Putin Is Well on His Way to Stealing the Next Election
Jack Cable sat down at the desk in his cramped dorm room to become an adult in the eyes of democracy. The rangy teenager, with neatly manicured brown hair and chunky glasses, had recently arrived at Stanford—his first semester of life away from home—and the 2018 midterm elections were less than two months away. Although he wasn’t one for covering his laptop with strident stickers or for taking loud stands, he felt a genuine thrill at the prospect of voting. But before he could cast an absentee ballot, he needed to register with the Board of Elections back home in Chicago.
To hear more feature stories, get the Audm iPhone app.
When Cable tried to complete the digital forms, an error message stared at him from his browser. Clicking back to his initial entry, he realized that he had accidentally typed an extraneous quotation mark into his home address. The fact that a single keystroke had short-circuited his registration filled Cable with a sense of dread.
Despite his youth, Cable already enjoyed a global reputation as a gifted hacker—or, as he is prone to clarify, an “ethical hacker.” As a sophomore in high school, he had started participating in “bug bounties,” contests in which companies such as Google and Uber publicly invite attacks on their digital infrastructure so that they can identify and patch vulnerabilities before malicious actors can exploit them. Cable, who is preternaturally persistent, had a knack for finding these soft spots. He collected enough cash prizes from the bug bounties to cover the costs of four years at Stanford.
Though it wouldn’t have given the average citizen a moment of pause, Cable recognized the error message on the Chicago Board of Elections website as a telltale sign of a gaping hole in its security. It suggested that the site was vulnerable to those with less beneficent intentions than his own, that they could read and perhaps even alter databases listing the names and addresses of voters in the country’s third-largest city. Despite his technical savvy, Cable was at a loss for how to alert the authorities. He began sending urgent warnings about the problem to every official email address he could find. Over the course of the next seven months, he tried to reach the city’s chief information officer, the Illinois governor’s office, and the Department of Homeland Security.
As he waited for someone to take notice of his missives, Cable started to wonder whether the rest of America’s electoral infrastructure was as weak as Chicago’s. He read about how, in 2016, when he was a junior in high school, Russian military intelligence—known by its initials, GRU—had hacked the Illinois State Board of Elections website, transferring the personal data of tens of thousands of voters to Moscow. The GRU had even tunneled into the computers of a small Florida company that sold software to election officials in eight states.
Out of curiosity, Cable checked to see what his home state had done to protect itself in the years since. Within 15 minutes of poking around the Board of Elections website, he discovered that its old weaknesses had not been fully repaired. These were the most basic lapses in cybersecurity—preventable with code learned in an introductory computer-science class—and they remained even though similar gaps had been identified by the FBI and the Department of Homeland Security, not to mention widely reported in the media. The Russians could have strolled through the same door as they had in 2016.
[From the January/February 2018 issue cover story: What Putin really wants]
Between classes, Cable began running tests on the rest of the national electoral infrastructure. He found that some states now had formidable defenses, but many others were like Illinois. If a teenager in a dorm room—even an exceptionally talented one—could find these vulnerabilities, they were not going to be missed by a disciplined unit of hackers that has spent years studying these networks, a unit with the resources of a powerful nation bent on discrediting an American election.
#DemocracyRIP was both the hashtag and the plan. The Russians were expecting the election of Hillary Clinton—and preparing to immediately declare it a fraud. The embassy in Washington had attempted to persuade American officials to allow its functionaries to act as observers in polling places. A Twitter campaign alleging voting irregularities was queued. Russian diplomats were ready to publicly denounce the results as illegitimate. Events in 2016, of course, veered in the other direction. Yet the hashtag is worth pausing over for a moment, because, though it was never put to its intended use, it remains an apt title for a mission that is still unfolding.
Russia’s interference in the last presidential election is among the most closely studied phenomena in recent American history, having been examined by Special Counsel Robert Mueller and his prosecutors, by investigators working for congressional committees, by teams within Facebook and Twitter, by seemingly every think tank with access to a printing press. It’s possible, however, to mistake a plot point—the manipulation of the 2016 election—for the full sweep of the narrative.
Events in the United States have unfolded more favorably than any operative in Moscow could have ever dreamed: Not only did Russia’s preferred candidate win, but he has spent his first term fulfilling the potential it saw in him, discrediting American institutions, rending the seams of American culture, and isolating a nation that had styled itself as indispensable to the free world. But instead of complacently enjoying its triumph, Russia almost immediately set about replicating it. Boosting the Trump campaign was a tactic; #DemocracyRIP remains the larger objective.
