Hack-and-Leak Operations and U.S. Cyber Policy
On Nov. 27, 2019, Jeremy Corbyn, then-leader of the U.K. Labour Party, held up some official-looking papers, heavily redacted with thick black lines, at a campaign press conference in the run-up to a crucial second election in three years after the United Kingdom’s vote to leave the European Union in June 2016. These documents purported to show the details of discussions between the U.K. and U.S. governments on a post-Brexit trade deal, including demands by U.S. representatives to open access to the United Kingdom’s National Health Service for American companies — an inflammatory issue for many voters.
Corbyn’s opponent, Conservative Prime Minister Boris Johnson, went on to win the election by a landslide, and Corbyn resigned shortly afterwards. But discussion of the documents and their provenances has outlasted Corbyn’s leadership. Shortly after Corbyn’s attempted exposé, cyber security company Graphika argued that the same documents had originally been posted on Reddit in a manner remarkably like a suspected Russian disinformation operation identified by the Atlantic Council’s Digital Forensics Research Lab earlier in 2019. In August 2020, Reuters reported that “suspected Russian hackers” had obtained the documents from the compromised email account of former U.K. Secretary for Trade and Defence Liam Fox.
This is one example of a hack-and-leak operation where malicious actors use cyber tools to gain access to sensitive or secret material and then release it in the public domain. Hack-and-leak operations pose difficult questions for scholars and policymakers on how best to conceptualize and respond to this new frontier in digital foreign interference. Scholars need to take hack-and-leak operations seriously as a challenge to theoretical understandings of the boundary between legitimate and impermissible political practice. But hack-and-leak operations are also an urgent policy challenge for both offensive and defensive cyber security policies as U.S. government agencies receive greater latitude to conduct such operations around the world.
In a recent article in Texas National Security Review, I argued that hack-and-leak operations should be seen as the “simulation of scandal”: strategic attempts to direct public moral judgement against the operation’s target. Hacking tools provide a new and relatively accessible means to obtain the secret information necessary to simulate scandals. However, they pose an equal danger for those who use them: that the target of the scandal will successfully portray the hack as more media-worthy than the content of the leak. Hack-and-leak operations are thus a double-edged sword, as their discovery often means the scandal becomes about the hack itself, not about the hacked information.
Perhaps the most well-known example of a hack-and-leak operation is the success of Russian intelligence agencies in obtaining and disseminating documents from the Democratic National Committee during the 2016 U.S. presidential election campaign. Although the campaigns of both Hilary Clinton and Donald Trump repeatedly revealed lies and transgressions of their opponent, the Democratic National Committee emails represented a crucial shift in momentum between the two candidates.
Following the Democratic National Committee leaks, hack-and-leak and other information operations were widely seen as a severe threat to liberal democratic structures, and U.S. policymakers have in turn mobilized significant resources in response, including threat intelligence and cyber security protections, increased election and voting security, legislative pressure on social media companies, and even offensive cyber attacks.
However, academic and policy understandings of hack-and-leak operations are over-reliant on a single case. The U.S. “whole-of-nation” approach to election cyber security is largely shaped by the events of the 2016 campaign, and specifically Russian interference in this election. It is hard to pinpoint the exact impact of this interference, especially the hack-and-leak element. Controversial candidates, a combative and polarized media environment, and entrenched economic and social divisions were all key factors in the 2016 result. Furthermore, foreign interest in the U.S. election was not limited to the Russian government. Other state and non-state actors also sought to influence campaigns in their favor.
Equally problematic, cyber security scholars may be limited in their theoretical resources for analyzing hack-and-leak operations. The extensive literature on cyber conflict has many insights relevant to hack-and-leak operations, not least indicating a propensity to conduct operations in the “grey zone” between peace and outright conflict.
It also highlights the creative and improvisatory nature of such operations in the context of rapidly evolving legal and technological responses. This includes a shifting background of “cyber norms” that offer a set of apparent constraints but, more realistically, serve as guiding lights for how the strategic pressure created by such operations can best be applied. The bar for legitimate cyber activity, whether “kinetic” actions in Israel and Iran that disrupt or sabotage adversaries’ infrastructure, or state-sponsored espionage in the case of China’s intrusion into the Office of Personnel Management, is constantly shifting. This encourages actors to go as close as possible to what they perceive to be current red lines, including on disinformation and hack-and-leak operations.
However, the characterization of hack-and-leak operations purely as an aspect of antagonistic foreign relations between states fails to appreciate the complexity of the globalized and congested media environment. Consequently, scholars need to also locate hack-and-leak operations within sociological approaches to digital media and information politics, especially the concept of scandal. In a fast-flowing digital media environment with constant accusations and leaks, the truth as revealed by scandal is always contested and challenged, and political actors seek to gain the upper hand through competing scandal-making. Seeing hack-and-leak operations as the simulation of scandal is a crucial first step in building a broader theoretical base for policy.
The Gulf States in U.S. Politics
Hack-and-leak operations are increasingly common, conducted by both allies and adversaries, and deeply enmeshed in domestic agendas. However, the political context for hack-and-leak operations worldwide varies widely, with uncertain implications for U.S. politics. For example, the leak of the Saudi cables by the “Yemen Cyber Army” had a very different impact than the Democratic National Committee leaks, while the Corbyn documents played out differently again.
I have sought to expand our understanding of hack-and-leak operations through a detailed qualitative analysis of four operations that reportedly targeted political figures in the United States in the period following the Democratic National Committee leaks, keeping the political and media environment constant as far as possible. The targeted individuals were Iranian-American businessman Farhad Azima, United Arab Emirates Ambassador Yousef Al-Otaiba, Republican lobbyist Elliott Broidy, and Amazon owner Jeff Bezos. These cases, despite their differences, replicate many of the striking features of the Democratic National Committee operation: access through phishing, the release of large collections of emails, publication in national media outlets, and even direct references to “DCLeaks,” the identity assumed by the Russian intelligence agencies to disseminate the Democratic National Committee documents.
