What Was the Relationship Between FSB and GRU in the DNC Hack, Redux?

/27 Comments/in , /by

I want to return to last week’s House Intelligence Hearing on Russia (because that fecker Devin Nunes canceled my birthday hearing with James Clapper and John Brennan today), to revisit a question I’ve asked a number of times (in most detail here): what was the relationship between Russia’s FSB and GRU intelligence services in the DNC hack?

The public narrative (laid out in this post) goes like this: Sometime in summer 2015, APT (Advanced Persistent Threat) 29 (associated with FSB, Russia’s top intelligence agency) hacked the DNC along with 1,000 other targets and because DNC ignored FBI’s repeated warnings, remained in their network unnoticed. Then, in March 2016, APT 28 (generally though not universally associated with GRU, Russia’s military intelligence) hacked DNC and John Podesta. According to the public story, GRU oversaw the release (via DC Leaks and Guccifer 2.0) and leaking (to Wikileaks via as-yet unidentified cut-outs) of the stolen documents.

Under the public story, then, FSB did the same kind of thing the US does (for example, with Enrique Peña Nieto in 2012), collecting intelligence on a political campaign, whereas GRU did something new (though under FBI-directed Sabu, we did something similar to Bashar al-Assad in 2012), leaking documents to Wikileaks.

Obama’s sanctions to retaliate for the hack primarily focused on GRU, but did target FSB as well, though without sanctioning any FSB officers by name. And in its initial report on the Russian hack, the government conflated the two separate groups, renaming attack tools previously dubbed Cozy and Fancy Bear the “Grizzly Steppe,” making any detailed discussion of how they worked together more confusing. As I noted, however, the report may have offered more detail about what APT 29 did than what APT 28 did.

Last week’s hearing might have been an opportunity to clarify this relationship had both sides not been interested in partisan posturing. Will Hurd even asked questions that might have elicited more details on how this worked, but Admiral Mike Rogers refused to discuss even the most basic details  of the hacks.

HURD: Thank you, Chairman.

And gentlemen, thank you all for being here. And thank you for your continued service to your country. I’ve learned recently the value of sitting in one place for a long period of time and listening and today I’m has added to that understanding and I’m going to try to ask questions that y’all can answer in this format and are within your areas of expertise. And Director Rogers, my first question to you — the exploit that was used by the Russian’s to penetrate the DNC, was it sophisticated? Was it a zero day exploit? A zero day being some type of — for those that are watching, an exploit that has never been used before?

ROGERS: In an open unclassified forum, I am not going to talk about Russian tactics, techniques or procedures about how they executed their hacks.

HURD: If members of the DNC had not — let me rephrase this, can we talk about spear fishing?

ROGERS: Sure, in general terms, yes sir.

HURD: Spear fishing is when somebody sends an email and they — somebody clicks on something in that email…

ROGERS: Right, the user of things (inaudible) they’re receiving an email either of interest or from a legitimate user, they open it up and they’ll often click if you will on a link — an attachment.

HURD: Was that type of tactic used in the…

ROGERS: Again, I’m not in an unclassified forum just not going to be…

The refusal to discuss the most basic details of this hack — even after the government listed 31 reports describing APT 28 and 29 (and distinguishing between the two) in its updated report on the hacks — is weird, particularly given the level of detail DOJ released on the FSB-related hack of Yahoo. Given that the tactics themselves are not secret (and have been confirmed by FBI, regardless of what information NSA provided), it seems possible that the government is being so skittish about these details because they don’t actually match what we publicly know. Indeed, at least one detail I’ve learned about the documents Guccifer 2.0 leaked undermines the neat GRU-FSB narrative.

Comey did confirm something I’ve been told about the GRU side of the hack: they wanted to be found (whereas the FSB side of the hack had remained undiscovered for months, even in spite of FBI’s repeated efforts to warn DNC).

COMEY: The only thing I’d add is they were unusually loud in their intervention. It’s almost as if they didn’t care that we knew what they were doing or that they wanted us to see what they were doing. It was very noisy, their intrusions in different institutions.

There is mounting evidence that Guccifer 2.0 went to great lengths to implicate Russia in the hack. Confirmation GRU also went out of its way to make noise during the DNC hack may suggest both within and outside of the DNC the second hack wanted to be discovered.

I have previously pointed to a conflict between what Crowdstrike claimed in its report on the DNC hack and what the FBI told FireEye. Crowdstrike basically said the two hacking groups didn’t coordinate at all (which Crowdstrike took as proof of sophistication). Whereas FireEye said they did coordinate (which it took as proof of sophistication and uniqueness of this hack). I understand the truth is closer to the latter. APT 28 largely operated on its own, but at times, when it hit a wall of sorts, it got help from APT 29 (though there may have been some back and forth before APT 29 did share).

All of which brings me to two questions Elise Stefanik asked. First, she asked — casually raising it because it had “been in the news recently” — whether the FSB was collecting intelligence in its hack of Yahoo.

STEFANIK: Thank you. Taking a further step back of what’s been in the news recently, and I’m referring to the Yahoo! hack, the Yahoo! data breech, last week the Department of Justice announced that it was charging hackers with ties to the FSB in the 2014 Yahoo! data breech. Was this hack done to your knowledge for intelligence purposes?

COMEY: I can’t say in this forum.

STEFANIK: Press reporting indicates that Yahoo! hacked targeted journalists, dissidence and government officials. Do you know what the FSB did with the information they obtained?

COMEY: Same answer.

Again, in spite of the great deal of detail in the indictment, Comey refused to answer these obvious questions.

The question is all the more interesting given that the indictment alleges that Alexsey Belan (who was sanctioned along with GRU in December) had access to Yahoo’s network until December 2016, well after these hacks. More interestingly, Belan was “minting” Yahoo account credentials at least as late as May 20, 2016. That’s significant, because one of the first things that led DNC to be convinced Russia was hacking it was when Ali Chalupa, who was then collecting opposition research on Paul Manafort from anti-Russian entities in Ukraine, kept having her Yahoo account hacked in early May. With the ability to mint cookies, the FSB could have accessed her account without generating a Yahoo notice. Chalupa has recently gone public about some, though not all, of the other frightening things that happened to her last summer (she was sharing them privately at the time). So at a time when the FSB could have accomplished its goals unobtrusively, hackers within the DNC network, Guccifer 2.0 outside of it, and stalkers in the DC area were all alerting Chalupa, at least, to their presence.

While it seems increasingly likely the FSB officers indicted for the Yahoo hack (one of whom has been charged with treason in Russia) were operating at least partly on their own, it’s worth noting that overlapping Russian entities had three different ways to access DNC targets.

Note, Dianne Feinstein is the one other person I’m aware of who is fully briefed on the DNC hack and who has mentioned the Yahoo indictment. Like Comey, she was non-committal about whether the Yahoo hack related to the DNC hack.

