
How Russia Wants to Undermine the U.S. Election

A campaign event for Democratic presidential candidate Bernie Sanders at Pinkerton Academy in Derry, N.H., on Feb. 8, 2016.

What's behind Russia's effort to influence the U.S. election

The leaders of the U.S. government, including the President and his top national-security advisers, face an unprecedented dilemma. Since the spring, U.S. intelligence and law-enforcement agencies have seen mounting evidence of an active Russian influence operation targeting the 2016 presidential election. It is very unlikely the Russians could sway the actual vote count, because our election infrastructure is decentralized and voting machines are not accessible from the Internet. But they can sow disruption and instability up to, and on, Election Day, more than a dozen senior U.S. officials tell TIME, undermining faith in the result and in democracy itself.

The question, debated at multiple meetings at the White House, is how aggressively to respond to the Russian operation. Publicly naming and shaming the Russians and describing what the intelligence community knows about their activities would help Americans understand and respond prudently to any disruptions that might take place between now and the close of the polls. Senior Justice Department officials have argued in favor of calling out the Russians, and that position has been echoed forcefully outside of government by lawmakers and former top national-security officials from both political parties.

Unfortunately, it’s not that simple. The President and several of his closest national-security advisers are concerned about the danger of a confrontation in the new and ungoverned world of cyberspace, and they argue that while the U.S. has powerful offensive and defensive capabilities there, an escalating confrontation carries significant risks. National Security Council officials warn that our critical infrastructure–including the electricity grid, transportation sector and energy networks–is vulnerable to first strikes; others say attacks on private companies, stock exchanges and the media could affect the economy. Senior intelligence officials even worry about Russia exposing U.S. espionage operations in retaliation. And while U.S. officials have “high confidence” that Russia is behind what they describe as a major influence operation, senior U.S. officials tell TIME, their evidence would not yet stand up in court.

And so with five weeks to go, the White House is, for now, letting events unfold. On one side, U.S. law-enforcement agencies are scrambling to uncover the extent of the Russian operation, counter it and harden the country’s election infrastructure. On the other, a murky network of Russian hackers and their associates is stepping up the pace of leaks of stolen documents designed to affect public opinion and give the impression that the election is vulnerable, including emails from the computers of the Democratic National Committee (DNC). Meanwhile, the FBI alerted all 50 states to the danger in mid-August, and the states have delivered evidence of a “significant” number of new intrusions into their election systems that the bureau and their colleagues at the Department of Homeland Security “are still trying to understand,” a department official tells TIME.

All of which makes Donald Trump’s repeated insertion of himself into the U.S.-Russia story all the more startling. Trump has praised Putin during the campaign, and at the first presidential debate, on Sept. 26, he said it wasn’t clear the Russians were behind the DNC hack. But the U.S. intelligence community has “high confidence” that Russian intelligence services were in fact responsible, multiple intelligence and national security officials tell TIME. Trump was informed of that assessment during a recent classified intelligence briefing, a U.S. official familiar with the matter tells TIME. “I do not comment on information I receive in intelligence briefings, however, nobody knows with definitive certainty that this was in fact Russia,” Trump told TIME in a statement. “It may be, but it may also be China, another country or individual.”

Russia’s interference in the U.S. election is an extraordinary escalation of an already worrying trend. Over the past 2½ years, Russia has executed a westward march of election meddling through cyberspace, starting in the states of the former Soviet Union and moving toward the North Atlantic. “On a regular basis they try to influence elections in Europe,” President Obama told NBC News on July 26. With Russia establishing beachheads in the U.S. at least since April, officials worry that in the final weeks of the campaign the Russian cybercapability could be used to fiddle with voter rolls, election-reporting systems and the media, resulting in confusion that could cast a shadow over both the next President and the democratic process.

