“Our sovereignty was violated in 2016... Let's be clear, a foreign government, a hostile government, attacked us to influence one of the most sacred things we do as a democracy, and with clear intentionality – it wasn't just some accident. By the way, I think it was rather successful.” – Prof. Michael McFaul, former U.S. Ambassador to Russia (2012–2014)
Interfering, hacking, tampering...meddling. Whatever you want to call it, Russians inserted themselves into the 2016 U.S. presidential election. Now, did the Russians singlehandedly swing the election? We’ll probably never know. But they certainly tipped the scales, and their intrusion into our democratic processes was unprecedented.
Professor Michael McFaul, co-director of the Stanford Cyber Initiative and former ambassador to Russia, places this attack on par with 9/11 and the bombing of Pearl Harbor. It signifies an escalation in cybersecurity threats from foreign actors. Now, “cybersecurity” as a word may be problematic. Cyber makes you think of giant, old military computers, and a “cyber attack” is something that only the Pentagon or a company’s IT department has to deal with.
But maybe our definition of cyber is too narrow. Given that so many things are now connected to the Internet, it’s easy to lose track of all the points of vulnerability and how they can be turned against us.
“It is my opinion that basically no large organization correctly understands their network space,” said Tim Junio, co-founder and CEO of cybersecurity startup Qadium.
Qadium is helping everyone from private companies to three-letter government agencies keep track of their sprawling network and scan for potential security threats. The stakes are high in the political sphere, particularly when one country tries to influence another.
But cybersecurity is about more than battening down the hatches and encrypting systems. Russian interference in the 2016 election involved hacking into the DNC’s servers, but also relied on a campaign of information and misinformation through leaks and fake news. So does putting emails on WikiLeaks count as “cyber”? Does fake news? And, more importantly, what’s motivating the Russians to engage in these instances of cyber aggression?
According to both Michael McFaul and Jackie Kerr (postdoctoral research fellow at the Center for Global Security Research at Lawrence Livermore National Laboratory), Russia’s motivations can be traced all the way up to President Putin’s ambitions as an authoritarian leader of an influential world power. Jackie helps us understand what’s been going on in Russia domestically, and how that’s shaped their approach to online communication.
Thinking of misinformation as a cyber threat seems to challenge the optimistic American conception of the Internet as a place for free information flow – a view that relies on the democratic principle that a marketplace of information is inherently good. The whole saga is muddying our definition of “cyber,” and challenging our most deeply held values about the nature of information.
LESLIE CHANG: From Stanford this is Raw Data, I’m Leslie Chang.
MIKE OSBORNE: And I’m Mike Osborne. Today’s episode – Meddling.
MCO: Last year, Leslie and I decided to launch Raw Data season 2 in late November – we figured it would be best to wait until after the crazy 2016 election. And as we were working on stories last fall, we went to a workshop here on Stanford campus called Hack the Vote. This event was organized by a student group, and it was kind of a demo slash workshop.
LC: There was a mix of Stanford undergrads and grad students in the audience. When we got there, everyone was eating Chipotle, munching on chips, and firing up their laptops. We talked to Priyanka Sekhar, she’s the president of the student group that put on the event.
MCO: Can you tell us what day it is?
PRIYANKA SEKHAR: Today? November 7th.
MCO: Why is that significant?
PS: It is the day before the election.
MCO: What are we ... What is this?
LC: Yeah, describe the event.
PS: This event is the election hacking. It’s called hack the vote. We're looking at all the ways that election systems are vulnerable, and this is one of our respondents who is just ... Or one of our demo people who's just coming up and we're just showing you all the ways that our voting infrastructure is insecure and ways that you can influence an election through technical means. Or if you're a hacker, what it is that you could do to swing the election in your favor.
MCO: People did demos up at the front of the room, and the audience members who brought laptops followed along were invited to try out some of the coding and hacking.
LC: Priyanka’s group even managed to buy a machine off eBay called the *ExpressPoll-5000.* It was this clunky-looking gray tablet, and you don’t actually use it to cast your ballot – the ExpressPoll-5000 is used at polling stations to verify a voter’s identity.
MCO: Do people actually use that thing? Is that thing out in the wild?
PS: Yes, so that thing is out in a lot of electronic polling places.
