Russia may have attempted to tamper with the 2016 election, helping put an unstable narcissist in the White House. But the upside is that it has finally led Congress to adopt a sensible approach to cybersecurity. The main question is whether the narcissist in question will sign off.
The 2018 Intelligence Authorization bill, passed by a 14-1 vote in the Senate Intelligence Committee on July 28, was unveiled last week. Had Congress mandated the measures included therein in 2015, instead of investing all its energy that year in passing the Cybersecurity Intelligence Sharing Act, it might have mitigated Russia’s efforts to interfere in the election, including the hack of the voting systems of 39 states.
For example, the bill would require the Director of National Intelligence to work with the heads of the CIA, the National Security Agency, the FBI, and the Department of Homeland Security to start a review, a year before a federal election, to identify the security vulnerabilities of any state election systems, including whether they are vulnerable to foreign intelligence threats. They would present their findings to the so-called Gang of Eight—a bipartisan group of senators briefed on intelligence matters—three to six months before the election. Had such a review taken place in 2016, the government might have been able to respond aggressively to Russia’s attempted hack.
The same intelligence officials, plus the secretary of the Treasury, would have three months after passage of the bill to come up with a “whole-of-government strategy” to combat Russian threats to electoral systems. The strategy would include items like auditable paper trails and secure wireless and internet connections for election machines, both of which would make our elections more resilient to a number of threats.
Thus far, the government says no vote results were affected by Russian hacking attempts. (Though North Carolina is conducting an investigation into irregularities with some electronic voting systems, known as poll books, that had been provided by a firm targeted by Russian hackers.) Nevertheless, had these expansive detection efforts been in place in 2016, more of Russia’s hacks might have been identified in real time, with better means to deter them.
The bill would also give the intelligence community six months to report on the counterintelligence threat posed by Russian money-laundering. Public reports show that Paul Manafort, Donald Trump’s campaign manager, had $17 million in debt to pro-Russian interests when he joined the campaign. He also obtained a suspicious $3.5 million loan using a shell company just after parting ways with Trump. Meanwhile, Trump’s luxury properties have long catered to the kinds of foreign buyers known to launder cash through real estate acquisitions. Since he became president, more and more buyers are purchasing Trump properties through shell companies.
Suspicions have abounded that Trump and especially his associates might have cooperated with Russia because of these financial ties. Robert Mueller, the special counsel investigating Russia’s meddling in the 2016 election, has clearly focused on Manafort’s shady finances. A more sustained focus on Russian money-laundering during the campaign might have alerted authorities to potential levers of influence Russia could use against Trump’s people.
Even the bill’s most controversial provision, which would declare WikiLeaks a “hostile” spy service after it published hacked emails from the Democratic National Committee, might have deterred interference in the election. The provision declares that, “It is the sense of Congress that WikiLeaks and the senior leadership of WikiLeaks resemble a non-state hostile intelligence service often abetted by state actors and should be treated as such a service by the United States.”
It’s unclear what the provision will mean in practice, which is why Senator Ron Wyden of Oregon voted against the bill in committee. “My concern is that the use of the novel phrase ‘non-state hostile intelligence service’ may have legal, constitutional, and policy implications,” Wyden explained, worrying that the category might “be applied to journalists inquiring about secrets.” Wyden also expressed concerns about the provision’s ambiguous direction that the U.S. take an “unstated course of action” against WikiLeaks.
Such a declaration might criminalize any support for WikiLeaks, or heighten penalties for sharing information with the group. It’s possible the government might have responded differently to Trump associate Roger Stone’s claims that he was in contact with WikiLeaks during the election if Congress had already deemed it a hostile non-state intelligence service.
The same provision, however, might have changed the outcome of Chelsea Manning’s charge of aiding the enemy—the sole count on which she was found not guilty—which arose from Manning providing State Department cables and other documents to the organization in 2009-2010. The press still cites that information on a regular basis, attesting to its value. Moreover, Russian hackers had other outlets for stolen Democratic documents in any case, including the hacker Guccifer 2, so shutting down WikiLeaks would in no way shut off leaks altogether.
None of these things, by themselves, would have prevented Russia’s hack of the DNC. Indeed, the provisions focus more on electoral targets than political ones. But the bill provides real measures that might have made a difference, constituting the most useful response to last year’s events that we’ve seen so far.
Russia and WikiLeaks are not the bill’s only targets. It also includes two provisions that would constrain any plans Trump might have to cozy up to the Russians. One would defund any scheme to partner with Russia on cybersecurity, which Trump has pledged to do. The second would impose a review of the risks of returning diplomatic compounds seized from Russia in December under the Obama administration, which was retaliating against Russia’s interference in the election. Russia has put heavy pressure on Trump to give the compounds back.
The intelligence authorization includes a range of other measures to fix known weak points. It establishes a task force that will identify risks to the government’s supply chain, such as the widespread use of software produced by Russian anti-virus company Kaspersky. It establishes a working group to develop a national strategy to protect energy infrastructure, especially its industrial control systems. That effort comes in the wake of reports that Russian hackers were targeting engineers with access to the control systems of energy facilities, including nuclear power plants. And finally, the bill mandates a review of whether the intelligence community had the information it needed on the Russian threat and shared it effectively.
All told, the Intelligence Authorization mentions Russia 34 times, and includes a number of other provisions, such as the supply chain review and the energy infrastructure task force, that don’t name Russia but respond to U.S. vulnerabilities that Russia is suspected of exploiting. While neither the intelligence community nor the White House has weighed in on the bill yet, in its current form it represents a focused response to a threat to the U.S., and a concrete effort to improve America’s security generally.
That’s important for two reasons. First, it’s a tangible response to the Russian hack, and it comes as the president and House Intelligence Committee Chair Devin Nunes continue to undermine the investigations of four congressional committees and Robert Mueller’s special counsel team.
Just as importantly, the bill makes a number of common-sense changes—like higher salaries for top cybersecurity positions at NSA, congressional oversight over the vulnerability equities process, and a strategic plan to make the most of bounties paid to “white hat” hackers who find weaknesses in government systems—that will likely have a real impact on cybersecurity. These were all pitched back in 2015, when Congress focused instead on information-sharing between various intelligence agencies, an effort that still hasn’t shown great returns.
The Senate Intelligence Committee is by no means perfect. It rushed through the confirmation of CIA Director Mike Pompeo, who in April came up with the term “non-state hostile intelligence service” that Wyden now objects to. The Senate confirmed Pompeo even though he, like the president, cheered this non-state hostile intelligence service when it served his purposes. But the committee has at least shown where it stands on the issue of Russian interference in U.S. elections, which is more than we can say for Pompeo and Trump.