Hack-and-leak operations (HLO) are a new frontier in digital forms of foreign interference, epitomized by the success of Russian intelligence agencies in obtaining and disseminating documents from the Democratic National Committee (DNC) during the 2016 U.S. presidential election campaign.1 HLO and other information operations are widely seen as a severe threat to liberal democratic structures and U.S. policymakers have mobilized significant resources in response, including threat intelligence and cyber security protections, increased election and voting security, legislative pressure on social media companies, and even offensive cyber attacks.2
This “whole-of-nation” approach is largely based on the events of the 2016 U.S. election, and specifically Russian interference in the election process.3 However, it is hard to pinpoint the exact impact of the Russian disinformation operations.4 Controversial candidates, a combative and polarized media environment, and entrenched economic and social divisions were all key factors in the 2016 election result. Furthermore, foreign interest in the U.S. election was not limited to the Russian government; other state and nonstate actors also sought to influence candidate campaigns in their favor.5 The danger is that academic and policy understandings of HLO are over-reliant on a single case. This article therefore asks: How do other HLO cases alter our understanding of this new phenomenon, including motives, means, and consequences?
HLO occur frequently worldwide, but their political contexts vary widely and have uncertain implications for U.S. politics.6 Consequently, this article expands our understanding of HLO through a detailed qualitative analysis of four operations that targeted political figures in the United States in the period following the DNC operation (October 2016 to January 2019), thus keeping the political and media environment constant as far as possible. These cases replicate many of the striking features of the DNC operation: access through phishing, the release of large collections of emails, publication in national media outlets, and even direct references to “DCLeaks,” the identity assumed by the Russian intelligence agencies to disseminate the DNC documents. These cases have been publicly attributed to governments in the Middle East, namely Qatar, Saudi Arabia, and the United Arab Emirates (UAE), and thus broaden conceptions of digital foreign interference to allies as well as adversaries.
This article argues that HLO are the “simulation of scandal”: deliberate attempts to direct public moral judgment against their target. The success of HLO depends on the shifting power dynamic between the scandal-maker and the scandal-subject, referred to in Arabic as kāshif and makshūf, respectively. At the center of this dynamic are the digital technologies used to obtain and release secret information. These hacking tools are a double-edged sword, as their discovery often means the scandal becomes about the hack itself, not about the hacked information; in other words, the kāshif becomes the makshūf. These cases also highlight other overlooked aspects of HLO: the utility of “activist” cover, the involvement of new actors such as public relations (PR) agencies and law firms, and the leaker’s wary reliance on mistrustful relationships with traditional media. Finally, the article identifies wider consequences for cyber competition in situations of constraint where both sides are strategic partners. In such situations, HLO offer a powerful but indirect and unpredictable means of influence.
The first section places HLO within the literature on cyber conflict and information operations. The second section draws on sociological accounts of mediatized and digitalized leaks to explore the simulation of scandal. The rest of the article concerns the four case studies: The third section provides an overview of each case; the fourth analyzes their coverage in prominent media outlets; and the fifth discusses reasons behind their differing effects. A conclusion places this discussion in a broader strategic context, highlights limitations, and suggests further work.
The contemporary media environment is congested, globalized, and securitized. Online publications and social media platforms compete for the scarce resource of users’ attention, driven by logics of ranking, profiling, and advertising.7 Users can access content from almost anywhere in the world, produced by a variety of actors with intertwined (geo)political, commercial, and normative motivations.8 Media organizations and publications are increasingly enfolded into narratives of national security that demand urgent legislative and policy solutions. These three characteristics destabilize existing media authorities and gatekeepers with both positive and negative effects: They democratize debate while lowering editorial standards; provide a safe space for alternative identities while encouraging extremist positions; and offer new opportunities for both education and foreign interference. This Janus-like evolution is now most commonly represented with its uglier face forward, wearing the labels of “fake news,” “post-truth,” and “the end of objectivity.”9 Hastily proposed remedies are uncomfortable in some states where they strain creaking structures of liberal democracy. Yet these measures are music to the ears of authoritarian leaders in other states where repressive information controls and restrictions on speech resonate with efforts to mobilize the threat of foreign propaganda to bolster the incumbent regime.10
Leaks — the release of secret or confidential information into the public domain — occupy a special place in this divisive and frenetic world. In an era where trust online is frequently misplaced, the term “leak” is a rare marker of authenticity, intimating unmediated truth and unbalancing its targets. The amount of information released by leaks has increased dramatically, creating “mega” or “deluge” leaks, although this increase probably remains proportionate to the amount of data held by organizations.11 Leaks have precipitated seismic recent events in world politics, from the U.S. cables that prompted Tunisian anger at elite corruption in late 2010 and contributed to the Arab Spring revolutions, to the Snowden revelations in 2013 that exposed the hypocrisy of the United States and its allies in extolling the benefits of global online access while simultaneously expanding digital surveillance architectures.
