In my piece on Sunday on the package of sanctions the government released last week, I noted the likelihood the Joint Analysis Report would result in false positives.

But several of the reports also include some version of this conclusion from Lee: “the indicators are not very descriptive and will have a high rate of false positives for defenders that use them.”

That is, we may see more of what we saw Friday, when a Vermont utility did as instructed with the report — searched for the indicators included in the report — reported a positive hit, only to have anonymous sources immediately blow it up to mean Russia had hacked our grid. That find might turn out to be a Russian probe, or it might not; there’s little doubt that Russia can hack our electrical system. But what it did do is feed a panic.

Sure enough, that’s what Friday’s alarmist WaPo story turned out to be. Another WaPo story last night revealed that there’s no evidence Russian government hackers were in Burlington Electric — indeed, it sounds like what the utility might have found was one of the many Tor or other innocuous IP addresses included in the report.

As federal officials investigate suspicious Internet activity found last week on a Vermont utility computer, they are finding evidence that the incident is not linked to any Russian government effort to target or hack the utility, according to experts and officials close to the investigation.

An employee at Burlington Electric Department was checking his Yahoo email account Friday and triggered an alert indicating that his computer had connected to a suspicious IP address associated by authorities with the Russian hacking operation that infiltrated the Democratic Party. Officials told the company that traffic with this particular address is found elsewhere in the country and is not unique to Burlington Electric, suggesting the company wasn’t being targeted by the Russians. Indeed, officials say it is possible that the traffic is benign, since this particular IP address is not always connected to malicious activity.

As it happens, after the government took custody of they laptop, they found other malware, not associated with Russians, on the laptop, but which wasn’t found as a result of last week’s report and scan.

In the course of their investigation, though, they have found on the device a package of software tools commonly used by online criminals to deliver malware. The package, known as Neutrino, does not appear to be connected with Grizzly Steppe, which U.S. officials have identified as the Russian hacking operation. The FBI, which declined to comment, is continuing to investigate how the malware got onto the laptop.

But ultimately, Friday night’s scare, with comments from half of Vermont’s public officials, was about an IP address that has no definitive tie to the Russians.

And that wasn’t the only false positive arising from this report. A Dutch paper did a story accusing a key Dutch privacy person (Bits of Freedom is sort of like EFF) of running a Tor node used by the Russians, as if Tor node operators sign off on the traffic that transits their nodes.

Remember: one of the primary claimed goals of Russia’s hacking is to make Americans lose trust in our government. Because of the way this report and subsequent reporting was rolled out (and leaked to a White House beat reporter), both security professionals and the general public will lose confidence not just in the government’s ability to respond to hacks, but also in the government’s report claiming the Russians were behind the hack. Not to mention, the alarmist report has led the paper that pushed the PropOrNot bullshit to make this kind of claim, blaming sources but not their own reporting.

Authorities also were leaking information about the utility without having all the facts and before law enforcement officials were able to investigate further.

Remember: WaPo first published the story before getting any comment from Burlington Electric.

The government appears to be doing Vlad Putin’s work for him, damaging its own credibility in its efforts to combat his efforts to damage its credibility.

I’ve been eagerly anticipating the moment Rick Perlstein uses his historical work on Nixon to analyze Trump. Today, he doesn’t disappoint, calling Trump more paranoid than Nixon, warning of what Trump will do with the powerful surveillance machine laying ready for his use.

Revenge is a narcotic, and Trump of all people will be in need of a regular, ongoing fix. Ordering his people to abuse the surveillance state to harass and destroy his enemies will offer the quickest and most satisfying kick he can get. The tragedy, as James Madison could have told us, is that the good stuff is now lying around everywhere, just waiting for the next aspiring dictator to cop.

But along the way, Perlstein presents a bizarre picture of what happened to the Section 215 phone dragnet under Barack Obama.

That’s not to say that Obama hasn’t abused his powers: Just ask the journalists at the Associated Press whose phone records were subpoenaed by the Justice Department. But had he wanted to go further in spying on his enemies, there are few checks in place to stop him. In the very first ruling on the National Security Administration’s sweeping collection of “bulk metadata,” federal judge Richard Leon blasted the surveillance as downright Orwellian. “I cannot imagine a more ‘indiscriminate’ and ‘arbitrary’ invasion than this collection and retention of personal data,” he ruled. “Surely, such a program infringes on ‘that degree of privacy’ that the founders enshrined in the Fourth Amendment.”

But the judge’s outrage did nothing to stop the surveillance: In 2015, an appeals court remanded the case back to district court, and the NSA’s massive surveillance apparatus—soon to be under the command of President Trump—remains fully operational. The potential of the system, as former NSA official William Binney has described it, is nothing short of “turnkey totalitarianism.”

There are several things wrong with this.

First, neither Richard Leon nor any other judge has reviewed the NSA’s “sweeping collection of ‘bulk metadata.'” What Leon reviewed — in Larry Klayman’s lawsuit challenging the collection of phone metadata authorized by Section 215 revealed by Edward Snowden — was just a small fraction of NSA’s dragnet. In 2013, the collection of phone metadata authorized by Section 215 collected domestic and international phone records from domestic producers, but even there, Verizon had found a way to exclude collection of its cell records.

But NSA collected phone records — indeed, many of the very same phone records, as they collected a great deal of international records — overseas as well. In addition, NSA collected a great deal of Internet metadata records, as well as financial and anything else records. Basically, anything the NSA can collect “overseas” (which is interpreted liberally) it does, and because of the way modern communications works, those records include a significant portion of the metadata of Americans’ everyday communications.

It is important for people to understand that the focus on Section 215 was an artificial creation, a limited hangout, an absolutely brilliant strategy (well done, Bob Litt, who has now moved off to retirement) to get activists to focus on one small part of the dragnet that had limitations anyway and NSA had already considered amending. It succeeded in pre-empting a discussion of just what the full dragnet entailed.

Assessments of whether Edward Snowden is a traitor or a saint always miss this, when they say they’d be happy if Snowden had just exposed the Section 215 program. Snowden didn’t want the focus to be on just that little corner of the dragnet. He wanted to expose the full dragnet, but Litt and others succeeded in pretending the Section 215 dragnet was the dragnet, and also pretending that Snowden’s other disclosures weren’t just as intrusive on Americans.

Anyway, another place where Perlstein is wrong is in suggesting there was just one Appeals Court decision. The far more important one is the authorized by Gerard Lynch in the Second Circuit, which ruled that Section 215 was not lawfully authorized. It was a far more modest decision, as it did not reach constitutional questions. But Lynch better understood that the principle involved more than phone records; what really scared him was the mixing of financial records with phone records, which is actually what the dragnet really is.