Today’s charges against hackers and Russian spies for the theft of more than 500 million Yahoo user accounts is the latest evidence of a troubling trend: Russia’s sustained use of cyber warfare for both intelligence gathering and financial crimes. The indictment shows that Russia used these cyberattacks to target U.S. and Russian government officials, Russian journalists and employees of cybersecurity, financial services and commercial entities.

There seems to be a concerted effort to obscure whether the Yahoo hack had any role in the hack of the DNC or other political targets.

Finally, Stefanik asked Comey a question I had myself.

STEFANIK: OK, I understand that. How — how did the administration determine who to sanction as part of the election hacking? How — how familiar with that decision process and how is that determination made?

COMEY: I don’t know. I’m not familiar with the decision process. The FBI is a factual input but I don’t recall and I don’t have any personal knowledge of how the decisions are made about who to sanction.

One place you might go to understand the relationship between GRU and FSB would be to Obama’s sanctions, which described the intelligence targets this way.

  • The Main Intelligence Directorate (a.k.a. Glavnoe Razvedyvatel’noe Upravlenie) (a.k.a. GRU) is involved in external collection using human intelligence officers and a variety of technical tools, and is designated for tampering, altering, or causing a misappropriation of information with the purpose or effect of interfering with the 2016 U.S. election processes.
  • The Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB) assisted the GRU in conducting the activities described above.

[snip]

  • Sanctioned individuals include Igor Valentinovich Korobov, the current Chief of the GRU; Sergey Aleksandrovich Gizunov, Deputy Chief of the GRU; Igor Olegovich Kostyukov, a First Deputy Chief of the GRU; and Vladimir Stepanovich Alexseyev, also a First Deputy Chief of the GRU.

Remember, by the time Obama released these sanctions, several FSB officers, including Dmitry Dokuchaev (who was named in the Yahoo indictment) had been detained for treason for over three weeks. But the officers named in the sanctions, unlike the private companies and individual hackers, are unlikely to be directly affected by the sanctions.

The sanctions also obscured whether Belan was sanctioned for any role in the DNC hack.

  • Aleksey Alekseyevich Belan engaged in the significant malicious cyber-enabled misappropriation of personal identifiers for private financial gain.  Belan compromised the computer networks of at least three major United States-based e-commerce companies.

Again, all of this suggests that the intelligence community has reason to want to obscure how these various parts fit together, even while publicizing the details of the Yahoo indictment.

Which suggests a big part of the story is about how the public story deviates from the real story the IC is so intent on hiding.

The Temporal Feint in Adam Schiff’s Neat Narrative

/32 Comments/in , , , /by

I did four — count them! four! — interviews on the Russian hearing yesterday. And one thing I realized over the course of the interviews is that people were far more impressed with Adam Schiff’s opening speech than they should have been.

I want to look closely at this passage which — if it were accurate — would be a tight little presentation of quid pro quo tied to the change of platform at the July 18-21, 2016 RNC. But it’s not. I’ve bolded the two claims that are most problematic, though the presentation as a whole is misleading.

In early July, Carter Page, someone candidate Trump identified as one of his national security advisors, travels to Moscow on a trip approved by the Trump campaign. While in Moscow, he gives a speech critical of the United States and other western countries for what he believes is a hypocritical focus on democratization and efforts to fight corruption.

According to Christopher Steele, a former British intelligence officer who is reportedly held in high regard by U.S. Intelligence, Russian sources tell him that Page has also had a secret meeting with Igor Sechin (SEH-CHIN), CEO of Russian gas giant Rosneft. Sechin is reported to be a former KGB agent and close friend of Putin’s. According to Steele’s Russian sources, Page is offered brokerage fees by Sechin on a deal involving a 19 percent share of the company. According to Reuters, the sale of a 19.5 percent share in Rosneft later takes place, with unknown purchasers and unknown brokerage fees.

Also, according to Steele’s Russian sources, the Trump campaign is offered documents damaging to Hillary Clinton, which the Russians would publish through an outlet that gives them deniability, like Wikileaks. The hacked documents would be in exchange for a Trump Administration policy that de-emphasizes Russia’s invasion of Ukraine and instead focuses on criticizing NATO countries for not paying their fare share – policies which, even as recently as the President’s meeting last week with Angela Merkel, have now presciently come to pass.

In the middle of July, Paul Manafort, the Trump campaign manager and someone who was long on the payroll of Pro-Russian Ukrainian interests, attends the Republican Party convention. Carter Page, back from Moscow, also attends the convention. According to Steele, it was Manafort who chose Page to serve as a go-between for the Trump campaign and Russian interests. Ambassador Kislyak, who presides over a Russian embassy in which diplomatic personnel would later be expelled as likely spies, also attends the Republican Party convention and meets with Carter Page and additional Trump Advisors JD Gordon and Walid Phares. It was JD Gordon who approved Page’s trip to Moscow. Ambassador Kislyak also meets with Trump campaign national security chair and now Attorney General Jeff Sessions. Sessions would later deny meeting with Russian officials during his Senate confirmation hearing.

Just prior to the convention, the Republican Party platform is changed, removing a section that supports the provision of “lethal defensive weapons” to Ukraine, an action that would be contrary to Russian interests. Manafort categorically denies involvement by the Trump campaign in altering the platform. But the Republican Party delegate who offered the language in support of providing defensive weapons to Ukraine states that it was removed at the insistence of the Trump campaign. Later, JD Gordon admits opposing the inclusion of the provision at the time it was being debated and prior to its being removed.

Later in July, and after the convention, the first stolen emails detrimental to Hillary Clinton appear on Wikileaks. A hacker who goes by the moniker Guccifer 2.0 claims responsibility for hacking the DNC and giving the documents to Wikileaks. But leading private cyber security firms including CrowdStrike, Mandiant, and ThreatConnect review the evidence of the hack and conclude with high certainty that it was the work of APT28 and APT29, who were known to be Russian intelligence services. The U.S. Intelligence community also later confirms that the documents were in fact stolen by Russian intelligence and Guccifer 2.0 acted as a front. [emphasis on most problematic claims mine]

What Schiff tries to do here is suggest that the Russians offered Trump kompromat on Hillary, Trump’s team changed the GOP platform, and then in response the Russians started releasing the DNC emails through Wikileaks.

Later in the hearing, several Republicans disputed the nature of the change in the platform. Both in and outside of the hearing, Republicans have noted that the changed platform matched the policy in place by the Obama Administration at the time: to help Ukraine, but stop short of arming them. All that said, the story on this has clearly changed. The change in the platform clearly shows the influence of Russophiles moving the party away from its hawkish stance, but it’s not enough, in my opinion, to sustain the claims of quid pro quo. [Update: One of the outside the hearing arguments that the platform was not weakened is this Byron York piece b linked, which argues the platform actually got more anti-Russian.]