Unfortunately, not all mega leaks land on fortuitously aligned domestic and geopolitical fault lines. The documentation of horrifically bureaucratic torture and murder in Syrian jails, smuggled out by a former forensic photographer, has met the same silence and stalemate as other war crimes in that complex, grinding conflict.12 Furthermore, although anonymous official sources and whistleblowers have always been an important element of political reportage, leaks are an everyday occurrence. Politicians and other media figures — and, unfortunately, ordinary young people — are now resigned to the expectation that classified documents, compromising photos, or candid conversations will eventually appear in their supposed (sometimes doctored) entirety.13 Organizations, individuals, and digital devices are, in Wendy Hui Kyong Chun and Sarah Friedland’s words, very “promiscuous”: They “routinely work through an alleged ‘leaking’ that undermines the separation of the personal and the networked.”14
Digital media are not only the means of dissemination for leaked information, but often also their source, through data breaches and HLO, also known as “doxing.” Doxing — the acquisition and publication of another individual’s private information — is one of the oldest practices in cyberspace. Originally, to “dox” (from “documents”) someone meant simply revealing their offline identity, either for “lulz” — for little discernible reason beyond personal enjoyment — or to embarrass those who transgressed early norms of behavior on the internet.15 As the internet grew, doxing became more sophisticated, using both intensive open-source investigation and intrusion into the target’s systems to obtain sensitive information. The targets changed too, from tit-for-tat spats within hacker communities to the publication of personally identifiable information for thousands of government and corporate employees.16 These later events are “public-interest hacks,” in Gabriella Coleman’s description of the hacker collective Anonymous,17 or what Bruce Schneier has called “political” or “organizational” doxing.18 Both leaks and doxes can release objects and capabilities in the form of computer code, as well as more traditional text documents.19
Finally, doxing and leaking actors have strong motivations to muddy the distinction between the two. Apparently leaked information may in fact result from an external intrusion obscured by journalists or lawyers for legal reasons, while victims may claim to have been hacked for the opposite reason, to facilitate insurance claims and avoid scrutiny. To make the overlap between doxing and leaking clear, I use “hack-and-leak operation (HLO),” which reminds us of both the usual sequence of events (hack and then leak), as well as the frequent blurring of boundaries between hacking and leaking.
HLO fit into a long history of the manipulation of information for national security purposes, which is centrally the preserve and currency of intelligence agencies.20 Espionage in the modern era relies as much on signals intelligence — telecoms, radio, and now internet communications — as traditional human sources, sometimes competing but now largely integrated.21 Intelligence agencies have also dominated the weaponization of espionage tools for “effects” such as disruption or damage.22 Intelligence practices have a complex relationship with leaking. First, third-party leaks are valuable sources and the extent of private information on the internet means open- or all-source intelligence can be as powerful as secret methods. Second, intelligence agencies in democracies rely on popular support, regularly shaping policy and public perception through non-classic routes, leading to David Pozen’s description of the U.S. government as a strategically “leaky leviathan.”23 Third, leaking — and the threat of leaking — is an effective way to damage adversaries or to convince people to provide information.24 Leaking, for intelligence agencies, is thus both a powerful tool and their greatest fear, leading to insularity and internal suspicion.25
HLO are at the pinnacle of digital disinformation operations conducted by intelligence agencies, combining intrusion into networks with coordinated and doctored dissemination through traditional and social media. The growing literature on cyber conflict in strategic studies and international relations has astutely recognized how cyber operations in general are one means of exploiting economic, social, and technological openness on the internet for strategic gain.26 This scholarship has many insights relevant to HLO, indicating a propensity for actors to conduct operations in the “gray zone” between peace and outright conflict.27 It also highlights the creative and improvisatory nature of such operations in the context of rapidly evolving legal and technological responses, including a shifting background of “cyber norms” that offer a set of apparent constraints but, more realistically, serve as guiding lights for how the strategic pressure created by such operations can best be applied.28
However, the characterization of HLO purely as an aspect of antagonistic foreign relations between states fails to appreciate the complexity of the globalized and congested media environment sketched above. Consequently, HLO, especially those linked to the idea of “scandal,” need to be located within sociological models of digital media and information politics outside national security contexts.
Scandal and Simulation
Scandals are a subset of leaks, as there can be no scandal without a disclosure of secret information (even if this information is only “secret” in the oxymoronic sense noted by Eva Horn, i.e., spoken of ad infinitum as secret).29 Although nearly all scholars of scandal agree that moral transgression is at the core of the concept, they disagree over how best to theorize it.30 Some distinguish the type of transgression; John B. Thompson’s influential work suggests that values of trust and reputation separate political scandals from other forms.31 In contrast, more anthropological approaches focus instead on the role of scandals in maintaining and reinforcing existing societal norms and values by providing an opportunity — and an obligation — to condemn a specific action that transgresses those norms.32 Scandal thus requires what might be termed normative dissonance: a divergence between expected and observed or practiced norms and moral standards.33
This is illustrated most clearly through the figure of a whistleblower: One who witnesses or participates in actions that are contrary to their values, and yet is informed by those around them that these actions are normal or otherwise legitimate.34 Michael Walzer calls whistleblowing “moral risk-taking” due to the bet that the whistleblower’s moral position will resonate more with society at large than that of their peers.35 We can see the power of scandal in the DNC leaks, turning the release of private information into condemnation of a moral transgression.36 These leaks portrayed a clear normative dissonance between Hillary Clinton’s projected image of trust and competence and accusations of “crooked Hillary” representing the “swamp” which came after the leak.
Although the concept of scandal enriches our understanding of the impact of HLO, the scholarship on scandal above does not directly address the issue of disinformation. The focus of these works is the presence of moral norms and their violation, rather than whether leaked information is verifiably true. Other sociological thought on scandal, especially that of Jean Baudrillard, explicitly cautions us against seeing leaks as simply revealing the truth. Baudrillard extends the anthropological insight of social reinforcement through scandal from purely moral norms to norms of truth, rationality, and reason. In his words, “It is always a question of proving the real by the imaginary, proving truth by scandal, [and] proving the law by transgression.”37 Scandals thus not only involve the airing and confirmation of certain values, but also commitment to rational argument and standards of truth.
