Do we really understand what happened in 2016?

Were the Russian cyberattacks on US election systems in 2016 a well-resourced diversion operation meant to overshadow the more significant operations in the information domain? It’s worth discussing.

So, we need to talk about 2016. 

I know, you say — it’s so close to the 2020 elections, can’t we just get on with it? Unfortunately not. Turns out that hindsight is not, in fact, 20/20 — not some naturally occurring phenomenon achieved as we speed on to the right of boom. Clarity of past events is earned by confronting hard truths and challenging assumptions. Did we see it all then? Do we have it right now? Are we sure? 

No, we aren’t sure. And no, we have not finished achieving clarity on 2016. This week’s revelation that the CIA has assessed that Russian President Vladimir Putin is directing the campaign to undermine former Vice President Biden — very much as he directed the campaign against Secretary Clinton to aid now-President Trump, only this time with the direct aid of a US Senator and members of Trump’s entourage — is further proof that we are trapped in a cycle of failing to understand what has happened to us. We are reliving 2016 with remarkably little pushback from any of the institutions that should have had time to figure out how to do this better. And this Groundhog Day hellscape — the hell of our own choosing, as Bill & Ted would say — remains a closed loop until we actually assess what happened, and more importantly, why.

In the case of 2016, a key assumption that needs to be challenged is that the Russian hacking operation targeting US election infrastructure was the most significant threat in 2016. This has been the prevailing narrative since even before the election in 2016. We’ve carried it along with us these four years, in how we talk about what the Kremlin did — “hacking” the election — and in how the skeptics of the significance of the attack deny it — “it didn’t change any votes.” Neither of these is, of course, a correct way to describe what the Kremlin did or to explain it away. But the usage comes from the narrative and in turn reinforces it: that the thing we should focus on is the cyber intrusions targeting US election systems.

Since 2016, loads more detail about the expansive list of targets of the Russian cyberattacks has emerged from various investigations. There is consistent reporting on potential cyber vulnerabilities, be they theoretical or actual, and whether or not the US government is taking them seriously enough, and whether or not states are doing enough to address identified vulnerabilities in hardware, software, connectivity, and process. There is a particularly fervid subset of Twitter that is constantly beating the drum on this issue, identifying it as a threat of untold proportions.

But I think it’s important to question how and why this has become an accepted narrative. Is it just that there is more information available about this aspect of the Russian attack, and a greater potential to address identified weaknesses, so we talk about it more so we feel like we have done something — can do something? Does how we perceive what happened in 2016 accurately reflect all of the new information that has emerged, or is it being filtered or biased in ways we aren’t paying enough attention to? Was this really the greatest threat — or are we seeing it exactly how the Kremlin hoped we would?

We have to evaluate all of these questions. We have to evaluate how pressure was applied to us in 2016, and how we reacted to it — as citizens and as government — so we can understand how we can get it less wrong in the ongoing iterations of attacks used by the Kremlin to weaken American society. 

From my perspective — based on past examples of Kremlin behavior in recent political warfare campaigns, and based on the thousands of pages of interviews and investigative findings we now have detailing the events of 2016 — I think it’s pretty likely that the operation to target US election systems with cyberattacks was a sophisticated, well-resourced, useful diversion operation, meant to overshadow and assist the far more important but less quantifiable influence operations that were underway. 

* * * * * 

First, let’s talk about what diversion is — particularly in the context of how it is used by the Kremlin. 

Understanding — or at least learning to identify — the Kremlin’s behavior requires developing a kind of pattern recognition that is cultivated by studying (or living through) past cases and examples. In this last decade or so, I’ve been on the frontlines in multiple countries that were being intensely targeted by the Kremlin, and I’ve had too many opportunities to learn from what we missed until it was too late. It’s a horrible way to learn. The cost is high. It impacts the lives and freedom and security of entire nations. (America is learning a bit about this now, in real time, though we still enjoy long bouts of make-believe about how none of it has really affected us, or really the problem has been us all along, or something.)

