What Did the Senate Hearing Reveal About Russian Hacking?
A Q&A with cybersecurity expert Michael Sulmeyer on today’s Armed Services Committee hearing and the intelligence community’s response to foreign interference
Did Russian hacking influence the 2016 elections? If so, what motivated it? Those two questions have sparked the biggest political debate since Donald Trump was elected president in November, and as a new session of Congress starts and Trump takes office in just a few weeks, the questions still linger. The president-elect, intelligence agencies, high-ranking officials in both parties, and even Julian Assange have all been embroiled in the debate.
Congress hoped to take one step closer to resolving those questions on Thursday with a hearing before the Senate Armed Services Committee, chaired by Arizona Senator John McCain. James Clapper, the director of national intelligence; Admiral Mike Rogers, the head of the National Security Agency and U.S. Cyber Command; and Marcel Lettre, the undersecretary of defense for intelligence, testified before the committee. While some of their answers were revealing, most promised more details forthcoming—especially on the subject of Russian involvement—in private briefings and a public report over the next several weeks.
So what can we learn from the Thursday hearing? I spoke with Michael Sulmeyer, the director of the Belfer Center's Cyber Security Project at Harvard Kennedy School and a former cybersecurity official in the Department of Defense, about that report, the politicization of hacking, and potential Russian motives in election hacking. The following interview has been edited for clarity.
Vann R. Newkirk II: After the hearing, it seems like most of the real revelations are going to be incorporated into briefings and a report. Did you learn anything from the hearing, and what should people take away from it?
Michael Sulmeyer: The next step here is that tomorrow, that report will get briefed internally in government and then next week an unclassified public version will be released. Right from the beginning of the hearing, Director Clapper said that he did not intend to get in front of that report, so they weren't going to be discussing new information today. They were very clear that they were not going to get into that business. There were some interesting soundbites on information and media especially, and I think implicit in that is an acknowledgement that the way you deal with “fake news” and an information campaign is by more competing news and information, as opposed to just hitting back.
Newkirk: So not just a cyber-security presence but the way we report information as well?
Sulmeyer: I think that the media has been improving how it covers these kinds of stories. One of the things that I'm hoping universities can do is to provide some trainings, and make it so that when you have more technically based questions, you have resources and you have some practical experience of actually getting on a computer and doing some ethical hacking yourself. But in general, cybersecurity is one of those few areas where because the government does not talk a lot about it, the only way the American people know about it is through the lens of a handful of journalists, so that's a really powerful and important role they have.
Newkirk: One of those technical things that was brought up during the hearing was the difference between espionage and interference. Is what Director Clapper said something that's widely accepted in the intelligence community?
Sulmeyer: I think it's fairly well-accepted. It's accepted that states are going to conduct espionage, and spies are going to spy. We should be giving as good as we're getting, if not more. When it comes to weaponizing the products and the outcomes of that kind of spying and collection, and when it becomes more “active measures,” as Russians call it, that takes on a new color, and therefore warrants a different kind of consideration about how the United States would want to respond.
Newkirk: In the aggregate, what purpose do things like this hearing and the public reports serve in preparing the country's cybersecurity infrastructure?
Sulmeyer: In a lot of these reports, there are nuggets that can help those who are charged with defending big networks that can be targets of foreign hacking. But I think the broader point is to more definitively continue to raise the awareness that this happened, that it was deliberate, that it was organized by a foreign government for a specific purpose, and the evidence is mounting so much that it has become harder and harder for the deniers to be credible. It's not credible today, and it'll be even less credible next week. But there still hasn't been a credible explanation for why these folk believe that Russia was not involved. You have a report that'll come out next week and hopefully it'll add even more evidence and be even more convincing about what the intelligence community and the U.S. government have been saying for quite some time.
Newkirk: With that process of ensuring integrity, especially in elections, what does it mean if a president-elect or a president is openly adversarial to investigating claims of hacking?
Sulmeyer: It certainly is extremely concerning. As Director Clapper said, “there is a difference between healthy skepticism and disparagement.” We can talk about healthy skepticism that we should all have about what governments say. Our system of government is built on a separation of powers premised on some element of skepticism of executive power and too much power in any one organ. So I'm all good with healthy skepticism. But undermining the credibility of and disparaging the work of the intelligence community before you've even taken office, that's pretty bold.
And I think Admiral Rogers had it right when he said he hasn't taken a climate survey on morale, but if this type of rhetoric prompts a lot of people to leave, that weakens national security. Whether tweeting about it or not, the intelligence community is extremely important, and building a good relationship with them is going to have to be a priority for the next administration. We all lose if that doesn't happen.
Newkirk: With Russia's potential involvement, is there a politicization of hacking and cybersecurity that might impede the ability to fight or fix it, and might that hinder further elections?
Sulmeyer: I think that it's really unfortunate that this has become a political issue. It's stunning, actually, that a case that seems so clear cut, and then Julian Assange says something and that becomes the poster-child for deniers; deniers who a year or two ago said that Assange should be treated as an enemy combatant. The same people are now saying we have to listen to this guy. That's terrifying, and I think that there's a lot that can actually be done in this country to improve cybersecurity that can be independent of politics, and politicizing these issues cannot possibly help.
Newkirk: In the hearing, general consensus was that there was interference but not direct intervention in the actual electoral process in the counting of votes. Is there still a risk for that moving forward?
Sulmeyer: That's exactly the right question to be focused on. I would refer you to a paper that my colleague Ben Buchanan and I wrote just before the election called “Hacking Chads,” where we tried to make this distinction just as you did between hacking the voters and hacking the voting, to put it crudely. What we saw was hacking the voters; or trying to manipulate voters and interfere with the news cycle and how voters saw and perceived the election. We didn't see hacking of the voting infrastructure. In the paper, we talk about what you might see if that was going to happen, and try to give some impetus for reform going forward, regardless of the fact that it did not appear there was tampering. It doesn't mean that the system is still ok. The system is very vulnerable and not secure. You have very outdated systems—with some of them you can't even turn the wi-fi off.
Newkirk: Should we consider “hacking the voters” to be as illegitimate as tampering directly with the elections process?
Sulmeyer: Both are out of bounds. Whether you're trying to conduct an information operation to swing the results of an election, or whether you're trying to mess with tallying machines, we have to respond forcefully to both of those. We have a lot of work we can do over the next four years to be better next time around. The question for the incoming administration is: Are they going to make this a priority or are they going to leave us all vulnerable?
It's a good question, and I think it's hard for people who grew up studying international security in the nuclear age, when the real concern was about global destruction, to get exercised about information stuff. It's amorphous. It's not always clear. The causation is a little murky. But as Admiral Rogers was saying, we have to get to a point where we have to treat this differently. I think this episode has become a wake-up call for a lot of people in the field. Unfortunately, it's become partisan, which is not good, because we should all be able to agree that that kind of foreign interference is undesirable. To be frank, I think a lot of people just felt Secretary Clinton was going to win anyways, and they didn't think that this meddling was going to work out against her.