The Russians Are Coming! The Russians Are — Oops! No Russians!

/14 Comments/in , /by

In my piece on Sunday on the package of sanctions the government released last week, I noted the likelihood the Joint Analysis Report would result in false positives.

But several of the reports also include some version of this conclusion from Lee: “the indicators are not very descriptive and will have a high rate of false positives for defenders that use them.”

That is, we may see more of what we saw Friday, when a Vermont utility did as instructed with the report — searched for the indicators included in the report — reported a positive hit, only to have anonymous sources immediately blow it up to mean Russia had hacked our grid. That find might turn out to be a Russian probe, or it might not; there’s little doubt that Russia can hack our electrical system. But what it did do is feed a panic.

Sure enough, that’s what Friday’s alarmist WaPo story turned out to be. Another WaPo story last night revealed that there’s no evidence Russian government hackers were in Burlington Electric — indeed, it sounds like what the utility might have found was one of the many Tor or other innocuous IP addresses included in the report.

As federal officials investigate suspicious Internet activity found last week on a Vermont utility computer, they are finding evidence that the incident is not linked to any Russian government effort to target or hack the utility, according to experts and officials close to the investigation.

An employee at Burlington Electric Department was checking his Yahoo email account Friday and triggered an alert indicating that his computer had connected to a suspicious IP address associated by authorities with the Russian hacking operation that infiltrated the Democratic Party. Officials told the company that traffic with this particular address is found elsewhere in the country and is not unique to Burlington Electric, suggesting the company wasn’t being targeted by the Russians. Indeed, officials say it is possible that the traffic is benign, since this particular IP address is not always connected to malicious activity.

As it happens, after the government took custody of they laptop, they found other malware, not associated with Russians, on the laptop, but which wasn’t found as a result of last week’s report and scan.

In the course of their investigation, though, they have found on the device a package of software tools commonly used by online criminals to deliver malware. The package, known as Neutrino, does not appear to be connected with Grizzly Steppe, which U.S. officials have identified as the Russian hacking operation. The FBI, which declined to comment, is continuing to investigate how the malware got onto the laptop.

But ultimately, Friday night’s scare, with comments from half of Vermont’s public officials, was about an IP address that has no definitive tie to the Russians.

And that wasn’t the only false positive arising from this report. A Dutch paper did a story accusing a key Dutch privacy person (Bits of Freedom is sort of like EFF) of running a Tor node used by the Russians, as if Tor node operators sign off on the traffic that transits their nodes.

Remember: one of the primary claimed goals of Russia’s hacking is to make Americans lose trust in our government. Because of the way this report and subsequent reporting was rolled out (and leaked to a White House beat reporter), both security professionals and the general public will lose confidence not just in the government’s ability to respond to hacks, but also in the government’s report claiming the Russians were behind the hack. Not to mention, the alarmist report has led the paper that pushed the PropOrNot bullshit to make this kind of claim, blaming sources but not their own reporting.

Authorities also were leaking information about the utility without having all the facts and before law enforcement officials were able to investigate further.

Remember: WaPo first published the story before getting any comment from Burlington Electric.

The government appears to be doing Vlad Putin’s work for him, damaging its own credibility in its efforts to combat his efforts to damage its credibility.

Share this entry

Your Weekly Alarming Anonymous Friday Night WaPo Dump: Vermont Electrical Grid Edition

/43 Comments/in , /by

It seems like every Friday this month, there has been an alarming Friday night news dump in the WaPo based off anonymous leaks. This time, it’s a story claiming that,

Russian hackers penetrated U.S. electricity grid through a utility in Vermont

The anonymous officials behind this story have just squandered the efforts of a slew of infosecurity professionals trying to get non-experts to take the attribution of the DNC hack seriously.

The story, which features WaPo White House bureau chief Julie Eilperin first on the byline (followed by the usually strong Adam Entous) but does not include WaPo’s cybersecurity reporter Ellen Nakashima at all, claims that “a code” associated with the family of signatures associated with several Russian hacking groups that Obama dubbed Grizzly Steppe for the purposes of yesterday’s CERT report was found “within the system of a Vermont utility.” The language of the report — what do they mean by “code”??? — exhibited no certitude about what the report actually meant.

The original version of the story included no comment from Burlington Electric Department, though added one after the Burlington Free Press revealed that the “code” was not actually in the grid at all, but in a laptop unattached to it. As the Free Press explained, there’s really no reason to worry this would affect the grid.

The utility found the malware Friday on a laptop after the Obama administration released code associated with the campaign, dubbed Grizzly Steppe, on Thursday.

The aim of the release was to allow utilities, companies and organizations to search their computers for the digital signatures of the attack code, to see if they had been targeted.

The computer on which the malware was found was not connected to the operation of the grid, Vermont Public Service Commissioner Christopher Recchia said.

Based on his knowledge, Recchia said Friday night he did not believe the electrical power grid was at risk from the incident. “The grid is not in danger,” Recchia said. “The utility flagged it, saw it, notified appropriate parties and isolated that one laptop with that malware on it.”

So here’s what appears to have happened.

Yesterday, along with all the sanction-related information, DHS released a US-CERT report attempting to draw together all the signatures from the two Russian related hacking groups accused of hacking the DNC. Numerous security experts have criticized it, noting that it reads like “a poorly done vendor intelligence report stringing together various aspects of attribution without evidence” and finding that “21% (191 of 876) of [IP addresses included in the report] were TOR exit nodes,” meaning there are a lot of worse-than-useless details in the report.

That in and of itself was a problem. But then potential Russian targets, including utilities, started scanning their system for the malware included in the report and one of two Vermont utilities found one malware signature on a laptop and alerted the government. The other one is spending its Friday night insisting it was unaffected.

At which point multiple “US officials” (which can include Congressional staffers) and one Senior Administration Official (who, given Eilperin’s involvement, is likely at the White House) ran to the press and insinuated that Russia had hacked our grid, even while admitting they don’t really know what the fuck this is.

American officials, including one senior administration official, said they are not yet sure what the intentions of the Russians might have been. The incursion may have been designed to disrupt the utility’s operations or as a test to see whether they could penetrate a portion of the grid.

Officials said that it is unclear when the code entered the Vermont utility’s computers, and that an investigation will attempt to determine the timing and nature of the intrusion, as well as whether other utilities were similarly targeted.

“The question remains: Are they in other systems and what was the intent?” a U.S. official said.

Of course, by the time this report was amended to make it clear the malware was not in the grid at all, the story itself had gotten picked up by other outlets, even in spite of the many many many security professionals mocking the report as soon as it came out.

So now a slew of people are convinced that Russia has hacked (a word that has lost all meaning in the last month) our electrical grid — I’ve even seen some people assuming this occurred this week! — even though no actual analysis of what is going on has happened yet.

Here’s the thing. Some of these security professionals are the same ones who’ve been saying for months that the DNC hack can be reliably attributed to the Russian state. I mostly agree (though I’ve got some lingering doubts). And while those of us who follow this closely can distinguish the two different kind of analyses, the general public will not. And — having been alarmed off a premature report here that was not sufficiently researched before publicized — they will be utterly justified in believing the government is making baseless claims to generate fear among the public.

