There is little room for doubt that Russia interfered in the 2016 election. The Justice Department on Friday handed down indictments to 13 Russian people and 3 Russian companies for meddling in United States political and election processes, the latest item in a litany of evidence that Russia, well, did it.
Even scarier, there is every indication Russia is likely to try to interfere in the American political process again — and many of the technologies, trends, and processes it exploited in the past are largely unchanged. (Catch that New York Times story on the Twitter bot factories?)
“I’ll tell you right up front, it is going to happen again,” Greg Touhill, a retired Air Force general officer and one of the nation’s premier cybersecurity experts, told me. Touhill is currently president of Cyxtera Federal Group, a secure infrastructure company. Before that, he served in a wide range of government roles, including as the first United States Chief Information Security Officer in 2016.
I spoke with Touhill about what the United States can do to try to stop Russia from interfering in US politics and elections in 2018 and beyond. While the federal government certainly has a major role to play — in deterring future interference, in supporting state and local election officials, and in boosting national security efforts — he noted that the technology companies Russians use as a conduit in their disinformation campaign have a responsibility as well.
So do everyday Americans, in using good judgment when they’re reading news sources: “If it sounds phony, it probably is,” he said.
This interview has been edited and condensed for clarity.
So we keep getting more details about Russian meddling in the 2016 election, including Friday’s indictments, and we’re also seeing warnings that Russians are likely to try something again in 2018. What can and should the federal government and other entities be doing so that we don’t see this happen again?
I’ll tell you right up front, it is going to happen again. It’s happened before, and frankly, it’s happened throughout all of time. A different way to phrase it is how do we prepare ourselves to deal with this when it happens again? And how do we mitigate it and the like?
Information operations, influence operations, or whatever you want to call it — and different nations call it different things — people have recognized, as Francis Bacon used to say, knowledge is power. They’re constantly trying to seek the ability to influence and get knowledge and get an information advantage. From my perch, I think that we want to deter further action, we want to mitigate it when it does happen, and we want to take action that’s effective and proportionate when we do detect that somebody is breaking international norms.
How do you balance deterrence of future action against retaliation or punishment of past action? How would you approach it?
If you take a look at all the different instruments of power that are available to the United States, we have the military option, which as a retired officer I think should be the last resort, but certainly it should be on the table for consideration, particularly when it comes to deterrence. We also have the political, the economic, and the diplomatic means as well.
First thing’s first is you have to — when you see somebody who is breaking norms and is engaged in things that we don’t believe as an international community are the right things to do — you need to confront that, and you need to present the evidence that says, “Hey, here is where you are breaking the norms.”
We have been working, from the United States government, on a very leadership forward-thinking approach to cyber norms. That should be a priority in the international community, and the United States should take a continuous leadership role in making sure that we have a clear understanding and articulation of acceptable behavior in the cyber domain, and affirmation of the cyber norms that have been already proposed needs to be a priority for our diplomat efforts.
Secondly, when we see folks that are deviating from those norms, there needs to be some accountability, and that’s where we have the ability under our current legal framework to issue economic sanctions, diplomatic sanctions, and in [Friday’s] case, legal indictments, where we are trying to hold individuals and states accountable for violating law and, as I mentioned, norms of acceptable behavior.
What agencies or entities within the government need to take the lead here?
Frankly, this is a whole of government issue. And as you take a look at all those instruments of national power, it’s distributed across departments and agencies. That’s a reason why in 1947 we established National Security Council to help coordinate a lot of the activities dealing with national security.
I would submit that our national security and our national prosperity is intrinsically linked to cybersecurity and the integrity of information technology and the information that’s contained within it. You name me a business or an institution or a societal institution itself that doesn’t rely on IT right now, it’s very difficult. As we take a look at the roles across the federal government — the Department of State, the Department of Treasury, the Department of Homeland Security, the Department of Defense, the Department of Commerce, the Department of Justice —virtually every single major department and agency has a stake in those elements of national power that we could use and leverage to deal with issues of deterrence and proper response to cyber attacks.
The National Security Council, working under the National Command Authority, that’s where I’m looking for leadership to coordinate all instruments of national power.
What about the president? On Friday, the indictments come down, and he says, “No collusion!”
I don’t necessarily see the discussion of collusion being the same as to acknowledge that we have an issue with Russian-based actors engaged in influence operations against the United States. I took the collusion issue as separate domestic issue as opposed to the actual influence operations.
I believe that the evidence we’ve seen thus far points toward Russian-based actors engaged in targeted influence operations directed against the people of the United States with what appears to be an ultimate goal to undermine democratic institutions in the United States.
Well but Trump doesn’t seem hyper-concerned about Russia, he seems to be downplaying it.
I don’t know President Trump nor do I know his leadership style, so I really can’t comment on that.
It’s very possible, and I wouldn’t rule it out, that he has directed the National Security Council to provide him different options, and as you take a look at activities at nation state level, many of those deliberations are going to be held in very classified settings. At this point, I really can’t comment because I don’t know what he’s directing in the background, nor would I expect, if it were President Obama or President Bush or President Clinton or any of his predecessors, this is really an important topic, and I’m confident that the National Security Council is in fact looking at all different options that would be on the table and advising the president as such.
Beyond the government and the president, what do companies like Facebook and Twitter, which seem to be a major part of what happened in 2016, need to be doing?
If you look at it through the lens of cybersecurity, I think there are three major lenses: people, process, and technology. You’re taking a look at all sorts of different media platforms, that could include Twitter, Facebook, and the like, which under social media are powerful platforms. You want to make sure you get it right.