That ruling, on top of better understanding the import of dragnets, is important because it is one of the things that led to the passage of USA Freedom Act, a law that, contrary to Perlstein’s claim, did change the phone dragnet, both for good and ill.

The USA Freedom Act, by imposing limitations on how broadly dragnet orders (for communications but not for financial and other dragnets) can be targeted, adds a check at the beginning of the process. It means only people 2 degrees away from a terrorism suspect will be collected under this program (even while the NSA continues to collect in bulk under EO 12333). So the government will have in its possession far fewer phone records collected under Section 215 (but it will still suck in massive amounts of phone records via EO 12333, including massive amounts of Americans’ records).

All that said, Section 215 now draws from a larger collection of records. It now includes the Verizon cell records not included under the old Section 215 dragnet, as well as some universe of metadata records deemed to be fair game under a loose definition of “phone company.” At a minimum, it probably includes iMessage, WhatsApp, and Skype metadata, but I would bet the government is trying to get Signal and other messaging metadata (note, Signal metadata cannot be collected retroactively; it’s unclear whether it can be collected with standing daily prospective orders). This means the Section 215 collection will be more effective in finding all the people who are 2 degrees from a target (because it will include any communications that exist solely in Verizon cell or iMessage networks, as well as whatever other metadata they’re collecting). But it also means far more innocent people will be impacted.

To understand why that’s important, it’s important to understand what purpose all this metadata collection serves.

It was never the case that the collection of metadata, however intrusive, was the end goal of the process. Sure, identifying someone’s communications shows when you’ve been to an abortion clinic or when you’re conducting an affair.

But the dragnet (the one that includes limited Section 215 collection and EO 12333 collection limited only by technology, not law) actually serves two other primary purposes.

The first is to enable the creation of dossiers with the click of a few keys. Because the NSA is sitting on so much metadata — not just phone records, but Internet, financial, travel, location, and other data — it can put together a snapshot of your life as soon as they begin to correlate all the identifiers that make up your identity. One advantage of the new kind of collection under USAF, I suspect, is it will draw from the more certain correlations you give to your communications providers, rather than relying more heavily on algorithmic analysis of bulk data. Facebook knows with certainty what email address and phone number tie to your Facebook account, whereas the NSA’s algorithms only guess that with (this is an educated guess) ~95+% accuracy.

This creation of dossiers is the same kind of analysis Facebook does, but instead of selling you plane tickets the goal is government scrutiny of your life.

The Section 215 orders long included explicit permission to subject identifiers found via 2-degree collection to all the analytical tools of the NSA. That means, for any person — complicit or innocent — identified via Section 215, the NSA can start to glue together the pieces of dossier it already has in its possession. While not an exact analogue, you might think of collection under Section 215 as a nomination to be on the equivalent of J Edgar Hoover’s old subversives list. Only, poor J Edgar mostly kept his list on index cards. Now, the list of those the government wants to have a network analysis and dossier on is kept in massive server farms and compiled using supercomputers.

Note, the Section 215 collection is still limited to terrorism suspects — that was an important win in the USA Freedom fight — but the EO 12333 collection, with whatever limits on nominating US persons, is not. Plus, it will be trivial for Trump to expand the definition of terrorist; the groundwork is already being laid to do so with Black Lives Matter.

The other purpose of the dragnet is to identify which content the NSA will invest the time and energy into reading. Most content collected is not read in real time. But Americans’ communications with a terrorism suspect will probably be, because of the concern that those Americans might be plotting a domestic plot. The same is almost certainly true of, say, Chinese-Americans conversing with scientists in China, because of a concern they might be trading US secrets. Likewise it is almost certainly true of Iranian-Americans talking with government officials, because of a concern they might be dealing in nuclear dual use items. The choice to prioritize Americans makes sense from a national security perspective, but it also means certain kinds of people — Muslim immigrants, Chinese-Americans, Iranian-Americans — will be far more likely to have their communications read without a warrant than whitebread America, even if those whitebread Americans have ties to (say) NeoNazi groups.

Of course, none of this undermines Perlstein’s ultimate categorization, as voiced by Bill Binney, who created this system only to see the privacy protections he believed necessary get wiped away: the dragnet — both that authorized by USAF and that governed by EO 12333 — creates the structure for turnkey totalitarianism, especially as more and more data becomes available to NSA under EO 12333 collection rules.

But it is important to understand Obama’s history with this dragnet. Because while Obama did tweak the dragnet, two facts about it remain. First, while there are more protections built in on the domestic collection authorized by Section 215, that came with an expansion of the universe of people that will be affected by it, which must have the effect of “nominating” more people to be on this late day “Subversives” list.

Obama also, in PPD-28, “limited” bulk collection to a series of purposes. That sounds nice, but the purposes are so broad, they would permit bulk collection in any area of the world, and once you’ve collected in bulk, it is trivial to then call up that data under a more broad foreign intelligence purpose. In any case, Trump will almost certainly disavow PPD-28.

Which makes Perlstein’s larger point all the more sobering. J Edgar and Richard Nixon were out of control. But the dragnet Trump will inherit is far more powerful.

I was still with family when the White House rolled out its retaliation against Russian hacks of the election the other day, so I didn’t have a chance to unpack what they released. I’ll do that here.

The actions — which retaliate not just for the DNC hack — consist of a package that includes:

• A “Voxsplainer” telling you “everything you need to know” about the package
• An Obama statement
• An expansion of cyber sanctions to include both our elections and those of our allies and partners
• State Department retaliation against Russia for harassing our personnel
• Two documents about Russian hacking: A Joint Analysis Report and an introduction to it

The Voxsplainer

In addition to promising to tell us “What You Need to Know” about “The Administration’s Response to Russia,” the Voxsplainer provides links to all the other pieces. There are two significant details.

First, the “response” is not just to “cyber operations aimed at our election” but also to “the Russian government’s aggressive harassment of U.S. officials.” Some of the most showy retaliation was actually specifically retaliation for the latter.

The other key detail is that, in describing Russia’s motive for the hack, the Voxsplainer steers very, very clear of the two more controversial motives (to retaliate for perceived and real covert operations against Russia, and to get Trump elected). Instead, the Voxsplainer provides the most wishy-washy description of Russia’s purpose.

Russia’s cyber activities were intended to influence the election, erode faith in U.S. democratic institutions, sow doubt about the integrity of our electoral process, and undermine confidence in the institutions of the U.S. government.