Obama’s decision not to call out the Russian espionage operation has so far left the effort to educate Americans about it to lawmakers and national-security experts. On Sept. 22, the ranking Democrats on the Senate and House Intelligence Committees, California’s Senator Dianne Feinstein and Representative Adam Schiff, released an unusually blunt statement. “Based on briefings we have received, we have concluded that the Russian intelligence agencies are making a serious and concerted effort to influence the U.S. election,” they said. “At the least, this effort is intended to sow doubt about the security of our election.” Orders for Russian intelligence agencies to conduct electoral-influence operations, they added, could come only from very senior levels of government. “We call on [Russian] President [Vladimir] Putin to immediately order a halt to this activity.” The statement, though not endorsed publicly by the Administration, was cleared with the CIA.

To understand why Putin would want to undercut the legitimacy of the U.S. election, it helps to step back from the long and ugly presidential campaign and remember why we’re voting in the first place. Elections are the ultimate source of authority in our democracy. Because Republicans and Democrats have agreed for decades that spreading democracy is good for everyone, America has pushed for free and fair elections around the world. And many nations have embraced them: peasants in the Balkans put on their Sunday best to go to the polls, and burqa-clad women in Afghanistan brave terrorist attacks to stand in line for hours to cast their ballots.

Not surprisingly, quasi-authoritarian rulers in the former Soviet Union, latter-day communists in China and medieval theocrats in the Middle East, among many others, see America’s sometimes aggressive evangelism about the benefits of liberal democracy as a direct threat to their own claims to authority. Putin has taken particular umbrage, accusing the U.S.–and former Secretary of State Hillary Clinton in particular–of meddling in Russia’s presidential election in 2012. He has publicly questioned the validity of past U.S. presidential elections, saying, on June 17, of the Electoral College, “You call that democracy?” Now, experts say, Putin is expanding his anti-American campaign into cyberspace. “More than any attempt to get one candidate or another elected, this [Russian influence operation] is about discrediting the entire idea of a free and fair election,” says Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike, the cybersecurity company that did the analysis of the DNC hack.

No one knows that better than Arizona secretary of state Michele Reagan. One day in June she was in her backyard in Phoenix when she got a call from her chief of staff. “Are you sitting down?” he asked. The FBI had been monitoring a corner of the so-called dark web, the network of hidden sites used by criminals to buy and sell drugs, pedophilic pornography and stolen identities. A group of hackers known collectively as Fancy Bear, which the U.S. government believes is controlled by Russian military intelligence, was trying to sell a user name and password that belonged to someone in an Arizona county election official’s office, which holds the personal data of almost 4 million people. “My first reaction was, Well, this is like the worst thing that you want to hear,” Reagan recalls.

Reagan and the FBI scrambled to figure out how the Russians had gotten into Arizona’s system and what needed to be done to secure it. It turned out that an election official in rural Gila County, pop. 54,000, had opened a Word document on her desktop computer that contained malicious software. Fortunately, while Fancy Bear had penetrated a local computer system, it hadn’t accessed the statewide registration database. Others weren’t so lucky. Fancy Bear’s electronic fingerprints were found on the hack into the DNC computers. In Illinois, the feds found that Fancy Bear had stolen 85,000 voter records from that state’s registration systems in mid-July. Later that month, the Democratic Congressional Campaign Committee (DCCC) revealed that it, too, had been hacked by Fancy Bear.

With other states now reporting intrusions of unknown origin, the government wants to reassure the public that the vote count itself is safe. “We have confidence in the overall integrity of our electoral systems,” Homeland Security chief Jeh Johnson said on Sept. 16. “It is diverse, subject to local control, and has many checks and balances built in.” Each of the U.S.’s more than 9,000 polling places uses machines not connected to the Internet, precincts count and report their results independently, and most have paper or electronic backups in case a recount is needed.

The Administration has a message for Russia too. The U.S. has privately warned that any effort to sway the election would be unacceptable, intelligence and other Administration officials tell TIME. Secretary of State John Kerry delivered the message to his counterpart, Russian Foreign Minister Sergei Lavrov, in Laos on July 27. During a 90-minute meeting with Putin on the sidelines of the G-20 meeting on Sept. 6, Obama pulled Putin aside and discussed the cyberconcerns one-on-one, with no aides present, a White House official tells TIME. In a press conference later, the President called for restraint on all sides in the use of cyberweapons and issued a veiled threat about America’s cyberpowers. “Frankly, we’ve got more capacity than anybody both offensively and defensively,” Obama said.

