Grassley Continues to Ask Worthwhile Questions about the Steele Dossier

In this post, I noted several details made clear by Christopher Steele’s defense in a lawsuit pertaining to the dossier he did for opponents to Donald Trump:

  • Steele also shared his dossier with an active British intelligence official, which is a second channel via which the US intelligence community may have obtained the dossier in spite of their hilariously unconvincing denials
  • Steele’s claims he wasn’t sharing actual copies of the dossier with the press, at least, don’t accord with other public claims
  • Steele said absolutely nothing about how he shared the dossier with the FBI (which may have been an alternative channel via which it leaked)
  • Steele obtained the most inflammatory claims in the dossier at a time when he claims neither to have been paid nor to have been actively collecting intelligence (and paying sources)

Taken together, these inconsistencies suggest certain alternative stories about the dossier. For example, it’s possible the dossier was used as a way to launder intelligence gathered via other means, as a way to protect sources and methods. It’s likely the US IC had more awareness and involvement in the dossier than they’ve publicly claimed.

With that in mind, I find it very interesting that Chuck Grassley claims to have found inconsistencies in the story FBI and DOJ are giving him about the dossier.

As I noted at the time, Grassley raised some really good questions in a letter to FBI back on March 6, questions made all the more salient given three somewhat conflicting reports about whether the FBI ever paid Steele.

Yesterday, he held a presser to release another letter to FBI, which he sent last Friday. He explained that nine days after he sent his letter, Comey briefed him and Dianne Feinstein on the circumstances surrounding Mike Flynn’s ouster, and answered a few of the questions Grassley had asked in his March 6 letter. But FBI never did respond to the letter itself, beyond sending a four-sentence boilerplate letter on April 19, claiming the questions had been answered in the briefing.

In the letter, Grassley makes clear that documents the committee received from DOJ since (are these not FBI? If so are they NSD?) conflict with what Comey relayed in the briefing in that FBI actually had a more substantive relationship than Comey let on.

There appear to be material inconsistencies between the description of the FBI’s relationship with Mr. Steele that you did provide in your briefing and information contained in Justice Department documents made available to the Committee only after the briefing.  Whether those inconsistencies were honest mistakes or an attempt to downplay the actual extent of the FBI’s relationship with Mr. Steele, it is essential that the FBI fully answer all of the questions from the March 6 letter and provide all the requested documents in order to resolve these and related issues.

Significantly, after having asked these questions about public reports that FBI had discussed paying Steele,

All FBI records relating to the agreement with Mr. Steele regarding his investigation of President Trump and his associates, including the agreement itself, all drafts, all internal FBI communications about the agreement, all FBI communications with Mr. Steele about the agreement, all FBI requests for authorization for the agreement, and all records documenting the approval of the agreement.

[snip]

Did the agreement with Mr. Steele ever enter into force?  If so, for how long?  If it did not, why not?

Grassley is restating that question, asking for documentation of all payments to Steele.

Documentation of all payments made to Mr. Steele, including for travel expenses, if any; the date of any such payments; the amount of such payments; the authorization for such payments.

He asked about it in today’s oversight hearing with Comey, and Comey insisted the appearance of conflict was easy to explain (and promised to explain it). I suspect DOJ may have paid for Steele’s travel to the US in October 2016, which might be fine, but that was also when Steele shared his dossier with David Corn. Otherwise, Comey refused to answer in a public forum questions about whether FBI made any representations to a judge relying on the dossier (for example for the FISA order), whether the FBI was aware that Steele paid sources who paid subsources, and whether Comey or the FBI knew that Fusion employed a former Russian intelligence officer who was (like Mike Flynn and Paul Manafort) serving as an unregistered agent of a foreign power, in this case to help Russia fight Magnitsky sanctions.

The last question pertains to Fusion employee Rinat Akhmetshin. In July 2016, Hermitage Capital Management filed a FARA complaint against him and a number of other people alleging they were unregistered lobbyists for Prevezon Holdings, a Cyprus-based firm that was seeking to push back against sanctions. The complaint alleges, among other things, that Akhmetshin is a former GRU officer, hired to generate negative publicity, and has been “accused of organizing, on behalf of Russian oligarch Andrey Melnichenko, for the computers of International Mineral Resources to be hacked to steal ‘confidential, personal and otherwise sensitive information’ so that it could be disseminated.”

Grassley surely raised the issue (as he also did in a March letter to Dana Boente in the latter’s role as Acting Attorney General) to accuse Steele’s associates of the same things Steele and others have accused Paul Manafort of (and Mike Flynn has admitted). But it seems an utterly valid issue in any case, not least because it raises questions of why Fusion brought in Steele when Akhmetshin could have collected Russian intelligence on Trump himself. Did he? If so, was that included in the parts of the dossier we haven’t seen? More importantly, was Akhmetshin still around when the dossier got leaked? Does he have any ongoing ties with Russia that might lead to the murder of sources named in the dossier?

In today’s hearing, Grassley said that Fusion refused to cooperate with the questions he posed to them about the dossier. It seems the firms paid to compile that dossier are obfuscating on both sides of the Atlantic.


What Fake French News Looks Like (to a British Consulting Company)

Along with reports that APT 28 targeted Emmanuel Macron that don’t prominently reveal that Macron believes he withstood the efforts to phish his campaign, the post-mortem on the first round of the French election has also focused on the fake news that supported Marine Le Pen.

As a result, this study — the headline from which claimed 25% of links shared during the French election pointed to fake news — has gotten a lot of attention.

The study, completed by a British consulting firm (though the lead on the study is a former French journalist) and released in full only in English, is as interesting for its assumptions as anything else.

Engagement studies aren’t clear what they’re showing, but this one is aware of that

Before I explain why, let me stipulate that I accept the report’s conclusion that a ton of Le Pen supporters (though it doesn’t approach it from that direction) relied on fake news and/or Russian sources. The methodology appears to suffer from the same problem some of BuzzFeed’s reporting on fake news does, in that it doesn’t measure the value of shared news, but at least it admits that methodological problem (and promises to discuss it at more length in a follow-up).

Sharing is the overt act of taking an article or video or image that one sees in social media and, literally, sharing it digitally with one’s own followers or even into the public domain. Sharing therefore implies an elevated level of interest: people share articles that they feel others should see. While there are tools that help us track and quantify how many articles are shared, they cannot explain the sharer’s intention. It seems plausible, particularly in a political context, that sharing implies endorsement, yet even this is problematic as sharing can often imply shock and disagreement. In the third instalment [sic] of this study, Bakamo will explore in depth the extent to which people agree or disagree with what they share, but for this report (and the second, updated version), the simple act of sharing—whatever the intention—is nonetheless highly relevant. It provides a way of gauging activity and engagement.

[snip]

These are the “likes” or “shares” in Facebook, or “favourites” or “retweets” in Twitter. While these can be counted, we do not know whether the person has actually clicked through to read the content being shared before they like or retweet. This information is only available to the account owner. One of the questions that is often raised about social media is whether users do indeed read the article or respond simply to the headlines that appear in their newsfeed. We are unable to comment on this.

In real world terms, engagement can be two things. It can be agreement—whether reflexive or reflective—with the content shared. It can also, however, be disagreement: Facebook’s nuanced “like” system (in which anger is a valid form of engagement) or Twitter’s citations that enable a user to comment on the link while sharing it both permit these negative expressions.

The study is perhaps most interesting for what it shows about the differing sharing habits from different parts of its media economy, with no overlap between those who share what it deems “traditional” media and those who share what I’d deem conspiracist media. That finding, more than almost any other one, suggests what might be needed to engage in a dialogue across these clusters. Ultimately, what the study shows is increased media polarization not on partisan grounds, but on response to globalization.

Russian media looks very important when you only track Russian media

As I noted, one of the headlines that has been taken away from this study is that Le Pen voters shared a lot of Russian news sources — and I don’t contest that.

But there are two interesting details about how that finding came to be that important to this study.

First, the study defines everything in contradistinction from what it calls “traditional” media.

There are five broad sections of the Media Map. They are defined by their editorial distance from traditional media narratives. The less accepting a source is of traditional media narratives, the farther away it is (spatially) on the Map.

In the section defining traditional media, the study focuses on establishment and commercialism (including advertising), even while asserting — but not proving — that all traditional media “adher[e] to journalistic standards” (which is perhaps a fairer assumption still in France than in the US or UK, but nevertheless it is an assumption).

This section of the Media Map is populated by media sources that belong to the established commercial and conventional media landscape, such as websites of national and regional newspapers, TV and radio stations, online portals adhering to journalistic standards, and news aggregators.

It does this, but insists that this structure that privileges “traditional” media without proving that it merits that privilege is not meant to “pass moral judgement or to define what is ‘good’ or ‘evil’.”

Most interesting of all, the study includes — without detail or interrogation — international media sources “exhibiting these same characteristics” in its traditional media category.

These are principally France-based sources; however, French-speaking international media sources exhibiting these same characteristics were also placed into the Traditional Media section.

But, having defined some international news sources as “traditional,” the study then uses Russian influence as a measure of whether a media cluster was non-traditional.

The analysis only identified foreign influence connected with Russia. No other foreign source of influence was detected.

It did this — measuring Russian influence as a measure of non-traditional status — even though the study showed this was true primarily on the hard right and among conspiracists.

Syria as a measure of journalistic standards

Among the other kinds of content that this study measures, it repeatedly describes how those outlets it has clustered as non-traditional (primarily those it calls reframing outlets) deal with Syria.

It treats those who cast Bashar al-Assad as a “protagonist” in the Syrian civil war as being influenced by Russian sources.

A dominant theme reflected by sources where Russian influence is detected is the war in Syria, the various actors involved, and the refugee crisis. In these articles, Bachar Assad becomes the protagonist, a perspective opposite to that which is reported by traditional media. Articles touching on refugees and migrants tend to reinforce anti-Islam and anti-migrant positions.

The anti-imperialists focus on Trump’s ineffectual missile strike on Syria which — the study concludes — must derive from Russian influence.

Trump’s “téléréalité” attack on Syria is a more recent example of content in this cluster. This is not surprising, however, as Russian influence is detectable on a number of sites in this cluster.

It defines conspiracists as such because they say the US supports terrorist groups (and also because they portray Assad as trustworthy).

Syria is an important theme in this cluster. Per these sources, and contrary to reports in traditional media, the Western powers are supporting the terrorists, while Bashar Assad is a trustworthy and tolerant leader, as witness reports prove.

The pro-Islam non-traditional (!!) cluster is defined not because of its distance from “traditional” news (which the study finds it generally is not) but in part because its outlets suggest the US has been supporting Assad.

American imperialism is another dominant theme in this cluster, driven by the belief that the US has been secretly supporting the Assad regime.

You can see, now, the problem here. It is a demonstrable fact that America’s covert funding did, for some time, support rebel groups that worked alongside Al Qaeda affiliates (and predictably and with the involvement of America’s Sunni allies saw supplies funneled to al Qaeda or ISIS as a result). It is also the case that both historically (when the US was rendering Maher Arar to Syria to be tortured) and as an interim measure to forestall the complete collapse of Syria under Obama, the US’ opposition to Assad has been half-hearted, which may not be support but certainly stopped short of condemnation for his atrocities.

And while we’re not supposed to talk about these things — and don’t, in part, because they are an openly acknowledged aspect of our covert operations — they are a better representation of the complex clusterfuck of American intervention in Syria than one might get — say — from the French edition of the BBC. They are, of course, similar to the American “traditional” news insistence that Obama has done “nothing” in Syria, long after Chuck Hagel confirmed our “covert” operations there. Both because the reality is too complex to discuss easily, and because there is a “tradition” of not reporting on even the most obvious covert actions if done by the US, Syria is a subject on which almost no one is providing an adequately complex picture of what is going on.

On both sides of the Atlantic, the measure of truth on Syria has become the simplified narrative you’re supposed to believe, not what the complexity of the facts show. And that’s before you get to where we are now, pretending to be allied with both Turkey and the Kurds they’re shooting at.

The shock at the breakdown of the left-right distinction

What’s most fascinating about the study, however, is the seeming distress with which it observes that “reframing” media — outlets it claims are reinterpreting the real news — don’t break down into a neat left-right axis.

Media sources in the Reframe section share the motivation to counter the Traditional Media narrative. The media sources see themselves as part of a struggle to “reinform” readers of the real contexts and meanings hidden from them when they are informed by Traditional Media sources. This section breaks with the traditions of journalism, expresses radical opinions, and refers to both traditional and alternative sources to craft a disruptive narrative. While there is still a left-right distinction in this section, a new narrative frame emerges where content is positioned as being for or against globalisation and not in left-right terms. Indeed, the further away media sources are from the Traditional section, the less a conventional left-right attribution is possible.

[snip]

The other narrative frame detectable through content analysis is the more recent development referred to in this study as the global versus local narrative frame. Content published in this narrative frame is positioned as being for or against globalisation and not in left-right terms. Indeed, the further away media sources are from the Traditional section, the less a conventional left-right attribution is possible. While there are media sources in the Reframe section on both on the hard right and hard left sides, they converge in the global versus local narrative frame. They take concepts from both left and right, but reframe them in a global-local context. One can find left or right leanings of media sources located in the middle of Reframe section, but this mainly relates to attitudes about Islam and migrants. Otherwise, left and right leaning media sources in the Reframe section share one common enemy: globalisation and the liberal economics that is associated with it.

Now, I think some of the study’s clustering is artificial to create this split (for example, in the way it treats environmentalism as an extend rather than reframe cluster).

But even more, I find the confusion fascinating, particularly in the absence of any indication (as the study provides for Syria coverage) of what is considered the “true” or “false” news about globalization. Opposition to globalization, as such, is the marker, not a measure of whether an outlet is reporting in a factual manner on the status and impact of globalization and its success at delivering its stated goals.

And if the patterns of sharing in the study are in fact accurate, what the study actually shows is that the ideologies of globalization and nationalism have become completely incoherent to each other. And purveyors of globalization as the “traditional” view do not, here, consider the status of globalization (on either side) as a matter of truth or falseness, as a measure whether the media outlet taking a side in favor of or against globalization adheres to the truth.

I’ve written a fair amount about the failure of American ideology — and about the confusion among the priests of that ideology as it no longer exacts unquestioning sway.

This study on fake news in France completed by a British consulting company in English is very much a symptom of that process.

But the Cold War is outdated!

Which brings me to the funniest part of the paper. As noted above, the paper claims that anti-imperialists are influenced by Russian sources, which it offers as the explanation for their criticism of Trump’s Patriot missile strike on Syria. But it’s actually talking about what it calls a rump Communist Cold War ideology.

This cluster contains the remains of the traditional Communist groupings. They publish articles on the imperialist system. They concentrate on foreign politics and ex-Third World countries. They frame their worldview through a Cold War logic: they see the West (mainly the US) versus the East, embodied by Russia. Russia is idolised, hence these sites have a visible anti-American and anti-Zionist stance. The antiquated nature of a Cold War frame given the geo-political transformations of the last 25 years means these sources are often forced to borrow ideas from the extreme right.

Whatever the merit in its analysis here, consider what it means for a study whose assumptions treat Russian influence as a special kind of international influence, even while conducting no reflection on whether the globalization/nationalism polarization it finds so striking can be measured in terms of fact claims.

The new Cold War seems unaware that the old Cold War isn’t so out of fashion after all.


Facebook Claims Just .1% of Election Related Sharing Was Information Operations

In a fascinating report on the use of the social media platform for Information Operations released yesterday, Facebook makes a startling claim. Less than .1% of what got shared during the election was shared by accounts set up to engage in malicious propaganda.

Concurrently, a separate set of malicious actors engaged in false amplification using inauthentic Facebook accounts to push narratives and themes that reinforced or expanded on some of the topics exposed from stolen data. Facebook conducted research into overall civic engagement during this time on the platform, and determined that the reach of the content shared by false amplifiers was marginal compared to the overall volume of civic content shared during the US election.[12]

In short, while we acknowledge the ongoing challenge of monitoring and guarding against information operations, the reach of known operations during the US election of 2016 was statistically very small compared to overall engagement on political issues.

[12] To estimate magnitude, we compiled a cross functional team of engineers, analysts, and data scientists to examine posts that were classified as related to civic engagement between September and December 2016. We compared that data with data derived from the behavior of accounts we believe to be related to Information Operations. The reach of the content spread by these accounts was less than one-tenth of a percent of the total reach of civic content on Facebook.

That may seem like a totally bogus number — and it may well be! But to assess it, understand what they’re measuring.

That’s one of the laudable aspects of the report: it tries to break down the various parts of the process, distinguishing things like “disinformation” — inaccurate information spread intentionally — from “misinformation” — inaccurate information spread without malicious intent.

Information (or Influence) Operations – Actions taken by governments or organized non-state actors to distort domestic or foreign political sentiment, most frequently to achieve a strategic and/or geopolitical outcome. These operations can use a combination of methods, such as false news, disinformation, or networks of fake accounts (false amplifiers) aimed at manipulating public opinion.

False News – News articles that purport to be factual, but which contain intentional misstatements of fact with the intention to arouse passions, attract viewership, or deceive.

False Amplifiers – Coordinated activity by inauthentic accounts with the intent of manipulating political discussion (e.g., by discouraging specific parties from participating in discussion, or amplifying sensationalistic voices over others).

Disinformation – Inaccurate or manipulated information/content that is spread intentionally. This can include false news, or it can involve more subtle methods, such as false flag operations, feeding inaccurate quotes or stories to innocent intermediaries, or knowingly amplifying biased or misleading information. Disinformation is distinct from misinformation, which is the inadvertent or unintentional spread of inaccurate information without malicious intent.

Having thus defined those terms, Facebook distinguishes further between false news sent with malicious intent from that sent for other purposes — such as to make money. In this passage, Facebook also acknowledges the important detail for it: false news doesn’t work without amplification.

Intent: The purveyors of false news can be motivated by financial incentives, individual political motivations, attracting clicks, or all the above. False news can be shared with or without malicious intent. Information operations, however, are primarily motivated by political objectives and not financial benefit.

Medium: False news is primarily a phenomenon related to online news stories that purport to come from legitimate outlets. Information operations, however, often involve the broader information ecosystem, including old and new media.

Amplification: On its own, false news exists in a vacuum. With deliberately coordinated amplification through social networks, however, it can transform into information operations.

So the stat above — the amazingly low .1% — is just a measure of the amplification of stories by Facebook accounts created for the purpose of maliciously amplifying certain fake stories; it doesn’t count the amplification of fake stories by people who believe them or who aren’t formally engaged in an information operation. Indeed, the report notes that after an entity amplifies something falsely, “organic proliferation of the messaging and data through authentic peer groups and networks [is] inevitable.” The .1% doesn’t count Trump’s amplification of stories (or of his followers).

Furthermore, the passage states it is measuring accounts that “reinforced or expanded on some of the topics exposed from stolen data,” which would seem to limit which fake stories it tracked, including things like PizzaGate (which derived in part from a Podesta email) but not the fake claim that the Pope endorsed Trump (though later on the report says it identifies false amplifiers by behavior, not by content).

The entire claim raises questions about how Facebook identifies which are the false amplifiers and which are the accounts “authentically” sharing false news. In a passage boasting of how it has already suspended 30,000 fake accounts in the context of the French election, the report includes an image that suggests part of what it does to identify the fake accounts is identifying clusters of like activity.

But in the US election section, the report includes a coy passage stating that it cannot definitively attribute who sponsored the false amplification, even while it states that its data does not contradict the Intelligence Community’s attribution of the effort to Russian intelligence.

Facebook is not in a position to make definitive attribution to the actors sponsoring this activity. It is important to emphasize that this example case comprises only a subset of overall activities tracked and addressed by our organization during this time period; however our data does not contradict the attribution provided by the U.S. Director of National Intelligence in the report dated January 6, 2017.

That presents the possibility (one that is quite likely) that Facebook has far more specific forensic data on the .1% of accounts it deems malicious amplifiers that it coyly suggests it knows to be Russian intelligence. Note, too, that the report is quite clear that this is human-driven activity, not bot-driven.

So the .1% may be a self-serving number, based on a definition drawn so narrowly as to be able to claim that Russian spies spreading propaganda make up only a tiny percentage of activity within what it portrays as the greater vibrant civic world of Facebook.

Alternately, it’s a statement of just how powerful Facebook’s network effect is, such that a very small group of Russian spies working on Facebook can have an outsized influence.



Turns Out Alaskans Won’t Get to See Russian Hacker Pyotr Levashov from Their Windows

Earlier this month, DOJ got some good press by releasing the first known Rule 41 nationwide hacking warrant. It targeted Pyotr Levashov, who ran a big botnet infecting tons of Americans’ computers. He was arrested on April 9 in Barcelona and DOJ shut down the botnet.

The good press continued when EFF lauded the way the Rule 41 hacking warrant was handled. I’m not aware that anyone has reviewed the Pen Register application that went along with the warrant, about which I have more concerns, but having EFF’s blessing goes some way to rolling out a new authority without controversy.

Last week, DOJ announced the indictment of Levashov, returned last Thursday. Whereas the Rule 41 warrant was submitted in Alaska, the indictment (and much of the investigation) was done in New Haven. Levashov was charged with eight different counts. Of note, the indictment includes two conspiracy-related charges against Levashov without naming any co-conspirators.

What I find interesting about all this is that there’s a still sealed complaint, dated March 24, against Levashov in the New Haven docket, with its own affidavit.

So I’m wondering why the Rule 41 action was taken in Alaska whereas the prosecution (assuming Levashov is extradited) appears slotted for New Haven.

The Alaska affidavit makes abundant reference to the investigative activities in New Haven. It describes that New Haven FBI Agents tested the Kelihos malware, identified how Kelihos harvested credentials, and tracked how Kelihos installed WinPCAP to intercept traffic.

It also includes a footnote describing other cases against Levashov.

I am also aware that an indictment was filed in 2007 in the Eastern District of Michigan for conspiracy to commit electronic mail fraud, mail fraud, and wire fraud in violation of 18 U.S.C. §§ 371, 1037(a)(2)-(a)(B), 1037(b)(2)(C), 1341, and 1343 and several substantive counts of violating 18 U.S.C. §§ 1037(a)(2), 1037(b)(2)(C), and Section 2. That indictment remains pending. I am also aware that a criminal complaint filed in the U.S. District Court for the District of Columbia, which in 2009 charged LEVASHOV in his true name with two substantive counts of violating 18 U.S.C. §§ 1030(a)(5)(A)(i), 1030(a)(5)(B)(i), 1030(a)(5)(A)(i) and 1030(a)(5)(B)(v), as well as one count of conspiracy to commit these offenses in violation of 18 U.S.C. § 371. These charges resulted from LEVASHOV’s operating the Storm Botnet from January 2007 until September 22, 2008. That botnet, like that which is the subject of this prosecution, sent spam to facilitate pump and dump schemes and the purchase of grey market pharmaceuticals. Because the government was unable to apprehend and detain LEVASHOV, it dismissed the complaint in 2014.

But it doesn’t mention the complaint, which had already been filed, in CT — unless that’s what the almost paragraph-long redaction in the affidavit was.

One possible explanation for the jurisdictional oddity is just that DOJ could. To test their new authorities, perhaps, they chose to obtain a warrant in a totally different jurisdiction from the one they were prosecuting in, just to lay out the precedent of doing so. And as noted, it’s possible the big redacted passage in the AK affidavit explains all this.

I’d feel better about that if the FBI affidavit submitted in AK hadn’t (possibly) hidden the already existing complaint in CT, though.

I’ve got a question into DOJ and will update if they provide an explanation. But for now, know that Alaska won’t get to host a high profile hacking trial after all.

Updated: fixed DOJ announcement date, h/t EG.


The Virgin Birth of the Most Inflammatory Trump Dossier Claims

In a response to Alexsej Gubarev’s British libel lawsuit, Christopher Steele has submitted a defense making certain claims about the dossier on Trump he reportedly did for Trump’s opponents. (Washington Times published the filing along with this story.) The defense provides some limited information on the dossier, while remaining entirely silent about known details.

The defense provides further explanation of how Steele came to share the dossier with John McCain. Sir Andrew Wood is an Associate of Steele’s firm, which is how he knew about the dossier. At an undated meeting between Wood and John McCain and his associate David Kramer, Wood told the Americans about the dossier. That piqued McCain’s interest, so Kramer met with Steele in Surrey on November 28. After Kramer returned to DC, he arranged to get a hard copy of the dossier for McCain, and requested that “any further intelligence gathered by the Defendants about alleged Russian interference in the US Presidential election” be provided to him on behalf of McCain.

Steele denies he shared the dossier with journalists

Of critical importance, to substantiate a claim that he wasn’t spreading the document all over creation, Steele states,

The Defendants did not, however, provide any of the pre-election memoranda to media organizations or journalists. Nor did they authorize anyone to do so. Nor did they provide the confidential December memorandum to media organizations or journalists. Nor did they authorize anyone to do so.

[snip]

[Steele] gave off the record briefings to a small number of journalists about the pre-election memoranda in late summer/autumn 2016.

I find the claim rather suspicious.

The changing (BBC) story about how it got (shown) the Steele dossier

Steele’s claim that he wasn’t sharing the dossier itself is dubious for several reasons. For example, the defense makes no mention of Steele sharing the dossier with the FBI, in spite of multiple reports of him doing so.

More damning, one of the reporters with whom the dossier was shared before the election, BBC’s Paul Wood, has changed a published story about receiving the dossier on two occasions. The original story appeared like this.

Sometime between the original publication and 14:06 GMT, the paragraph claiming the American oppo research company, Fusion, disseminated the document was removed from the story.

Then, by 15:32 GMT — roughly 20 minutes after I did a post noting the first change — that passage was again changed, this time to suggest the pages were shown, but not given, to journalists.

I’ve been told second-hand that actual pages were given, not shown, to at least one journalist, suggesting the middle story may be the accurate one. Moreover, the actual dossier would have had to have been shared for James Clapper’s claim that the dossier “was widely circulated … among the media, members of Congress and Congressional staff ” to be true.

Steele’s free report based off unsolicited intelligence

All that pertains to the dossier, generally, though. It’s actually irrelevant to the lawsuit, since Gubarev is suing over claims made in the last report, dated December 13 (see this post for why that date is important).

Here’s what Steele claims about that last report.

The Defendants continued to receive unsolicited intelligence on the matters covered by the pre-election memoranda after the US Presidential election and the conclusion of the assignment for Fusion.

After receiving some such intelligence [Steele] prepared the confidential December memorandum, … on his own initiative on or around 13 December 2016.

[snip]

Accordingly, [Steele] provided a copy of the December memorandum to:

a. A senior UK government national security official acting in his official capacity, on a confidential basis in hard copy form; and

b. Fusion, by enciphered email with an instruction to Fusion to provide a hard copy to Sen. McCain via Mr Kramer.

Nowhere in this defense does Steele specify when he gave McCain the dossier, aside from sometime after November 28. Presumably it was on or before December 9, when McCain reportedly handed the dossier over to the FBI (though McCain was a bit sketchier about when he got and handed on the dossier and — very significantly — doesn’t describe doing so twice).

Steele does confirm he also shared the dossier with “a senior UK government national security official,” which is another way the US intelligence community might have gotten the dossier they shared with Trump before BuzzFeed leaked it, contrary to their utterly ridiculous claims to have been the last to know of it.

In any case, the timeline suggests that, after sources started leaking aggressively about Putin affirmatively trying to elect Trump on December 9 (even as Obama called for a review of the intelligence), Steele all of a sudden got new intelligence (or, less plausibly, decided to write down the intelligence he had before he sent McCain the dossier but hadn’t written up).

Multiple reports have said that Steele was working for free in that period. Apparently, too, the sources that Steele had been paying up to this point decided they would provide unsolicited intelligence.

Did they get paid, either?

The virgin birth of the most inflammatory claims

And this is all very interesting because — as I have noted before — this last brief includes three far more inflammatory claims than Steele had ever provided before.

First, as part of the claims Gubarev is suing over, Steele claimed he had been told that in addition to using botnets to “transmit viruses, plant bugs, and steal data,” (which sounds nothing like what allegedly actually happened in the hack), XBT also conducted “altering operations,” a suggestion that Russia was tampering with data rather than just stealing it.

Second, whereas earlier reporting on Michael Cohen’s role had been more vague, this report described him discussing “deniable cash payments to the hackers who had worked in Europe under Kremlin direction against the CLINTON campaign.” That is, the dossier made far stronger claims that Trump’s team had discussed the hack itself, rather than making quid pro quo deals to alter US policy.

Finally, and most importantly, Steele’s “unsolicited” intelligence claimed that Trump had paid the hackers.

On payments, IVANOV’s associate said that the operatives involved had been paid by both TRUMP’s team and the Kremlin, though their orders and ultimate loyalty lay with IVANOV.

This is the report that wraps up all the allegations in a neat little bow, setting up the impeachment of Trump, and it came unsolicited after the spooks were upping the pressure on McCain.

Right wing outlets are (rightly) making much of the fact that Steele claimed the intelligence “needed to be analysed and further investigated/verified.” But I’m just as struck by the rather neat claim that by far the most inflammatory intelligence in the dossier came in the days after Democrats and the IC started ratcheting up pressure on Trump, and that it came unsolicited.

Update: This post has been updated for clarity.

Update: David Corn’s account of interacting with Steele is inconsistent on the point of whether he got the dossier. At first he says he was able to “review” the memos.

I also was able to review the memos the former spy had written, and I quoted a few key portions in my article.

But by the end of the paragraph, he says the reason he didn’t publish the dossier is not because he didn’t have it, but because it would have revealed some of Steele’s sources (as it eventually did).

I also didn’t post the memos, as BuzzFeed did this week, because the documents contained information about the former spy’s sources that could place these people at risk.

And technically, Corn’s description of how Steele directed him to treat the information is not “off the record” (though I can still remember the moment during the Scooter Libby trial when, after one after another top journalist provided a different definition of the term on the stand, journalists in the media room — Corn was there — acknowledged that everyone has a different definition of the term). In his article, Corn says he was simply told not to ID Steele’s nationality or MI6 but suggests he was permitted to quote the dossier, which he did.

For my story in October, I spoke with the former spy who wrote these memos, under the condition that I not name him or reveal his nationality or the spy service where he had worked for nearly two decades, mostly on Russian matters.

Update: It’s worth comparing Steele’s claims with those made in this Vanity Fair feature on the dossier. Of particular note, VF makes no mention of Wood being an associate of Steele’s firm, and instead suggests he may have been sent to the conference in question to contact McCain.

It was at some point in this busy weekend that Senator John McCain and David J. Kramer, a former State Department official whose bailiwick was Russia and who now toils at Arizona State University’s Washington-based McCain Institute for International Leadership, found themselves huddling with Sir Andrew Wood, a former British ambassador to Russia.

Sir Andrew, 77, had served in Moscow for five years starting in 1995, a no-holds-barred time when Putin was aggressively consolidating power. And in London Station, the M.I.6 puppeteer pulling all the clandestine strings was Christopher Steele. Sir Andrew knew Steele well and liked what he knew. And the former diplomat, who always had a few tough words to say about Putin, had heard the rumors about Steele’s memo.

Had Sir Andrew arrived in Halifax on his own covert mission? Was it just an accident that his conversation with Senator McCain happened to meander its way to the findings in Steele’s memos? Or are there no accidents in international intrigue? Sir Andrew offered no comment to Vanity Fair. He did, however, tell the Independent newspaper, “The issue of Donald Trump and Russia was very much in the news and it was natural to talk about it.”

Note, this account would put Kramer in Surrey meeting Steele around December 5, which would mean Steele’s most inflammatory intelligence came in (“unsolicited,” he claimed) during a period of 11 days. It also says that Kramer brought the dossier back with him, undermining Steele’s claims that Fusion had been in the loop. VF also suggests there may have been more to the dossier Steele handed Kramer; Steele goes so far out of his way in his defense to claim he did no reports in November that I suspect he did report in November (perhaps directly for FBI?).


NSA’s Spying on Le Pen Is Probably Working Better than GRU’s Spying on Macron

In advance of this report on APT 28 (the hacking group presumed to be tied to Russia’s military intelligence, GRU, blamed for the DNC hack-and-leak), Trend Micro got a lot of publicity for its report that APT 28 had targeted Emmanuel Macron, who just won the most votes in France’s presidential election and will face a run-off against Marine Le Pen in a few weeks.

At least according to Macron’s campaign, the attempts to phish his campaign were unsuccessful.

Mounir Mahjoubi, digital director of Mr. Macron’s campaign, confirmed the attempted hacking, saying that several staffers had received emails leading to the fake websites. The phishing emails were quickly identified and blocked, and it was unlikely others went undetected, Mr. Mahjoubi said.

“We can’t be 100% sure,” he said, “but as soon as we saw the intrusion attempts, we took measures to block access.”

The timing of all this is rather interesting. Back in early February, France’s Le Canard Enchaîné exclusively reported that France’s security officials worried that Macron would be hacked, a vague report that was picked up very broadly without confirmation. Shortly thereafter, Macron claimed that his campaign had been the target of thousands of attacks from entities within Russia’s borders, including a DDoS attack that took down his website for nine minutes. According to the sole mention of Macron in the Trend Micro report, the OneDrive-based phish targeting Macron took place a month later, on March 15.

These hacking attempts accompanied a great deal of fake news (and leaked gossip) targeting Macron. But at least if Macron’s own campaign is to be believed, APT 28 never succeeded in its attempt to hack the favorite to be France’s next president, and so presumably has not yet succeeded in stealing emails that Russia might use to attack Macron during the run-off.

Which gives the hype about APT 28’s attempted hack a really curious character. It is treated as if Russia is the only state actor that might be spying on French presidential candidates.

Does anyone honestly believe that the United States is not spying on Le Pen, for example, given that the CIA and NSA have a history of spying on candidates with whom the US is even friendlier than Le Pen? Indeed, earlier this year, WikiLeaks published a tasking order for CIA to collect HUMINT and open source intelligence on all the parties in the 2012 French election, though without any cyber element specified. In 2010, the incumbent Pakistan People’s Party was included in NSA’s foreign government Section 702 certificate by name. And in 2012, CIA and NSA partnered to target Enrique Peña Nieto and nine of his closest associates in the weeks leading up to his victory. With both the PPP and EPN, these were nominally political parties friendly to US interests.

By comparison, it would seem that targeting Le Pen, at a time when the intelligence community has a very public concern about collusion between Russia and populist parties in Europe to destabilize Europe, would be a no-brainer.

And here’s what else gets left out of the coverage of GRU’s attempts to spy on Macron: how much easier a job the NSA might have than GRU, even ignoring NSA’s greater capabilities.

Many (though not all) of the phishing attempts detailed in the Trend Micro report pretend to be the email log-ins for US-based email providers: with virtually all the most detailed attention on Yahoo, Gmail, and Microsoft. The attempted Macron targeting exploited his campaign’s use of OneDrive. That means all the entities GRU targeted with phishes pretending to be US providers are available to NSA via Section 702, or PRISM.
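The phishing described above works by putting a provider’s brand in front of a login page the provider does not control. As an added illustration (not code from the original post, and not from the Trend Micro report), here is the kind of lookalike-domain check a campaign’s mail gateway could run over the links in inbound mail. The allowlist of provider domains, the brand words, and every sample URL below are constructed for the example; the naive registrable-domain split stands in for a real public-suffix lookup.

```python
"""Flag credential-phishing links that impersonate mail/cloud providers.

Added example for this post. The provider allowlist and sample URLs are
constructed here, not taken from the Trend Micro report.
"""
import re
from urllib.parse import urlparse

# Registrable domains treated as the providers' own (assumed allowlist).
LEGIT_DOMAINS = {
    "google.com", "gmail.com", "yahoo.com", "microsoft.com",
    "microsoftonline.com", "live.com", "outlook.com", "onedrive.com",
}
# Brand strings that should not appear inside a non-provider hostname.
BRAND_WORDS = ("google", "gmail", "yahoo", "microsoft", "onedrive", "outlook")


def registrable(host: str) -> str:
    """Naive eTLD+1: keep the last two labels. Fine for .com/.org in a demo;
    production code should consult the public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'legit', 'punycode', 'brand-in-hostname', 'typosquat' or 'unknown'."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown"
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return "legit"                      # real provider login, any subdomain
    if "xn--" in host:
        return "punycode"                   # IDN homoglyph candidates get a look
    squashed = re.sub(r"[-_.]", "", host)   # onedrive-live-com.x.org -> onedrivelivecomxorg
    if any(w in squashed for w in BRAND_WORDS):
        return "brand-in-hostname"          # brand used as a subdomain or label
    if any(levenshtein(reg, legit) <= 2 for legit in LEGIT_DOMAINS):
        return "typosquat"                  # yaho0.com, gmial.com, ...
    return "unknown"


def scan(urls):
    """Classify every link; a gateway would quarantine anything not 'legit'/'unknown'."""
    return {u: classify(u) for u in urls}


# Constructed sample links, not real phishing infrastructure.
SAMPLE_URLS = [
    "https://accounts.google.com/ServiceLogin",
    "https://login.microsoftonline.com/",
    "https://onedrive-live-com.example.org/login",
    "https://mail.yaho0.com/",
    "https://xn--ggle-0qa.com/",
    "https://example.org/",
]

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_URLS).items():
        print(f"{verdict:18} {url}")
```

The order of the checks matters: the allowlist comes first so that a legitimate subdomain such as accounts.google.com is never flagged by the brand-word rule, and the brand-word rule comes before the edit-distance rule because attackers more often hide the brand in a label than register a near-miss domain. None of this helps against the collection path discussed next, which needs no link to be clicked at all.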

In other words, to collect on the very same targets that GRU is targeting via phishing attacks that users continue to get better at recognizing (and that Macron claims to have withstood entirely), the NSA could just add Le Pen’s email address to the list of over 93,000 targets being targeted under Section 702 (as it presumably did with PPP in 2010). And unlike a phishing campaign, which can be made more difficult with the use of two factor authentication, Le Pen would have no defense against collection targeting her or her campaign’s PRISM provider accounts, beyond encrypting everything that resided in an American-owned cloud (and even then, there would be a great deal of interesting metadata available). If she or key aides use any of the major American tech providers, stealing their emails would be as easy as providing a foreign intelligence justification (one that would be bolstered by her close ties with Russia) and tracking to make sure her accounts are detasked when she comes to the US to visit Trump Tower.

All that’s on top of any more sophisticated targeting of Le Pen akin to what CIA and NSA did against EPN.

And therein lies the rub, the reason you shouldn’t be saying, “So what? We should spy on that fascist Le Pen, she’s a menace to civilization” (though I agree she is).

The NSA’s spying on Marine Le Pen is likely having more success than GRU’s spying on Emmanuel Macron. But is there any reason, particularly given CIA’s targeting of all French parties in 2012 and given Trump’s stated preference for Le Pen, to think that NSA is not also targeting Macron, targeting his OneDrive in a way that would be immune from whatever defenses he is using against phishing attacks?

Here’s where folks will say, “but we don’t leak stolen communications,” in spite of some evidence that we have in the past, albeit perhaps not in a democratic election. (On that note, this Politico story exposing Mike Flynn’s ties, via his Turkish lobbying client, to Russia, relies on a WikiLeaks-released email, which is a notable instance where evidence made available by WikiLeaks may help those investigating Russia’s influence on the Trump administration.) Of course, GRU can only leak what it can steal, and Macron believes that GRU hasn’t succeeded in stealing anything.

Furthermore, we have no visibility into what US policymakers in the past have done with intelligence collected on political parties. We certainly have no current limits on what Trump can do with it, aside from limits on the dissemination of the actual raw emails. We’ve always given the President great discretion on such issues, in the name of ensuring a unified foreign policy. And there are plenty of ways Trump’s administration could intervene to help Le Pen beyond just leaking any derogatory information on Macron.

All this is not to say that GRU’s reported continued attempts to hack democratic targets are not a concern (indeed, I’m at least as worried that FSB is conducting similar intelligence collection without the same easily identifiable tracks).

But it is to say that, particularly in the era where Donald Trump sets this country’s foreign policy, we need to be a lot more mindful of NSA’s own far more considerable ability to steal information on democratic candidates.


How to Spy on Carter Page

I have no personal knowledge of the circumstances surrounding the alleged wiretapping of Carter Page, aside from what WaPo and NYT have reported. But, in part because the release of the new, annual FISC report has created a lot of confusion, I wanted to talk about the legal authorities that might have been involved, as a way of demonstrating (my understanding, anyway, of) how FISA works.

FISC did not (necessarily) reject more individual orders last year

First, let’s talk about what the FISC report is. It is a new report, mandated by the USA Freedom Act. As the report itself notes, because it is new (a report covering the period after passage of USAF), it can’t be compared with past years. More importantly, because the FISA Court uses a different (and generally more informative) reporting approach, you cannot — as both privacy groups and journalists erroneously have — compare these numbers with the DOJ report that has been submitted for years (or even the I Con the Record report that ODNI has released since the Snowden leaks); that’s effectively an apples to grapefruit comparison. Those reports should be out this week, which (unless the executive changes its reporting method) will tell us how last year compared with previous years.

But comparing the 2016 report to the report from the post-USAF part of 2015 doesn’t sustain a claim that last year had record rejections. If we were to annualize the 2015 report (covering June to December 2015), which shows 5 rejected 1805/1824 orders (those are the individual orders often called “traditional FISA”) across roughly 7 months, it is actually more (.71 rejected orders a month, or .58% of all individual content applications) than the 8 rejected 1805/1824 orders in 2016 (.67 rejected orders a month, or .53% of all individual content applications). In 2016, the FISC also rejected an 1861 order (better known as Section 215), but we shouldn’t make too much of that either, given that that authority changed significantly near the end of 2015, plus we don’t have this counting methodology for previous years (as an example, 2009 almost surely would have had at least one partial rejection of an entire bulk order, when Reggie Walton refused production of Sprint records in the summertime).

Which is a long-winded way of saying we should not assume that the number of traditional content order rejections reflects the reports that FBI applied for orders on four Trump associates but got rejected (or maybe only got one approved for Page). As far as we can tell from this report, 2016 had a similar number of what FISC qualifies as rejections as 2015.

The non-approval of Section 702 certificates has no bearing on any Russian-related spying, which means Page would be subject to back door searches

Nor should my observation that the FISC did not approve any certifications for 1881a (better known as Section 702, which covers both upstream and PRISM) reflect on any Carter Page surveillance. Given past practice when issues delayed approvals of certifications, it is all but certain FISC just extended the existing certifications approved in 2015 until the matters that resulted in a delay of at least two months were resolved.

Moreover, the fact that the number of certificates (which is probably four) is redacted doesn’t mean anything either: it was redacted last year as well. That number would be interesting because it would permit us to track any expansions in the application of FISA 702 to new uses (perhaps to cover cybersecurity, or transnational crime, for example). But the number of certificates pertains to the number of people targeted only insofar as any additional certificates represent one more purpose to use Section 702 on.

In any case, Snowden documents, among other things, show that a “foreign government” certificate has long been among the existing certificates. So we should assume that the NSA has collected the conversations of known or suspected Russian spies located overseas conducted on PRISM providers; we should also assume that as a counterintelligence issue implicating domestic issues, these intercepts are routinely shared in raw form with FBI. Therefore, unless last year’s delay involved FBI’s back door searches, we should assume that when the FBI started focusing on Carter Page again last spring or summer, they would have routinely searched on his known email addresses and phone numbers in a federated search and found any PRISM communications collected. In the same back door search, they would have also found any conversations Page had with Russians targeted domestically, such as Sergey Kislyak.

The import of the breakdown between 1805 and 1824

Perhaps the most important granular detail in this report — one that has significant import for Carter Page — is the way the report breaks down authorizations for 1805 and 1824.

1805 covers electronic surveillance — so the intercept of data in motion. It might be used to collect phone calls and other telephony communication, as well as (perhaps?) email communication collected via upstream collection (that is, non-PRISM Internet communication that is not encrypted); it may well also cover prospective PRISM and other stored communication collection. 1824 covers “physical search,” which when it was instituted probably covered primarily the search of physical premises, like a house or storage unit. But it now also covers the search of stored communication, such as someone’s Gmail or Dropbox accounts. In addition, a physical search FISA order covers the search of hard drives on electronic devices.

As we can see for the first time with these reports, most individual orders cover both 1805 and 1824 (92% last year, 88% in 2015), but some will do just one or another. (I wonder if FBI sometimes gets one kind of order to acquire evidence to get the other kind?)

As filings in the Keith Gartenlaub case make clear, “physical search” conducted under a FISA order can be far more expansive than the already overly expansive searches of devices under an Article III warrant. Using a FISA 1824 order, FBI Agents snuck into Gartenlaub’s house and imaged the hard drives from a number of his devices, ostensibly looking for proof he was spying on Boeing for China. They found no evidence to support that. They did, however, find some 9-year-old child pornography files, which the government then “refound” under a criminal search warrant and used to prosecute him. Among the things Gartenlaub is challenging on appeal is the breadth of that original FISA search.

Consider how this would work with Carter Page. The NYT story on the Page order makes it clear that FBI waited until Page had left the Trump campaign before it requested an order covering him.

The Foreign Intelligence Surveillance Court issued the warrant, the official said, after investigators determined that Mr. Page was no longer part of the Trump campaign, which began distancing itself from him in early August.

I suspect this is a very self-serving description on the part of FBI sources, particularly given reports that FISC refused orders on others. But regardless of whether FISC or the FBI was the entity showing discretion, let’s just assume that someone was distinguishing any communications Page may have had while he was formally tied to the campaign from those he had after — or before.

This is a critical distinction for stored communications because (as the Gartenlaub case makes clear) a search of a hard drive can provide evidence of a completely unrelated crime that occurred nine years in the past; in Gartenlaub’s case, they reportedly used it to try to get him to spy on China, and they likely would do the equivalent for Page if they found anything. For Page, a search of his devices or stored emails in September 2016 would include emails from during his service on Trump’s campaign, as well as emails between the time Page was interviewed by FBI on suspicion of being recruited by Victor Podobnyy and the time he started on the campaign, as well as communications going back well before that. So if FISC (or, more generously, the FBI) were trying to exclude materials from during the campaign, that might involve restrictions built into the request or the final order.

The report covering 2016 for the first time distinguishes between orders FISC modifies (FISC interprets this term more broadly than DOJ has in its reports) and orders FISC partly denies. FISC will modify an order to, among other things,

(1) impos[e] a new reporting requirement or modifying one proposed by the government;

(2)  chang[e] the description or specification of a targeted person, of a facility to be subjected to electronic surveillance or of property to be searched;

(3)  modify[] the minimization procedures proposed by the government; or

(4)  shorten[] the duration of some or all of the authorities requested

Using Page as an example, if the FISC were permitting FBI to obtain communications from before the time Page joined the campaign but not during it, it might modify an order to require additional minimization procedures to ensure that none of those campaign communications were viewed by the FBI.

The FISC report explains that the court will partly deny orders “by approving some targets, some facilities, places, premises, property or specific selection terms, and/or some forms of collection, but not others.” Again, using Page as an example, if the court wanted to really protect the election related communications, it might permit a search of Page’s homes and offices under 1824, but not his hard drives, making any historic searches impossible.

There’s still no public explanation of how Section 704/Section 705b work, which would impact Page

Finally, the surveillance of Carter Page implicates an issue that has been widely discussed during and since passage of the FISA Amendments Act in 2008, but not in a way that fully supports a democratic debate: how NSA spies on Americans overseas.

Obviously, the FBI would want to spy on Page both while he was in the US, but especially when he was traveling abroad, most notably on his frequent trips to Russia.

The FISA Amendments Act for the first time required the NSA to obtain FISC approval before doing that. As I explain in this post, for years, public debate has claimed that was done under Section 703 (1881b in this report). But abundant evidence shows it is all done under 704 (1881c in this report). The biggest difference between the two, according to an internal NSA document, is the government doesn’t explain its methods in the latter case. With someone who would be spied on both in the US and overseas, that spying would be done under 705b (conducted under 1881d section b), which permits the AG to approve of spying overseas (effectively, 704 authority) for those already approved under a traditional order.

This matters in the context of spying on Carter Page for two reasons. First, as noted, the government doesn’t share details about how it spies overseas with the court. And some of the techniques we know NSA to use (such as XKeyscore searches drawing on bulk overseas collection) would seem to present additional privacy concerns on top of the domestic authorities. If the FBI (or more likely, the FISC) is going to try to bracket off any communications that occur during the period Page was associated with the campaign, that would have to be done for overseas surveillance as well, most critically, for Page’s July trip to Russia.

This report shows that 704, like the domestic authorities, also gets modified sometimes, so it may be that FISC did just that — permitted NSA to collect information covering that July meeting, but imposed some minimization procedures to protect the campaign.

But it’s unclear whether the court would have an opportunity to do so for 705b, which derives from Attorney General authorization, not court authorization. I assume that’s why 1881d was not included in this reporting requirement, but it seems adding 705b reporting to this year’s Title VII reauthorization would be a fairly minor change, one that might reveal how often the government uses more powerful overseas spying techniques on Americans. It’s unclear to me, for example, whether any modifications or partial approvals the FISC made on a joint 1805/1824 order covering Page would translate into a 705b order, particularly if the modifications in question included additional reporting to the FISC.

Carter Page might one day be the first American to get review of his FISA dossier

All of which is why, no matter what you think of Carter Page’s alleged role in influencing the Trump campaign to favor Russia, I hope he one day gets to review his FISA dossier.

No criminal defendant has ever gotten a review of the FISA materials behind the spying, in spite of clear Congressional intent, when the law was passed in 1978, to allow that in certain cases. Because of the publicity surrounding this case, and the almost unprecedented leaking about FISA orders, Page stands a better chance than anyone else of getting such review (particularly if, as competing stories from CNN and Business Insider claim, the dossier formed a key, potentially uncorroborated part of the case against him). Whatever else happens with this case, I think Page should get that review.


Thoughts on the NYT Comey Blockbuster

The NYT has a big piece on Jim Comey’s involvement in the election you should definitely read. Rather than share my thoughts in a tweet storm I thought I’d share here so we can all gab about it.

Consensus coming closer to Jim Comey being self-righteous

As long time readers know, I think Jim Comey is self-righteous. He creates a heroic self-image that is often overblown (as it was regarding the post hospital hero events). So I was happy to see this paragraph, and observations matching it, throughout the story.

Mr. Comey made those decisions with the supreme self-confidence of a former prosecutor who, in a distinguished career, has cultivated a reputation for what supporters see as fierce independence, and detractors view as media-savvy arrogance.

Comey deserves all the criticism he has gotten for his statements about the Hillary investigation. But we’re stuck with Comey for now; he’s one of the few checks against Trump’s arbitrary rule (and Comey is enough of a media hound to be able to create the space to conduct the investigation into Trump).

But one way or another I’m happy people are beginning to understand Comey not as the hospital hero, nor as a partisan, but as someone who doesn’t (or didn’t?) assess his own actions with a fair measure.

The secret David Margolis meeting

One of two really interesting new details in this story is that, when Comey was trying to decide what to do, he consulted with David Margolis, who has long been treated as the conscience of DOJ by DOJers. (See this bmaz post for more background on Margolis.)

Mr. Comey sought advice from someone he has trusted for many years. He dispatched his deputy to meet with David Margolis, who had served at the Justice Department since the Johnson administration and who, at 76, was dubbed the Yoda of the department.

What exactly was said is not known. Mr. Margolis died of heart problems a few months later. But some time after that meeting, Mr. Comey began talking to his advisers about announcing the end of the Clinton investigation himself, according to a former official.

This meeting (and the description of how they staged Margolis’ funeral so the DOJ people criticizing Comey wouldn’t have to share a stage with him) plays a weird role in the story, as if just the mention of the meeting serves to exonerate Comey’s terrible decision to announce the end of the Hillary investigation.

But what the story doesn’t note is that Comey was effectively consulting with the person who for years always intervened to make sure DOJ’s lawyers didn’t get held accountable for their misconduct (most notably, he did this for John Yoo). Now, I’m not sure whether, as FBI Director, Comey’s behavior might have been reviewed by the Office of Professional Responsibility; as it happens DOJ IG is doing so. But it is not ethical to have the guy who, later on, would bless your actions, bless them before the fact. It’s like getting pre-approval to break the rules.

Loretta Lynch should have recused

One of the details others find most interesting is that the FBI acted as they did, in part, because a Democratic operative suggested in an email that Loretta Lynch would ensure nothing came of the investigation.

During Russia’s hacking campaign against the United States, intelligence agencies could peer, at times, into Russian networks and see what had been taken. Early last year, F.B.I. agents received a batch of hacked documents, and one caught their attention.

The document, which has been described as both a memo and an email, was written by a Democratic operative who expressed confidence that Ms. Lynch would keep the Clinton investigation from going too far, according to several former officials familiar with the document.

Read one way, it was standard Washington political chatter. Read another way, it suggested that a political operative might have insight into Ms. Lynch’s thinking.

Normally, when the F.B.I. recommends closing a case, the Justice Department agrees and nobody says anything. The consensus in both places was that the typical procedure would not suffice in this instance, but who would be the spokesman?

The document complicated that calculation, according to officials. If Ms. Lynch announced that the case was closed, and Russia leaked the document, Mr. Comey believed it would raise doubts about the independence of the investigation.

I’ve got a slew of hacking related questions about this document — starting with why it hasn’t, as far as I know, been leaked. The described timing as “early last year” suggests that it may have been hacked in the FSB phase of the hacking. But the document would have solidified the narrative the Russians were reportedly fostering about Hillary.

The article doesn’t pursue those questions, but it notes that in response to finding it, Comey did not ask Lynch to recuse. He should have. You recuse not only when there’s a basis for recusal but also because of appearances. Moreover, so much awfulness could have been avoided had she recused. This was one of the big own goals of this whole mess.

CIA Directors should not meet with just one Gang of Eight member

The second detail I find most interesting in this story is that John Brennan privately briefed Harry Reid about his concerns about the Russians.

John O. Brennan, the C.I.A. director, was so concerned about the Russian threat that he gave an unusual private briefing in the late summer to Harry Reid, then the Senate Democratic leader.

Top congressional officials had already received briefings on Russia’s meddling, but the one for Mr. Reid appears to have gone further. In a public letter to Mr. Comey several weeks later, Mr. Reid said that “it has become clear that you possess explosive information about close ties and coordination between Donald Trump, his top advisors, and the Russian government — a foreign interest openly hostile to the United States.”

While I’m generally sympathetic to Democrats’ complaints that DOJ should have either remained silent about both investigations or revealed both of them, it was stupid for Brennan to give this private briefing (and I hope he gets grilled about it by HPSCI when he testifies in a few weeks). In addition to the things Reid said publicly about the investigation, it’s fairly clear he and his staffers were also behind some of the key leaks here (and, as CNN reported yesterday, leaks about the investigation actually led targets of it to alter their behavior). For reasons beyond what appears in this story, I think it likely Reid served as a cut-out for Brennan.

And that’s simply not appropriate. There may well have been reasons to avoid briefing Richard Burr (who was advising Trump). But spooks should not be sharing information with just one party. CIA did so during its torture cover-up in ways that are particularly troubling and I find this — while not as bad — equally problematic.

Two missing details: the leaks and the delayed notice to Congress

While this is already a comprehensive story (though its telling of October 7 omits key details), there are two parts that seem critical that are missing: the flood of leaks from FBI and the decision to delay notifying the Gang of Four of the CI investigation.

This week, CNN reported that the FBI was “clarifying” an earlier policy fostering more contact between FBI employees with the media in response to leaks about the Trump campaign. (Click through to read about the TV series coming out focusing on FBI heroism that the FBI exercised editorial control over!!!)

The FBI is overhauling its media policy, restricting contacts between the news media and its employees amid controversy over alleged leaks, bureau officials told CNN.

The new media policy was rolled out this week at a conference in Washington attended by FBI special agents in charge of its 56 field offices, according to officials who attended.

Media access to top officials at the FBI became more common in recent years under FBI Director James Comey, part of a transparency effort he said was aiming at demystifying the FBI and helping the public understand its mission. But the new policy appears to curtail that access.

An official familiar with the development of the new policy described it as largely a “clarification” intended to reinforce existing rules on who is authorized to talk to reporters, not a step back from Comey’s transparency initiatives.

Not only should this policy have been put in place before people leaked details of FISA orders, but it should have been put in place in early 2016, when it was clear FBI Agents were leaking details of the Hillary investigation to try to force their supervisors to expand its scope to include the Clinton Foundation.

Instead, the possibility that FBI Agents would leak was one of the reasons why Comey did what he did. The correct thing, instead of making unprecedented public statements as he did, would have been to shut down the leaking.

Additionally, according to Comey’s testimony, FBI actually delayed notifying at least the heads of the Intelligence Committees until fairly recently. The NYT acknowledges that this detail was hidden. But I’d love to understand how this departure from normal briefing affected all the other decisions (particularly in light of the Brennan meeting).

In any case, read the whole thing. It’s very frustrating. But it also lays out a series of things that Comey — and other Obama officials — should have done differently.


The Think Tank Story Actually Suggests the Think Tank Wasn’t That Important

Reuters has what at first seemed to be an important story, based on three current and four former US officials (a descriptor which can include members of Congress or their staffers) noting that a think tank close to Putin laid out a plan to influence the US election in two separate reports last year. But in fact, the story actually may undermine some of its own claims.

Before I describe the reports, consider two inconsistent claims made in the story. First, the article claims that these two reports were central to the Obama Administration’s conclusions on Russian interference.

The documents were central to the Obama administration’s conclusion that Russia mounted a “fake news” campaign and launched cyber attacks against Democratic Party groups and Clinton’s campaign, the current and former officials said.

These officials — seven of them!! — suggest there’s a tie between these two reports and the total conclusion, the fake news and the hacking.

But then later in the story, half the officials state that the reports never once mentioned the hacks. They explain that detail away by saying that the two parts of the campaign — the hacking and the propaganda — reinforced each other because RT and Sputnik do what RT and Sputnik allegedly do anyway, make the most of opportunities to cause the US discomfort.

Neither of the Russian institute documents mentioned the release of hacked Democratic Party emails to interfere with the U.S. election, according to four of the officials. The officials said the hacking was a covert intelligence operation run separately out of the Kremlin.

The overt propaganda and covert hacking efforts reinforced each other, according to the officials. Both Russia Today and Sputnik heavily promoted the release of the hacked Democratic Party emails, which often contained embarrassing details.

Again, before we get into the reports themselves, note that the sources here appear to have oversold this story. Or the Obama Administration thinking on this is … problematic. Because there’s no way two reports on propaganda — of the sort American think tanks and the CIA develop for elections and adversaries all over the world, even if the CIA doesn’t run state media outlets like Russia does to implement them — that don’t mention the hack should be presented as proof of (or proof against) the whole kit and caboodle, the hack-and-leak plus propaganda. Either these reports weren’t central to the plan, or the propaganda effort had nothing to do with the hacking one. In other words, these documents should in no way lead Obama (or us) to conclude anything about the hacking.

That’s all the more true when you consider the description of these reports.

[The seven sources] described two confidential documents from the think tank as providing the framework and rationale for what U.S. intelligence agencies have concluded was an intensive effort by Russia to interfere with the Nov. 8 election. U.S. intelligence officials acquired the documents, which were prepared by the Moscow-based Russian Institute for Strategic Studies [en.riss.ru/], after the election.

The institute is run by retired senior Russian foreign intelligence officials appointed by Putin’s office.

The first Russian institute document was a strategy paper written last June that circulated at the highest levels of the Russian government but was not addressed to any specific individuals.

It recommended the Kremlin launch a propaganda campaign on social media and Russian state-backed global news outlets to encourage U.S. voters to elect a president who would take a softer line toward Russia than the administration of then-President Barack Obama, the seven officials said.

A second institute document, drafted in October and distributed in the same way, warned that Democratic presidential candidate Hillary Clinton was likely to win the election. For that reason, it argued, it was better for Russia to end its pro-Trump propaganda and instead intensify its messaging about voter fraud to undermine the U.S. electoral system’s legitimacy and damage Clinton’s reputation in an effort to undermine her presidency, the seven officials said.

The first report was done in June (no date specified). Per the description, it didn’t even take an anti-Hillary stance, but instead an anti-Obama stance, which translates into anti-Hillary but not as strongly as it could, given Hillary’s specific actions that have infuriated Putin. The second was done in October (again, no date specified) and by description adopted a stance Republicans in this country have adopted towards elections for decades, to delegitimize elections your preferred candidate loses.

The dates matter a great deal (and I find the non-disclosure of the actual dates to be telling, whether that decision was made by the seven sources or by Reuters, as the dates would provide another detail that would allow us to assess the credibility of this story).

Let’s review the timeline of the hack-and-leak narrative. APT 29, associated with FSB, hacked the DNC during summer 2015, and stayed there, quietly. Then, according to the existing narrative, as part of the kind of operation we’ve seen many times, in mid-March 2016 APT 28, associated with GRU also hacked the DNC, as well as John Podesta. DC Leaks, which is supposed to be part of the same operation, registered its domain on April 19. As Thomas Rid pointed out yesterday, FireEye believes the same people tried to register “electionleaks” a week earlier, on April 12. A persona calling himself Guccifer 2.0 appeared on June 15 and started leaking documents currently (and not entirely correctly, I believe) attributed to the DNC hack, immediately after the WaPo and Crowdstrike revealed the hack and attributed it to Russia. Which is to say the first think tank document (which again, is described as anti-Obama, not anti-Hillary) post-dated the beginning of what is considered the hack-and-leak campaign by three months and the beginning of the set-up to leak stolen documents by two. If the report is dated after June 15, it post-dated the first Guccifer 2.0 leaks, yet made no mention of their possible exploitation as part of the propaganda campaign (there are still unexplained problems with claims about the Guccifer persona, but I will bracket them here).

Then there’s the second report, from some unrevealed date in October. Again, it’s crucially important whether the report was done before or after October 7, when even outside observers learned there was going to be a second batch of leaks because Wikileaks started releasing the Podesta emails. Nevertheless, anyone following closely would have known (at least from Roger Stone) more might be coming, and insiders in both the Democratic Party and the Kremlin knew there were more documents that could be released. But this second report once again made no mention of hacked documents, not the ones that had leaked in the summer, and not the ones that were already or were about to be leaked.

That’s some pretty remarkable disinterest in available propaganda material that everyone following closely knew about. Though it’s worth noting that the Podesta emails didn’t support the “illegitimate election” narrative being pushed by the think tank in October as well as the DNC emails that were already public and available for propaganda purposes.

Taking just the think tank documents as evidence, which is what the seven sources behind this story do in advancing them as proof, you would conclude that there was actually not a strong tie between the hack-and-leak campaign and the propaganda one, because even after the entire world knew about the former, those strategizing the latter didn’t accommodate for the former.

All of which is to say that if we’re to believe these think tank documents provided “the framework and rationale” for the Russian election operation story, then we should conclude the dominant narrative is incorrect, that there actually was no intention of coordinating the hack-and-leak part of the operation with the propaganda part, or even that the hack-and-leak wasn’t part of that grand framework. Alternately, we might conclude that these think tank documents represent what tangential people with close ties to Putin thought smart advice, but which aren’t actually proof of Putin’s intent except insofar as sycophants reflect the perceived intent of those they’re serving.

Later the article does provide an explanation that sustains the current narrative of a coordinated hack-and-leak and propaganda campaign. Even before the first strategy document that purportedly provided the rationale and framework for the campaign, Reuters’ sources reveal, the Kremlin had already instructed media outlets to favor Trump.

Four of the officials said the approach outlined in the June strategy paper was a broadening of an effort the Putin administration launched in March 2016. That month the Kremlin instructed state-backed media outlets, including international platforms Russia Today and Sputnik news agency, to start producing positive reports on Trump’s quest for the U.S. presidency, the officials said.

That order, coming from the Kremlin itself (which therefore might accommodate what Reuters’ sources call a covert campaign, even though by all reports, starting in March, the second wave of hacking stopped all effort at maintaining persistent secrecy from its targets), certainly could reflect coordination between the propaganda and the hack-and-leak parts of the campaign. It would suggest the Kremlin moved its propaganda arms at the same time APT 28 set out to ostentatiously collect what APT 29 had already been secretly collecting, documents that could provide material for the propaganda.

If so (and I have no problem interpreting it as such), then it suggests that the think tank documents should not be considered all that informative, as they appear to ignore stuff even Americans were commenting heavily on. Indeed, the story provides more evidence to suggest they weren’t that key in directing the campaign. In the US, at least, think tanks often recommend policies that coincide with (blatantly obvious) policies already chosen; it’s a good way to appear to influence policy even while chasing it. But that doesn’t mean we or anyone else should take it as definitive proof of anything.

One more comment. As stunning as it is to learn of Russian think tank documents that made no mention of the hack-and-leak campaign, or even the documents that became available as a result, months after the leaking started, it’s worth reminding that the Trump dossier, for whatever juicy evidence it presents about Trump associates potentially colluding with Russians, also doesn’t reflect any prospective knowledge of the hack-and-leak campaign (though it certainly discusses its implementation after the fact). In fact, its retrospective reports suggest that in mid-September, the consensus was that the hack-and-leak campaign was backfiring, with advisors suggesting they didn’t need to release more documents to make Hillary look “weak and stupid.” And when, five days after the Podesta emails first started coming out, the dossier reported on the emails being released, it suggested a great deal of anger within the Kremlin both that the emails hadn’t done more besides create backlash and that Trump was such a divisive figure.

The two data points, taken together, might support a close hold on the hack-and-leak effort (in spite of the obviousness with which it was carried out). But it’s worth noting that in spite of rampant leaking and some vague allegations of more, we have yet to see or learn of a data point that predicted the hack-and-leak campaign, not even via intelligence agencies that knew about the earlier APT 29 hack for nine months.

One final note. I’ve long mocked the intelligence community for calling the combined efforts of APT 28 and 29, along with the propaganda effort, “Grizzly Steppe” for the way it dissolves all distinction between the various parts of the program. This is an example of why I think it unwise: because it clouds people’s ability to assess and try to address flaws in the individual parts of the campaign which may be quite important.


The Doxing of Equation Group Hackers Raises Questions about the Legal Role of Nation-State Hackers

Update: I should have caveated this post much more strongly. I did not confirm the names and IDs released in the dump are NSA’s hackers. It could be Shadow Brokers added names to cast blame on someone else. So throughout, take this as suspected doxing, with the possibility that it is, instead, disinformation. 

In 2014, DOJ indicted five members of China’s People Liberation Army, largely for things America’s own hackers do themselves. Contrary to what you’ve read in other reporting, the overwhelming majority of what those hackers got indicted for was the theft of information on international negotiations, something the US asks its NSA (and military industrial contractor) hackers to do all the time. The one exception to that — the theft of information on nuclear reactors from Westinghouse within the context of a technology transfer agreement — was at least a borderline case of a government stealing private information for the benefit of its private companies, but even there, DOJ did not lay out which private Chinese company received the benefit.

A month ago, DOJ indicted two Russian FSB officers and two criminal hackers (one, Alexey Belan, who was already on FBI’s most wanted list) that also worked for the Russian government. Rather bizarrely, DOJ deemed the theft of Yahoo tools that could be used to collect on Yahoo customers “economic espionage,” even though it’s the kind of thing NSA’s hackers do all the time (and notably did do against Chinese telecom Huawei). The move threatens to undermine the rationalization the US always uses to distinguish its global dragnet from the oppressive spying of others: we don’t engage in economic espionage, US officials always like to claim. Only, according to DOJ’s current definition, we do.

On Friday, along with details about previously unknown, very powerful Microsoft vulnerabilities and details on the 2013 hacking of the SWIFT financial transfer messaging system, ShadowBrokers doxed a number of NSA hackers (I won’t describe how or who it did so — that’s easy enough to find yourself). Significantly, it exposed the name of several of the guys who personally hacked EastNets SWIFT service bureau, targeting (among other things) Kuwait’s Fund for Arab Economic Development and the Palestinian al Quds bank. They also conducted reconnaissance on at least one Belgian-based EastNets employee. These are guys who — assuming they moved on from NSA into the private sector — would travel internationally as part of their job, even aside from any vacations they take overseas.

In other words, ShadowBrokers did something the Snowden releases and even WikiLeaks’ Vault 7 releases have avoided: revealing the people behind America’s state-sponsored hacking.

Significantly, in the context of the SWIFT hack, it did so in an attack where the victims (particularly our ally Kuwait and an apparent European) might have the means and the motive to demand justice. It did so for targets that the US has other, legal access to, via the Terrorist Finance Tracking Program negotiated with the EU and administered by Europol. And it did so for a target that has subsequently been hacked by people who might be ordinary criminals or might be North Korea, using access points (though not the sophisticated techniques) that NSA demonstrated the efficacy of targeting years earlier and which had already been exposed in 2013. Much of the reporting on the SWIFT hack has claimed — based on no apparent evidence and without mentioning the existing, legal TFTP framework — that these hacks were about tracking terrorism finance. But thus far, there’s no reason to believe that’s all that the NSA was doing, particularly with targets like the Kuwait development fund.

Remember, too, that in 2013, just two months after NSA continued to own the infrastructure for a major SWIFT service bureau, the President’s Review Group advised that governments should not use their offensive cyber capabilities to manipulate financial systems.

Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise manipulate the financial systems;

[snip]

[G]overnments should abstain from penetrating the systems of financial institutions and changing the amounts held in accounts there. The policy of avoiding tampering with account balances in financial institutions is part of a broader US policy of abstaining from manipulation of the financial system. These policies support economic growth by allowing all actors to rely on the accuracy of financial statements without the need for costly re-verification of account balances. This sort of attack could cause damaging uncertainty in financial markets, as well as create a risk of escalating counter-attacks against a nation that began such an effort. The US Government should affirm this policy as an international norm, and incorporate the policy into free trade or other international agreements.

No one has ever explained where the PRG came up with the crazy notion that governments might tamper with the world’s financial system. But since that time, our own spooks continue to raise concerns that it might happen to us, Keith Alexander — the head of NSA for the entire 5-year period we know it to have been pawning SWIFT — is making a killing off of such fears, and the G-20 recently called for establishing norms to prevent it.

A number of the few people who’ve noted this doxing publicly have suggested that it clearly supports the notion that a nation-state — most likely Russia — is behind the Shadow Brokers leak. As such, the release of previously unannounced documents to carry out this doxing would be seen as retaliation for the US’ naming of Russia’s hackers, both in December’s election hacking related sanctions and more recently in the Yahoo indictment, to say nothing of America’s renewed effort to arrest Russian hackers worldwide while they vacation outside of Russia.

While that’s certainly a compelling argument, there may be another motive that could explain it.

In a little noticed statement released between its last two file dumps, Shadow Brokers did a post explaining (and not for the first time) that what gets called its “broken” English is instead operational security (along with more claims about what it’s trying to do). As part of that statement, Shadow Brokers claims it writes (though the tense here may be suspect) documents for the federal government and remains in this country.

The ShadowBrokers is writing TRADOC, Position Pieces, White Papers, Wiki pages, etc for USG. If theshadowbrokers be using own voices, theshadowbrokers be writing peoples from prison or dead. TheShadowBrokers is practicing obfuscation as part of operational security (OPSEC). Is being a spy thing. Is being the difference between a contractor tech support guy posing as a infosec expert but living in exile in Russia (yes @snowden) and subject matter experts in Cyber Intelligence like theshadowbrokers. TheShadowBrokers has being operating in country for many months now and USG is still not having fucking clue.

On the same day and, I believe though am still trying to confirm the timing, before that post, Shadow Brokers had reacted to a Forbes piece asking whether it was about to be unmasked (quoting Snowden), bragging that “9 months still living in homeland USA USA USA our country theshadowbrokers not run, theshadowbrokers stay and fight.” Shadow Brokers then started attacking Jake Williams for having a big mouth for writing this post, claiming to expose him as a former Equation Group member, specifically invoking OddJob (the other file released on Friday that doxed NSA hackers, though not Williams), and raising the “gravity” of talking to Q Group, NSA’s counterintelligence group.

trying so hard so helping out…you having big mouth for former member what was name of.

leak OddJob? Windows BITS persistence? CCI? Maybe not understand gravity of situation USG investigating members talked to Q group yet

theshadowbrokers ISNOT in habit of outing members but had make exception for big mouth, keep talking shit your next

Which is to say that, four days before Shadow Brokers started doxing NSA hackers, Shadow Brokers made threats against those who’ve commented on the released Shadow Brokers files specifically within the context of counterintelligence investigations, even while bragging about having gone unexposed thus far even while remaining in the United States.

Whatever else this doxing may do, it will also make the investigation into how internal NSA files have come to be plastered all over the Internet more difficult, because Shadow Brokers is now threatening to expose members of TAO.

Which is not to say such a motivation, if true, is mutually exclusive of Russia retaliating for having its own hackers exposed.

All of which brings me back to the question of norms. Even as the US has been discussing other norms about hacking in recent years, I’ve seen next to no discussion about how state hackers — and remember, this post discusses NSA hackers, including uniformed members of the Armed Services, government contractors, spies, and criminal hackers working for a state (a practice we do too, though in a different form than what Russia does) — fit into international law and norms about immunities granted to individuals acting on behalf of the state. The US seems to have been proceeding half-blindly, giving belated consideration to how the precedents it sets with its offensive hacking might affect the state, without considering how it is exposing the individuals it relies on to conduct that hacking.

If nothing else, Shadow Brokers’ doxing of NSA’s own hackers needs to change that. Because these folks have just been directly exposed to the kind of international pursuit that the US aggressively conducts against Russians and others.

Because of international legal protections, our uniformed service members can kill for the US without it exposing them to legal ramifications for the rest of their lives. The folks running our spying and justice operations, however, apparently haven’t thought about what it means that they’re setting norms that deprive our state-sponsored hackers of the same protection.

Update: I forgot to mention the most absurd example of us indicting foreign hackers: when, last year, DOJ indicted 7 Iranians for DDOS attacks. In addition to the Jack Goldsmith post linked in that post, which talks about the absurdity of it, Dave Aitel and Jake Williams talked about how it might expose people like them to international retaliation.