“Faith, integrity, and confidence” are pretty squishy things that don’t require much proof.

Obama’s statement

Obama’s statement is basically a description of what he ordered (here, he admits some of the individual sanctions are for cyber-crime, not the hack). The most important part of the statement is the last paragraph.

These actions are not the sum total of our response to Russia’s aggressive activities. We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized. In addition to holding Russia accountable for what it has done, the United States and friends and allies around the world must work together to oppose Russia’s efforts to undermine established international norms of behavior, and interfere with democratic governance. To that end, my Administration will be providing a report to Congress in the coming days about Russia’s efforts to interfere in our election, as well as malicious cyber activity related to our election cycle in previous elections.

As I’ll show in this and a follow-up post, some of what Obama ordered is silly or downright counterproductive. But the actions took place alongside a claim that there would also be covert retaliation we won’t see. So we’ve got silly and counterproductive overt retaliation, with the promise of covert retaliation that may be less silly.

Obama also stated what the presumed goal of these actions are, to prevent Russia from undermining democratic norms, norms which the President-Elect has expressed intent to violate.

New Cyber-Sanctions

Obama extended the application of an EO he signed in April 2015 to apply to election related hacking. The Voxsplainer doesn’t explicitly describe what’s new about the cyber-sanctions, leaving that to a separate fact sheet and an annex to the Executive Order extending the sanctions. Instead, the Voxsplainer describes what the original EO 13964 had done, which basically permitted the President to sanction entities that hacked critical infrastructure or big money.

Curiously, the White House doesn’t appear to have issued a new version of EO 13964, relying solely on the fact sheet to explain the newly expanded scope.

Just as interesting there’s a subtle difference in the way the attached fact sheet describes the addition, and how Obama did in his statement. The fact sheet does not specify whether these sanctions only apply for the targeting of our own election processes or institutions, or for others.

The increasing use of cyber-enabled means to undermine democratic processes at home and abroad, as exemplified by Russia’s recent activities, has made clear that a tool explicitly targeting attempts to interfere with elections is also warranted. As such, the President has approved amending Executive Order 13964 to authorize sanctions on those who:

• Tamper with, alter, or cause a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions.

But Obama’s statement says the EO “provides additional authority for responding to certain cyber activity that seeks to interfere with or undermine our election processes and institutions, or those of our allies or partners.” [my emphasis] That Obama would extend such sanctions to protect our allies’ elections make sense, as there’s real concern about Russia’s plans for the upcoming French and German elections. But it’s also really funny given that the NSA and CIA have targeted the election institutions and processes of our allies Pakistan and Mexico. Does that mean we have to sanction the NSA and CIA now? This is so confusing.

As to the sanctions themselves, they target the following:

1. Main Intelligence Directorate (a.k.a. Glavnoe Razvedyvatel’noe Upravlenie) (a.k.a. GRU); Moscow, Russia
2. Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB); Moscow, Russia
3. Special Technology Center (a.k.a. STLC, Ltd. Special Technology Center St. Petersburg); St. Petersburg, Russia
4. Zorsecurity (a.k.a. Esage Lab); Moscow, Russia
5. Autonomous Noncommercial Organization “Professional Association of Designers of Data Processing Systems” (a.k.a. ANO PO KSI); Moscow, Russia Individuals

1. Igor Valentinovich Korobov; DOB Aug 3, 1956; nationality, Russian
2. Sergey Aleksandrovich Gizunov; DOB Oct 18, 1956; nationality, Russian
3. Igor Olegovich Kostyukov; DOB Feb 21, 1961; nationality, Russian
4. Vladimir Stepanovich Alexseyev; DOB Apr 24, 1961; nationality, Russian

As I noted the other day, I find it particularly interesting that Obama included FSB in these sanctions, given that the public record only reflects them doing the kind of data collection that we also do all the time (and that China and others have done against us in the past). Perhaps that means there’s evidence they did more, or perhaps this is just gratuitous sanctioning. It will be interesting to see how seriously this part of the sanctions gets taken, given that we need to cooperate with Russian intelligence on things like bombing ISIS.

There has been some befuddlement about why Zorsecurity got included on the list, as its owner, Alisa Esage Shevchenko, claims she doesn’t work for the Russian state and has been celebrated for her security research in the past, though one anonymous source claims she has.

“I’m just trying not to freak out,” she told me over email. “My company never worked with the government. It never had the necessary licenses to do so in the first place. And I personally tried to stay as far away as possible from anything remotely suspicious, as I’m naturally a cosmopolitan person, and an introverted single woman. I wouldn’t want any job that would put me in danger or restrictions.”

Talking about the defunct state of the company, she added: “This is fixed in the public registry, and should be well known to any foreign intelligence that bothered to do any research.” A search on the public registry showed ZorSecurity as still active, however — Shevchenko said the firm stopped submitting any tax statements, which should be visible in the registry.

[snip]

One Russian hacker who claimed knowledge of Esage Lab’s business, and who asked to remain anonymous, said the company sold software exploits and hacking tools, and had worked with the Russian government. “Esage do exploits and offensive software,” said the well-connected Moscow source. “Esage worked with government customers … but I’m really not sure if they related to the DNC hack.”

That same anonymous Russian hacker also doesn’t see why the US sanctioned the two other Russian companies.

The anonymous Moscow source told me the list of organizations named in the sanctions – which also included the St. Petersburg-based Special Technology Center and the Autonomous Noncommercial Organization’s Professional Association of Designers of Data Processing Systems – did “not look professional at all.” “It looks like the U.S. government does not know who is behind this DNC thing,” they added.

So it’s possible the US just sanctioned some companies for the sake of sanctioning some companies. As MalwareJake notes in a critique of the sanctions, these companies don’t do business in the US so it’s not like the sanctions will have any effect anyway.

Four of the individuals sanctioned are top GRU officials (making this the equivalent of the post-Sony sanction on North Korean officials).

Sanctioned individuals include Igor Valentinovich Korobov, the current Chief of the GRU; Sergey Aleksandrovich Gizunov, Deputy Chief of the GRU; Igor Olegovich Kostyukov, a First Deputy Chief of the GRU; and Vladimir Stepanovich Alexseyev, also a First Deputy Chief of the GRU.

The Voxsplainer also notes that Treasury added two Russian criminals to its sanction list.

In addition, the Department of the Treasury is designating two Russian individuals, Evgeniy Bogachev and Aleksey Belan, under a pre-existing portion of the Executive Order for using cyber-enabled means to cause misappropriation of funds and personal identifying information.

