Defining Russian election interference: An analysis of select 2014 to 2018 cyber enabled incidents

Download pdf

Of all the political ideas to defend themselves before the court of human history, few have proven as potent and as compelling as that of electoral democracy. Yet in recent years, electoral democracy has once more come under challenge, facing off against popular discontent, revisionist governments, and—most significantly—the rise of new media and digital technologies. These technologies have at times demonstrated exhilarating promise, but they have also created new vulnerabilities that malicious actors have proven able and willing to exploit. This Issue Brief aims to provide a taxonomy of different forms and levels of state involvement in election interference, giving states a common lexicon to respond to cyber threats. It is not enough to simply speak of “hacking the vote”—and hopefully, by providing these initial terms, this report will spur a wider discussion on defining actions and sponsorship in this domain.

Foreword

Of all the political ideas to defend themselves before the court of human history, few have proven as potent and as compelling as that of electoral democracy. Through the twentieth century, democracy has faced off many times against fascism, communism, and other ideologies, and proven itself time and again to have the stronger case. The central tenet of democracy—that people should be able to select for themselves the leaders who can best govern and meet their political needs—has ascended around the world, so much so that in many places it is difficult to remember that it was ever in doubt. Indeed, today’s authoritarians often go to great lengths to mimic the trappings of democracy, ceding the point that elections are the best means to deliver political legitimacy.

But in recent years, electoral democracy has once more come under challenge, threatening to undermine these hard-won social and political freedoms. Around the globe, tensions over the distribution of globalization’s boons have led to widespread discontent and a resurgence in populism, while revisionist governments—such as in the Kremlin—have demonstrated clear intent to manipulate these seismic political forces to discredit democracy in other countries. Among the foremost drivers of this challenge, however, has been the rise of new media and digital technologies, and their intersection with traditional political and social life. These technologies have at times demonstrated exhilarating promise, giving citizens new tools to organize and governments new tools to lead. But they have also created new vulnerabilities, both technological and societal, that malicious actors have proven able and willing to exploit, damaging public trust in democratic institutions, exploiting societal tensions, and eroding the foundation of our ruled based international system.

The magnitude and cross-cutting nature of this challenge means that no single actor can solve this problem alone. Any effective solution must draw together expertise from across all sectors, uniting technologists, policymakers, civil society, and corporate leaders alike. Coming from the Cyber Statecraft Initiative of the Atlantic Council’s Scowcroft Center for Strategy and Security, this Issue Brief is one such attempt to do just that. In the spirit of our mission to build bridges between the technology and policy communities, the Council brought together a high-level group of experts and policymakers on the sidelines of the Munich Security Conference in February 2018.

Out of the many strands of that discussion, the Scowcroft Center’s senior fellow Laura Galante then expertly wove together this Issue Brief. In January 2017, all seventeen United States intelligence agencies published a nearly unprecedented and unclassified assessment of Russian interference in the 2016 US presidential elections, which stated:

Moscow’s influence campaign followed a messaging strategy that blends covert intelligence operations—such as cyber activity—with overt efforts by the Russian Government agencies, stateowned media, third party intermediaries, and paid social media users or “trolls.”

Cyber enabled influence operations encompass a range of activity that is separate, but mutually reinforcing, for instance hacking into an email account then releasing embarrassing or false information via social media content. This Issue Brief provides a lexicon and tangible examples of cyber activity within a broader universe of election interference.

By providing a taxonomy of different forms and levels of state involvement in election interference, it gives a guide to the recent history of election influence and interference. From there, it posits what norms and tactics have emerged as commonalities in the behavior of nation-states, asking: How will the toolsets and norms we currently see in play shape nation-state use of technology in the future?

