Putin is well on his way to stealing the next US election

The rangy teenager, with neatly manicured brown hair and chunky glasses, had recently arrived at Stanford—his first semester of life away from home—and the 2018 midterm elections were less than two months away. Clicking back to his initial entry, he realized that he had accidentally typed an extraneous quotation mark into his home address. Despite his youth, Cable already enjoyed a global reputation as a gifted hacker—or, as he is prone to clarify, an “ethical hacker.” As a sophomore in high school, he had started participating in “bug bounties,” contests in which companies such as Google and Uber publicly invite attacks on their digital infrastructure so that they can identify and patch vulnerabilities before malicious actors can exploit them. Though it wouldn’t have given the average citizen a moment of pause, Cable recognized the error message on the Chicago Board of Elections website as a telltale sign of a gaping hole in its security. It suggested that the site was vulnerable to those with less beneficent intentions than his own, that they could read and perhaps even alter databases listing the names and addresses of voters in the country’s third-largest city. He read about how, in 2016, when he was a junior in high school, Russian military intelligence—known by its initials, GRU—had hacked the Illinois State Board of Elections website, transferring the personal data of tens of thousands of voters to Moscow. These were the most basic lapses in cybersecurity—preventable with code learned in an introductory computer-science class—and they remained even though similar gaps had been identified by the FBI and the Department of Homeland Security, not to mention widely reported in the media. Between classes, Cable began running tests on the rest of the national electoral infrastructure.
The embassy in Washington had attempted to persuade American officials to allow its functionaries to act as observers in polling places. Yet the hashtag is worth pausing over for a moment, because, though it was never put to its intended use, it remains an apt title for a mission that is still unfolding. Russia’s interference in the last presidential election is among the most closely studied phenomena in recent American history, having been examined by Special Counsel Robert Mueller and his prosecutors, by investigators working for congressional committees, by teams within Facebook and Twitter, by seemingly every think tank with access to a printing press. Through subsidiaries, the Russian government continued to funnel cash to viral-video channels with names like In the Now and ICYMI, which build audiences with ephemera (“Man Licks Store Shelves in Online Post”), then hit unsuspecting readers with arguments about Syria and the CIA. This winter, the Russians even secured airtime for their overt propaganda outlet Sputnik on three radio stations in Kansas, bringing the network’s drive-time depictions of American hypocrisy to the heartland. While the Russians continued their efforts to undermine American democracy, the United States belatedly began to devise a response. Senators drafted legislation with grandiose titles; bureaucrats unfurled the blueprints for new units and divisions; law enforcement assigned bodies to dedicated task forces. After he spent the better part of a semester shouting into the wind, officials in Chicago and in the governor’s office finally took notice of his warnings and repaired their websites. He is part of a team of competitive hackers at Stanford—national champions three years running—that caught the attention of Alex Stamos, a former head of security at Facebook, who now teaches at the university.
Earlier this year, Stamos asked the Department of Homeland Security if he could pull together a group of undergraduates, Cable included, to lend Washington a hand in the search for bugs. DHS, which has an acute understanding of the problem at hand but limited resources to solve it, accepted Stamos’s offer. Less than six months before Election Day, the government will attempt to identify democracy’s most glaring weakness by deploying college kids on their summer break. The president, meanwhile, has dismissed Russian interference as a hoax and fired or threatened intelligence officials who have contradicted that narrative, all while professing his affinity for the very man who ordered this assault on American democracy. Fiona Hill, the scholar who served as the top Russia expert on Trump’s National Security Council, told me, “The fact that they faced so little consequence for their action gives them little reason to stop.” The Russians have learned much about American weaknesses, and how to exploit them. Having probed state voting systems far more extensively than is generally understood by the public, they are now surely more capable of mayhem on Election Day—and possibly without leaving a detectable trace of their handiwork. Hours earlier, pro-Kremlin hackers had taken a digital sledgehammer to a vital piece of Ukraine’s democratic infrastructure, the network that collects vote tallies from across the nation. The graphic purported to show that a right-wing nationalist had sprinted to the lead in the presidential race. Although the public couldn’t access the chart, Russian state television flashed the forged results on its highly watched newscast. The Russians had the capacity to cause far greater damage than they did—at the very least to render Election Day a chaotic mess—but didn’t act on it, because they deemed such an operation either unnecessary or not worth the cost.