It isn’t so much that there is a specific Kremlin “playbook” for certain events, or a checklist of steps they go down when trying to disrupt or subvert target countries. It’s more that there are categories of things that they try, and different kinds of options that they prepare. In a serious campaign, there’s never just one line of effort, reliant on only one side or one main set of actors who are aware of all the parts, or even fully aware of their own. There will be parallel initiatives in different spaces, often quite modest seeming, sometimes integrated with each other or connected by common personalities or financing or infrastructure, but just as often insulated from each other but working toward the same objectives, usually from many sides of a major issue. 

I know this sounds like voodoo or something. It’s actually born from a straightforward premise: why be on one side when, if you can impact all the sides, you are more likely to be able to direct outcomes in ways that are favorable to your objectives? This idea is reflected in Soviet and Russian doctrine — in how they describe the use of partisan and guerrilla forces in particular, and how they describe the use of unconventional covert operations inside “enemy territory” (that would be us) to create a “permanently operating front through the entire territory of the enemy state” (this is what “sow discord” really means, by the way — not to support one side, but to build the capacity to escalate manageable chaos).

And no, this isn’t because Putin is 17 feet tall or because the Kremlin is a bunch of genius puppetmasters. It’s because they encourage creativity in operations, and push on doors until they find ones that are open, and they take risks, and they contingency plan. As I’ve written before, there is a high tolerance for trying things that fail, because sometimes they get lucky. It’s a completely different mindset for clandestine intelligence programs — what Great Power contributor and former CIA officer John Sipher describes as an orientation toward operations/doing things to influence systems versus collection of information about those systems (which is primarily what we do). 

The collective impact of all of these low-level operations is a lot of churn. After a while, this churn starts to sound and feel familiar. There are patterns of money, associations, techniques, intermediaries, and narratives if you know where to look. This is the pattern recognition of Russian influence.

One of these techniques is a broad category of diversion operations, which, if following the terminology of military/intelligence operations, is a subcategory of deception (if you want to read through all the definitions, this is a useful primer). The technical definition of diversion is “to mislead an enemy away from your real operations and objectives” — but in the context of modern Kremlin operations, I would define it a bit more specifically as making an unlikely line of effort seem like a greater threat than more significant lines of effort in order to divert and consume the resources and attention of the enemy into focusing on the wrong thing. The diversion can be a real operation — it’s just that its importance or the potential of success is inflated in an intentionally manipulative way. 

Diversion can be many different things, but in its essence it’s about promoting a flashy, high-profile, extreme, unlikely option as the thing you are supposed to look at so you don’t take other, more significant threats as seriously. Whatever the diversion is, it is meant to prey on emotion: it will feel dire and terrifying and like something you absolutely have to pay attention to. The goal is to get the target of a diversion operation to obsess about how bad this option could be so they lose sight of other activities that are far more likely to succeed. 

For example — and here I will greatly simplify what is actually a complex story — in the elections in Georgia in 2012, the Kremlin had a wide array of influence operations underway to help ensure the defeat of the government it failed to topple by invading Georgia in 2008. The opposition faction — led by a Russian-made oligarch who lived in a glass castle on a hill with a shark tank inside — was drenched in money and came with lots of international support (the oligarch even set up a TV station that had Larry King, now a host for Russian state media, on its “advisory board”; the station was shut down as soon as the election was over).

I worked with the Georgian government at the time, for the National Security Council and the Prime Minister, and was part of the team registered to represent them in Washington, and it is hard to describe the suffocating environment of the election, and the countless well-resourced lines of effort that were used to create a distorted perception of Georgia and the election — a war of perception being fought in Brussels and Paris and Washington as well as Tbilisi. 

Only after the election, which was won by the oligarch, was it possible to assess the many shady things that had gone on in the full context of all the other things. And by then it became clear that one of the things about which we had been most concerned — the constant threat of violence and unrest during and after the election — was actually a diversion operation. There were local groups, international lobbyists, paid “election observers,” media, and proxies pushing this message, inflating false rumors that the government was training and arming militias to take over the country if they lost, which made the government think that some faction of this opposition was planning to use violence if the opposition lost. This became an all-consuming fear — that there was a plan for violence, or for a provocation meant to look like government-sponsored violence. And to be sure, there was a shell of a plan for this from certain actors. But this wasn’t a serious plan — more cosplay than Red Dawn. It was just meant to consume our time and attention. And it did. And while we had to deal with it, it meant we missed other, far more important things.