The bigger problem with Schiff’s neat narrative is the way it obscures the timeline of events, putting the release of DNC emails after the change in platform. That is true with regards to the Wikileaks release, but not the Guccifer 2 release, which preceded the platform change.  Moreover, the references in Steele’s dossier Schiff invokes are not so clear cut — the dossier alleges Russia offered kompromat on Hillary unrelated to the stolen emails before any discussion of the Wikileaks emails. I’ve put what Schiff’s timeline would look like if it were not aiming to play up the quid pro quo of the RNC below (note this timeline doesn’t include all Steele reports, just those specifically on point; see also this site for a comprehensive Guccifer related timeline). It shows several things:

  • The changes to the platform preceded the meetings with Sergey Kislyak. Indeed, the first public report on the change in platform even preceded the Kislyak meetings by a day.
  • The stolen documents began to be released well before the platform got changed.
  • The early Steele report on discussions of sharing a dossier of kompromat on Hillary pertains to a dossier dating back decades (even though these reports all post-date the first Guccifer releases, so could have included a discussion of hacked materials). The first explicit reference to the DNC hack comes after Wikileaks started releasing documents (and earlier reports which ought to include such references don’t).
  • The later Steele report tying the Wikileaks release to a change in policy came after the policy had already changed and documents had already been released.
  • The alleged quid pro quo tied to the early July Carter Page meeting was for the lifting of sanctions, not the shift on NATO and Ukraine; the Steele dossier describes the latter as the quid pro quo in exchange for the Wikileaks release only after the emails start coming out from Wikileaks.

Also note: the report that first ties Wikileaks (but not Guccifer) to a quid pro quo is one of the reports that made me raise questions about the provenance of the report as we received it.

This is not lethal for the argument that the Trump campaign delivered on a quid pro quo. For example, if there was extensive coordination, Trump could have changed his policy in March after learning that the Russian military intelligence hack — the one allegedly designed to collect documents to leak — had started. Or perhaps the Guccifer leaks were a down-payment on the full batch. But there’s no evidence of either.

In any case, the narrative, as laid out by Adam Schiff, doesn’t hold together on several points. Trump’s team has not yet delivered on the quid pro quo allegedly tied to the Rosneft brokerage fees that were paid to someone (it’s not public whom) in December — that is, the lifting of sanctions. As laid out here, the descriptions of an offer of a dossier of information on Hillary prior to the Republican platform pertained to stuff going back decades, not explicitly to Wikileaks; the shift of discussion to Wikileaks only came after the emails had already appeared and any Ukraine related policy changes had already been made.

There’s plenty of smoke surrounding Trump and his associates. It doesn’t require fudging the timeline in order to make it appear like a full quid pro quo (and given Jim Comey’s reliance on “coordination” rather than “collusion” in Monday’s discussion, it’s not even clear such quid pro quo would be necessary for a conspiracy charge). Adam Schiff can and should be more careful about this evidence in future public hearings.

Update: Given how remarkably late the references to the stolen emails are in the dossier, I’m linking this post showing how later entries included a feedback loop.

March 19: John Podesta phished (DNC compromise generally understood to date to same time period).

March 31: Trump reportedly embraces pro-Russian stance in foreign policy meeting with advisors.

April 19th: DCLeaks.com registered.

June 8th: DCLeaks.com posts leaks (from post dates).

June 13th: First archived record of DCLeaks posts.

June 15: Crowdstrike report names Russia in DNC hack, first Guccifer 2.0 releases via TSG and Gawker.

June 18: Guccifer releases at WordPress site.

June 20: Steele report presents obviously conflicting information on exchanging intelligence with Trump. A senior Russian Foreign Ministry figure said “the Kremlin had been feeding TRUMP and his team valuable intelligence on his opponents, including … Hillary CLINTON, for several years.” A former top level intelligence officer still active in the Kremlin stated that the Kremlin had been collating a dossier on Hillary, “for many years, dating back to her husband Bill’s presidency, and comprised mainly eavesdropped conversations of various sorts. … Some of the conversations were from bugged comments CLINTON had made on her various trips to Russia and focused on things she had said which contradicted her current position on various issues.” A senior Kremlin official, however, said that the dossier “had not as yet been made available abroad, including to TRUMP or his campaign team.”

July 7-8: Carter Page in Moscow. Allegedly (per later Steele dossier reports) he is offered brokerage fees for the sale of a stake in Rosneft in exchange for ending sanctions on Russia.

July 11-12: Platform drafted.

July 18-21: RNC.

July 18: First report of changes to platform.

July 19: Sergey Kislyak meets numerous Trump associates after a Heritage sponsored Jeff Sessions talk.

July 19: Steele report provides first details of Carter Page meeting in Russia during which Divyekin raises “a dossier of ‘kompromat’ the Kremlin possessed on TRUMP’s Democratic presidential rival, Hillary CLINTON, and its possible release to the Republican’s campaign team.” In context (especially because the same report also warns Trump of kompromat Russia holds on him), this seems to be the dossier going back years also mentioned in the June 20 report, not Wikileaks emails. Certainly no explicit mention of Wikileaks or the hack appears in the report, even though the report is based off July reporting that post-date the first Guccifer 2.0 leaks.

July 22: Wikileaks starts releasing DNC emails.

July 26: Steele report describing conversations from June describes Russian hacking efforts in terms already publicly known to be false. For example, the report claims FSB had not yet had success penetrating American or other “first tier” targets. FSB had success hacking American targets the previous year, including the DNC. This report includes no discussion of the DNC hack or Wikileaks.

Undated July, probably because of report number between July 26 and 30: An “ethnic Russian close associate of Republican US presidential candidate Donald TRUMP” includes the first reference to the DNC hack and WikiLeaks:

[T]he Russian regime had been behind the recent leak of embarrassing e-mail messages, emanating from the Democratic National Committee (DNC) to the Wikileaks platform. The reason for using WikiLeaks was “plausible deniability” and the operation had been conducted with the full knowledge and support of TRUMP and senior members of his campaign team. In return the TRUMP team had agreed to sideline Russian intervention in Ukraine as a campaign issue and to raise US/NATO defence commitments in the Baltics and Eastern Europe to deflect attention away from Ukraine, a priority for PUTIN who needed to cauterise the subject.

July 30: A Russian emigre close to Trump describes concern in the campaign about the DNC email fallout. This report mentions that the Kremlin “had more intelligence on CLINTON and her campaign but he did not know the details or when or if it would be released.” In context, it is unclear whether this refers to stolen documents, though the reference to the campaign suggests that is likely.

August 5: Steele report describes Russian interference as a botched operation, discusses wishful thinking of Trump withdrawing.

