Much of the focus of the leaked NSA report about Russian cyberattacking efforts has centered on the botched leak, but the report itself holds some early key lessons worthy of far more scrutiny and inquiry. Both the report and the Russian actions detailed in it describe a broad and brazen effort by Russian operatives to reach beyond external manipulation of the 2016 media narrative in order to internally corrupt US voting systems.
Once more, far from having a satisfying determination as to whether the Russian cyberattack affected the election outcome in any way—the NSA makes no conclusion whatsoever, writes The Intercept:
The NSA analysis does not draw conclusions about whether the interference had any effect on the election’s outcome and concedes that much remains unknown about the extent of the hackers’ accomplishments.
That's not only worrisome in terms of the very slim margin of some 70,000 votes that pushed Donald Trump over the electoral college edge in Michigan, Pennsylvania and Wisconsin, it also has implications for 2018.
1. The Russian effort was both broad and localized, covering eight states and targeting 100-plus local election officials
The NSA report does not name a specific vendor, but homes in on efforts to hack a product made by the Florida-based company VR Systems, which services eight states.
VR Systems has contracts in eight states: California, Florida, Illinois, Indiana, New York, North Carolina, Virginia, and West Virginia.
In order to hack their system, the Russians performed pretty classic phishing expeditions.
The Russian plan was simple: pose as an e-voting vendor and trick local government employees into opening Microsoft Word documents invisibly tainted with potent malware that could give hackers full control over the infected computers.
On August 24, 2016, the Russian hackers sent phishing emails to vendor employees so it could access the company's information and credibly mimic it. Someone bit: On October 27, the hackers set up a Gmail account that looked as though it belonged to an employee of the vendor. They used that account to target more than 100 local officials.
The NSA assessed that this phase of the spear-fishing operation was likely launched on either October 31 or November 1 and sent spear-fishing emails to 122 email addresses “associated with named local government organizations,” probably to officials “involved in the management of voter registration systems.”
2. The Russian attack was downright brazen
During Senate testimony last month, former CIA director John Brennan described with some consternation reaching out to his Russian counterpart, FSB head Alexander Bortnikov, in early August and warning him to stay out of the U.S. election.
He told Bortnikov that “American voters would be outraged by any Russian attempt to interfere in the election” and that such an attempt would “destroy any near-term prospect” of improved relations between Moscow and Washington.
President Obama also twice told Russian President Vladimir Putin to back off meddling in the election: once last September at the G-20 summit in China and again on October 31 over the "red phone" used for crisis communications between Washington and Russia (not to be confused with the secret backchannel Jared Kushner sought to establish).
This time Obama used the phrase "armed conflict."
"International law, including the law for armed conflict, applies to actions in cyberspace," said part of a message sent over the Red Phone on Oct. 31, according to a senior U.S. official. "We will hold Russia to those standards."
Putin did it anyway.
3. The effects were undetermined
The overall assessment of the Russian cyberattack's effectiveness was inconclusive, and this is perhaps as concerning as any part of the NSA report. VR Systems was reportedly not involved in any vote tallying in the states it services but voter registration and voter rolls were a clear concern in the NSA report.
If any local election officials opened one of the phishing emails, it could have given the hackers "persistent access" to that person's computer, offering "all the same capabilities" as the user has, according to computer security expert and former NSA hacking team member Jake Williams.
“It is unknown,” the NSA notes, “whether the aforementioned spear-phishing deployment successfully compromised the intended victims, and what potential data could have been accessed by the cyber actor.”
All in all, the NSA report has opened a Pandora's Box of questions about 2016 and the integrity of our elections moving forward. While the voting machines themselves aren't directly connected to the internet, it doesn't mean they're impenetrable, notes The Intercept:
They do receive manual updates and configuration from people at the local or state level who could be responsible for both. If those were the people targeted by the GRU malware, the implications are troubling.
Electronic voting expert Alex Halderman, director of the University of Michigan Center for Computer Security and Society, sees programming of the machines as a potential opening for hackers:
“Usually at the county level there’s going to be some company that does the pre-election programming of the voting machines,” Halderman told The Intercept. “I would worry about whether an attacker who could compromise the poll book vendor might be able to use software updates that the vendor distributes to also infect the election management system that programs the voting machines themselves,” he added. “Once you do that, you can cause the voting machine to create fraudulent counts.”
Halderman also happens to be one of the people who pushed Hillary Clinton's campaign to demand recounts in Michigan, Pennsylvania, and Wisconsin. Last November, New York Magazine wrote:
The academics presented findings showing that in Wisconsin, Clinton received 7 percent fewer votes in counties that relied on electronic-voting machines compared with counties that used optical scanners and paper ballots. Based on this statistical analysis, Clinton may have been denied as many as 30,000 votes; she lost Wisconsin by 27,000. While it’s important to note the group has not found proof of hacking or manipulation, they are arguing to the campaign that the suspicious pattern merits an independent review — especially in light of the fact that the Obama White House has accused the Russian government of hacking the Democratic National Committee.
In light of the NSA report, any irregularities are not only worrisome but worthy of further review.
The report also raises the stakes for Wednesday's Senate testimony from NSA director Mike Rogers, once seen as only a backdrop to James Comey's testimony on Thursday. There's some speculation that Rogers has a "bomb" of his own to drop.
In the meantime, Democratic lawmakers are just beginning to grapple with being in the minority party amid a growing scandal and an NSA revelation that under normal circumstances could be considered an act of war, which was essentially what President Obama communicated to Putin.
"In any other circumstances this would be an earthquake," but because of "everything" going on in Washington it is a matter that has not received the attention it deserves, Sen. Claire McCaskill, D-Missouri, said at the start of a committee hearing. "This was Russia ... this was an international attempt to impact the elections of the United States of America."
Democratic Sen. Mark Warner is also urging intelligence agencies to declassify the states that were targeted in 2016 with an eye toward 2018.
"None of these actions from the Russians stopped on Election Day," he warned.
As for our current commander in chief, he just ordered his secretary of State to rehabilitate our relationship with Russia. Good god.