Again — diversion can take many forms. It’s a close cousin of maskirovka — military deception, but also strategic deception in hybrid domains more broadly — but serves a specific purpose within a given operation. 

* * * * * 

So, back to 2016 and the Russian cyber operations. 

Starting from the October 7, 2016 joint statement on Russian attempts to interfere with the election, we’ve known that there were multiple lines of effort underway. By now, we have the 400+ pages of the Mueller report, all five volumes of the bipartisan Senate report, statements from the intelligence community, memoirs from senior Obama administration officials, countless interviews and stories written and recorded about the events of 2016 and how they may have impacted the outcome of the election. 

All of this outlines three broad categories of influence targeting the election: first, operations in the information domain; second, hacking/cyber initiatives; and third, attempts by human assets and proxies to infiltrate and influence politically-significant persons and organizations in the United States. Each of these was well-resourced; each included Russian intelligence operatives; each occurred under the direction of senior officials or oligarchs with close connections to Putin; each occurred with the knowledge of the Kremlin. I think this is important to keep in mind, as we tend to transpose our own American sense of “what was important to the Kremlin” on assessing the values of these different initiatives. These operations, whether formal or informal, structured or entrepreneurial, were understood as a part of a holistic landscape of operations working to achieve specific outcomes regarding the United States, its elections, and its role in the world. 

The line of effort we know the most about, in terms of concrete forensics which are supported by allied intelligence services, and in terms of contemporary accounts from senior officials, is the cyber operations. We know that hackers aligned with Russian intelligence worked in two directions: targeting election systems, including voter registries and voting systems, in all 50 states with cyber attacks; and gaining access to email and other data files from the DNC and RNC (yes, never forget they hacked the Republicans too), which fueled public-facing “hack and dump” operations of this illegally obtained material. But it’s this first piece — targeting election systems — that has dominated the threat narrative in discussions of 2016. 

I think that we think this because this was the perspective of the officials in the Obama administration who were dealing with the Kremlin’s attack as it occurred. From the very first extensive reporting in 2017 on the sequence of events as the Obama White House was alerted by intelligence officials about the Russian campaign in summer 2016, all the way through the declassified Mueller report and the Senate reports, with all their supporting interviews and evidence, the most available and transparent sources have been the officials from the Obama team who were responsible for monitoring the attack and deciding what to do about it — and what they are focused on is the idea that Russia could hack or confuse the execution of the election or sow doubt in the validity of the results via its hacking operations. It is apparent that this was the consuming fear of the small circle read-in on what was happening.

In the past four years, via interviews and articles and memoirs and testimony, we’ve seen that some of these officials argued for a stronger response or pushed for response measures earlier than they came — but they are remarkably consistent as they explain what they think the threat was. 

But we may need to consider that this is not an objective lens. One of the biggest challenges we have when discussing US policy on Russia is that the train wreck of President Trump’s “we’ve got a lot of killers” approach to Putin — and the cartoonish way in which he blames President Obama for everything — overshadows our ability to objectively reflect on the policy of the Obama administration toward Russia. Which wasn’t — and I say this as a person working on the periphery of Russia for the duration of the Obama presidency, in countries that valued US partnership and invested in those relationships to help bolster their shield against the various forms of Kremlin aggression — good. 

To be blunt, the “reset” was a disaster. It gave Russia time to rebuild and revamp their military after their semi-failed invasion of Georgia in 2008; it frustrated our allies in the newer European/NATO nations and NATO partner countries like Georgia, who felt their interests and concerns about Russia were sidelined and diminished by the prioritization of engagement with Russia; it influenced and colored our policy and decisions on Iran and Syria and Iraq in unhelpful ways; and it de facto left a big open field for Putin to walk into — and he did. Putin expanded his influence operations and political warfare in Europe; he systematically targeted and weakened countries like Ukraine and Georgia and Moldova, which were left in a gray zone when the US agreed Russia had “regional interests” in these states; he built a propaganda empire and a mercenary army; he supported Assad to cement Russia’s expanding foothold in the southern Mediterranean and access into sub-Saharan Africa, while using Syria as an arms expo to sell Russia’s new weapons systems and drive a migration crisis that realigned the politics of Europe; and he used the Sochi Olympics as cover to prepare for an invasion of Ukraine. And this is just the short list that doesn’t include all the terrible things he was doing to Russians.