August 10: Steele report discusses the “impact and results of Kremlin intervention in the US presidential election to date” claiming Russia’s role in the DNC hack was “technically deniable.” This report conflicts in some ways with the August 5 report, specifically with regards to the perceived success of the operation.

September 14: Steele report referencing kompromat on Hillary clearly in context of further emails.

October 18: More detailed Steele report account of Carter Page meeting, including date. It asserts that “although PAGE had not stated it explicitly to SECHIN, he had clearly implied that in terms of his comment on TRUMP’s intention to lift Russian sanctions if elected president, he was speaking with the Republican candidate’s authority.”

October 19: More Steele report accounting of Michael Cohen’s August attempts to clean up after Manafort and Page.

When a White Republican Gets Spied On, Privacy Suddenly Matters

/38 Comments/in , , /by

As expected, much of today’s hearing on the Russian hack consisted of members of Congress — from both parties — posturing for the camera.

At first, it seemed that the Republican line of posturing — complaining about the leak that exposed Mike Flynn’s conversations with Ambassador Sergey Kislyak — tracked Donald Trump’s preferred approach, to turn this into a witch hunt for the leakers.

But it was actually more subtle than that. It appears Republicans believe the leaks about Flynn have (finally) made Congress skittish about incidental collection of US person communications as part of FISA collection. And so both Tom Rooney and Trey Gowdy spent much of their early hearing slots discussing how much more difficult the leak of Flynn’s name will make Section 702 reauthorization later this year. In the process, they should have created new fears about how painfully ignorant the people supposedly overseeing FISA are.

Rooney, who heads the subcommittee with oversight over NSA, started by quizzing Mike Rogers about the process by which a masked US person identity can be disclosed. Along the way, it became clear Rooney was talking about Section 702 reauthorization even while he was talking traditional FISA collection, which doesn’t lapse this year.

Rooney: If what we’re talking about is a serious crime, as has been alleged, in your opinion would leaking of a US person who has been unmasked and disseminated by intelligence community officials, would that leaking hurt or help our ability to conduct national security.

Rogers: Hurt.

Rooney: Ok, if it hurts, this leak, which through the 702 tool, which we all agree is vital–or you and I at least agree to that–do you think that that leak actually threatens our national security. If it’s a crime, and if it unmasks a US person, and this tool is so important it could potentially jeopardize this tool when we have to try to reauthorize it in a few months, if this is used against our ability to reauthorize this tool, and we can’t get it done because whoever did this leak, or these nine people that did this leak, create such a stir, whether it be in our legislative process or whatever, that they don’t feel confident a US person, under the 702 program, can be masked, successfully, and not leaked to the press, doesn’t that hurt–that leak–hurt our national security.

Eventually Admiral Rogers broke in to explain to his congressional overseer very basic facts about surveillance, including that Flynn was not and could not have been surveilled under Section 702.

Rogers: FISA collection on targets in the United States has nothing to do with 702, I just want to make sure we’re not confusing the two things here. 702 is collection overseas against non US persons.

Rooney: Right. And what we’re talking about here is incidentally, if a US person is talking to a foreign person that we’re listening to whether or not that person is unmasked.

Nevertheless, Rooney made it very clear he’s very concerned about how much harder the Flynn leak will make it for people like him to convince colleagues to reauthorize Section 702, which is even more of a privacy concern than traditional FISA.

Rooney: But it’s really going to hurt the people on this committee and you in the intelligence community when we try to retain this tool this year and try to convince some of our colleagues that this is really important for national security when somebody in the intelligence community says, you know what the hell with it, I’m gonna release this person’s name, because I’m gonna get something out of it. We’re all gonna be hurt by that. If we can’t reauthorize this tool. Do you agree with that?

A little later, Trey Gowdy got his second chance to complain about the leak. Referencing Rogers’ earlier explanation that only 20 people at NSA can unmask a US person identity, Gowdy tried to figure out how many at FBI could, arguing (this is stunning idiocy here) that by finding a finite number of FBI officials who could unmask US person identities might help assuage concerns about potential leaks of US persons caught in FISA surveillance.

Comey: I don’t know for sure as I sit here. Surely more, given the nature of the FBI’s work. We come into contact with US persons a whole lot more than the NSA does because we may be conducting — we only conduct our operations in the United States to collect electronic surveillance. I can find out the exact number. I don’t know it as I sit here.

Gowdy: I think Director Comey given the fact that you and I agree that this is critical, vital, indispensable. A similar program is coming up for reauthorization this fall with a pretty strong head wind right now, it would be nice to know the universe of people who have the power to unmask a US citizen’s name. Cause that might provide something of a road map to investigate who might have actually disseminated a masked US citizen’s name.

Here’s why this line of questioning from Gowdy is unbelievably idiotic. Both for traditional FISA, like the intercept targeting Kislyak that caught Flynn, and for Section 702, masking and unmasking identities at FBI is not the concern. That’s because the content from both authorities rests in FBI’s databases, and anyone cleared for FISA can access the raw data. And those FBI Agents not cleared for FISA can and are encouraged just to ask a buddy who is cleared to do it.

In other words, every Agent at FBI has relatively easy way to access the content on Flynn, so long as she can invent a foreign intelligence or criminal purpose reason to do so.

Which is probably why Comey tried to pitch something he called “culture” as adequate protection, rather than the very large number of FBI Agents who are cleared into FISA.

Comey: The number is … relevant. What I hope the US–the American people will realize is the number’s important but the culture behind it is in fact more important. The training, the rigor, the discipline. We are obsessive about FISA in the FBI for reasons I hope make sense to this committee. But we are, everything that’s FISA has to be labeled in such a way to warn people this is FISA, we treat this in a special way. So we can get you the number but I want to assure you the culture in the FBI and the NSA around how we treat US person information is obsessive, and I mean that in a good way.

So then Gowdy asks Comey something he really has a responsibility to know: what other agencies have Standard Minimization Procedures. (The answer, at least as the public record stands, is NSA, CIA, FBI, and NCTC have standard minimization procedures, with Main Justice using FBI’s SMPs.)

Gowdy: Director Comey I am not arguing with you and I agree the culture is important, but if there are 100 people who have the ability to unmask and the knowledge of a previously masked name, then that’s 100 different potential sources of investigation. And the smaller the number is, the easier your investigation is. So the number is relevant. I can see the culture is relevant. NSA, FBI, what other US government agencies have the authority to unmask a US citizen’s name?

Comey: Well I think all agencies that collect information pursuant to FISA have what are called standard minimization procedures which are approved by the FISA court that govern how they will treat US person information. So I know the NSA does, I know the CIA does, obviously the FBI does, I don’t know for sure beyond that.

Gowdy: How about Main Justice?

Comey: Main Justice I think does have standard minimization procedures.