MCO: It’s going to be used tomorrow.
MCO: To help decide who the next President of the United States is.
PS: Yes, it will be used tomorrow.
MCO: Among other things.
PS: That is a cause of concern in a lot of places because if they're not secure systems, then can you ensure democracy is a valid question that's going to start coming up. You have to be able to trust the voting systems in order to trust the democracy.
MCO: A few minutes later, a guy up at the front of the room shows this group of Stanford computer geeks how he was able to hack into the ExpressPoll-5000.
MCO: Leslie and I have no idea what’s going on, or why exactly everyone is laughing...but we get the basic message. Our voting machines... are vulnerable to cyber attacks.
LC: These machines are not the only points of vulnerability. American intelligence agencies agree that our 2016 presidential election was influenced by Russia. But, as far as we know, the Russians didn’t hack into voting machines – instead they used methods that may seem less direct, but ultimately could have contributed to swinging the election.
MCO: But was Russian involvement in the 2016 election a *cyber attack?* Given that everything we do these days involves the Internet or digital technologies, how do we even define what counts as a cyber attack?
LC: We’ll get back to the 2016 election later in the episode, but first let’s spend some time looking at how we traditionally think of cyber attacks. As security people would phrase it: what does the threat landscape look like? After all, the internet is incomprehensibly big. It almost seems like an impossible task to keep track of everything.
MCO: But a lot of people and organizations are realizing they need to take cybersecurity seriously. Major companies and government agencies want to protect their network, their data, intellectual property, and other digital assets. In response to the growing threats, in the last few years a lot of venture capital money has been invested in cybersecurity startups.
LC: We’ve been keeping an eye on one startup in particular, called Qadium. Recently Mike and I made a trip to San Francisco to talk to the co-founder and CEO, Tim Junio.
TIM JUNIO: What Qadium is doing at the most fundamental level is organizing information about internet connected devices. And this is important because actually this phenomenon you hear about all the time, internet of things, IOT, is not something that has been well measured by anybody. So...we're really the first company that has a dedicated mission with a technology stack oriented around discovering every internet connected device.
LC: Now, you’ve probably heard that term “Internet of things,” or IoT. The idea is that there are all kinds of consumer products that have built-in little computers that can connect to the internet. The grand IoT vision is that everything, from refrigerators, to baby monitors, to heating and cooling devices – they will all harmonize seamlessly with our daily lives. All these little computers, singing together in perfect harmony. But the problem is that all these little computers can also be turned against us to create security problems.
MCO: As Tim Junio said, what Qadium has done – their breakthrough technology – is they’ve developed a way to scan the GLOBAL internet, and create a database of all of these devices. A good analogy for what they’re doing is Google, which crawls the web and indexes public web pages.
TJ: We're indexing devices in the same way across the public internet and we have monetized it through an enterprise security product.
LC: And public internet, can you just define that super quick for our listeners?
TJ: Sure, so what we consider the public internet is anything that is not behind a firewall or other perimeter security or on a local network.
LC: Qadium’s product is enterprise software – it’s for big organizations who can afford the service. When we talked to people at Qadium, they said that if you’re an organization, you can think of your network like a house. There’s a front door, a back door, a side door, a lot of windows, a basement. What Qadium is basically doing is scanning all these entry points to see if someone accidentally left a door or a window open somewhere.
MCO: According to Tim, most organizations don’t even realize how big their house is – so it’s hard to keep track of all the entry points.
TJ: it is my opinion that basically no large organization correctly understands their network space and...we provide the best availability on the market by a really wide margin.
MCO: Maybe it seems crazy that you wouldn’t know your own network. But think about it for a second – if you’re a big company, a government office, or a hospital, it can be surprisingly difficult to track all the devices you’re responsible for. Maybe your office merged with another office, or maybe your company acquired a smaller company, and you’ve just inherited a bunch of IoT gadgets – not to mention laptops and computers. The point is, if it’s in your network, someone might’ve left a door open somewhere.
LC: Qadium’s services are in demand. They have a growing customer base, and their clients include several government agencies and large companies.
TJ: So we have customers in both [00:15:00] enterprise and government. So our government customers include US Cyber Command, the Navy, Defense Information Systems Agency, and a couple of others.