However, for Baudrillard, these standards are not objective and so scandals are “an arbitrary stop to this revolving causality,” a last-ditch attempt to save “a principle of political reality.”38 This arbitrariness means there is no such thing as a “true” scandal. Instead, all scandals are simulated, an arbitrary attempt at resisting relativism within a world of ungrounded uncertainty. Hence, he declares that “Watergate is not a scandal” but that “Watergate succeeded in imposing the idea that Watergate was a scandal … the reinjection of a large dose of political morality on a global scale.”39 Baudrillard’s ideas, although developed half a century ago, have clear relevance today, when standards of truth are a frequent object of manipulation and a tool in power struggles.40 We should be skeptical of taking scandals at face value and should instead see exposure, denunciation, and counter-denunciation all as part of a single phenomenon.
However, Baudrillard’s view deliberately bypasses the specific motives, tactics, and identities of the entities involved. In contrast, more recent scholarship, especially the work of Tarek El-Ariss on digital culture and literature in the Arab world, highlights how people confront normative dissonance. As he argues, there are “two forms of knowledge: a knowledge that is already known or assumed to be true, and an embarrassing if not scandalous knowledge from which no one can turn away … Simultaneous acts of reading and knowing – knowing together, all at the same time – constitute the scandalous effect of the leak and make it embarrassing to those in power.”41 El-Ariss’ argument goes on to make a useful distinction between the subject and object of the scandal: in Arabic, between kāshif (revealer) and makshūf (revealed).42 He suggests that these two roles exchange and even overlap, especially as leaks develop and spread. Consequently, “scene-making and exposure … capture the breakdown of subject/object relation in a new digital landscape.”43
Like Baudrillard, El-Ariss traces the larger political implications of this delicately balanced and constantly shifting kāshif/makshūf relationship, concluding that “the dialectics of leaking and containing the leak expose the mechanism of prohibition and the failure or porousness of this mechanism at the same time.”44 We can see this political contest and shifting boundaries in the 2016 election, as both the Clinton and Trump campaigns repeatedly vied to portray themselves as kāshif, revealing lies and transgressions of their opponent, and avoid the identity of makshūf, the morally culpable and uncovered subject. More specifically, the DNC emails represented a crucial shift between the two, as a leaked recording of Donald Trump (the “Access Hollywood” tape) was overshadowed by the documents from the DNC focusing on Clinton’s record in government.45
Our understanding of HLO is deepened in several ways by sociological works on scandal. First, scandal is prevalent across different moral contexts, leading to a focus on its mechanics rather than content. Second, the truth as revealed by scandal is always contested and challenged. Sometimes it is even simulated. Third, in a fast-flowing digital media environment with constant accusations and leaks, political actors seek to gain the upper hand through competing scandal-making, jostling to be kāshif rather than makshūf. Cases of HLO in U.S. politics demonstrate how hacking tools are the fulcrum of this struggle over identities, altering the balance of power between adversaries. The use of cyber tools brings the identity of whistleblower (kāshif al-ʾasrār, leaker of secrets) close to that of hacker (hakar, mukhtariq). When the hack becomes the focus of moral judgment and attention, rather than the leak itself, the kāshif becomes the makshūf.
HLO in U.S. Politics
The selected cases of HLO examined in this section all took place in the United States in the three years following the 2016 U.S. presidential election. This section provides an overview of the publicly available detail of each case in chronological order. The four cases, and selected characteristics, are summarized in Table 1. The cases were selected to keep the political and media environment constant as far as possible, in comparison to selecting cases from other countries. They were also selected because all four subjects are political actors of some form, even if they do not all hold official positions in government. Only one (Al-Otaiba) has such a position (as the UAE ambassador); the others are politically influential due to their connections and/or financial power. As such, the concept of politics I use for case selection is broad, encapsulating other individuals and organizations that have a significant influence over knowledge, policy, and action.46
In each case, as will become clear in the overviews, the individuals involved are enmeshed in a variety of schemes and relationships with Gulf leaders, local governments, or influential companies (and the three overlap to a significant extent). Consequently, these cases were selected not only because they all take place within the scope of U.S. politics, but also because they illustrate how domestic politics in the United States are inseparable from U.S. foreign policy, especially in the Middle East.47 Some media commentators cited below have therefore described the United States as merely a “battleground” for Gulf rivalries, but this goes too far in the opposite direction. Although U.S. politics is clearly not immune to the influences of other states, the United States is not a neutral place for Gulf struggles to play out: Domestic divisions and coalitions matter just as much as foreign interests or objectives.
