Data Versus Democracy
goal of the public influence operations. As significant as a close business tie
with a real estate mogul and reality TV star is, that business tie or personal
relationship becomes exponentially more valuable if that asset becomes the
president of the United States. Not only is that asset a “friend in high places,”
but that asset also has a personal financial motivation to work in the interests
21 “Maria Butina’s Defiant Plea and Yet Another Russian Ploy,” Natasha Bertrand, The Atlantic, December 13, 2018, www.theatlantic.com/politics/archive/2018/12/maria-butina-pleads-guilty-russian-agent/578146/.
22 Karen Dawisha, Putin’s Kleptocracy (New York: Simon & Schuster, 2014).
Chapter 5 | Democracy Hacked, Part 1
of his foreign business associates. Even more so should those associates, or
others with whom they are coordinating, come to possess kompromat (the
intelligence industry’s term for compromising material) about the would-be
president or his inner circle. As tantalizing as the investigation into these
alleged and attempted relationships can be, they are ultimately not what this
book is about.
This book is about how big data and information can influence people and
alter history. And so, I will focus on the activity of the GRU and the IRA, two
organizations that were successful at influencing public discourse, spreading
falsehood, and setting the lion’s share of the agenda in the final weeks of the
presidential election. We may never know how many votes—popular or in
the Electoral College—were won or lost by their activities. But there is no
doubt that their activity influenced the issues that Americans took with them
into the voting booth, and even at the end of 2018, the content they published
in 2016 is still circulating and driving political conversations. (And that’s to say
nothing of the work they have done since then, both detected and undetected.)
Let’s start with Fancy Bear.
Fancy Bear Crashes the Democratic Party
The GRU has likely been focused on the United States for some time. They
have certainly had their eyes fixed on the West in recent years. For example,
in April 2015, Fancy Bear hacked into TV5Monde in France and posted
messages on the national television network like, “Soldiers of France, stay
away from the Islamic State! You have the chance to save your families, take
advantage of it. The CyberCaliphate continues its cyberjihad against the
enemies of Islamic State.” While initial signs pointed to a possible ISIS attack,
security experts ultimately determined the source of the attack to be an IP
address associated with the GRU.23
One of the earliest direct signs that they intended to conduct an operation to
influence or discredit the outcome of the 2016 U.S. presidential election was
in October 2015, when the GRU began targeting the email account of
Democratic National Committee (DNC) director of voter protection, Pratt
Wiley. According to the Chicago Tribune, Fancy Bear hackers “tried to pry
open his inbox as many as 15 times over six months.”24 This, of course, raised
23 Sheera Frenkel, “Meet Fancy Bear, The Russian Group Hacking The U.S. Election,” BuzzFeed News, published October 15, 2016, www.buzzfeednews.com/article/sheerafrenkel/meet-fancy-bear-the-russian-group-hacking-the-us-election.
24 Raphael Satter, “Inside story: How Russians hacked the Democrats’ emails,” Associated Press, published November 4, 2017, www.apnews.com/dea73efc01594839957c3c9a6c962b8a.
the specter of possible hacks into voting machines to change vote counts in
precincts with fully electronic voting.
While cybersecurity experts generally agree that Russia did not change any
electronic vote tallies in the United States in 2016, they did manage to break
in and steal personal information about U.S. citizens from voter registration
records in states such as Illinois.25 Election officials across the United
States shored up election security and in some cases returned to paper ballots, at
least as a backup. But even as the U.S. midterm election approached in
November 2018, security experts and election officials across the United
States were worried that many precincts around the country would not be
able to withstand an attack on vote tallies if it did come. But even that isn’t
the greatest fear of many election officials. As NPR reported in a story about
the Illinois data breach:
Illinois is investing a few million dollars in federal money to help
some of the state's smaller voting jurisdictions secure their data and
equipment. Some counties don’t even have their own IT staff. But
officials here are less worried about hardware and software. They’re
more concerned that even a modest breach could undermine voter
confidence in the machinery of our elections.26
Where changing voter tallies or bringing down machines on election day could
be a devastating attack on the U.S. democratic system, perhaps just as
effective—and certainly more cost-effective—would be a discrediting of the
election results. If voter confidence were brought down far enough, it could
depress turnout. And you can’t recount votes that were never cast. If you
targeted that voter confidence to a specific demographic or geographic region
that leaned heavily one way, you could depress votes for a single party
predictably and irreversibly. And if that took place in a large swing state with
a large pool of electoral votes and a close final tally, you could theoretically
swing an election.