Gowdy: Alright, so that’s four. NSA, FBI, CIA, Main Justice. Does the White House has the authority to unmask a US citizen’s name?

Comey: I think other elements of the government that are consumers of our can ask the collectors to unmask. The unmasking resides with those who collected the information. And so if Mike Rogers’ folks collected something, and they send it to me in a report and it says it’s US person #1 and it’s important for the FBI to know who that is, our request will go back to them. The White House can make similar requests of the FBI or NSA but they don’t on their own collect, so they can’t on their own unmask.

That series of answers didn’t satisfy Gowdy, because from his perspective, if Comey isn’t able to investigate and find a head for the leak of Flynn’s conversation with Kislyak — well, I don’t know what he thinks but he’s sure an investigation, possibly even the prosecution of journalists, is the answer.

Gowdy: I guess what I’m getting at Director Comey, you say it’s vital, you say it’s critical, you say that it’s indispensable, we both know it’s a threat to the reauthorization of 702 later on this fall and oh by the way it’s also a felony punishable by up to 10 years. So how would you begin your investigation, assuming for the sake of argument that a US citizen’s name appeared in the Washington Post and the NY Times unlawfully. Where would you begin that investigation?

This whole series of questions frankly mystifies me. I mean, these two men who ostensibly provide oversight of FISA clearly didn’t understand what the biggest risk to privacy is –back door searches of US person content — which at the FBI doesn’t even require any evidence of wrong-doing. That is the biggest impediment to reauthorizing FISA.

And testimony about the intricacies of unmasking a US person identity — particularly when a discussion of traditional FISA serves as stand-in for Section 702 — does nothing more than expose that the men who supposedly oversee FISA closely have no fucking clue — and I mean really, not a single fucking clue — how it works. Devin Nunes, too, has already expressed confusion on how access to incidentally collected US person content works.

Does anyone in the House Intelligence Committee understand how FISA works? Bueller?

In retrospect, I’m really puzzled by what is so damning about the Flynn leak to them. I mean, don’t get me wrong, I’m very sympathetic to the complaint that the contents of the intercepts did get leaked. If you’re not, you should be. Imagine how you’d feel if a Muslim kid got branded as a terrorist because he had a non-criminal discussion with someone like Anwar al-Awlaki? (Of course, in actual fact what happened is the Muslim kids who had non-criminal discussions with Awlaki had FBI informants thrown at them until they pressed a button and got busted for terrorism, but whatever.)

But Rooney and Gowdy and maybe even Nunes seemed worried that their colleagues in the House have seen someone like them — not a young Muslim, but instead a conservative white man — caught up in FISA, which has suddenly made them realize that they too have conversations all the time that likely get caught up in FISA?

Or are they worried that the public discussion of FISA will expose them for what they are, utterly negligent overseers, who don’t understand how invasive of privacy FISA currently is?

If it’s the latter, their efforts to assuage concerns should only serve to heighten those concerns. These men know so little about FISA they don’t even understand what questions to ask.

In any case, after today’s hearing I am beginning to suspect the IC doesn’t like to have public hearings not because someone like me will learn something, but because we’ll see how painfully little most of the so-called overseers have learned in all the private briefings the IC has given them. If these men don’t understand the full implications of incidental collection, two months after details of Flynn’s conversations have been leaked, then it seems likely they’ve been intentionally mis or underinformed.

Or perhaps they’re just not so bright.

FBI Delayed Telling the Gang of Four about Trump-Related Investigation Because It Is So Serious

/59 Comments/in , , /by

As every newspaper in town has reported, at today’s hearing into Russia’s hack of the DNC, Jim Comey confirmed that the FBI has a counterintelligence investigation into the hack that includes whether Trump’s associates coordinated with Russian actors. Along the way, Comey refused to join in James Clapper’s statement that there was no evidence of collusion between Trump’s aides and Russia. When the now retired Director of National Intelligence said that, Clapper had emphasized that his statement only extended through the end of his service, January 20; he warned that some evidence may have been discovered after that.

A far more telling detail came close to the end of the hearing, during NY Congresswoman Elise Stefanik’s questioning. She started by asking what typical protocols were for informing the DNI, the White House, and senior Congressional leadership about counterintelligence investigations.

Stefanik: My first set of questions are directed at Director Comey. Broadly, when the FBI has any open counterintelligence investigation, what are the typical protocols or procedures for notifying the DNI, the White House, and senior congressional leadership?

Comey: There is a practice of a quarterly briefing on sensitive cases to the Chair and Ranking of the House and Senate Intelligence Committees. The reason I hesitate is, thanks to feedback we’ve gotten, we’re trying to make it better. And that involves a briefing briefing the Department of Justice, I believe the DNI, and the — some portion of the National Security Council at the White House. We brief them before Congress is briefed.

Stefanik: So it’s quarterly for all three, then, senior congressional leadership, the White House, and the DNI?

Comey: I think that’s right. Now that’s by practice, not by rule or by written policy. Which is why, thanks to the Chair and Ranking giving us feedback, we’re trying to tweak it in certain ways.

Note that point: the practice has been that FBI won’t brief the Gang of Four until after they’ve briefed DOJ, the DNI, and the White House. Stefanik goes on to ask why, if FBI normally briefs CI investigations quarterly, why FBI didn’t brief the Gang of Four before the last month, at least seven months after the investigation started. Comey explains they delayed because of the sensitivity of the investigation.

Stefanik: So since in your opening statement you confirmed that there is a counterintelligence investigation currently open and you also referenced that it started in July, when did  you notify the DNI, the White House, or senior Congressional leadership?

Comey: Congressional leadership, sometime recently — they were briefed on the nature of the investigation and some details, as I said. Obviously the Department of Justice must have been aware of it all along. The DNI … I don’t know what the DNI’s knowledge of it was, because we didn’t have a DNI until Mr. Coats took office and I briefed him his first morning in office.

Stefanik: So just to drill down on this, if the open investigation began in July, and the briefing of Congressional leadership only occurred recently, why was there no notification prior to the recent — the past month.

Comey: I think our decision was it was a matter of such sensitivity that we wouldn’t include it in the quarterly briefings.

Stefanik: So when you state “our decision,” is that your decision, is it usually your decision what gets briefed in those quarterly updates?

Comey: No. It’s usually the decision of the head of our counterintelligence division.

Stefanik: And just again, to get the details on the record, why was the decision not to brief senior congressional leadership until recently, when the investigation had been open since July, a very serious investigation. Why was that decision made to wait months?

Comey: Because of the sensitivity of the matter.

Stefanik then got Comey to reconfirm what the IC report says: that Russia had hacked numerous entities, he would later say over a thousand, including Republican targets.

Stefanik then turned to the Yahoo investigation. She asked whether the FSB officers involved conducted the hack for intelligence purposes — a question Comey refused to answer. He also refused to answer what the FSB did with the information stolen.

