The missed cyber opportunity in the Senate Intel report on Russia
The Senate Intelligence Committee detailed shocking new revelations about the 2016 Trump campaign's dealings with Russia in the landmark final volume of its report on the matter, but it missed an opportunity to recommend cybersecurity fixes for today’s campaigns and parties — perhaps by design.
Why it matters: The DNC and RNC could be considered a type of “critical infrastructure,” because without them and the presidential and congressional fundraising they facilitate, U.S. politics as we know it wouldn’t exist. But because they fall outside the government’s protective cybersecurity remit, they are also uniquely vulnerable to outside threats.
- As the 2016 hacking of John Podesta’s emails showed, the personal devices and accounts of major politicos are also major targets for foreign intelligence services.
Where it stands: The Senate Intelligence report, out last week, lays out key recommendations for preventing 2016-style meddling from happening. They include:
- Strengthening enforcement of the Foreign Agents Registration Act.
- Reorienting the U.S. intelligence community to prioritize gathering information on foreign electoral interference schemes.
- Having the FBI do more to brief candidates and campaigns on foreign counterintelligence threats.
- Making the FBI develop more robust systems for alerting nongovernment actors — like political campaigns — that have been hacked.
Yes, but: The 966-page report does not go into detail about what these campaigns, or the larger party infrastructure supporting them, should do to prevent cyber intrusions from foreign governments.
- It also doesn’t provide a broader framework for how (or if) federal agencies like Homeland Security’s Cybersecurity and Infrastructure Security Agency, charged with securing domestic networks, could coordinate or cooperate with political parties on basic cybersecurity.
This is no small matter. As the report makes clear, the hack and leak of materials from the Democratic National Committee was the single most effective prong of Russia’s 2016 active measures campaign.
- The report does detail the DNC’s 2016 cybersecurity practices, but these were plainly insufficient to prevent catastrophe.
- “The DNC's IT staff did not understand the nature of the threat it faced, despite multiple entreaties from an FBI agent at the Washington Field Office,” says the report.
- The FBI also failed to sufficiently convey the seriousness of the breach to the DNC, and it did not follow up with DNC executives when its warnings seemed to go unheeded, the report concludes.
- “The uniquely political nature of the DNC as an organization and the FBI's approach towards victims of cyber attacks led to miscommunications and missed opportunities to thwart, or eradicate, the Russian cyber actors from the DNC systems,” says the report.
Between the lines: The paucity of material on how to protect political party infrastructure from malign cyber activity may not be an oversight.
- After all, the committee is composed of Republicans and Democrats. Shining a bright light on the cybersecurity practices — and deficiencies — of the RNC and DNC today would force lawmakers to scrutinize the political machinery at the heart of their own parties. That’s a tough sell in hyperpartisan Washington.
- Meanwhile, it's unclear if the 2020 political campaigns have fully absorbed the cybersecurity lessons of 2016. Democratic presidential candidate Joe Biden only hired a chief information security officer in July — over a month after formally clinching his party’s nomination.
The bottom line: Empowering the government to help encourage best practices within political parties’ networks, or even legislating minimum cybersecurity standards for these entities, could help avoid a repeat of 2016-type interference.
- But government actors have to want these changes first, and the Senate Intelligence report suggests they’re not happening.