[From the April 2020 issue: George Packer on how Trump is winning his war on American institutions]
In the week that followed Donald Trump’s election, Russia used its fake accounts on social media to organize a rally in New York City supporting the president-elect—and another rally in New York decrying him. Hackers continued attempting to break into state voting systems; trolls continued to launch social-media campaigns intended to spark racial conflict. Through subsidiaries, the Russian government continued to funnel cash to viral-video channels with names like In the Now and ICYMI, which build audiences with ephemera (“Man Licks Store Shelves in Online Post”), then hit unsuspecting readers with arguments about Syria and the CIA. This winter, the Russians even secured airtime for their overt propaganda outlet Sputnik on three radio stations in Kansas, bringing the network’s drive-time depictions of American hypocrisy to the heartland.
While the Russians continued their efforts to undermine American democracy, the United States belatedly began to devise a response. Across government—if not at the top of it—there was a panicked sense that American democracy required new layers of defense. Senators drafted legislation with grandiose titles; bureaucrats unfurled the blueprints for new units and divisions; law enforcement assigned bodies to dedicated task forces. Yet many of the warnings have gone unheeded, and what fortifications have been built appear inadequate.
Jack Cable is a small emblem of how the U.S. government has struggled to outpace the Russians. After he spent the better part of a semester shouting into the wind, officials in Chicago and in the governor’s office finally took notice of his warnings and repaired their websites. Cable may have a further role to play in defending America’s election infrastructure. He is part of a team of competitive hackers at Stanford—national champions three years running—that caught the attention of Alex Stamos, a former head of security at Facebook, who now teaches at the university. Earlier this year, Stamos asked the Department of Homeland Security if he could pull together a group of undergraduates, Cable included, to lend Washington a hand in the search for bugs. “It’s talent, but unrefined talent,” Stamos told me. DHS, which has an acute understanding of the problem at hand but limited resources to solve it, accepted Stamos’s offer. Less than six months before Election Day, the government will attempt to identify democracy’s most glaring weakness by deploying college kids on their summer break.
Despite such well-intentioned efforts, the nation’s vulnerabilities have widened, not narrowed, during the past four years. Our politics are even more raw and fractured than in 2016; our faith in government—and, perhaps, democracy itself—is further strained. The coronavirus may meaningfully exacerbate these problems; at a minimum, the pandemic is leeching attention and resources from election defense. The president, meanwhile, has dismissed Russian interference as a hoax and fired or threatened intelligence officials who have contradicted that narrative, all while professing his affinity for the very man who ordered this assault on American democracy. Fiona Hill, the scholar who served as the top Russia expert on Trump’s National Security Council, told me, “The fact that they faced so little consequence for their action gives them little reason to stop.”
The Russians have learned much about American weaknesses, and how to exploit them. Having probed state voting systems far more extensively than is generally understood by the public, they are now surely more capable of mayhem on Election Day—and possibly without leaving a detectable trace of their handiwork. Having hacked into the inboxes of political operatives in the U.S. and abroad, they’ve pioneered new techniques for infiltrating campaigns and disseminating their stolen goods. Even as to disinformation, the best-known and perhaps most overrated of their tactics, they have innovated, finding new ways to manipulate Americans and to poison the nation’s politics. Russia’s interference in 2016 might be remembered as the experimental prelude that foreshadowed the attack of 2020.
Jack Cable, photographed in Chicago in April. The Stanford undergraduate found that dangerous vulnerabilities in Illinois’s electoral infrastructure had not been repaired after 2016. (David Kasnic)1. Hack the Vote
When officials arrived at work on the morning of May 22, 2014, three days before a presidential election, they discovered that their hard drives were fried. Hours earlier, pro-Kremlin hackers had taken a digital sledgehammer to a vital piece of Ukraine’s democratic infrastructure, the network that collects vote tallies from across the nation. After finishing the task, they taunted their victim, posting photos of an election commissioner’s renovated bathroom and his wife’s passport.
Relying on a backup system, the Ukrainians were able to resuscitate their network. But on election night the attacks persisted. Hackers sent Russian journalists a link to a chart they had implanted on the official website of Ukraine’s Central Election Commission. The graphic purported to show that a right-wing nationalist had sprinted to the lead in the presidential race. Although the public couldn’t access the chart, Russian state television flashed the forged results on its highly watched newscast.
If the attack on Ukraine represented something like all-out digital war, Russia’s hacking of the United States’ electoral system two years later was more like a burglar going house to house jangling doorknobs. The Russians had the capacity to cause far greater damage than they did—at the very least to render Election Day a chaotic mess—but didn’t act on it, because they deemed such an operation either unnecessary or not worth the cost. The U.S. intelligence community has admitted that it’s not entirely sure why Russia sat on its hands. One theory holds that Barack Obama forced Russian restraint when he pulled Vladimir Putin aside at the end of the G20 Summit in Hangzhou, China, on September 5, 2016. With only interpreters present, Obama delivered a carefully worded admonition not to mess with the integrity of the election. By design, he didn’t elaborate any specific consequence for ignoring his warning.