Stefanik: Taking a further step back of what’s been in the news recently and I’m referring to the Yahoo hack, the Yahoo data breach, last week the Department of Justice announced it was charging hackers with ties to the FSB in the 2014 data breach. Was this hack done, to your knowledge, for intelligence purposes?

Comey: I can’t say in this forum.

Stefanik: Press reporting indicates the Yahoo hack targeted journalists, dissidents and government officials. Do you know what the FSB did with the information they obtained?

Comey: Same answer.

Stefanik: Okay, I understand that.

This is important for a number of reasons, including the evidence that the FSB was hiding their hacking from others in Russia.

Stefanik then turned to the sanctions, asking if Comey had any insight into how the Obama Administration chose who got sanctioned in December — which included Alexsey Belan but not the FSB officers involved (one of whom, Dmitry Dokuchaev, was already under arrest for treason by the time of the sanctions).

Stefanik: How did the Administration determine who to sanction as part of the election hacking? How familiar are [] with that decision process and how is that determination made?

Comey: I don’t know. I’m not familiar with the decision-making process. The FBI is a factual input but I don’t recall — I don’t have any personal knowledge about how the decisions were made about who to sanction.

Again, her interest in this is significant — I’ll explain why in a follow-up.

Stefanik then asked what the intelligence agencies would do going forward to keep entities safe from Russian hacking. As part of the response, Mike Rogers revealed (unsurprisingly) that NSA first learned of FSB’s hacking of those many targets in the summer of 2015.

Finally, Stefanik returned to her original point, when Congress gets briefed on CI investigations. Comey’s response was remarkable.

Stefanik: It seems to me, in my first line of questioning, the more serious a counterintelligence investigation is, that would seem to trigger the need to update not just the White House, the DNI, but also senior congressional leadership. And you stated it was due to the severity. I think moving forward, it seems the most severe and serious investigations should be notified to senior congressional leadership. And with that thanks for your lenience, Mr. Chairman, I yield back.

Comey could have been done with Stefanik yielding back. But instead, he interrupted, and suggested part of the delay had to do with the practice of briefing within the Executive Branch NSC before briefing Congress.

Comey: That’s good feedback, Ms. Stefanik, the challenge for is, sometimes we want to keep it tight within the executive branch, and if we’re going to go brief congressional leaders, the practice has been then we brief inside the executive branch, and so we have to try to figure out how to navigate that in a good way.

Which seems to suggest one reason why the FBI delayed briefing the Gang of Four (presumably, this is the Gang of Eight) is because they couldn’t brief all Executive Branch people the White House, and so couldn’t brief Congress without first having briefed the White House.

Which would suggest Mike Flynn may be a very central figure in this investigation.

Update: I’ve corrected my last observation to match Comey’s testimony that the delay had to do with keeping things on a close hold within the Executive Branch. That may be nothing, it may reflect the delay on confirming Dan Coats, it may be Flynn (if you normally brief the NSC, after all the National Security Advisor would be among the first to be briefed), but it also could be Jeff Sessions.

Why Would FSB Officer Dmitry Dokuchaev Use a Yahoo Email Account to Spy for Russia?

/9 Comments/in , /by

At the Atlantic, I expanded on this post to explore how Russia has to do by hacking what the US can do using Section 702. As I lay out, for a lot of foreign spying involving US tech companies, Russia has to do things like phish or hack Yahoo’s servers to gain the kind of access the NSA gets just by asking nicely.

But as Jeffrey Carr notes in this post, that’s not true for unencrypted communications that originate in Russia. FSB — the agency where alleged Yahoo hackers Dmitry Dokuchaev and Igor Sushchin worked — have access to anything that originates in Russia.

To put it another way, the FSB has total information awareness on every type of communication that originates in Russia or passes through Russian servers.

Carr uses that detail to argue that this probably means Dokuchaev — who was charged by Russia with treason in December — and Suschin were operating on their own.

[W]hy would the FSB, with their vast resources and legal authorities, need to collect information on Russian targets in Russia via Yahoo?

The obvious answer is — they don’t. And since all of the defendants with the exception of one person are either criminals or charged by the Russian government with treason, the Yahoo breach was most likely the act of corrupt FSB employees and criminal hackers rather than an official FSB operation.

Now, many if not most accounts identified in the indictment (I made a list of the described targets in this post) wouldn’t be officially available, because they’re located in countries adjoining Russia or the US.

But there are a few other details that do support Carr’s argument.

First, in addition to Yahoo and Google accounts, the conspirators targeted a Russian webmail service — probably Yandex.

In or around April 2016, the conspirators sought access to an account of a senior officer at a Russian webmail and internet-related services provider (the “Russian Webmail Provider”). On or about April 25, 2016, DOKUCHAEV successfully minted a cookie to gain access to the victim user’s account.

Admittedly, FSB might not want to go to Yandex (or whichever provider it is) to ask for information on one of their senior officers, but nevertheless, this information should be available officially in Russia. Another passage that describes the Russian webmail service lists only Russian targets, though that section also includes Google targets, so those may have been the GMail accounts of Russians unavailable in Russia.

In addition, the day after the indictment, Sushchin got fired from Renaissance Capital (which is owned by Nets owner Mikhail Prokhorov), where he was embedded. That suggests his was not an official embed noticed to the company (though it still may have been a legitimate FSB placement).

Most interesting of all is that Dokuchaev used US resources to conduct the hack. He had a Paypal account, which he presumably used to pay Karim Baratov.

All funds which constitute proceeds that are held on deposit in PayPal account number xxxxxxxxxxxxxxx2639, held by DOKUCHAEV;

And, according to the G&M (and this is the most amazing part), Dokuchaev used a Yahoo account to communicate with Baratov.

Mr. Dokuchaev is alleged in the court documents to have used a Yahoo e-mail account to contact Mr. Baratov and hire him to get the log-in information for about 80 accounts belonging to victims of the Yahoo hack.

I get why you wouldn’t email Baratov from your [email protected] account, because that would alert Canadian and US authorities he was working with Russian spies. But surely a Russian spy knows enough not to communicate via an account that is readily available to US authorities under Section 702, even if the conspirators’ persistent presence in the Yahoo servers might alert you to such surveillance? Even if you wanted to use an account in North America there are surely better options.

In other words, there are a lot of reasons to believe that Dokuchaev was making more effort to keep this activity out of easy reach of Russian authorities then he did to hide it from the US.

How Was Karim Baratov Paid?

/1 Comment/in , /by

The indictment accusing two FSB officers and two hackers of compromising Yahoo in 2014-2016 is remarkably detailed. It describes how Alexsey Belan accessed individual Yahoo accounts (though not how he broke in the first time). It provides lists and lists of who got hacked, in enough detail that any victims who didn’t already know would learn they had been targeted — as would anyone else in Moscow who might find these details of interest.