• Evgeniy Mikhailovich Bogachev is designated today for having engaged in significant malicious cyber-enabled misappropriation of financial information for private financial gain.  Bogachev and his cybercriminal associates are responsible for the theft of over $100 million from U.S. financial institutions, Fortune 500 firms, universities, and government agencies.
• Aleksey Alekseyevich Belan engaged in the significant malicious cyber-enabled misappropriation of personal identifiers for private financial gain.  Belan compromised the computer networks of at least three major United States-based e-commerce companies.

Note, however, that at least Bogachev has been implicated in surveillance in the past. So it’s possible these sanctions are designed to nod towards related activity, the sanctioned (heh) permission of cybercrime by entities willing to help out the Russian government.

Diplomatic retaliation

As noted above, this package of actions actually responds not just to the election (and Bogachev and Belan’s crimes), but also to harassment of US personnel in Russia.

The beginning of the Voxsplainer says that the diplomatic measures were in retaliation for harassment that has gone on in the last year. “Moreover, our diplomats have experienced an unacceptable level of harassment in Moscow by Russian security services and police over the last year.”

The part of the Voxsplainer that explains the actual actions says it responds to two years of harassment.

Over the past two years, harassment of our diplomatic personnel in Russia by security personnel and police has increased significantly and gone far beyond international diplomatic norms of behavior. Other Western Embassies have reported similar concerns. In response to this harassment, the President has authorized the following actions:

Today the State Department declared 35 Russian government officials from the Russian Embassy in Washington and the Russian Consulate in San Francisco “persona non grata.” They were acting in a manner inconsistent with their diplomatic status. Those individuals and their families were given 72 hours to leave the United States.

In addition to this action, the Department of State has provided notice that as of noon on Friday, December 30, Russian access will be denied to two Russian government-owned compounds, one in Maryland and one in New York.

I find the temporal inconsistency interesting, especially since neither period extends back to the post-Boston Marathon period when numerous CIA officers, most notably Randy Fogle, were getting expelled from Russia. It does, however, cover incidents that have been reported since at least July, including this apparent attempt to detain someone who just barely made it into the US embassy, with ABC providing more detail in October.

In any case, the closure of the two recreational facilities had the excellent effect of getting journalists scurrying to the sites, one of which US officials misidentified:

Articles on Friday about the Obama administration’s decision to close two Russian-owned compounds in the United States misidentified one of the compounds, using information from the White House and F.B.I. officials. The administration ordered the closure of Norwich House in Upper Brookville, N.Y., owned by Russia — not the nearby Killenworth Mansion in Glen Cove, N.Y., also owned by the Russians. An accompanying picture that showed Killenworth Mansion should have been of Norwich House.

Every outlet was able to highlight pictures of big mansions and interview neighbors about weird interactions with Russians. All perfectly scripted just like the Americans.

Putin, of course, threatened to retaliate by kicking out 35 diplomats, but instead invited the children of American diplomats to a party at the Kremlin. Also perfectly scripted.

Two documents on Russian hacking

Finally, the government released two documents on Russian hacking: a document introducing a Joint Analysis Report and the Joint Analysis Report itself. It appears the introductory document served mostly to get FBI, ODNI, and DHS all listed on one document — so there’s no doubt that this comes from the entire IC, as there was of the October 7 report that FBI declined to sign off on. It has this odd endorsement of many — but not all — claims made by a number of — but not all — security industry reports.

A great deal of analysis and forensic information related to Russian government activity has been published by a wide range of security companies.  The U.S. Government can confirm that the Russian government, including Russia’s civilian and military intelligence services, conducted many of the activities generally described by a number of these security companies.

I guess we’ll just have to guess which parts the security firms got right and which they did not.

As for the Joint Analysis Report (JAR), it purports to be an alert to make everyone more vigilant against Russian hacks. A number of tech experts have criticized the contents. Robert Graham calls them a “political tool, to prove they have evidence pointing to Russia. They have limited utility to defenders, or those publicly analyzing attacks.” Robert M Lee says the report “reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.” Jerry Gamblin notes that a fifth of the IP addresses included were Tor exit nodes, meaning they could be used by anyone. Wordfence analyzes one malware sample and finds that it “is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence.” Ultimately, the tech folks are complaining that the report is not very useful for defensive purposes, which is ostensibly what it is supposed to do.

But several of the reports also include some version of this conclusion from Lee: “the indicators are not very descriptive and will have a high rate of false positives for defenders that use them.”

That is, we may see more of what we saw Friday, when a Vermont utility did as instructed with the report — searched for the indicators included in the report — reported a positive hit, only to have anonymous sources immediately blow it up to mean Russia had hacked our grid. That find might turn out to be a Russian probe, or it might not; there’s little doubt that Russia can hack our electrical system. But what it did do is feed a panic.

And even though the report is supposed to only address defense (with the report to Congress designed to report on the actual attacks) there is an odd detail in the narrative about the attack. After describing APT 29 (associated with FSB) and APT 28 (associated with GRU) generally, the report includes these two paragraphs.

In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.

In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.

Of FSB’s attack (APT29 ), the report states that at least one person clicked a bad link. After infesting (not a technical term!) the DNC server, the report describes, FSB “exfiltrated email from several accounts through encrypted connections.”

That is, the government is saying it (or someone else) watched FSB steal documents.

Now compare that to the GRU description (APT 28). I guess the narrative vaguely suggests that recipients changed their passwords after being phished, though there’s nowhere near the exactitude of at least one user clicking a bad link as used with FSB. And on the critical issue — whether any data was exfiltrated — the report only says it was “likely” that the information was exfiltrated. There’s no claim here, as there was with FSB, to have watched the documents be exfiltrated.

That’s important because GRU is the presumed source for the dump to Wikileaks (as the “assessment” that follows states). We’ve long known that the government wasn’t certain how the documents got from GRU to Wikileaks, but here, they seem to go further and say they only believe it “likely” that the documents were exfiltrated.

And note what’s not in the report? Any mention of John Podesta, whose leaked emails took up the final month of the campaign.

Maybe I’m overreading this (wouldn’t be the first time). But after going out of its way to include a narrative that isn’t necessary to the point of the report, the report stops short of making certain statements about the issues we most care about, that GRU stole the documents that Wikileaks got.

I’ll have a bit more on this report later. But it just seems odd from both the technical side and the narrative side.

Because security professionals are so confident in the Russian attribution of the DNC hack, they have largely ignored alternative theories from the likes of Wikileaks and Bill Binney. That’s unfortunate, because Craig Murray, in his description of his own role in getting the Podesta files to Wikileaks, at least, revealed a detail that needs greater attention. He believes he received something (perhaps the documents themselves, perhaps something else) from a person with ties to US national security.