You want to make sure that your people are properly trained to maintain the integrity of product and information that you’re putting out. You want to make sure that you have the proper processes in place to properly vet input so that you, in fact, are not putting out, for lack of a better term, “fake news.” It’s almost like yelling, “Fire!” in a movie theater: You want to make sure that you are, in fact, accurate and that your product is trusted. You want to put in right technologies to make sure that you have positive control over that information that you’re sharing. There are plenty of tools now that are currently developed and being fielded right now that can help on the technology standpoint, and certainly training and processes are part of good order and discipline in any business these days. From a technology standpoint, you should not let anybody have access to your information or equipment or systems and the like. Having positive control over the platforms themselves is critically important. Technologies such as software-defined perimeters that are identity-centric and really go down and validate authorities and identities prior to connecting and doing authorization first and connection second as a technology is critically important. As you see more and more companies that want to make sure that they have positive control over their tech to protect the information inside it are switching to thinks like software-defined perimeters, regardless of what industry they’re in — finance, social media, etc.
I am heartened, though, by the rhetoric of some of the companies, where they’re coming out and saying, “Hey, we’re putting things in so people, if they see something, they can say something, question whether or not this is fake news.” That’s a step in the right direction, but I want to see more.
I’m interesting in this question of whether social media companies need to know their customers — banks are subject to know your customer and anti-money laundering laws, can’t technology companies be, too? At the same time, with those sorts of regulations, you tend to hear protests on the First Amendment front — namely, shouldn’t people be able to say whatever they want, presumably, on Twitter, even if it is a bot?
That’s gets back to yelling, “Fire!” in a movie theater. There was great debate about 100 years ago as to First Amendment rights. Do you have the right to yell, “Fire!” in the movie theater if public safety is at risk? If we take a look at different companies that are out there, do they in fact have the code of ethics to make sure that the information presented is in fact proper?
Google, what’s their theme? Do no harm, right? If Google is serving up info that may in fact be harmful, is that contrary to their own ethics? It’s a heavy issue, and I’m not necessarily a philosopher, but Professor Touhill would tell you that you’ve got a great capability, and technology doesn’t always solve every problem. Leadership is needed at all levels, including in the technology areas to try to combat this problem.
And as I also tell my mother, you need to not draw conclusions from a single news source, you need to go survey the whole landscape. I believe that freedom of the press here in the United States is one of our greatest strengths, and I expect the press to do their bit, too, to make sure that when they’re seeing fake news they’re pulling it out so that we can, in fact, all work together as a team, as a people, to make sure that the general population gets the right news, the truth. That’s what we’re all looking for. It’s more than just technology.
Along those lines, beyond the government, tech companies, the press, what about me, sitting at home on my computer? Is there some role citizens need to play in this in being smarter in the way that they consume news and information?
There are some very straightforward things that every citizen can and should be doing.
One is don’t believe everything you see online. Do your homework, go check multiple sources, make sure that you are staying away from suspicious websites, go to news sources that are trusted and maintain that same level of integrity as you would hope that you would be promoting yourself. You want to get your news from folks who will double check and triple check their sources, that are unimpeachable, that recognize their responsibility. And if it’s coming from a news source that you don’t know, then it’s probably not necessarily a trusted source. That’s the first thing.
Second thing, follow the advice I gave my mother — get your news from multiple sources. There’s more than one network on TV, and there’s more than one newspaper online. The great news organizations have at their core the same story, but they give you different analyses, different perspectives. If you want to be better educated into the news, you’re better served by understanding those different perspectives. Make sure that you’re doing your homework and not necessarily going to just one news source.
Third, if it sounds phony, it probably is. Dig deeper when you see things that seem outrageous. You may find that that things that are particularly outrageous, if it’s not coming from a trusted news source, it’s probably is made up.
In wrapping up, going forward, just looking at the next six months, if you could pick out three things that the federal government could do to safeguard election integrity, what do you think they should do?
Number one, work with state governments — state, local, county, tribal, territorial governments — because all elections are managed locally. The federal government does not go out and do voter registration, the federal government not do the collection of votes, and the federal government does not do the tabulation of votes. That’s all done locally and up to the state level.
Its’ really important for the fed government to work with the states and the counties to make sure that they are hardened. I mentioned those three processes — voter registration, the actual casting of the ballot, and the actual tabulation, counting the votes — three individual processes that are all critical. That’s all done at the state level, the federal government can assist the states on that. They can assist with best practices, and having been director of the NCCIC for a while — that’s the National Cybersecurity and Communications Integration Center — which has the US CERT and the ICS CERT, the industrial control systems certification, we went out and reached out to the secretaries of state in different states and offered assistance. There’s a lot of discussion right now as to how the states want to use the capabilities and best practices and the like, but I think that’s something that still needs to be at the top of the agenda at the state level as well as within the Department of Homeland Security to help.
Two, from an influence operations standpoint, we have to do counter influence orations, and I think we’ve already started a lot of that. We need to make sure that the American people understand that there are influence operations that are, in fact, being conducted against us, and the media has been really good as of late, for example, highlighting the fact that we had the major intelligence leaders testifying before Congress this past week, raising that alert.
The next step is for the federal government to actually have a plan on how to educate and inform citizens as to, “What do I need to do in an environment where influence operations are ongoing?” That’s going to be very difficult for the United States government to do given the fact that we cherish freedom of the press and our First Amendment, but we do need to make sure that we have have an educated and informed populous.
The third thing that the federal government should be doing, in my opinion, is be very clear from a deterrence standpoint what the consequences would be for any entity that is trying to interfere with our free and open democratic processes. There should be accountability. There should be activity leveraging diplomatic and other instruments of national power to deter any entity from attacking our most cherished democratic institutions.