These may be titanic problems, but fortunately the Cyber Statecraft Initiative has not been alone in taking them on, and is working alongside a number of other centers throughout the Atlantic Council and beyond. Established in 1961 as part of a transatlantic effort to reinvigorate democracy and democratic values, the Council is uniquely positioned to tackle yet another set of challenges to democracy more than a half century later. Its Eurasia Center has called attention to Moscow’s influence operations throughout Europe with its Kremlin’s Trojan Horses reports, with two editions released in November 2016 and November 2017, and a forthcoming edition launching in November 2018. The Eurasia Center convened the Global Forum on Strategic Communications (StratCom) in September 2017 and October 2018, and launched DisinfoPortal. org, a one-stop interactive guide to the Kremlin’s information war, bringing together thirty organizations and more than one hundred experts working to counter disinformation.

However, Russia is far from the only actor in this space, and the Digital Forensics Research Lab (DFRLab) has built a leading center of open source and digital forensic analysts, as well a global network of “digital sherlocks,” tracking events in governance, technology, security, and where each intersect as they occur. Over the past two years, the DFRLab has built capabilities to identify, expose, and explain disinformation where and when it occurs; to promote objective truth as a foundation of government for and by people; to protect democratic institutions and norms from those who would seek to undermine them in the digital engagement space. The DFRLab has focused on election integrity through a series of #ElectionWatch campaigns monitoring the spread of disinformation tactics and narratives around prominent global elections, partnering both with local actors and tech companies in countries as far-ranging as Brazil, Colombia, France, Germany, Italy, Malaysia, and Mexico.

Ultimately, all these efforts—and more—will be needed to ensure that electoral democracy can stand up to the challenges of the twenty-first century. This Issue Brief is a part of that, aiming to continue the conversation around cyber enabled influence operations, not to be the final word on it. As technological progress continues apace, new developments that have little precedent in democracy’s long history will continue to emerge. Whether those developments bolster democ racy—or whether they undermine it—will be decided by how well today’s policymakers, technologists, and civil society cooperate to produce principles and standards that withstand the test of time.

Damon Wilson, Executive Vice President, Atlantic Council

Introduction

The past five years have demonstrated at least one thing about election interference: though it keeps happening, nobody can agree on just what it is. The 2016 US elections served as a flashpoint in recognizing modern election interference, but there have been numerous instances of interference in other European elections that can provide valuable lessons, and this report aims to connect them into a coherent and singular framework. While not meant to be exhaustive, this report assesses four elections and a referendum that have been characterized by attempted foreign interference.

The five case studies were selected because they illustrate a variety of actions associated with modern cyber and information operations from both a technical and psychological perspective. Each case study summarizes the openly available information about these incidents and identifies the state sponsorship and actions involved per the definitions developed for this report. The main objective in releasing this work is to classify the reported interference actions that took place and propose the norms of state behavior and response that have emerged in this realm.

These cases focus on suspected Russian government efforts, as the Russian government is widely acknowledged as the most active state in this domain. Numerous governments and independent security researchers have provided ample forensic, doctrinal, and circumstantial evidence that links interference actions to the Russian government, most prominently the Russian military’s Main Intelligence Directorate (the Glavnoje Razvedyvatel’noje Upravlenije, or GRU). Nonetheless, this report makes an effort to identify specific sources and their basis for making claims of attribution to the Russian government.

Interference terminology*

The following list of terms captures several of the actions commonly observed in modern cyber and information operations aimed at election interference as well as commonly documented levels of state involvement in those actions. Providing definitional clarity must be the key to wider public understanding and * The definitions proposed in this publication reflect the views of the author for the purpose of this publication.

agreement on interference activities. A lack of specificity and consistency in terminology has contributed greatly to the confusion surrounding a number of the interference cases discussed in this report. If there is a single lesson from cyber activity over the last decade, it is that states must have a common lexicon in order to respond to cyber threats. It is not enough to simply speak of “hacking the vote.” Hopefully, by providing these initial terms, this report can spur a wider discussion on defining actions and sponsorship in this domain.