I want to look closely, though, at what it tells us about how one of the hackers, Karim Baratov, got paid.

The question is not that interesting as it pertains to Belan. In his case, the indictment describes a number of ways he profited off the hack — with marketing commissions for erectile dysfunction drugs, with spam targets based off millions of hacked Yahoo accounts, and with credit and gift card numbers stolen from specific accounts. Moreover, any additional payment to Belan would be internal to Russia — a cinch to pull off without attracting the attention of the FBI or Department of Treasury.

But Baratov, the phisher that broke into Google and (presumably) Yandex accounts for the FSB men after they were identified via Yahoo metadata, is in Canada, meaning financial transfers would be international.

The indictment explains that he demanded payment of about $100 via online payment system per successful phish, and that FSB officer Dmirty Dokuchaev had to pay before obtaining the credentials.

During the conspiracy DOKUCHAEV tasked BARATOV with obtaining unauthorized access to at least 80 identified email accounts, including at least 50 identified Google accounts.

[snip]

When BARATOV successfully obtained unauthorized access to a victim’s account, he notified DOKUCHAEV and provided evidence of that access. He then demanded payment-generally approximately U.S. $100-via online payment services.

Once DOKUCHAEV sent BARATOV a payment,’ BARATOV provided DOKUCHAEV with valid, illicitly obtained account credentials permitting DOKUCHAEV, SUSHCHIN, and others known and unknown to thereafter access the victim’s account without further assistance from BARATOV.

[snip]

Upon successfully gaining the credentials for a tasked account, BARATOV informed DOKUCHAEV thathe could be paid for his work in Russian rubles, U.S. dollars, Ukrainian hryvnia, or Euros through online payment services. DOKUCHAEV then paid BARATOV using these means.

Altogether, Baratov provided access to upwards 80 accounts, for a total profit of not much more than $8,000 for crimes that expose him to decades in prison.

At least once (though I believe just this once), the indictment actually records Dokuchaev paying Baratov.

On or about November 17, 2015, BARATOV sent DOKUCHAEV the password for ****[email protected], to which account DOKUCHAEV had tasked BARATOV to gain unauthorized access.

On or about November 17, 2015, DOKUCHAEV paid BARATOV U.S. $104.20.

We also learn that — in addition to seizing Baratov’s Aston Martin and Mercedes — the government will be seizing the contents of a Paypal account in his name.

All funds which constitute proceeds that are held on deposit in PayPal account number xxxxxxxxxxxxxxx9844, held by BARATOV in the name of “Elite Space Corporation”;

Brian Krebs pointed to one of Baratov’s hacker for hire sites that also accepted payment in WebMoney and YandexMoney.

According to this G&M article, the documents filed in support for extraditing Baratov say the Paypal account was tied to a Royal Bank checking account. (It also says Dokuchaev communicated with Baratov via a Yahoo account!)

The payments are alleged to have travelled through Web accounts including a PayPal account that links to a Royal Bank chequing account in Mr. Baratov’s name. Between February, 2013, and October, 2016, Mr. Baratov received more than $211,000 via that PayPal account, the court records say, adding, however, that the amounts he is alleged to have earned from the Yahoo scheme are smaller.

And the indictment also lists a Dokuchaev Paypal account for forfeiture.

All funds which constitute proceeds that are held on deposit in PayPal account number xxxxxxxxxxxxxxx2639, held by DOKUCHAEV;

So we have a pretty good idea of how the Paypal payments got to Baratov: from Dokuchaev’s account to Baratov’s to Baratov’s Royal Bank checking account.

But we don’t know where the money in Dokuchaev’s account came from — and whether it made the FSB tie clear.

Jeffrey Carr has asked whether this operation was an official or rogue operation from the FSB side — a question which has merit and which I’ll return to. That question certainly raises the stakes on where the money in Dokuchaev’s Paypal account came from.

There’s also the other question. Baratov clearly made more than the $211,000 that came into his Royal Bank account. $211,000 would barely cover his fancy cars, much less the ability to throw $100 bills at trick or treaters. So where is the rest of Baratov’s hacking income coming from?

Incidentally, according to the G&M, Baratov was put under surveillance by the RCMP around March 7. His $900K house was put on sale on March 13, but then delisted after the indictment. The indictment was actually dated February 28.

Password: 0sbP@ss

/24 Comments/in , /by

Remember how infosec people made fun of John Podesta when they learned his iCloud password — which got exposed in the Wikileaks dump of his stolen emails — was Runner4567? 4Chan used the password to hack a bunch of Podesta’s accounts.

Among the pages that got exposed in this week’s Wikileaks dumps of CIA’s hacking tools was a page of Operational Support Branch passwords. For some time the page showed the root password for the network they used for development purposes.

These passwords, as well as one (“password”) for another part of their server, were available on the network site as well.

Throughout the period of updates, it included a meme joking about setting your password to Incorrect.

At the beginning of January 2015, it included the passwords for two unclassified laptops used by the department, one of which was the very guessable 0sbP@ass.

OSB unclass laptop #1 password (tag 2005K676, Dell service tag: 7731Y32): “OSBDemoLap9W53!” (Without quotes)

OSB unclass laptop #2 password (tag 2005K677, Dell service tag: CN81Y32): “0sbP@ss” (no quotes, first chracter is a zero)

Remember, Assange has claimed that CIA treated its exploits as unclassified so they could be spread outside of CIA facilities.

A discussion ensued about what a bad security practice this was.

2015-01-30 14:30 [User #14588054]:

Am I the only one who looked at this page and thought, “I wonder if security would have a heart attack if they saw this.”?

2015-01-30 14:50 [User #7995631]:

Its locked down to the OSB group… idk if that helps.

2015-01-30 15:10 [User #14588054]:

I noticed, but I still cringed when I first saw the page.

I have no idea whether these passwords exacerbated CIA’s exposure. The early 2015 discussion happened well before — at least as we currently understand it — the compromise that led to Wikileaks’ obtaining the files. The laptops themselves were unclassified, and would only be a problem if someone got physical custody of them. Though shared devices like laptops were one of the things for which CIA had a multi-factor authentication problem up until at least August of 2016.

But if we’re going to make fun of John Podesta for password hygiene exposed in a Wikileaks dump, we ought to at least acknowledge that CIA’s hackers, people who spent their days exploiting hygiene sloppiness like this, had (simple) passwords lying around on a server that — as it turns out — was nowhere near as secure as it needed to be.

CIA Did Not Have Multi-Factor Authentication Controls for All Users as Recently as August 2016

/19 Comments/in , /by

I know I keep harping on the disclosures about the intelligence community’s security practices disclosed in the House Intelligence Report on Edward Snowden. But they go some way to explain why people keep walking out of spy agencies with those agencies’ hacking tools.