LC: Most of their corporate customers have non disclosure agreements in place, so Tim couldn’t name specific companies, but their clients come from lots of different sectors, like finance, retail, pharmaceuticals, and insurance.
MCO: But cybersecurity is a constantly evolving landscape and there’s a lot to keep up with. And the bad guys want to achieve something – like stealing credit card info, or holding patient data to extract a ransom from a hospital... or meddling in the normal functioning of a democracy.
LC: Given that Tim is a cybersecurity entrepreneur, we wanted to know how he would go about protecting our country from foreign governments who might want to influence our elections. We asked him about both physical voting infrastructure and the potential influence of... fake news.
TJ: If I were to think about it at a strategic level, what I would care about is how do I impose the greatest cost on somebody trying to do something bad. So if we take your scenario, you want it to be expensive to try to meddle with US elections, so if you make it hard to tamper with voting booths that's one attack vector that's kind of closed off. And then if you have really good tooling around detection of say social media manipulation or influence, like let's say the FBI is chatting with Facebook and Facebook was able to detect based on certain patterns within social media posts that a government entity was trying to influence Americans, that would also increase the cost to foreign governments, if there were good detection rules in collaboration with private companies between government and who is providing the service, that's another example where you're increasing cost. So the way I would think about as an organization or as a government from a policy perspective is where can I invest the most dollars to cause the greatest cost to somebody that wants to do something bad to me.
LC: There are a lot of questions right now about what exactly happened in the 2016 US election. Depending on how federal investigations unfold, hopefully we’ll learn more in the coming weeks and months. But we do know that Russia used their capabilities to influence the election’s outcome, and the whole situation is raising big questions about national security and cybersecurity on the international stage.
MCO: Stanford Professor Michael McFaul was the U.S. Ambassador to Russia from 2012 to 2014. He had a front row seat to the way the Kremlin deals with foreign policy.
MICHAEL MCFAUL: Let's talk about what we know, and then what we don't know, because we need to be very clear about where we're at so far. We know that Russian-affiliated agents stole data from the DNC and John Podesta. Notice the verb I used. They stole data, it wasn't a hack. They stole data. They stole it. That's number one, and by the way, lots of countries do that all the time for intelligence gathering purposes. Then second, they went farther than what most countries do, they then published the data.
MCO: The Russians deny this, but intelligence experts agree it was them. One way or another, these DNC emails showed up on Wikileaks.
MM: In addition, they also did some other things with respect to Russia Today, RT, on the media, Sputnik, their information channel, bots that they run, fake news, [00:14:00] they have a whole operation on that. They ran a series of campaigns in that domain, on Twitter, on television, on Facebook.
LC: A few months ago, James Clapper, the Director of National Intelligence, testified before a Senate committee – and he confirmed that Russia ran these disinformation campaigns. They were promoting fake news.
MM: ...What we don’t know – here's what we don't know about all this. We don't know the exact impact of their activities on the outcome of the election. That's a bigger leap. Of course there were many factors involved that lead to Donald Trump's electoral victory. Where does this set of variables fit? That's a social science question that has not been answered.
MCO: And that question may never be definitively answered. There were many factors at play into 2016, and it would be an oversimplification to say the Russians were the sole reason Donald Trump won.
LC: It’s worth pausing at this point to separate out some of the issues on the table. As of this recording, the question about potential coordination between the Trump campaign and the Russians remains unresolved. But Mike McFaul says that the United States should investigate the full extent of what the Russians did, regardless of any potential collusion.
MM: Here's the way I try to parse it. Leave aside whether Flynn or Stone or Page or these people that are in the news right now, whether they colluded or not with the Russians. In a way that should be a separate investigation. Let's just put that aside, and just focus on what the Russians did... It's not Trump's fault that the Russians stole data from the DNC and published it through WikiLeaks.
...but let's just focus on that piece first. Get that data fully investigated as to what happened, and then take prescriptive measures to protect us so that it doesn't happen again.
MCO: I guess in your circles, are you thinking of the 2016 involvement as a cyber attack? Should we go with that?
MM: Of course.
MM: Of course.
MCO: Without hesitation?
