On January 6, the Office of the Director of National Intelligence released a declassified version of the intelligence community’s assessment of alleged Russian interference in the recent US presidential election. The document has been scrubbed of specific references to classified sources and methods used by the intelligence community to reach its conclusions, though the final assessments made in the classified version have been retained. As a result, the lion’s share of the document refers to publicly available information used to make the case regarding Russia’s intent and its disinformation campaign rather than how networks were penetrated.
Assuming confidence in the intelligence community’s assessments, the report is nonetheless important from a cybersecurity perspective because it raises considerations for any business concerned with securing its own networks. First, it illustrates the kind of determination that a nation-state actor has to achieve its objectives. Second, it refutes the misconception that only governments or other sophisticated actors are targets of nation-state attacks. And third, it makes the case that this kind of activity from Russia will only continue.
Russia’s influence campaign and the US intelligence community’s subsequent report illustrate the determination and capabilities of a nation-state actor. The report assesses that through its campaign “the Kremlin sought to advance its longstanding desire to undermine the US-led liberal democratic order, the promotion of which Putin and other senior Russian leaders view as a threat to Russia and Putin’s regime.” These are existential Russian interests reflected in the Kremlin’s grand strategic thinking. Simply put, if a spear-phishing email targeting an American political official advances those interests, then Russia will pursue a spear-phishing operation.
Organs of the Russian state have also been implicated in hacking the World Anti-Doping Agency in search of embarrassing medical information on US and other athletes to deflect criticism of a Russian doping scandal. This was also referenced in the report. If the Russian government is willing to use state security resources to prosecute an information campaign involving something so relatively trivial as sports, a US non-profit, say, funding a free press advocacy group in Russia—or anything else embarrassing to Putin—should certainly consider itself a potential cyber target.
The 2016 election also demonstrated that anybody inside or outside the targeted entity is fair game for Russian hackers. The report makes references to primary campaigns, think tanks, lobbying groups, state and local election authorities, the GOP, the DNC, Democratic Party officials, and political figures being targeted by Russian cyberattacks. It is fair to say that anyone—regardless of how peripheral to a more obvious target he or she may seem—is, in fact, part of an organization’s cyberattack surface. The lowest-ranking employee sent overseas with a team to finalize a business deal is still privy to sensitive information. He or she could be targeted with a man-in-the-middle or spear-phishing attack—or even have the contents of a laptop copied while he or she is in the hotel gym.
Lastly, it is a foregone conclusion that Russia will continue, if not accelerate, this kind of behavior in cyberspace. The campaign’s relative success will likely embolden the Kremlin to continue these kinds of campaigns during elections and against specific targets that are seen as adversarial or hostile to Russia. This is particularly dangerous as the Kremlin has had opportunities to hone its skills for use on its next likely targets: Germany, the Baltic states, and Ukraine, as well as any Arab and European opponents of Russian policy in Syria.
If the report and this most recent influence campaign have taught us anything, it is that a determined Russia will not just target state entities, but perhaps also a reporter at a German newspaper, an employee at an Estonian company, a Ukrainian political operative, or a French diplomat’s brother in Vienna. These efforts will continue, and anyone is a prospective target.
However, the most critical takeaway for government, businesses, and individuals in the aftermath of Russia’s interference campaign is not that “Russia hacked the election.” To leave it at that misses an opportunity to arrive at a more important conclusion: The Kremlin used cyberattacks as a tool—a tactic—to achieve a more audacious strategic goal. Therefore, criticism aimed at the DNC or certain individuals for poor cybersecurity practices, though warranted, fails to recognize that a determined and increasingly sophisticated adversary such as Russia will use almost any means to achieve its goals.
In that lies the lesson. A cyberattack is not an end in and of itself; similarly, a firewall, antivirus software, or an intrusion detection system cannot be a defensive be-all and end-all. A strong security posture requires partnership, vulnerability awareness, and a culture of security in conjunction with good cyber hygiene on top of off-the-shelf security products. It is now the responsibility of the private sector and government to heed that lesson to be more resilient in the face of future influence campaigns.