Interference actions:

Infrastructure Exploitation: An action—including reconnaissance and collection efforts—that gathers or distorts data or functionality of information technology (IT) systems or networks.
Vote Manipulation: An action that alters vote tallies, vote input, vote transmission, or other modes of counting and transmitting the voters’ true choices. This does not include actions intended simply to communicate a false result or otherwise cast doubt on the reliability of the vote.
Strategic Publication: The public release of data that is obtained illicitly, typically through Infrastructure Exploitation, with the intent to embarrass, expose, or otherwise cast the subject in a negative light.
False-Front Engagement: The fabrication of a false public identity by a person or group that subsequently takes actions to communicate, provoke, organize, or otherwise interact with others using the false identity.
Sentiment Amplification: An action that increases the dissemination and prominence of a specific viewpoint. Sentiment Amplification can be conducted overtly, in which case the actor is clearly identifiable and there is no question of proper attribution. Covert Sentiment Amplification intentionally obscures the actor either by taking the form of False-Front Engagement or appearing to minimize the role of any actor behind the action.
Fabricated Content: The propagation of written or broadcasted information that is false in nature or embellishes the truth. This may include actions that intentionally miscommunicate the number of votes for a candidate or an election result, or other false and misleading statements.

State involvement:

State-Directed: An action that state officials, acting in their capacity as representatives of the government or government’s leadership, have sanctioned and signaled their desire to achieve in some expressed manner.
State-Encouraged: An action that state officials have not directly ordered or signaled, but one in which an individual or entity with good knowledge (usually ascertained from close contact with current or former state officials) of the state’s objectives can partake with reasonable assurance that these efforts will be viewed favorably.
State-Aligned: An action that individuals or entities conduct with the intention to support specific or general state objectives.

Key actors:

Advanced Persistent Threat (APT) 28: Also known as “Fancy Bear” or “Sofacy,” APT28 is a Russian government-sponsored hacking group that has been implicated in multiple high-profile cyberattacks and intrusions since 2014—including the 2015 hack of the German Bundestag and the 2016 hack of US political organizations. Numerous government agencies including the US intelligence community and Department of Justice have stated that the group APT28 is part of the Russian military’s main intelligence directorate, the GRU.¹

APT29: Also known as “Cozy Bear” or “CozyDuke,” APT29 is another Russian government-sponsored hacking group that, like APT28, has been implicated in several high-profile cyberattacks, including the 2016 intrusion into the networks of the US Democratic National Committee (DNC), the US Department of State, and the White House, and has been attributed to Russia’s Federal Security Service (the Federal’naya sluzhba bezopasnosti, or FSB).²

Internet Research Agency (IRA): Based in St. Petersburg, Russia, the IRA is an organization, often referred to as a “troll farm,” that uses social media accounts to propagate frequently pro-Kremlin disinformation and amplify divisive political content. The IRA has been implicated in disinformation spread around the 2016 United Kingdom “Brexit” referendum as well as the 2016 US presidential election; notably, twelve of the thirteen Russians indicted during the Mueller investigation were employees of the IRA.³

CyberBerkut: A “hacktivist” group with a pro-Russian government sentiment, active primarily in Ukraine, with the name “Berkut” referring to a professional police unit that was involved in the repression of protests during the 2014 Ukrainian Revolution. Though CyberBerkut postures as a domestic opposition group with roots in the local Ukranian political environment, claiming to fight “neo-fascism” in Ukraine, multiple agencies including the US Defense Intelligence Agency have labeled it as a “false persona” and a “front organization for Russian state-sponsored cyber activity.”⁴

Numerous security researchers, including Citizen Lab, have linked “CyberBerkut” to APT28 based on evidence such as similarities in shortcode and domain name formats. ⁵

Ukrainian presidential election: May 25, 2014

Type: State-Directed

Incident

In 2014, months after ousting President Viktor Yanukovych, Ukrainians headed to the polls to elect a new president. But days before the vote, the pro-Russian hacking group CyberBerkut destroyed key vote tallying system files and leaked private emails and administrator documentation from Ukraine’s Central Election Commission (CEC). CEC restored the system from backups but faced another wave of attacks around the election, which delayed the release of results and nearly led to an incorrect announcement that the ultra-nationalist Dmytro Yarosh—who had less than 1 percent of the vote—was the winner.⁶

Analysis

Vote Manipulation: Four days before the election, CEC programs to monitor voter turnout and tally votes were shut down for twenty hours by the deletion of key files.⁷

