Russia Hacked the DNC. But What, Specifically, Did GRU Do?

/6 Comments/in , , /by

I’m working on a series of posts to point out existing holes in the claim that Russia hacked the DNC. None of them mean I am yet convinced it is someone besides Russia. But there are holes in the story that no one wants to acknowledge. And those who want to argue the case is solid would do well to at least answer them. In this one, I want to point to a curious piece of evidence in a necessary part of the evidence: how GRU is alleged to have hacked the DNC.

You need to separate attribution of FSB’s hack of the DNC from GRU’s hack of the DNC

One thing a lot of people don’t realize about the Russian hack attribution is there’s some slippage in the argument.

There are two groups in question: APT 29, which has been publicly associated with FSB, and APT 28, which has been publicly associated with GRU. As I laid out here, those two groups must be kept separate, because the story is that these two groups did different things: FSB hung around DNC’s servers for months and stole a lot of information, but never leaked it. That’s the kind of stuff intelligence services do all the time, including our own. Our government has no reason to make a case against that — which is unwanted but nevertheless normal espionage — because they do it too, such as when, in 2012, they stole communications between then Mexican presidential candidate Enrique Peña Nieto and his closest allies.

GRU, by contrast, was believed to have been in DNC’s servers briefly — and John Podesta’s Gmail account even more briefly — but to have, in that time, stolen the documents that ultimately made their way to Wikileaks. That’s the action that was deemed newly beyond the pale (even if the US has probably had documents leaked to Wikileaks itself).

In a sense, then, only the APT 28 attribution matters, because that’s the entity that is believed to have been involved in hacking and leaking; that’s the entity believed to have done things that might have affected the outcome of the election.

But people have long either intentionally or unknowingly conflated the two, claiming that “Russia” hacked the DNC. If FSB hacked the DNC, the claim is true, but that doesn’t prove that Russia is behind the tampering in the election, because unless you prove that GRU is APT 28, then the stuff you’re bugged about hasn’t been properly attributed.

I’ve come to distrust the claims of anyone who has paid close attention to this that doesn’t assiduously maintain the distinction between the APT 29 and APT 28 hacks.

The Administration’s creation of Grizzly Steppe conflates APT 29 and APT 28 more than ever before

So, reports on this hack should scrupulously avoid conflating the APT 29 hack and the APT 28 hack. But Obama’s response last month did the opposite. Whereas every infosec outfit treats APT 28 (which CrowdStrike calls Fancy Bear) and APT 29 (which CrowdStrike calls Cozy Bear) as distinct entities (regardless of how confident they are that one or the other are Russian intelligence), and even though within the reports the Administration retained this distinction, the materials released by the Obama Administration invented an entirely new entity: Grizzly Steppe.

Get it? This entity is not a soft and cuddly Cozy Bear or an entirely distinct suave Fancy Bear anymore. Put the two together and you get a Grizzly Bear!

RAWRRRRRRR!

Aside from just the fact that the Administration did this (which would permit them to say, correctly, that Russia hacked the DNC even if they were less certain about GRU, though I don’t think they are), there are two other interesting aspects of this conflation in their package of sanctions.

First, as I noted here, the Administration sanctioned FSB as well GRU. That’s weird because our intelligence community believes what FSB did is solidly within the norms of intelligence gathering. It’s possible the IC has some evidence that FSB did something to facilitate this operation that is not yet public. But the only explanation the sanctioning document offers is that, “The Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB) assisted the GRU in conducting the activities described above.”

The other notable thing about the Obama package is the differential language the Joint Analysis Report uses to describe the APT 29 and APT 28 hacks, which I pointed out here.

In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.

In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.

I admit I may be over-reading these differences. But there is a difference in the certitude with which this report speaks of the APT 29 hack and the APT 28 hack. Regarding the former, the report describes how APT 29 stole the documents: it “exfiltrated email from several accounts through encrypted connections back through operational infrastructure.” And whereas the report affirmatively says APT 28 “was able to gain access and steal content,” it seems far less sure about how much data it stole, saying the hack “likely [led] to the exfiltration of information from multiple senior party members.” Maybe that means it’s likely APT 28 stole documents from more than one person; maybe that means it is likely they exfiltrated documents period. But remember, matching precisely what documents GRU stole to those Wikileaks released was one of the things the FBI was still working on a month and a half after the DNC hack.

The bureau is trying to determine whether the emails obtained by the Russians are the same ones that appeared on the website of the anti-secrecy group WikiLeaks on Friday, setting off a firestorm that roiled the party in the lead-up to the convention.

The FBI is also examining whether APT 28 or an affiliated group passed those emails to WikiLeaks, law enforcement sources said.

That’s just one of several piece of evidence that suggests they don’t have (or at least didn’t have) as clear forensics on.

One more note about the JAR report: It makes no mention of Podesta. Again, we should not draw any conclusions for that, as they may have just chosen to focus on the DNC (which people often forget is a distinct entity from Hillary’s campaign). But, as I hope to show in a follow-up post, the IC may have either less information — or perhaps even some sheepishness — about the Podesta leak, which is remarkable because that’s the actual hack for which there is the best evidence tying it to APT 28.

The Administration materials endorse some, but not all, of what infosec companies have published

Which brings me to a point I’ve made before but deserves more focus. In the introduction to the JAR, the Administration has this to say about the great work infosec companies have done about this hack.

A great deal of analysis and forensic information related to Russian government activity has been published by a wide range of security companies. The U.S. Government can confirm that the Russian government, including Russia’s civilian and military intelligence services, conducted many of the activities generally described by a number of these security companies.

It confirms that Russia’s intelligence services have indeed done “many of the activities” described by “a number of these security companies.” That’s not a confirmation that Russia’s spooks have done all the things alleged by all the security companies. Indeed, it seems to suggest that the infosec reports are wrong on some (perhaps very minor) points. We just don’t know which ones those are.

What were FSB and GRU doing hacking the same target anyway?

Which brings me to an important side discussion, one for which everyone has an answer but about which there is no agreement.

While FSB and GRU have been portrayed as adversarial intelligence agencies (perhaps in the way that FBI and CIA don’t always get along, sometimes to spectacular effect), it’s not actually normal for them to be hacking the same target. The original CrowdStrike report on the hack noted that the two groups of hackers appeared not to be coordinating as they rooted around DNC’s servers.

At DNC, COZY BEAR intrusion has been identified going back to summer of 2015, while FANCY BEAR separately breached the network in April 2016. We have identified no collaboration between the two actors, or even an awareness of one by the other. Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario. “Putin’s Hydra: Inside Russia’s Intelligence Services”, a recent paper from European Council on Foreign Relations, does an excellent job outlining the highly adversarial relationship between Russia’s main intelligence services – Федеральная Служба Безопасности (FSB), the primary domestic intelligence agency but one with also significant external collection and ‘active measures’ remit, Служба Внешней Разведки (SVR), the primary foreign intelligence agency, and the aforementioned GRU. Not only do they have overlapping areas of responsibility, but also rarely share intelligence and even occasionally steal sources from each other and compromise operations. Thus, it is not surprising to see them engage in intrusions against the same victim, even when it may be a waste of resources and lead to the discovery and potential compromise of mutual operations.

It explains this away by the competition between the agencies. Still: note that according to CrowdStrike, there were two groups of Russians sniffing through the DNC servers that appeared unaware of each other’s presence.

A competing infosec company, Fire Eye, has come up with a completely different explanation for the presence of FSB and GRU in the same servers. It deems that proof of superior coordination.

According to data provided for this article by the private cybersecurity company, FireEye, two separate but coordinated teams under the Kremlin are running the campaign. APT 28, also known as “FancyBear,” has been tied to Russia’s foreign military intelligence agency, the Main Intelligence Agency or GRU. APT 29, aka “CozyBear,” has been tied to the Federal Security Service or FSB. Both have been actively targeting the United States. According to FireEye, they have only appeared in the same systems once, which suggests a high level of coordination — a departure from what we have seen and come to expect from Russian intelligence.

Frankly, I’m agnostic about what the answer to this question might be, and find either one plausible. Or, it’s possible we should pay more attention to how unusual it is to have FSB and GRU digging in the same holes and think about whether it might, instead, tell us something else about who did this hack. But it is a datapoint that any theory of the hack should at least acknowledge and try to explain. Most don’t.

Why is GRU using open source tools?

All of which is my long-winded explanation for why I went back and re-read specifically what CrowdStrike said about APT 28 (at a time, we now know but didn’t then, CrowdStrike only had “medium” confidence that the APT 28 hackers of DNC were GRU). It made me realize why the stakes on the APT 28 tool X-Agent — which is not the only tool associated with APT 28 — are so high.