As I said, I mostly agree with reports attributing the DNC hack to the Russians. But seeing inflammatory shit like this peddled anonymously to the press makes me far more inclined to believe the government is blowing smoke.

Share this entry

Sanctioning GRU … and FSB

/7 Comments/in , , /by

While I was out and about today, President Obama rolled out his sanctions against Russia to retaliate for the Russian hack of Democrats this year. Effectively, the White House sanctioned two Russian intelligence agencies (GRU — Main Intelligence, and FSB –Federal Security Service), top leaders from one of them, and two named hackers.

In addition to sanctioning GRU, the White House also sanctioned FSB. I find that interesting because (as I laid out here), GRU has always been blamed for the theft of the DNC and John Podesta documents that got leaked to WikiLeaks. While FSB also hacked the DNC, there’s no public indication that it did anything aside from collect information — the kind of hacking the NSA and CIA do all the time (and have done during other countries’ elections). Indeed, as the original Crowdstrike report described, FSB and GRU weren’t coordinating while snooping around the DNC server.

At DNC, COZY BEAR intrusion has been identified going back to summer of 2015, while FANCY BEAR separately breached the network in April 2016. We have identified no collaboration between the two actors, or even an awareness of one by the other. Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario. “Putin’s Hydra: Inside Russia’s Intelligence Services”, a recent paper from European Council on Foreign Relations, does an excellent job outlining the highly adversarial relationship between Russia’s main intelligence services – Федеральная Служба Безопасности (FSB), the primary domestic intelligence agency but one with also significant external collection and ‘active measures’ remit, Служба Внешней Разведки (SVR), the primary foreign intelligence agency, and the aforementioned GRU. Not only do they have overlapping areas of responsibility, but also rarely share intelligence and even occasionally steal sources from each other and compromise operations. Thus, it is not surprising to see them engage in intrusions against the same victim, even when it may be a waste of resources and lead to the discovery and potential compromise of mutual operations.

Data provided by FireEye to War on the Rocks much later in the year suggested that the DNC hack was the only time both showed up in a server, which it took to mean the opposite of what Crowdstrike had, particularly high degree of coordination.

According to data provided for this article by the private cybersecurity company, FireEye, two separate but coordinated teams under the Kremlin are running the campaign. APT 28, also known as “FancyBear,” has been tied to Russia’s foreign military intelligence agency, the Main Intelligence Agency or GRU. APT 29, aka “CozyBear,” has been tied to the Federal Security Service or FSB. Both have been actively targeting the United States. According to FireEye, they have only appeared in the same systems once, which suggests a high level of coordination — a departure from what we have seen and come to expect from Russian intelligence.

The sanctioning materials offers only this explanation for the FSB sanction: “The Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB) assisted the GRU in conducting the activities described above.”

So I’m not sure what to make of the fact that FSB was sanctioned along with GRU. Perhaps it means there was some kind of serial hack, with FSB identifying an opportunity that GRU then implemented — the more extensive coordination that FireEye claims. Perhaps it means the US has decided it’s going to start sanctioning garden variety information collection of the type the US does.

But I do find it an interesting aspect of the sanctions.

Share this entry

The Latest Chinese Hacking Story: Bots within Bots

/5 Comments/in /by

Because the press tends to report what the government wants it to on indictments of Chinese hackers, rather than what they’ve really indicted, I wanted to look closely at the case against three Chinese nationals accused — per the news reports — of engaging in insider trading. Here’s how Reuters describes the case against Iat Hong, Bo Zheng, and Chin Hung.

Three Chinese citizens have been criminally charged in the United States with trading on confidential corporate information obtained by hacking into networks and servers of law firms working on mergers, U.S. prosecutors said on Tuesday.

Iat Hong of Macau, Bo Zheng of Changsha, China, and Chin Hung of Macau were charged in an indictment filed in Manhattan federal court with conspiracy, insider trading, wire fraud and computer intrusion.

Prosecutors said the men made more than $4 million by placing trades in at least five company stocks based on inside information from unnamed law firms, including about deals involving Intel Corp and Pitney Bowes Inc.

The indictment does, indeed, accuse the three men of hacking (probably by phishing) into a number of law firms — definitely Cravath Swain & Moore and probably Weil Gotshal to steal information on upcoming mergers and acquisitions. The indictment focuses on the contemplated acquisition of Intermune, by Intel of Altera, and by Pitney Bowes of Borderfree.

Note the indictment never says who was trying to buy Intermune (that is, who the M&A customer of the law firm was). Indeed, in actuality that customer never bought Intermune; Roche did.

That is, for this one transaction, the insider information didn’t necessarily help, because the best information would have involved hacking Roche’s firm.

Other potential buyers of Intermune listed in what may be an article cited in the indictment were Sanofi, Actelion, and GlaxoSmithKline.

That’s not all that big a deal. The indictment at least alleges insider trading accomplished after hacking the lawyers advising on the deals.

Though note that M&A information may not be the only thing to find at the target firms. Christine Varney is the Cravath partner overseeing AT&T’s purchase of Time Warner. That deal was first announced on October 22. This indictment was actually dated October 13 and the first item in the docket dates to June. There would be far more interesting information to some entities, including the Chinese state, about merger involving AT&T that would reside on Cravath’s servers than offering prices, especially given Varney’s close ties to government. That merger necessarily deals with communications policy, up to and including certain surveillance agreements. One would assume the FBI wouldn’t let Cravath to continue to be hacked after the first discovery of this (though John Podesta would argue differently); but if someone like Varney were targeted, there would be far more interesting information than just deal terms.

That said, the detail I found particularly interesting is the way the indictment alleges intellectual property theft. On top of being traders hacking for insider trading information, the indictment claims, the defendants also ran a robotics start-up.

And in addition to stealing information from M&E law firms, the indictment claims the defendants also stole information from a US and a Taiwanese firm involved in robotics.

Indeed, the indictment claims that the defendants were stealing key intellectual property from competitors, from the very beginning of the charged period.

This is interesting to me for several reasons. First, as I have noted, the government likes to claim a Pittsburgh indictment involves IP theft, but in reality, the indictment mostly charges the theft of information pertaining to negotiations, something the US does as well. The sole exception is the theft of nuclear reactor information between companies that already had an information sharing deal.

But also note the timing laid out in the indictment gets awfully vague when it describes the end of the theft of IP. “Late 2015” might or might not be sometime after Obama got Xi Jinpeng to agree to cut down on the hacking of the US in September 2015.

The US has generally played up any possible instance of IP theft involving Chinese nationals. That’s not what happened here. Instead, this is a story about insider trading theft.

Which brings me to one other interesting passage from the indictment, which explains how the defendants tried to hack a bunch of other law firms.

Here, the indictment does list an end date: September 2015, the same month Obama and Xi reached their agreement.

