On Tuesday, a trifecta of tech companies announced that they had thwarted what appear to be significant cyberattacks from Russia and Iran. First, Microsoft CEO Brad Smith announced that the company had caught another round of phishing attacks on political groups in the United States, which it attributed to the Russian hacking group Fancy Bear. Then it was Facebook's turn. On a call with reporters, CEO Mark Zuckerberg said his company had shut down 652 pages, accounts, and groups affiliated primarily with Iran, though some had ties to Russia. Twitter almost instantly followed suit, saying it too had taken 284 accounts offline, which appeared to have originated in Iran.
In Washington, the news was met with a mixture of gratitude and anxiety. Gratitude, because these companies are finally stepping up their efforts to stop attacks on democracy like the Russian government unleashed on the US during the 2016 election. Anxiety, because with 75 days left before the midterm elections, the announcements served as yet another reminder that these ad hoc efforts from the tech industry may be the country’s best hope at preventing another crisis.
“I’m glad that more and more people are engaged and want to help fix these things,” Raffi Krikorian, chief technology officer of the Democratic National Committee, said following Microsoft's announcement. “But it obviously freaks me out that they have to do this ... Where is the government on this?” On Tuesday, a private security firm also alerted the DNC to an attempted attack on its voter database, which the DNC has since reported to the FBI.
When it comes to protecting democratic institutions, the tech industry is in a contradictory position. On one hand, it's been blamed for allowing trolls and cybercriminals to run amok on its platforms during the 2016 election. On the other, it's been quicker to respond to these threats than Washington has been. Companies like Facebook, Twitter, and YouTube are staffing up on human content reviewers, cracking down on bots and fake accounts, and developing new technology and methodologies to curb the spread of disinformation. Google, Microsoft, and Cloudflare, meanwhile, have launched free tools to protect US campaigns from cyberattacks.
But that blend of resourcing and concrete action has hardly been matched by the government, where several simultaneous attempts to address the issue have stalled. The Department of Justice has issued scathing indictments of Russian hackers and trolls this year, but without international jurisdiction they're largely symbolic. The White House axed its top cyber policy position following the departure of former cybersecurity czar Tom Bossert in April. The Global Engagement Center, a State Department initiative that was directed to counter Russian propaganda, has been starved for resources for much of the past year. And it's anyone's guess who, exactly, is responsible for making sure that information gets shared with the right people across the public and private sector.
"Every agency is off doing its own thing. No one is in charge," says Brett Bruen, former White House director of global engagement under President Obama. "We continue to have a very siloed process within the government, let alone bringing the private sector to the table to try to figure this out together."
"Even if you have a big shield like Microsoft does, there is a wide gap between them and the next tech company, and Russia's going to run right through that."
Brett Bruen, Global Situation Room
Nowhere was that more evident than on Capitol Hill Tuesday, where representatives from an alphabet soup of government agencies testified before a Senate subcommittee hearing about their respective departments' approaches to cyber threats. There was the deputy attorney general of the United States, who touted the DOJ's Cyber-Digital Task Force. There was the deputy director of the newly formed Cyber Threat Intelligence Integration Center, which is housed under the Office of the Director of National Intelligence. And finally, there was the director of the National Risk Management Center, run out of the Department of Homeland Security.
But several lawmakers pointed out the lack of a single point person, like a cybersecurity czar, to coordinate these parallel efforts. "Someone needs to be responsible," said Republican senator James Lankford, who also testified before the subcommittee. "A 'whole of government approach' often means no one is watching, because everyone’s supposed to be watching."
Congress, meanwhile, has introduced a litany of promising bipartisan bills aimed at addressing the problem. The Honest Ads Act, introduced by senators Mark Warner, Amy Klobuchar, and John McCain, would impose new ad disclosure requirements on digital political ads, similar to the standards that print and broadcast ads are already held to. The DETER Act, meanwhile, introduced by senators Marco Rubio and Chris Van Hollen, proposed giving the Director of National Intelligence the authority to immediately trigger harsh sanctions against Russia if it's found to have interfered with future elections. The Defending American Security from Kremlin Aggression Act, introduced by senators Lindsey Graham and Bob Menendez, would introduce strict sanctions on the Russian energy industry, its banks, and its oligarchs. Senators Chris Coons and Cory Gardner have introduced legislation that would set up a separate committee in the Senate to handle cyber threats. And last month, Senator Warner circulated a white paper with 20 potential policy changes that could help mitigate threats to American tech companies.
None of the bills have moved forward, however. Progress on Capitol Hill has been stagnant.
As for the executive branch, President Trump has repeatedly downplayed the threat from Russia. "One of the reasons why this is harder than it should be is the absence of the White House," Warner told WIRED. "In a normal White House, you'd have someone on the National Security Council that would use the power of the White House, at least in terms of convening all the groups."
In the absence of that leadership, tech companies have carried out their own crackdowns. "They have to step up to fill this gap," Krikorian says. "If I were in their shoes, I would look at this like: We have a whole bunch of customers. No one else is taking care of them. We have to go do it."
And yet, Bruen, who is now president of the consulting firm Global Situation Room, says that the country loses when private businesses are tasked with protecting national security interests as they see fit. "This is like the Roman shields aligning on the battlefield," Bruen says. "Right now, even if you have a big shield like Microsoft does, there is a wide gap between them and the next tech company, and Russia's going to run right through that."
Warner agrees. "While I appreciate what the companies are doing, I'm not convinced the self-regulatory initiative alone will fix the problem," he says, noting that not all companies have been equally responsive to the threat. "We focus a lot on the big three platforms, but there’s Reddit and a host of other smaller platforms that are doing some, but could also still up their game."
Former National Security Agency director Keith Alexander used another analogy in recent a statement to the House Armed Services Committee. Entrusting tech companies to defend against state-sponsored cyber threats, he explained, would be akin to expecting Walmart or Target to have surface-to-air missiles on the roofs of their warehouses to defend against Russian bombers.
"This policy simply makes no sense; expecting individual companies, standing alone, to defend themselves against all comers, including nation-states—which, to be fair, is our current expectation—is a policy designed to fail," Alexander wrote.
There's plenty that tech companies need to do to make their platforms safer and more trustworthy for their users. But there is so much else that they don't have the authority to do. They can advocate, as Microsoft has, for a digital Geneva Convention that creates a set of international norms to protect cyberspace, but they can't make it happen. They can try to assign blame in these attacks, as Facebook and Twitter have done, but they don't have access to all of the intelligence community's insights about escalating threats. And of course, when they detect a threat, they can't retaliate. Only the government can make those calls, and yet, the US still has no single doctrine that signals to its adversaries what the consequences of such a cyberattack would be. That all but invites foreign attackers to give it a go, explained Senator Lankford in his testimony.
"If our enemies don’t know what we may do in response, they may try it," he said.
So while the progress made by tech companies may be both necessary and useful, it's hardly enough. As Republican senator Ben Sasse warned forebodingly at the end of Tuesday's hearing, "Both the executive branch and the legislative branch are just waiting for the catastrophe. It’s ridiculous, and everybody around here ought to be fired when that moment comes, and this institution did nothing to prepare for it."