On June 13, 2017, Attorney General Jeff Sessions testified to the Senate Intelligence committee about Russian interference in the 2016 presidential election. After fielding hours of questions about his knowledge of the plot, Sessions was greeted by an abrupt change in topic from Senator John McCain. “Quietly, the Kremlin has been trying to map the United States telecommunications infrastructure,” McCain announced, and described a series of alarming moves, including Russian spies monitoring the fiber optic network in Kansas and Russia’s creation of “a cyber weapon that can disrupt the United States power grids and telecommunications infrastructure.”
When McCain asked if Sessions had a strategy to counter Russia’s attacks, Sessions admitted they did not.
In a normal year, McCain’s inquiries about documented, dangerous threats to U.S. infrastructure would have dominated the news. His concerns are well founded: in recent years, Ukraine’s power grid has been repeatedly hacked in what cybersecurity experts believe was part of a test run for the United States. Russian hackers have also hacked many centers of U.S. power, including the State Department, the White House, and everyone with a Yahoo email address in 2014, the Department of Defense in 2015, and, of course, the Democratic National Committee, Republican National Committee, state and local voter databases, and personal email accounts of various U.S. officials in 2016.
But while the role of hacks in the election is the subject of several ongoing probes, the hacks of other U.S. institutions and infrastructures have been largely ignored by the Trump administration, even as the hacking became more aggressive throughout 2017. In June, shortly after McCain’s testimony, the Department of Homeland Security and the FBI released an urgent joint report stating that U.S. nuclear power stations and other energy facilities had been hacked. In July, Bloomberg and the Washington Post confirmed that the hackers worked for the Russian government.
While U.S. government officials stressed that the public was not yet at serious risk, claiming the hackers had not yet gained the ability to control the grid, intelligence officers warned that infrastructure attacks by a hostile state can also operate as a form of political leverage. Most analyses of the 2016 election hacks have framed leverage in personal terms: kompromat stolen from hacked emails used to blackmail individuals into submission or to humiliate officials as part of a propaganda campaign. Less examined is the form of leverage McCain raised at the Sessions hearing: the possibility of vital infrastructure, like the power grid, being crippled, potentially causing massive financial and humanitarian consequences. In this formulation, an entire government could ostensibly be held hostage to another government’s whim out of fear of triggering a cataclysmic attack.
As 2017 wore on, Russia continued to hack infrastructure around the world, again crippling government and corporate offices across Ukraine, along with energy sectors in the United Kingdom and government officials in France, and ending the year targeting NATO countries through unprecedented focus on underwater North Atlantic cables that provide internet service to the U.S. and Europe. Disrupting these cables, one British naval official said, would “immediately and potentially catastrophically affect both our economy and other ways of living.”
In September, security firm Symantec said it had notified more than 100 energy companies in the U.S., Turkey, Switzerland, Afghanistan, and elsewhere about Dragonfly 2.0—a set of intrusions into industrial and energy-related companies suspected to originate in Russia. Using targeted phishing emails and compromised websites designed to capture users’ credentials, the hackers gained access in some cases not just to front-office networks but to “operational machines.” As a Symantec security analyst told Fast Company, “We’re talking about machines that are controlling elements that are plugged into the power grid.” A month later, the Dept. of Homeland Security and FBI warned critical infrastructure providers in nuclear, energy, and other key sectors about the ongoing attacks, noting that “threat actors are actively pursuing their ultimate objectives over a long-term campaign.”
Despite the increasing clarity and severity of Russia’s intentions, Trump said in July after a meeting at the G20 that he believes Vladimir Putin “that when he tells me [Russia didn’t carry out cyberattacks ahead of the U.S. election], he means it.” (He later stated “I am with our [intelligence] agencies, especially as currently constituted with the leadership.”) And while his administration has done little in response, he did offer to partner with our attackers. After the G20, Trump tweeted: “Putin & I discussed forming an impenetrable Cyber Security unit so that election hacking, & many other negative things, will be guarded.” Kremlin officials later verified that, yes, this actually happened.
While this plan has thankfully not come to fruition (that we know of), the fact that it was even floated showcases the fundamental obstacle in keeping U.S. infrastructure protected from foreign threats. Trump’s deference to the Kremlin–one of his few unwavering stances over the decades–remains even after years of Russian hacks, likely in part because Russian hacks helped put him into office.
As a result, Americans remain unprotected, and the true extent of Kremlin leverage over the U.S. government remains unknown. In August, a quarter of the president’s National Infrastructure Advisory Council quit their posts, saying that the president had devoted “insufficient attention” to cybersecurity threats to critical infrastructure. A report on Russian interference released this week by Senate Democrats highlighted “President Trump’s refusal to publicly acknowledge the threat posed by the Russian government,” and offered over 30 recommendations to protect the country’s elections and infrastructure, including new sanctions to punish states that initiate cyberattacks and an international summit meeting focused on such threats.
Though Trump signed an executive order vowing stronger cybersecurity in May, the administration did nothing substantial until December, when it released a document noting the threats to infrastructure and vaguely vowing that hackers from a number of countries–including China, North Korea, Iran, and Russia–will be defeated. Notably, in the document, elections were no longer counted as part of “critical infrastructure,” despite President Obama designating them as such shortly before he left office–another indicator that the Trump administration’s unwillingness to take on Russian hacks is marred by self-protection and partisanship.
While the Trump administration stalls, America’s power grid remains vulnerable. In the last month alone, there have been several dramatic mass outages, including a blackout at the Atlanta airport due to a fire that crippled both the main system and the backup, and a blackout at Disneyland, due to a problem with a transformer, that left people trapped on rides. That these outages were a result of flawed infrastructure and not purposeful hacks should not reassure anyone, as they showcase weaknesses and highlight how easy it would be for a hostile state actor to cause chaos and panic without ever crossing the border.
As a candidate, Trump spoke frequently of his desire to repair U.S. infrastructure, a plan which would have provided jobs while strengthening national security. Like most of his campaign promises, this one was broken, but it is essential that both decaying infrastructure and hackers who seek to exploit it be seriously addressed. It is also critical that elections be again counted as critical infrastructure so that attempted Russian hacks of voter databases and institutions in the 2018 midterms are thwarted. And if the Trump administration makes no move to remedy these obvious threats to American democracy and public safety, Americans should consider what kind of leverage the Kremlin may already have.