Swinging an election isn’t the only end game. Discrediting the process can call
the results into question, and if enough citizens feel the election was
illegitimate, it can make it difficult for the election winners to govern. This
appears to be the underlying motivation of Fancy Bear’s wildly successful
campaign to hack the Clinton campaign and the Democratic National
Committee.
25 “What Illinois Has Learned About Election Security Since 2016,” All Things Considered, National Public Radio, broadcast September 17, 2018, www.npr.org/2018/09/17/648849074/what-illinois-has-learned-about-election-security-since-2016.
26 Ibid.
How Fancy Bear Got In
Have you ever seen the movie WarGames (1983)? It’s not exactly recent, but
it illustrates perfectly the kind of hacker mindset that underlies the specific
techniques used by Fancy Bear leading up to the 2016 election. In WarGames,
the protagonist, David Lightman, wants to change his high school biology
grade to avoid going to summer school. The school’s grade database is
(somewhat shockingly for 1983) accessible “online”—that is, by modem
access over the phone lines from a compatible computer. The database is
protected by a password that changes on a regular basis, which David doesn’t
have, and would only last for a short time anyway. David could try a brute-force
method, like algorithmically generating random passwords until he
guesses the correct one, which could work with a simple enough password
and a lot of time. But it would spike system login attempts over a prolonged
period of time, raising the likelihood that his attack would be detected.
Instead, he uses a human intelligence or HumInt (pronounced hyoo-mint)
method. He (purposefully?) gets in trouble at school on a regular basis and
sent to the main office for a talk with the principal. While there, he discovers
where the database password is kept and regularly notes the new password
as it is changed. He gets in trouble frequently enough that his presence near
the location where the password is written raises fewer red flags than multiple access
attempts from the computer at his home phone number would. And so his
password theft and grade change go undetected by the school.
A little later in the movie, David is searching for the servers of a video game
company so he can attempt to play a new game before it is released (and,
presumably, without paying the price of new computer software in the early
1980s!). As he probes phone numbers in the geographical vicinity of the video
game company, he stumbles upon a few other interesting computer
connections. After making a phony reservation for a trip to Paris with a female
classmate he wants to impress, he discovers what turns out to be a military
server containing games that teach the kinds of strategy that could be helpful
to decision-makers and negotiators at the height of the Cold War. He consults
two fellow computer geeks, who tell him he’ll never get through the primary
system security. But he could look for a “back door”—a secret method of
entry placed by the original programmer(s) unknown to the current system
administrators. It turns out that one of the games on the server contains a
name: Falken’s Maze. David does some digging at the library and discovers a
developer and inventor, Steven Falken, who had a history of working with and
for the government. Upon researching his life, David discovers Falken’s “back
door” password and gains entry to the system. (And almost starts World
War III…)
Encryption and online computer security have increased exponentially since
the early 1980s. Brute-force methods, without any knowledge of the system,
are nearly doomed to failure, as it is far, far easier to encrypt data than it is to
computationally discover the encryption “key.” (And because the same kinds
of computer processors are responsible for both processes, that will continue
to be the case for some time.)
But technology has also increased drastically since the 1980s, in both
complexity and ubiquity. What hasn’t increased since then is the human brain’s
capacity to manage that complexity. We make mistakes. Expert developers
don’t just leave back doors in their code, they leave obsolete functions, unit
tests, analytic trackers, dependencies on other people’s code that isn’t always
updated when security vulnerabilities are discovered in that other code, overly
permissive web app installation scripts that are triggered when a system is
overloaded and forced to restart—or left open when a user fails to update
permissions after installation. And that’s to say nothing of user error like bad
passwords, reused passwords, unnecessarily running the wrong app with
administrator settings, and unknowingly installing and using apps that require
more system access than necessary … and leave those doors open through
their own poor security settings.
Just as fictional hackers like David Lightman used HumInt and traditional
research to reduce the complexity of a computational problem, real-life
hackers like those of Fancy Bear use human intelligence—and capitalize on
human error—as their point of entry.