One theory holds that Barack Obama forced Russian restraint when he pulled Vladimir Putin aside at the end of the G20 Summit in Hangzhou, China, on September 5, 2016. Matt Masterson is a senior adviser at the Department of Homeland Security’s freshly minted Cybersecurity and Infrastructure Security Agency, a bureau assigned to help states protect elections from outside attack; it’s where Jack Cable will work this summer. These are malicious bits of code that encrypt data and files, essentially placing a lock on a system; money is then demanded in exchange for the key. Such meddling could stop short of purging voters from the rolls and still cause significant disruptions: Hackers could flip the digits in addresses, so that voters’ photo IDs no longer match the official records. In August 2016, President Obama’s homeland-security secretary, Jeh Johnson, held a conference call with state election officials and informed them of the need to safeguard their infrastructure. A year after the election, the Department of Homeland Security told 21 states that Russia had attempted to hack their electoral systems. When then–DHS Secretary Kirstjen Nielsen tried to raise the subject of electoral security with the president, acting White House Chief of Staff Mick Mulvaney reportedly told her to steer clear of it. The Secure Elections Act wouldn’t have provided perfect insulation from Russian attacks, but it would have been a meaningful improvement on the status quo, and it briefly looked as if it could pass. Then, on the eve of a session to mark up the legislation—a moment for lawmakers to add their final touches—Senate Republicans suddenly withdrew their support, effectively killing the bill.
Afterward, Democrats mocked Senate Majority Leader Mitch McConnell as “Moscow Mitch,” an appellation that stung enough that the senator ultimately agreed to legislation that supplied the states with hundreds of millions of dollars to buy new voting systems—but without any security demands placed on the states or any meaningful reforms to a broken system. McConnell made it clear that he despised the whole idea of a legislative fix to the electoral-security problem: “I’m not going to let Democrats and their water carriers in the media use Russia’s attack on our democracy as a Trojan horse for partisan wish-list items that would not actually make our elections any safer.” For McConnell, suppressing votes was a higher priority than protecting them from a foreign adversary. But I wanted his help tabulating a more precise toll of Russian hacking—how it leaves a messy trail of hurt feelings, saps precious mental space, and reshapes the course of a campaign. After repeatedly prodding him for an interview, I finally met with Hillary Clinton’s old campaign chief in his Washington office, which stares down onto the steeple of the church Abraham Lincoln attended during the Civil War. Dressed in a plaid shirt, with a ballpoint pen clipped into the pocket, Podesta rocked back and forth in a swivel chair as he allowed me to question him about one of the most wince-inducing moments in recent political history. As he finished a session of debate preparation with Clinton, he learned that Julian Assange intended to unfurl the contents of his inbox over the remaining month of the campaign. They covered a glass door in opaque paper to prevent voyeurs from observing their work and began to pore over every word of his 60,000 emails—every forwarded PDF, every gripe from an employee, even the meticulous steps of his risotto recipe. In the middle of meetings, staffers would find their devices vibrating incessantly; strangers would fill their voicemails with messages like I hope you’re raped in prison.