Over three years after the Snowden leaks, multiple Intelligence Inspector General Reports show, agencies still hadn’t plugged holes identified in response to Snowden’s leaks. When the CIA did an audit mandated by 2015’s CISA bill, for example, it revealed that “CIA has not yet implemented multi-factor authentication controls such as a physical token for general or privileged users of the Agency’s enterprise or mission systems.”

As I understand it, this had something to do with multi-factor use on devices used by multiple persons. So it may not have been as bad as this sounds (and — again, as I understand it, the problem has since been fixed).

Nevertheless, the CIA is whining about how evil Wikileaks is for publishing documents that (per Wikileaks, anyway) CIA stored with inadequate protection.

The American public should be deeply troubled by any Wikileaks disclosure designed to damage the Intelligence Community’s ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize US personnel and operations, but also equip our adversaries with tools and information to do us harm.

Sorry. I mean, Americans can be pissed that its premier intelligence agency got pwned.

But Americans should also be pissed that CIA is storing powerful weapons in a way such that they can easily be leaked. We wouldn’t excuse this with CIA’s anthrax stash. We should not give the Agency a pass here.

The Border Invasion Trump Didn’t Mention

/7 Comments/in , /by

As most people have noted, Trump spent a lot of time bashing immigrants last night. Trump mentioned immigrants 11 times. He also mentioned borders five times, in this context.

We’ve defended the borders of other nations, while leaving our own borders wide open, for anyone to cross — and for drugs to pour in at a now unprecedented rate.

[snip]

At the same time, my Administration has answered the pleas of the American people for immigration enforcement and border security. By finally enforcing our immigration laws, we will raise wages, help the unemployed, save billions of dollars, and make our communities safer for everyone. We want all Americans to succeed –- but that can’t happen in an environment of lawless chaos. We must restore integrity and the rule of law to our borders.

For that reason, we will soon begin the construction of a great wall along our southern border. It will be started ahead of schedule and, when finished, it will be a very effective weapon against drugs and crime.

As we speak, we are removing gang members, drug dealers and criminals that threaten our communities and prey on our citizens. Bad ones are going out as I speak tonight and as I have promised.

To any in Congress who do not believe we should enforce our laws, I would ask you this question: what would you say to the American family that loses their jobs, their income, or a loved one, because America refused to uphold its laws and defend its borders? [my emphasis]

But there was one kind of border invasion Trump didn’t mention: that of Russia (and other state hackers) across our borders. In spite of lots of bombast about cybersecurity (and an early focus on a new cybersecurity EO that has apparently been indefinitely delayed), Trump made no mention of cybersecurity.

To be fair, it’s not like the President always mentions cybersecurity. According to my quick review, Obama only did in half his SOTUs.

2015:

Third, we’re looking beyond the issues that have consumed us in the past to shape the coming century.  No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids.  (Applause.)  So we’re making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism.

And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber attacks, combat identity theft, and protect our children’s information.  That should be a bipartisan effort.

2014:

Here at home, we’ll keep strengthening our defenses, and combat new threats like cyberattacks.

2013:

America must also face the rapidly growing threat from cyber-attacks.  (Applause.)  Now, we know hackers steal people’s identities and infiltrate private emails.  We know foreign countries and companies swipe our corporate secrets.  Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems.  We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.

And that’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy.  (Applause.)

But now Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.  This is something we should be able to get done on a bipartisan basis.  (Applause.)

2012:

To stay one step ahead of our adversaries, I’ve already sent this Congress legislation that will secure our country from the growing dangers of cyber-threats.

Like Trump, Obama didn’t mention cybersecurity the year after disclosure of a massive state-based attack, that of China’s theft of the OPM files.

Still, given how Trump raised the alarm about all sorts of evil infiltrators threatening America, you might think he would have mentioned the Russians (and other state actors) secretly invading and stealing our stuff. “What would you say to the American that loses their credit card number, their identity, their passwords,” Trump might be asked, “because America refused to uphold its laws and defend its borders?”

US Indicts Hal Martin — But Offers No Hint He’s the Source for Shadow Brokers, Or Anyone Else

/2 Comments/in /by

After David Petraeus shared notebooks full of code word intelligence with his girlfriend (and boxes of other classified information), then lied about it to the FBI, the government let Petraeus off with two years of probation.

DOJ just indicted Hal Martin — the Booz Allen contractor who allegedly stole terabytes of NSA information — with 20 charges each carrying up to 10 years of punishment. The indictment includes no hint that Martin did anything but hoard the files he stole. There’s no allegation he shared them with anyone (though, like Petraeus, he definitely kept very sensitive documents in highly insecure fashion).

Significantly, there’s no mention of the Shadow Brokers or even a description of the hacking tools Martin allegedly stole (though that’s likely because DOJ would draw up the indictment to avoid confirming that NSA even has hacking tools, much less the ones released to the public).

The only description of a document specifically targeting an adversary akin to the one described to the WaPo seems to target a terrorist organization, not Russia (meaning that they’re not presenting evidence Martin preferentially collected information on Russia, though again, if he were, they might hide that).

And the indictment alleges that Martin continued to steal documents up until 12 days before he was arrested, and significantly, three days after the first Shadow Brokers post on August 13.

It would be the height of folly for someone who knew he was the source for the Shadow Brokers to keep stealing documents after Shadow Brokers had gone public (though at that point, it wasn’t clear precisely what Shadow Brokers was going to release).

Certainly, the way in which DOJ has charged this — larding on 20 different charges — suggests they’re trying to coerce him into cooperating. The case against Chelsea Manning, which was partly an attempt to coerce Manning to testify against Julian Assange and Wikileaks, was very nearly parallel in the charging of many documents. In Manning’s case, there was no way for her to cooperate to implicate Assange except to lie; there’s nothing Assange did to elicit the files. That may be the case for Martin, too.

The big difference here is there’s absolutely no hint that Martin shared any of this. Given the Petraeus and Hillary precedents, the government will have a difficult time coercing Martin further, given that Petraeus didn’t even do prison time for hoarding and then sharing equally classified documents (albeit not as many of them).

Nevertheless, it appears that that DOJ is trying to coerce Martin to get information it offers no proof he even has.

Update: As it happens, DOJ indicted Hal Martin just over 4 hours before Jeff Sessions, who has refused to recuse himself in investigations of the Russian hack of the DNC, was confirmed as Attorney General. Again, there’s no evidence whatsoever that DOJ has any evidence Martin was a source for Shadow Brokers, who are presumed to have a tie to the DNC hack. But if they suspect it, indicting Martin with such extensive charges before Sessions comes in will make it hard for Sessions to reverse what seems to be an effort to coerce Martin to reveal any tie to the hack.