Now, given the timing of when Obama became president — after Putin was done consolidating internal power in Russia, after his 2007 Munich speech alerted the world that Russia was done being quiet, after the cyberattack and Bronze Night riots in Estonia in 2007, and after the invasion of Georgia in August 2008 — you could argue that this was just where Putin was in his evolution, and it was going to happen anyway. But that thing about the open playing field we left for Putin should haunt a lot of people. Putin advanced, waiting to hit the usual pushback and walls, and negotiate around them and find new ways to wriggle by — but instead he got a lot of easy walking. We let Putin aid Assad in wholesale civilian slaughter, and looked away. We let Putin invade and annex Crimea, and told the Ukrainians we expected them not to fight for their own territory. Even after Russia waged a crushing cyberattack on Estonia, and it was clear the Kremlin was focused on honing their skills in this vital aspect of asymmetric warfare, we encouraged a program of technology exchange with Russia that undoubtedly ended up aiding their subsequent attacks on the United States. This latter was part of a wholesale, multi-faceted cooperation effort to bolster President Medvedev in the imaginary “internal power struggle” between Medvedev and Putin (who had already finished his two allowed terms as president, and was pretending to be prime minister while the constitution was changed so he could be president again) — which was never, ever a real thing, but which was used in a tremendously successful way to build a relationship with Obama and get the US to give stuff to Russia, even while we pulled our punches on the usual “concerns.” 

Then Putin became president again, and then there was Crimea, and all of this was the groundwork leading up to 2015, when Russia started testing our election systems and trying out information operations against the United States — and it was the impossible-to-ignore context as we arrive at the Russian attack on US democracy and American citizens in 2016. 

The Obama administration, and President Obama in particular, were consistently wrong in analysis and judgement about Russia, and the Kremlin learned to play that to their advantage. They were very, very successful in how they did this. In the same way that the Kremlin knows how to play the obvious psychology of President Trump, they understood the psychology of President Obama and his deliberative approach. This approach did not aid him in 2016. And I think it’s reasonable to believe that the same thinking that had underlaid a holistically misguided approach on Russia may have influenced the assessment of events in 2016 in a way that the Kremlin was counting on. 

* * * * *

In all the accounts of what the White House was doing in 2016 after they were alerted to the Russian interference, there is a hyper-focus on the idea that hacking election systems was the most significant threat amongst the activities the Kremlin was conducting. And while there was awareness amongst top officials that a component of this may be about undermining public confidence in the election process rather than actually disrupting the election process, they don’t seem to wonder if they themselves were the intended target of the psychological aspects of this operation.

If diversion is about misleading the enemy from your true operations or objectives — which operations would have had the most effective covert impact in terms of aiding the Kremlin’s preferred candidate, Donald Trump? And how could you protect those operations, draw attention away from their significance until it was too late, knowing that it would be a decision made by President Obama that would determine the US response? 

By now, I think we know that the operations in the information domain — be they social media influence campaigns run by false persona accounts and networks amplifying certain narratives, the hack-and-dump operations that were critical to creating a perception of wrongdoing used to continually smear Clinton, how various narratives were amplified by Russian state media and affiliated proxies, how conspiracies were used, and the overall attempts to shape perceptions and impact behavior — were the most significant assistance to Trump and his campaign. It’s just that so much of this is interwoven in and overlapping with what the far right media landscape and what Trump himself were doing anyway, it’s hard to assign the forensics in the same way you can assign attribution in a cyber attack. But the Russian information operations were a factor in a radically reshaped American information environment that became the context of how voters made decisions, how they decided to vote or not, and ultimately, how the outcomes Russia was working toward were achieved. This truth is inescapable. I know it remains fashionable to argue that really, it didn’t do anything, and really, the problem is that Americans need to read more and consume information better — but this buck-passing evades acknowledging that an adversarial nation was using a tool of warfare on the American public. Let’s be real about this.