FANCY BEAR adversary used different tradecraft, deploying X-Agent malware with capabilities to do remote command execution, file transmission and keylogging. It was executed via rundll32 commands such as:

rundll32.exe “C:\Windows\twain_64.dll”

In addition, FANCY BEAR’s X-Tunnel network tunneling tool, which facilitates connections to NAT-ed environments, was used to also execute remote commands. Both tools were deployed via RemCOM, an open-source replacement for PsExec available from GitHub. They also engaged in a number of anti-forensic analysis measures, such as periodic event log clearing (via wevtutil cl System and wevtutil cl Security commands) and resetting timestamps of files.

So after a longer section describing APT 29’s tools (which we now know, but which was not known then, were the less important part of the hack), Crowdstrike describes APT 28’s use of X-Agent and X-Tunnel (the latter of which I may come back to), but then also explains that these hackers deployed the APT 28 tools via an open source tool available on GitHub.

I’m no tech wizard, but this detail seems to beg some explanation, as it is awfully curious to have GRU resorting to an outdated open source tool to hack an American political party.

None of this is definitive. None of it changes my inclination that Russia probably is behind the APT 28 hack of the DNC (and, even more convincingly, behind the hack of John Podesta). But these are some details that deserve more attention amid the claims that all the case against GRU (as distinct from Russia) is rock solid.

On CrowdStrike’s Curiously Timed Report Claiming Newfound “High” Confidence in Its GRU Attribution

/13 Comments/in , , /by

Back on December 22, the security firm CrowdStrike released a report claiming that a tool used in the DNC hack had also been used — rewritten for Android — in malware that appeared in an application used by Ukrainian artillery units. The report itself purported to show that a hacking tool used in the DNC hack had also been used to kill Ukrainians fighting Russian separatists.

This implant represents further advancements in FANCY BEAR’s development of mobile malware for targeted intrusions and extends Russian cyber capabilities to the front lines of the battlefield.

But the release of the report — released just a few weeks after President Obama called for a review of the intelligence relating to the DNC hack — was pitched to the press as the piece of evidence that CrowdStrike’s confidence that Russia’s GRU had hacked the DNC was now solid.

While CrowdStrike, which was hired by the DNC to investigate the intrusions and whose findings are described in a new report, had always suspected that one of the two hacker groups that struck the DNC was the GRU, Russia’s military intelligence agency, it had only medium confidence.

Now, said CrowdStrike co-founder Dmitri Alperovitch, “we have high confidence” it was a unit of the GRU. CrowdStrike had dubbed that unit “Fancy Bear.”

The logic for that claim went this way:

  • Two entities hacked the DNC, the first using tools associated with APT 29 (which Crowdstrike believes is FSB), the second using one tool (X-Agent) associated with APT 28 (which Crowdstrike believes is GRU). As I’ve explained, only the GRU attribution matters, because they’re the ones associated with leaking the DNC documents to Wikileaks.
  • Crowdstrike found X-Agent, rewritten for the Android platform, infecting an application used by the Ukrainian military, which is an obvious application for Russia’s military intelligence GRU unit.
  • Since X-Agent was found being used in an operation with obvious Russian military application, which therefore must be GRU, then GRU must be the entity that also hacked the DNC, because it used a common tool.

CrowdStrike’s founder, Dmitri Alperovitch, told PBS that this amounted to DNA tying Russia to both the DNC hack and the Ukrainian artillery app.

Essentially the DNA of this malicious code that matches to the DNA that we saw at the DNC.

Yesterday, the chief infosec skeptic of the claims that Russian hacked the DNC, Jeffrey Carr, did a post criticizing the CrowdStrike report. He makes several points:

  • Two other entities (including an anti-Russian Ukrainian hacker) have gotten access to X-Agent — the tool in question — meaning that any use of it by GRU in one application cannot be said to be proof its use in another application means it was GRU.
  • The hacking of the artillery app probably couldn’t have had the complete functionality or the effect (devastating Ukrainian artillery units) CrowdStrike says it had.

The second point is interesting. I’d add that the timeline CrowdStrike develops to explain how Russian malware would end up in a Ukrainian artillery app by December 2014, in time to play a part in devastating losses, has some problems, notably that it assumes GRU was developing a tailored app to target Ukrainian soldiers more than six months before Viktor Yanukovich’s ouster, at a time when a Russian-Ukrainian war was unforeseen. Why would Russia start developing an app to kill Ukrainian soldiers at a time when they were still led by someone who was a Russian client? That development timetable appears to be dictated by the necessity of arguing that huge artillery losses that took place in July and August 2014 were due in part to this malware.

None of that is fatal to CrowdStrike’s argument that the malware infecting the Ukrainian artillery app was put there by Russia. I actually think that quite likely, though think CrowdStrike’s various explanations for it are unpersuasive.

But it does highlight how speculative the December 22 report was, creating explanations that had to be true because the conclusion — that the same malware used against the DNC had been used to kill Ukrainian soldiers — was presumed. Frankly, the report doesn’t hide that. Here’s just some of the uncertain language it uses:

Successful deployment of the FANCY BEAR malware within this application may have facilitated reconnaissance

The collection of such tactical artillery force positioning intelligence by FANCY BEAR further supports CrowdStrike’s previous assessments that FANCY BEAR is likely affiliated with the Russian military intelligence (GRU)

Therefore, the implant likely targeted military artillery units operating against pro-Russian separatists in Eastern Ukraine.

The promotion of the program was likely limited to social media,

At the time of this writing, it is unclear to what degree and for how long this specific application was utilized by the entirety of the Ukrainian Artillery Forces.

CrowdStrike Intelligence assesses that the application likely came to the attention of Russia-based adversaries around this time frame as a result of ongoing Russian reconnaissance

Because the Android malware could facilitate gross position information, its successful deployment could have facilitated anticipatory awareness of Ukrainian artillery force troop movement,

Although traditional overhead intelligence surveillance and reconnaissance (ISR) assets were likely still needed to finalize tactical movements, the ability of this application to retrieve communications and gross locational data from infected devices, could provide insight for further planning, coordination, and tasking of ISR, artillery assets, and fighting forces. [my emphasis]

While Carr’s piece is not fatal to the argument that the X-Agent in the Ukrainian artillery app came from GRU, it does highlight how one person, in less than two weeks, could have found answers to some of things that CrowdStrike still hadn’t even tried to answer (say, by interviewing the application developer) at least six months after they started looking into this malware.

More importantly, the first point Carr makes — that others have access to X-Agent — is very important. He notes that the anti-Russian hacker Sean Townsend not only knows that it could be used by others, but that it has been.

In fact, Sean Townsend believes that the Russian security services DO use it but he also knows that they aren’t the only ones.

That doesn’t mean that GRU wasn’t the entity using X-Agent in the DNC server last year. It just means it is not, as CrowdStrike has always claimed, definitive proof that it had to be. If multiple people have access to X-Agent, the Ukrainian app, with its clear Russian military function, may be Russia while the DNC hack may be someone else.

I’ll come back to that point later, but for the moment I want to look at how CrowdStrike came to release a speculative report tying the malware in the DNC servers to dead Ukrainians on December 22, less than two weeks after Obama called for a review of the intelligence on the hack.

I asked Alperovitch some questions about the genesis of the report on Twitter.

Alperovitch revealed that no one had paid for this report: CrowdStrike was apparently doing this work for free (!!). They found the X-Agent malware in the artillery app because they had set out to look for X-Agent implants. But when I asked about timing and/or where they found it, he got less responsive. Indeed, the timing of these discoveries is something the report itself is sort of funny about.

In late June and August 2016, CrowdStrike Intelligence provided initial reporting and technical analysis of a variant of the FANCY BEAR implant X-Agent that targeted the Android mobile platform2.

2-For more information, contact CrowdStrike

Barring more clarification on whether they started looking for X-Agents before or after they very publicly accused GRU of hacking the DNC in June, what appears to have happened is this: CrowdStrike found the X-Agent in the DNC servers, accused GRU of doing the hack, and then set out — on their own dime — to find more instances of X-Agent deployment. They did not, however, do basic research (like calling the developer of the Android app, Jaroslav Sherstuk) to confirm their speculative conclusions about it, not over six months time.

Having not done that research, however, they released a report claiming they now had high confidence in their earlier attribution at precisely the time when it would affect the debate about whether GRU really did this hack or not.

Again, none of this means CrowdStrike was wrong about GRU hacking the DNC last spring. Just that this report — the timing of which is as interesting as the speculative claims — should not be regarded as providing the high confidence it claims.

