Hacking Western democracy

President Obama struck back at Russia on December 29 for its alleged cyber-attacks, designed to influence the 2016 election. After intelligence agencies had concluded that the GRU was orchestrating the hacks, Obama ordered 35 suspected Russian intelligence operatives to leave the USA. Cyberwar can indeed pose a threat to democracies in the West, wrote Mark Galeotti already before Obama’s decision. Next year the battleground will be Europe, divided and weaker than the US. We must retaliate, says Galeotti, but not overestimate the effectiveness of tit-for-tat.

by Mark Galeotti

The 'disinformation scare' has now moved into the 'hacker panic', as new claims about Russia’s role in the US presidential elections spark not only an intelligence turf war in Washington, but also new concerns in a Europe facing a series of key elections. This is all unknown territory, though — what can the Russians do? What do they want? — which means, as ever, that everyone sees what they want to within its contours. To some, it is proof of Vladimir Putin’s implacable hatred of the West, to others an absurd media scare and Russophobic myth.

FSB LoebjankaFSB and GRU often independently active in cyberwar. FSB headquarters at Lubyanka square Moscow

In fact, this reflects two things: the first is the extent to which a weak Russia trying to assert an ambitious agenda is turning to political manipulation to achieve what it cannot by other means, and secondly a fundamental legitimacy crisis in the West that is providing Moscow many opportunities for mischief.

Furthermore, the Kremlin is able to draw on a tradition. As I put it in my new report Hybrid War or Gibridnaya Voina? Getting Russia’s non-linear military challenge right:  'From the tsars through the Bolsheviks, the Russians have long been accustomed to a style of warfare that refuses to acknowledge any hard and fast distinctions between overt and covert, kinetic and political, and embraces much more eagerly the irregular and the criminal, the spook and the provocateur, the activist and the fellow-traveler.'

Hacking America

These challenges are often by definition impossible to quantify and attribute with 100% accuracy. For example, in the US case while there is a pretty broad consensus within the intelligence community that the hacks were carried out by Russian intelligence (primarily the FSB, the Federal Security Service), there is much less agreement over quite why. The CIA seems to be taking the maximalist line, claiming that Vladimir Putin personally authorised the operation with the aim of securing the election for Donald Trump.

The FBI, perhaps approaching it more with the evidence-based perspective of a law-enforcement agency (and also, allegedly, more pro-Trump in its leanings), is more cautious. While it accepts that Russia was behind the hacks, it does not pretend to be certain about the motive. Instead, and despite a later attempt to pretend there was no disagreement between the agencies, it initially confined itself to presenting these as attempts to undermine the legitimacy of the US political system and damage Hillary Clinton. On December 29 the FBI released its findings and recommended measures to improve cybersecurity.

For what it’s worth, I think there was little (if any) belief in Moscow that Trump could win. Instead, the assumption seems to have been that a Clinton presidency was an inevitability. She is regarded as a hawkish enemy of the Kremlin. Several Russian security officials told me that they believe her advocacy for the position of supporting Medvedev when he was presidential chairwarmer-in-chief was motivated by a desire to see a weak government in Moscow, while her support for the forcible ousting of Libya’s Muammar Ghaddafi has been taken as a sign of her enthusiasm for regime change. Even before her public denunciation of Putin’s 2011 election, she was hardly in his good books, and since then her image as the Kremlin’s enemy number one has only strengthened.

As a result, anything which could weaken or distract her on her presumed inauguration to the US presidency, anything which could stop her from using her honeymoon period to undermine Russia, became a positive priority. It appears that both the FSB and GRU (military intelligence) were hacking the Democratic Party’s systems. This is entirely to be expected: intelligence agencies gather all the information they can (indeed, they also were breaking into the Republicans’ networks), and in the Russian case agencies often work in parallel, maybe even not knowing of their rivals’ operations.

Red Square by nightFull moon over Kremlin

The GRU stuck to gathering information, but the FSB, primarily a domestic security agency with a much greater emphasis on political operations and fewer constraints on its operations, saw the chance for an active measure. They must have had sanction from the Kremlin for this, but it is unlikely anyone saw this as an election-changer and, frankly, were it not for the particular characteristics of this election — the brittleness of much of Clinton’s support, the disastrous eleventh-hour intervention of FBI director Comey, and the unexpected distribution of the vote — it is unlikely it would have been.

A Dangerous Precedent

After all, we need to be very cautious about treating Russia’s political war strategy of hacks, leaks, disinformation and coercive diplomacy as being more powerful than it really is. Indeed, if we do that, we are actually becoming Putin’s so-called 'useful idiots' every bit as assiduously as those who retweet propaganda or recycle Kremlin talking points.

The Kremlin was clearly unsettled when Trump won. Ultra-nationalist demagogue Vladimir Zhirinovsky may have been popping the champagne corks, but the Presidential Administration and the Ministry of Foreign Affairs were scrambling to try and make sense of this development. While Trump appears to be Putin’s best friend today, no one has any illusions about how changeable the situation could be. If Trump decides Putin is a threat or a rival, or simply decides that his personal interests are in a different alliance, then, as we have seen, he can rewrite policy in mid-speech.

Furthermore, Putin has established a dangerous precedent. Barack Obama has promised unspecific responses, but there is little fear of a lame duck president with a lawyer’s instincts. However, Trump can be expected to act with few restraints and distinctly less predictability, and were he to unleash the full capacities of the United States, Russia would be seriously vulnerable.

This cannot be a symmetric challenge. Trying to plan disinformation within a media space heavily controlled by the Russian government is a much less easy task. Likewise, what could kill a Western politician’s career is often no more than a passing irritation in Russia. Those calling, for example, for the revelation of Putin’s secret assets abroad (if they really are Putin’s, something that is questionable) should remember the minimal impact of the Panama Papers. Telling Russians their leaders are corrupt is a little like telling them the winter gets cold; they may not be happy about it, but it is what they expect and they don’t believe it can change, so why make a fuss?

