On June 14, it was revealed that “Russian government hackers” may have infiltrated the Democratic National Committee (DNC) computer network to take a database of opposition research. The breach will have political and technological consequences not only for the U.S. but also for the security of candidates and campaigns in the future. Beyond placing blame, the question to be answered is whether the DNC hack will further move the needle of organizational transparency in the wake of a failure in cybersecurity strategy.
DNC Hack & Westphalian Sovereignty
The wonderful yet dangerous creation that we’ve created over the past decades has had flaws that have been exploited for monetary gain. When you realize that every man is worth $800 based on location and other behaviors, you can see why bad actors want your data and the motive behind it. Your data is the key to your future. Yet, the recent hack of the DNC is insightful in that its magnitude isn’t measured in currency but in how an external party can manipulate the U.S. electoral system.
The DNC CEO and two high-level staffers resigned after there was a massive hack of the DNC computers that suggested that the DNC was favoring Hillary Clinton over her rival Sen. Bernie Sanders during the primary season. The release of documents onto Wikileaks shows how nation state and non-nation state actors can influence political outcomes.
While tampering with political outcomes is nothing new to the world’s stage, the recent hack is a game changer in that it goes against Westphalian sovereignty. Countries are known to spy on each other through various technology implants yet meddling in domestic affairs will cause policy concerns as international cybersecurity standards are, at best, nascent.
As of now, the FBI seems to believe that the Russian GRU, the military intelligence unit, and FSB, the successor to the KGB are responsible; however, the FBI has been careful not to directly place blame. Although, the Clinton campaign says that there is a link between the Russian government and the stolen information, the FBI cannot be so forthright. The U.S. has to be very careful to come out and say that this was Russia’s doing, as the President would be mandated to do something.
An interesting theory laid out by James Clapper, Director of National Intelligence at the Aspen Security Forum, is that the DNC hack is retaliation for events that occurred in 2011. When the Russian Parliament installed Vladmir Putin as the Prime Minister, then-U.S. Secretary of State Hillary Clinton called out the corruption that was involved. Clapper argues that Putin may have believed that Clinton was calling for political unrest by telling the Russian populace to protest in the streets. Similar to this political manipulation, the DNC hack may be a way to show that “all is fair in war.”
The clear mandate is for the DNC, like any organization, to take all necessary steps to prevent such a breach in the first place. The hard thing is that the U.S. needs to make sure that they are absolutely correct. It is possible that Russia did this based on current forensic findings. The first breach was in June 2015 when Donald Trump was not on the political radar and the second breach was in the spring of 2016. However, because Russian cyber-intelligence is so skilled and quiet, neither agency may have known of the workings of the other. Whether the malware was inputted by Russia or some other actor, the hack
A Policy of 100% Transparent Failure
As is with any crisis, the country looks to the President for guidance. Our perception of Hillary Clinton and Donald Trump has been viewed from many domestic and foreign policy angles but, unfortunately, cybersecurity has not been one of them. Could either candidate take the time to consider more transparency when such failures in data security happen?
The DNC hack is the latest example of a data breach that may have unknown effects to the country. However, what should be done when a company has a breach? Should the government mandate every organization to disclose anytime there is a breach in customer data? These are questions that we, as a country, must address because this organization’s breach effects every one of us (translation: every U.S. citizen and his/her vote is effected by vulnerabilities in the electoral system).
From a U.S. cybersecurity strategy perspective, there is no national data breach notification standard. President Obama proposed a national data breach law during his 2015 State of the Union address – the Personal Data Notification and Protection Act of 2015. More recently, Obama issued a policy directive, PPD-41, that may add some clarity for the channels through which private sector organizations report incidents to government agencies so as to better position responses to cyber incidents happening in the government or the private sector.
While notification is a first step in the event of a security failure, there is no incentive to be 100% transparent. This is not a proposition of total transparency as reports of every possible failure could lead to the ultimate demise of an enterprise. The goal of a national standard would be to create a policy of no silence in the event of a large-scale failure. Right now there is rampant silent failure. Bad things can and will happen, but every failure need not be reported or penalized because the absence of evidence is not the same as the evidence of absence.
Going Forward – What are the Standards for Covert Actions?
Hacking into a government and publishing the contents of the documents to influence politics goes beyond the normal “spy vs. spy” tactics. When it comes to international policy and the DNC hack, the repercussions are higher as incidents of past espionage just do not equate to the covert action involved in the current case.
The problem that the U.S. faces now is the need to find definitive evidence but also take action. Considering that this event is a manifestation of terrorism, the country may have to retaliate. If you don’t retaliate, then the U.S. will be saying that our electoral system can be manipulated.
From a U.S. cybersecurity strategy perspective, can you mandate a totally transparent standard where every hack must be reported? Probably yes, but it certainly won’t be the best policy as cybersecurity standards are still unchartered territory. Legal standards are premised on history, and right now there isn’t much legal precedent to create a comprehensive act. What we do know is that an overly punitive standard, like the Patriot Act, would probably create compliance headaches and costs that would prove overly burdensome. If you define a breach too narrowly then it becomes painful; this may drive companies out of business and raise the static noise of every breach. Ideally, a standard in which there is just enough transparency so that private security firms and government can work together would be best for our nation.
In the current case, CrowdStrike, a security firm that specializes in countering advanced network threats found “two sophisticated adversaries” on the network which was later confirmed by Mandiant (part of FireEye) and Fidelis. The malware was found to be advanced persistent threats which are well-known in the security industry as “APT 28” and “APT 29.” The probability that this was created by a nation state based on forensic findings shows that our borders need to be guarded by joint efforts to create standards as well as research and response.
There needs to be a closer association between corporations and the government. With a government that has notoriously been slow in embracing technology, now, more than ever, security needs to be in the public forum. Defining a breach is the hardest part but incidents like the DNC hack show that not being transparent at the moment of failure can ultimately prove far worse in the long term.
Transparency is something that we all want more of. Unlike the events of the Brexit, the U.S. electorate is involved, to a greater extent, in the decision-making process. I have no doubt that the DNC hack will be handled properly. However, as a game changer on many fronts of technology and policy, the hack will force us to realize that there needs to be more thought and discussion on the lines that need to be drawn before and after a failure in terms of transparency standards. The U.S., through public and private collaboration, needs to establish an effective deterrent, unambiguously signaling to external actors that the costs of attacking us substantially outweigh the benefits.