The Dragnet Donald Trump Will Wield Is Not Just the Section 215 One

/4 Comments/in , , /by

I’ve been eagerly anticipating the moment Rick Perlstein uses his historical work on Nixon to analyze Trump. Today, he doesn’t disappoint, calling Trump more paranoid than Nixon, warning of what Trump will do with the powerful surveillance machine laying ready for his use.

Revenge is a narcotic, and Trump of all people will be in need of a regular, ongoing fix. Ordering his people to abuse the surveillance state to harass and destroy his enemies will offer the quickest and most satisfying kick he can get. The tragedy, as James Madison could have told us, is that the good stuff is now lying around everywhere, just waiting for the next aspiring dictator to cop.

But along the way, Perlstein presents a bizarre picture of what happened to the Section 215 phone dragnet under Barack Obama.

That’s not to say that Obama hasn’t abused his powers: Just ask the journalists at the Associated Press whose phone records were subpoenaed by the Justice Department. But had he wanted to go further in spying on his enemies, there are few checks in place to stop him. In the very first ruling on the National Security Administration’s sweeping collection of “bulk metadata,” federal judge Richard Leon blasted the surveillance as downright Orwellian. “I cannot imagine a more ‘indiscriminate’ and ‘arbitrary’ invasion than this collection and retention of personal data,” he ruled. “Surely, such a program infringes on ‘that degree of privacy’ that the founders enshrined in the Fourth Amendment.”

But the judge’s outrage did nothing to stop the surveillance: In 2015, an appeals court remanded the case back to district court, and the NSA’s massive surveillance apparatus—soon to be under the command of President Trump—remains fully operational. The potential of the system, as former NSA official William Binney has described it, is nothing short of “turnkey totalitarianism.”

There are several things wrong with this.

First, neither Richard Leon nor any other judge has reviewed the NSA’s “sweeping collection of ‘bulk metadata.'” What Leon reviewed — in Larry Klayman’s lawsuit challenging the collection of phone metadata authorized by Section 215 revealed by Edward Snowden — was just a small fraction of NSA’s dragnet. In 2013, the collection of phone metadata authorized by Section 215 collected domestic and international phone records from domestic producers, but even there, Verizon had found a way to exclude collection of its cell records.

But NSA collected phone records — indeed, many of the very same phone records, as they collected a great deal of international records — overseas as well. In addition, NSA collected a great deal of Internet metadata records, as well as financial and anything else records. Basically, anything the NSA can collect “overseas” (which is interpreted liberally) it does, and because of the way modern communications works, those records include a significant portion of the metadata of Americans’ everyday communications.

It is important for people to understand that the focus on Section 215 was an artificial creation, a limited hangout, an absolutely brilliant strategy (well done, Bob Litt, who has now moved off to retirement) to get activists to focus on one small part of the dragnet that had limitations anyway and NSA had already considered amending. It succeeded in pre-empting a discussion of just what the full dragnet entailed.

Assessments of whether Edward Snowden is a traitor or a saint always miss this, when they say they’d be happy if Snowden had just exposed the Section 215 program. Snowden didn’t want the focus to be on just that little corner of the dragnet. He wanted to expose the full dragnet, but Litt and others succeeded in pretending the Section 215 dragnet was the dragnet, and also pretending that Snowden’s other disclosures weren’t just as intrusive on Americans.

Anyway, another place where Perlstein is wrong is in suggesting there was just one Appeals Court decision. The far more important one is the authorized by Gerard Lynch in the Second Circuit, which ruled that Section 215 was not lawfully authorized. It was a far more modest decision, as it did not reach constitutional questions. But Lynch better understood that the principle involved more than phone records; what really scared him was the mixing of financial records with phone records, which is actually what the dragnet really is.

That ruling, on top of better understanding the import of dragnets, is important because it is one of the things that led to the passage of USA Freedom Act, a law that, contrary to Perlstein’s claim, did change the phone dragnet, both for good and ill.

The USA Freedom Act, by imposing limitations on how broadly dragnet orders (for communications but not for financial and other dragnets) can be targeted, adds a check at the beginning of the process. It means only people 2 degrees away from a terrorism suspect will be collected under this program (even while the NSA continues to collect in bulk under EO 12333). So the government will have in its possession far fewer phone records collected under Section 215 (but it will still suck in massive amounts of phone records via EO 12333, including massive amounts of Americans’ records).

All that said, Section 215 now draws from a larger collection of records. It now includes the Verizon cell records not included under the old Section 215 dragnet, as well as some universe of metadata records deemed to be fair game under a loose definition of “phone company.” At a minimum, it probably includes iMessage, WhatsApp, and Skype metadata, but I would bet the government is trying to get Signal and other messaging metadata (note, Signal metadata cannot be collected retroactively; it’s unclear whether it can be collected with standing daily prospective orders). This means the Section 215 collection will be more effective in finding all the people who are 2 degrees from a target (because it will include any communications that exist solely in Verizon cell or iMessage networks, as well as whatever other metadata they’re collecting). But it also means far more innocent people will be impacted.

To understand why that’s important, it’s important to understand what purpose all this metadata collection serves.

It was never the case that the collection of metadata, however intrusive, was the end goal of the process. Sure, identifying someone’s communications shows when you’ve been to an abortion clinic or when you’re conducting an affair.

But the dragnet (the one that includes limited Section 215 collection and EO 12333 collection limited only by technology, not law) actually serves two other primary purposes.

The first is to enable the creation of dossiers with the click of a few keys. Because the NSA is sitting on so much metadata — not just phone records, but Internet, financial, travel, location, and other data — it can put together a snapshot of your life as soon as they begin to correlate all the identifiers that make up your identity. One advantage of the new kind of collection under USAF, I suspect, is it will draw from the more certain correlations you give to your communications providers, rather than relying more heavily on algorithmic analysis of bulk data. Facebook knows with certainty what email address and phone number tie to your Facebook account, whereas the NSA’s algorithms only guess that with (this is an educated guess) ~95+% accuracy.

This creation of dossiers is the same kind of analysis Facebook does, but instead of selling you plane tickets the goal is government scrutiny of your life.

The Section 215 orders long included explicit permission to subject identifiers found via 2-degree collection to all the analytical tools of the NSA. That means, for any person — complicit or innocent — identified via Section 215, the NSA can start to glue together the pieces of dossier it already has in its possession. While not an exact analogue, you might think of collection under Section 215 as a nomination to be on the equivalent of J Edgar Hoover’s old subversives list. Only, poor J Edgar mostly kept his list on index cards. Now, the list of those the government wants to have a network analysis and dossier on is kept in massive server farms and compiled using supercomputers.

Note, the Section 215 collection is still limited to terrorism suspects — that was an important win in the USA Freedom fight — but the EO 12333 collection, with whatever limits on nominating US persons, is not. Plus, it will be trivial for Trump to expand the definition of terrorist; the groundwork is already being laid to do so with Black Lives Matter.

The other purpose of the dragnet is to identify which content the NSA will invest the time and energy into reading. Most content collected is not read in real time. But Americans’ communications with a terrorism suspect will probably be, because of the concern that those Americans might be plotting a domestic plot. The same is almost certainly true of, say, Chinese-Americans conversing with scientists in China, because of a concern they might be trading US secrets. Likewise it is almost certainly true of Iranian-Americans talking with government officials, because of a concern they might be dealing in nuclear dual use items. The choice to prioritize Americans makes sense from a national security perspective, but it also means certain kinds of people — Muslim immigrants, Chinese-Americans, Iranian-Americans — will be far more likely to have their communications read without a warrant than whitebread America, even if those whitebread Americans have ties to (say) NeoNazi groups.

Of course, none of this undermines Perlstein’s ultimate categorization, as voiced by Bill Binney, who created this system only to see the privacy protections he believed necessary get wiped away: the dragnet — both that authorized by USAF and that governed by EO 12333 — creates the structure for turnkey totalitarianism, especially as more and more data becomes available to NSA under EO 12333 collection rules.

But it is important to understand Obama’s history with this dragnet. Because while Obama did tweak the dragnet, two facts about it remain. First, while there are more protections built in on the domestic collection authorized by Section 215, that came with an expansion of the universe of people that will be affected by it, which must have the effect of “nominating” more people to be on this late day “Subversives” list.

Obama also, in PPD-28, “limited” bulk collection to a series of purposes. That sounds nice, but the purposes are so broad, they would permit bulk collection in any area of the world, and once you’ve collected in bulk, it is trivial to then call up that data under a more broad foreign intelligence purpose. In any case, Trump will almost certainly disavow PPD-28.

Which makes Perlstein’s larger point all the more sobering. J Edgar and Richard Nixon were out of control. But the dragnet Trump will inherit is far more powerful.