[I]f we believe that Murray believes this, we know that the intermediary can credibly claim to have ties to American national security.

So on September 25, Murray met a presumed American in DC for a hand-off related to the Podesta hack.

I raise that because Trump is now promising we’ll learn something this week about the hack that may cast doubt on the claims Russia was behind it.

He added: “And I know a lot about hacking. And hacking is a very hard thing to prove. So it could be somebody else. And I also know things that other people don’t know, and so they cannot be sure of the situation.”

When asked what he knew that others did not, Mr. Trump demurred, saying only, “You’ll find out on Tuesday or Wednesday.”

If Murray met an American claiming to have done the hack, then Trump may have too. That doesn’t mean the Russians didn’t do the hack (though it could mean an American borrowed GRU’s tools to do it). It could just as easily mean the Russians have an American cut-out, and that while the security community has been looking for Russian-speaking proxies, they’ve ignored the possibility of American ones.

I have a suspicion that Trump’s campaign did meet with such a person (I even have a guess about when it would have happened).

I guess we’ll learn more this week.

It seems like every Friday this month, there has been an alarming Friday night news dump in the WaPo based off anonymous leaks. This time, it’s a story claiming that,

Russian hackers penetrated U.S. electricity grid through a utility in Vermont

The anonymous officials behind this story have just squandered the efforts of a slew of infosecurity professionals trying to get non-experts to take the attribution of the DNC hack seriously.

The story, which features WaPo White House bureau chief Julie Eilperin first on the byline (followed by the usually strong Adam Entous) but does not include WaPo’s cybersecurity reporter Ellen Nakashima at all, claims that “a code” associated with the family of signatures associated with several Russian hacking groups that Obama dubbed Grizzly Steppe for the purposes of yesterday’s CERT report was found “within the system of a Vermont utility.” The language of the report — what do they mean by “code”??? — exhibited no certitude about what the report actually meant.

The original version of the story included no comment from Burlington Electric Department, though added one after the Burlington Free Press revealed that the “code” was not actually in the grid at all, but in a laptop unattached to it. As the Free Press explained, there’s really no reason to worry this would affect the grid.

The utility found the malware Friday on a laptop after the Obama administration released code associated with the campaign, dubbed Grizzly Steppe, on Thursday.

The aim of the release was to allow utilities, companies and organizations to search their computers for the digital signatures of the attack code, to see if they had been targeted.

The computer on which the malware was found was not connected to the operation of the grid, Vermont Public Service Commissioner Christopher Recchia said.

Based on his knowledge, Recchia said Friday night he did not believe the electrical power grid was at risk from the incident. “The grid is not in danger,” Recchia said. “The utility flagged it, saw it, notified appropriate parties and isolated that one laptop with that malware on it.”

So here’s what appears to have happened.

Yesterday, along with all the sanction-related information, DHS released a US-CERT report attempting to draw together all the signatures from the two Russian related hacking groups accused of hacking the DNC. Numerous security experts have criticized it, noting that it reads like “a poorly done vendor intelligence report stringing together various aspects of attribution without evidence” and finding that “21% (191 of 876) of [IP addresses included in the report] were TOR exit nodes,” meaning there are a lot of worse-than-useless details in the report.

That in and of itself was a problem. But then potential Russian targets, including utilities, started scanning their system for the malware included in the report and one of two Vermont utilities found one malware signature on a laptop and alerted the government. The other one is spending its Friday night insisting it was unaffected.

At which point multiple “US officials” (which can include Congressional staffers) and one Senior Administration Official (who, given Eilperin’s involvement, is likely at the White House) ran to the press and insinuated that Russia had hacked our grid, even while admitting they don’t really know what the fuck this is.

American officials, including one senior administration official, said they are not yet sure what the intentions of the Russians might have been. The incursion may have been designed to disrupt the utility’s operations or as a test to see whether they could penetrate a portion of the grid.

Officials said that it is unclear when the code entered the Vermont utility’s computers, and that an investigation will attempt to determine the timing and nature of the intrusion, as well as whether other utilities were similarly targeted.

“The question remains: Are they in other systems and what was the intent?” a U.S. official said.

Of course, by the time this report was amended to make it clear the malware was not in the grid at all, the story itself had gotten picked up by other outlets, even in spite of the many many many security professionals mocking the report as soon as it came out.

So now a slew of people are convinced that Russia has hacked (a word that has lost all meaning in the last month) our electrical grid — I’ve even seen some people assuming this occurred this week! — even though no actual analysis of what is going on has happened yet.

Here’s the thing. Some of these security professionals are the same ones who’ve been saying for months that the DNC hack can be reliably attributed to the Russian state. I mostly agree (though I’ve got some lingering doubts). And while those of us who follow this closely can distinguish the two different kind of analyses, the general public will not. And — having been alarmed off a premature report here that was not sufficiently researched before publicized — they will be utterly justified in believing the government is making baseless claims to generate fear among the public.

As I said, I mostly agree with reports attributing the DNC hack to the Russians. But seeing inflammatory shit like this peddled anonymously to the press makes me far more inclined to believe the government is blowing smoke.

While I was out and about today, President Obama rolled out his sanctions against Russia to retaliate for the Russian hack of Democrats this year. Effectively, the White House sanctioned two Russian intelligence agencies (GRU — Main Intelligence, and FSB –Federal Security Service), top leaders from one of them, and two named hackers.

In addition to sanctioning GRU, the White House also sanctioned FSB. I find that interesting because (as I laid out here), GRU has always been blamed for the theft of the DNC and John Podesta documents that got leaked to WikiLeaks. While FSB also hacked the DNC, there’s no public indication that it did anything aside from collect information — the kind of hacking the NSA and CIA do all the time (and have done during other countries’ elections). Indeed, as the original Crowdstrike report described, FSB and GRU weren’t coordinating while snooping around the DNC server.

At DNC, COZY BEAR intrusion has been identified going back to summer of 2015, while FANCY BEAR separately breached the network in April 2016. We have identified no collaboration between the two actors, or even an awareness of one by the other. Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario. “Putin’s Hydra: Inside Russia’s Intelligence Services”, a recent paper from European Council on Foreign Relations, does an excellent job outlining the highly adversarial relationship between Russia’s main intelligence services – Федеральная Служба Безопасности (FSB), the primary domestic intelligence agency but one with also significant external collection and ‘active measures’ remit, Служба Внешней Разведки (SVR), the primary foreign intelligence agency, and the aforementioned GRU. Not only do they have overlapping areas of responsibility, but also rarely share intelligence and even occasionally steal sources from each other and compromise operations. Thus, it is not surprising to see them engage in intrusions against the same victim, even when it may be a waste of resources and lead to the discovery and potential compromise of mutual operations.

