Special counsel Robert Mueller (L) arrives at the U.S. Capitol for closed meeting with members of the Senate Judiciary Committee June 21, 2017 in Washington, DC.
Alex Wong | Getty Images
Special counsel Robert Mueller’s press conference Wednesday, which briefly described his team’s thinking about how they approached obstruction allegations against the president, buried one largely buried story about the entire affair: Then and now, we as a country still collectively have our pants down on cybersecurity.
The political circus surrounding the Russia investigation and social media’s response to it are largely distractions. And as Congress embarks once again on dissecting Mueller’s words — and not the core problem of cybersecurity that caused him to speak in the first place — it’s clear we’ve learned next to nothing.
What really went wrong
These days, commentators from the tech industry are mostly focused on the role Facebook and other social media companies played as Russian operatives tried to influence the 2016 election. Facebook itself has spent a lot of the last two years talking about the steps it’s taking to prevent being used for misinformation in future elections.
But during the conference, Mueller only touched briefly on that topic:
“…a private Russian entity engaged in a social media operation where Russian citizens posed as Americans in order to influence an election.”
I’m not a Facebook apologist. But we shouldn’t be leaning on social media companies to protect our elections. We should be relying on the federal government.
The Mueller probe has not improved how we think about cybersecurity. All it’s done is move the needle on what individuals think went “wrong” with the 2016 election, based on their political leanings.
Here is what really went wrong. In Russia, a secret intelligence unit spent years — well before Trump’s rise — prepping for a campaign of chaos-driven social engineering that was most likely meant to throw a wrench into American discourse and sow division.
At DNC headquarters, weak passwords and bad security hygiene made it easy for operatives to steal information and inject it into this chaos cycle.
Poorly trained staff in Trump’s inner and outer circles also made it easy for this same Russian department to trick them into associating with fake accounts on social media, including highly inflammatory accounts advocating for the most extreme right-wing positions, according to the report.
In the run-up to the election, secretaries of state across the U.S. did not tap into federal awareness efforts on election hacking. In Florida, this led to a breach of voter databases — though not voting machines themselves, a critical distinction.
Talking about “collusion” and “interference” misses this critical point: The 2016 election problems were the result of a multi-pronged cyberattack that none of these parties were prepared for.
They remain unprepared.
The Department of Homeland Security and information-sharing organizations have done a great deal of organizing since 2016. Elections infrastructure, limited to what is owned and operated by the secretaries of state themselves (in other words, excluding political campaigns), is now under the purview of the Department of Homeland Security, with an important “critical” designation that was bestowed by outgoing President Obama in January 2017.
DHS serves as a sort of dispensary of best practices, and less as a tactical operator, however.
DHS’s program is voluntary — and volunteering may depend on the politics of each state. The aid DHS provides involves more coordination than fingers-on-keyboards help from hackers or counter-intelligence professionals.
Compare that to Russia’s well-oiled hacking machine, as described in the Mueller report. In fact, close your eyes and try to picture Vladimir Putin sitting at a meeting of regional representatives from across Russia discussing “best practices.”
Following the departure of outgoing DHS head Kirstjen Nielsen, who staked much of her tenure on the cybersecurity problem, scattered reports have indicated cyber personnel are being asked to do work at the U.S.-Mexico border instead of elections security.
The FBI, charged with investigating accounts of interference has had its own staffing issues, with numerous departures of key personnel since 2016, coinciding with a range of scandals and frustrations at the agency. The FCC and Congress, who have been focusing Facebook and Twitter over their “roles” in hosting the misinformation and disinformation spread by Russian trolls in 2016, have been largely ineffective.
The social media companies have provided frequent updates on their progress, but realistically, their effectiveness will be limited by practical considerations of the platform and the fact that there are few well-established guidelines for how to do it right — let alone regulations.
Also, Russia or any country interested in misdirection won’t do precisely the same thing again. Which is why centralized coordination is so necessary.
Near the end of his press conference, Mueller acknowledged this important reality: “I will close by reiterating the central allegation of our indictments—that there were multiple, systematic efforts to interfere in our election. That allegation deserves the attention of every American.”
Determining the relevance or legality of obstruction is important. But between the gentlemanly Mueller-Barr feud, the inevitable avalanche of Trump tweets that will follow, Congress’s debate over whether to attempt impeachment or question Mueller or be tougher on Barr, the severely important questions about our national cybersecurity stance go utterly unexplored and unanswered.
And so, yes, it will probably happen again.