| Subject of leak | Farhad Azima | Yusuf Al-Otaiba | Elliot Broidy | Jeff Bezos |
|---|---|---|---|---|
| Date of first leak | October 22, 2016 | June 2, 2017 | March 2, 2018 | January 21, 2019 |
| Public attribution (denied, all cases) | UAE/Iran | Qatar/Russia | Qatar | Saudi Arabia |
| Leaker's assumed identity | — | Activist | Activist | — |
| Intermediaries allegedly involved | PR agencies | — | PR agencies, cyber security companies | Commercial spyware company |
| Type of release | Coordinated with papers of record | Coordinated with papers of record | Coordinated with papers of record | Coordinated with tabloid |
| Type of scandal | Financial, political | Moral, financial, political | Financial, political | Moral |
| Responses from subject of leak | Lawsuits | Downplay relevance | Media messaging, lawsuits, technical investigation | Media messaging, lawsuits, technical investigation |
| Format | Emails, documents, iCloud | Email scans, emails | Emails, documents | Texts, photos |
Table 1: Selected HLO in U.S. Politics
Farhad Azima is an Iranian-American businessman in the aviation sector who was reportedly an asset for the CIA during the Iran-Contra scandal in the 1980s.48 He was also named as the owner of a British Virgin Islands-based air transport company in the Panama Papers, a leak exposing corruption in tax havens, in early 2016. On Oct. 22, 2016, the UAE newspaper The National stated that Azima and the investment fund of the emirate Ras Al-Khaimah (RAKIA) had issued simultaneous lawsuits on Sept. 30, 2016, against each other in Washington, D.C. and London, regarding his role as a broker for a hotel purchase in Tbilisi, Georgia. Later lawsuits suggested that the dispute also involved accusations of arbitrary detention and prisoner abuse in Ras Al-Khaimah. Azima’s 2016 submission claimed that “a massive volume of emails and other electronic data” had been taken by RAKIA through an intrusion into his computers in August 2016.49
RAKIA denied the claim and sympathetic Arab media only covered RAKIA’s submission.50 Later court documents stated that Azima’s devices had first been compromised in October 2015, and then in mid-2016 websites had appeared with names such as “Farhad Azima Scammer,” including BitTorrent links to Azima’s emails and iCloud data.51 Eight months later, on June 21, 2017, the Associated Press published an article on Azima’s past relying on “a recently obtained collection of tens of thousands of emails his lawyers say was stolen by hackers.”52 This was accompanied by a separate article detailing how contact between Azima and Wall Street Journal correspondent Jay Solomon had led the paper to terminate Solomon’s contract. The Wall Street Journal claimed that Solomon had violated ethical obligations and professional standards in his contact with Azima.53
Solomon’s own account of this contact emphasized that the hacked data, posted online on Sept. 13, 2016, included a file named “Fraud Between Farhad Azima and Jay Solomon.” Solomon thus inferred that he was one of the targets of the hack, and blamed Iranian state-sponsored actors due to the Iranian focus of his reporting at the Wall Street Journal.54 Solomon also repeated Azima’s lawyers’ claim that the hackers “inserted spyware into his [Azima’s] computer.” Solomon claimed that RAKIA’s public relations consultants, Bell Pottinger, had sent the hacked data to international media outlets, including the Wall Street Journal, suggesting that “the information operation had been incredibly effective.” A friend of Solomon’s published an article in Bloomberg stating that the “biased curation” of the data by the Associated Press constituted a clear information operation.55 In June 2018, the Qatari outlet Al Jazeera used further court documents to attribute the hack to RAKIA, noting that the judge found it was “beyond dispute” that hackers had been involved and that Azima’s claim of RAKIA’s involvement was “plausible.”56 Most recently, a court judgment in the United Kingdom in May 2020 found against Azima on the matter of the Tbilisi hotel, instructing him to pay $4 million to RAKIA, and decided that his claim of RAKIA’s responsibility for the HLO was not proven by the circumstantial evidence provided.57
This case demonstrates the complexity of HLO. The provenance of the leak in a hacking operation was quickly seized upon by Azima’s opponents and questioned by his supporters, with subsidiary effects on Azima’s contacts, such as Solomon. Lawsuits ongoing before, during, and after the leak struggled to deal adequately with the information revealed, but their careful conclusions were nonetheless leveraged by polarized media to shift the scandal as it developed.
On June 2, 2017, three days before a diplomatic split between Qatar on one hand and the UAE, Saudi Arabia, Bahrain, and Egypt on the other, several news organizations in the United States received messages from a group called GlobalLeaks, containing copies of emails from the Hotmail account of the UAE ambassador to the United States, Yusuf Al-Otaiba, between 2014 and 2017. As reported by the Daily Beast, the purpose of GlobalLeaks was to “reveal how million[s] of dollars were used to hurt [the] reputation[s] of American allies and cause policy change,” and thus show “how a small rich country/company used lobbyists to hurt American interests and those of it[s] allies.”58 Although GlobalLeaks claimed the emails came from a paid whistleblower based in Washington, D.C., the Daily Beast suggested they were printed out directly from a hacked Hotmail account. GlobalLeaks used a free email account with a Russian provider, and the subject line of their email was “DC Leaks – The Lobbyist Edition Part 1,” referencing the website used to publish emails from the DNC hack. According to the Huffington Post, GlobalLeaks denied any allegiance to Qatar or another government.59
Other news outlets continued to publish revelations from Al-Otaiba’s account after what the Wall Street Journal called a “new release” of emails at the end of July 2017. The New York Times published a story about the opening of a Taliban embassy in Doha rather than Abu Dhabi,60 while the Wall Street Journal focused on Al-Otaiba’s relationship with a Malaysian state development fund. The Wall Street Journal named GlobalLeaks as their source, with the stated motivation to “expose corruption, [and] financial frauds which are done by rich governments.”61 At the end of August 2017, The Intercept reported on Al-Otaiba’s personal life, including sexual conduct and a “party” lifestyle, using emails beginning in 2007. This story claimed that some of Al-Otaiba’s emails had already been posted to an online chatroom in 2009 but were then removed. These emails were seen by the journalist for The Intercept in 2015.62 A further release occurred on Sept. 13, 2017, including stories in The Intercept and Middle East Eye on Egyptian lobbying in the United States.63
In terms of political consequences, the Al-Otaiba leaks were significant in demonstrating how Al-Otaiba worked both sides of the aisle in Washington, D.C. He was close to the Obama administration, arranging closed high-level meetings and disparaging the Trump campaign. He then became equally close to the Trump administration, with some media reports suggesting that the investigation into election interference by Special Counsel Robert Mueller took an “interest” in the emails as evidence of contact with Trump advisers prior to the election.64 Although UAE contacts are dealt with extensively in the Mueller report, redactions mean it is unclear what role, if any, these leaked emails played in Mueller’s investigation.65
This case demonstrates how a single HLO has a bearing on several domestic and geopolitical planes simultaneously, including the Qatar split, U.S. strategy in the Gulf, investigations into Russian interference and other influences on the U.S. election, and salacious stereotypes of rich Arab lifestyles in the United States. It also reveals how closely HLO actors can mimic other operations, sowing confusion about attribution.