Data provided by FireEye to War on the Rocks much later in the year suggested that the DNC hack was the only time both showed up in a server, which it took to mean the opposite of what Crowdstrike had, particularly high degree of coordination.

According to data provided for this article by the private cybersecurity company, FireEye, two separate but coordinated teams under the Kremlin are running the campaign. APT 28, also known as “FancyBear,” has been tied to Russia’s foreign military intelligence agency, the Main Intelligence Agency or GRU. APT 29, aka “CozyBear,” has been tied to the Federal Security Service or FSB. Both have been actively targeting the United States. According to FireEye, they have only appeared in the same systems once, which suggests a high level of coordination — a departure from what we have seen and come to expect from Russian intelligence.

The sanctioning materials offers only this explanation for the FSB sanction: “The Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB) assisted the GRU in conducting the activities described above.”

So I’m not sure what to make of the fact that FSB was sanctioned along with GRU. Perhaps it means there was some kind of serial hack, with FSB identifying an opportunity that GRU then implemented — the more extensive coordination that FireEye claims. Perhaps it means the US has decided it’s going to start sanctioning garden variety information collection of the type the US does.

But I do find it an interesting aspect of the sanctions.

YouGov has a poll showing that “belief in conspiracy theories largely depends on political identity.” For example, it shows that Republicans believe Obama is Kenyan.

It focuses on several things it considers conspiracy theories tied to this election, including pizzagate, millions of alleged illegal votes, and claims about the Russian hack.

Interestingly, it shows that half of Clinton voters believe that Russia tampered with vote tallies to get Trump elected, in spite of the White House’s assurances that did not happen.

It’s the other tested question about Russian hacking that strikes me as more curious. 87% of Clinton voters believe Russia hacked Democratic emails “in order to help Donald Trump,” whereas only 20% of Trump voters believe that.

That’s about the result I’d expect. But to explain why this is a conspiracy theory, YouGov writes,

Similarly, even after the Central Intelligence Agency and the Federal Bureau of Investigation reported that Russia was responsible for the leaks of damaging information from the Democratic National Committee and the Clinton campaign and that the hacking was done to help Donald Trump win the Presidency, only one in five say that is definitely true, about the same percentage as believe it is definitely not true.

So YouGov bases this “truth” on a claim that the CIA and FBI “reported that Russia was responsible for the leaks … and that the hacking was done to help Donald Trump win the Presidency.”

Except there has been no such report, not from CIA and FBI, anyway.

There was an official report finding that,

The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. … These thefts and disclosures are intended to interfere with the US election process.

That is, the official report stated that the hack was “intended to interfere with the US election process;” it did not say the hack was done to help Trump.

Moreover, while the report speaks for the entire IC (including the FBI), the report itself came from DHS and ODNI, not FBI or CIA.

It is absolutely true that anonymous leakers — at least some of whom appear to be Democratic Senate sources — claim that CIA said the hack happened to get Trump elected. It is also true that anonymous sources passed on the substance of a John Brennan letter that said in separate conversations with Jim Comey and James Clapper, each agreed with Brennan about the purpose of the hack, which WaPo edited its previous reporting to say included electing Trump as one of a number of purposes, but that’s a third-hand report about what Jim Comey believes.

But that was not an official report, not even from CIA. Here’s what John Brennan said when interviewed about this topic by NPR’s Mary Louise Kelly:

You mentioned the FBI director and the director of national intelligence. And NPR confirmed with three sources that after the three of you meeting last week, you sent a memo to your workforce and that the memo read: There is strong consensus among us on the scope, nature and intent of Russian interference in our presidential elections. Is that an accurate quote from your memo?

I certainly believe that, that there is strong consensus.

Was there ever not?

Well, sometimes in the media, there is claims, allegations, speculation about differences of view. Sometimes I think that just feeds concerns about, you know, the strength of that intelligence and …

And in this case it was reports of tension between FBI and CIA …

… and differences of view. And I want to make sure that our workforce is kept as fully informed as possible so that they understand that what we’re doing, we’re doing in close coordination with our partners in the intelligence community. And so I try to keep my workforce informed on a periodic basis. But aside from whatever message I might have sent out to the workforce, there is, I strongly believe, very strong consensus among the key players — but not just the leaders of these organizations, but also the institutions themselves. And that’s why we’re going through this review. We want to make sure that we scrub this data, scrub the information and make sure that the assessment and analysis is as strong and as grounded as it needs to be.

That quote I read you about the memo that you sent mentioned that there is agreement on scope, nature and intent of Russian interference. And intent is the one that’s been controversial recently, the question of motive. How confident are you in the intelligence on that? It seems like proving motive is an infinitely harder thing than proving that somebody did something. The “why” is tough.

I will not disagree with you that the why is tough. And that’s why there needs to be very careful consideration of what it is that we know, what it is that we have insight into and what our analysis needs to be. But even back in early October when Jim Clapper and Jeh Johnson put out this statement, it said “the intent to interfere in the election.” Now, there are different elements that could be addressed in terms of how it wanted to interfere. And so that’s why this review is being done to make sure that there is going to be a thorough look at the nature, scope and intent of what transpired.

What’s been reported is that the CIA has concluded the intent was to interfere with the election with the purpose of swinging at Donald Trump. Is that an accurate characterization?

That’s an accurate characterization of what’s been appearing in the media. Yes.

Is it an accurate characterization of where the CIA is on this?

Well, that’s what the review is going to do. And we will be as forward-leaning as the intelligence and analysis allows us to be, and we will make sure that, again, President Obama and the incoming administration understands what the intelligence community has assessed and determined to have happened during the run-up to this election.

Why not confirm that that’s where the CIA is on this? Why not confirm if you have the evidence that you believe is …

Because I don’t work for NPR, Mary Louise. I work for the president, I work for the administration, and it is my responsibility to give them the best information and judgment possible.

That is, the CIA Director specifically avoided stating what he or his agency believes the motive to be, deferring to the ongoing review of the evidence, something that Obama also did in his press conference earlier this month.

