From climate change denial to pizza-parlor pedophile conspiracy theories, 2016 has thoroughly shaken the groundwork of facts that Americans agree on. But there’s at least one story that the US can’t afford to let slide into the muck of conspiracy theories, fake news, and truthiness: whether the Russian government hacked America’s election.
On Wednesday, Congressmen Elijah Cummings (D-MD) and Eric Swalwell (D-CA) introduced a bill to create an independent commission to investigate Russian government involvement in the digital attacks that shook the presidential election this year. It’s an extensive list. Security experts have linked Russian actors to hacker breaches of the Democratic National Committee, the Democratic Congressional Campaign Committee, the Gmail accounts of Hillary Clinton aide John Podesta and former Secretary of State Colin Powell, the voter rolls of Arizona, Illinois, and Florida, and a deluge of fake news. The 12-member commission, to be chosen by both Republicans and Democrats, would present their findings and recommendations for preventing future attacks in 18 months.
“This commission will do a bipartisan, independent, and robust review of Russia’s efforts to influence our election and attack our nation’s democracy, and it will make specific recommendations for the future,” Cummings told reporters Wednesday afternoon. “We must preserve the integrity of our democracy and Americans’ trust in our electoral system.”
After a deeply divisive campaign, that call for an investigation from two Democrats might sound like a partisan witch hunt meant to highlight Russian president Vladimir Putin’s ties to President-elect Donald Trump. It follows a letter from Democratic members of the Senate’s intelligence committee that asks President Obama to declassify existing evidence relating to Russian hacking.
But the issue goes beyond partisan politics. Republican Senator Lindsay Graham on Wednesday told CNN he and fellow GOP luminary John McCain will also push for investigations into the hacking incidents. And cybersecurity experts are echoing those calls for a deeper, public investigation into the evidence of Russian hacking—both the majority who already believe that the Russian government carried out the attacks, and the small minority that don’t.
“This is the most serious type of digital sabotage we’ve ever seen of a political system, and we’re not seeing the appropriate conversation,” says Thomas Rid, a cybersecurity-focused professor in the department of War Studies at King’s College London and author of Rise of the Machines. “Having a public conversation about this problem—staring the problem of electoral sabotage in the face—means it’s harder to do it again.”
From Russia With…Very Little Doubt
For most of the cybersecurity and US intelligence community, the Russian government’s ties to this year’s electoral hacks are no longer up for debate. Security firms Crowdstrike, Mandiant and Fidelis all analyzed evidence of the DNC hack and agreed it was the work of two Russian intelligence agency hacking teams, using some of the same tools and techniques as earlier breaches by those groups. Despite the pseudonymous claims of a supposedly Romanian hacker taking solo credit, the files he or she leaked contained Russian-language formatting error messages. And in October, the Department of Homeland Security and the Office of the Director of National Intelligence jointly issued a statement pinning the hacks on the Kremlin, writing that “only Russia’s senior-most officials could have authorized these activities.”
In fact, some in the cybersecurity community argue that the Russian government’s involvement is so clear that a commission would be a waste of time and money. Former NSA staffer Dave Aitel, the founder of security firm Immunity, points to NSA Director Michael Rogers’ recent statement that “there shouldn’t be any doubts in anybody’s mind” that the DNC and DCCC hacks were “a conscious effort by a nation state to attempt to achieve a specific effect.” A commission, he argues, can’t offer much more certainty than that. “If you don’t trust the director of the NSA, you have a much worse problem,” says Aitel. “I don’t know anyone serious in the intelligence community who’s confused about it.”
And yet, for some, doubts linger. That starts with Trump, who has publicly ignored the statements of intelligence agencies even after receiving classified intelligence briefings. He recently telling Time Magazine that the electoral hacking “could be Russia. And it could be China. And it could be some guy in his home in New Jersey.”
Trump’s not alone, though. Jeffrey Carr, a cybersecurity analyst and author of Inside Cyber Warfare, point out that DHS and ODNI attribution to Russia wasn’t backed up with public evidence He compares the agencies’ brief statements about Russia’s involvement to the more detailed claims intelligence agencies released when North Korea hacked Sony Entertainment in late 2014. Those North Korea accusations included a speech in which President Obama named Kim Jong-Un’s government as the source of the hack, and a press conference by FBI director James Comey in which he laid some of evidence of the country’s involvement. “In this case I don’t see anything like that,” Carr says.
The Importance of Clarity
That there’s any question at all as to whether Russia directly attempted to fear with our election, though, seems all the more reason to know for sure. Even a skeptic like Carr agrees. “I’m totally in favor of a commission that will take a hard look, examine the quality of the evidence and issue a finding,” Carr says. “If a foreign government is interfering with a critical process like our election, that should transcend the disputes between Republicans and Democrats.”
A more open investigation wouldn’t just help dispel doubts and disinformation, says Rid. It would also send a message to Russian hackers at a time when cybersecurity analysts warn they’ve been emboldened by Trump’s win, and that they perceive their successful hack of the DNC as evidence that the same tactics will work in upcoming elections in Germany, France, and the Netherlands. Crowdstrike and the security firm Trend Micro have both reported that one of the two Russian hacker groups responsible for the DNC hack has continued to attempt intrusions on targets across the US and Europe this fall, including several that resulted in successful, still-unpublicized breaches. And security firm Volexity found that the second Russian group had launched a targeted phishing campaign against American universities, think tanks, the State Department and Radio Free Europe just hours after Trump’s election.
As those attacks continue, a commission of the sort Cummings and Swalwell have called for wouldn’t just put doubts around our most recent election to rest. It could be the first step in a meaningful response aimed at deterring those political hacks. “We have to find a way to counter this,” says Rid. “To show that politically, this is really not acceptable, that America is not going to accept this without a response.”