America's sprawling elections infrastructure has been called "a hairball" — but as people in Silicon Valley might ask, is that a feature or a bug?
Then-FBI Director James Comey touted it as a good thing — "the beauty of our system," he told Congress, is that the "hairball" is too vast, unconnected and woolly to be hacked from the outside.
That was before Monday's leak of a top secret National Security Agency report about a Russian election cyberattack. What that document confirms is that if the whole is safe, its many individual parts may not be.
The NSA report, posted by The Intercept, documents a scheme by Russia's military intelligence agency, the GRU, to compromise the systems of a Florida elections services company — then use that access to explore local voting registration records.
"It is unknown whether the aforementioned spear-phishing deployment successfully compromised the intended victims, and what potential data could have been accessed by the cyber actor," as one NSA analyst wrote in the report.
Here are 5 other questions that remain unknown about this story and the ongoing threat that national security officials say Russia poses to the integrity of American elections.
1. How widespread are these attacks?
The Department of Homeland Security and U.S. intelligence leaders have said generally that voter registration rolls were a pet target of Russian cyberattackers, but that Russia didn't change any votes. The American leaders also have warned, however, that they expect the Russian mischief to continue in the 2018 and 2020 election cycles. If the GRU continues operations like this elsewhere, how much better of an understanding will it have of local elections officials and their vendors next year or beyond?
Elections systems analysts tell NPR that although electronic voting machines are not connected to the public Internet, the computers that update their firmware are, or the ones that program them at the factory. It isn't clear what's practically possible in this realm in terms of hacking or compromising those systems; Comey told members of Congress that Russia has attempted to tamper with votes "in other countries," but the details aren't clear.
Even with the redactions, The Intercept made at the request of the NSA to protect some of its key secrets, there are tantalizing details about the extent of the GRU mischief. One note makes clear that this so-called "spear-phishing" campaign was separate from another major program known within secret circles — though the name of that is blacked out.
Another mention in the NSA report suggests that two-factor authentication — the popular system in which Gmail, for example, sends users a text message with a code they must enter along with a password in order to log in — is not a failsafe security feature. The GRU hackers were able to use fake websites that used real Google verification codes to gain access to victims' accounts.
2. Can the federal government do more?
Then-DHS Secretary Jeh Johnson said last year that the federal government was offering help across the board to local elections officials to be aware of the Russian cyber-mischief. And Comey told the Senate Intelligence Committee last month that the government continued to provide information about the ongoing threat.
"Two things we can do, and that we are doing, both in the United States and with our allies, is telling the people responsible for protecting the election infrastructure in the United States everything we know about how the Russians and others try to attack those systems," Comey said. "How they might come at it, what [Internet protocol] addresses they might use, what phishing techniques they might use."
That may have been one eventual goal for the NSA report posted on Monday — it could have been the top secret original from which DHS or other agencies might have created unclassified advisories to send out to states.
But is it enough just to share information about such a sophisticated adversary? Local vendors and state officials don't have vast IT resources or sophisticated counterintelligence to help defend themselves against state-actor adversaries. And states "pushed back" against Johnson when he offered help last year, as former Director of National Intelligence James Clapper told Congress — they rejected what he called "federal interference."
Clapper said he believed Congress should designate the national election apparatus "critical infrastructure," the way the U.S. has labeled 16 other "sectors," including the American chemical industry, dams, the power grid and others. That could get very complicated, however, and it would take time and cost money.
3. Why do these leaks keep happening?
The Justice Department has charged a U.S. intelligence community contractor, Reality Winner, with allegedly leaking the NSA report to The Intercept. According to court documents, when the news site's correspondents asked the NSA's public affairs office to verify the report, that enabled the FBI to narrow down who had access to it and pinpoint Winner.
From the perspective of NSA leaders, that's a partial success story: they plugged a leak quickly instead of having it turn into a gusher. But at the same time Winner's case is just the latest example of a contractor on the outer periphery of a spy agency hazarding closely held secrets.
Last month, tens of thousands of sensitive files connected to the National Geospatial-Intelligence Agency were left on a publicly accessible Amazon server by an engineer with contractor Booz Allen Hamilton. Last year, an NSA contractor also with Booz Allen was charged with hoarding a "breathtaking" amount of sensitive material. And before that, NSA contractor Edward Snowen took huge amounts of secret information about the U.S. intelligence community and the military.
Agency bosses, now led by Director of National Intelligence Dan Coats, say they've focused intensely on what they call the "insider threat" since the Snowden days, and the intelligence community now has a task force dedicated to helping snuff it out.
The question that Winner's case again raises is how secure Coats and agency leaders can make a constellation of 17 separate agencies that each has its own wider network of contractors who support it.
4. Why can't the U.S. stop these cyberattacks?
Then-CIA Director John Brennan called his counterpart in Russia last year to read him the riot act: "I said that all Americans, regardless of political affiliation or whom they might support in the election, cherish their ability to elect their own leaders without outside interference or disruption," Brennan told the Senate last month. "I said American voters would be outraged by any Russian attempt to interfere in the election."
But Alexander Bortnikov, the head of Russia's FSB intelligence agency — the successor to the infamous KGB — claimed he didn't know anything about any election meddling. In Brennan's telling, he promised he'd relay the details of the phone conversation to Russian President Vladimir Putin.
President Barack Obama also is believed to have warned Putin to knock off the interference — with no result. The NSA report posted on Monday describes a cyberattack that lasted until just before Election Day in November, well after the U.S. announced publicly that Russia had been responsible for campaign mischief.
U.S. intelligence officials said at the time that they believed so-called "attribution" was a powerful weapon. The FBI later issued indictments for Russian intelligence officers and others involved with the meddling, making public how much information Americans have about what's taking place behind the scenes.
None of it, however, appears to have made a difference. Coats, Comey, Brennan and other leaders continue to warn that Russian cyber-mischief proceeds, that Moscow considers it successful and that it could ramp up again in the 2018 midterm and 2020 presidential elections. One political scientist told NPR the world of foreign meddling is "the new normal."
Is that so, or can the U.S. government do more — launch cyberattacks of its own, impose further restrictions on Russia or take some other step — to impose greater costs on the Russians?
5. Will this change Trump's tune?
"As far as hacking, I think it was Russia," then-President-elect Trump said at a news conference before Inauguration Day.
Since then, however, he's dismissed the election-meddling story as an excuse created by Democrats to cover up Hillary Clinton's loss, or opined that cyberspace is so complicated that no one could ever know for certain who might have been behind it. Russian President Vladimir Putin made the same point over the weekend to NBC News' Megyn Kelly.
The NSA report leaked on Monday, however, shows that, in fact, American intelligence officers have a highly detailed technical understanding about how much of Russia's hacking operation works. They attribute the scheme without hesitation to the GRU and talk in detail about the software and other tools used to try to compromise the victims' computers.
It was one thing for the intelligence community to conclude that Russia had interfered and not explain how it knew. Now there are more clues in the open about how it knows. And the report, completed in May, shows that its analysis continues about the ways Russia's intelligence agencies attacked the U.S during the 2016 cycle.
Trump rejects any notion that his campaign aides might have colluded with the Russian operatives who meddled in the election, but does the emergence of this NSA document make it tougher for him to continue to question whether it even happened?
Copyright 2020 NPR. To see more, visit https://www.npr.org.