Q Mr. President, I want to talk about Vladimir Putin again. Just to be clear, do you believe Vladimir Putin himself authorized the hack? And do you believe he authorized that to help Donald Trump? And on the intelligence, one of the things Donald Trump cites is Saddam Hussein and the weapons of mass destruction, and that they were never found. Can you say, unequivocally, that this was not China, that this was not a 400-pound guy sitting on his bed, as Donald Trump says? And do these types of tweets and kinds of statements from Donald Trump embolden the Russians?

THE PRESIDENT: When the report comes out, before I leave office, that will have drawn together all the threads. And so I don’t want to step on their work ahead of time.

What I can tell you is that the intelligence that I have seen gives me great confidence in their assessment that the Russians carried out this hack.

None of that is to say that CIA and (perhaps to a lesser extent) FBI don’t think Russia hacked Democrats to help Trump, as one of several — probably evolving over the course of the election — reasons. CIA surely does (but then it has a big incentive to downplay the most obvious motivation, that Russia was retaliating for perceived and real CIA covert actions against it). FBI probably does.

But there has been no “report” that they believe that, just anonymous reports of reports. The official stance of the Executive Branch is that they’re conducting a review of the evidence on this point.

Perhaps if YouGov wants to test conspiracy theories, it should start by sticking to topics about which there aren’t a slew of anonymous leaks and counter-leaks contravened by public deferral?

Because the press tends to report what the government wants it to on indictments of Chinese hackers, rather than what they’ve really indicted, I wanted to look closely at the case against three Chinese nationals accused — per the news reports — of engaging in insider trading. Here’s how Reuters describes the case against Iat Hong, Bo Zheng, and Chin Hung.

Three Chinese citizens have been criminally charged in the United States with trading on confidential corporate information obtained by hacking into networks and servers of law firms working on mergers, U.S. prosecutors said on Tuesday.

Iat Hong of Macau, Bo Zheng of Changsha, China, and Chin Hung of Macau were charged in an indictment filed in Manhattan federal court with conspiracy, insider trading, wire fraud and computer intrusion.

Prosecutors said the men made more than $4 million by placing trades in at least five company stocks based on inside information from unnamed law firms, including about deals involving Intel Corp and Pitney Bowes Inc.

The indictment does, indeed, accuse the three men of hacking (probably by phishing) into a number of law firms — definitely Cravath Swain & Moore and probably Weil Gotshal to steal information on upcoming mergers and acquisitions. The indictment focuses on the contemplated acquisition of Intermune, by Intel of Altera, and by Pitney Bowes of Borderfree.

Note the indictment never says who was trying to buy Intermune (that is, who the M&A customer of the law firm was). Indeed, in actuality that customer never bought Intermune; Roche did.

That is, for this one transaction, the insider information didn’t necessarily help, because the best information would have involved hacking Roche’s firm.

Other potential buyers of Intermune listed in what may be an article cited in the indictment were Sanofi, Actelion, and GlaxoSmithKline.

That’s not all that big a deal. The indictment at least alleges insider trading accomplished after hacking the lawyers advising on the deals.

Though note that M&A information may not be the only thing to find at the target firms. Christine Varney is the Cravath partner overseeing AT&T’s purchase of Time Warner. That deal was first announced on October 22. This indictment was actually dated October 13 and the first item in the docket dates to June. There would be far more interesting information to some entities, including the Chinese state, about merger involving AT&T that would reside on Cravath’s servers than offering prices, especially given Varney’s close ties to government. That merger necessarily deals with communications policy, up to and including certain surveillance agreements. One would assume the FBI wouldn’t let Cravath to continue to be hacked after the first discovery of this (though John Podesta would argue differently); but if someone like Varney were targeted, there would be far more interesting information than just deal terms.

That said, the detail I found particularly interesting is the way the indictment alleges intellectual property theft. On top of being traders hacking for insider trading information, the indictment claims, the defendants also ran a robotics start-up.

And in addition to stealing information from M&E law firms, the indictment claims the defendants also stole information from a US and a Taiwanese firm involved in robotics.

Indeed, the indictment claims that the defendants were stealing key intellectual property from competitors, from the very beginning of the charged period.

This is interesting to me for several reasons. First, as I have noted, the government likes to claim a Pittsburgh indictment involves IP theft, but in reality, the indictment mostly charges the theft of information pertaining to negotiations, something the US does as well. The sole exception is the theft of nuclear reactor information between companies that already had an information sharing deal.

But also note the timing laid out in the indictment gets awfully vague when it describes the end of the theft of IP. “Late 2015” might or might not be sometime after Obama got Xi Jinpeng to agree to cut down on the hacking of the US in September 2015.

The US has generally played up any possible instance of IP theft involving Chinese nationals. That’s not what happened here. Instead, this is a story about insider trading theft.

Which brings me to one other interesting passage from the indictment, which explains how the defendants tried to hack a bunch of other law firms.

Here, the indictment does list an end date: September 2015, the same month Obama and Xi reached their agreement.

What follows that accusation is a list of five more victim law firms the defendants allegedly tried to hack. All the attempted hacks listed took place on either March 31, or April 3, or April 6, 2015 (so nowhere close to September). Because the information is attempt focused, it might not derive from the targeted law firms (though it could come from a contractor who worked with multiple law firms), but from an attack point.

In any case, thus far this indictment has been spun as another of Preet Bharara’s insider trading indictments. But there may be more here.

On Friday, October 14 at 8:30 PM, NBC posted a story promising, “CIA Prepping for Possible Cyber Strike Against Russia.”

The Obama administration is contemplating an unprecedented cyber covert action against Russia in retaliation for alleged Russian interference in the American presidential election, U.S. intelligence officials told NBC News.

Current and former officials with direct knowledge of the situation say the CIA has been asked to deliver options to the White House for a wide-ranging “clandestine” cyber operation designed to harass and “embarrass” the Kremlin leadership.

The sources did not elaborate on the exact measures the CIA was considering, but said the agency had already begun opening cyber doors, selecting targets and making other preparations for an operation.

On Friday December 9, just hours after President Obama announced a review of the intelligence on Russia hacking the election, at least one senior US official (which I said at the time “seems primarily to come from Democratic Senators”) told the WaPo,

The CIA has concluded in a secret assessment that Russia intervened in the 2016 election to help Donald Trump win the presidency, rather than just to undermine confidence in the U.S. electoral system.

Over the following week, caveats on that story got leaked to the press. But on Friday, December 16, literally as the White House press corps was waiting for President Obama to speak, the WaPo reported that John Brennan released a letter to CIA’s workforce telling them FBI and DNI agreed one reason Russia hacked the election was to get Trump elected.