What follows that accusation is a list of five more victim law firms the defendants allegedly tried to hack. All the attempted hacks listed took place on either March 31, or April 3, or April 6, 2015 (so nowhere close to September). Because the information is attempt focused, it might not derive from the targeted law firms (though it could come from a contractor who worked with multiple law firms), but from an attack point.

In any case, thus far this indictment has been spun as another of Preet Bharara’s insider trading indictments. But there may be more here.

Share this entry

Lefties Learn to Love Leaks Again

/12 Comments/in , , , , /by

Throughout the presidential campaign, observers have noted with irony that many on the right discovered a new-found love for WikiLeaks. Some of the same people who had earlier decried leaks, even called Chelsea Manning a traitor, were lapping up what Julian Assange was dealing on a daily basis.

There was a similar, though less marked, shift on the left. While many on the left had criticized — or at least cautioned about — WikiLeaks from the start, once Assange started targeting their presidential candidate, such leaks became an unprecedented, unparalleled assault on decency, which no one seemed to say when similar leaks targeted Bashar al-Assad.

Which is why I was so amused by the reception of this story yesterday.

After revealing that Donald Trump’s Secretary of State nominee “was the long-time director of a US-Russian oil firm based in the tax haven of the Bahamas, leaked documents show” in the first paragraph, the article admits, in the fourth paragraph that,

Though there is nothing untoward about this directorship, it has not been reported before and is likely to raise fresh questions over Tillerson’s relationship with Russia ahead of a potentially stormy confirmation hearing by the US senate foreign relations committee. Exxon said on Sunday that Tillerson was no longer a director after becoming the company’s CEO in 2006.

The people sharing it on Twitter didn’t seem to notice that (nor did the people RTing my ironic tweet about leaks seem to notice). Effectively, the headline “leaks reveal details I have sensationalized” served its purpose, with few people reading far enough to the caveats that admit this is fairly standard international business practice (indeed, it’s how Trump’s businesses work too). This is a more sober assessment of the import of the document detailing Tillerson’s ties with the Exxon subsidiary doing business in Russia.

This Guardian article worked just like all the articles about DNC and Podesta emails worked, even with — especially with — the people decrying the press for the way it irresponsibly sensationalized those leaks.

The response to this Tillerson document is all the more remarkable given the source of this leak. The Guardian reveals it came from an anonymous source for Süddeutsche Zeitung, which in turn shared the document with the Guardian and the International Consortium of Investigative Journalists.

The leaked 2001 document comes from the corporate registry in the Bahamas. It was one of 1.3m files given to the Germany newspaper Süddeutsche Zeitung by an anonymous source.

[snip]

The documents from the Bahamas corporate registry were shared by Süddeutsche Zeitung with the Guardian and the International Consortium of Investigative Journalists in Washington DC.

That is, this document implicating Vladimir Putin’s buddy Rex Tillerson came via the very same channel that the Panama Papers had, which Putin claimed, back in the time Russia was rifling around the DNC server, was a US intelligence community effort to discredit him and his kleptocratic cronies, largely because that was the initial focus of the US-NGO based consortium that managed the documents adopted, a focus replicated at outlets participating.

See this column for a worthwhile argument that Putin hacked the US as retaliation for the Panama Papers, which makes worthwhile points but would only work chronologically if Putin had advance notice of the Panama Papers (because John Podesta got hacked on March 19, before the first releases from the Panama Papers on April 3).

There really has been a remarkable lack of curiosity about where these files came from. That’s all the more striking in this case, given that the document (barely) implicating Tillerson comes from the Bahamas, where the US at least was collecting every single phone call made.

That’s all the more true given the almost non-existent focus on the Bahamas leaks before — from what I can tell just one story has been done on this stash, though the documents are available in the ICIJ database. Indeed, if the source for the leaks was the same, it would seem to point to an outside hacker rather than an inside leaker. That doesn’t mean the leak was done just to hurt Tillerson. The leak, which became public on September 21, precedes the election of Trump, much less the naming of Tillerson. But it deserves at least some notice.

For what it’s worth, I think it quite possible the US has been involved in such leaks — particularly given how few Americans get named in them. But I don’t think the Panama Papers, which implicated plenty of American friends and even the Saudis, actually did target Putin.

Still, people are going to start believing Putin’s claims that this effort is primarily targeted at him if documents conveniently appear from the leak as if on command.

I am highly interested in who handed off documents allegedly stolen by Russia’s GRU to Wikileaks. But I’m also interested in who the source enabling asymmetric corruption claims, as if on demand, is.

Share this entry

Obama’s Response to Russia’s Hack: An Emphasis on America’s More Generalized Vulnerability

/10 Comments/in , , /by

President Obama’s comments Friday about the Russian hack of the DNC were a rare occasion where I liked one of his speeches far more than more partisan Democrats.

I think Democrats were disappointed because Obama declined to promise escalation. The press set Obama up, twice (first Josh Lederman and then Martha Raddatz), with questions inviting him to attack Putin directly. Similarly, a number of reporters asked questions that betrayed an expectation for a big showy response. Rather than providing that, Obama did several things:

  • Distinguish the integrity of the process of voting from our larger political discourse
  • Blame our political discourse (and the press) as much as Putin
  • Insist on a measured response to Putin

Distinguish the integrity of the process of voting from our larger political discourse

From the very start, Obama distinguished between politics and the integrity of our election system.

I think it is very important for us to distinguish between the politics of the election and the need for us, as a country, both from a national security perspective but also in terms of the integrity of our election system and our democracy, to make sure that we don’t create a political football here.

This gets to a point that most people are very sloppy about when they claim Putin “tampered” with the election. Throughout this election, the press has at times either deliberately or incompetently conflated the theft and release of emails (which the intelligence community unanimously agrees was done by Putin) with the hacking of voting-related servers (reportedly done by “Russians,” but not necessarily the Russian state, which is probably why the October 7 IC statement pointedly declined to attribute those hacks to Russia).

Obama, after having laid out how the IC provided the press and voters with a way to account for the importance of the Russian hack on the election, then returns to what he says was a successful effort to ensure Russia didn’t hack the actual vote counting.

What I was concerned about, in particular, was making sure that that wasn’t compounded by potential hacking that could hamper vote counting, affect the actual election process itself.

And so in early September, when I saw President Putin in China, I felt that the most effective way to ensure that that didn’t happen was to talk to him directly and tell him to cut it out, and there were going to be some serious consequences if he didn’t. And, in fact, we did not see further tampering of the election process.

This is consistent with the anonymous statement the White House released over Thanksgiving weekend, which the press seems unaware of. In it, the White House emphasized that it was aware of no malicious election-related tampering, while admitting they had no idea whether Russia had ever planned any in the first place.

Blame our political discourse (and the press) as much as Putin

By far the most important part of Obama’s comments, I think, were his comments about why he believed this to be the right approach.

Obama described the October 7 DHS/ODNI statement as an effort to inform all voters of the hack and leak (and high level involvement in it), without trying to tip the scale politically.

