Nearly a decade and a half ago, as our nation’s leaders pondered the possibility of war with Iraq, the US Intelligence Community published a set of judgments on whether Iraq was hiding WMD programs despite international prohibitions. The individual elements of the analytic case were each perfectly reasonable: that Iraq had produced and used chemical weapons in the past, that it had not been forthcoming with inspectors seeking to verify compliance with UN Resolutions, that President Saddam Hussein was a brutal and deceptive dictator with a history of hiding illicit weapons programs, and that several intelligence sources indicated that Iraq had ongoing programs. The conclusion that Iraq was “continuing and in some areas expanding its chemical, biological, nuclear and missile programs contrary to UN resolutions” was widely shared in both the US and Europe. But it proved incorrect. In retrospect, analysts should have been more circumspect about their judgments and more open to alternative explanations of the evidence.
Today we wrestle with another vexing and politically charged analytic problem: Did Russia interfere in the US presidential election to aid the candidacy of Donald Trump? On the surface, the case against Moscow is intuitively obvious. Information detrimental to Hillary Clinton was clearly stolen from Democratic National Committee and other sensitive computer servers and then leaked to the media. Forensic data traceable to Russia were found in the intrusions. The operations were consistent with cyber techniques that Russia has used repeatedly in the past against both the US and other countries, and Moscow had an undeniable preference for one candidate over the other in the election.
The conclusion that Russia hacked its way toward a Trump victory is no slam dunk, however, despite its plausibility. Although the Intelligence Community has not published its evidence or analysis regarding this case, the analytic lessons learned from post-mortem reviews of the Iraq WMD failure argue for approaching the matter with a great deal of caution. Applying these lessons to the case of the election intrusions – an analytic “pre-mortem,” so to speak – is one of the best means of ensuring that we do not fall into the same cognitive traps.
Lesson One: Explore Alternative Explanations. One of the most significant problems facing intelligence analysts is that nearly always, the information available to them is consistent with multiple explanations. In Iraq, the most famous example was a communications intercept cited by Secretary of State Colin Powell, which quoted Baghdad as telling officials at an Iraqi military base that was about to be visited by UN inspectors to “clean out all the areas, the scrap areas, the abandoned areas. Make sure there is nothing there.” The meaning seemed clear: remove WMD before inspectors arrive. But in fact, Baghdad merely wanted base officials to remove traces of old, destroyed material that might have been misleading to inspectors. The intercept was not as conclusive as Powell or others suggested. Although it was used to support the judgment that Iraq was hiding illicit WMD stockpiles, the intercept was equally consistent with the hypothesis that Iraq had destroyed the stockpiles but was ambivalent about revealing this fact to the world.
In the case of Russia today, it is possible that the Intelligence Community has classified information that shows directly and conclusively that the Russian government ordered the intrusions and deployed the stolen data with the specific intent of aiding Trump’s candidacy. Illustrative examples of such conclusive evidence might include an intercepted communication in which a Russian government official directed or approved the operations, or a pilfered Russian government policy paper of good provenance outlining their approach to influencing the US elections. But public comments from individuals briefed on the matter suggest that the available evidence is circumstantial rather than diagnostic. Such a situation demands examination of alternative explanations of the evidence surrounding alleged Russian election hacking.
Take, for example, the forensic data on the DNC intrusion. In the world of cyber operations, attribution – determining who is responsible for penetrating a computer network – is a particularly difficult problem. Intruders can mask their locations and identities behind proxy systems and “botnets,” computers belonging to others that the intruders have electronically hijacked for use in an operation, and the indicators that remain – the network infrastructure used, the malware and tooling, the hours of activity, language artifacts in files – are each individually forgeable and can only be weighed together. Cyber operations rarely feature the equivalent of fingerprints or DNA evidence. Given the technologies available to hackers, “false flag” operations – which make it appear that an intrusion originated in one country when in fact another is responsible – are fairly easy to pull off at the level of individual artifacts, and harder, though not impossible, across the whole set of indicators at once.
This argues for caution in assessing the evidence surrounding the DNC intrusions. According to analysis published by the cyber security firm CrowdStrike, hired by the DNC to investigate the breach of their servers, several clues point toward Russia’s responsibility: the tactics of the intruders closely resembled those typically used by two hacking groups thought to be Russian by numerous cyber experts; the activity by the intruders on the DNC network tended to take place during Moscow working hours; and some of the stolen documents released to the media contained signs that Russian speakers were involved.
While each of these facts indeed supports the judgment that the Russian government was behind the operations, each is also consistent with alternative explanations, including that it was a false flag effort or conducted by a private hacking group with the aim of selling the stolen information to the Russian government or others.
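To make concrete how little a working-hours indicator settles on its own, here is an added example (not from the original article and not CrowdStrike’s analysis) that takes a constructed list of intruder activity timestamps in UTC and scores every whole-hour UTC offset by how much of the activity falls inside a local working day. The timestamps, the 09:00–18:00 window and the 0.9 cut-off are assumptions for illustration, not DNC log data.

```python
"""Score candidate time zones by how well intruder activity fits a working day.

Added example: the event list below is constructed for illustration and is not
DNC log data; the 09:00-18:00 window and the 0.9 cut-off are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of intruder actions (e.g. commands seen by an endpoint
# agent), recorded in UTC as a defender's logs usually are.
SAMPLE_EVENTS_UTC = [
    "2016-04-18T07:14:22Z", "2016-04-18T08:02:10Z", "2016-04-18T10:45:31Z",
    "2016-04-18T13:20:05Z", "2016-04-19T07:51:40Z", "2016-04-19T09:33:12Z",
    "2016-04-19T11:07:58Z", "2016-04-19T12:48:03Z", "2016-04-20T08:25:44Z",
    "2016-04-20T10:10:19Z", "2016-04-20T11:59:27Z", "2016-04-20T13:41:36Z",
]

WORK_START, WORK_END = 9, 18   # assumed local office hours, [start, end)


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def working_hours_fit(events_utc, utc_offset_hours: int) -> float:
    """Fraction of events landing inside office hours at the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hours = [parse_utc(e).astimezone(tz).hour for e in events_utc]
    return sum(WORK_START <= h < WORK_END for h in hours) / len(hours)


def rank_offsets(events_utc, offsets=range(-12, 15)):
    """All whole-hour offsets, best fit first (ties keep ascending offset order)."""
    scored = [(off, working_hours_fit(events_utc, off)) for off in offsets]
    return sorted(scored, key=lambda pair: -pair[1])


def consistent_offsets(events_utc, threshold: float = 0.9):
    """Offsets the data cannot tell apart. More than one result means the
    working-hours clue supports several locations equally well."""
    return sorted(off for off, score in rank_offsets(events_utc) if score >= threshold)


if __name__ == "__main__":
    for off, score in rank_offsets(SAMPLE_EVENTS_UTC)[:5]:
        print(f"UTC{off:+d}: {score:.2f} of activity inside "
              f"{WORK_START:02d}-{WORK_END:02d} local")
    print("offsets the sample cannot distinguish:", consistent_offsets(SAMPLE_EVENTS_UTC))
```

On this sample UTC+3 is a perfect fit, but so are UTC+2 and UTC+4, and UTC+3 alone covers Minsk, Baghdad, Riyadh and Nairobi as well as Moscow; an operator who wants the clue to point somewhere in particular need only keep a schedule. Activity timing can narrow the field, but it cannot by itself single out a government.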
Lesson Two: Look for Disconfirming Information. The temptation to regard a piece of evidence as diagnostic when in fact it is consistent with multiple explanations is a type of “confirmation bias” – the tendency to see what we expect to see – to which all humans are prone. In the case of Iraq, this bias was evident in analysts’ gravitational attraction to reporting that aligned with their well-founded suspicions that Baghdad was hiding WMD stockpiles, and in their reluctance to give weight to reports that Iraq had destroyed them. This tendency was so strong that the WMD Commission report said analysts simply “disregarded evidence that did not support their hypotheses.”
One of the best ways that analysts can mitigate their susceptibility to confirmation bias is actively to seek information that is inconsistent with their leading hypotheses. In the case of the DNC intrusions, press reporting suggests that cyber investigators have two interrelated “what” and “why” hypotheses: that the Russian government directed or approved the hacks, and that it purposively used the stolen data to bolster the candidacy of Trump. Is there information available that is inconsistent with these hypotheses?
The public record indicates that there is. According to CrowdStrike’s report, the two hacking groups that penetrated the DNC (which it dubbed “Fancy Bear” and “Cozy Bear”) have engaged in “extensive targeting of defense ministries and other military victims … that closely mirrors the strategic interests of the Russian government.” In other words, the DNC hackers probably worked for the Russian government because they have a track record of technically sophisticated operations against targets relevant to the Russian state.
But have they also targeted organizations that would seemingly be irrelevant to – or even inconsistent with – Russian national interests? Yes. The CrowdStrike report is mum on this matter, but other cyber investigators point out that both Fancy Bear and Cozy Bear have engaged in a wide variety of targeting that includes web service providers and finance companies. Such operations are explainable – they could for example reflect efforts to gather information that could be useful in separate attempts to penetrate national security targets – but they could also be a sign that the DNC hackers are a diverse group of cyber entrepreneurs who may or may not have Russian government connections and who generate their own target lists independent of outside direction. The targeting history of the purported DNC hackers does not by itself disprove Russian government involvement, but it raises questions about how confident we can be of that involvement.
The CrowdStrike report includes a second red flag: the DNC was breached at least twice, first in the summer of 2015, and then again in March 2016. Each intrusion was conducted by a separate hacking group, and each stole many of the same documents. CrowdStrike acknowledges that this is unusual; the more often an organization is targeted, the more likely the intrusion will be detected and blocked. Failure to coordinate what information was taken suggests a lack of central direction. But CrowdStrike explains this anomaly as the product of inter-service rivalry between Russia’s military intelligence directorate (the GRU) and its civilian intelligence agency (the FSB), each of which presumably wanted in on the DNC action. This explanation is not implausible – Russia is at least as prone to bureaucratic squabbles as any other government – but the implication that the Russian leadership would compromise operational security in the interest of managing lower-level infighting calls for alternative explanations. Might the impetus for the hacks have come independently from the hackers themselves rather than the Kremlin? Or might Moscow have wanted the intrusions detected, perhaps to send a signal to Washington that it was retaliating for perceived US interference in Russian elections?
The timing of the intrusions is also out of step with the hypothesis on motivation. Trump did not declare his candidacy until June 2015. Few observers took him seriously until well into 2016, and nearly every poll and forecasting model gave him little chance to win as late as the eve of the election. To suggest that the Russian government launched the DNC intrusions with the specific intent to support Trump is to accord the Russians a political prescience that no one in the United States shared. Indeed, Russian press reporting suggests that Trump’s victory took the Russian leadership by surprise. At a minimum, the timing suggests that the intruders did not start out with the intent to support Trump, even if they ultimately pursued that objective.
Finally, the intrusions include a degree of sloppiness that is uncharacteristic of Russian cyber operations. For years, cyber experts have regarded the Chinese as brash and careless in their hacks, typically leaving behind so many forensic clues that they appeared indifferent to the likelihood that investigators might piece them together. Russian operations have been far stealthier. According to published reports, investigators did not detect Russia’s famous Moonlight Maze intrusion for two years after the initial breach in 1996, and it took nearly a year after detection to trace it to Russia.
By contrast, the batch of DNC emails released to the media included one document whose metadata showed it had been modified under Cyrillic language settings by a user named Feliks Edmundovich – an apparent reference to Feliks Edmundovich Dzerzhinskiy, the founding father of the Soviet intelligence service. Why would Moscow, known for its razor-sharp tradecraft, leave such seemingly incriminating clues behind? Investigators have attributed the uncharacteristic operational sloppiness to a newfound Russian brazenness. But it might equally suggest that the intrusion was a false flag operation or that Moscow was sending a message that it could interfere in US politics as easily as the US could in Russia’s, perhaps with the intent of negotiating an informal code of conduct with Washington.
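The “Feliks Edmundovich” clue lives in document metadata, and such fields record the environment of whoever last saved the file, not who stole it. The following added example (not part of the original article and not CrowdStrike’s or any investigator’s tooling) builds a minimal Word package with constructed metadata, reads out the fields an investigator would look at, and then rewrites them, which is all a false-flag operator would have to do. The package layout follows the standard OOXML parts; the names, languages and body text are assumptions.

```python
"""Read and rewrite the authorship indicators in a .docx package (added example).

The package built here is a constructed minimal OOXML document; the names,
languages and body text are assumptions for illustration.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
for _prefix, _uri in NS.items():        # keep the standard prefixes when re-serialising
    ET.register_namespace(_prefix, _uri)

QUOTE = {'"': "&quot;"}                  # extra escaping for attribute values
W_VAL = f"{{{NS['w']}}}val"

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '<Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
    "</Types>"
)


def build_docx(creator: str, last_modified_by: str, lang: str, text: str) -> bytes:
    """Assemble the smallest package carrying creator, last-editor and run-language metadata."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f"<dc:creator>{escape(creator)}</dc:creator>"
        f"<cp:lastModifiedBy>{escape(last_modified_by)}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{NS["w"]}"><w:body><w:p><w:r>'
        f'<w:rPr><w:lang w:val="{escape(lang, QUOTE)}"/></w:rPr>'
        f"<w:t>{escape(text)}</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def extract_indicators(docx_bytes: bytes) -> dict:
    """Pull out what an investigator reads: creator, last editor, run languages, body text."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        doc = ET.fromstring(z.read("word/document.xml"))
    return {
        "creator": core.findtext("dc:creator", default="", namespaces=NS),
        "last_modified_by": core.findtext("cp:lastModifiedBy", default="", namespaces=NS),
        "languages": sorted({el.get(W_VAL, "") for el in doc.iterfind(".//w:lang", NS)}),
        "text": "".join(t.text or "" for t in doc.iterfind(".//w:t", NS)),
    }


def restamp(docx_bytes: bytes, last_modified_by: str, lang: str) -> bytes:
    """Rewrite the last-editor name and every run language; the body is left untouched.

    Re-saving the file on a machine with a chosen user name and locale does the
    same thing automatically. Nothing in the package proves who really did it.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                el = root.find("cp:lastModifiedBy", NS)
                if el is None:
                    el = ET.SubElement(root, f"{{{NS['cp']}}}lastModifiedBy")
                el.text = last_modified_by
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            elif item.filename == "word/document.xml":
                root = ET.fromstring(data)
                for el in root.iterfind(".//w:lang", NS):
                    el.set(W_VAL, lang)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_docx("campaign staffer", "campaign staffer", "en-US", "draft opposition memo")
    forged = restamp(original, "Feliks Edmundovich", "ru-RU")
    print("as stolen  :", extract_indicators(original))
    print("as released:", extract_indicators(forged))
```

The body text and the original creator survive the rewrite; only the last-editor and language fields change, and those are exactly the fields the published clue rests on. A practitioner treats them as evidence of how the file was last handled, not of who ordered the operation.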
Lesson Three: Take a Walk in the Other Guy’s Shoes. One of the reasons that analysts misunderstood Iraq’s behavior in obscuring its destruction of WMD stockpiles was their difficulty seeing the situation through the eyes of the Iraqi leader. To US observers, it was obvious that our threats to attack Iraq were real, and that the only way Saddam Hussein could avoid war was to provide full transparency for UN inspections. Failure to do so could only be regarded as a sign that Iraq was cheating on its WMD obligations.
But from Saddam’s vantage point, there were two even more immediate threats looming: Iran, with whom he had fought a bloody eight-year war in which Iraq had barely avoided defeat, largely due to its use of chemical weapons; and his own elites, whose temptations to unseat him were tempered by Saddam’s reputation for ruthlessness at home and his fierce defiance of enemies abroad. Revealing to Iran and to domestic rivals that he had caved in to pressure to destroy Iraq’s WMD might put Saddam in a precarious situation. Under the circumstances, a policy of equivocation – trying to provide the US with enough WMD inspection compliance to stave off an attack, while leaving enough uncertainty to keep Iran and would-be successors at bay – made sense. The challenge for analysts was to step outside their familiar cultural perspectives and see things from an Iraqi vantage point.
Applying this lesson to the current situation, analysts must envision how the circumstances of the DNC operations might look to key Russian players, assuming Russians were indeed responsible. Would low-level Russian cyber operators have targeted the DNC without specific Kremlin authorization? To answer this question in the absence of direct evidence, one must necessarily engage in some informed speculation. But it is not hard to imagine that Russia’s intelligence services have standing lists of subjects that are priorities for collection: the plans and intentions of various governments, the technical specifications of foreign military systems, the political successions in key countries, and so on. They might be given fairly wide latitude to collect information relevant to these topics, and rewards would flow to those who gather particularly valuable data. It is not improbable that the DNC intrusions had such mundane bureaucratic origins.
But how would things look after the cyber intrusions had uncovered a treasure trove of information about the Clinton campaign? Surely the Russian leadership would recognize that deploying that data publicly would cross a dangerous line separating common espionage from active and illegitimate interference in electoral politics? Here, it is important to consider the possibility that Putin and other Russian leaders believe the US has itself habitually crossed that line, both in Russian elections and in numerous neighboring states. The Russians have repeatedly complained about such activities, at both the presidential and working levels. The publication in 2014 of a telephone conversation between US Assistant Secretary of State Victoria Nuland and US Ambassador to Ukraine Geoffrey Pyatt in which they revealed deep US involvement in Ukrainian politics – a leak that almost certainly came from Russia – could be read as a sign that Moscow was frustrated that its repeated diplomatic protests had failed to quell what it regarded as illegitimate US practices. The temptation to give the US a dose of its own medicine might have been great under such circumstances, even though few Russians believed Trump had any real chance of victory, and might have been rationalized as a way to press Washington to reconsider its involvement in the domestic affairs of Russia and its neighbors.
Lesson Four: High Stakes Require Great Caution. Attempting to understand – not justify – the perspectives of the Russians is particularly important in light of press reports that the US is considering possible retaliatory steps against Moscow. Just as the flawed National Intelligence Estimate on Iraq WMD figured prominently in the arguments for going to war, analytic judgments about Russia’s involvement and intent in the election intrusions are likely to be important variables in future US policy decisions about dealing with Russia.
As Robert Jervis points out in his classic work, Perception and Misperception in International Politics, differing perceptions of an adversary’s intentions are often at the heart of policy disputes. Some adversaries fall into the category of “vulgar-minded bullies,” the case his “deterrence model” is built to handle. In these cases, the “submission to an outrage only encourages the commission of another one and a greater one.” Their aggression must be resisted, often by force, or they will grow more aggressive. Nazi Germany is the textbook example.
Other states fit what he terms the “spiral model.” Their apparent aggression is motivated by fear and insecurity rather than ambition and aggrandizement. Deterrence and coercion, so appropriate when dealing with bullying states, become counter-productive in spiral model situations, because they exacerbate the insecurities at the root of the adversary’s aggression and trigger a dangerous escalatory spiral of hostility.
So in the case of Russia’s role in the US elections, are we dealing with a deterrence model or a spiral model? The answer is not immediately obvious. Yet answering this question correctly has important implications for the policies we adopt toward Moscow.
The stakes are high. The intrusions highlight the importance of addressing broader questions of how we protect the integrity of our political system and deal with other cyber actors who might have an interest in intrusions. Retaliation could preclude working with Moscow against ISIL and other terrorist groups, encourage further cooperation between Russia and China against US interests, and even escalate into kinetic warfare. Failure to draw a tough enough line, on the other hand, might invite even more damaging Russian interference in US affairs. Crafting an effective policy depends to a great degree on a rigorous and objective analytic approach to understanding exactly what occurred and why.
George Beebe is the President of BehaviorMatrix LLC, a text analytics company. He formerly served as chief of Russia analysis at the CIA, and as special advisor to Vice President Cheney on Russia and the Former Soviet Union.
Image: Vladimir Putin at his April 2016 “Direct Line” appearance. Kremlin.ru
National Intelligence Estimate, “Iraq’s Continuing Programs for Weapons of Mass Destruction,” October 2002, http://nsaarchive.gwu.edu/NSAEBB/NSAEBB129/nie.pdf
“US Secretary of State Colin Powell’s Speech to the United Nations Security Council,” The Guardian, 5 February 2003, https://www.theguardian.com/world/2003/feb/05/iraq.usa
Mark Mazzetti and Eric Lichtblau, “C.I.A. Judgment on Russia Built on Swell of Evidence,” The New York Times, 11 December 2016, http://www.nytimes.com/2016/12/11/us/politics/cia-judgment-intelligence-russia-hacking-evidence.html
“Advance Questions for Lieutenant General Keith Alexander, USA, Nominee for Commander, United States Cyber Command,” Senate Armed Services Committee, http://armed-services.senate.gov/statemnt/2010/04%20April/Alexander%2004-15-10.pdf
Shaun Waterman, “Chinese Cyberspy Network Pervasive,” The Washington Times, 30 March 2009.
“Bears in the Midst: Intrusion into the Democratic National Committee,” CrowdStrike, 15 June 2016, https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
Lauren Carroll, “What we know about Russia’s role in the DNC email leak,” PolitiFact, 31 July 2016, http://www.politifact.com/truth-o-meter/article/2016/jul/31/what-we-know-about-russias-role-dnc-email-leak/
The Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction, “Report to the President of the United States,” 31 March 2005, p. 175.
“The Perfect Weapon: How Russian Cyberpower Invaded the U.S.,” The New York Times, 13 December 2016, http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html
“Bears in the Midst: Intrusion into the Democratic National Committee,” CrowdStrike, 15 June 2016, https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
“Sofacy Phishing,” PwC Cyber Threat Operations, Tactical Intelligence Bulletin, 22 October 2014, http://pwc.blogs.com/tactical-intelligence-bulletin---sofacy-phishing.pdf
“The Paradox of Russia’s Support for Trump,” Wilson Center, 10 November 2016, https://www.wilsoncenter.org/article/the-paradox-russias-support-for-trump
James C. Mulvenon, “Chinese Cyber Espionage,” written testimony before the Congressional-Executive Commission on China, hearing “Chinese Hacking: Impact on Human Rights and Commercial Rule of Law,” 25 June 2013, https://www.cecc.gov/sites/chinacommission.house.gov/files/CECC%20Hearing%20-%20Chinese%20Hacking%20-%20James%20Mulvenon%20Written%20Statement.pdf
“The First Cyber Espionage Attacks: How Operation Moonlight Maze made history,” 7 July 2016, https://medium.com/@chris_doman/the-first-sophistiated-cyber-attacks-how-operation-moonlight-maze-made-history-2adb12cc43f7#.h6bot1rzo
James Bamford, “Don’t be so sure Russia hacked the Clinton emails,” Reuters, 2 November 2016, www.reuters.com/article/us-russia-cyberwar-commentary-idUSKBN12X075
The Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction, “Report to the President of the United States,” 31 March 2005, p. 180.
Miriam Elder, “Vladimir Putin accuses Hillary Clinton of encouraging Russian protests,” The Guardian, 8 December 2011, https://www.theguardian.com/world/2011/dec/08/vladimir-putin-hillary-clinton-russia
“Ukraine Crisis: Transcript of leaked Nuland-Pyatt Call,” BBC News, 7 February 2014, http://www.bbc.com/news/world-europe-26079957
Louis Nelson, “White House says U.S. will retaliate against Russia for hacking,” Politico, 11 October 2016, http://www.politico.com/story/2016/10/white-house-russia-hacking-retaliate-229622
Robert Jervis, Perception and Misperception in International Politics, Princeton University Press, 1976, p. 65.
Jervis, p. 62.