Infrastructure Exploitation: CyberBerkut penetrated CEC systems two months prior to the election and posted internal emails and administrator documentation from the CEC four days before the election.⁸

Fabricated Content: The CEC website was compromised so that it would display far-right Dmytro Tarosh as the winner; experts identified and corrected this, but Russian media continued to report the incorrect winner.⁹

Outcome: Unambiguous victory for Petro Poroshenko, who avoided a run-off election by winning an absolute majority (54.70 percent), and announced that the maintenance of Ukranian territorial integrity—under threat from Russia’s annexation of Crimea and separatism in Donbass—would be a key part of his presidential agenda. It is unclear whether the interference actions successfully cast doubt on the legitimacy of the election.

Response

Government: As the incidents occurred, Nikolay Koval, the head of Ukraine’s Computer Emergency Response Team, reported that the malware used to collect the CEC’s emails and administrator data had been used previously by APT28.¹⁰

Media: Widely reported in Ukrainian media at the time, very limited global media attention and no coverage in OSCE election report. The insistence of Russian media outlets such as Russian Channel One on reporting the false winner and the simultaneous military conflict further the case for viewing this as state-directed interference.¹¹

UK “Brexit” Referendum: June 23, 2016

Type: State-Encouraged

Incident

In the run-up to the 2016 Brexit Referendum, Russianlanguage bots executed an extensive social media campaign on social media platforms like Twitter, posting and amplifying pro-Brexit rhetoric.¹² These Twitter accounts were later shown to be operated by the Russia-based IRA in an attempt to sway the referendum’s vote toward the Leave.EU camp.¹³ In addition to the IRA, other Russian actors, including Russia Today, spent over one thousand dollars on referendum advertisements.¹⁴ On June 23, 2016, as tens of millions of UK citizens turned out to vote in the Brexit Referendum, the British power supply was targeted by hackers.

Analysis

Infrastructure Exploitation: Russia targeted the UK energy network on the day of the referendum.¹⁵ In addition, in 2017, the UK Parliament’s Public Administration and Constitutional Affairs Committee (PACAC) reported that the British referendum website where citizens registered to vote may have been hacked.¹⁶ ¹⁷

False Front Engagement: Russian-managed Twitter bots were mobilized around the Brexit vote, although their impact appears to have been limited.¹⁸

Sentiment Amplification: In the months preceding the Brexit referendum, hundreds of thousands of Russian-language Twitter accounts posted and amplified pro-Brexit messages.¹⁹

Fabricated Content: Over four hundred accounts, run by the Russia-based IRA, were used to circulate disinformation during the run-up to the referendum.²⁰

Outcome: The Leave campaign narrowly beat the Remain campaign with 51.89 percent of the referendum vote.²¹

Response

Government: The head of the UK Government Communications Headquarters’ (GCHQ) National Cyber Security Centre has publicly stated that Russian hackers targeted the UK’s power supply on the day of the referendum.²² Conversely, there remains insufficient publicly available evidence to confirm whether the British referendum website was hacked and, if so, whether a nation-state was behind the operation.²³ UK governmental agency investigations continue to probe into the extent of Russia’s role in fake news, misinformation, social media manipulation, and the Leave.EU campaign ties to Russia.²⁴ In 2017, UK Prime Minister Theresa May issued a stern public warning on Russian attempts to sow discord by using fake news stories published by Russian government media.²⁵

Media: British and American media have both covered Russian efforts to influence the Brexit vote more widely as new evidence of Russian social media manipulation and potential coordination between Leave.EU officials and Russian government officials have emerged. Global media coverage continues after details have emerged of Cambridge Analytica and Facebook’s involvement in targeting UK voters and local media exposure of potential UK and Russian officials’ ties.²⁶

US presidential election: November 8, 2016

Type: State-Directed

Incident

In the run-up to the 2016 US presidential elections, Russian agents engaged in a multipronged influence campaign intended to “undermine public faith in the US democratic process, denigrate [Democratic candidate Hillary Clinton], and harm her electability and potential presidency.”²⁷

One aspect of this campaign began as early as 2014, and aimed to delegitimize the US political process by amplifying politically polarized views through social media accounts—often under false personas— managed by the Russia-based IRA.²⁸ Another aspect involved the compromise of US political organizations, most notably the Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC), and subsequent leaking of emails and documents to damage Hillary Clinton’s candidacy.