And at that time, we did not attribute motives or any interpretations of why they had done so. We didn’t discuss what the effects of it might be. We simply let people know — the public know, just as we had let members of Congress know — that this had happened.

And as a consequence, all of you wrote a lot of stories about both what had happened, and then you interpreted why that might have happened and what effect it was going to have on the election outcomes. We did not. And the reason we did not was because in this hyper-partisan atmosphere, at a time when my primary concern was making sure that the integrity of the election process was not in any way damaged, at a time when anything that was said by me or anybody in the White House would immediately be seen through a partisan lens, I wanted to make sure that everybody understood we were playing this thing straight — that we weren’t trying to advantage one side or another, but what we were trying to do was let people know that this had taken place, and so if you started seeing effects on the election, if you were trying to measure why this was happening and how you should consume the information that was being leaked, that you might want to take this into account.

And that’s exactly how we should have handled it.

Again, I get why Democrats are furious about this passage: they wanted and still want the IC to attack Trump for benefitting from the Russian hack. Or at the very least, they want to legitimize their plan to delegitimize Trump by using his Russian ties with Obama endorsement. From a partisan view, I get that. But I also very much agree with Obama’s larger point: if Russia’s simple hack decided the election, it’s as much a statement about how sick our democracy is, across the board, as it is a big win for Putin.

To lead into that point, Obama points out how many of the people in the room — how the press — obsessed about every single new leak, rather than focusing on the issues that mattered to the election.

[W]e allowed you and the American public to make an assessment as to how to weigh that going into the election.

And the truth is, is that there was nobody here who didn’t have some sense of what kind of effect it might have. I’m finding it a little curious that everybody is suddenly acting surprised that this looked like it was disadvantaging Hillary Clinton because you guys wrote about it every day. Every single leak. About every little juicy tidbit of political gossip — including John Podesta’s risotto recipe. This was an obsession that dominated the news coverage.

So I do think it’s worth us reflecting how it is that a presidential election of such importance, of such moment, with so many big issues at stake and such a contrast between the candidates, came to be dominated by a bunch of these leaks. What is it about our political system that made us vulnerable to these kinds of potential manipulations — which, as I’ve said publicly before, were not particularly sophisticated.

This was not some elaborate, complicated espionage scheme. They hacked into some Democratic Party emails that contained pretty routine stuff, some of it embarrassing or uncomfortable, because I suspect that if any of us got our emails hacked into, there might be some things that we wouldn’t want suddenly appearing on the front page of a newspaper or a telecast, even if there wasn’t anything particularly illegal or controversial about it. And then it just took off.

And that concerns me.

He returns to that more generally, with one of the most important lines of the presser. “Our vulnerability to Russia or any other foreign power is directly related to how divided, partisan, dysfunctional our political process is.”

The more [the review of the hack] can be nonpartisan, the better served the American people are going to be, which is why I made the point earlier — and I’m going to keep on repeating this point: Our vulnerability to Russia or any other foreign power is directly related to how divided, partisan, dysfunctional our political process is. That’s the thing that makes us vulnerable.

If fake news that’s being released by some foreign government is almost identical to reports that are being issued through partisan news venues, then it’s not surprising that that foreign propaganda will have a greater effect, because it doesn’t seem that far-fetched compared to some of the other stuff that folks are hearing from domestic propagandists.

To the extent that our political dialogue is such where everything is under suspicion, everybody is corrupt and everybody is doing things for partisan reasons, and all of our institutions are full of malevolent actors — if that’s the storyline that’s being put out there by whatever party is out of power, then when a foreign government introduces that same argument with facts that are made up, voters who have been listening to that stuff for years, who have been getting that stuff every day from talk radio or other venues, they’re going to believe it.

So if we want to really reduce foreign influence on our elections, then we better think about how to make sure that our political process, our political dialogue is stronger than it’s been.

Now, the Democrats who have celebrated hopey changey Obama have, over the years, recognized that his effort to be bipartisan squandered his opportunity, in 2009, to really set up a structure that would make us more resilient. It is, admittedly, infuriating that in his last presser Obama still endorses bipartisanship when the last 8 years (and events rolling out in North Carolina even as he was speaking) prove that the GOP will not play that game unless forced to.

So I get the anger here.

But, it is also true that our democracy was fragile well before Vladimir Putin decided he was going to fuck around. Even if Putin hadn’t hacked John Podesta, the way in which the email investigation rolled out accomplished the same objective. (Indeed, at one point I wondered whether Putin wasn’t jealous of Comey for having a much bigger effect on the election). Even if some Russians didn’t put out fake news, others were still going to do that, playing to the algorithmically enhanced biases of Trump voters. Even without Putin hacking voting machines, we can be certain that in places like Wisconsin and North Carolina the vote had already been hacked by Republicans suppressing Democratic vote.

The effect Putin was seeking was happening, happened, anyway, even without his involvement. That doesn’t excuse his involvement, but it does say that if we nuked Putin off the face of this earth tomorrow, our democracy would remain just as fragile as it was with Putin playing in it during this election.

So Obama is right about our vulnerability, though I think he really hasn’t offered a way to fix it. That’s what we all need to figure out going forward. But I can assure you: focusing exclusively on Russia, as if that is the problem and not the underlying fragility, is not going to fix it.

Insist on a measured response to Putin

Which leads us to his comments on a response. In spite of repeated efforts to get him to say “Vlad Putin is a big fat dick who personally elected Donald Trump,” Obama refused (though that didn’t stop some papers from adopting headings suggesting he had). Rather, Obama used the language used in the October 7 statement, saying the hacks were approved by the highest levels of the Russian government, which necessarily means Putin authorized them.

We have said, and I will confirm, that this happened at the highest levels of the Russian government. And I will let you make that determination as to whether there are high-level Russian officials who go off rogue and decide to tamper with the U.S. election process without Vladimir Putin knowing about it.

Q So I wouldn’t be wrong in saying the President thinks Vladimir Putin authorized the hack?

THE PRESIDENT: Martha, I’ve given you what I’m going to give you.

Similarly, Obama refused to respond to journalists’ invitation to announce some big retaliation.

I know that there have been folks out there who suggest somehow that if we went out there and made big announcements, and thumped our chests about a bunch of stuff, that somehow that would potentially spook the Russians. But keep in mind that we already have enormous numbers of sanctions against the Russians. The relationship between us and Russia has deteriorated, sadly, significantly over the last several years. And so how we approach an appropriate response that increases costs for them for behavior like this in the future, but does not create problems for us, is something that’s worth taking the time to think through and figure out.

I’m going to return to this to discuss a detail no one seems to get about Obama’s choices right now. But for the moment, note his emphasis on a response that increases costs for such hacks that do “not create problems for us.”

Unsurprisingly (and, given America’s own aggressive cyberattacks, possibly unrealistically), Obama says he is most seeking norm-setting.

What we’ve also tried to do is to start creating some international norms about this to prevent some sort of cyber arms race, because we obviously have offensive capabilities as well as defensive capabilities. And my approach is not a situation in which everybody is worse off because folks are constantly attacking each other back and forth, but putting some guardrails around the behavior of nation-states, including our adversaries, just so that they understand that whatever they do to us we can potentially do to them.

