Russia Didn’t Hack the U.S. Election. It Hacked the Voters.

For months
now, there’s been a blur of speculation and information suggesting Russia was
interfering in our presidential election. Early on, officials in the Obama
administration figured that the objective was simply to undermine faith and
confidence
in the electoral process. But over the weekend, a new CIA assessment brought it
all into focus: Russia turned to cyberspace to help Donald Trump win the election.

But
Russia’s cyberventionism—its apparent proclivity for conducting interventionism
via cyberspace—didn’t take the form of an attack we’d typically expect to see.
There were no denial-of-service attacks on state election systems or website
defacements like it conducted against Estonian and Georgian governments and
political parties in 2007 and 2008, respectively.  And despite a number of pre-election reports citing voting-machine vulnerabilities,
anyone going in search of hacked precinct electoral computers is likely to come
up empty-handed.

So how
exactly did Russia hack the election? Well, it didn’t. It hacked us—the voters.

Why screw
around with inefficient, resource-intensive brute force hacks on voting
machines to flip ballots when you can simply convince voters to do it for you? In
other words, by targeting voters’ decision-making processes instead of the
machines that record their decisions, Russia could influence the election
without breaking into a single electoral computer. 

This isn’t
new thinking. Hackers learned long ago that the most efficient way to break
into a computer wasn’t to try to outsmart firewalls and other network security
measures. It’s far easier to trick users into giving up their credentials or
unknowingly installing malware. Computer engineering turned to good
old-fashioned social engineering, in the form of phishing. (As you probably
know, phishing is when a hacker tries to dupe a user into giving up personal
information or credentials that can be used to compromise computers and
networks.) And it worked. Allan Paller, the director of research at the SANS
Institute, estimated in 2013 that 95 percent of all successful cyberattacks on
enterprise networks are the result of phishing, and cybersecurity firm
FireEye found in a report issued this year that phishing is the most
prevalent delivery method for advanced persistent threats.

In
cybersecurity circles, this is a well-known dilemma. So much so that network problems
are often traced to a phenomenon called PEBCAK, or “Problem Exists Between
Chair and Keyboard”—that is, a user. Russia aimed between the campaign and the
ballot box, and it targeted voters.

No one
familiar with Russian operations is particularly surprised by this approach. It’s
called information warfare, and its goal is to employ disinformation to
manipulate a target population into making choices it might not otherwise make.
I spent two decades as an information-warfare officer in the United States Navy,
and it’s common knowledge in military and intelligence circles that deception,
propaganda, and psychological operations are hallmarks of Russian doctrine. So on
Sunday when Sen. Claire McCaskill called Russia’s intervention in the election
“a form of warfare,” this is exactly what
she meant.  

How’d they
do it? Basically, by doxxing the Democrats and unleashing fake news. Russia was
behind the stories that dominated our headlines, both real and fabricated, for
several weeks leading up to the election. In doing so, it bet that casting
further doubt on Clinton’s honesty and character while also polluting the
information environment with false stories would affect the decisions of enough
voters to increase Trump’s chances. It wagered that in a close election,
perhaps it could be the difference 

We now
know that two Russian intelligence groups hacked into the Democratic National
Committee’s email server in the spring and, over time, stole tens of thousands
of emails and documents. Then in July, just before the start of the Democratic
National Convention, WikiLeaks released nearly 30,000 of them, revealing the
DNC’s inner workings, private conversations between staffers, and campaign
tactics. In October, it made publicly available the text of some of Hillary
Clinton’s high-paid speeches to Wall Street, which she’d refused to discuss at
length. Shortly thereafter, nearly a full month before the election, the Clinton campaign accused
WikiLeaks
of being “nothing but a propaganda arm of the Kremlin with a political agenda
doing Putin’s dirty work to help elect Donald Trump.” Welp.

These
leaks seemed to further the narrative that Clinton was untrustworthy,
disingenuous, unfairly favored, and allowed to play by a different set of
rules. They also fueled the heat she took for separate issues, like classified
emails on her private server or questions about the Clinton Foundation, which only
added to the sense that she wasn’t being straight with the American people.
This perception of her contributed to strikingly high unfavorability ratings
and helps explain why nearly half of registered voters who supported Trump
proclaimed that they were actually voting against Clinton.

Then there
was the fake news. These fabricated stories ranged from purported admissions
that Clinton was paying people $3,500 to protest at Trump rallies to a supposed
declaration by the pope that he supported Donald Trump. These stories
questioned Clinton’s health, reported a murder-suicide of an FBI agent involved
in the Clinton email leaks, and placed a Trump-Pence campaign sign in the yard
of FBI Director James Comey.

 Reporting
has shown that Russian propaganda is likely behind the intentional spread of such
stories,
even when it wasn’t the originator. These stories showed up at the top of
search engine results and were shared on social media sites, which have
increasingly become echo chambers for our personal politics. Trump campaign
officials amplified some of these stories on social media, and even traditional
media outlets were fooled on occasion. Analysis since the election has shown
that fake news stories
outperformed real news by the end of the campaign, and most Americans, but
especially Trump voters, tended to believe the fake stories to be true.

 Russia set
out to intentionally manipulate the information that voters consumed in order
to influence the decisions they made on Election Day. The goal wasn’t to change
the minds of the entire populace, but seed just enough doubt in the minds of
undecided and tentatively committed voters to improve Trump’s chances. Just
like the phishing email that appears to be an update on the status of the
Christmas gifts you ordered or warning that there’s a problem with your tax
return, disinformation only has to deceive a very small percentage of the right
people to be successful. 

And we
aren’t the only targets. Russia has used fake news to influence discussions
concerning Sweden forming a
military partnership with NATO, coupled propaganda with cyberattacks on
Ukraine’s power grid, and is presently spreading disinformation
in Germany to
influence its politics. As the Institute for the Study of War astutely put it,
Russia
uses information warfare to “take advantage of pre-existing dispositions among
its enemies to choose its preferred courses of action.”

 We will
never know if Russia’s prolonged hackathon of American citizens definitively
changed the outcome of the election. But what is certain is that the ballots
cast by Americans—not Russian malware—gave Trump enough electoral votes to win
the election. And voters did not make those choices in a vacuum. The media
coverage of the doxxed DNC emails and the proliferation of fake news stories
changed the information we considered when making our electoral choices.

That is the
art of information warfare. It is misdirection. We were all on alert for how
Russia could hack election systems. And while we reeled in that red herring,
Russia phished the voting public.

 This article was originally published in Future Tense, a collaboration among Arizona State University, New America, and Slate.