Elliot Broidy is a Republican lobbyist with extensive business ties to the UAE. The Huffington Post first reported leaked emails from Broidy’s email account on March 2, 2018, from a group named “L.A. Confidential” whose stated purpose was to “expose people associated with Hollywood” (Broidy’s wife, Robin Rosenzweig, is a Hollywood lawyer). The documents included emails Broidy wrote to himself, offering insights into his personal thoughts as well as private communications.66 A second release of documents was published by the Associated Press on May 21, 2018.67 The New York Times published a comprehensive story on Broidy’s relationships with other lobbyists and fixers at the same time.68 The BBC used Broidy’s emails to reveal that former U.S. Secretary of State Rex Tillerson was under political pressure prior to his resignation, and quoted a spokesman for Broidy claiming that “we have reason to believe this hack was sponsored and carried out by registered and unregistered agents of Qatar.”69 In May 2018, Bloomberg reported that the compromise probably occurred when Rosenzweig received an email on Dec. 27, 2017, with an apparent Gmail security alert. She reportedly reset her password while on the spoofed page, allowing the malicious actor access to a Google Doc with more passwords including an account at Broidy’s finance company.70
Further details of the compromise have emerged from a series of lawsuits issued by Broidy against the state of Qatar and its agents. The first lawsuit claimed that from January to March 2018 an email server at Broidy’s finance company had been compromised, with an initial forensic analysis identifying IP addresses for VPN services in the Netherlands and the United Kingdom. Later analysis also identified non-VPN connections from Qatari IP addresses.71 The lawsuit was dismissed as the court had no jurisdiction over foreign sovereign entities.72 A separate lawsuit in a New York court against a U.N. official was also dismissed.73 According to Broidy’s lawsuits, Qatar’s public relations firms called many news outlets during this period and spoke frequently with the Associated Press just before the story about Broidy’s emails was published. The most recent lawsuit, in documents filed in March 2020, alleges that a company named Global Risk Advisors was responsible for the hack, although no further evidence is provided.74 Overall, one of the main consequences of the leaked documents was to expose Broidy’s commercial relationships with the UAE and Saudi governments through a military contracting company, Circinus. The documents also highlighted his contacts with individuals indicted for channeling “illicit donations” from the UAE to the Trump presidential campaign, and Broidy is reportedly under federal investigation for his relationship to the UAE.75
This case reinforces several aspects of the first two, including supposedly activist or ideological motivations and a swift descent into “lawfare” (legal warfare) as a response to the leak. This leak was assimilated into several orthogonal agendas, again including the Qatar split and election interference, and highlights the key role of PR companies on both sides of the HLO.
Jeff Bezos is the founder and CEO of Amazon and owner of the Washington Post. On Jan. 21, 2019 the National Enquirer published a report about Bezos’ extra-marital relationship with Lauren Sanchez, a television host in Los Angeles, based on text messages between the two in late 2016.76 Within days, several news outlets speculated that the leak was politically motivated due to the Washington Post’s coverage of President Trump, although at this stage “a digital forensic analysis turned up no evidence of a hack and the theory was quickly discounted.”77 On Feb. 7, 2019, Bezos wrote an article claiming that the owner of the National Enquirer had attempted to blackmail him with “intimate photos” Bezos had sent to Sanchez. Bezos linked this attempt to his own investigation of how his text messages had been leaked, as well as the Washington Post’s coverage of murdered Saudi journalist Jamal Khashoggi, because the letter he claimed to have received stated he should publicly state that he has “no knowledge or basis for suggesting that [the National Enquirer’s] coverage was politically motivated or influenced by political forces.”78 The Saudi foreign minister, Adel Jubair, denied any involvement.79 On Feb. 12, 2019, the Associated Press published a story claiming that Bezos’ investigation had determined that Lauren Sanchez’s brother, Michael Sanchez, was the source of the message and photos.80
In March 2019, Bezos’ private investigator published his own account, stating that “our investigators and several experts concluded with high confidence that the Saudis had access to Bezos’ phone, and gained private information.”81 He did not provide any further details other than interviews with “leading cybersecurity experts who have tracked Saudi spyware.” He also stated that the National Enquirer appeared to have access to Bezos’ messages before contacting Michael Sanchez, basing his conclusion on media reports. The private investigator implied that the Saudi government targeted Bezos in several ways due to the Washington Post’s coverage of the Khashoggi killing, including on social media, and that the leaked messages were part of this targeting. Saudi Arabia repeated its denial of involvement following this article.82 Finally, in January 2020 several news outlets used the leaked contents of a technical investigation into Bezos’ phone to conclude that it was likely compromised with malware that behaves in a manner similar to a commercial product alleged to be used by the Saudi government.83 This report contained only circumstantial evidence,84 but the association with Saudi Arabia was repeated by United Nations special rapporteurs investigating Saudi Arabia’s human rights record.85
Following this report, media articles stated that Bezos met and swapped phone numbers with Saudi Crown Prince Muhammad bin Salman at a dinner with other Silicon Valley investors several weeks before the alleged hack, during bin Salman’s visit, which was promoted heavily by the National Enquirer.86 However, disagreements over sourcing continued, as the Wall Street Journal used leaked documents from a federal investigation to argue that Michael Sanchez provided the original texts to the National Enquirer.87 These explanations are not mutually exclusive: It is possible that Bezos’ phone was infected and that Michael Sanchez provided the texts, or that the leak was double-sourced, or that either is incorrect.