Obama’s approach is “not a situation in which everybody is worse off because folks are constantly attacking each other back and forth.” Does that suggest the US has already been hacking Russia? Why do we never consider whether Putin was retaliating against us? Who started this cyberwar, anyway?

Funny how Americans assume the answer must be Putin.

In any case, we do need norms about this stuff, but that likely would require some honestly about what, if anything, is different about cyber election tampering than all the election tampering Russia and the US have engaged in for decades — which is a point Chilean Ariel Dorfman makes after pointing out the irony of CIA “crying foul because its tactics have been imitated by a powerful international rival.”

Even assuming we’ll never learn the full extent of America’s own recent tampering, that’s likely to be something that Obama is thinking about as journalists and Democrats wail that he isn’t taking a more aggressive stance.

Share this entry

The DNC’s Evolving Story about When They Knew They Were Targeted by Russia

/29 Comments/in , , /by

This week’s front page story about the Democrats getting hacked by Russia starts with a Keystone Kops anecdote explaining why the DNC didn’t respond more aggressively when FBI first warned them about being targeted in September. The explanation, per the contractor presumably covering his rear-end months later, was that the FBI Special Agent didn’t adequately identify himself.

When Special Agent Adrian Hawkins of the Federal Bureau of Investigation called the Democratic National Committee in September 2015 to pass along some troubling news about its computer network, he was transferred, naturally, to the help desk.

His message was brief, if alarming. At least one computer system belonging to the D.N.C. had been compromised by hackers federal investigators had named “the Dukes,” a cyberespionage team linked to the Russian government.

The F.B.I. knew it well: The bureau had spent the last few years trying to kick the Dukes out of the unclassified email systems of the White House, the State Department and even the Joint Chiefs of Staff, one of the government’s best-protected networks.

Yared Tamene, the tech-support contractor at the D.N.C. who fielded the call, was no expert in cyberattacks. His first moves were to check Google for “the Dukes” and conduct a cursory search of the D.N.C. computer system logs to look for hints of such a cyberintrusion. By his own account, he did not look too hard even after Special Agent Hawkins called back repeatedly over the next several weeks — in part because he wasn’t certain the caller was a real F.B.I. agent and not an impostor.

This has led to (partially justified) complaints from John Podesta about why the FBI didn’t make the effort of driving over to the DNC to warn the higher-ups (who, the article admitted, had decided not to spend much money on cybersecurity).

This NYT version of the FBI Agent story comes from a memo that DNC’s contractor, Yared Tamene, wrote at some point after the fact. The NYT describes the memo repeatedly, though it never describes the recipients of the memo nor reveals precisely when it was written (it is clear it had to have been written after April 2016).

“I had no way of differentiating the call I just received from a prank call,” Mr. Tamene wrote in an internal memo, obtained by The New York Times, that detailed his contact with the F.B.I.

[snip]

“The F.B.I. thinks the D.N.C. has at least one compromised computer on its network and the F.B.I. wanted to know if the D.N.C. is aware, and if so, what the D.N.C. is doing about it,” Mr. Tamene wrote in an internal memo about his contacts with the F.B.I. He added that “the Special Agent told me to look for a specific type of malware dubbed ‘Dukes’ by the U.S. intelligence community and in cybersecurity circles.”

[snip]

In November, Special Agent Hawkins called with more ominous news. A D.N.C. computer was “calling home, where home meant Russia,” Mr. Tamene’s memo says, referring to software sending information to Moscow. “SA Hawkins added that the F.B.I. thinks that this calling home behavior could be the result of a state-sponsored attack.”

[DNC technology director Andrew] Brown knew that Mr. Tamene, who declined to comment, was fielding calls from the F.B.I. But he was tied up on a different problem: evidence suggesting that the campaign of Senator Bernie Sanders of Vermont, Mrs. Clinton’s main Democratic opponent, had improperly gained access to her campaign data.

[snip]

One bit of progress had finally been made by the middle of April: The D.N.C., seven months after it had first been warned, finally installed a “robust set of monitoring tools,” Mr. Tamene’s internal memo says. [my emphasis]

The NYT includes a screen cap of part of that memo (which reveals that the DNC had already been exposed to ransomware attacks by September 2015), but not the other metadata or a link to the full memo.

One reason I raise all this is because the evidence laid out in the story contradicts, in several ways, this August report, relying on three anonymous sources (at least some of whom are probably members of Congress, but then so was the DNC Chair at the time).

The FBI did not tell the Democratic National Committee that U.S officials suspected it was the target of a Russian government-backed cyber attack when agents first contacted the party last fall, three people with knowledge of the discussions told Reuters.

And in months of follow-up conversations about the DNC’s network security, the FBI did not warn party officials that the attack was being investigated as Russian espionage, the sources said.

The lack of full disclosure by the FBI prevented DNC staffers from taking steps that could have reduced the number of confidential emails and documents stolen, one of the sources said. Instead, Russian hackers whom security experts believe are affiliated with the Russian government continued to have access to Democratic Party computers for months during a crucial phase in the U.S. presidential campaign, the source said.

[snip]

In its initial contact with the DNC last fall, the FBI instructed DNC personnel to look for signs of unusual activity on the group’s computer network, one person familiar with the matter said. DNC staff examined their logs and files without finding anything suspicious, that person said.

When DNC staffers requested further information from the FBI to help them track the incursion, they said the agency declined to provide it. In the months that followed, FBI officials spoke with DNC staffers on several other occasions but did not mention the suspicion of Russian involvement in an attack, sources said.

The DNC’s information technology team did not realize the seriousness of the incursion until late March, the sources said. It was unclear what prompted the IT team’s realization.

In August, anonymous sources told Reuters that FBI never told DNC they were being attacked by Russians until … well, Reuters doesn’t actually tell us when the FBI told DNC the Russians were behind the attack, just that Democrats started taking it seriously in March.

But in the pre-Trump Russian hack bonanza, the NYT has now revealed that an internal memo says that the DNC had been informed in November, not March.

And even that part of the explanation doesn’t make sense. As a number of people have noted, Brown is basically saying he didn’t respond to a warning — given in November — that a DNC server was calling home to Russia because he was dealing with a NGP-VAN breach that happened on December 18. He would have had over two weeks to respond to Russia hacking the DNC before the NGP-VAN issue, and that would have been significantly handled by NGP.

Moreover, even the September narrative invites some skepticism. Tamene admits the FBI Special Agent, “told me to look for a specific type of malware dubbed ‘Dukes’ by the U.S. intelligence community and in cybersecurity circles.” And he describes “His first moves were to check Google for “the Dukes” and conduct a cursory search of the D.N.C. computer system logs to look for hints of such a cyberintrusion.” Had Tamene Googled for “dukes malware” any time after September 17, 2015, this is what he would have found.