In June 2016, the White House was already aware that Russian hackers had infiltrated election systems in at least some US states. The list grew quickly. At the time, the belief was more that they could potentially alter voter lists and registrations or things like how results were reported, rather than that they could alter any vote counts (the idea being to undermine the legitimacy of the election). By July, it was known that hackers tied to Russian intelligence had had access to some Democratic and Republican computer networks for more than a year, and the FBI was tracking a new wave of hacking attempts on the parties, think tanks, and other targets. The FBI started investigating the Trump campaign’s weird contacts with Russian nationals. In late July, thousands of DNC emails were dumped on Wikileaks — one of many information campaigns being pushed by Russian trolls. In August, the US intelligence community finally assessed that Putin himself was directing this campaign — to weaken Clinton and help elect Trump.  

During summer, the White House cybersecurity team, working with the people who understood Russia, started developing a list of potential responses. The National Security Adviser told them to stop. The president and the small team in charge of managing this crisis believed their response could “provoke” Moscow into doing something worse than what they were already doing, or would disrupt the vote itself. Yes, there were the concerns we’ve all heard about how the Obama team wanted to avoid the appearance they were interfering in the politics of the election on Clinton’s behalf — but really, this was the classic over-deliberative, paralytic thinking of the Obama White House. A last manifestation of their forever-belief that doing something could be worse than doing nothing — a belief which tarnished their legacy in foreign affairs almost every time they relied on it. 

This also meant that communication to the public was sparse — something the Senate report, in volume 3, identified as a crucial missing aspect of the administration’s response. Throughout the Senate report, the interviews with former senior administration officials reinforce the idea that the focus was not to “poke the bear.” The Senate report also notes that Russian behavior was undeterred by the warning and fingerwaggling from the Obama team to their Russian counterparts. The election came. There was no Election Day cyber attack. There are a couple ways to interpret that. One is certainly that a “worse attack” was prevented, an interpretation reflected in the Post reporting:

Those closest to Obama defend the administration’s response to Russia’s meddling. They note that by August it was too late to prevent the transfer to WikiLeaks and other groups of the troves of emails that would spill out in the ensuing months. They believe that a series of warnings — including one that Obama delivered to Putin in September — prompted Moscow to abandon any plans of further aggression, such as sabotage of U.S. voting systems.

As recently as this August interview with former national security adviser Susan Rice, for example, the assessment that the worse threat is the cyber one has been repeated: 

“We need to be worried not only about Russian disinformation — its activity on social media which is constant, aimed at misleading and dividing and instilling fear and hatred between and among Americans — but we need to be concerned also about what efforts it might make again to infiltrate our voting systems, and corrupt either our voting rolls or even potentially the voting count itself,” Rice said. “That's very hard to do, and hopefully in the intervening years, even more steps have been taken to harden our system, I believe in many cases that's the case, but I also think the Russians aren't going to stop trying.” 

It’s precisely this haunting, obsessive quality about the idea of election hacking that makes it such a good subject for a diversion operation.

The interpretation that a worse attack was averted doesn’t have a lot of support in the investigations. For one thing, we know from volume 1 of the Senate report that the election infrastructure seems to have been targeted for the purposes of mapping systems or identifying vulnerabilities, over an extended period of time, in some cases finding “open doors” to walk through, rather than operationalizing the next steps. Where successful intrusions are noted, it was for the exfiltration of data, not the alteration of it within systems. It was louder than it was effective, more about preparing an option than operationalizing one. It could have been intended to generate noise — as the Senate report also notes. Just going through the motions was enough to create a narrative of doubt about the electoral process if they decided to use it (for example, in the case of a Clinton victory). This also makes it more deniable than actually messing about in US election systems. As I learned in Georgia — chaos on Election Day is a pretty bad plan when there was a good chance the Kremlin’s preferred candidate would win. And in the US, that possibility was achieved by campaigns in the information domain, not by hacking election systems.

Moscow doesn’t pull punches when they are close to achieving a target objective and have paid no price for what they have done. They know facts on the ground win the day. The Kremlin was, by then — after pretending they didn’t invade Crimea, and then pretending they didn’t invade eastern Ukraine, and then pretending they weren’t responsible for a civilian passenger jet being shot down by their goons in eastern Ukraine, and really not paying much of a price for any of it — quite accomplished at listening to the warnings and fingerwagglings, and nodding and denying it all, and walking away and continuing on with what they were doing anyway when they are pretty sure a punch in the nose isn’t coming. 

