At a conference Tuesday at the Yale Law School, panelists agreed on one point: the United States is uniquely vulnerable to cyberattacks.
Two panels, part of the “Hacking the Election” Conference, focused on the effects of cyberattacks and the ways technology can be used to manipulate elections. Panelists Harvard Law School professor Jack Goldsmith LAW ’89, an internet law expert; Yale Law School professor Oona Hathaway LAW ’97, an expert in international law; and Brookings Institution Fellow and cybersecurity expert Susan Hennessey addressed about 45 students and community members.
At the first panel, legal experts discussed cybersecurity and espionage in the wake of the news this April that the Democratic National Committee had been hacked.
That panel was moderated by Scott Shapiro LAW ’90, a professor of law and philosophy at the Law School, who began by explaining the DNC hack, starting with the detection of suspicious activity on the committee’s servers in late April. CrowdStrike, the same cybersecurity company that worked on the Sony Pictures hack in 2014, identified two infiltrations — one by “Cozy Bear” and another by “Fancy Bear.” Each is believed to have connections to competing Russian intelligence agencies. After the hackers were discovered, they released stolen documents and emails from the DNC via WikiLeaks.
One focus of the panel was on the question of how the United States government should respond to cyberattacks on private American organizations, especially political ones.
“The United States is at its most vulnerable during our electoral period, a time in which there are fewer adults at home and because people are intensely focused on short-term political gains,” Hennessey said.
The panelists discussed how media coverage of the DNC leak suggested that it was an attempt to bolster Donald Trump’s presidential campaign. However, as Hennessey pointed out, the “Fancy Bear” infiltration began before Trump seemed likely to secure the Republican nomination. Another possible motivation of the hacks, according to Goldsmith, may have been U.S. sanctions against Russia. Or, he said, the hackers may never even have originally intended to release the documents and only decided to do so after being discovered.
Goldsmith seemed to downplay the severity of the attack, noting that only authentic documents were released, with no false propaganda slipped in among them. He added that espionage, including digital theft, and the publication of stolen information is common in the intelligence world, and that during the Cold War, the U.S. and the Soviet Union frequently intervened in elections across the world. The major difference today, he believes, is the unprecedented ease and scale of the digital operations attempting to influence elections.
“Influencing elections is nothing new,” he said.
Hennessey agreed that the DNC hack was not particularly novel, though she said the U.S.’s history of executing similar operations means the nation forgoes the right to be morally outraged, but not the responsibility to respond. She believes it is imperative for the U.S. to develop a new system of deterrence for lower-level cyber threats that can disincentivize hackers, without escalating cyberattacks. Currently, she stated, the U.S. faces a “paralysis of too many choices.”
Hathaway said that one major intent of the DNC hack was to undermine national trust in the election. Worries about the vulnerability of voting machines are largely unfounded, she said.
“Our terrible elections infrastructure might actually be in our favor; it’s very hard to hack the election given how old and decentralized these machines are,” she said.
Hathaway then dove into the technicalities of international law and other factors that make it difficult to identify the cyberattack as a violation of international law. She finished by listing the three most important actions for the U.S. to take: remedying private organizations’ lack of “cyber hygiene,” using domestic criminal-law statutes as a way of stating the illegality of cyberattacks, and imposing collective sanctions by the U.S. and other major actors against hackers’ countries.
After each panelist spoke and before opening the floor to questions, Shapiro asked the panelists how the federal government can show outrage over the attack while half the country — namely Republicans and Bernie Sanders supporters — was happy it happened. The panelists responded that such a reaction was not unexpected. Hathaway added that because the emails reveal crass and inappropriate behavior, the leak seems justified to some.
Yishai Schwartz LAW ’18 asked the panelists if there was any evidence that low-grade deterrents could be effective in stopping hackers. Hennessey replied that “the best example I can point to is my two-year-old,” and clarified that when dealing with persistent behavior, deterrents should strategically consume the money and resources of enemy hackers and thereby disincentivize attacks.
The “Hacking the Election” Conference was arranged in conjunction with the Yale Information Society Project and the Yale Law School Center for Global Legal Challenges.
Correction, Sept. 21: Due to an editing error, a previous version of this story contained unauthorized quotations. The News regrets the error.