MM: Without question, but that gets exactly to the conceptual problems that come with cyber attacks, cyber violations. I don't even like those words. When I talk about it, I say, our sovereignty was violated in 2016. That kind of focuses the attention, right? Those are December 7th, 1941, September 11th, 2001. Let's be clear, a foreign government, a hostile government, attacked us to influence one of the most sacred things we do as a democracy, and with clear intentionality, it wasn't just some accident. By the way, I think it was rather successful.
MCO: Not so long ago, the US and Russia were on different footing. So how did US-Russia relations sour so spectacularly?
MM: if you go back 30 years, the end of the Cold War, we in the West aspired to integrate Russia into Europe, into our clubs, make them a member of the international system. They aspired to do that too. Part of the price of doing that, or the deal for doing that, was to develop a democratic and market institutions internally. They wanted to do that, and we wanted to help. Over time, they've become less convinced that that's in Russia's national interest, and by "they" I really mean Vladimir Putin.
MCO: Russia’s path into authoritarianism coincided with the growth of the Internet and social media. Which, you know maybe it seems like these two things are at odds with one another. For idealists, the Internet is a platform for free speech and a space for open access to information. And during Putin’s early days in power, Russians supported a relatively open Internet. Unlike China, Russia historically never has never had a Great Firewall. But, the story has changed, and to start piecing it together, we reached out to Jackie Kerr.
JACKIE KERR: Hi, my name is Jackie Kerr. I'm a post-doctoral research fellow at the Center for Global Security Research at Lawrence Livermore National Lab and I'm an affiliate at the Center for International Security and Cooperation at Stanford.
LC: Jackie has spent the past several years studying how different authoritarian regimes, especially Russia, are evolving to cope with the Internet.
JK: Countries are wrestling with what's sometimes has been called a digital dictator's dilemma or dictator's dilemma. It's the idea that they don't want to lose legitimacy further by cutting off the benefits of the internet to citizens who already have gotten used to using the internet… They want the economic benefits of ICT sector development. And yet, at the same time, they see things like the color revolutions going on or like the Arab Spring and they see the role that these new technologies are potentially playing, they...just makes it much easier for people to organize civically. It makes it easier for people to find each other who disagree with what's going on in the country.
LC: The color revolutions in the 2000s shaped Russian policy towards online speech. Some of these populist uprisings occurred in former Soviet Union countries, right in Russia’s neck of the woods. The demonstrations were anti-government corruption, anti-authoritarian, and pro-democracy. And in many cases, the protest movements were facilitated by people organizing online. Meanwhile, according to Jackie, Putin and others in the Kremlin are watching this all unfold, and they’re growing increasingly concerned about how a similar uprising might happen in Russia.
MCO: The other thing that’s happening at this time is that the Kremlin is going on the offensive with cyber attacks, especially distributed denial of service, or DDoS attacks for short. With DDoS attacks, the idea is that you hack into a bunch of IoT, or internet-connected devices. And then you turn all these little computers against a website or network and overwhelm it, and shut it down.
LC: It’s widely believed that the Russians instigated DDoS attacks during conflicts in Estonia and Georgia in 2007 and 2008. But all of this was just an appetizer for 2011, which was a turning point in recent Russian history.
MM: Remember, 2011 there were demonstrations all over the world, in the Arab world, and dictators were falling. People forget that now, but it felt precarious, if you're living in Russia. I was living in Russia then.
MCO: That year, Putin announced he’d be running for President... again. Now, this gets a little confusing, but in Russia they have both a prime minister and a President. By 2011, Putin had served terms as both. At that time, he was prime minister, and Dmitry Medvedev was president.
JK: And then, you have the rally where they announced that Putin is going to now step down as prime minister, and Medvedev is going to step down as president, and Putin is going to swap and become president again and Medvedev, prime minister. They've got this all planned out… And so that's the spark where you start having the protest movement emerge.
LC: Many Russians, especially young people, had favored Medvedev – they thought he would bring about a more open society, and they were angry that Putin was going to become President once again. On top of that, 2011 was a parliamentary election year in Russia. Hundreds of seats were at stake in the Russian legislature, called the Duma. Putin’s party, United Russia, won the majority of the seats.
MCO: But on election day, there were DDOS attacks on the websites of opposition parties, and also on a website that was used to report election fraud. The results of the election were widely contested – journalists, political activists, and Russian citizens were all crying foul.