Putin’s history of using influence operations against opponents begins, appropriately enough, with himself. As he was rising quickly through the Kremlin ranks in 1999, one of his main opponents, Prosecutor General Yuri Skuratov, was caught on tape having sex with two women in a hotel room in what Skuratov later claimed was a Putin-run espionage operation traditionally known as a “honey trap.” Putin, who had risen from a Soviet-era KGB operative to head the country’s intelligence services, denied he was behind it but said on TV that his agents had confirmed that the man in the grainy video was Skuratov. Putin went on to win the presidency the next year. Skuratov, who ran against him, got less than 1% of the popular vote.

With the expansion of the Internet in the decade that followed, the Russians adopted cyberweapons as a standard tool of political meddling. Nowhere has their tactic of spreading chaos around a vote been clearer than in Ukraine, where three days before the presidential election on May 25, 2014, the computer systems of the Central Electoral Commission went dark. “The servers wouldn’t turn on. The links to the local election authorities were cut off,” says Victor Zhora, director of the cybersecurity firm Infosafe, which had been hired to defend the system. “Literally, nothing worked.”

As Zhora and his team worked successfully to restore the system in time for the vote, they became convinced that the collective behind the hack, known as CyberBerkut, was a front for Russian security services. The malware that crashed the system was not available on the market and had been built from scratch. And the effect of the attack supported Russia’s strategic goal of undermining the validity of the election. The hackers could have manipulated the outcome of the vote, Zhora says, but “their main goal was to take out the system itself, to destroy the data, to wipe out the hard drives before the elections started.” Moreover, the CyberBerkut efforts appeared to be coordinated with Russian state propaganda. Zhora and his team stopped a subsequent effort by CyberBerkut to post false voting results on the election commission’s website that would have showed a far-right militant ahead in the polls. But a screenshot of the fake web page appeared anyway on Russia’s main state-run news network as the vote was still going on.

Russia has also meddled in the elections of major U.S. allies that have imposed sanctions on Russia for its invasion of Ukraine, and many of the Russian cyberoperations have benefited populist, anti-immigrant parties that oppose Western European unity in the face of rising Russian aggression. In August, a spear-phishing e-mail attack targeted German party officials, including some members of Chancellor Angela Merkel’s Christian Democrats. The emails contained malware that bore the signatures of Fancy Bear, according to Germany’s top cyberdefense official, Arne Schönbohm, who warned on Sept. 9 that the attack could be an attempt to manipulate parliamentary elections next year. Merkel had previously ordered German intelligence agencies to look into Russia’s peddling of a false story about a Russian girl raped by migrants in Germany–a story that has helped fuel the rise of the right-wing opposition party AfD. That party beat Merkel’s Christian Democrats in a regional ballot in the Chancellor’s home district in September.

Farther west, in France, a Russian bank with close ties to the Kremlin lent the far-right party of Marine Le Pen some 9 million euros in November 2014, helping it prepare for regional elections a year later, when it received its best results ever. Russia also tried a more subtle information operation designed to fuel the anti-immigrant and national-security fears that have contributed to Le Pen’s rise. In April 2015, the programming of the French broadcaster TV5Monde was blocked by unknown hackers, and for 18 hours the channel’s websites transmitted only the image of the signature black flag of ISIS. French intelligence officials and the British signals-intelligence agency, the GCHQ, found it was not ISIS but in fact Fancy Bear that was behind the hack, according to a Sept. 25 article by the London Sunday Times and U.S. officials.

Britain, too, has been targeted. The Times article quoted David Anderson, an independent watchdog appointed under British law, as saying the GCHQ had blocked a Russian attempt to disrupt the May 7, 2015, general election there. The Times said Fancy Bear planned to target government servers and major TV broadcasters. But not all stations were to be hit. In the fall of 2014, the pro-Moscow RT network, which is funded by the Kremlin, launched a 24-hour news network in the U.K. aimed at British viewers. The message, Russia experts say, is that Western democracy is not so hot. “It’s a cynical message: No one is democratic,” says Peter Kreko, an expert on the European right and a visiting professor at Indiana University.