[From the March 2017 issue: Franklin Foer on how Vladimir Putin became the hero of nationalists everywhere]
Perhaps the warning was heeded. The GRU kept on probing voting systems through the month of October, however, and there are other, more ominous explanations for Russia’s apparent restraint. Michael Daniel, who served as the cybersecurity coordinator on Obama’s National Security Council, told the Senate Intelligence Committee that the Russians were, in essence, casing the joint. They were gathering intelligence about the digital networks that undergird American elections and putting together a map so that they “could come back later and actually execute an operation.”
What sort of operation could Russia execute in 2020? Unlike Ukraine, the United States doesn’t have a central node that, if struck, could disable democracy at its core. Instead, the United States has an array of smaller but still alluring targets: the vendors, niche companies, that sell voting equipment to states and localities; the employees of those governments, each with passwords that can be stolen; voting machines that connect to the internet to transmit election results.
Matt Masterson is a senior adviser at the Department of Homeland Security’s freshly minted Cybersecurity and Infrastructure Security Agency, a bureau assigned to help states protect elections from outside attack; it’s where Jack Cable will work this summer. I asked Masterson to describe the scenarios that keep him up at night. His greatest fear is that an election official might inadvertently enable a piece of ransomware. These are malicious bits of code that encrypt data and files, essentially placing a lock on a system; money is then demanded in exchange for the key. In 2017, Ukraine was targeted again, this time with a similar piece of malware called NotPetya. But instead of extorting Ukraine, Russia sought to cripple it. NotPetya wiped 10 percent of the nation’s computers; it disabled ATMs, telephone networks, and banks. (The United States is well aware of NotPetya’s potency, because it relied on a tool created by—and stolen from—the National Security Agency.) If the Russians attached such a bug to a voter-registration database, they could render an entire election logistically unfeasible; tracking who had voted and where they’d voted would be impossible.
But Russia need not risk such a devastating attack. It can simply meddle with voter-registration databases, which are filled with vulnerabilities similar to the ones that Cable exposed. Such meddling could stop short of purging voters from the rolls and still cause significant disruptions: Hackers could flip the digits in addresses, so that voters’ photo IDs no longer match the official records. When people arrived at the polls, they would likely still be able to vote, but might be forced to cast provisional ballots. The confusion and additional paperwork would generate long lines and stoke suspicion about the underlying integrity of the election.
Given the fragility of American democracy, even the tiniest interference, or hint of interference, could undermine faith in the tally of the vote. On Election Night, the Russians could place a page on the Wisconsin Elections Commission website that falsely showed Trump with a sizable lead. Government officials would be forced to declare it a hoax. Imagine how Twitter demagogues, the president among them, would exploit the ensuing confusion.
Such scenarios ought to have sparked a clamor for systemic reform. But in the past, when the federal government has pointed out these vulnerabilities—and attempted to protect against them—the states have chafed and moaned. In August 2016, President Obama’s homeland-security secretary, Jeh Johnson, held a conference call with state election officials and informed them of the need to safeguard their infrastructure. Instead of accepting his offer of help, they told him, “This is our responsibility and there should not be a federal takeover of the election system.”
After the 2016 election, the federal government could have taken a stronger hand with localities. Unprecedented acts of foreign interference presumably would have provided quite a bit of leverage. That did not happen. The president perceives any suggestion of Russian interference as the diminution of his own legitimacy. This has contributed to a conspiracy of silence about the events of 2016. A year after the election, the Department of Homeland Security told 21 states that Russia had attempted to hack their electoral systems. Two years later, a Senate report publicly disclosed that Russia had, in fact, targeted all 50 states. When then–DHS Secretary Kirstjen Nielsen tried to raise the subject of electoral security with the president, acting White House Chief of Staff Mick Mulvaney reportedly told her to steer clear of it. According to The New York Times, Mulvaney said it “wasn’t a great subject and should be kept below his level.”
[From the April 2019 issue: William J. Burns on how the U.S.-Russian relationship went bad]
This atmosphere stifled what could have been a genuinely bipartisan accomplishment. The subject of voting divides Republicans and Democrats. Especially since the Bush v. Gore decision in 2000, the parties have stitched voting into their master narratives. Democrats accuse Republicans of suppressing the vote; Republicans accuse Democrats of flooding the polls with corpses and other cheating schemes. Despite this rancor, both sides seemed to agree that Russian hacking of voting systems was not a good thing. After the 2016 election, Democratic Senator Amy Klobuchar, from Minnesota, partnered with Republican Senator James Lankford, from Oklahoma, on the Secure Elections Act. The bill would have given the states money to replace electronic voting machines with ones that leave a paper trail and would have required states to audit election results to confirm their accuracy. The reforms would also have had the seemingly salutary effect of making it easier for voters to cast ballots.
