Yahoo! has run two excerpts this week from a new book by its chief investigative correspondent, Michael Isikoff, and David Corn, Washington bureau chief for Mother Jones. The book is Russian Roulette: The Inside Story of Putin’s War on America and the Election of Donald Trump (Twelve Books), which will be released on 13 March.
Isikoff famously wrote the article in September 2016 based on information from Christopher Steele, of “dossier” fame, that ultimately got Steele’s liaison with the FBI terminated. In serving as a source for that article, Steele disclosed things he knew about FBI operations to Isikoff.
Corn wrote an article in late October 2016 that previewed much of the information from the anti-Trump dossier. The two journalists have now collaborated on Russian Roulette. The first excerpt, published on 8 March, is about the Miss Universe pageant organized in Russia by Donald Trump in 2013.
The second excerpt was published on 9 March, and addresses the Obama administration’s response in the late summer of 2016 to Russian cyberattacks in the United States, and then-CIA Director John Brennan’s belief that they represented a comprehensive attack on the U.S. election, ordered by Vladimir Putin.
If you’ve read my own 5 March article on that response (posted with merely coincidental timeliness), you already know the bones of the story. The Washington Post told much of it in 2017. Brennan assembled a group of analysts from the CIA, NSA, and FBI to evaluate what Russia was doing, and Obama had an interagency task force convened, headed by National Security Adviser Susan Rice, to come up with policy responses and operational plans.
It is mildly interesting to see how closely the account given by Isikoff and Corn mirrors that of the WaPo story, written by Greg Miller, Ellen Nakashima, and Adam Entous.
Across the infosphere, the reaction on Friday to the Isikoff/Corn excerpt has focused on one piece of information in it: that Susan Rice gave a “stand down” order to task force planners who were concocting an aggressive set of “counterstrike” measures to clean Russia’s cyber-clock, in retaliation for the intrusion attempts on U.S. systems. The excerpt puts it this way:
One day in late August, national security adviser Susan Rice called [White House Director of Cybersecurity Michael] Daniel into her office and demanded he cease and desist from working on the cyber options he was developing. “Don’t get ahead of us,” she warned him. The White House was not prepared to endorse any of these ideas. Daniel and his team in the White House cyber response group were given strict orders: Stand down. She told Daniel to “knock it off,” he recalled.
As with the WaPo article from 2017, there’s a strong tone of regret from the inside sources for these narratives. They wish more had been done with their proposals, for both cyber retaliation and sanctions (which Obama did levy on Russia after the election).
I can’t get too excited about that aspect of the story, however, in part because the cyber retaliation being proposed appears to me to have been incendiary and dangerously misguided. If we assumed the best about the thinking of Obama and his top advisers, we’d conclude that they saw the same thing. A cyber war is not something you want to escalate for demonstration’s or retaliation’s sake. Against a competent state adversary, you’d better fight a cyber war to “win” – which means starting with an objective that defines an end state for you.
There was no idea of such an objective in this case. Which is why I find it odd that the narrative that keeps emerging about “what Team Obama did” focuses on the decision not to do something irresponsible, as if it requires apology or explanation.
A shell game
Pick that shell up, and there’s nothing under it. On the other hand, over under a different shell, we have the real failure. Without intending to (from what I can tell), the Isikoff/Corn excerpt comes off as an extended alibi for that real failure: a failure to do the obvious, leaderly, American thing about the cyber attack problem the Obama team believed it was facing.
The bones of that story boil down to the following. U.S. cyber experts detected attempts to intrude into the computer networks of the Democratic and Republican national organizations in 2015 and early 2016. By the end of the primary season in 2016, they were seeing intrusion attempts against voter data websites in the U.S. states.
The Isikoff/Corn narrative makes the latter sound like a major crisis, with state after state being affected, although a recent statement from a Homeland Security official indicated that only a small number of state systems were actually penetrated. There was never any assessment that voter data was tampered with (although some, in Illinois, was apparently exposed to the intruders).
The reconciliation of the puzzle pieces, as they are laid out for us, would be that there were attempts on as many as 39 state systems, but only a handful or fewer (two or three) were successful.
Let’s stipulate, however, that in the summer of 2016, it looked alarming. They didn’t have hindsight at that point. (This would be in contrast to what Obama was saying at the time, but we’ll stipulate it anyway.)
John Brennan believed he had credible intelligence that Putin was directly behind what was happening. The fear in the White House was that Putin wanted to at least make it look as if the U.S. election might be compromised, and thus provoke a national crisis for America.
Here’s where they lose me, and where everything starts sounding like an alibi. The story is that Team Obama was afraid of doing everything that a sensible, leadership-minded person would think of first.
The wrong moves – in perspective
This is what they did do. They assembled their task force, had some people start thinking up ways to retaliate against Russia, and sent Homeland Security Secretary Jeh Johnson off to tell the state-level election authorities that their voting systems needed to be designated “critical infrastructure,” so that DHS could “coordinate security” for all of them.
