When the New York Times published its blockbuster scoop about President Donald Trump’s tax returns, a lot of cybersecurity experts had traumatic flashbacks to four years ago.
Just a few weeks before the 2016 election, recordings were leaked of Trump on the set of Access Hollywood describing his strategy to sexually assault women. The news threatened to derail his presidential bid.
Less than an hour later, WikiLeaks began publishing emails from the account of Hillary Clinton’s presidential campaign chair John Podesta, whose account had been hacked by Russian intelligence.
The goal was to distract from the Access Hollywood tapes, and the tactic worked.
Despite containing relatively little news for tens of thousands of pages of documents, the hacked-and-leaked emails eclipsed the tapes, in part because media, technology companies, and government agencies were not prepared for such a well-planned Russian influence operation. The sheer volume of documents was enough to overwhelm the news cycle anyway. It proved just how vulnerable journalists and Silicon Valley were to this new twist on the old art of information warfare.
Since 2016, hack-and-leak operations have become far more common. Incidents have been spotted repeatedly in Saudi Arabia, the United Kingdom, France, and the United Arab Emirates. The outcomes have varied wildly, but the overall trend is clear: this has become a go-to tool for foreign nations looking to impact politics and elections.
“We’ve seen an uptick in these kinds of operations, first, because they’re easy to do,” says James Shires, a researcher at the Atlantic Center’s Cyber Statecraft Initiative. “It’s also deniable because of an unknown person or hacktivist who claims to be doing the leaking. And it’s within the rules of the game. It’s not clear what is permissible and not in terms of foreign interference in elections. It’s very clear that changing the vote count is beyond the red line most states set. But leaking information about political parties, it’s hard to measure the impact and it’s not clearly something states say don’t do and this is how we’ll respond. So there is a great opportunity, it’s deniable, and it’s subtle as well.”
The next operation
So is the United States any better prepared for this kind of information warfare during the 2020 election?
The Russian hackers who carried out the 2016 operation were spotted targeting Democratic organizations just this month. When Facebook removed a Russia-linked influence operation last week, the head of security policy at the company explicitly warned about hack-and-leak operations. And last week Washington Post editor Marty Baron warned his staff about the perils of covering hacked material and laid out the new plan: Slow down and think more about the bigger picture. With the presidential election just 36 days away, the possibility of another distracting dump of hacked information looms large.
Shires, who researches hack-and-leaks, says that America has a mixed record. On one hand, the US government, political campaigns, press, and tech companies are more aware of the threat than in 2016. There have also been real investments and increases in cybersecurity protection. On the other hand, he points out that France responded in a very different way to similar attempts to interfere with its own election.
“The effect of a hacking operation really comes from the underlying political context and in that case the US is far worse now than it was in 2016,” Shires says. “If you look at the Macron leaks, which happened shortly before the French president was elected, a lot of things from the party were put online. French media got together, the candidate communicated, and they agreed not to publish stories based on these leaks before the election. There is a lot of trust and community spirit in the French media and political environment. That is clearly not the case in the US at the moment.”
Facing the same trap
Shires says a lot can be done to blunt the next operation. Traditional media can more thoughtfully control the tone and focus of their articles so that the hackers don’t so easily manipulate narratives. Social-media companies can, in some cases, control the virality of the hacked material being spread.
The situation quickly becomes more complex if the material is coming out of American newsrooms. That makes journalists key targets in these kinds of operations.
“The press is, to a degree, aware of how they were used and played in 2016,” says Bret Schafer, a media and digital disinformation researcher at the Alliance for Securing Democracy. “But collectively I don’t think we’re in a much better spot for a hack-and-leak operation. Facebook and Twitter policies now ban stolen material from being published on their platform, but that only bans it from its point of origin. If it’s placed somewhere else, a fringe site or a publication, then it can exist. And for obvious reasons we’re not going to look to Facebook to take down the New York Times if they report on hack-and-leak material.”
“The tech companies are boxed in and reporters look at it asking if the information is authentic and of public interest. I’m hoping they don’t fall in the same trap of 2016 of pulling out more salacious details not of the public interest. But this is still the vector where we are most vulnerable.”
And how should ordinary voters prepare?
Be careful, says Shires. When presented with leaked information “it’s natural and valuable to read and learn.”
“But the second level of how to treat this information is to think twice about why it’s in the public domain, who tried to put it there, who leaked it and for what purpose. This is media literacy, to understand the sourcing and the actors writing these stories and producing information behind these stories. If every member of the public is thinking twice about the content and sourcing, then we should get to a much more mature and responsible debate.”