Fancy Bear’s weapon of choice in 2016 was email. Specifically, a type of
fraudulent email called spearphishing. You may be familiar with phishing—those
usually poorly written emails saying “your email inbox is full” or “your bank
account is frozen,” and that to fix the problem you have to click on a link in
the email and provide your personal login details—including your username
and password—to solve the problem. Spearphishing is like phishing, except
instead of sending the email out into the wild in the hopes of catching some
users’ data (like “fishing” with a line or a net just aims at catching some fish),
spearphishing attacks are directed at a specific user or group of users (like a
spear is aimed at a specific fish).
These emails look less like “your bank account is frozen” and more like
“Hey [your real name], it’s [your boss’s real name]. I’m stuck in a meeting
and need you to do X for me by lunch time.” There’s almost always a
fraudulent link to click on that will potentially give the sender of the email
access to some part of your system, or request information from you that
will do the same. Or it may look like a really good copy of a Google security
notice sent to your Gmail account, with a button to click on to address the
security concern they detected on your account. They might be after the
contents of your email account, the company documents in your G Suite
account, access to your camera and microphone, or they might be trying to
install a keylogger on your computer that will collect every keystroke,
including usernames, passwords, URLs, and the content of the messages you
write. Any of these can give them access to intelligence—such as the email
addresses of coworkers and clients, internal reports, financial documents,
etc.—or kompromat—information that could compromise the integrity of
you or your firm if it became public.
On March 10, 2016, once it had become clear that Hillary Clinton would
become the Democratic nominee for president, her campaign team first
started receiving spearphishing emails from Fancy Bear. On March 19, GRU
hackers began targeting the personal Gmail account of her campaign chair,
John Podesta. The attacks on the campaign continued through March and
April, but also branched out to other groups linked with the campaign, such
as the Clinton Foundation, the Center for American Progress, ShareBlue, and
others.
The campaign was successful. One of Podesta’s staffers had clicked on the link
in a fraudulent Google security alert sent to Podesta’s personal Gmail account
on March 19 and entered his username and password. Twice. In late April,
word reached Trump advisor, George Papadopoulos, that Russia had obtained
kompromat on Clinton from “thousands of emails.”27
Around the same time, Fancy Bear targeted the Democratic National
Committee. But this spearphishing attempt didn’t just target emails. The
fraudulent link in those emails contained the power to install malware on
the computer when clicked, and malware downloaded onto DNC computers
gave the GRU access to data on both those computers and the DNC
servers.28
Russia didn’t just sit on the kompromat they gained from these attacks. In
April 2016, two web sites, now believed by U.S. intelligence agencies to be
connected to Russia, were registered: electionleaks.com and dcleaks.com. In
June, both dcleaks.com and the blog of “hacker” Guccifer 2.0 (also believed by
the U.S. intelligence community to be a likely GRU operation) began to publish
kompromat gained against the Democratic Party—including information
about how the DNC leadership worked to protect Clinton from the challenge
posed by Bernie Sanders. This led to, among other things, a suit against the
DNC from Sanders supporters—and likely a number of protest votes from
leftists (either no-votes or votes for a third-party candidate like Jill Stein),
hurting Clinton in the election.29
Also in June 2016, Julian Assange announced that WikiLeaks had obtained
kompromat on Hillary Clinton. (Assange denied that Russia was the source
of the data.) In July, WikiLeaks began to publish that kompromat,
strategically scheduling the release of that information over the course of
the remainder of the election, culminating in the release of the Podesta
27 Raphael Satter, “Inside story: How Russians hacked the Democrats’ emails.”
28 Sheera Frenkel, “Meet Fancy Bear.”
29 Raphael Satter, “Inside story: How Russians hacked the Democrats’ emails.”
emails on October 7, 2016—the same day (and soon after) the Trump-compromising
Access Hollywood tape was released.30
Though we’ll never know the full extent of the impact of the GRU’s operation,
there were several fallouts that we can likely attribute to the release of the
kompromat Fancy Bear obtained from the Clinton campaign and the DNC.
First, the revelations about the way the DNC held back Sanders’ chances at
winning the nomination alienated many left-leaning voters—likely depressing
votes for Clinton both from those further left (who supported Sanders in the
primaries and caucuses) and those toward the middle (who may have been
demotivated to vote for Clinton, in spite of distaste for Trump). This was
likely exacerbated by pro-Jill-Stein and “never Clinton” campaigns conducted
by Russia’s Internet Research Agency (which we’ll unpack shortly).
Other details contained in the Podesta emails likely depressed turnout—or at