The Secure Elections Act wouldn’t have provided perfect insulation from Russian attacks, but it would have been a meaningful improvement on the status quo, and it briefly looked as if it could pass. Then, on the eve of a session to mark up the legislation—a moment for lawmakers to add their final touches—Senate Republicans suddenly withdrew their support, effectively killing the bill. Afterward, Democrats mocked Senate Majority Leader Mitch McConnell as “Moscow Mitch,” an appellation that stung enough that the senator ultimately agreed to legislation that supplied the states with hundreds of millions of dollars to buy new voting systems—but without any security demands placed on the states or any meaningful reforms to a broken system. McConnell made it clear that he despised the whole idea of a legislative fix to the electoral-security problem: “I’m not going to let Democrats and their water carriers in the media use Russia’s attack on our democracy as a Trojan horse for partisan wish-list items that would not actually make our elections any safer.” For McConnell, suppressing votes was a higher priority than protecting them from a foreign adversary.
2. The Big Phish
To raise the subject of John Podesta’s email in his presence is a callous act. But I wanted his help tabulating a more precise toll of Russian hacking—how it leaves a messy trail of hurt feelings, saps precious mental space, and reshapes the course of a campaign. After repeatedly prodding him for an interview, I finally met with Hillary Clinton’s old campaign chief in his Washington office, which stares down onto the steeple of the church Abraham Lincoln attended during the Civil War. Dressed in a plaid shirt, with a ballpoint pen clipped into the pocket, Podesta rocked back and forth in a swivel chair as he allowed me to question him about one of the most wince-inducing moments in recent political history.
Months before WikiLeaks began publishing his emails, Podesta had an inkling that his Gmail account had been compromised. Internal campaign documents had appeared on an obscure website, and he considered the possibility that they had been lifted from his computer. Still, the call from a member of the campaign’s communications team on October 7, 2016, left him gobsmacked. As he finished a session of debate preparation with Clinton, he learned that Julian Assange intended to unfurl the contents of his inbox over the remaining month of the campaign. It’s a familiar if much-ignored maxim in politics that no email should ever contain content one wouldn’t want to see on the front page of The New York Times. This was now Podesta’s reality.
On the 10th floor of the Clinton campaign’s headquarters, in Brooklyn, a team of 14 staffers quickly assembled. They covered a glass door in opaque paper to prevent voyeurs from observing their work and began to pore over every word of his 60,000 emails—every forwarded PDF, every gripe from an employee, even the meticulous steps of his risotto recipe. The project would consume the entirety of the month. Every day, Podesta set aside time to meet with emissaries from the 10th floor and review their findings. “I willed myself not to feel pain,” he told me.
John Podesta rides the Vamoose Bus in June 2015. After WikiLeaks published the Clinton-campaign chairman’s emails, identity thieves attempted to claim his Social Security benefits and applied for credit cards in his name. One fraudster even stole the points Podesta had accumulated in the Vamoose rewards program. (Melina Mara / The Washington Post / Getty)
The material that WikiLeaks eventually posted created some awkward moments. Podesta had received snarky emails from colleagues, and had sent a few himself. To repair relationships, Podesta found himself apologizing to co-workers, friends, former Cabinet secretaries. Even when the contents of the leaked messages seemed innocuous, new annoyances would arise. WikiLeaks hadn’t redacted the correspondence to protect privacy, leaving the cellphone numbers of campaign staffers for the world to view. In the middle of meetings, staffers would find their devices vibrating incessantly; strangers would fill their voicemails with messages like I hope you’re raped in prison. Identity thieves quickly circled Podesta, attempting to claim his Social Security benefits and applying for credit cards in his name. Despite a political career that has permitted him to whisper into the ears of presidents, the legendarily frugal Podesta had commuted to New York on Vamoose, a discount bus line. A fraudster exploited the hack to steal the points he had accumulated in the Vamoose rewards program.
As Podesta revisited these painful moments, he claimed that he’d stoically persisted in their face: “I kept going on television. I kept raising money. I kept traveling with Hillary and President Clinton. I kept doing everything that I had been doing.” But these were the closing weeks of an election that would turn on fewer than 80,000 votes spread across three states. For a campaign that arguably didn’t invest its resources properly in the final stretch, the question must be asked: How badly did the Russians throw the campaign off its game? The least visible damage of the hack might have been the most decisive.
In the years since the Podesta hack, Microsoft’s Tom Burt has continually battled its perpetrators. As the man charged with safeguarding the security of Windows, Word, and his company’s other software, he has developed a feel for the GRU’s rhythms and habits. Through Microsoft’s work with political parties and campaigns around the world—the company offers them training and sells them security software at a discount—Burt has accumulated lengthy dossiers on past actions.