However, if the USA really wanted to launch its own non-kinetic onslaught on Russia, there is much it could do. Its offensive cyberwar capabilities, for example, while largely secret and unused, are undoubtable and could be used for everything from shattering financial systems and critical electronic infrastructures to spamming Russians with propaganda. Indeed, Trump himself threatened 'crippling, crippling' cyberspace counterattacks against those attacking the United States. This would, of course, be tantamount to an overt declaration of war, but the point is that the capacities are there, and neither Moscow nor Washington want to see that escalation.

For that reason, it is likely that the Russians will be more cautious for the moment with the United States. The campaigns of propaganda and misinformation will continue, but — both shocked by the unexpected impact and unwilling to alienate Trump before any potential geopolitical deal-making — Moscow has every reason to stick to gathering information for the moment.

Besides, at the risk of sounding glib, what possible leverage could the Russians have on Trump? There have been all kinds of wild speculations, from footage of sexual romps in Moscow to compromising emails, but amongst Trump’s greatest political assets would appear to be teflon skin and a brass neck. A tide of credible and substantiated allegations, from sexual misconduct to questionable business practices, have washed over him and failed to stick. Furthermore, as he discards key campaign pledges (not least to 'lock her up') without the slightest hint of embarrassment, it is hard to see what Moscow could have on him that he could not deny, ignore, or simply shrug away.

Europe’s Dangers

Instead, the real battleground is likely to be Europe, which remains vulnerable to further Russian active measures, not least because there are crucial elections looming in France, in Germany, in the Netherlands, and in Italy.

Already, the warnings are coming thick and fast.  Hans-Georg Maassen, head of the Federal Office for the Protection of the Constitution (BfV), Germany’s main domestic security service, has said that 'the indicators that there will be attempts to influence the federal elections next year are intensifying'. Guillaume Poupard, director-general of France’s National Agency for the Security of Information Systems, sees a further 'development of a digital threat for political ends and for destabilisation'.

The risks are real. In the throes of a populist legitimacy crisis, Europe’s political systems are vulnerable to disinformation and more serious active measures such as the covert financing of divisive political movements and even the use of smear, blackmail, and bribery. Furthermore, Europe is seen as a much softer target. The European Union itself, for all its emerging new security doctrine, is not seen by Moscow — rightly — as a coherent actor able to coordinate defensive, let alone offensive operations. Individual states clearly have less muscle than the USA, and on previous evidence are likely to have to respond to any meddling on their own, able to count on their neighbours and allies for little more than words of solidarity.

We should not overdramatise the scale of the threat. While the Russians may have pushed Brexit in Britain, and president Milos Zeman in the Czech Republic, they also pushed Scottish independence and presidential candidate Norbert Hofer in Austria. The extent to which they can influence polls is probably slight. Besides which, the causes and candidates they support are not 'theirs'. They preferred Ruman Radev to Tsetska Tsacheva in Bulgaria’s presidential elections in November, for example, but Radev is a staunch supporter of NATO, not some Muscovite quisling.

Nonetheless, it is a threat. Even if their machinations can only swing a percentage point here or there, this can make all the difference in a tight vote. Furthermore, by the very fact of their interference, the Russians are further undermining the legitimacy of the Western democratic systems, as well as spreading suspicion and division within and between countries. This is, after all, their real aim. They do not really expect to be able to install 'Siberian Candidates' such much as keep the West so divided and distracted it cannot resist Russian actions in Ukraine and elsewhere in their self-defined sphere of influence.

In the long term, addressing fundamental contradictions within the EU, resolving the migrant crisis, strengthening cybersecurity and improving relations with Moscow would be the best ways to address this challenge. But sadly, these fundamentals will likely not see any breakthoughs in the next twelve months.

So the question will be, what measures can address the immediate vulnerabilities. It would be nice if officials and lawmakers stopped being sloppy about computer and information security, but in the meantime the present debate about the potential for hacks ought to be calibrated carefully to maintain public consciousness without creating paranoia.

In part, this must be part of the debate about disinformation. There is a place for media regulators to punish those spreading falsehood, whether through malice or simple negligence. But the current fashion for 'myth-busting' and, even worse, 'blacklists' too easily can devolve into McCarthyite campaigns to shrink the space for legitimate public conversation and demonise dissent. It is not simply a question of what might work in, say, Germany or Italy, but then considering how this may be used in illiberal Poland or Hungary. Rather, there needs to be a willingness to talk openly about how modern media too easily can be manipulated or used by all of us to insulate ourselves in echo chambers that feed our assumptions and prejudices.

But it is not just about 'fake news'. After all, the Clinton emails were not disinformation, they were information, strategically leaked. What gave them power was that they provided real evidence that democratic processes could be bypassed and manipulated by establishment elites, something that is at the heart of the current political legitimacy crises empowering populists across the West. It is a tall order, but greater transparency, a revival of popular participation, and a renewed willingness of the governing to engage with the concerns of the governed and to speak honestly, not just in focus-grouped talking points, will be the best counters to this.

Finally, though, even a Europe uncomfortable with confrontation must recognise that a security threat needs a security response. It may be that it is not enough simply to reaffirm sanctions on Ukraine, but to impose new ones in case of Russian meddling. Spies should be expelled, journalists acting as propagandists have their accreditation revoked, companies acting as front organisations fined or closed. In the long term, to be sure, Europe can ‘target harden’ its political systems, but in the short term it needs to demonstrate that, contrary to Russian assumptions, it has teeth of its own and the willingness to use them.