Today we release a new whitepaper on an APT group commonly referred to as “the Dukes”. We believe that the Dukes are a well-resourced, highly dedicated, and organized cyber-espionage group that has been working for the Russian government since at least 2008 to collect intelligence in support of foreign and security policy decision-making. [my emphasis]

So had this initial report taken place after September 17, Tamene would have learned, thanks to the second sentence of a top Google return, that he was facing a “highly dedicated, and organized cyber-espionage group that has been working for the Russian government. ” Had he done the Google search he said he did, that is, he would almost certainly have learned he was facing down Russian hackers.

Had he clicked through to the report — which is where he would have gone to find the malware signatures to look for — he would have seen a big pink graphic tying the Dukes to Russia.

It’s certainly possible the alert came before the white paper was released (though if it came after, it explains why the FBI would have thought simply mentioning the Dukes would be sufficient). But that would suggest Tamene remembered the call and his Google search for the Dukes in detail sometime in April but not in September when this report got a fair amount of attention.

None of this is to excuse the FBI (I’ve already started a post on that part of this). But it’s clear that Democrats have been — at a minimum — inconsistent in their story to the press about why they didn’t respond to warnings sooner. And given the multiple problems with their explanation about what happened last fall, it’s likely they did get some warning, but just didn’t heed it.

Update: When I wrote this this morning, I had read this tweet stream and this story but not the underlying Shadow Brokers related post, by someone writing under the pseudonym Boceffus Cleetus it relates to, which is basically a Medium post introducing the latest sale of Shadow Broker tools. It wasn’t until I read this post — and then the second Boceffus Cleetus post that I realized Boceffus Cleetus posted (his) original post — along with a reference to the name magnified back when this hack started — the day after the NYT wrote a story of the hack from DNC’s perspective.

As the tweet stream lays out, Boceffus Cleetus is a play on ventriloquism, (duh, speaking for others) and the Dukes of Hazard. Both analyses of this argue that the reference to “Dukes of Hazard” is, in turn, a reference to the name given to the FSB hacking efforts (the other I’ve used is “Cozy Bear”) in the report I linked above — that is, to the name F-Secure had given the FSB hackers, most notably in the report I linked above. I didn’t make too much of it until I read this second Boceffus Cleetus post, which in seemingly one sentence lays out Bill Binney’s theory of the DNC hack (that is, that NSA handed it on) with a country drawl and a lot of conspiracy theory added.

After my shadow brokers tweet I was contacted by an anonymous source claiming to be FBI. Yep I know prove it? I wasn’t able to get’em to verify their identity. But y’all don’t be runnin away yet, suspend yer disbelief and check out their claims. What if the Russian’s ain’t hacking nothin? What if the shadow brokers ain’t Russian? Whatcha got as the next best theory? What if its a deep state civil war tween CIA and ole NSA? A deep state civil war to see who really runs things. NSA is Department of Defense, military. The majority of the military are high school grads, coming from rural “Red States”, conservatives. The NSA has the global surveillance capabilities to intercept all the DNC and Podesta emails. CIA is college grads only and has the traditions of the urban yankee northeastern and east coast ivy leaguers, “Blue State”, liberals.

It’s all mostly gratuitous — an attempt to feed (as explicitly named “fake news”) some of the alternate explanations out there right now.

But I find the portrayal of an NSA-CIA feud notable, in part, because the mostly likely reason FBI (which is where Boceffus Cleetus’ fictional source came from) didn’t tell the DNC who was hacking them back in September 2015 is because the actual tip — that Russia was hacking the DNC — came from the NSA. But FBI had to hide that. So instead, they used the name for FSB that was current at the time.

I’ll add, too, that this plays on Craig Murray’s claim that a national security person leaked him the Podesta documents.

So what’s the point? Dunno. I defer to theGrugq’s third post, in which he argues this post is signaling to show NSA the Russian hackers must have access to NSA’s classified networks, because they’ve accessed a map of everything.

This dump has a bit of everything. In fact, it has too much of everything. The first drop was a firewall ops kit. It had everything that was supposed to be used against firewalls. This dump, on the other hand, has too much diversity and each tool is comprehensive.

The depth and breadth of the tooling they reveal can only possibly be explained by:

  1. an improbable sequence of hack backs which got, in sequence, massive depth of codenamed implants, exploits, manuals,
  2. access to high side data

[snip]

It is obvious that this data would never leave NSA classified networks except by some serious operator error (as I believe was the case with the first ShadowBrokers leak.) For this dump though, it is simply not plausible. There is no way that such diverse and comprehensive ops tooling was accidentally exposed. It beggars belief to think that any operator could be so careless that they’d expose this much tooling, on multiple diverse operations.

There are, based on my count, twenty one (21) scripts/manuals for operations contained in this dump. They cover too many operations for a mistake, and they are too comprehensive for a mistake.

Remember, Obama has been stating assuredly that the US has far more defensive and offensive capability than Russia. The latter might well be true. But the latter is nuts, if for no other reason than we have so much more to secure. The former might be true. But not if hackers can log into NSA’s fridge and steal their beer.

I’m not entirely sure what to make of this. But against the background of increasing dick-wagging, it’ll be interesting to see how it plays out.

Share this entry

Unpacking the New CIA Leak: Don’t Ignore the Aluminum Tube Footnote

/57 Comments/in , , /by

This post will unpack the leak from the CIA published in the WaPo tonight.

Before I start with the substance of the story, consider this background. First, if Trump comes into office on the current trajectory, the US will let Russia help Bashar al-Assad stay in power, thwarting a 4-year effort on the part of the Saudis to remove him from power. It will also restructure the hierarchy of horrible human rights abusing allies the US has, with the Saudis losing out to other human rights abusers, potentially up to and including that other petrostate, Russia. It will also install a ton of people with ties to the US oil industry in the cabinet, meaning the US will effectively subsidize oil production in this country, which will have the perhaps inadvertent result of ensuring the US remains oil-independent even though the market can’t justify fracking right now.

The CIA is institutionally quite close with the Saudis right now, and has been in charge of their covert war against Assad.

This story came 24 days after the White House released an anonymous statement asserting, among other things, “the Federal government did not observe any increased level of malicious cyber activity aimed at disrupting our electoral process on election day,” suggesting that the Russians may have been deterred.

This story was leaked within hours of the time the White House announced it was calling for an all-intelligence community review of the Russia intelligence, offered without much detail. Indeed, this story was leaked and published as an update to that story.

Which is to say, the CIA and/or people in Congress (this story seems primarily to come from Democratic Senators) leaked this, apparently in response to President Obama’s not terribly urgent call to have all intelligence agencies weigh in on the subject of Russian influence, after weeks of Democrats pressuring him to release more information. It was designed to both make the White House-ordered review more urgent and influence the outcome.

So here’s what that story says.

In September, the spooks briefed “congressional leaders” (which for a variety of reasons I wildarseguess is either a Gang of Four briefing including Paul Ryan, Nancy Pelosi, Mitch McConnell, and Harry Reid or a briefing to SSCI plus McConnell, Reid, Jack Reed, and John McCain). Apparently, the substance of the briefing was that Russia’s intent in hacking Democratic entities was not to increase distrust of institutions, but instead to elect Trump.