This case amplifies the prurient strains of the Al-Otaiba case, with headlines dominated by details of the affair, divorce, and division of assets of the world’s richest man. But there was also a constant political undertone, with Saudi overtures to Silicon Valley and subsequent fissures generating ample grist to a speculative mill well before the results of any investigation. Overall, these four cases have both evident similarities and several key differences. The trajectory of each case turns on whether the media chooses to focus on the leaker or the subject of the leak as their main story: in other words, whether the scandal is about the kāshif or the makshūf.
Although it is extremely difficult to judge the overall impact of a HLO, there were several immediate consequences from the four cases considered here. According to the U.K. judge, the Azima leak was decisive in his decision instructing Azima to pay $4 million to RAKIA.88 Although the Azima leak led to the termination of Solomon’s employment at the Wall Street Journal, Solomon was apparently only an incidental target. Bezos and those in his personal life were severely affected by the leak, but his political and economic influence has not diminished. In the Al-Otaiba and Broidy cases, their targets were temporarily excluded from their usual lobbying circuits. For example, Broidy’s lawyers cite in a claim document WhatsApp messages between Qatari agents, indicating some direct consequences for Broidy’s lobbying career.89 However, Broidy and Al-Otaiba returned quickly to these political circles afterwards.90 Due to redactions, it remains unclear whether Broidy is mentioned in the Mueller report following connections revealed through his and Al-Otaiba’s leaked emails, though Broidy is reportedly under investigation for other activities during the election.
Overall, in contrast to the DNC leaks, the long-term impact from these leaks remains uncertain. However, it is possible to gauge the impact of each leak through the coverage in major media outlets. All four cases involved relationships with traditional media outlets: Broidy, Al-Otaiba, and Azima were associated with highly regarded news services or papers of record, while the Bezos case involved the celebrity tabloid the National Enquirer. This focus on traditional media seems slightly anachronistic, as people now consume much of their news and commentary through social media. However, traditional media outlets still play a foundational role in political debate. Although their role as gatekeepers is no longer well defined, many such outlets have adapted to the new media environment, though they now have new commercial incentives for production and content. Moreover, this focus appears to have been a strategic choice by the leakers. In the Azima case, Solomon describes the leaker contacting many media outlets until the Associated Press “bit” and published the documents.91 The Broidy case suggests even closer relationships with specific organizations, as there were allegedly repeated conversations with news organizations prior to each release.92
I measured the media coverage of these cases by identifying the top 50 results of a structured Google search conducted in June 2019 (Figure 1).93 Google’s algorithm ranks websites based on a complex mix of content, search frequency, and connections, serving as an adequate proxy for the popularity of an online news article without measuring specific page visits or visitor behavior.94 In each case nearly all results were news articles and the total count was sufficient to capture the main waves of publication, as relevant results after 50 were usually recycled articles from secondary sites. The exception is the Azima case, where there were 31 results in total. Plotting the dates of these results shows that media coverage of these leaks occurred in short spikes, representing a brief news cycle: The story hits the press, is covered by various outlets in the following days, then disappears. These spikes occur multiple times for each case, so there are repeated “waves” when new documents are leaked.
Figure 1: Hack-and-leak Media Coverage, 2016-2019
Although the analysis above provides an indication of media coverage over time, it does not distinguish between two forms of coverage crucial to my argument on the simulation of scandal: stories that focused on the content of the leak, and stories that focused on the details of the hack. The former implies that the kāshif (revealer, divulger) responsible for the HLO has successfully portrayed their target as makshūf (revealed, uncovered). The latter implies that these roles have been reversed, and the actor that conducted the HLO has become makshūf — they are the one whose secrets have been revealed. The relationship between these two forms of coverage demonstrates the weight of coverage of the scandal overall, with each story’s focus directed towards the hacking operation itself or towards the content revealed by the hack. Although most stories collected in Figure 1 mentioned both elements, there was usually a clear prioritization of one angle over the other.
This prioritization is illustrated in an extreme form by two disinformation websites present in the media coverage analyzed here: one, promoting negative stories about Qatar, called Qatarileaks, and the other doing the same for the UAE, called Emiratesleaks. The Qatarileaks website and Twitter account were created in May 2017, while the Emiratesleaks website was created on Jan. 2, 2018. The Qatarileaks website covered Broidy’s accusations of hacking by Qatar and did not mention the Al-Otaiba leaks at all. Conversely, the Emiratesleaks website covered the revelations in Broidy’s emails but not the accusations of hacking (Table 2).
| Case | Qatarileaks | Qatarileaks | Emiratesleaks | Emiratesleaks |
|---|---|---|---|---|
| Broidy leaks | Broidy files new lawsuit against Qatar | Qatari mercenaries accused of Broidy email hack are in trouble | n/a | Emirati academic boasts of his country's role in the toppling of U.S. foreign minister |
| Al-Otaiba leaks | n/a | n/a | Millions of dollars spent by UAE to lobbyists in Washington | Arrangement with Trump advisers to give UAE "sensitive" information |
These two forms of coverage were also represented in the other news articles collected, albeit in a less extreme form. I therefore coded all articles as prioritizing either the hack or the leak elements of the scandal, based on a qualitative judgment of the headline of the article (Figure 2). The results indicate interesting variation: Media coverage of the Al-Otaiba case mainly focused on the leak contents; coverage of the Bezos case focused on the hack; and the Broidy and Azima cases were split roughly evenly, with more coverage overall of the Broidy case.100
Figure 2: Hack-and-leak Media Coverage Focus, 2016-2019
Explaining the Trajectory of Simulated Scandals
There are several potential explanations for the differing media coverage pertaining to each of the four hack-and-leak case studies. These HLO cases are complex, multi-causal events, and the explanations are complementary rather than competing. The fluid identities of kāshif and makshūf are relevant throughout, with both sides vying to maintain control of the narrative and avoid being portrayed as the object of scandal.