Analysis

Infrastructure Exploitation: Russian hacker groups APT29 (Cozy Bear) and APT28 (Fancy Bear) penetrated the DNC’s networks, apparently separately.²⁹” APT28 also gained access to the DCCC’s networks.³⁰

In addition, Russian actors targeted twenty-one US state or local electoral boards.³¹

Strategic Publication: Under the persona of “Guccifer 2.0” and using the platforms of DCLeaks.com and WikiLeaks, the GRU leaked documents obtained through their Infrastructure Exploitation campaigns.³²

This was done serially at strategic points in time during the campaign in order to damage Hillary Clinton’s candidacy.³³

False-Front Engagement: The IRA created hundreds of social media accounts to impersonate Americans and propagate political beliefs on opposing ends of the political spectrum, going as far as to organize rallies and protests through these accounts.³⁴

Sentiment Amplification: The advertisements and social media posts made by the IRA were used to exploit divisive political issues, such as racial tensions, that would undermine the Clinton campaign and increase political polarization.³⁵

Fabricated Content: Posts made by IRA-managed social media accounts made factually incorrect claims, such as Hillary Clinton’s adviser blaming her for the loss of US lives in Benghazi and Google having a bias in its search engine favoring Hillary Clinton.³⁶

Outcome: Victory for Donald Trump over Hillary Clinton, although there currently remains no evidence that there was direct Vote Manipulation. However, Russian activities further exacerbated social and political divisions within the country and undermined public faith in the US democratic process as a whole.

Response

Government: Prior to the election, US security firms, like Crowdstrike, were able to attribute the DNC hack to Russia. ³⁷US government and intelligence agencies, including the Office of the Director of National Intelligence (ODNI), the Federal Bureau of Investigation (FBI), and the US Department of Homeland Security (DHS), followed this with an October 2016 joint statement assessing with high confidence that the Russian government-directed GRU was behind the DNC hack.³⁸ In January 2017, the US intelligence community issued a joint report, attributing Russian efforts to undermine the 2016 presidential elections, although the report “did not make an assessment of the impact that Russian activities had on the outcome of the 2016 election.”³⁹ In the summer of 2018, special counsel Robert Mueller indicted 12 GRU officers for hacking the networks of DCCC and DNC, as well as releasing documents and emails in an effort to interfere with the presidential election.⁴⁰

Media: Initial media coverage focused predominantly on the content and sentiment of emails leaked following the DNC hack, particularly on the DNC’s preference for Hillary Clinton over her rival in the Democratic primary, Bernie Sanders.⁴¹ As the election neared, the conversation was increasingly framed as a national security issue, but media responses varied depending on political leaning. Right-leaning media tended to deny or question the effects of the hack, while left-leaning media asserted it was an attack on democracy and US institutions.

French presidential election: May 7, 2017

Type: State-Aligned

Incident

On May 5, two days before the French presidential election, nine gigabytes of data from Emmanuel Macron’s campaign, including documents and emails, was posted online on a document sharing website called Pastebin, and was further disseminated on 4Chan. The data was reportedly obtained by with spear-phishing methods and there are conflicting reports as to whether the documents contained fake information or not.⁴²

Analysis

Infrastructure Exploitation: Actors gained access to documents and emails of the Macron campaign through a spear-phishing operation.
Strategic Publication: Documents obtained through the spear-phishing operation were released during the no-campaigning period immediately before the French presidential election, making it difficult for the Macron campaign to counter information released during the leak.
Sentiment Amplification: Use of bots to amplify the messaging and rhetoric around the Macron leak, with just 5 percent of accounts promoting the hashtag #MacronGate accounting for nearly half of all the posts.⁴³

Outcome: Despite the leaking of campaign emails and the use of bots to promote anti-Macron rhetoric on social media, Emmanuel Macron won over Marine Le Pen with 66.1 percent of the vote.