The most pessimistic Kremlin watchers worry how far Putin will go with the combination of psychological manipulation and cyberwarfare. They view the pattern of Russia’s electoral meddling in the context of Putin’s recent embrace of what is known as the Gerasimov doctrine, a nontraditional approach to military conflict named after the chief of the Russian general staff, Valery Gerasimov, that relies heavily on cyberwar and influence operations. “A perfectly thriving state can, in a matter of months and even days, be transformed into an arena of fierce armed conflict,” Gerasimov posited in a now famous 2013 manifesto, through “political, economic, informational, humanitarian and other nonmilitary measures applied in coordination with the protest potential of the population.”

That is how Putin stoked a separatist rebellion in eastern Ukraine in 2014. But the current and former senior intelligence and national-security officials interviewed for this story agree that the principal benefit Putin gains from his Western European and U.S. meddling is the leg up it gives him with his own political and diplomatic challenges at home. “In the long run, if people start to question the integrity of our election system,” says one senior U.S. intelligence official, “potentially to Russia that’s a plus. But I would argue more strongly that this is as much about domestic constituents and his public,” the official says. The more chaos in Europe and the U.S., the better.

Putin has shown little sign of stopping, even when meddling is discovered. In April, the DNC suspected it had been hacked and called in the cyberforensics firm CrowdStrike, which was co-founded in 2011 by Alperovitch and employs a number of former government cybersecurity experts. CrowdStrike was familiar with Fancy Bear: it had previously found the group’s hacks in Canada, Japan and the former Soviet republic of Georgia. It identifies the group based on the Russians’ unique cybertradecraft, including nonpublic code in its malware, its infrastructure of servers around the world and the techniques that it uses to move and hide within the systems it penetrates. After inspecting the DNC computers, Alperovitch concluded that the hack was indeed executed by the Russians. And while CrowdStrike usually keeps its findings secret, the DNC told the company it was outraged that the Russians were trying to interfere with our political system, and “they wanted us to come forward,” Alperovitch says.

Twelve hours after the DNC break-in was revealed in June, a hacker who insisted he was Romanian and who called himself Guccifer 2.0 popped up online and tried to discredit CrowdStrike’s attribution to Russian military intelligence. Guccifer 2.0 started leaking information from the DNC hack in blog posts and on Twitter, but his professed identity wasn’t very convincing. When reporters reached out to him online, for example, the responses he sent in Romanian were riddled with errors. U.S. government officials privately confirm that they believe Fancy Bear and Russian military intelligence are behind the DNC and DCCC hacks.

The pace of leaks has accelerated as the election approaches, revealing a murky network of actors. Around the time of the DNC hack, a website called DCleaks.net was established by a group identifying themselves as “hacktivists.” By June the group began posting hacked documents, including emails from retired General Philip Breedlove, the former commander of NATO and U.S. forces in Europe, asking former Secretary of State Colin Powell how to persuade Obama to more forcefully oppose Russian meddling in Ukraine.

Initially, there was no evidence of a connection between DCleaks and Russian hackers, and even now it is not clear who is behind the site. In late June, however, Guccifer 2.0 contacted the website the Smoking Gun and provided it with a link to material from the DNC hack that DCleaks was preparing to publish. In recent weeks, DCleaks has published new emails belonging to Powell, which included damaging remarks about Clinton, even though the overall gist of his emails was supportive. And recently, the site published what purported to be a copy of Michelle Obama’s passport.

The leaks tend to favor isolationist policies over ones aimed at confronting Russia. The Breedlove leaks showed an embarrassing and unsuccessful effort to build U.S.-led pushback against Russia in Ukraine. The DNC documents, which made their way to WikiLeaks through unknown channels, weakened Putin’s old foe, Clinton, on the eve of the Democratic National Convention. And DCleaks claimed that its ability to obtain the First Lady’s passport demonstrated U.S. vulnerability to terrorism.

