Nearly a decade and a half ago, as our nation’s leaders pondered the possibility of war with Iraq, the US Intelligence Community published a set of judgments on whether Iraq was hiding WMD programs despite international prohibitions. The individual elements of the analytic case were each perfectly reasonable: that Iraq had produced and used chemical weapons in the past, that it had not been forthcoming with inspectors seeking to verify compliance with UN Resolutions, that President Saddam Hussein was a brutal and deceptive dictator with a history of hiding illicit weapons programs, and that several intelligence sources indicated that Iraq had ongoing programs. The conclusion that Iraq was “continuing and in some areas expanding its chemical, biological, nuclear and missile programs contrary to UN resolutions” was widely shared in both the US and Europe. But it proved incorrect. In retrospect, analysts should have been more circumspect about their judgments and more open to alternative explanations of the evidence.
Today we wrestle with another vexing and politically charged analytic problem: Did Russia interfere in the US presidential election to aid the candidacy of Donald Trump? On the surface, the case against Moscow is intuitively obvious. Information detrimental to Hillary Clinton was clearly stolen from the Democratic National Committee's servers and other sensitive systems and then leaked to the media. Forensic data traceable to Russia were found in the intrusions. The operations were consistent with cyber techniques that Russia has used repeatedly in the past against both the US and other countries, and Moscow had an undeniable preference for one candidate over the other in the election.
The conclusion that Russia hacked its way toward a Trump victory is no slam dunk, however, despite its plausibility. Although the Intelligence Community has not published its evidence or analysis regarding this case, the analytic lessons learned from post-mortem reviews of the Iraq WMD failure argue for approaching the matter with a great deal of caution. Applying these lessons to the case of the election intrusions – an analytic “pre-mortem,” so to speak – is one of the best means of ensuring that we do not fall into the same cognitive traps.
Lesson One: Explore Alternative Explanations. One of the most significant problems facing intelligence analysts is that nearly always, the information available to them is consistent with multiple explanations. In Iraq, the most famous example was a communications intercept cited by Secretary of State Colin Powell, which quoted Baghdad as telling officials at an Iraqi military base that was about to be visited by UN inspectors to “clean out all the areas, the scrap areas, the abandoned areas. Make sure there is nothing there.” The meaning seemed clear: remove WMD before inspectors arrive. But in fact, Baghdad merely wanted base officials to remove traces of old, destroyed material that might have been misleading to inspectors. The intercept was not as conclusive as Powell or others suggested. Although it was used to support the judgment that Iraq was hiding illicit WMD stockpiles, the intercept was equally consistent with the hypothesis that Iraq had destroyed the stockpiles but was ambivalent about revealing this fact to the world.
In the case of Russia today, it is possible that the Intelligence Community has classified information that shows directly and conclusively that the Russian government ordered the intrusions and deployed the stolen data with the specific intent of aiding Trump’s candidacy. Illustrative examples of such conclusive evidence might include an intercepted communication in which a Russian government official directed or approved the operations, or a pilfered Russian government policy paper of good provenance outlining their approach to influencing the US elections. But public comments from individuals briefed on the matter suggest that the available evidence is circumstantial rather than diagnostic. Such a situation demands examination of alternative explanations of the evidence surrounding alleged Russian election hacking.
Take, for example, the forensic data on the DNC intrusion. In the world of cyber operations, attribution – determining who is responsible for penetration of a computer network – is a particularly difficult problem, because hackers can easily mask their locations and identities through the use of proxy systems and “botnets,” computers belonging to others that the hackers have electronically hijacked for the purpose of using them in an intrusion. Cyber operations rarely feature the equivalent of fingerprints or DNA evidence. Many of the indicators analysts rely on – source addresses, the language settings of the systems that produced a document, the hours at which activity occurs – are under the intruder's control and can be chosen to point elsewhere; consistency with a known group's tooling and infrastructure is harder to fake, but not impossible. Given the technologies that are available to hackers, “false flag” operations – which make it appear that an intrusion has originated in one country when in fact another is responsible – are fairly easy to pull off.
This argues for caution in assessing the evidence surrounding the DNC intrusions. According to analysis published by the cyber security firm CrowdStrike, hired by the DNC to investigate the breach of their servers, several clues point toward Russia’s responsibility: the tactics of the intruders closely resembled those typically used by two hacking groups thought to be Russian by numerous cyber experts; the activity by the intruders on the DNC network tended to take place during Moscow working hours; and some of the stolen documents released to the media contained signs that Russian speakers were involved.
While each of these facts indeed supports the judgment that the Russian government was behind the operations, each is also consistent with alternative explanations, including that it was a false flag effort or conducted by a private hacking group with the aim of selling the stolen information to the Russian government or others.
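The working-hours clue deserves a concrete look, because it is the kind of indicator that sounds diagnostic and is not. The Python below is an added illustration, not part of the original article or of CrowdStrike's published analysis. It scores a set of activity timestamps against every whole-hour UTC offset by asking what fraction of the activity falls within a 09:00–18:00 weekday workday in that zone. The timestamps are constructed for the example (they are not DNC data) and were deliberately generated to fall within Moscow business hours, so the code shows both what a Moscow-hours pattern looks like and how many other zones the same data fit almost as well.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (not real intrusion data): UTC timestamps of intruder
# activity on five consecutive weekdays, generated so that every event falls
# between 09:00 and 18:00 Moscow time (UTC+3).
SAMPLE_ACTIVITY_UTC = [
    datetime(2016, 5, day, hour, minute, tzinfo=timezone.utc)
    for day in range(2, 7)  # 2–6 May 2016 are Monday to Friday
    for hour, minute in ((6, 15), (7, 40), (9, 5), (11, 30), (13, 20), (14, 50))
]

# Assumed local business day: 09:00 inclusive to 18:00 exclusive, Mon–Fri.
WORK_START, WORK_END = 9, 18


def working_hours_fraction(events_utc, offset_hours):
    """Fraction of events that land inside business hours at UTC+offset_hours."""
    if not events_utc:
        return 0.0
    hits = 0
    for event in events_utc:
        local = event + timedelta(hours=offset_hours)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(events_utc)


def rank_offsets(events_utc, offsets=range(-12, 15)):
    """All candidate offsets, best-fitting first, as (score, offset) pairs."""
    return sorted(
        ((working_hours_fraction(events_utc, offset), offset) for offset in offsets),
        reverse=True,
    )


def consistent_offsets(events_utc, tolerance=0.0, offsets=range(-12, 15)):
    """Offsets whose score is within `tolerance` of the best score.

    This is the set of time zones the timing data cannot tell apart; a
    tolerance of 0 returns only the exact best fit(s).
    """
    ranked = rank_offsets(events_utc, offsets)
    best_score = ranked[0][0]
    return [offset for score, offset in ranked if best_score - score <= tolerance]


if __name__ == "__main__":
    for score, offset in rank_offsets(SAMPLE_ACTIVITY_UTC)[:5]:
        print(f"UTC{offset:+d}: {score:.2f} of activity in business hours")
    print("indistinguishable within 0.2:", consistent_offsets(SAMPLE_ACTIVITY_UTC, 0.2))
```

Run against the constructed sample, UTC+3 is the only zone that captures all of the activity, but UTC+2 and UTC+4 each capture five of every six events, so a modest tolerance leaves three zones in play. UTC+3 itself is not uniquely Russian: in May 2016 it was also the local time in Minsk, Kyiv, Istanbul, Riyadh, Baghdad and Nairobi, among others. And the pattern is trivially manufactured, since an operator anywhere who wants to look Moscow-based need only schedule sessions eight or nine hours off their own clock. Timing narrows the field; it does not identify an actor.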