These cases have been publicly attributed to governments in the Middle East, namely Qatar, Saudi Arabia, and the United Arab Emirates, although these attributions are tentative and contested. Uncertainty about attribution is not merely an aftershock of the initial incident, prolonged due to well-known difficulties in technical and political attribution for any cyber operation. Instead, such uncertainty is a key part of the simulation of scandal. It stems from the shifting balance of media coverage between stories that focus on the content of the leak and stories that focus on the details of the hack. This ebb and flow occurs as protagonists on each side seek to direct the weight of coverage towards the hacking operation or away from it, towards the content revealed by the hack.
In addition to the shifting power dynamic between the scandal-maker and the scandal-subject that is the crux of any attempt to simulate scandal, these cases demonstrate four other key points.
First, hack-and-leak operations are a comparatively low resource option. All four cases appeared to use simple but effective techniques, such as spear-phishing (sending emails deliberately crafted to convince their recipient to click on a malicious link), suggesting a relatively low level of investment for state actors.
Second, the format of leaked information may have played a role in deciding the impact of the scandal: Extensive document leaks lend themselves to multiple releases, while a few texts and pictures have limited potential to sustain attention across news cycles.
Third, the target’s response to the initial leak also determines whether media coverage focuses on the hack or the leak elements of the incident. A strong and carefully managed publicity campaign can capitalize on the media appetite for cyber security to portray the incident as primarily a hack, rather than a leak.
Fourth, a cover identity for the leaking actor shifts focus onto the content of the leak, even if such a cover is implausibly deniable. Fake identities that deliberately confuse attribution, acting as “false flags,” may prevent media coverage focusing on the hack and shift attention to the content, changing the direction of the scandal overall. These identities are deliberately murky, evoking what I have previously described as “cyber-noir.”
Implications for U.S. Defense and Offense
This analysis has several implications for cyber policy. The cast list in these manufactured morality plays is clearly wider than limited notions of the state that focus on elected officials or government employees. But it is also wider than the usual cast list of cyber conflict, already extended to include many non- and semi-state actors. Cyber conflict studies should widen their lens still further to the range of legal, reputational, and public relations services that are involved in scandals caused by hack-and-leak operations. Different policy tools will be appropriate for a hack-and-leak operation staged by state-sponsored actors, the cybercriminal underground, a D.C. lobbying company, or even college political associations. The impact of hack-and-leak operations should also be analyzed along gender-based and intersectional lines. Cyber security already has a blind spot for some gender-differentiated harms, and hack-and-leak operations are likely to disproportionately impact women and people of color due to prevalent societal expectations around what constitutes scandalous behavior.
These cases also illustrate how domestic politics in the United States is inseparable from its foreign policy, especially in the Middle East. Some media commentators have therefore described the United States as merely a “battleground” for Gulf rivalries, but this goes too far in the opposite direction. Although U.S. politics is clearly not immune to the influences of other states, the United States is not a neutral place for Gulf struggles to play out: Domestic divisions and coalitions, partisan and others, are entwined with foreign interests and objectives. Recent extensions to the use of the Foreign Agents Registration Act to state disinformation show that U.S. policymakers are aware of these difficulties and the need for nuanced regulation, but it is not clear that such legislation is the best route to deter hack-and-leak operations in the future.
More broadly, these cases show that cyber threats to the United States from adversarial states such as Russia and China should not be the only policy focus, as states that are strong military allies and strategic partners also employ cyber techniques to influence U.S. domestic politics. Such longstanding relationships mean that the strategic options for interference available to allied actors are limited, making covert cyber operations even more attractive. Such actors seek to bend rules and norms around interactions between allies, carefully pushing boundaries rather than breaking them. U.S. policy towards the Gulf states needs to be more transparent and more consistent to discourage further hack-and-leak operations. At the moment, opaque, high-level contacts and mixed messages on diplomatic differences are taking the United States in the opposite direction.
Finally, these cases highlight the risks of engaging in hack-and-leak operations, as they can easily backfire and create scandal around the operation itself rather than its intended subject. The United States operates in this sphere, as illustrated by the shift to persistent engagement in the Department of Defense’s cyber strategy, and more recently leaked executive orders that make it easier for the CIA to “engage in the kind of hack-and-dump operations that Russian hackers and WikiLeaks popularized.” Russian President Vladimir Putin already believes that the Panama Papers leak was a targeted U.S. intelligence operation, and last year’s releases of Iranian offensive cyber tools online look like exactly the kind of operation that would be authorized under this order. U.S. offensive policy on hack-and-leak operations needs to acknowledge their risks at tactical, strategic, and normative levels, building these risks into operational decision-making — especially in the run-up to the November 2020 election.
Overall, the erratic dance of hack-and-leak operations means that their impact is difficult to determine, let alone predict, both for perpetrators and targets. Successes in simulating scandal are likely to be temporary, creating just enough pressure and distraction to prevent action in other areas. In a landscape of permanently competing narratives, this dynamic is never fully decided, and a new scandal — especially one revolving around illicit hacking — can open a crucial window of opportunity for adversaries.
James Shires is an assistant professor in cyber security governance at the Institute of Security and Global Affairs, University of Leiden, in the Netherlands. He is also a nonresident fellow with the Cyber Statecraft Initiative at the Atlantic Council. He was formerly a postdoctoral fellow at the Cyber Project of the Belfer Center for Science and International Affairs, Harvard Kennedy School, where the bulk of the research for this article was conducted. He can be reached at jamesshires.com or on Twitter @jamessshires.