JK: And during this period, you have the biggest street protest occurring in Russia that have occurred since the collapse of the Soviet Union and it's not just in Moscow, it's not just in St. Petersburg, it's in cities across the country. ...They're using social media, have people who are bloggers emerging as leaders of the protest movement also coming out in street protests.
MM: ...and it felt like something was going on here and that when hundreds of thousands of people demonstrate, that is a threat to the regime. The last time, by the way, that number of people had demonstrated was the year 1991, the year the Soviet Union collapsed. Putin needed to counter that, and he blamed those people on being our agents. He said that we were responsible for regime change, just like we were fomenting revolution in Egypt and Syria and Libya, now we were taking our roadshow here to Russia. By the way, he accused me personally of doing that, I was sent to Russia to overthrow his regime.
LC: The United States called out the fraud in Russia’s parliamentary election. And of course, at the time, the Secretary of State was Hillary Clinton.
MM: In December 2011...we, in the voice of Secretary Clinton, called it out for that, and she criticized that election, and Putin publicly, he said she sent a signal to the protesters to come out and protest against his regime. He's a guy that keeps grudges, and believe me, when he got the chance to seek revenge, he took it.
LC: The protests that began in late 2011 in Russia continued into 2012 and early 2013. The unrest caused the Kremlin to start taking a very different approach towards the flow of online information.
JK: And there was all this discussion about the role of social media as a liberation technology before this, but then, this really brought it home. Seeing this happen during the elections, surrounding these mass protests, and it got personal too. They're personally calling out Putin, and calling the party the party of crooks and thieves, and so on.
MCO: But the Kremlin is walking this fine line. Putin wants to quell opposition, but he also doesn’t want to appear like a dictator to the people of Russia. They’re sort of going through the motions of looking like a free society without actually supporting free speech or ensuring fair elections.
JK: "Why? Why do this?" Well, I think, it's probably a mix of things. On the one hand, it's useful for them in terms of reputation at home and abroad to not do things quite so overtly, but the point is that you pass a point where it's plausibly deniable – to the point where it's implausibly deniable. At that point...Does it still help your legitimacy or is it obvious to everyone that you're censoring, and that you're violating rights, and that you're not democratic? Well, I think the answer is not completely. I think for people in Russian society, there is a big difference between doing it this way versus doing it censoring everything.
LC: In the 3 or 4 years since the protests, a number of repressive Internet laws have gone into place. For example, there’s a blacklist of websites, and analysts believe the law is intended to target independent media outlets. Some websites also have to share encryption keys with the Russian government, and Internet Service Providers can be required to store every single byte of data they transmit for six months.
MCO: It’s not exactly a blanket crackdown like the Chinese firewall – the number of websites blocked in Russia is still miniscule compared to China. But the Russian efforts are targeted, and designed to create a culture of fear.
LC: People who have been idealistic about the spread of liberal democracy might’ve hoped that the Internet would challenge authoritarian regimes and their ability to maintain power. But countries like Russia have adapted.
JK: They've figured out how to be resilient to this too, and not only resilient but how to use the same instruments they've learned to how to manipulate those flows of information instead of blocking them and turn them back and sort of weaponize them.
MCO: Which brings us back to the 2016 American presidential election. Russian operatives didn’t just steal DNC emails – there was a broader strategy of weaponizing information and misinformation. We’ve also seen similar attacks on democracies in Europe, including France’s presidential election in early May.
LC: Mike McFaul says all of this demonstrates that Vladimir Putin is trying to use Russia’s capabilities to expand their sphere of influence.
MM: Today he's now come to the conclusion that: A, democracy is not necessary internally, that's actually dangerous to stability as he would call it. I would call it autocracy, his regime, but B, that joining the Western clubs is not in Russian interest, better to go their own way. Moreover, and this is new in the last three or four years, accelerated in the last three or four years, he's offering alternative ideology, illiberal ideas.
...So what does that mean in terms of this other stuff? It means he's willing to support people that are ideologically like him. That's where the intentionality has grown, that before he might have been somewhat nervous about challenging the international order, he's not worried about it anymore.
...but he's also invested in cyber capabilities and using these new instruments of power to influence what happens domestically and in the United States and Europe.