The CIA has concluded in a secret assessment that Russia intervened in the 2016 election to help Donald Trump win the presidency, rather than just to undermine confidence in the U.S. electoral system, according to officials briefed on the matter.

The difference between this story and other public assessments is that it seems to identify the people — who sound like people with ties to the Russian government but not necessarily part of it — who funneled documents from Russia’s GRU to Wikileaks.

Intelligence agencies have identified individuals with connections to the Russian government who provided WikiLeaks with thousands of hacked emails from the Democratic National Committee and others, including Hillary Clinton’s campaign chairman, according to U.S. officials. Those officials described the individuals as actors known to the intelligence community and part of a wider Russian operation to boost Trump and hurt Clinton’s chances.

[snip]

[I]ntelligence agencies do not have specific intelligence showing officials in the Kremlin “directing” the identified individuals to pass the Democratic emails to WikiLeaks, a second senior U.S. official said. Those actors, according to the official, were “one step” removed from the Russian government, rather than government employees.

This is the part that has always been missing in the past: how the documents got from GRU, which hacked the DNC and John Podesta, to Wikileaks, which released them. It appears that CIA now thinks they know the answer: some people one step removed from the Russian government, funneling the documents from GRU hackers (presumably) to Wikileaks to be leaked, with the intent of electing Trump.

Not everyone buys this story. Mitch McConnell doesn’t buy the intelligence.

In September, during a secret briefing for congressional leaders, Senate Republican Leader Mitch McConnell (Ky.) voiced doubts about the veracity of the intelligence, according to officials present.

That’s one doubt raised about CIA’s claim — though like you all, I assume Mitch McConnell shouldn’t be trusted on this front.

But McConnell wasn’t the only one. One source for this story — which sounds like someone like Harry Reid or Dianne Feinstein — claimed that this CIA judgment is the “consensus” view of all the intelligence agencies, a term of art.

“It is the assessment of the intelligence community that Russia’s goal here was to favor one candidate over the other, to help Trump get elected,” said a senior U.S. official briefed on an intelligence presentation made to U.S. senators. “That’s the consensus view.”

Except that in a briefing this week (which may have been what impressed John McCain and Lindsey Graham to do their own investigation), that’s not what this represented.

The CIA shared its latest assessment with key senators in a closed-door briefing on Capitol Hill last week, in which agency officials cited a growing body of intelligence from multiple sources. Agency briefers told the senators it was now “quite clear” that electing Trump was Russia’s goal, according to the officials, who spoke on the condition of anonymity to discuss intelligence matters.

The CIA presentation to senators about Russia’s intentions fell short of a formal U.S. assessment produced by all 17 intelligence agencies. A senior U.S. official said there were minor disagreements among intelligence officials about the agency’s assessment, in part because some questions remain unanswered. [my emphasis]

That’s a conflict. Some senior US official (often code for senior member of Congress) says this is the consensus view. Another senior US official (or maybe the very same one) says there are “minor disagreements.”

Remember: we went to war against Iraq, which turned out to have no WMD, in part because no one read the “minor disagreements” from a few agencies about some aluminum tubes. A number of Senators who didn’t read that footnote closely (and at least one that did) are involved in this story. What we’re being told is there are some aluminum tube type disagreements.

Let’s hear about those disagreements this time, shall we?

Here’s the big takeaway. The language “a formal US assessment produced by all 17 intelligence agencies” is, like “a consensus view,” a term of art. It’s an opportunity for agencies which may have differing theories of what happened here to submit their footnotes.

That may be what Obama called for today: the formal assessment from all agencies (though admittedly, the White House purposely left the scope and intent of it vague).

Whatever that review is intended to be, what happened as soon as Obama announced it is that the CIA and/or Democratic Senators started leaking their conclusion. That’s what this story is.

Update: One other really critical detail. When the White House announced the Obama review today, Wikileaks made what was a bizarre statement. Linking to a CNN story on the Obama ordered review that erred on the side of blaming Russia for everything, it said, “CNN: Obama orders report into WikiLeaks timed for release just prior to Trump presidency.” Even though none of the statements on the review focused on what this story does — that is, on the way that the DNC and Podesta emails got to Wikileaks — Wikileaks nevertheless interpreted it as an inquiry targeted at it.

Update: And now David Sanger (whose story on the Obama-ordered review was particularly bad) and Scott Shane reveal the RNC also got hacked, and it is the differential leaking that leads the spooks to believe the Russians wanted Trump to win.

They based that conclusion, in part, on another finding — which they say was also reached with high confidence — that the Russians hacked the Republican National Committee’s computer systems in addition to their attacks on Democratic organizations, but did not release whatever information they gleaned from the Republican networks.

In the months before the election, it was largely documents from Democratic Party systems that were leaked to the public.

This may be a fair assessment. But you would have to account for two things before making it. First, you’d need to know the timing and hacker behind the RNC hack. That’s because two entities are believed to have hacked the DNC: an FSB appearing hacking group, and a GRU one. The FSB is not believed to have leaked. GRU is believed to have. So if the FSB hacked the RNC but didn’t leak it, it would be completely consistent with what FSB did with DNC.

NYT now says the RNC hack was by GRU in the spring, so it is a fair question why the DNC things got leaked but RNC did not.

Also, Sanger and Shane say “largely documents” from Dems were leaked. That’s false. There were two streams of non-Wikileaks releases, Guccifer, which did leak all-Dem stuff, and DC Leaks, which leaked stuff that might be better qualified as Ukrainian related. The most publicized of documents from the latter were from Colin Powell, which didn’t help Trump at all.

Update: It’s clear that Harry Reid (who of course is retiring and so can leak speech and debate protected classified information without worrying he’ll be shut off in the future) is one key driver of this story. Last night he was saying, “”I was right. Comey was wrong. I hope he can look in the mirror and see what he did to this country.” This morning he is on the TV saying he believes Comey had information on this before the election.

Update, 12/10: This follow-up from WaPo is instructive, as it compares what CIA briefed the Senate Intelligence Committee about the current state of evidence with what FBI briefed the House Intelligence Committee about the current state of evidence. While the focus is on different Republican and Democratic understandings of both, the story also makes it clear that FBI definitely doesn’t back what WaPo’s sources from yesterday said was a consensus view.

Share this entry

The Game of Telephone about the Election Hacking Review

/6 Comments/in , , /by

This morning, the White House announced that Obama has ordered a review of election-related hacking, to be completed before Donald Trump takes over. I want to capture the varying descriptions of what the review will entail.

Politico: The review will look at the hacks blamed on the Russians this year and malicious cyber activity (publicly understood to be China in 2008 and someone else in 2012) going back to 2008

The review will put the spate of hacks — which officials have blamed on Russia — “in a greater context” by framing them against the “malicious cyber activity” that may have occurred around the edges of the 2008 and 2012 president elections, said White House principal deputy press secretary Eric Schultz at a briefing.

“This will be a review that is broad and deep at the same time,” he added.