The state officials were strongly resistant to that move. It would inevitably increase federal authority over something that is explicitly made a responsibility of the states in the U.S. Constitution.
And you have to turn your brain off and stop thinking, to accept that the only way to secure state election systems is to increase federal authority over them. That’s not the case at all.
Nor is it the case that the American people mustn’t be troubled with full disclosure about a Russian cyber campaign, lest they panic and immediately lose faith in their government and political system. Yet running through the account of Team Obama’s premises is the idea that they were reluctant to say too much to the public, because Donald Trump would make political hay out of it.
But that’s an alibi. What a leader does is get ahead of the problem by (a) telling the people, (b) having a plan, (c) helping the state leaders do what they need to do – not propose to basically take over their jobs for them – and (d) inspiring confidence rather than instilling fear.
The shell of an infrastructure for facilitating this already existed, with the independent advisory entity called the Election Assistance Commission (EAC). It was created in 2002 by the Help Americans Vote Act, a response to the election dispute in 2000 (with the hanging-chad episode in Florida). Its charter has been mostly about certification and standard-setting for balloting systems; it was something of a shoestring operation for years, but would have been the natural nexus for coordinating cybersecurity consultation on state election systems in 2016.
It would have required a short-term plus-up in funding and staffing. But since the EAC had no charter to exercise federal authority and compel the states, its relationship with the states would have caused no concern for Congress (which was as dubious as the state officials about putting DHS in the driver’s seat with a “critical infrastructure” designation).
The states, for that matter, are by no means helpless in their own right. Every one of them has access to competent experts, and they all deal already in cybersecurity issues, because they have big computer networks and important information to protect, and they’re connected to the Internet.
They didn’t need reorganization or major transformations. They needed information – if they didn’t have it (and some of them already did) – and advice on the margins for their game plans. Helping the EAC to help the states would have been as close to a no-brainer as on-the-fly political decisions get.
This was a cybersecurity problem, for which the relevant expertise existed already, and could have been organized for efficient support in more than one way. But none of those ways required making a critical infrastructure designation, something that carried with it a number of other implications under the relevant statutes – and also opened the door to federal encroachment on all aspects of the voting process, any of which could be deemed a matter of “homeland security,” once the mantle of “critical infrastructure” was draped over “electoral systems.”
Blaming Trump instead of visibly taking leadership
Meanwhile, the fear that Trump would make political hay of the situation is a singularly unimpressive one. Trump wasn’t the president. Obama was. If Obama thought there was a crisis, it was up to him to give the American people reason for confidence.
There were two very important places to inspire confidence, in fact: the Trump campaign, and the Clinton campaign. Both of them had a legitimate stake in the performance of the states’ voting systems. But neither of them should properly have been coordinating directly with the state authorities. Obama could have used the EAC to keep them briefed on what was going on, and make sure they had the information to believe in the outcome of the vote.
In conjunction with the normal state-level coordination between public officials and state political party leaders, the EAC keeping the Clinton and Trump campaigns informed at the federal level could have gone a long way to bring a sense of unified purpose, can-do, and candor to everything that was happening.
But that’s not what the Obama administration did. It literally did none of the things I have just outlined. Instead, it dribbled out alarming hints that the Russians had our systems under attack; it proposed that the states agree, with no more information than that, to have their systems placed under increased – effectively open-ended – federal supervision; and it implied over and over as the months wore on that Trump was somehow involved in whatever Putin was doing.
The excerpt from Isikoff and Corn gives us an Obama administration that seemed to be using its 2016 task force mainly to write an alibi narrative. We’ve asked the question before: why Obama didn’t do the things that would have constituted a good-faith effort to deal with the crisis he reportedly thought he was facing. Regarding the FBI investigation and the FISA surveillance, specifically, I put it this way in February:
If the operation was a good-faith effort to analyze what Russia was doing, determine whether Trump had a role in it, and defend America against a defined threat – again, what we would have seen from the Obama administration in the latter half of 2016 would have been very different.
We still don’t have a definitive solution on this. Once again, the need for the question is reinforced.
No serious crisis going to waste
But there’s a coda to the 2016 cyber-attack narrative. As alert readers will remember, one of the last acts of the Obama administration was, in fact, designating the state electoral systems as national critical infrastructure. President Trump has not had that decision reversed (although the states have asked him to).
It’s no surprise that the Election Assistance Commission has been made a central point of contact for the states (DHS is the lead agency). While Trump is the president, his DHS officials are unlikely to try to exercise undue control over state voting operations. But Trump won’t always be the president.
The House of Representatives sought in 2017 to defund the EAC – basically, to prevent it from getting overly established in centralizing the management of state electoral systems. Mission creep in that area is not in the best interests of our Republic.
But ultimately, the EAC did get its funding renewed. The Obama administration may not have addressed the cyber threat from Russia in any useful way in 2016. But to the extent that it made the critical infrastructure designation on the way out, and opened the door for undue federal supervision of state electoral operations down the road, Team Obama did manage to not let a crisis go to waste.