Thomas Rid - Active Measures

In March 2017, the U.S. Senate Select Committee on Intelligence invited me to testify in the first open expert hearing on Russian interference in the 2016 presidential election. Committee staffers from both parties wanted me to help present to the American public the available forensic evidence that implicated Russia, evidence that at the time was still hotly contested among the wider public, and that, of course, the Russian government deniedas did the president of the United States. The situation was unprecedented.

The other two witnesses were Keith Alexander, former head of the National Security Agency, and Kevin Mandia, CEO of FireEye, a leading information security firm. Just before the hearing began, a staffer brought us from the greenroom to the witness table. Everybody else was seated already. As we walked in, I looked at the row of senators in front of us. Most of the committee members were present. Their faces looked familiar. The room was crowded; press photographers, lying on the floor with cameras slung around their necks, were soon ushered out. I envied them for a moment.

The senators sat behind a giant semicircular, heavy wooden table that seemed to encroach on the witnesses. Early on in the hearing, soon after our opening statements, Senator Mark Warner, D-VA, asked if we had any doubt that Russian agents had perpetrated the hack of the Democratic National Committee and the disinformation operation that took place during the campaign. He wanted a short answer. I considered my response as Mandia and Alexander spoke. The digital forensic evidence that I had seen was strong: a range of artifactsnot unlike fingerprints, bullet casings, and license plates of getaway cars at a crime sceneclearly pointed to Russian military intelligence. But despite the evidence, the offense seemed abstract, hypothetical, unreal. Then I thought of a conversation Id had just two days earlier with an old Soviet bloc intelligence officer and disinformation engineer.

On the way to the Senate hearing in Washington, I had stopped in Boston. It was biting cold. I drove out to Rockport, a small town at the tip of Cape Ann, surrounded on three sides by the Atlantic Ocean. Ladislav Bittman had agreed to meet me at his studio there. Bittman, who died a year and a half later, was perhaps the single most important Soviet bloc defector to ever testify and write about the intelligence discipline of disinformation. A former head of the KGBs mighty disinformation unit once praised Bittmans 1972 book, The Deception Game, as one of the two best books on the subject. Bittman had defected in 1968, before an experimental prototype of the internet was even invented, and seven years before I was born.

We spoke the entire afternoon in a calm, wood-paneled room. Bittman was bald, his face wizened, with youthful eyes. He listened carefully, paused to think, and spoke with deliberation. Indeed, Bittmans memory and his attention to detail were intimidating, and he would not answer my questions if he didnt know how. I was impressed. Bittman explained how entire bureaucracies were created in the Eastern bloc in the 1960s for the purpose of bending the facts, and how these projects were proposed, authorized, and evaluated. He outlined how he learned to mix accurate details with forged ones; that for disinformation to be successful, it must at least partially respond to reality, or at least accepted views. He explained how leaking stolen documents had been a standard procedure in disinformation activities for more than half a century. He estimated that individual disinformation operations during the Cold War numbered more than ten thousand. And he brought the examples to life with stories: of a make-believe German neo-Fascist group with an oak-leaf logo, of forged Nazi documents hidden in a forest lake in Bohemia, of U.S. nuclear war plans leaked again and again all over Europe, of a Soviet master-forger flustered in a strip club in Prague. This careful and thoughtful old man taught me more about the subject of my forthcoming testimony than any technical intelligence report I had read or any digital forensic connections I could make. He made it real.

In early 2016, I was in the middle of an extensive two-year technical investigation into MOONLIGHT MAZE, the first known state-on-state digital espionage campaign in history, a prolific, high-end Russian spying spree that began in the mid-1990s and never stopped. With luck and persistence, I was able to track down one of the actual servers used by Russian operators in 1998 to engineer a sprawling breach of hundreds of U.S. military and government networks. A retired systems administrator had kept the server, an old, clunky machine, under his desk at his home outside London, complete with original log files and Russian hacking tools. It was like finding a time machine. The digital artifacts from London told the story of a vast hacking campaign that could even be forensically linked to recent espionage activity. Our investigation showed the persistence and skill that large spy agencies bring to the table when they hack computer networks. Those big spy agencies that had invested in expensive technical signals intelligence collection during the Cold War seemed to be especially good at hackingand good at watching others hack.

Then, on June 14, news of the Democratic National Committee computer network break-in hit. Among the small community of people who research high-end computer network breaches, there was little doubt, from that day forward, that we were looking at another Russian intelligence operation. The digital artifacts supported no other conclusion.

The following day, the leaking started, and the lying. A hastily created online account suddenly popped up, claiming that a lone hacker had stolen files from Democrats in Washington. The account published a few pilfered files as proofindeed offering evidence that the leak was real, but not that the leaker was who they claimed. It was clear then, on June 16, that some of the worlds most experienced and aggressive intelligence operators were escalating a covert attack on the United States.

Over the next days and weeks, I watched the election interference as it unfolded, carefully collecting some of the digital breadcrumbs that Russian operators were leaving behind. In early July, I decided to write up a first draft of this remarkable story. I published two investigative pieces on the ongoing disinformation campaign, the first in late July 2016, on the day of the Democratic Convention, and the second three weeks before the general election. But I noticed that I was not adequately prepared for the task. I had a good grasp of digital espionage and its history, but not of disinformationwhat intelligence professionals used to call active measures.

We live in an age of disinformation. Private correspondence gets stolen and leaked to the press for malicious effect; political passions are inflamed online in order to drive wedges into existing cracks in liberal democracies; perpetrators sow doubt and deny malicious activity in public, while covertly ramping it up behind the scenes.

This modern era of disinformation began in the early 1920s, and the art and science of what the CIA once called political warfare grew and changed in four big waves, each a generation apart. As the theory and practice of disinformation evolved, so did the terms that described what was going on. The first wave of disinformation started forming in the interwar years, during the Great Depression, in an era of journalism transformed by the radio, newly cutthroat and fast-paced. Influence operations in the 1920s and early 1930s were innovative, conspiratorial, twistedand nameless for now. The forgeries of this period were often a weapon of the weak, and some targeted both the Soviet Union and the United States at the same time.