A Deep Dive on the Obama Response to Russian DNC Hack (and Theft and Harassment)

/11 Comments/in , /by

I was still with family when the White House rolled out its retaliation against Russian hacks of the election the other day, so I didn’t have a chance to unpack what they released. I’ll do that here.

The actions — which retaliate not just for the DNC hack — consist of a package that includes:

  • A “Voxsplainer” telling you “everything you need to know” about the package
  • An Obama statement
  • An expansion of cyber sanctions to include both our elections and those of our allies and partners
  • State Department retaliation against Russia for harassing our personnel
  • Two documents about Russian hacking: A Joint Analysis Report and an introduction to it

The Voxsplainer

In addition to promising to tell us “What You Need to Know” about “The Administration’s Response to Russia,” the Voxsplainer provides links to all the other pieces. There are two significant details.

First, the “response” is not just to “cyber operations aimed at our election” but also to “the Russian government’s aggressive harassment of U.S. officials.” Some of the most showy retaliation was actually specifically retaliation for the latter.

The other key detail is that, in describing Russia’s motive for the hack, the Voxsplainer steers very, very clear of the two more controversial motives (to retaliate for perceived and real covert operations against Russia, and to get Trump elected). Instead, the Voxsplainer provides the most wishy-washy description of Russia’s purpose.

Russia’s cyber activities were intended to influence the election, erode faith in U.S. democratic institutions, sow doubt about the integrity of our electoral process, and undermine confidence in the institutions of the U.S. government.

“Faith, integrity, and confidence” are pretty squishy things that don’t require much proof.

Obama’s statement

Obama’s statement is basically a description of what he ordered (here, he admits some of the individual sanctions are for cyber-crime, not the hack). The most important part of the statement is the last paragraph.

These actions are not the sum total of our response to Russia’s aggressive activities. We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized. In addition to holding Russia accountable for what it has done, the United States and friends and allies around the world must work together to oppose Russia’s efforts to undermine established international norms of behavior, and interfere with democratic governance. To that end, my Administration will be providing a report to Congress in the coming days about Russia’s efforts to interfere in our election, as well as malicious cyber activity related to our election cycle in previous elections.

As I’ll show in this and a follow-up post, some of what Obama ordered is silly or downright counterproductive. But the actions took place alongside a claim that there would also be covert retaliation we won’t see. So we’ve got silly and counterproductive overt retaliation, with the promise of covert retaliation that may be less silly.

Obama also stated what the presumed goal of these actions are, to prevent Russia from undermining democratic norms, norms which the President-Elect has expressed intent to violate.

New Cyber-Sanctions

Obama extended the application of an EO he signed in April 2015 to apply to election related hacking. The Voxsplainer doesn’t explicitly describe what’s new about the cyber-sanctions, leaving that to a separate fact sheet and an annex to the Executive Order extending the sanctions. Instead, the Voxsplainer describes what the original EO 13964 had done, which basically permitted the President to sanction entities that hacked critical infrastructure or big money.

Curiously, the White House doesn’t appear to have issued a new version of EO 13964, relying solely on the fact sheet to explain the newly expanded scope.

Just as interesting there’s a subtle difference in the way the attached fact sheet describes the addition, and how Obama did in his statement. The fact sheet does not specify whether these sanctions only apply for the targeting of our own election processes or institutions, or for others.

The increasing use of cyber-enabled means to undermine democratic processes at home and abroad, as exemplified by Russia’s recent activities, has made clear that a tool explicitly targeting attempts to interfere with elections is also warranted. As such, the President has approved amending Executive Order 13964 to authorize sanctions on those who:

  • Tamper with, alter, or cause a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions.

But Obama’s statement says the EO “provides additional authority for responding to certain cyber activity that seeks to interfere with or undermine our election processes and institutions, or those of our allies or partners.” [my emphasis] That Obama would extend such sanctions to protect our allies’ elections make sense, as there’s real concern about Russia’s plans for the upcoming French and German elections. But it’s also really funny given that the NSA and CIA have targeted the election institutions and processes of our allies Pakistan and Mexico. Does that mean we have to sanction the NSA and CIA now? This is so confusing.

As to the sanctions themselves, they target the following:

1. Main Intelligence Directorate (a.k.a. Glavnoe Razvedyvatel’noe Upravlenie) (a.k.a. GRU); Moscow, Russia
2. Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB); Moscow, Russia
3. Special Technology Center (a.k.a. STLC, Ltd. Special Technology Center St. Petersburg); St. Petersburg, Russia
4. Zorsecurity (a.k.a. Esage Lab); Moscow, Russia
5. Autonomous Noncommercial Organization “Professional Association of Designers of Data Processing Systems” (a.k.a. ANO PO KSI); Moscow, Russia Individuals

1. Igor Valentinovich Korobov; DOB Aug 3, 1956; nationality, Russian
2. Sergey Aleksandrovich Gizunov; DOB Oct 18, 1956; nationality, Russian
3. Igor Olegovich Kostyukov; DOB Feb 21, 1961; nationality, Russian
4. Vladimir Stepanovich Alexseyev; DOB Apr 24, 1961; nationality, Russian

As I noted the other day, I find it particularly interesting that Obama included FSB in these sanctions, given that the public record only reflects them doing the kind of data collection that we also do all the time (and that China and others have done against us in the past). Perhaps that means there’s evidence they did more, or perhaps this is just gratuitous sanctioning. It will be interesting to see how seriously this part of the sanctions gets taken, given that we need to cooperate with Russian intelligence on things like bombing ISIS.

There has been some befuddlement about why Zorsecurity got included on the list, as its owner, Alisa Esage Shevchenko, claims she doesn’t work for the Russian state and has been celebrated for her security research in the past, though one anonymous source claims she has.

“I’m just trying not to freak out,” she told me over email. “My company never worked with the government. It never had the necessary licenses to do so in the first place. And I personally tried to stay as far away as possible from anything remotely suspicious, as I’m naturally a cosmopolitan person, and an introverted single woman. I wouldn’t want any job that would put me in danger or restrictions.”

Talking about the defunct state of the company, she added: “This is fixed in the public registry, and should be well known to any foreign intelligence that bothered to do any research.” A search on the public registry showed ZorSecurity as still active, however — Shevchenko said the firm stopped submitting any tax statements, which should be visible in the registry.

[snip]

One Russian hacker who claimed knowledge of Esage Lab’s business, and who asked to remain anonymous, said the company sold software exploits and hacking tools, and had worked with the Russian government. “Esage do exploits and offensive software,” said the well-connected Moscow source. “Esage worked with government customers … but I’m really not sure if they related to the DNC hack.”

That same anonymous Russian hacker also doesn’t see why the US sanctioned the two other Russian companies.

The anonymous Moscow source told me the list of organizations named in the sanctions – which also included the St. Petersburg-based Special Technology Center and the Autonomous Noncommercial Organization’s Professional Association of Designers of Data Processing Systems – did “not look professional at all.” “It looks like the U.S. government does not know who is behind this DNC thing,” they added.

So it’s possible the US just sanctioned some companies for the sake of sanctioning some companies. As MalwareJake notes in a critique of the sanctions, these companies don’t do business in the US so it’s not like the sanctions will have any effect anyway.

Four of the individuals sanctioned are top GRU officials (making this the equivalent of the post-Sony sanction on North Korean officials).

Sanctioned individuals include Igor Valentinovich Korobov, the current Chief of the GRU; Sergey Aleksandrovich Gizunov, Deputy Chief of the GRU; Igor Olegovich Kostyukov, a First Deputy Chief of the GRU; and Vladimir Stepanovich Alexseyev, also a First Deputy Chief of the GRU.

The Voxsplainer also notes that Treasury added two Russian criminals to its sanction list.

In addition, the Department of the Treasury is designating two Russian individuals, Evgeniy Bogachev and Aleksey Belan, under a pre-existing portion of the Executive Order for using cyber-enabled means to cause misappropriation of funds and personal identifying information.

  • Evgeniy Mikhailovich Bogachev is designated today for having engaged in significant malicious cyber-enabled misappropriation of financial information for private financial gain.  Bogachev and his cybercriminal associates are responsible for the theft of over $100 million from U.S. financial institutions, Fortune 500 firms, universities, and government agencies.
  • Aleksey Alekseyevich Belan engaged in the significant malicious cyber-enabled misappropriation of personal identifiers for private financial gain.  Belan compromised the computer networks of at least three major United States-based e-commerce companies.

Note, however, that at least Bogachev has been implicated in surveillance in the past. So it’s possible these sanctions are designed to nod towards related activity, the sanctioned (heh) permission of cybercrime by entities willing to help out the Russian government.