Response

Government: Initially, the hack was attributed to Russian actors and APT28 by various sources, including US CYBERCOM Commander Mike Rogers and two other US cybersecurity firms.⁴⁴ However, one month following the election, Guillame Poupard, head of the French National Agency for the Security of Information Systems (the Agence Nationale de la Sécurité des Systèmes d’Information, or ANSSI), declared no conclusive evidence pointed to Russian groups had been found, and that simplicity of attacks pointed toward an actor with lower capabilities.⁴⁵

Media: Coverage of the hack in the run-up to the election was limited by several factors. The French Electoral Commission published an official statement one day before the election that the dissemination of fraudulently obtained data is liable to be classified as a criminal offense.⁴⁶

According to French law, a national ban on electioneering enters into effect forty-eight hours before an election, prohibiting media and the candidates from carrying or publishing election-related activities.⁴⁷ While it is challenging to gauge the exact impact, this clearly affected coverage of the Macron campaign leaks in traditional media outlets. Finally, the lesson learned as a result of the Russian interference in the US election plausibly played a role in the mental preparation for destabilizing interventions as well as the balanced French response to the hack.⁴⁸

German federal elections: SEPTEMBER 24, 2017

Type: State-Directed

Incident

In 2015, data was stolen (primarily emails) from multiple German political sources, including the Bundestag (the lower house of parliament) and the state offices of Chancellor Angela Merkel’s Christian Democratic Union of Germany (the Christlich Demokratische Union Deutschlands, or CDU) party during a prolonged weekslong cyberattack.⁴⁹ However, this data was ultimately not released. In addition to the data theft, Germanlanguage Russian media also produced fake stories and magnified issues, such as immigration, to stoke domestic tension as early as in 2016.⁵⁰ This was a social media campaign similar to that used in the US 2016 elections, with bots, divisive rhetoric, warnings of electoral fraud, and “vote-rigging” claims toward the end of the vote.⁵¹

Analysis

Infrastructure Exploitation: In 2015, a group of hackers—likely APT28—gained administrator access to the Bundestag network and copied sixteen gigabytes of emails from lawmakers and their staff, although these were never released.⁵²

Sentiment Amplification: German-language Russian media focused on issues such as immigration that were politically polarizing. One group of university researchers noted social media accounts amplifying right-wing rhetoric and Russian media stories, but attributed this to the US “alt-right” rather than Russia.⁵³

Fabricated Content: Both German-language Russian media and the right-wing Alternative for Germany (the Alternative für Deutschland, or AfD) party shared fabricated information, most famously the “Our Lisa” story which claimed that a young Russian-German woman had been raped by “Arab” migrants.⁵⁴

Outcome: Merkel’s party alliance between the CDU and Christian Social Union in Bavaria (the Christlich-Soziale Union in Bayern, or CSU) won 30 percent of the vote but achieved the worst result since 1940; the far-right, anti-immigration party, AfD, made gains and came in third place with 13.5 percent of the vote. Five months after the election, an agreement was reached with the Social Democratic Party of Germany (the Sozialdemokratische Partei Deutschlands, or SPD) for a governing coalition.

Response

Government: German officials blamed APT28 (Fancy Bear) for the 2015 hack of the Bundestag and other cyberattacks aimed at Chancellor Angela Merkel.⁵⁵ In May of 2016, Germany’s domestic intelligence agency, the Federal Office for the Protection of the Constitution (the Bundesamt für Verfassungsschutz, or BfV), stated that Russia was behind the 2015 hack of Bundestag and Merkel’s CDU.⁵⁶ The vice chairman of Merkel’s political party publicly announced that prior to the election debate, her website had been targeted by thousands of cyberattacks, many from Russian IP addresses.“⁵⁷

Media: Lessons learned from both US and French presidential elections, combined with robust German institutions and less political polarization than in other countries, may have reduced the impact of misinformation. The major campaigns entered into a “gentlemen’s agreement” to avoid using data stolen during the 2015 cyberattacks should it emerge (which it ultimately did not).⁵⁸ However, both government and media extensively focused on the possibility of Russian interference during the election, sensitizing both politicians and citizens to that possibility.⁵⁹

New norms

As with any new weapon set or domain, establishing norms of state behavior has been the focus of diplomats and military strategists. Cyberspace and the actions taken within it have been particularly challenging to define, let alone develop a semblance of standards and acceptable actions.