What he’s noticed is that attacks tend to begin on the furthest fringes of a campaign. A standard GRU operation starts with think-tank fellows, academics, and political consultants. These people and institutions typically have weak cybersecurity fortifications, the penetration of which serves dual purposes. As the GRU pores through the inboxes of wonks and professors, it gathers useful intelligence about a campaign. But the hacked accounts also provide platforms for a more direct assault. Once inside, the GRU will send messages from the hacked accounts. The emails come from a trusted source, and carry a plausible message. According to Burt, “It will say something like ‘Saw this great article on the West Bank that you should review,’ and it’s got a link to a PDF. You click on it, and now your campaign network is infected.” (Although Burt won’t discuss specific institutions, he wrote a blog post last year describing attacks on the German Marshall Fund and the European offices of the Aspen Institute.)
Podesta fell victim to a generic spear-phishing attack: a spoofed security warning urging him to change his Gmail password. Many of us might like to think we’re sophisticated enough to avoid such a trap, but the Russians have grown adept at tailoring bespoke messages that could ensnare even the most vigilant target. Emails arrive from a phony address that looks as if it belongs to a friend or colleague, but has one letter omitted. One investigator told me that he’s noticed that Russians use details gleaned from Facebook to script tantalizing messages. If a campaign consultant has told his circle of friends about an upcoming bass-fishing trip, the GRU will package its malware in an email offering discounts on bass-fishing gear.
Many of these techniques are borrowed from Russian cybercrime syndicates, which hack their way into banks and traffic in stolen credit cards. Burt has seen these illicit organizations using technologies that he believes will soon be imported to politics. For instance, new synthetic-audio software allows hackers to mimic a voice with convincing verisimilitude. Burt told me, “In the cybercrime world, you’re starting to see audio phishes, where somebody gets a voicemail message from their boss, for example, saying, ‘Hey, I need you to transfer this money to the following account right away.’ It sounds just like your boss and so you do it.”
What the Russians can’t obtain from afar, they will attempt to pilfer with agents on the ground. The same GRU unit that hacked Podesta has allegedly sent operatives to Rio de Janeiro, Kuala Lumpur, and The Hague to practice what is known as “close-access hacking.” Once on the ground, they use off-the-shelf electronic equipment to pry open the Wi-Fi network of whomever they’re spying on.
The Russians, in other words, take risks few other nations would dare. They are willing to go to such lengths because they’ve reaped such rich rewards from hacking. Of all the Russian tactics deployed in 2016, the hacking and leaking of documents did the most immediate and palpable damage—distracting attention from the Access Hollywood tape, and fueling theories that the Democratic Party had rigged its process to squash Bernie Sanders’s campaign.
In 2020, the damage could be greater still. Podesta told me that when he realized his email had been breached, he feared that the hackers would manufacture embarrassing or even incriminating emails and then publish them alongside the real ones. It’s impossible to know their reasoning, but Russian hackers made what would prove to be a clever decision not to alter Podesta’s email. Many media outlets accepted whatever emails WikiLeaks published without pausing to verify every detail, and they weren’t punished for their haste. The Podesta leaks thus established a precedent, an expectation that hacked material is authentic—perhaps the most authentic version of reality available, an opportunity to see past a campaign’s messaging and spin and read its innermost thoughts.
In fact, the Russians have no scruples about altering documents. In 2017, hackers with links to the GRU breached the inboxes of French President Emmanuel Macron’s campaign staffers. The contents were rather banal, filled with restaurant reservations and trivial memos. Two days before these were released, other documents surfaced on internet message boards. Unlike the emails, these were pure fabrications, which purported to show that Macron had used a tax haven in the Cayman Islands. The timing of their release, however, gave them credibility. It was natural to assume that they had been harvested from the email hack, too. The Macron leaks suggested a dangerous new technique, a sinister mixing of the hacked and the fabricated intended to exploit the electorate’s hunger for raw evidence and faith in purloined documents.
3. Disinformation 2.0
In the spring of 2015, trolls in St. Petersburg peered at the feed of a webcam that had been furtively placed in New York City. Sitting in front of a computer screen on the second floor of a squat concrete office building, the trolls waited to see if they could influence the behavior of Americans from the comfort of Russian soil.
The men worked for a company bankrolled by Yevgeny Prigozhin, a bald-headed hot-dog vendor turned restaurateur, known to the Russian press as “Putin’s chef.” In the kleptocratic system that is the Russian economy, men like Prigozhin profit from their connections to Putin and maintain their inner-circle status by performing missions on his behalf. The operation in St. Petersburg was run by the Internet Research Agency, a troll farm serving the interests of the Kremlin. (Prigozhin has denied any involvement with the IRA.)
The IRA is an heir to a proud Russian tradition. In the Soviet Union’s earliest days, the state came to believe that it could tip the world toward revolution through psychological warfare and deception, exploiting the divisions and weaknesses of bourgeois society. When it was assigned this task, the KGB referred to its program by the bureaucratic yet ominous name Active Measures. It pursued this work with artistic verve. It forged letters from the Ku Klux Klan that threatened to murder African athletes at the 1984 Summer Olympics in Los Angeles. It fomented conspiracies about the CIA—that the agency had orchestrated the spread of the AIDS virus in a laboratory and plotted the assassination of President John F. Kennedy. Some of these KGB schemes were harebrained. But as one defector to the West put it, more Americans believed the Soviet version of JFK’s murder than the Warren Report.