[snip]

In 2008, the campaigns for both Sen. John McCain (R-Ariz.) and Obama were bombarded by suspected Chinese hackers, according to U.S. intelligence officials. The digital intruders were reportedly after internal policy papers and the emails of top advisers.

And in 2012, Gawker reported that hackers had broken into Republican presidential candidate Mitt Romney’s personal Hotmail account after correctly answering his backup security question: “What is your favorite pet?”

“We will be looking at all foreign actors and any attempt to interfere with the elections,” Schultz said.

WaPo: The review will be a “full review” of Russian hacking during the November election

President Obama has ordered a “full review” of Russian hacking during the November election, as pressure from Congress has grown for greater public understanding of exactly what Moscow did to interfere in the electoral process.

[snip]

U.S. intelligence and law enforcement agencies had already been probing what they see as a broad covert Russian operation to sow distrust in the presidential election process. It was their briefings of senior lawmakers that led a number of them to press for more information to be made public.

[snip]

Though Russia has long conducted cyberspying on U.S. agencies, companies and organizations, this presidential campaign marks the first time Russia has attempted through cyber means to interfere in, if not actively influence, the outcome of an election, the officials said.

CNN: The review will look at “hacking by the Russians aimed at influencing US elections going back to 2008” (CNN notes that the IC “never said there was strong evidence that [hacks of voter registration systems were] tied to the Russian government”)

President Barack Obama has ordered a full review into hacking by the Russians aimed at influencing US elections going back to 2008, the White House said Friday.

“The President has directed the Intelligence Community to conduct a full review of what happened during the 2016 election process. It is to capture lessons learned from that and to report to a range of stakeholders,” White House Homeland Security and Counterterrorism Adviser Lisa Monaco said at a Christian Science Monitor breakfast with reporters Friday. “This is consistent with the work that we did over the summer to engage Congress on the threats that we were seeing.”
White House spokesman Eric Schultz added later that the review would encompass malicious cyber activity related to US elections going back to 2008. [my emphasis]

Wikileaks (relying on the CNN story): The review will look at Wikileaks

CNN: Obama orders report into WikiLeaks timed for release just prior to Trump presidency

NYT: The review will look at all Russian efforts to influence the 2016 election, including publishing email contents and probing the “vote-counting system” (presumably a reference to voter lists that have nothing to do with vote counting)

President Obama has ordered American intelligence agencies to produce a full report on Russian efforts to influence the 2016 presidential election, his homeland security adviser said on Friday. He also directed them to develop a list of “lessons learned” from the broad campaign the United States has accused Russia of carrying out to steal emails, publish their contents and probe the vote-counting system.

Share this entry

CYBERCOM versus NSA: On Fighting Isis or Spying on Them

/6 Comments/in /by

I keep thinking back to this story, in which people in the immediate vicinity of Ash Carter and James Clapper told Ellen Nakashima that they had wanted to fire Admiral Mike Rogers, the dual hatted head of CyberCommand and NSA, in October. The sexy reason given for firing Rogers — one apparently driven by Clapper — is that NSA continued to leak critical documents after Rogers was brought in in the wake of the Snowden leaks.

But further down in the story, a description of why Carter wanted him fired appears. Carter’s angry because Rogers’ offensive hackers had not, up until around the period he recommended to Obama Rogers be fired, succeeded in sabotaging ISIS’ networks.

Rogers has not impressed Carter with his handling of U.S. Cyber Command’s cyberoffensive against the Islamic State. Over the past year or so, the command’s operations against the terrorist group’s networks in Syria and Iraq have not borne much fruit, officials said. In the past month, military hackers have been successful at disrupting some Islamic State networks, but it was the first time they had done that, the officials said.

Nakashima presents this in the context of the decision to split CYBERCOM from NSA and — click through to read that part further down in the piece — with Rogers’ decision to merge NSA’s Information Assurance Directorate (its defensive wing) with the offensive spying unit.

The expectation had been that Rogers would be replaced before the Nov. 8 election, but as part of an announcement about the change in leadership structure at the NSA and Cyber Command, a second administration official said.

“It was going to be part of a full package,” the official said. “The idea was not for any kind of public firing.” In any case, Rogers’s term at the NSA and Cyber Command is due to end in the spring, officials said.

The president would then appoint an acting NSA director, enabling his successor to nominate their own person. But a key lawmaker, Sen. John McCain (R-Ariz.), the chairman of the Senate Armed Services Committee, threatened to block any such nominee if the White House proceeded with the plan to split the leadership at the NSA and Cyber Command.

I was always in favor of splitting these entities — CYBERCOM, NSA, and IAD — into three, because I believed that was one of the only ways we’d get a robust defense. Until then, everything will be subordinated to offensive interests. But Nakashima’s article focuses on the other split, CYBERCOM and NSA, describing them as fundamentally different missions.

The rationale for splitting what is called the “dual-hat” arrangement is that the agencies’ missions are fundamentally different, that the nation’s cyberspies and military hackers should not be competing to use the same networks, and that the job of leading both organizations is too big for one person.

They are separate missions: CYBERCOM’s job is to sabotage things, NSA’s job is to collect information. That is made clear by the example that apparently irks Carter: CYBERCOM wasn’t sabotaging ISIS like he wanted.

It is not explicit here, but the suggestion is that CYBERCOM was not sabotaging ISIS because someone decided it was more important to collect information on it. That sounds like an innocent enough trade-off until you consider CIA’s prioritization for overthrowing Assad over eliminating ISIS, and its long willingness to overlook that its trained fighters were fighting with al Qaeda and sometimes even ISIS. Add in DOD’s abject failure at training their own rebels, such that the job reverted to CIA along with all the questionably loyalties in that agency.

There was a similar debate way back in 2010, when NSA and CIA and GCHQ were fighting about what to do with Inspire magazine: sabotage it (DOD’s preference, based on the understanding it might get people killed), tamper with it (GCHQ’s cupcake recipe), or use it to information gather (almost certainly with the help of NSA, tracking the metadata associated with the magazine). At the time, that was a relatively minor turf battle (though perhaps hinting at a bigger betrayed by DOD’s inability to kill Anwar al-Alwaki and CIA’s subsequent success as soon as it had built its own drone targeting base in Saudi Arabia).

This one, however, is bigger. Syria is a clusterfuck, and different people in different corners of the government have different priorities about whether Assad needs to go before we can get rid of ISIS. McCain is clearly on the side of ousting Assad, which may be another reason — beyond just turf battles — why he opposed the CYBERCOM/NSA split.

Add in the quickness with which Devin Nunes, Donald Trump transition team member, accused Nakashima’s sources of leaking classified information. The stuff about Rogers probably wasn’t classified (in any case, Carter and Clapper would have been the original classification authorities on that information). But the fact that we only just moved from collecting intelligence on ISIS to sabotaging them likely is.

CYBERCOM and NSA do have potentially conflicting missions. And it sounds like that was made abundantly clear as Rogers chose to prioritize intelligence gathering on ISIS over doing things that might help to kill them.

Share this entry