Early on, the issue of attribution—or rather, the difficulty of attributing actions in cyberspace—was the preeminent obstacle for devising credible response frameworks. Over time, the public and private sectors’ ability to identify, analyze, and present findings attributing cyber activity to specific actors improved dramatically. While attributing activity in cyberspace will always be a challenge, governments have become increasingly public in attributing malicious cyber activity. These public attribution statements and their counteractions serve as strong indicators of the norms that have been emerging in this area over the last several years.

Thus far, perhaps the norm most clearly established and most widely recognized is a prohibition on hacking intellectual property theft from private-sector networks. This norm has been established through: exposing the most active state actor, in this case China’s People’s Liberation Army (PLA); judicial actions like the 2014 US Department of Justice indictment of five PLA officers; consistent denunciation of this specific cyber-enabled activity by multiple heads of state, and eventually tariffs on goods benefiting from hacked intellectual property. From this, it has now become clear to a range of state and non-state actors that hacking intellectual property from private (nongovernment) targets will result in widespread condemnation and leads to the imposition of significant political and economic costs.

In contrast, election interference and information operations more broadly have presented a complicated set of political and definitional dimensions for effective norm-setting. In part, this difficulty arises from the two major differing perspectives states have taken as they define cyberspace. This philosophical divide hinges on whether a nation-state includes (in action and in word) information, and the effect that information can have via its disbursal through the Internet, in that nation-state’s own sovereign purview and field of action.

Historically, states that take this expansive view of the domain, like Russia and China, have been more inclined to classify a wider set of actions as interference rather than milder attempts at influence. For example, the Kremlin has frequently interpreted US government statements as interference actions. One of the most notable examples was Secretary Clinton’s speech regarding the large anti-government demonstrations, which had been set off by the 2011 Russian parliamentary elections. Secretary Clinton stated that “The Russian people, like people everywhere, deserve the right to have their voices heard and their votes counted… and that means they deserve free, fair, transparent elections and leaders who are accountable to them.”

While the statement was uncontroversial to US and other democratically inclined audiences, then-Prime Minister Putin viewed the statement as a trigger to hostile action, saying: “She set the tone for certain actors inside the country; she gave the signal. They heard this signal and, with the support of the US State Department, started actively doing their work.”⁶⁰ The norms below take this informational threat calculus into account simply because states like Russia are formulating their actions and responses in this way.

The following norm statements are an attempt to capture how the case studies presented here have shaped interpretations of permissible state action, response thresholds, and the calculus that actors are now considering before taking action in this realm:

If the state’s representatives direct or encourage Infrastructure Exploitation or Vote Manipulation against a foreign state, the targeted state will consider this a breach of sovereignty and a hostile act.
If the state’s representatives engage in overt Sentiment Amplification, Strategic Publication, or Content Fabrication, the targeted state or faction will not take meaningful retaliatory action unless they consider these actions as a direct call to Infrastructure Exploitation or Vote Manipulation—a consideration more likely to occur if the state views the informational domain as sovereign.
If a state defines their sovereignty to include the informational domain (e.g., a psychological domain beyond the physically defined boundaries of the land, sea, air, or physical technological infrastructure of the internet), it is more likely to consider overt Sentiment Amplification and Strategic Publication as a hostile act and respond accordingly.
If the state’s representatives direct or encourage False Front Engagement, covert Sentiment Amplification, or covert Strategic Publication, the targeted state will view these actions as hostile. Whether the targeted state views these acts as a breach of sovereignty or simply as an attempt at influence will dictate the severity of the state’s response.