Putin has done what he can to maintain deniability. Asked by Bloomberg TV on Sept. 2 whether Russia was behind the DNC hack, he said, “I don’t know anything about that.” But he seemed admiring, if not proud, of Fancy Bear’s work. “They work so much like fine jewelers, so delicately, that they can leave their tracks, or someone else’s tracks, at just the right place and just the right time in order to camouflage their work and make it look like the work of some other hackers from somewhere else, some other country.”

In fact, it might take a real jewel thief–or an army of them–to rig the U.S. presidential election. Because they are not connected to the Internet and are controlled by thousands of independent precincts, U.S. voting machines are largely safe from meddling, says Merle King, executive director of Kennesaw State University’s Center for Elections Systems. The feds have pushed out patches for known vulnerabilities in state computers and offered security scans. America’s cyber and counterespionage forces will be looking “to see if there’s anything coming from overseas or even domestically that looks like an effort to target election offices,” says George W. Bush’s Homeland Security chief, Michael Chertoff. The FBI has opened a formal investigation into the DNC, DCCC, Arizona and Illinois hacks.

But with the election fast approaching, some experts in and out of government say the Administration is moving too slowly to publicize the Russian influence operation and explain it to Americans. A bipartisan group of former national-security officials that included Chertoff and others called on Obama in July to name the perpetrators of the DNC hack. Alperovitch says the U.S. is misreading the battlefield in cyberspace. “The U.S. government for the last 20 years was so focused on how to achieve kinetic effects in cyberspace, how to produce what they call cyberbombs, because that’s what we’re used to,” he says. “But the Russians understand that the real power of this domain is in influence operations, psychological warfare, changing people’s perceptions of what’s truly going on.”

For much of the summer, Trump made casting doubt on the validity of the U.S. electoral system a prominent feature of his campaign. “I’m afraid the election’s gonna be rigged,” Trump said in Ohio on Aug. 1. “I have to be honest.” Trump backers who sign up to be “Trump Election Observers” are told the campaign will “stop crooked Hillary from rigging this election.”

Asked at the first debate whether they would support the outcome of the vote, both candidates said they would. But Trump has a record of doing the opposite. As results came in on election night in 2012, he falsely tweeted that the Republican had won the popular vote and urged an uprising. “The phoney Electoral College made a laughingstock out of our nation,” Trump tweeted. “The world is laughing at us. More votes equals a loss … revolution! This election is a total sham and a travesty. We are not a democracy!”

Clinton has said Putin is trying to get Trump elected; there is no evidence of that. Trump does have some ties to Russia. Trump’s former campaign manager worked for Putin’s proxy in Ukraine until the pro-Western uprising there, and Trump, his family and a foreign policy adviser have done tens of millions of dollars of business in Russia. The exact amount is unclear, and Trump has declined to disclose details of his Russian business partners.

The links worry even rock-ribbed Republicans. Chertoff led the Senate Whitewater investigation of Bill and Hillary Clinton’s obscure Arkansas land deal in the mid-’90s and has been critical of the Democratic presidential candidate. But he is alarmed by Trump’s talk of a rigged election. “This business about talking about rigged elections is very dangerous,” Chertoff says.

On the ground in Arizona, Michele Reagan, a Republican, has been working to make the vote safe. She took the entire state voter database offline for 10 days after learning of the Fancy Bear hack to ensure the system was secure. In conversations with the FBI and her own cybersecurity team she has learned phrases like SQL injection and dual-factor authentication. “Yes, we believe we’re safe,” she now says.

That doesn’t mean she isn’t worried about Russian attempts to undermine the credibility of the vote. “We know there’s these bad actors out there that are coming in from other countries and they’re trying to scare us,” she says. “This isn’t about stealing information or altering information. The entire conversation I believe needs to be shifted to what this is really doing to the confidence of the American electorate.” Does she have a message for Americans on how to respond to Putin’s effort? “Our job is to try to encourage people to get involved and to be connected in government, to go out and vote.”