Diplomatic retaliation

As noted above, this package of actions actually responds not just to the election (and Bogachev and Belan’s crimes), but also to harassment of US personnel in Russia.

The beginning of the Voxsplainer says that the diplomatic measures were in retaliation for harassment that has gone on in the last year. “Moreover, our diplomats have experienced an unacceptable level of harassment in Moscow by Russian security services and police over the last year.”

The part of the Voxsplainer that explains the actual actions says it responds to two years of harassment.

Over the past two years, harassment of our diplomatic personnel in Russia by security personnel and police has increased significantly and gone far beyond international diplomatic norms of behavior. Other Western Embassies have reported similar concerns. In response to this harassment, the President has authorized the following actions:

Today the State Department declared 35 Russian government officials from the Russian Embassy in Washington and the Russian Consulate in San Francisco “persona non grata.” They were acting in a manner inconsistent with their diplomatic status. Those individuals and their families were given 72 hours to leave the United States.

In addition to this action, the Department of State has provided notice that as of noon on Friday, December 30, Russian access will be denied to two Russian government-owned compounds, one in Maryland and one in New York.

I find the temporal inconsistency interesting, especially since neither period extends back to the post-Boston Marathon period when numerous CIA officers, most notably Randy Fogle, were getting expelled from Russia. It does, however, cover incidents that have been reported since at least July, including this apparent attempt to detain someone who just barely made it into the US embassy, with ABC providing more detail in October.

In any case, the closure of the two recreational facilities had the excellent effect of getting journalists scurrying to the sites, one of which US officials misidentified:

Articles on Friday about the Obama administration’s decision to close two Russian-owned compounds in the United States misidentified one of the compounds, using information from the White House and F.B.I. officials. The administration ordered the closure of Norwich House in Upper Brookville, N.Y., owned by Russia — not the nearby Killenworth Mansion in Glen Cove, N.Y., also owned by the Russians. An accompanying picture that showed Killenworth Mansion should have been of Norwich House.

Every outlet was able to highlight pictures of big mansions and interview neighbors about weird interactions with Russians. All perfectly scripted just like the Americans.

Putin, of course, threatened to retaliate by kicking out 35 diplomats, but instead invited the children of American diplomats to a party at the Kremlin. Also perfectly scripted.

Two documents on Russian hacking

Finally, the government released two documents on Russian hacking: a document introducing a Joint Analysis Report and the Joint Analysis Report itself. It appears the introductory document served mostly to get FBI, ODNI, and DHS all listed on one document — so there’s no doubt that this comes from the entire IC, as there was of the October 7 report that FBI declined to sign off on. It has this odd endorsement of many — but not all — claims made by a number of — but not all — security industry reports.

A great deal of analysis and forensic information related to Russian government activity has been published by a wide range of security companies.  The U.S. Government can confirm that the Russian government, including Russia’s civilian and military intelligence services, conducted many of the activities generally described by a number of these security companies.

I guess we’ll just have to guess which parts the security firms got right and which they did not.

As for the Joint Analysis Report (JAR), it purports to be an alert to make everyone more vigilant against Russian hacks. A number of tech experts have criticized the contents. Robert Graham calls them a “political tool, to prove they have evidence pointing to Russia. They have limited utility to defenders, or those publicly analyzing attacks.” Robert M Lee says the report “reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.” Jerry Gamblin notes that a fifth of the IP addresses included were Tor exit nodes, meaning they could be used by anyone. Wordfence analyzes one malware sample and finds that it “is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence.” Ultimately, the tech folks are complaining that the report is not very useful for defensive purposes, which is ostensibly what it is supposed to do.

But several of the reports also include some version of this conclusion from Lee: “the indicators are not very descriptive and will have a high rate of false positives for defenders that use them.”

That is, we may see more of what we saw Friday, when a Vermont utility did as instructed with the report — searched for the indicators included in the report — reported a positive hit, only to have anonymous sources immediately blow it up to mean Russia had hacked our grid. That find might turn out to be a Russian probe, or it might not; there’s little doubt that Russia can hack our electrical system. But what it did do is feed a panic.

And even though the report is supposed to only address defense (with the report to Congress designed to report on the actual attacks) there is an odd detail in the narrative about the attack. After describing APT 29 (associated with FSB) and APT 28 (associated with GRU) generally, the report includes these two paragraphs.

In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.

In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.

Of FSB’s attack (APT29 ), the report states that at least one person clicked a bad link. After infesting (not a technical term!) the DNC server, the report describes, FSB “exfiltrated email from several accounts through encrypted connections.”

That is, the government is saying it (or someone else) watched FSB steal documents.

Now compare that to the GRU description (APT 28). I guess the narrative vaguely suggests that recipients changed their passwords after being phished, though there’s nowhere near the exactitude of at least one user clicking a bad link as used with FSB. And on the critical issue — whether any data was exfiltrated — the report only says it was “likely” that the information was exfiltrated. There’s no claim here, as there was with FSB, to have watched the documents be exfiltrated.

That’s important because GRU is the presumed source for the dump to Wikileaks (as the “assessment” that follows states). We’ve long known that the government wasn’t certain how the documents got from GRU to Wikileaks, but here, they seem to go further and say they only believe it “likely” that the documents were exfiltrated.

And note what’s not in the report? Any mention of John Podesta, whose leaked emails took up the final month of the campaign.

Maybe I’m overreading this (wouldn’t be the first time). But after going out of its way to include a narrative that isn’t necessary to the point of the report, the report stops short of making certain statements about the issues we most care about, that GRU stole the documents that Wikileaks got.

I’ll have a bit more on this report later. But it just seems odd from both the technical side and the narrative side.

 

Is Trump’s Revelation the Same as Craig Murray’s Revelation: An American Cut-Out?

/24 Comments/in , /by

Because security professionals are so confident in the Russian attribution of the DNC hack, they have largely ignored alternative theories from the likes of Wikileaks and Bill Binney. That’s unfortunate, because Craig Murray, in his description of his own role in getting the Podesta files to Wikileaks, at least, revealed a detail that needs greater attention. He believes he received something (perhaps the documents themselves, perhaps something else) from a person with ties to US national security.

[I]f we believe that Murray believes this, we know that the intermediary can credibly claim to have ties to American national security.

So on September 25, Murray met a presumed American in DC for a hand-off related to the Podesta hack.

I raise that because Trump is now promising we’ll learn something this week about the hack that may cast doubt on the claims Russia was behind it.

He added: “And I know a lot about hacking. And hacking is a very hard thing to prove. So it could be somebody else. And I also know things that other people don’t know, and so they cannot be sure of the situation.”

When asked what he knew that others did not, Mr. Trump demurred, saying only, “You’ll find out on Tuesday or Wednesday.”

If Murray met an American claiming to have done the hack, then Trump may have too. That doesn’t mean the Russians didn’t do the hack (though it could mean an American borrowed GRU’s tools to do it). It could just as easily mean the Russians have an American cut-out, and that while the security community has been looking for Russian-speaking proxies, they’ve ignored the possibility of American ones.

I have a suspicion that Trump’s campaign did meet with such a person (I even have a guess about when it would have happened).

I guess we’ll learn more this week.

The Conspiracy Theory in YouGov’s Conspiracy Theory Poll

/12 Comments/in /by

YouGov has a poll showing that “belief in conspiracy theories largely depends on political identity.” For example, it shows that Republicans believe Obama is Kenyan.

It focuses on several things it considers conspiracy theories tied to this election, including pizzagate, millions of alleged illegal votes, and claims about the Russian hack.

Interestingly, it shows that half of Clinton voters believe that Russia tampered with vote tallies to get Trump elected, in spite of the White House’s assurances that did not happen.

It’s the other tested question about Russian hacking that strikes me as more curious. 87% of Clinton voters believe Russia hacked Democratic emails “in order to help Donald Trump,” whereas only 20% of Trump voters believe that.

That’s about the result I’d expect. But to explain why this is a conspiracy theory, YouGov writes,

Similarly, even after the Central Intelligence Agency and the Federal Bureau of Investigation reported that Russia was responsible for the leaks of damaging information from the Democratic National Committee and the Clinton campaign and that the hacking was done to help Donald Trump win the Presidency, only one in five say that is definitely true, about the same percentage as believe it is definitely not true.

So YouGov bases this “truth” on a claim that the CIA and FBI “reported that Russia was responsible for the leaks … and that the hacking was done to help Donald Trump win the Presidency.”

Except there has been no such report, not from CIA and FBI, anyway.

There was an official report finding that,

The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. … These thefts and disclosures are intended to interfere with the US election process.