The IRA has updated the principles of Active Measures for the digital age. On social media, disinformation can flourish like never before. Whereas the KGB once needed to find journalistic vehicles to plant their stories—usually the small-audience fringes of the radical press—Facebook and Twitter hardly distinguished between mainstream outlets and clickbait upstarts. And many of the new platforms were designed to manipulate users, to keep them engaged for as long as possible. Their algorithms elevated content that fueled panic and anger.
With the New York webcam, the IRA was testing a hunch: that, through the miracle of social media, it could now toy with Americans as if they were marionettes. As the political scientist Thomas Rid recounts in his powerful new history, Active Measures, a post on Facebook promised that free hot dogs would be available to anyone who arrived on a specific corner at a prescribed time. Back in St. Petersburg, IRA employees watched as New Yorkers arrived, looked at their phones in frustration, and skulked away.
The ruse was innocuous, but it proved a theory that could be put to far more nefarious ends: Social media had made it possible, at shockingly low cost, for Russians to steer the emotions and even movements of Americans. No study has quantified how many votes have been swayed by the 10 million tweets that the IRA has pumped into the digital world; no metric captures how its posts on Facebook and Instagram altered America’s emotional valence as it headed to the polls in 2016. In the end, the IRA’s menagerie of false personas and fusillades of splenetic memes were arguably more effective at garnering sensationalistic headlines than shifting public opinion. For their part, the IRA’s minions immodestly credited themselves with having tilted the trajectory of history. The U.S. government obtained an email from an IRA employee describing the scene at the St. Petersburg office on Election Night: “When around 8 a.m. the most important result of our work arrived, we uncorked a tiny bottle of champagne … took one gulp each and looked into each other’s eyes … We uttered almost in unison: ‘We made America great.’ ”
Having run a noisy operation in 2016, the IRA has since learned to modulate itself. Its previous handiwork, much of which was riddled with poor syntax and grammatical errors, hardly required a discerning eye to identify. These days, the IRA takes care to avoid such sloppiness. Now, when they want to, IRA trolls can make themselves inconspicuous.
Relying on this quieter approach, the IRA has carried the theory of its hot-dog experiment into American political life. When white supremacists applied for a permit to hold a march in 2018 to commemorate the first anniversary of their protests in Charlottesville, Virginia, a Facebook group organized a counterprotest in Washington, D.C. The group was called the Resisters. Its administrators, who went by the names Mary and Natasha, recruited a coterie of enthusiastic organizers to promote the rally. When Facebook took down the Resisters’ page—noting its ties to IRA accounts, and implying that Mary and Natasha were fictitious creations—American leftists were shocked to learn that they had apparently been hatching plans with foreign trolls. According to The New York Times, they were also furious with Facebook: Whether or not the page was a Russian ploy, it had become a venue for real Americans to air their real grievances. In fact, it was hard to pinpoint where the Active Measures ended and the genuine action began—the sort of tradecraft that the KGB would have admired.
Although the IRA might practice stealth when the operation demands, in other circumstances it will deploy raw bluster. Starting in 2017, it launched a sustained effort to exaggerate the specter of its interference, a tactic that social-media companies call “perception hacking.” Its trolls were instructed to post about the Mueller report and fan the flames of public anger over the blatant interference it revealed. On the day of the 2018 midterm elections, a group claiming to be the IRA published a grandiloquent manifesto on its website that declared: “Soon after November 6, you will realize that your vote means nothing. We decide who you vote for and what candidates will win or lose. Whether you vote or not, there is no difference as we control the voting and counting systems. Remember, your vote has zero value. We are choosing for you.”
The claim was absurd, but the posturing had a purpose. If enough Americans come to believe that Russia can do whatever it wants to our democratic processes without consequence, that, too, increases cynicism about American democracy, and thereby serves Russian ends. As Laura Rosenberger, a former National Security Council staffer under Obama who runs the Alliance for Securing Democracy, put it, “They would like us to see a Russian under every bed.”
Judging by this year’s presidential-primary campaign, they have been successful in this effort. When the Iowa Democratic Party struggled to implement new technology used to tally results for the state’s caucus, television panelists, Twitter pundits, and even a member of Congress speculated about the possibility of hacking, despite a lack of evidence to justify such loose talk. American incompetence had been confused for a plot against America.
4. An Uncoordinated Response
As the outlines of the IRA’s efforts began to emerge in the months following the 2016 election, Facebook at first refused to acknowledge the problem. The company’s defensiveness called attention to its laissez-faire attitude toward the content that it elevated in people’s News Feeds. Facebook found itself flayed by congressional committees, its inner workings exposed by investigative journalists. Ostensibly it had been Alex Stamos’s job to prevent the last attack, and now he faced another wave of disinformation, with midterm elections fast approaching. Stamos worried that, in the absence of an orchestrated defense, his company, as well as the nation, would repeat the mistakes of 2016.
