campaign’s own network administrators cleared as legitimate – apparently as a result of a typo – a spearphishing attack that may have let Russian hackers into Podesta’s account. The DNC apparently neither used state-of-the-art security software, nor did it have a budget large enough to hire the professional staff required to protect its networks. DNC officials did not even respond to the messages that intelligence officials left on their answering machines weeks after the first warnings of a potential attack.

Even more surprising was the U.S. government’s apparent lack of preparation for such a contingency. Once the administration of President Barack Obama became aware of the extent of the attack, it scrambled to develop a coherent response. The FBI was apparently aware of the initial intrusions into the DNC’s systems in late 2015, and the security firm Crowdstrike published a report linking the hack to the Russian government in June 2016. But even then, it took the Obama administration until October to do the same, and it changed tack only under intense pressure from Congress. To make matters worse, the administration announced Russia’s involvement on a Friday evening, as the public’s attention was consumed by Hurricane Matthew, and it failed to publicly outline any measures it would take to punish the attackers or their sponsors.

The administration’s reluctance may have stemmed from an understandable fear of appearing partisan, but in light of the serious challenges to U.S. security posed by Russia’s actions, it was the wrong call. The White House should have publicly implicated Russia soon after the evidence was available in the summer. It should have outlined clear political consequences for Moscow. And, along with the DNC, it should have done more to establish a bipartisan consensus around condemning Russia’s actions – before November 8.

As their own elections approach, French and German policymakers should learn from the United States’ recent experience. There are a number of steps Berlin and Paris can take to protect their institutions and discourage Russia from carrying out the same kinds of actions in Europe as it has in the United States.

Both countries should harden the cyberdefenses of key democratic institutions, such as political parties, federal and state-level parliaments, and government agencies. These organizations form the backbones of democratic societies and should receive the highest level of state protection; at the moment, that is not generally the case. The EU has already defined parliaments and government institutions as critical infrastructures, or systems that are “essential for the maintenance of vital societal functions,” and European governments should deliver on their promises to protect them. Information-security agencies, such as Germany’s Federal Office for Information Security, should assume a deeper role in helping political parties prevent and react to attacks. More broadly, states should take breaches of political institutions as seriously as they would violations of telecommunications networks or power grids, if not more so.

Next, European countries should classify the electoral processes by which ballots are cast and counted as critical infrastructure, thus qualifying them, too, for a higher degree of government protection. States should ban the use of electronic voting machines, using paper ballots instead. In its conversations with China and Russia on cybersecurity norms, Europe should make clear that electoral processes (including voter registries) should be off-limits from cyberattacks and signal that future interference in them would lead to serious consequences.

Both France and Germany should incentivize political parties to improve their digital security. Parties’ fears of public leaks has probably already made them more cautious, but Berlin and Paris should also offer the services of state information agencies to interested parties and their top staff members. If certain parties, especially from the opposition, are not willing to let officials access their servers, the government should offer to pay for them to hire private security companies. France and Germany should also work with allies and private firms to improve their ability to trace the origins of attacks.

Such precautions could help safeguard elections in the future, yet they may do little to protect next year’s votes. Russian-backed hackers successfully infiltrated the German parliament’s servers a year ago. French and German officials should assume that hackers have also tapped the systems of political parties and have sifted through the emails of potential candidates and their associates.

That makes preparing for the political consequences of future leaks even more important. In Germany, Merkel has rightly spoken about potential electoral interference, helping ready Germans for the shock of future leaks. French political leaders should follow suit. Given that Russian involvement in France’s electoral politics is already well-established, French officials may be tempted to overlook the new threats posed by digital kompromat. But that would be a mistake, especially since it will be harder for parties to stand together against such actions, regardless of whom they affect, once their campaigns are under way.

In both France and Germany, parties should publicly promise not to use leaked information for political gain. Parties in other European countries should join them: a united European effort would serve as a stronger deterrent. If some parties, such as the National Front or Germany’s Alternative for Germany, choose not to commit to such a pact, other parties should commit themselves anyway, and they should raise the refusal of their counterparts to do the same in public debates.

That will not be enough, however, since stolen information will spread in the media regardless of how parties handle it. Boycotting reporting on leaked information is not a reasonable option, since doing so would leave coverage to fringe outlets and would constitute a troubling form of self-censorship. But publishers should regard the information provided by enablers such as WikiLeaks more critically, working to establish, for example, which leaked documents have been tampered with. More broadly, media outlets should develop codes of conduct that clarify how they should handle massive tranches of leaked information.

Finally, France and Germany need to show that there will be consequences for foreign nations that interfere in their electoral processes. European governments could expel Russian diplomats, for example, or discuss imposing EU sanctions on Russia or Russian officials, depending on the scale of the interference. France and Germany should try to persuade NATO members to designate the most severe attacks on electoral processes as sufficient to trigger the alliance’s mutual-defense guarantee, and they should outline how NATO would respond to such attacks up front. NATO’s countermeasures should focus on demonstrating the alliance’s offensive cyber capacities to Russia – for example, by taking the networks of hackers involved in past attacks offline. Imposing such costs would help to deter future meddling. And although doing so would risk provoking further retaliation, it would be better than not reacting, which would leave the initiative for escalation entirely in Russia’s hands.

Europe, however, should not respond to political-influence operations in kind. The information gathered by Western intelligence agencies should be used for decision-making and to inform private communications with Russian officials, but the West should not leak it in an attempt to undermine the Russian government. That would only serve to legitimize the tactic.

So far, Russia has managed to carry out such operations at little political cost. Moscow will continue doing so in the run-up to the French and German elections, and given how unprepared both countries are for that possibility, it will probably succeed. The Netherlands, which will hold elections in March, is another possible target, as is Italy, which may hold elections next year. Better managing the threat of influence operations and ensuring that attackers pay a price for carrying them out would help preserve the integrity of European democracies and deter similar actions by Russia and other illiberal powers in the future.

...

This commentary was originally published by Foreign Affairs on December 16, 2016.

Research for this op-ed was conducted within the Transatlantic Digital Debates (TDD) program.

Podcast 19 July 2017

The Pitfalls of Germany’s New Hate Speech Law

by Graham Webster, Niklas Kossow
Transatlantic Digital Debates 2017

Commentary 29 June 2017

Lessons From the Lex Facebook Defeat

by Thorsten Benner
Handelsblatt Global

Commentary 29 June 2017

Germany’s Misguided Social Media Law Is a Minefield for US Tech

by Mirko Hohmann, Alexander Pirang
Council on Foreign Relations

Commentary 20 April 2017

Internet Companies Cannot Be Judges of Free Speech

by Thorsten Benner, Mirko Hohmann
Politico Europe

Commentary 12 April 2017

Why Policymakers Should Care About Weak Digital Infrastructure Abroad

by Mirko Hohmann, Alexander Pirang
Council on Foreign Relations