That is, the official report stated that the hack was “intended to interfere with the US election process;” it did not say the hack was done to help Trump.

Moreover, while the report speaks for the entire IC (including the FBI), the report itself came from DHS and ODNI, not FBI or CIA.

It is absolutely true that anonymous leakers — at least some of whom appear to be Democratic Senate sources — claim that CIA said the hack happened to get Trump elected. It is also true that anonymous sources passed on the substance of a John Brennan letter that said in separate conversations with Jim Comey and James Clapper, each agreed with Brennan about the purpose of the hack, which WaPo edited its previous reporting to say included electing Trump as one of a number of purposes, but that’s a third-hand report about what Jim Comey believes.

But that was not an official report, not even from CIA. Here’s what John Brennan said when interviewed about this topic by NPR’s Mary Louise Kelly:

You mentioned the FBI director and the director of national intelligence. And NPR confirmed with three sources that after the three of you meeting last week, you sent a memo to your workforce and that the memo read: There is strong consensus among us on the scope, nature and intent of Russian interference in our presidential elections. Is that an accurate quote from your memo?

I certainly believe that, that there is strong consensus.

Was there ever not?

Well, sometimes in the media, there is claims, allegations, speculation about differences of view. Sometimes I think that just feeds concerns about, you know, the strength of that intelligence and …

And in this case it was reports of tension between FBI and CIA …

… and differences of view. And I want to make sure that our workforce is kept as fully informed as possible so that they understand that what we’re doing, we’re doing in close coordination with our partners in the intelligence community. And so I try to keep my workforce informed on a periodic basis. But aside from whatever message I might have sent out to the workforce, there is, I strongly believe, very strong consensus among the key players — but not just the leaders of these organizations, but also the institutions themselves. And that’s why we’re going through this review. We want to make sure that we scrub this data, scrub the information and make sure that the assessment and analysis is as strong and as grounded as it needs to be.

That quote I read you about the memo that you sent mentioned that there is agreement on scope, nature and intent of Russian interference. And intent is the one that’s been controversial recently, the question of motive. How confident are you in the intelligence on that? It seems like proving motive is an infinitely harder thing than proving that somebody did something. The “why” is tough.

I will not disagree with you that the why is tough. And that’s why there needs to be very careful consideration of what it is that we know, what it is that we have insight into and what our analysis needs to be. But even back in early October when Jim Clapper and Jeh Johnson put out this statement, it said “the intent to interfere in the election.” Now, there are different elements that could be addressed in terms of how it wanted to interfere. And so that’s why this review is being done to make sure that there is going to be a thorough look at the nature, scope and intent of what transpired.

What’s been reported is that the CIA has concluded the intent was to interfere with the election with the purpose of swinging at Donald Trump. Is that an accurate characterization?

That’s an accurate characterization of what’s been appearing in the media. Yes.

Is it an accurate characterization of where the CIA is on this?

Well, that’s what the review is going to do. And we will be as forward-leaning as the intelligence and analysis allows us to be, and we will make sure that, again, President Obama and the incoming administration understands what the intelligence community has assessed and determined to have happened during the run-up to this election.

Why not confirm that that’s where the CIA is on this? Why not confirm if you have the evidence that you believe is …

Because I don’t work for NPR, Mary Louise. I work for the president, I work for the administration, and it is my responsibility to give them the best information and judgment possible.

That is, the CIA Director specifically avoided stating what he or his agency believes the motive to be, deferring to the ongoing review of the evidence, something that Obama also did in his press conference earlier this month.

Q Mr. President, I want to talk about Vladimir Putin again. Just to be clear, do you believe Vladimir Putin himself authorized the hack? And do you believe he authorized that to help Donald Trump? And on the intelligence, one of the things Donald Trump cites is Saddam Hussein and the weapons of mass destruction, and that they were never found. Can you say, unequivocally, that this was not China, that this was not a 400-pound guy sitting on his bed, as Donald Trump says? And do these types of tweets and kinds of statements from Donald Trump embolden the Russians?

THE PRESIDENT: When the report comes out, before I leave office, that will have drawn together all the threads. And so I don’t want to step on their work ahead of time.

What I can tell you is that the intelligence that I have seen gives me great confidence in their assessment that the Russians carried out this hack.

None of that is to say that CIA and (perhaps to a lesser extent) FBI don’t think Russia hacked Democrats to help Trump, as one of several — probably evolving over the course of the election — reasons. CIA surely does (but then it has a big incentive to downplay the most obvious motivation, that Russia was retaliating for perceived and real CIA covert actions against it). FBI probably does.

But there has been no “report” that they believe that, just anonymous reports of reports. The official stance of the Executive Branch is that they’re conducting a review of the evidence on this point.

Perhaps if YouGov wants to test conspiracy theories, it should start by sticking to topics about which there aren’t a slew of anonymous leaks and counter-leaks contravened by public deferral?

Now the Spooks Are Leaking Criticism of Obama’s Sole Use of the “Red Phone”

/13 Comments/in , /by

NBC, which seems to be sharing the role of spook leak central with WaPo, has upped the ante on previous leaks. Last night, it revealed that on October 31, Obama used the “Red Phone” (which is in reality an email system) designed to avert disasters with Russia for the first time in his Administration to warn Vladimir Putin not to fuck with our election process.

A month later, the U.S. used the vestige of an old Cold War communications system — the so-called “Red Phone” that connects Moscow to Washington — to reinforce Obama’s September warning that the U.S. would consider any interference on Election Day a grave matter.

This time Obama used the phrase “armed conflict.”

The reason we’re getting this leak seems fairly clear. Not only are Democrats peeved that Obama didn’t manage to recall or suppress documents already leaked to WikiLeaks, but one “senior intelligence official” is angry that Obama laid down no bright line.

A senior intelligence official told NBC News the message ultimately sent to the Russians was “muddled” — with no bright line laid down and no clear warning given about the consequences. The Russian response, said the official, was non-committal.

I’m pretty favorable to leaks (though not their use to preempt deliberative assessment of intelligence). They serve an important check on government, even on the President.

But it alarms me that someone decided it was a good idea to go leak criticisms of a Red Phone exchange. It would seem that such an instrument depends on some foundation of trust that, no matter how bad things have gotten, two leaders of nuclear armed states can speak frankly and directly.

Without that conversation being broadcast to the entire world via leaks.

It would seem such a leak might lead Putin to take such exchanges less seriously in the future knowing that the spooks reviewing the exchange don’t take the gravity of it all that seriously.

Ah well. Good things these spooks are so successfully combatting the inappropriate leak of information by leaking more information.

Matt Olsen Admits He Didn’t Bargain on a President Trump

/11 Comments/in , , /by

Something predictable, but infuriating, happened at least week’s Cato conference on surveillance.

A bunch of spook lawyers did a panel, at which they considered the state of surveillance under Trump. Former White House Director of Privacy and Civil Liberties Tim Edgar asked whether adhering to basic norms, which he suggested would otherwise be an adequate on surveillance, works in a Trump Administration.

In response, former NSA General Counsel Matt Olsen provided an innocuous description of the things he had done to expand the dragnet.

I fought hard … in the last 10 [years] when I worked in national security, for increasing information sharing, breaking down barriers for sharing information, foreign-domestic, within domestic agencies, and for the modernization of FISA, so we could have a better approach to surveillance.

Then, Olsen admitted that he (who for three years after he left NSA headed up the National Counterterrorism Center managing a ton of analysts paid to imagine the unimaginable) did not imagine someone like Trump might come along.

As I fought for these changes, I did not bargain on a President Trump. That was beyond my ability to imagine as a leader of the country in thinking about how these policies would actually be implemented by the Chief Executive.

It was beyond his ability [breathe, Marcy, breathe] to imagine someone who might abuse power to come along!!!

What makes Olsen’s comment even more infuriating that I called out Olsen’s problematic efforts to “modernize” FISA and sustain the phone dragnet even in spite of abuse in September, in arguing that Hillary could not, in fact, be supporting a balanced approach on intelligence if she planned on hiring him, as seemed likely.

Olsen was the DOJ lawyer who oversaw the Yahoo challenge to PRISM in 2007 and 2008. He did two things of note. First, he withheld information from the FISC until forced to turn it over, not even offering up details about how the government had completely restructured PRISM during the course of Yahoo’s challenge, and underplaying details of how US person metadata is used to select foreign targets. He’s also the guy who threatened Yahoo with $250,000 a day fines for appealing the FISC decision.

Olsen was a key player in filings on the NSA violations in early 2009, presiding over what I believe to be grossly misleading claims about the intent and knowledge NSA had about the phone and Internet dragnets. Basically, working closely with Keith Alexander, he hid the fact that NSA had basically willfully treated FISA-collected data under the more lenient protection regime of EO 12333.