In the spring of 2018, he invited executives from the big tech companies and leaders of intelligence agencies to Facebook’s headquarters in Menlo Park, California. As he thought about it, Stamos was surprised that such a summit hadn’t been organized sooner. What shocked him more was a realization he had as the meeting convened: Few of these people even knew one another. “People who ran different agencies working on foreign interference met for the first time at Menlo Park, even though they were 10 Metro stops away in D.C.,” he told me. “The normal collaborative process in government didn’t exist on this issue.”
Stamos’s summit succeeded in spurring cooperation. Prior to the meeting, one tech company would identify and disable Russian accounts but fail to warn its competitors, allowing the same trolls to continue operating with impunity. Over the course of 2018, the tech industry gradually began acting in concert. The lead investigators on the threat-intelligence teams at 30 companies—including Facebook, Verizon, and Reddit—joined a common channel on Slack, the messaging platform. When one company spies a nascent operation, it can now ring a bell for the others. This winter, Facebook and Twitter jointly shut down dozens of accounts associated with a single residential address in Accra, Ghana, where the Russians had set up a troll factory and hired local 20-somethings to impersonate African Americans and stoke online anger.
Yet this remains a game of cat and mouse in which the mice enjoy certain advantages. Despite the engineering prowess of the social-media companies, they haven’t yet built algorithms capable of reliably identifying coordinated campaigns run by phony Russian accounts. In most instances, their algorithms will suggest the inauthenticity of certain accounts. Those data points become a lead, which is then passed along to human investigators.
Facebook has several dozen employees on its threat-intelligence team, many of them alumni of the three-letter agencies in Washington. Still, the tech companies rely heavily on law enforcement for tips. Facebook and Twitter have frequent check-ins with the FBI. Without the bureau, Facebook might have missed an IRA video filled with lies about Russian tampering in the midterm elections. After a heads-up from the government, Facebook blocked the IRA from uploading the video before it ever appeared on its site, using the same technique that it deploys to suppress Islamic State snuff videos and child pornography. Rising from their denialist crouch, the social-media companies have proved themselves capable of aggressive policing; after treating the IRA as a harmless interloper, they came to treat it with the sort of disdain they otherwise reserve for terrorists and deviants.
Devising strategies for thwarting the last attack is far easier than preventing the next one. Even if Russian disinformation can be tamped down on social media—and the efforts here, on balance, are encouraging—there are other ways, arguably more consequential, to manipulate American politics, and scant defense against them.
On an early-March afternoon, I typed the Federal Election Commission as a destination into Uber and was disgorged at a building the agency hasn’t occupied for two years. The antiquated address placed me on course to arrive half an hour late for an appointment with Ellen Weintraub, the longest-serving and most vociferous member of the commission nominally assigned to block the flow of foreign money into political campaigns. When I called her office to inform her of my tardiness, her assistant told me not to worry: Weintraub’s schedule was wide open that afternoon. In fact, for the past six months the FEC hadn’t conducted much official business. Only three Senate-approved commissioners were installed in their jobs, even though the agency should have six and needs four for a quorum.
Weintraub, a Democrat, has an impish streak. Near the beginning of the FEC’s hibernation, she called out a fellow commissioner who had blocked the publication of a memo that seemed to criticize the Trump campaign for its 2016 meeting with a Russian lawyer—then posted the memo in a 57-part thread on Twitter. Weintraub has grown accustomed to her colleagues ignoring her questions about the presence of Russian and other illicit money in American campaigns. When the commission received a complaint suggesting that the FBI was investigating the National Rifle Association as a conduit for Russian money, she asked her fellow commissioners for permission to call the FBI, to, as she put it, “see if they have interesting information they want to share. But they said, ‘We’re not going to call the FBI.’ They didn’t want to do anything.”
Outside Weintraub’s office, the subject of Russia’s illicit financing of campaigns hardly provokes any attention. The Alliance for Securing Democracy was the only organization I could find that comprehensively tracks the issue. It has collected examples of Russian money flowing into campaigns around the world: a 9.4-million-euro loan made to the French nationalist Marine Le Pen’s party; operatives arriving in Madagascar before an election with backpacks full of cash to buy TV ads on behalf of Russia’s preferred candidate and to pay journalists to cover his rallies.
Or take a case closer to home: Lev Parnas and Igor Fruman—the Soviet-born Americans who worked with Rudy Giuliani in his search for politically damaging material to deploy against former Vice President Joe Biden—were charged with conspiring to funnel money from an unnamed Russian into American campaigns. Some of the cases cited by the Alliance for Securing Democracy are circumstantial, but they form a pattern. Since 2016, the group has identified at least 60 instances of Russia financing political campaigns beyond its borders. (The Kremlin denies meddling in foreign elections.)
