A new bipartisan report from the U.S. Senate Select Committee on Intelligence reveals a number of underlying problems which helped Russia in its efforts to carry out cyber interference with the 2016 presidential election.
This includes viewing "cyber" as a risk for security people to handle instead of viewing it as an organizational risk. Some private sector CISOs are still working on that fight within their own companies.
The report also says the Obama administration looked at a variety of options for tackling the problem but then suffered from "analysis paralysis."
The bipartisan report includes the following key findings, which the authors hope the U.S. government has learned from.
The Committee found the U.S. government was not well-postured to counter Russian election interference activity with a full range of readily-available policy options.
"While high-level warnings were delivered to Russian officials, those warnings may or may not have tempered Moscow's activity, and Russia continued disseminating stolen emails, conducting social media-based influence operations, and working to access state voting infrastructure through Election Day 2016."
The Committee found that the Obama administration was constrained in its response by a number of external and internal concerns.
"Those factors included the highly politicized environment, concern that public warnings would themselves undermine confidence in the election, and a delay in definitive attribution to Russia, among other issues."
The Committee found that the Obama administration treated cyber and geopolitical aspects of the Russian active measures campaign as separate issues.
"This bifurcated approach may have prevented the Administration from understanding the full extent of the threat Russia posed, limiting its ability to respond."
"The Committee found that the decision to limit and delay information sharing about the foreign influence threat inadvertently constrained the Obama Administration's ability to respond."
The Committee recommends the U.S. exert its leadership in creating international cyber norms.
"The rules of cyber engagement are being written by hostile foreign actors, including Russia and China. U.S. leadership is necessary to establish any formalized international agreement on acceptable uses of cyber capabilities."
The Committee recommends the executive branch prepare for future attacks on U.S. elections.
"Preparations should include the development of a range of standing options that can be rapidly executed in the event of a foreign influence campaign, as well as regular, apolitical threat assessments from the Director of National Intelligence. The Intelligence Authorization Act covering FY2020, which was passed last year, requires DNI to provide such assessments before regularly scheduled elections."
The Committee recommends an integrated response to cyber events.
"Rather than treating cyber as an isolated domain separate from other geopolitical considerations, current and future Administrations should view cyber as an integral part of the foreign policy landscape."
The Committee recommends increased information sharing on foreign influence efforts, both within government and publicly.
"Credible information should be shared as broadly as appropriate within the federal government, including Congress, while still protecting intelligence sources and methods. Information should also be shared with relevant private sector partners and state and local authorities. In the event that an active measures campaign is detected, the public should be informed as soon as possible with a clear and succinct statement of the threat."
As we mentioned, this was a bipartisan report on the 2016 elections. However, the lead authors both managed to make a political dig or two toward the other party.
Senate Intelligence Chairman Richard Burr (R-NC) put it like this:
"After discovering the existence, if not the full scope, of Russia's election interference efforts in late-2016, the Obama Administration struggled to determine the appropriate response. Frozen by 'paralysis of analysis,' hamstrung by constraints both real and perceived, Obama officials debated courses of action without truly taking one.
Many of their concerns were understandable, including the fear that warning the public of the election threat would only alarm the American people and accomplish Russia's goal of undermining faith in our democratic institutions. In navigating those valid concerns, however, Obama officials made decisions that limited their options, including preventing internal information-sharing and siloing cyber and geopolitical threats. "
And Vice Chairman Mark Warner (D-VA) summed up the report like this:
"The 2016 Russian interference in our elections on behalf of Donald Trump was unprecedented in the history of our nation. This volume tries to describe how the Obama Administration grappled with this challenge as they began to learn the scope of the Russian assault on our democracy. I hope that the lessons we captured in this report will resonate with lawmakers, national security experts and the American public so that we might be better able to fight off future attacks.
I am particularly concerned however, that a legitimate fear raised by the Obama Administration—that warning the public of the Russian attack could backfire politically—is still present in our hyper-partisan environment. All Americans, particularly those of us in government and public office, must work together to push back on foreign interference in our elections without regard for partisan advantage."
Read it for yourself: U.S. Government Response to Russian Activities in the 2016 U.S. Election
[RELATED: 'Was the Iowa Caucus Hacked?' Is a Hot Google Search Question]