Civilian privacy officers and counsel have a rare opportunity following the publication of the January 6, 2017 report from the Office of the Director of National Intelligence, commissioned by Former President Obama, regarding Russian hacking and influence efforts in “recent US elections”. Insight from the U.S. intelligence community regarding foreign state-actor targets, hacking, and foreign state-actors’ means and methods is typically unavailable to persons responsible for maintaining the privacy of sensitive data in corporate America. Accordingly, a comprehensive report on a recent hacking using state of the art means, would seem to be a must-read. Unfortunately, readers of the unclassified version of the report will be disappointed with the absence of detail, and in the end, the report is more useful as a kind of “travel advisory”—a reminder that “there be monsters here,” and that foreign state-actors have and will target not only high profile national group targets, but personal emails and county-level public officials and systems, and the means used will include not only apparent exploitation of network vulnerability, but more plebeian spear-fishing efforts to compromise the unwary.
The report reads much like an expert opinion report familiar to civil litigators, except without the footnotes citing the record. Persons unaccustomed to receiving opinions from the U.S. intelligence community will find explanations of what terms such as “likely” and “high confidence” mean on a numerical and textual scale. For those definitions alone, the report is worth reading, as it may be a useful dictionary to keep handy for future intelligence community announcements and findings.
Leaving aside the serious political implications inherent in the report, the conclusions that should be of most interest to privacy officers and counsel are that:
- Individuals’ private emails as well as the proprietary DNC network were hacked (by means not described) and content was transmitted to DCLeaks.com and Wikipedia by agents of Russian military intelligence;
- Not only primary campaigns and campaign individuals were targeted, but U.S. think tanks and lobbying groups were targeted and compromised, and information was only selectively released to serve the hackers’ non-economic purposes;
- Guccifer 2.0 is not a single individual, but is instead a fictitious persona that is a front for Russian military intelligence;
- Prior to Election Day, when it appeared that Hillary Clinton would prevail, Russian agents were prepared to launch a Twitter hashtag (#DemocracyRIP), ostensibly to foment popular suspicion regarding the election results;
- Russian agents obtained access to elements of multiple state and local electoral boards (though not systems involved in vote tallying); and
- Immediately following the election, Russian agents began cyber operations such as narrow-target spearfishing campaigns against US government employees and individuals associated with US think tanks, as well as non-governmental organizations involved in national security, defense, and foreign policy, with the goal of using any material obtained for future influence efforts.
There is no description in the unclassified report of the nature of the spearfishing schemes, nor any description of the means by which the DNC proprietary network or state or local electoral boards were compromised. The bulk of the report recounts public statements and actions taken by various Russian state actors and individuals which, in the collective judgment of the CIA, FBI, and NSA, establish that the hacking and influence efforts were motivated by, originated in and directed by Russia specifically to influence the election in favor of one candidate over the other.Privacy officers and counsel seeking guidance about what systems to secure, or seeking to determine where specifically to shore up their systems and protocols to fend off a future foreign state-actor cyberattack, will not find it here. As a result, officers and counsel can treat this report as a “travel advisory,” reminding them that employees using personal emails remain at great risk, that spearfishing schemes are alive and well and continue to be a prime source of intelligence for sophisticated hackers, and that anyone who has intelligence that could be of use to the government in the future is a potential (and perhaps even current) target.