These comments were used, in this post by former NSA Compliance chief John DeLong and former NSA lawyer Susan Hennessey (the latter of whom was on this panel) to unbelievably dishonestly suggest that surveillance skeptics, embodied by me and EFF’s Nate Cardozo (who has been litigating some of these issues for years), took our understanding of NSA excesses from one footnote in a FISA Court opinion, rather than from years of reading underlying documents.

Readers are likely aware of the incident, which has become a persistent reference point for NSA’s most ardent critics. One such critic recently pointed to a FISC memorandum referencing the episode as evidence that “NSA lawyers routinely lie, even to the secret rubber stamp FISA court”; another cited it in claiming DOJ’s attorneys made “misleading claims about the intent and knowledge NSA had about the phone and Internet dragnets” and that “NSA had basically willfully treated FISA-collected data under the more lenient protection regime of EO 12333.”

These allegations are false. And by insisting that government officials routinely mislead and lie, these critics are missing one of the most important stories in the history of modern intelligence oversight.

Never mind that I actually hadn’t cited the footnote. Never mind that then FISA Judge Reggie Walton was the first to espouse my “false” view, even before seven more months of evidence came out providing further support for it.

The underlying point is that these two NSA people were so angry that I called out Matt Olsen for documented actions he had taken that they used it as a foil to make some pretty problematic claims about the oversight over NSA spying. But before they did so, they assured us of the integrity of the people involved (that is, Olsen and others).

It’s tempting to respond to these accusations by defending the integrity of the individuals involved. After all, we know from firsthand experience that our former colleagues—both within the NSA and across the Department of Justice, the Office of the Director of National Intelligence, and the Department of Defense—serve the public with a high degree of integrity. But we think it is important to move beyond the focus on who is good and who is bad, and instead explore the history behind that footnote and the many lessons learned and incorporated into practice. After all, we are ultimately a “government of laws,” not of people.

 

 

We are a government of laws, not people, they said in October, before laying out oversight that (they don’t tell you, but I will once I finally get back to responding to this post) has already proven to be inadequate. I mean, I agree with their intent — that we need(ed) to build a bureaucracy that could withstand the craziest of Executives. But contrary to what they claim in their piece and the presumably best intent of DeLong, they didn’t do that.

They now seem to realize that.

In the wake of the Trump victory, a number of these people are now admitting that maybe their reassurances about the bureaucracy they contributed to — which were in reality based on faith in the good intentions and honesty and competence of their colleagues — were overstated. Maybe these tools are too dangerous for an unhinged man to wield.

And, it turns out, one of the people largely responsible for expanding the dragnet that its former defenders now worry might be dangerous for Donald Trump to control never even imagined that someone like Trump might come along.

Lefties Learn to Love Leaks Again

/12 Comments/in , , , , /by

Throughout the presidential campaign, observers have noted with irony that many on the right discovered a new-found love for WikiLeaks. Some of the same people who had earlier decried leaks, even called Chelsea Manning a traitor, were lapping up what Julian Assange was dealing on a daily basis.

There was a similar, though less marked, shift on the left. While many on the left had criticized — or at least cautioned about — WikiLeaks from the start, once Assange started targeting their presidential candidate, such leaks became an unprecedented, unparalleled assault on decency, which no one seemed to say when similar leaks targeted Bashar al-Assad.

Which is why I was so amused by the reception of this story yesterday.

After revealing that Donald Trump’s Secretary of State nominee “was the long-time director of a US-Russian oil firm based in the tax haven of the Bahamas, leaked documents show” in the first paragraph, the article admits, in the fourth paragraph that,

Though there is nothing untoward about this directorship, it has not been reported before and is likely to raise fresh questions over Tillerson’s relationship with Russia ahead of a potentially stormy confirmation hearing by the US senate foreign relations committee. Exxon said on Sunday that Tillerson was no longer a director after becoming the company’s CEO in 2006.

The people sharing it on Twitter didn’t seem to notice that (nor did the people RTing my ironic tweet about leaks seem to notice). Effectively, the headline “leaks reveal details I have sensationalized” served its purpose, with few people reading far enough to the caveats that admit this is fairly standard international business practice (indeed, it’s how Trump’s businesses work too). This is a more sober assessment of the import of the document detailing Tillerson’s ties with the Exxon subsidiary doing business in Russia.

This Guardian article worked just like all the articles about DNC and Podesta emails worked, even with — especially with — the people decrying the press for the way it irresponsibly sensationalized those leaks.

The response to this Tillerson document is all the more remarkable given the source of this leak. The Guardian reveals it came from an anonymous source for Süddeutsche Zeitung, which in turn shared the document with the Guardian and the International Consortium of Investigative Journalists.

The leaked 2001 document comes from the corporate registry in the Bahamas. It was one of 1.3m files given to the Germany newspaper Süddeutsche Zeitung by an anonymous source.

[snip]

The documents from the Bahamas corporate registry were shared by Süddeutsche Zeitung with the Guardian and the International Consortium of Investigative Journalists in Washington DC.

That is, this document implicating Vladimir Putin’s buddy Rex Tillerson came via the very same channel that the Panama Papers had, which Putin claimed, back in the time Russia was rifling around the DNC server, was a US intelligence community effort to discredit him and his kleptocratic cronies, largely because that was the initial focus of the US-NGO based consortium that managed the documents adopted, a focus replicated at outlets participating.

See this column for a worthwhile argument that Putin hacked the US as retaliation for the Panama Papers, which makes worthwhile points but would only work chronologically if Putin had advance notice of the Panama Papers (because John Podesta got hacked on March 19, before the first releases from the Panama Papers on April 3).

There really has been a remarkable lack of curiosity about where these files came from. That’s all the more striking in this case, given that the document (barely) implicating Tillerson comes from the Bahamas, where the US at least was collecting every single phone call made.

That’s all the more true given the almost non-existent focus on the Bahamas leaks before — from what I can tell just one story has been done on this stash, though the documents are available in the ICIJ database. Indeed, if the source for the leaks was the same, it would seem to point to an outside hacker rather than an inside leaker. That doesn’t mean the leak was done just to hurt Tillerson. The leak, which became public on September 21, precedes the election of Trump, much less the naming of Tillerson. But it deserves at least some notice.

For what it’s worth, I think it quite possible the US has been involved in such leaks — particularly given how few Americans get named in them. But I don’t think the Panama Papers, which implicated plenty of American friends and even the Saudis, actually did target Putin.

Still, people are going to start believing Putin’s claims that this effort is primarily targeted at him if documents conveniently appear from the leak as if on command.

I am highly interested in who handed off documents allegedly stolen by Russia’s GRU to Wikileaks. But I’m also interested in who the source enabling asymmetric corruption claims, as if on demand, is.

Obama’s Response to Russia’s Hack: An Emphasis on America’s More Generalized Vulnerability

/10 Comments/in , , /by

President Obama’s comments Friday about the Russian hack of the DNC were a rare occasion where I liked one of his speeches far more than more partisan Democrats.

I think Democrats were disappointed because Obama declined to promise escalation. The press set Obama up, twice (first Josh Lederman and then Martha Raddatz), with questions inviting him to attack Putin directly. Similarly, a number of reporters asked questions that betrayed an expectation for a big showy response. Rather than providing that, Obama did several things:

  • Distinguish the integrity of the process of voting from our larger political discourse
  • Blame our political discourse (and the press) as much as Putin
  • Insist on a measured response to Putin

Distinguish the integrity of the process of voting from our larger political discourse

From the very start, Obama distinguished between politics and the integrity of our election system.

I think it is very important for us to distinguish between the politics of the election and the need for us, as a country, both from a national security perspective but also in terms of the integrity of our election system and our democracy, to make sure that we don’t create a political football here.

This gets to a point that most people are very sloppy about when they claim Putin “tampered” with the election. Throughout this election, the press has at times either deliberately or incompetently conflated the theft and release of emails (which the intelligence community unanimously agrees was done by Putin) with the hacking of voting-related servers (reportedly done by “Russians,” but not necessarily the Russian state, which is probably why the October 7 IC statement pointedly declined to attribute those hacks to Russia).

Obama, after having laid out how the IC provided the press and voters with a way to account for the importance of the Russian hack on the election, then returns to what he says was a successful effort to ensure Russia didn’t hack the actual vote counting.

What I was concerned about, in particular, was making sure that that wasn’t compounded by potential hacking that could hamper vote counting, affect the actual election process itself.

