5 April 2017

Opinion: No, Russia didn't hack the election

Niloofar Razi Howe

Moscow carried out a digital campaign to disrupt our democracy, but did not change vote counts. That's a key distinction because the US needs to accurately identify weaknesses to sharpen national cyberdefenses. 

MARCH 1, 2017 — Words matter. Cybersecurity is a complicated topic and it touches every aspect of our lives – from national security, to business transactions, to personal information and communications.

How we discuss the issues, how we formulate policies, what social norms we embrace, what regulations we enact will change how we interact with the waves of technology innovation coming at us today and in the future.

As complicated as the issues seem today, the challenges will only increase with fleets of self-driving vehicles, drones, blockchain, quantum computing, virtual reality, and augmented reality. Layer on top of that the fact that deterrence based upon the full spectrum of American power – informational, economic, diplomatic, military – does not extend credibly to the cyberdomain, and we are in uncharted territory.

The words we use will make a difference to the outcome of the conversation and the important decisions we have to make on issues of law, policy, and regulation. This is not a time for hyperbole. It is not a time for "fake news." It is not a time to be superficial. It is not a time to be shrill or grab headlines. And it can’t be resolved on Twitter. To arrive at rational policies that protect our democracy requires fact-based thoughtful conversation around some very difficult topics.

Unfortunately, that’s not how the conversation is playing out. And that's why it's important to start the conversation by saying that our elections were not hacked. 

As someone who has worked in the security field for more than a decade, as a venture capitalist, an entrepreneur, and an operator, and as the chief strategy officer of one of the largest companies in the cyber security space, RSA, I want to set the context, because the policies that will flow from these discussions will impact our lives, our businesses and our industry. To be clear though, these opinions are mine, and are not representative of RSA or its affiliates.

On Nov. 8, Americans went to the polls all over the country. Close to 129 million people cast their ballots, and by all measures, including after some admittedly limited recounts in a few states, it is clear that our fundamental democratic process of having our votes cast and counted was not interfered with.

As a result of our election, the Electoral College vote, and its certification by Congress, there has been a peaceful transition of power in our republic. And while we all, as citizens of this great country, continue to have the obligation to question the new administration, to criticize, even to protest, almost all of us do it in the hope of changing policies and outcomes, not in the hope of undermining our country or our system of government.

Our republic survived this election cycle, bruised perhaps, but it survived. A transition has taken place. And there was no outside tampering with our most fundamental democratic process. Upon reflection, many have questions about our Electoral College system of electing a president, especially in light of the election results where Hillary Clinton won the popular vote by a margin of almost 2.9 million votes, with 65,844,954 (48.2 percent) for Mrs. Clinton to President Trump’s 62,979,879 (46.1 percent), according to revised and certified final election results from all 50 states and the District of Columbia. 

Whether we should continue with an Electoral College system or move to a popular vote is an important conversation to have and one of the many issues we must turn to in light of this year’s elections. Having said that, this election and its results are valid under our existing system of national elections. Russia did not hack the outcome. The results are ours to own and if anyone is looking for an actor to blame, only look to ourselves, our media, and the fact that we had the lowest voter turnout in two decades, where almost half the electorate chose not to show up.

However, evidence supports the conclusion that hacking from Russian-based attackers did occur during the election. When the intelligence community and cybersecurity private sector come together to say, with zero doubt, "It was the Russians," it’s hard not to believe that as an almost unprecedented, unanimous, and unassailable conclusion that it was the Russians.

According to both government intelligence agencies and private sector cyber experts, Russians connected to two different Russian intelligence agencies were behind the Democratic National Committee (DNC) hack, the leak of emails, information and opposition research. And the American public was made aware of these activities and the actors most likely behind them, months before the election. 

Director of National Intelligence James Clapper has released portions of intelligence reports stating that the "… goals of this campaign were to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency." Regardless of what the motivation of the hackers was, their activities had the clear effect of undermining confidence in our political system, sowing discord and creating confusion.

If the alleged goal of certain actors in the Russian government, who lead a country with an economy the size of Italy, is to create chaos, sow distrust and confusion in political systems and outcomes in the US and in Europe, we are allowing them to do it effectively. This one is on us. If the capabilities of our journalistic integrity have devolved to a point where people cannot tell the difference between real and fake news stories, then it is “we” who have failed. And most importantly, when we inexcusably fail to exercise the single most powerful tool of change we have, our right to vote, then “we” have utterly failed.

When our political leaders don’t play fair in their own party politics, then it is “we” who have failed. These hacks unveiled some disturbing information – we can either become shrill in our conversations about these issues or we can do something about it. The burden is on us—the people, the news media, the political parties. "We" need to demand more, we need to demand accountability, from these organizations and institutions that we rely on for transparency, honesty, and the protection of civil liberties and our democratic process. No country, no matter how small or big, can impact that if we choose not to let them. This one is on us.

Russia’s activities matter whether or not they impacted our national elections. These activities displayed the structural dominance of offense in cyberspace – that is, an adversary only has to be right once to get into our systems (though causing damage takes a little more effort), whereas defenders have to be right every time to stop them. While the DNC’s response during this episode did not amount to cybersecurity “best practices” by any stretch of the imagination, a committed adversary will almost always find a way in, even when best practices like network segmentation and dual factor authentication are used. Offensive cyber is an almost perfect weapon of asymmetric guerrilla warfare, where a country with modest economic resources can inflict tremendous damage on a much stronger, at least conventionally stronger, foe, especially when policy and norms are neither well-established nor broadly agreed upon. Russia proves this point over and over again.

There should be no question that Russia is effectively deploying its cybercapabilities to further a bold national and international agenda. What is even more remarkable is that the Russians are carrying out these activities with a seemingly complete lack of concern over attribution or retribution. They are the proverbial drunken sailors leaving their fingerprints all over the crime scene, though one should ask why they are being so blatantly obvious. Do they have something to gain politically by pointing the finger at themselves? 

Ironically, the US has the most talented cyber warriors and professionals in the world. What we have proved over and over again is that we don’t have clearly defined policies, including escalation policy, in the face of acts such as those we suffered during our election, that are in step with the state of current technology and the social norms of our society. Our military and intelligence agencies will carry out their mission better than anyone else in the world – they have proven that over and over again. Our obligation is to set the right guardrails. Once those guardrails are set, our national leaders have the obligation to stand up and defend our policies, our activities, and the men and women who carry out these important missions. We have fallen short on this front as well.

It’s 2017. While it is important to understand the full scope of Russian activity and involvement in our political system, it is even more important we look forward. Let’s focus on having real discussions in order to drive the changes that will improve our country, our political system, our economy, and our ability to ensure that our people have safe access to the resources they need to thrive in today’s world. Determining acceptable norms of behavior, especially how deterrence will work in cyberspace, will take the resolve and commitment of our brightest minds.

Let’s have thoughtful, fact-based conversation on important topics where we have a unique opportunity to define policies and norms that fit with the waves of technology innovation going on all around us and their impact on every aspect of our lives.

Niloofar Razi Howe is senior vice president and worldwide chief strategy officer for the cybersecurity firm RSA. Follow her on Twitter @NiloofarHowe.