Identity thieves quickly circled Podesta, attempting to claim his Social Security benefits and applying for credit cards in his name. Despite a political career that has permitted him to whisper into the ears of presidents, the legendarily frugal Podesta had commuted to New York on Vamoose, a discount bus line. Through Microsoft’s work with political parties and campaigns around the world—the company offers them training and sells them security software at a discount—Burt has accumulated lengthy dossiers on past actions. Podesta fell victim to a generic spear-phishing attack: a spoofed security warning urging him to change his Gmail password. If a campaign consultant has told his circle of friends about an upcoming bass-fishing trip, the GRU will package its malware in an email offering discounts on bass-fishing gear. Many of these techniques are borrowed from Russian cybercrime syndicates, which hack their way into banks and traffic in stolen credit cards. The same GRU unit that hacked Podesta has allegedly sent operatives to Rio de Janeiro, Kuala Lumpur, and The Hague to practice what is known as “close-access hacking.” Once on the ground, they use off-the-shelf electronic equipment to pry open the Wi-Fi network of whomever they’re spying on. Of all the Russian tactics deployed in 2016, the hacking and leaking of documents did the most immediate and palpable damage—distracting attention from the Access Hollywood tape, and fueling theories that the Democratic Party had rigged its process to squash Bernie Sanders’s campaign. It’s impossible to know their reasoning, but Russian hackers made what would prove to be a clever decision not to alter Podesta’s email. Many media outlets accepted whatever emails WikiLeaks published without pausing to verify every detail, and they weren’t punished for their haste.
The Podesta leaks thus established a precedent, an expectation that hacked material is authentic—perhaps the most authentic version of reality available, an opportunity to see past a campaign’s messaging and spin and read its innermost thoughts. The Macron leaks suggested a dangerous new technique, a sinister mixing of the hacked and the fabricated intended to exploit the electorate’s hunger for raw evidence and faith in purloined documents. Sitting in front of a computer screen on the second floor of a squat concrete office building, the trolls waited to see if they could influence the behavior of Americans from the comfort of Russian soil. In the Soviet Union’s earliest days, the state came to believe that it could tip the world toward revolution through psychological warfare and deception, exploiting the divisions and weaknesses of bourgeois society. It forged letters from the Ku Klux Klan that threatened to murder African athletes at the 1984 Summer Olympics in Los Angeles. It fomented conspiracies about the CIA—that the agency had orchestrated the spread of the AIDS virus in a laboratory and plotted the assassination of President John F. Kennedy. Whereas the KGB once needed to find journalistic vehicles to plant their stories—usually the small-audience fringes of the radical press—Facebook and Twitter hardly distinguished between mainstream outlets and clickbait upstarts. As the political scientist Thomas Rid recounts in his powerful new history, Active Measures, a post on Facebook promised that free hot dogs would be available to anyone who arrived on a specific corner at a prescribed time. The ruse was innocuous, but it proved a theory that could be put to far more nefarious ends: Social media had made it possible, at shockingly low cost, for Russians to steer the emotions and even movements of Americans.
No study has quantified how many votes have been swayed by the 10 million tweets that the IRA has pumped into the digital world; no metric captures how its posts on Facebook and Instagram altered America’s emotional valence as it headed to the polls in 2016. In the end, the IRA’s menagerie of false personas and fusillades of splenetic memes were arguably more effective at garnering sensationalistic headlines than shifting public opinion. Its previous handiwork, much of which was riddled with poor syntax and grammatical errors, hardly required a discerning eye to identify. When white supremacists applied for a permit to hold a march in 2018 to commemorate the first anniversary of their protests in Charlottesville, Virginia, a Facebook group organized a counterprotest in Washington, D.C. In fact, it was hard to pinpoint where the Active Measures ended and the genuine action began—the sort of tradecraft that the KGB would have admired. On the day of the 2018 midterm elections, a group claiming to be the IRA published a grandiloquent manifesto on its website that declared: “Soon after November 6, you will realize that your vote means nothing. When the Iowa Democratic Party struggled to implement new technology used to tally results for the state’s caucus, television panelists, Twitter pundits, and even a member of Congress speculated about the possibility of hacking, despite a lack of evidence to justify such loose talk. American incompetence had been confused for a plot against America. Ostensibly it had been Alex Stamos’s job to prevent the last attack, and now he faced another wave of disinformation, with midterm elections fast approaching. Stamos worried that, in the absence of an orchestrated defense, his company, as well as the nation, would repeat the mistakes of 2016. In the spring of 2018, he invited executives from the big tech companies and leaders of intelligence agencies to Facebook’s headquarters in Menlo Park, California.