And so in early September, when I saw President Putin in China, I felt that the most effective way to ensure that that didn’t happen was to talk to him directly and tell him to cut it out, and there were going to be some serious consequences if he didn’t. And, in fact, we did not see further tampering of the election process.

This is consistent with the anonymous statement the White House released over Thanksgiving weekend, which the press seems unaware of. In it, the White House emphasized that it was aware of no malicious election-related tampering, while admitting they had no idea whether Russia had ever planned any in the first place.

Blame our political discourse (and the press) as much as Putin

By far the most important part of Obama’s comments, I think, were his comments about why he believed this to be the right approach.

Obama described the October 7 DHS/ODNI statement as an effort to inform all voters of the hack and leak (and high level involvement in it), without trying to tip the scale politically.

And at that time, we did not attribute motives or any interpretations of why they had done so. We didn’t discuss what the effects of it might be. We simply let people know — the public know, just as we had let members of Congress know — that this had happened.

And as a consequence, all of you wrote a lot of stories about both what had happened, and then you interpreted why that might have happened and what effect it was going to have on the election outcomes. We did not. And the reason we did not was because in this hyper-partisan atmosphere, at a time when my primary concern was making sure that the integrity of the election process was not in any way damaged, at a time when anything that was said by me or anybody in the White House would immediately be seen through a partisan lens, I wanted to make sure that everybody understood we were playing this thing straight — that we weren’t trying to advantage one side or another, but what we were trying to do was let people know that this had taken place, and so if you started seeing effects on the election, if you were trying to measure why this was happening and how you should consume the information that was being leaked, that you might want to take this into account.

And that’s exactly how we should have handled it.

Again, I get why Democrats are furious about this passage: they wanted and still want the IC to attack Trump for benefitting from the Russian hack. Or at the very least, they want to legitimize their plan to delegitimize Trump by using his Russian ties with Obama endorsement. From a partisan view, I get that. But I also very much agree with Obama’s larger point: if Russia’s simple hack decided the election, it’s as much a statement about how sick our democracy is, across the board, as it is a big win for Putin.

To lead into that point, Obama points out how many of the people in the room — how the press — obsessed about every single new leak, rather than focusing on the issues that mattered to the election.

[W]e allowed you and the American public to make an assessment as to how to weigh that going into the election.

And the truth is, is that there was nobody here who didn’t have some sense of what kind of effect it might have. I’m finding it a little curious that everybody is suddenly acting surprised that this looked like it was disadvantaging Hillary Clinton because you guys wrote about it every day. Every single leak. About every little juicy tidbit of political gossip — including John Podesta’s risotto recipe. This was an obsession that dominated the news coverage.

So I do think it’s worth us reflecting how it is that a presidential election of such importance, of such moment, with so many big issues at stake and such a contrast between the candidates, came to be dominated by a bunch of these leaks. What is it about our political system that made us vulnerable to these kinds of potential manipulations — which, as I’ve said publicly before, were not particularly sophisticated.

This was not some elaborate, complicated espionage scheme. They hacked into some Democratic Party emails that contained pretty routine stuff, some of it embarrassing or uncomfortable, because I suspect that if any of us got our emails hacked into, there might be some things that we wouldn’t want suddenly appearing on the front page of a newspaper or a telecast, even if there wasn’t anything particularly illegal or controversial about it. And then it just took off.

And that concerns me.

He returns to that more generally, with one of the most important lines of the presser. “Our vulnerability to Russia or any other foreign power is directly related to how divided, partisan, dysfunctional our political process is.”

The more [the review of the hack] can be nonpartisan, the better served the American people are going to be, which is why I made the point earlier — and I’m going to keep on repeating this point: Our vulnerability to Russia or any other foreign power is directly related to how divided, partisan, dysfunctional our political process is. That’s the thing that makes us vulnerable.

If fake news that’s being released by some foreign government is almost identical to reports that are being issued through partisan news venues, then it’s not surprising that that foreign propaganda will have a greater effect, because it doesn’t seem that far-fetched compared to some of the other stuff that folks are hearing from domestic propagandists.

To the extent that our political dialogue is such where everything is under suspicion, everybody is corrupt and everybody is doing things for partisan reasons, and all of our institutions are full of malevolent actors — if that’s the storyline that’s being put out there by whatever party is out of power, then when a foreign government introduces that same argument with facts that are made up, voters who have been listening to that stuff for years, who have been getting that stuff every day from talk radio or other venues, they’re going to believe it.

So if we want to really reduce foreign influence on our elections, then we better think about how to make sure that our political process, our political dialogue is stronger than it’s been.

Now, the Democrats who have celebrated hopey changey Obama have, over the years, recognized that his effort to be bipartisan squandered his opportunity, in 2009, to really set up a structure that would make us more resilient. It is, admittedly, infuriating that in his last presser Obama still endorses bipartisanship when the last 8 years (and events rolling out in North Carolina even as he was speaking) prove that the GOP will not play that game unless forced to.

So I get the anger here.

But, it is also true that our democracy was fragile well before Vladimir Putin decided he was going to fuck around. Even if Putin hadn’t hacked John Podesta, the way in which the email investigation rolled out accomplished the same objective. (Indeed, at one point I wondered whether Putin wasn’t jealous of Comey for having a much bigger effect on the election). Even if some Russians didn’t put out fake news, others were still going to do that, playing to the algorithmically enhanced biases of Trump voters. Even without Putin hacking voting machines, we can be certain that in places like Wisconsin and North Carolina the vote had already been hacked by Republicans suppressing Democratic vote.

The effect Putin was seeking was happening, happened, anyway, even without his involvement. That doesn’t excuse his involvement, but it does say that if we nuked Putin off the face of this earth tomorrow, our democracy would remain just as fragile as it was with Putin playing in it during this election.

So Obama is right about our vulnerability, though I think he really hasn’t offered a way to fix it. That’s what we all need to figure out going forward. But I can assure you: focusing exclusively on Russia, as if that is the problem and not the underlying fragility, is not going to fix it.

Insist on a measured response to Putin

Which leads us to his comments on a response. In spite of repeated efforts to get him to say “Vlad Putin is a big fat dick who personally elected Donald Trump,” Obama refused (though that didn’t stop some papers from adopting headings suggesting he had). Rather, Obama used the language used in the October 7 statement, saying the hacks were approved by the highest levels of the Russian government, which necessarily means Putin authorized them.

We have said, and I will confirm, that this happened at the highest levels of the Russian government. And I will let you make that determination as to whether there are high-level Russian officials who go off rogue and decide to tamper with the U.S. election process without Vladimir Putin knowing about it.

Q So I wouldn’t be wrong in saying the President thinks Vladimir Putin authorized the hack?

THE PRESIDENT: Martha, I’ve given you what I’m going to give you.

Similarly, Obama refused to respond to journalists’ invitation to announce some big retaliation.

I know that there have been folks out there who suggest somehow that if we went out there and made big announcements, and thumped our chests about a bunch of stuff, that somehow that would potentially spook the Russians. But keep in mind that we already have enormous numbers of sanctions against the Russians. The relationship between us and Russia has deteriorated, sadly, significantly over the last several years. And so how we approach an appropriate response that increases costs for them for behavior like this in the future, but does not create problems for us, is something that’s worth taking the time to think through and figure out.

I’m going to return to this to discuss a detail no one seems to get about Obama’s choices right now. But for the moment, note his emphasis on a response that increases costs for such hacks that do “not create problems for us.”

Unsurprisingly (and, given America’s own aggressive cyberattacks, possibly unrealistically), Obama says he is most seeking norm-setting.

What we’ve also tried to do is to start creating some international norms about this to prevent some sort of cyber arms race, because we obviously have offensive capabilities as well as defensive capabilities. And my approach is not a situation in which everybody is worse off because folks are constantly attacking each other back and forth, but putting some guardrails around the behavior of nation-states, including our adversaries, just so that they understand that whatever they do to us we can potentially do to them.

Obama’s approach is “not a situation in which everybody is worse off because folks are constantly attacking each other back and forth.” Does that suggest the US has already been hacking Russia? Why do we never consider whether Putin was retaliating against us? Who started this cyberwar, anyway?

Funny how Americans assume the answer must be Putin.

In any case, we do need norms about this stuff, but that likely would require some honestly about what, if anything, is different about cyber election tampering than all the election tampering Russia and the US have engaged in for decades — which is a point Chilean Ariel Dorfman makes after pointing out the irony of CIA “crying foul because its tactics have been imitated by a powerful international rival.”

Even assuming we’ll never learn the full extent of America’s own recent tampering, that’s likely to be something that Obama is thinking about as journalists and Democrats wail that he isn’t taking a more aggressive stance.