And when it came to the Obama White House, they could be pretty certain a punch on the nose wasn’t coming. It seems far more likely that the cyberattacks against US election systems were never a primary operation but a diversion operation, meant to distract and overwhelm the attention of the White House until it was too late to matter. The Kremlin knew the psychology of the president. They knew he would ask for more information and fall into the binder while deliberating what to do, fearing doing anything could make it worse when the extent of the probing seemed so vast. The cyber operations seem almost uniquely designed to capture the attention of the parts of the US government that would have been alert to malign Russian influence. 

They believed, and still believe, that they deterred a more serious attack. But what if they actually just fell for the diversion?

The closest thing I have seen to real reflection on this is the following (also from the Post reporting):

“In many ways . . . we dealt with this as a cyberthreat and focused on protecting our cyber infrastructure,” [former deputy national security adviser Ben Rhodes] said in an interview. “Meanwhile, the Russians were playing this much bigger game, which included elements like released hacked materials, political propaganda and propagating fake news, which they’d pursued in other countries... We weren’t able to put all of those pieces together in real time, and in many ways that complete picture is still being filled in.”

* * * * * 

Over the long final months of 2016, the Obama administration “secretly debated dozens of options for deterring or punishing Russia, including cyberattacks on Russian infrastructure, the release of CIA-gathered material that might embarrass Putin and sanctions that officials said could ‘crater’ the Russian economy.” Many members of the administration tried to make the case for action before the election. They were overruled by the president and the small team around him.

Finally, a package of punitive measures including expelling 35 Russian “diplomats,” seizing two Russian diplomatic compounds in the US, and some targeted economic sanctions was agreed. I don’t think anyone felt this was enough. Obama signed off on the package on December 29 while he was on vacation in Hawaii. Somehow, this seemed a particularly poetic bookend to how a persistently wrong approach on Russia undermined how Obama’s presidency would be remembered. 

In August 2008, it was also from Hawaii that then-candidate Obama responded to the outbreak of war between Russia and Georgia. His initial comment on the conflict was some version of “both sides need to show restraint” — which the McCain campaign jumped all over — and days later Obama finally issued a more detailed statement which concluded with his hope for new engagement with Moscow. Just over eight years later, probably looking out at the same beach, he was dealing with the consequences of the bold, expansive Russian attack on American democracy and against American citizens that was the reward for that engagement. It’s unclear to me that he connected the two. 

In mid-December 2016, a frustrated Obama responded to questions about Russia at a press conference, saying:

“The Russians can’t change us or significantly weaken us. They are a smaller country. They are a weaker country. Their economy doesn’t produce anything that anybody wants to buy, except oil and gas and arms.”

At the time, there had been no real response to what Russia had done, and I remember that this statement hurt my head. Somehow, he still didn’t get that those metrics didn’t matter. In fact, those metrics were precisely the reason that Moscow relies on covert, asymmetric, hybrid tactics — like hacking and information operations and informal access agents — in its modern campaigns to weaken adversaries and achieve Russia’s strategic goals. Used well, these asymmetric tools level the playing field with bigger, richer, stronger adversaries — especially those who prefer to believe that Russia isn’t a serious threat.

We convince ourselves to disarm when really most concrete examples show the opposite is true: Russia stops when they meet a barrier to their actions, not when they find more open space.

Russia excels at convincing us to downplay the significance of their behavior — convincing us that inaction against their aggression is the “wisest” course. This message of “anything you do to punish Putin will prove his point and make him stronger” has been nurtured and cultivated as a core aspect of the soft Kremlin narrative that echoes around the internet.

“It is our conclusion,” reads volume 5 of the Senate report, which focuses on counterintelligence issues, “based on the facts detailed in the Committee's Report, that the Russian intelligence services’ assault on the integrity of the 2016 US electoral process and Trump and his associates’ participation in and enabling of this Russian activity, represents one of the single most grave counterintelligence threats to American national security in the modern era.”

If we don’t respond to this — then what? When our response to this first serious attack on our elections has been so wrong, and we haven’t really reflected on how and why that is, how will we ever get it right? 

How we got to 2016 matters. It is not just the minds and perceptions of the American public that have been exploited and manipulated by Kremlin attacks — but that of our policymakers, as well. It’s time to stop getting Russia wrong. The cost to our republic is too high. 

— MM