What shocked him more was a realization he had as the meeting convened: Few of these people even knew one another. “People who ran different agencies working on foreign interference met for the first time at Menlo Park, even though they were 10 Metro stops away in D.C.,” he told me. Prior to the meeting, one tech company would identify and disable Russian accounts but fail to warn its competitors, allowing the same trolls to continue operating with impunity. When one company spies a nascent operation, it can now ring a bell for the others. This winter, Facebook and Twitter jointly shut down dozens of accounts associated with a single residential address in Accra, Ghana, where the Russians had set up a troll factory and hired local 20-somethings to impersonate African Americans and stoke online anger. Despite the engineering prowess of the social-media companies, they haven’t yet built algorithms capable of reliably identifying coordinated campaigns run by phony Russian accounts. Rising from their denialist crouch, the social-media companies have proved themselves capable of aggressive policing; after treating the IRA as a harmless interloper, they came to treat it with the sort of disdain they otherwise reserve for terrorists and deviants. Even if Russian disinformation can be tamped down on social media—and the efforts here, on balance, are encouraging—there are other ways, arguably more consequential, to manipulate American politics, and scant defense against them. On an early-March afternoon, I typed the Federal Election Commission as a destination into Uber and was disgorged at a building the agency hasn’t occupied for two years. The antiquated address placed me on course to arrive half an hour late for an appointment with Ellen Weintraub, the longest-serving and most vociferous member of the commission nominally assigned to block the flow of foreign money into political campaigns.
It has collected examples of Russian money flowing into campaigns around the world: a 9.4-million-euro loan made to the French nationalist Marine Le Pen’s party; operatives arriving in Madagascar before an election with backpacks full of cash to buy TV ads on behalf of Russia’s preferred candidate and to pay journalists to cover his rallies. When I asked Weintraub if she had a sense of how many such examples exist in American politics, she replied, “We know there’s stuff going on out there, and we’re just not doing anything.” Since the Supreme Court’s 2010 Citizens United decision, which lifted restrictions on campaign finance, hardly any systemic checks preclude foreigners from subsidizing politicians using the cover of anonymous shell companies. With that decision, the high court opened the door for Russia to pursue one of its favored methods of destabilizing global democracy. H. R. McMaster, who briefly served as Donald Trump’s national security adviser, sounded it when he proposed a new task force to focus the government’s often shambolic efforts to safeguard the election. Adam Schiff, the chairman of the House Intelligence Committee, sounded it when he realized how poorly the bureaucracy was sharing the information it was gathering about the Russian threat. In the summer of 2018, he attended a security conference in Aspen, Colorado, where Tom Burt revealed that Microsoft had detected Russian phishing attacks targeting Democratic senatorial candidates. The answer was no.” That the chairman of the House Intelligence Committee had to learn this elemental fact about his own branch of government at a public gathering is troubling; that the people charged with protecting the country didn’t know it is flabbergasting. But there is another reason for the government’s alarmingly inadequate response: a president who sees attempts to counter the Russia threat as a personal affront.
After McMaster was fired, having made little if any progress on Russia, the director of national intelligence, Dan Coats, took up the cause, installing in his office an election-security adviser named Shelby Pierson. This past February, Pierson briefed Schiff’s committee that the Russians were planning to interfere in the upcoming election, and that Trump remained Moscow’s preferred candidate. “I don’t know the answer to that,” he replied, “and that bothers me.” Vladimir Putin dreams of discrediting the American democratic system, and he will never have a more reliable ally than Donald Trump. If Russia wants to tarnish the political process as hopelessly rigged, it has a bombastic amplifier standing behind the seal of the presidency, a man who reflexively depicts his opponents as frauds and any system that produces an outcome he doesn’t like as fixed. If Russia wants to spread disinformation, the president continually softens an audience for it, by instructing the public to disregard authoritative journalism as the prevarications of a traitorous elite and by spouting falsehoods on Twitter. Even without interventions from abroad, it is shockingly easy to imagine how a pandemic might provide a pretext for indefinitely delaying an election or how this president, narrowly dispatched at the polls, might refuse to accept defeat.