Conclusion

While policymakers and national security officials formulate responses to election interference, Russian state-directed efforts have continued—particularly against US targets. In August 2018, Microsoft announced that its Digital Crimes Unit had found evidence of APT28’s planning efforts to engage in Infrastructure Manipulation against several conservative think tanks and the US Senate.⁶¹ Later that same week, security researchers at several technology and social media companies detailed a long-running covert Sentiment Amplification effort involving multiple False Fronts and sponsored by the Iranian state, that was intended to promote narratives favorable to the current Iranian government.⁶² These efforts demonstrate states’ continued interest in exploiting networks and influencing opinions far beyond their borders.

The Russian government’s investment in influence and network exploitation operations, built on the back of a new and fragmented media environment, created a space for new forms and techniques in electoral interference. But states are not the only entities that have been watching this phase of election interference, and the techniques demonstrated by the Russian government are readily replicable with a high return on investment. The dividends from such interference are too great to ignore, posing a question: what will the next phase of election interference look like, and who will be involved?

The Italian elections of March 2018 may present an initial answer to that question. During the run-up to the elections, fabricated news spread from social media accounts of supporters of anti-establishment parties like the Five Star Movement (5SM) and Lega, with disinformation being propagated and amplified by partisan journalistic sources.⁶³ Yet though the narratives perpetuated indirectly helped Russian strategic objectives, asserting a connection between 5SM/Lega and Russia is difficult, and has been a source of confusion.⁶⁴

This difficulty in attribution should underscore an underlying point: actors with little to no state direction can still wield formidable influence and execute network exploitation operations. It is not only the impact of these techniques that is the most troubling—it is also their ease of replication. The 2018 Italian elections could be a harbinger for non-state-directed interference with major political consequences, achieved with limited technical difficulty, replicable tools, and low barriers of entry

Recommendations

Governments, security researchers, and others privy to the evolving tactics and evidence of Interference Actions taken by states and non-state actors should continue to expose these actions. Exposure in this domain has shown to be the necessary predicate for understanding and countering malicious activity.
Journalists, analysts, and other parties responsible for characterizing Interference Actions and influence operations should take all reasonable efforts to accurately describe the particular action at hand. Vague terminology, and in particular the muddling of Infrastructure Exploitation, Vote Manipulation, and Sentiment Amplification, has led to critical misunderstandings in the public sphere.
The United States, along with other nation-states that traditionally value freedom of speech, expression, and a critical media environment, should be wary of classifying influence operations and Sentiment Amplification efforts as breaches of state sovereignty. While the dark side of global interconnectivity is increasingly becoming clear outside of security circles, the temptation to deem all foreign influence and interference operations as existential threats and breaches of state sovereignty undermines the varied information environment that allows democracies to thrive.

Laura Galante: Recognized as a leading authority on cyber threats, information operations, and intelligence analysis, Laura Galante founded Galante Strategies in 2017 to equip governments and corporations to respond effectively to cyber and information threats. Her recent work has included developing a cybersecurity framework for the Ukrainian government; briefing advanced cyber threats to the Italian government and financial sector; and raising national awareness of cybersecurity in Kosovo and Serbia. Currently a senior fellow at the Atlantic Council’s Cyber Statecraft Initiative, Laura previously served as the director of global intelligence at the cybersecurity company, FireEye Inc. (formerly Mandiant). She frequently serves as a keynote speaker, having testified before the UN Security Council and given a TED talk at TED2017. Laura holds a BA in foreign affairs and Italian from the University of Virginia and a JD from the Catholic University of America.

Shaun Ee is a program assistant with the Asia Security Initiative and Cyber Statecraft Initiative of the Atlantic Council. Before joining the Council, he graduated from Washington University in St. Louis with a BA in philosophy-neuroscience-psychology and international and area studies.

Acknowledgments:

Thank you to the Howard Baker Forum for providing generous support for this project, allowing the Cyber Statecraft Initiative to address an issue of vital importance. The Atlantic Council team, particularly Klara Jordan and Safa Shahwan, provided support and oversight to this project and Anca Agachi, Timothy McGiff, and Heather Regnault provided invaluable research support.