First, in terms of comparative analysis with the DNC leaks, one potential explanation is that political affiliation influences coverage, so that in the case of the DNC leaks the Russian HLO received greater coverage than the contents of Clinton’s emails due to the leftward leanings of the “mainstream media.” If treated as a serious hypothesis rather than conspiracy theory, a political spectrum explanation is neither clearly supported nor disproved by the cases considered here. Three cases do not have a clear domestic political affiliation (Al-Otaiba, Azima, Bezos). The one case with a clear affiliation, Broidy, has evenly split media coverage. Recognizing that these cases are transnational as well as domestic, a similar argument based on different sides of political divisions in the Gulf is also unsupported, as these cases come from both sides of the 2017 Qatar split, with differing results.
The scandal literature suggests that the type of scandal — moral, political, financial, and so on — may affect impact. In these cases, the leaking actor occasionally named a specific type of transgression. For Al-Otaiba, the claimed rationale was to “expose corruption” and “hurt [the] reputation of American allies and cause policy change.”101 In the Broidy case, the alleged leakers sought to “expose” him, although a court judged that leaking details of political and business meetings did not constitute a disclosure of private facts in Californian law because they did not sufficiently “shock … decency and propriety.”102 Although there is no explicit rationale available in the Azima or Broidy cases, the content of the initial publications — “scammer” for Azima and “illicit affair” for Bezos — also points to specific types of transgression. Overall, the leaked information covers a broad range of topics, neither supporting nor disproving the view that a certain kind of scandalous information has greater impact.
More specifically, it is not clear that “moral” scandals lead to a focus on content rather than hacking. Both the Bezos and Al-Otaiba cases highlighted supposedly transgressive sexual conduct, with an opposite focus for media coverage.103 The common element between these cases is therefore not a particular type of scandal, but that the HLO aimed to show that expected standards were not met — what I earlier termed “normative dissonance.”
Other potential explanations include the competence and resources of the leaking actor. Competence does not appear to be a good explanation, as reported attributions in all cases suggest highly motivated foreign state actors that are familiar with U.S. politics and possess sufficient financial and technical resources to accomplish their aims. Furthermore, all four cases appeared to use relatively simple but effective techniques, such as spear-phishing (sending emails deliberately crafted to convince their recipient to click on a malicious link), suggesting a relatively low level of investment for state actors. The news organizations that covered these stories also saw them as part of strategically planned operations. One journalist claimed that “there was thought and calculation behind how this material was being distributed.”104 Others labelled it a new level of cyber security threat.105 Journalists published these stories despite being aware of this strategic aim. As The New York Times’ David Kirkpatrick explained: “If we were to start rejecting information from sources with agendas, we might as well stop putting out the paper.”106 Nonetheless, the format of leaked information may have played a role in deciding the impact of the scandal: Extensive document leaks lend themselves to multiple releases, while a few texts and pictures have limited potential to sustain attention across news cycles.
Another explanation suggested by these cases is that a cover identity for the leaking actor shifts focus onto the content of the leak, even if such a cover is implausibly deniable.107 Attribution is a notoriously difficult element of any cyber intrusion.108 In addition to limited information and ulterior motives on the part of the attributing party, state actors in general rarely claim responsibility for cyber operations, either staying silent or issuing denials (as in these cases). Attribution is also affected by the interests and capabilities of investigating experts. For example, some commentators linked the Al-Otaiba case to a spoof website registered by the Russian intelligence services for the UAE Ministry of Foreign Affairs; it is unclear whether the two are in fact related.109
Consequently, fake identities that deliberately confuse attribution, acting as “false flags,”110 may prevent media coverage focusing on the hack and shift attention to the content, changing the direction of the scandal. In the Al-Otaiba and Broidy cases — the two with the most media coverage of leaked content — the leak came from “activist” identities (GlobalLeaks and L.A. Confidential, respectively). This tactic echoes other HLO activist identities such as the DNC’s DCLeaks, Football Leaks, and Hollywood Leaks.111
It is likely that the target’s response to the initial leak also partly determines whether media coverage focuses on the hack or the leak elements of the incident. Al-Otaiba’s response consisted mainly of downplaying the relevance and credibility of the leaked information. In the Bezos case, the impact of the “blackmail,” as Bezos termed it, was diminished because he published the same information himself, accompanied by blogs speculating on the origin of the hack and followed by professional technical reports. Both the Azima and Broidy cases involved exchanges of lawsuits between the target and the claimed intruder, as well as public relations agencies. Some of these PR agencies and associated cyber security firms were reportedly involved in the initial leaks: Bell Pottinger for the Azima case and Stonington Strategies, Bluefort Public Relations, and Global Risk Advisors in the Broidy case.112
Overall, a strong and carefully managed publicity campaign, whether conducted on highly visible open sources (as for Bezos), or through lawsuits and lobbying (as for Broidy), seems to deflect media attention from the content of the leak. Crucially, these responses supplied a clear alternative message, capitalizing on a recognized media appetite for cyber security and hacking topics to portray the incident as primarily a hack rather than a leak.113 Hacking tools were no longer just a useful means to generate a story; they became the story itself. In these cases, the struggle between kāshif and makshūf hinged on whether an opponent’s use of hacking tools could be successfully exploited by supportive media or commercially retained PR agencies as a superior scandal to the original leak.