When I asked Weintraub if she had a sense of how many such examples exist in American politics, she replied, “We know there’s stuff going on out there, and we’re just not doing anything.” Since the Supreme Court’s 2010 Citizens United decision, which lifted restrictions on campaign finance, hardly any systemic checks preclude foreigners from subsidizing politicians using the cover of anonymous shell companies. With that decision, the high court opened the door for Russia to pursue one of its favored methods of destabilizing global democracy. By covertly financing campaigns, the Russians have helped elevate extremist politicians and nurture corrosive social movements. “Everyone knows there are loopholes in our campaign-finance system,” Weintraub said. “Why would we think that our adversaries, who have demonstrated a desire to muck around in our democracy, wouldn’t be using those loopholes, too?”
Problems of inattention, problems of coordination, and deep concerns about November—these themes came up over and over in my interviews for this story. Indeed, at times everyone seemed to be sounding the same alarm. H. R. McMaster, who briefly served as Donald Trump’s national security adviser, sounded it when he proposed a new task force to focus the government’s often shambolic efforts to safeguard the election. Adam Schiff, the chairman of the House Intelligence Committee, sounded it when he realized how poorly the bureaucracy was sharing the information it was gathering about the Russian threat.
There was a moment that crystallized Schiff’s sense of this disjointedness. In the summer of 2018, he attended a security conference in Aspen, Colorado, where Tom Burt revealed that Microsoft had detected Russian phishing attacks targeting Democratic senatorial candidates. “When I went back to Washington,” Schiff told me, “I asked agency heads within the [intelligence community] whether they were aware of this. The answer was no.” That the chairman of the House Intelligence Committee had to learn this elemental fact about his own branch of government at a public gathering is troubling; that the people charged with protecting the country didn’t know it is flabbergasting.
The sprawling federal bureaucracy has never been particularly adept at the kind of coordination necessary to anticipate a wily adversary’s next move. But there is another reason for the government’s alarmingly inadequate response: a president who sees attempts to counter the Russia threat as a personal affront.
After McMaster was fired, having made little if any progress on Russia, the director of national intelligence, Dan Coats, took up the cause, installing in his office an election-security adviser named Shelby Pierson. This past February, Pierson briefed Schiff’s committee that the Russians were planning to interfere in the upcoming election, and that Trump remained Moscow’s preferred candidate. Anyone who follows the president on Twitter knows this is a subject that provokes his fury. Indeed, the day after Pierson’s testimony, the president upbraided Coats’s successor, Joseph Maguire, for Pierson’s assessment. A week later, he fired Maguire and installed in his place the ambassador to Germany, Richard Grenell, a loyalist with no intelligence experience. Grenell immediately set about confirming the wisdom behind Trump’s choice. Three weeks into his tenure, a senior intelligence official in the Office of the DNI informed the Senate that Pierson’s assessment was mistaken.
Trump had graphically illustrated his recurring message to the intelligence community: He doesn’t want to hear warnings about Russian interference. Mark Warner, the highest-ranking Democrat on the Senate Intelligence Committee, told me, “A day doesn’t go by that I don’t hear from someone in the intelligence community saying, ‘Oh my gosh, we’re worried about integrity, we’re worried about morale, we’re worried about willingness to speak truth to power.’ ” I asked Warner whether he could still trust the intelligence about Russia he received—whether he has faith that the government will render an accurate portrait of the Russian threat to the upcoming presidential election. As he considered his answer, he leaned toward me. “I don’t know the answer to that,” he replied, “and that bothers me.”
Vladimir Putin dreams of discrediting the American democratic system, and he will never have a more reliable ally than Donald Trump. A democracy can’t defend itself if it can’t honestly describe the attacks against it. But the president hasn’t just undermined his own country’s defenses—he has actively abetted the adversary’s efforts. If Russia wants to tarnish the political process as hopelessly rigged, it has a bombastic amplifier standing behind the seal of the presidency, a man who reflexively depicts his opponents as frauds and any system that produces an outcome he doesn’t like as fixed. If Russia wants to spread disinformation, the president continually softens an audience for it, by instructing the public to disregard authoritative journalism as the prevarications of a traitorous elite and by spouting falsehoods on Twitter.
In 2020, Russia might not need to push the U.S. for it to suffer a terrible election-year tumble. Even without interventions from abroad, it is shockingly easy to imagine how a pandemic might provide a pretext for indefinitely delaying an election or how this president, narrowly dispatched at the polls, might refuse to accept defeat. But restraint wouldn’t honor Russia’s tradition of Active Measures. And there may never be a moment quite so ripe for taking the old hashtag out of storage and giving it a triumphalist turn. #DemocracyRIP.
This article appears in the June 2020 print edition with the headline “The 2016 Election Was Just a Dry Run.”