FBI Director James B. Comey and Director of National Intelligence James R. Clapper Jr. are in agreement with a CIA assessment that Russia intervened in the 2016 election in part to help Donald Trump win the White House, officials disclosed Friday, as President Obama issued a public warning to Moscow that it could face retaliation.

[snip]

The positions of Comey and Clapper were revealed in a message that CIA Director John Brennan sent to the agency’s workforce Friday.

“Earlier this week, I met separately with FBI [Director] James Comey and DNI Jim Clapper, and there is strong consensus among us on the scope, nature, and intent of Russian interference in our presidential election,” Brennan said, according to U.S. officials who have seen the message.

As I noted, the quoted parts of the letter didn’t actually say what the purpose of the hack was, and it made clear that Brennan had met separately with Jim Comey and James Clapper, meaning any claim of consensus was merely Brennan’s view of the serial meetings. In its report, the WaPo made no note that a week earlier it had reported that getting Trump elected was the (singular) goal of the hack, whereas here it was saying getting Trump elected was one of the goals.

On December 20, a senior intelligence official suggested to me this leakapalooza came from Congress, not the CIA. I noted I had made that so clear that a Harry Reid aide had given me shit about it. I also noted that the second leak came from a Brennan letter, which of course was carefully crafted and easily leaked.

On Thursday December 22 at 9:27 PM, NPR posted an interview between Mary Louise Kelly and John Brennan. It played the interview during Morning Edition and All Things Considered. Here’s the full transcript.

In one version of the interview, Kelly explained to Steve Inskeep that the interview wasn’t supposed to cover Russia at all but in fact spent 20 minutes (out of 52) on it.

He did not want to talk about Russia at all. When his team was confirming the interview with me they said, he’s not gonna go there, he’s not gonna talk about Russia. I said, well, I gotta ask about Russia. And they said, well, you can try. So I did and we ended up talking about Russia for close to 20 minutes.

After Kelly asked, “hand over heart, is [the intelligence] solid?” Brennan assured her Russia did in fact “try to interfere” in the US election. Brennan explained,

There is very strong consensus among not just the leaders of these organizations but also the institutions themselves. And that’s why we’re going through this review. We want to make sure that we scrub the information and make sure that the assessment and analysis is as strong and as grounded as it needs to be.

Kelly then goes on to prod him about motive specifically, mentioning that his letter said FBI and DNI agreed on the “nature, scope, and intent” of the hack. But she doesn’t yet raise what the conflict had been — whether Putin wanted to get Trump elected or not — or even any of the stated motives at all. Brennan responded by not addressing that issue either,

I will not disagree with you that the why is tough. And that’s why there needs to be very very careful consideration of what it is that we know and what it is that we have insight into and what our analysis needs to be. That’s why this review is being done, to make sure that there is going to be a thorough look at the nature, scope, and intent of what transpired.

Kelly reminds him that what had been appearing in the press is that Russia hacked the election “with the purpose of swinging it to Donald Trump.” Brennan responds,

Kelly: Is that an accurate characterization?

Brennan: That’s an accurate characterization of what’s been appearing in the media, yes.

Kelly: Is that an accurate characterization of where the CIA is on this?

Brennan: Well, that’s what the review is going to do. And we will make sure that President Obama and the incoming administration understands what the intelligence community has assessed and determined to have happened during the run-up to this election.

Which brings NPR to the big headline of their story from an interview in which Brennan didn’t want to discuss Russia at all. Kelly explains that Brennan doesn’t want to hack Russia in retaliation for its hack. Here’s why:

Well, this country is based on the democratic principles that our nation was founded upon. And there is a lot of challenges throughout the world to those principles of freedom, liberty, freedom of speech and the will of the people in order to govern as they see fit. And the election process is one of those foundational elements of our democracy. And I individually believe that there are certain things that this government, our country, should not be engaged in because it is inconsistent with those precepts, those tenets of the United States of America. So this was what’s making, you know, this challenging, which is how to safeguard our system, safeguard our digital domain, and make sure that there are decisions that can be taken that will deter, maybe sometimes punish those who violate the law, as well as try to attack our national security and try to undermine the democracy that we are.

Kelly asked how retaliating in kind would undermine American democratic principles.

Help me understand. Connect that line for me. How would retaliating in kind — so, a cyberattack against Russia — how would that undermine American democratic principles?

Well, I think if we hold dear the principles of democracy, liberty, freedom and freedom of speech and the right of people everywhere to have governments of their choosing, preventing the conduct of a free and fair and open election, devoid of interference and foreign manipulation, is something that I think the United States government, as well as the American people, would certainly want to make sure that’s going to be who we are.

And so there are a lot of things that those adversaries, enemies that we have, whether they be terrorists or proliferators or … whomever. Nation-states. They do some things that I think are beyond the pale. That’s why I don’t think we should resort to some of the tactics and techniques that our adversaries employ against us. I think we need to remember what we’re fighting for. We’re fighting for our country, our democracy, our way of life, and to engage in the skulduggery that some of our opponents and adversaries engage in, I think, is beneath this country’s greatness.

[snip]

We need to make sure that we are going to lead the way when it comes to allowing countries and people to choose their leaders, free of that foreign interference. And that’s the concerns we have, as we’ve seen, not just the United States but in other countries as well, the hand of foreign actors. And I don’t think it’s a secret that the the Russians have tried to influence the outcome of elections in other countries as well. So this is not just a question of their cyber activity. It’s a question of their using their influence in ways that are inconsistent, I believe, with what should be happening in these countries’ electoral processes.

Brennan goes on to state that the CIA has never tampered in elections in the 21st century (though he admits CIA does do what it can to ensure people get to vote), even while asserting that the rebels in Aleppo have not gotten adequate outside support.

So to sum up: CIA doesn’t want to retaliate against Russia because that’s not consistent with the democratic principles on which this country was founded.

For the last several weeks, all of DC has been wailing that Russia hacked the election, in part because John Podesta didn’t have two-factor authentication on his Gmail account.

So it should scare all of you shitless that, as of August 29, 2016, not all high risk users at NSA had 2FA.

That revelation comes 35 pages  into the 38 page HPSCI report on Edward Snowden. It describes how an IG Report finished on August 29 found that NSA still had not closed the Privileged Access-Related holes in the NSA’s network.

That’s not the only gaping hole: apparently even server racks in data centers were not secure.

And note that date: August 29? Congress would have heard about these glaring problems just two weeks after the first Shadow Brokers leak, and days after Hal Martin got arrested with terabytes of NSA data in his backyard shed.

I think I can understand why James Clapper and Ash Carter want to fire Mike Rogers.