Finally, this reversal of the kāshif/makshūf relationship is not merely a simple dynamic of punch and counterpunch, but becomes more complicated when we examine the details of Broidy’s response. Specifically, it appears that Broidy’s lawyers and PR agents used digital tools in at least two ways to obtain evidence which they then deployed to accuse Qatari agents of the original hack. First, they engaged in standard cyber security incident response including legal and technical measures. For example, once Broidy’s team had identified a TinyURL shortening service used to construct the initial phishing website, they then reportedly “issued subpoenas for every website created by the TinyURL user who made the phishing websites.”114 It is possible the L.A. Confidential email address used to leak the documents was registered by the same person who registered these websites and shortened links, which would have enabled Broidy’s team to link them together. Second, and more importantly, Broidy’s lawsuits rely on phone records and WhatsApp messages from the devices of individuals employed by PR agencies contracted by Qatar for the period in which the leaks occurred. There is no public data to indicate how these records and messages were obtained, although a story by the New York Times suggests that a private conversation between these individuals had been covertly recorded in addition to the collection of metadata with call times and contacts.115 If those investigating the hack-and-leak also engaged in covert recording and leaking of private conversations, then the delicate balance between kāshif and makshūf could shift once again.
This article has sought to widen the empirical basis of academic and policy debates around hack-and-leak operations by analyzing four cases of HLO in U.S. politics in the three years following the 2016 presidential election. These HLO are examples of what sociological theories term the simulation of scandal: strategic attempts to exploit normative dissonance — a divergence between expected norms and standards and actual practices — to gain advantage in domestic and international political struggles.
Although hacking tools provide a new and relatively accessible means to obtain secret information necessary to simulate scandals, they pose an equal danger for those who use them: The risk that the target of the scandal will successfully portray the hack as more media-worthy than the content of the leak, reversing identities of kāshif (revealer) and makshūf (revealed). The cast list in this manufactured morality play is wider than a typical list of state actors, one that includes elected officials or government employees. It is also wider than the usual cast list of cyber conflict, already extended to include many non- and semi-state actors, and now extended still further to the wide range of legal, reputational, and PR services that are called upon during scandals caused by HLO.
This article has multiple limitations, which highlight the importance of further work on this topic. These cases continue to evolve, with new data emerging between the initial analysis and the time of writing. The media analysis conducted here could be augmented in many ways. For example, more data on the impact of these cases, rather than inferred impact from popular news articles, could be included in the data set. Data on participation in the reception of scandal by consumers of these news articles, especially on large social media platforms, would also test this article’s conclusions. It is beyond the scope of this article to tackle in detail the relationship of HLO to other forms of disinformation. But the theoretical stance taken here poses a note of caution for studies of HLO impact, as it is difficult for such studies not to be caught up in the unfolding dynamic of scandal itself.
The qualitative judgments taken throughout this article represent a position on how the scandal unfolded, including an assessment of source reliability and the events of the HLO, that is inescapably part of the continued development of these events. This article therefore cannot hold on to a pretense of complete objectivity. Furthermore, judgments of strategic intent are especially tentative in this environment. Although the HLO considered here sought to induce normative dissonance, a separate and possibly secondary strategic goal may simply be to instill doubt and uncertainty about the event itself — the operations may have been designed to generate apathy rather than condemnation. Measuring HLO impact against that aim would be still more difficult.
Nonetheless, this article has several implications for strategic cyber competition. It highlights the risks of engaging in hack-and-leak operations, which can easily backfire and create scandal around the operation itself, rather than its intended subject. It emphasizes that cyber threats to the United States from adversarial states such as Russia and China should not be the only policy focus, as states that are strong military allies and strategic partners also employ cyber techniques to influence U.S. domestic politics. Such relationships mean that the strategic options for interference available to allied actors are limited, making covert cyber operations even more attractive. Such actors seek to bend rules and norms around interactions between allies, carefully pushing boundaries rather than breaking them. The involvement of multiple commercial entities, from cyber security companies to the less frequently noticed actions of PR agencies, makes clear rule-setting even more difficult. Finally, the erratic dance between kāshif and makshūf in HLO means that their impact is difficult to determine, let alone predict, both for perpetrators and targets. Successes are likely to be temporary, creating just enough pressure and distraction to prevent action in other areas. In a landscape of permanently competing narratives, this kāshif/makshūf dynamic is never fully decided and a new scandal, especially one revolving around illicit hacking, can open a crucial window of opportunity for adversaries.
James Shires is an assistant professor in Cybersecurity Governance at the Institute of Security and Global Affairs, University of Leiden, in the Netherlands. He is also a nonresident fellow with the Cyber Statecraft Initiative at the Atlantic Council. He was formerly a postdoctoral fellow at the Cyber Project of the Belfer Center for Science and International Affairs, Harvard Kennedy School, where the bulk of the research for this paper was conducted.
Acknowledgements: The author would like to thank the editors of the special issue, Max Smeets and Robert Chesney, and the editors of Texas National Security Review, Doyle Hodges and Gregory Brew, for their feedback, assistance, and encouragement throughout the process. I would also like to thank two anonymous reviewers for their insightful comments, although of course all remaining errors are mine. Finally, I would like to thank everyone at the Belfer Center Cyber Project and elsewhere who provided feedback on this article prior to publication, including several earlier drafts, in no particular order: Andrew Leber, Bruce Schneier, David Eaves, Julia Voo, Lauren Zabierek, and Talia Gifford.