MCO: People in cybersecurity circles have been talking for a long time about what a so-called “cyber 9/11” or “cyber Pearl Harbor” would look like. Would it be an attack on critical infrastructure like a power plant, or computer system used to run financial markets?
LC: But maybe we’re not thinking broadly enough about cybersecurity. Part of the issue is that the word “cyber” is kinda old school. There’s something militaristic about it, and it mostly seems like a problem for the IT department. Cyber hygiene is one of those things in life that you know you’re supposed to take seriously, but it also feels like someone else’s problem.
MCO: But what the 2016 US election shows, is that cyberwarfare is escalating, and it doesn't look like what we thought it was going to look like. There has, perhaps, been a failure of imagination.
JK: I think we've had blinders on partly because coming back to what I said before that there was this mythos coming out of the Cold War that democracies aren't vulnerable to flows of information. That's just authoritarian states because they're brittle. They rely on having this wall on information, but democracies are all about the free flow of information and so we're all good, we're resilient to that. A lack of realization of the extent to which this kind of thing could be weaponized against us to influence public opinion, to influence the decision-making processes of people in power. You know, tactics of delay, of making things ambiguous, of it being unclear whether you've committed an act of war or not or it's not quite at the cutoff line for a legal definition, things which basically aim for the vulnerabilities of our own decision-making processes, and make those as muddy as possible, and exploit those vulnerabilities through the free flow of information, through targeted information, and we didn't see that coming.
MM: On the prescriptive part, how do we just make our entire electoral system more secure? I would just remind you that it's now May, we have not done one single thing to increase our security of anything. Not one thing. Not one single executive order, not one law, not one state has taken any action. Zero. We've done nothing. We're just sleepwalking… and the Russians will have that capability in 2018 and 2020, in fact, they'll have much greater capability because the technology is not static, it's moving.
MCO: Mike McFaul also told us he believes this should be a bipartisan issue. While the Russians may have favored Trump in 2016, it’s totally possible that foreign actors will favor Democrats in future elections. And it’s not just the presidency at risk. It would be easy to meddle in elections at ALL levels of government.
LC: McFaul says this whole question about sovereignty and “security” really gets back to the social contract between citizens and their government.
MM: One of the definitional words of a state is that they provide security to their citizens. That word goes with it, and people give up the monopoly of the use of force to the state for that kind of protection. That's why we have an army, that's why we have the Pentagon, that's why we have ICBMs...and we pay taxes for that because we expect our government to do that. If we are attacked, as we were on September 11th, in a physical way, we expect our government to defend us and react.
LC: This social contract to provide security is important on the international stage...But of course, there’s a whole other social contract of security that is supposed to keep us safe but has all kinds of problems:
MCO: The American criminal justice system.
SHARAD GOEL: The first thing that might enter people's mind when they think, is an algorithm fair, is a decision fair, is asking are equal number of white defendants and black defendants detained under the algorithm? That's maybe the simplest way of thinking about fairness.
DONNA MURCH: Many of the experimentations with the expansion of policing, of criminalization and surveillance, came from targeting the most vulnerable, and it still does. But we're seeing this dissemination and expansion of this into the general American public, and honestly beyond the borders of the United States, with the scale of surveillance.
MCO: Algorithms and surveillance in the criminal justice system. Next time on Raw Data.
MCO: Our podcast is produced by Leslie Chang and me, Mike Osborne. Our production intern is Isha Salian. Thanks also to Allison Berke, and the rest of the Worldview team.
LC: Tim Junio’s company is called Qadium – that’s spelled Q A D I U M. You can find them online at qadium DOT com. Thank you also to Marshall Kuypers for coordinating our visit.
MCO: Michael McFaul is the co-director of the Stanford Cyber Initiative and the director of the Freeman Spogli Institute for International Studies. You can find him on Twitter AT McFaul – that’s M C F A U L.
LC: You can find Raw Data online at www DOT raw data podcast DOT com. We have blog posts as well as transcripts for all our episodes. If you want to get in touch, we’re on Twitter @rawdatapodcast, or you can email us – raw data podcast AT gmail DOT com.
MCO: Our show is a production of Worldview Stanford, and we receive additional support from the Stanford Cyber Initiative, whose mission is to produce research and frame debates on the future of cyber-social systems.
LC: Thanks so much for listening, and we’ll be back soon.