The Tripartite (At Least) Structure of the Russian Hack Investigation

As I mentioned in this post, on Saturday, Reuters offered the most comprehensive description of the structure of the FBI investigation into the DNC hack. As it describes, there are “at least” three distinct probes into the hack: one led by counterintelligence agents based in DC, one in Pittsburgh targeted at the hack of the DNC itself, and one in San Francisco targeted at the Guccifer 2 persona.

That structure is interesting for a number of reasons, not least that, in recent years, FBI has assigned cyber investigative teams to geographical offices that have developed certain expertise. I’m most interested that FBI has split the Guccifer 2 side of the investigation off from the hack of the DNC.

DC: The Counterintelligence investigation

Let’s start with the DC investigation. Contrary to what you may think, a good deal of the attention on Trump’s close advisors stems from behavior that barely involves the DNC hack, if at all, and instead focuses on larger discussions of quid pro quo. Here’s what has been publicly alleged, mostly in the Trump dossier. Reminder, these are only allegations!

Paul Manafort, using Carter Page as a go-between, conducts an ongoing quid pro quo: attacks on Hillary in exchange for distracting from Ukraine issues. (PDF 8)

Carter Page conducts a meeting with Rosneft CEO (and US sanction target) Igor Sechin in Moscow. The two discuss a quid pro quo tying a 19% transfer of Rosneft to Page in exchange for the lifting of sanctions. (PDF 9, 30) On the same visit, Page meets top Kremlin official Diyevkin, where the latter explains to Page what kind of compromising information they had on both Trump and Hillary. (PDF 9)

A Kremlin figure describes Russian efforts to reach out to some in the US, including Jill Stein, Mike Flynn, and Carter Page. (PDF 15)

At a meeting in August, Yanukovych admits to Putin that he had paid off Manafort, but had covered it up. According to Steele’s sources, Putin doubts how well Yanukovych had covered his tracks. (PDF 20-21)

Trump lawyer Michael Cohen meets with Russian Presidential Administration figures, including Oleg Solodukhin, operating under the cover of the Rossotrudnichestvo organization, in Prague in August. According to two pre-election reports, this meeting was to clean up fall-out of prior contacts with Manafort (here described exclusively in terms of his involvement in Ukraine) and Page (described as the quid pro quo on sanctions). (PDF 18, 31-32) According to a post-election report, the meeting also discusses payments and cover-up of Europe-based hackers, who would be paid by both the Russians and Trump. (PDF 34-35) The role of Cohen — whose wife is Russian and whose father-in-law is a key Russian developer — as liaison to Russia is key. Note, information likely indicating intelligence sourcing is redacted in two of these reports. (PDF 30, 34)

The one other Trump figure mentioned in allegations of Russian ties, Roger Stone, is not mentioned in the dossier, though his role has exclusively been described as a potential knowing go-between with Wikileaks. (The error I mentioned I made in the OTM interview was in forgetting Cohen, whose role is central, and instead mentioning Stone.)

In other words, while allegations of involvement with Russia do touch on the DNC hack, for both Manafort and Page, the evidence focuses more on old-fashioned influence peddling. The evidence against Flynn in the dossier is exclusively that of cultivation.

Only Cohen, though, is strongly and repeatedly alleged in the dossier to have had a role in both the influence peddling and arranging — and paying! — for the DNC hack (though a weak allegation against Manafort is made in an early report).

Yesterday, NYT reported that Cohen tried to pitch a crazy “peace” deal for Ukraine to Mike Flynn not long before the latter was caught on an intercept with Russia’s Ambassador.

A week before Michael T. Flynn resigned as national security adviser, a sealed proposal was hand-delivered to his office, outlining a way for President Trump to lift sanctions against Russia.

Mr. Flynn is gone, having been caught lying about his own discussion of sanctions with the Russian ambassador. But the proposal, a peace plan for Ukraine and Russia, remains, along with those pushing it: Michael D. Cohen, the president’s personal lawyer, who delivered the document; Felix H. Sater, a business associate who helped Mr. Trump scout deals in Russia; and a Ukrainian lawmaker [named Andrii Artemenko].

Note that Sater, who has mobbed-up business ties with Trump that the latter has denied, also allegedly has worked for the CIA.

All of this is a way of saying that several of Trump’s advisors — especially Cohen — have been alleged to have dodgy ties to Russia, but much if not most of that pertains to influence peddling tied to Ukraine and sanctions imposed in retaliation for Russian involvement in Ukraine. So even beyond the different technical and security requirements of the investigation (not to mention any sensitivity involving the CIA), such an investigation sensibly would reside in FBI’s CI world. Thus the DC investigation.

Pittsburgh: The DNC hackers

As Reuters describes it, the Pittsburgh inquiry is examining who hacked the DNC (curiously, it makes no mention of John Podesta or any other hack target).

The FBI’s Pittsburgh field office, which runs many cyber security investigations, is trying to identify the people behind breaches of the Democratic National Committee’s computer systems, the officials said. Those breaches, in 2015 and the first half of 2016, exposed the internal communications of party officials as the Democratic nominating convention got underway and helped undermine support for Hillary Clinton.

The Pittsburgh case has progressed furthest, but Justice Department officials in Washington believe there is not enough clear evidence yet for an indictment, two of the sources said.

It’s not just that Pittsburgh conducts a lot of cyber security investigations — though it has been involved in some key multinational cybercrime investigations (and perhaps as importantly, infrastructure take-downs). In addition to international partnerships in those investigations, it partners closely with Carnegie Mellon’s CERT, which is best known for developing an attack on Tor that the FBI uses (the legal follow-up to the 2014 Operation Onymous operation that exposed it went through SDNY in Manhattan, though that would have been before FBI started assigning investigations by geography).

Pittsburgh is also where the most discussed indictment of a nation-state hacking group — that of Chinese People’s Liberation Army hackers, mostly for spying on negotiations — came through (most of the victim companies were there too, but that was probably because they could all serve as victims without compromising national security). I will be interested to see whether the FBI assigned this investigation to Pittsburgh before or after Crowdstrike declared the DNC hack a state-sponsored hack.

San Francisco: Guccifer 2

Finally, there is the investigation into Guccifer 2, the persona who claimed to have hacked the DNC, who took credit for handing the documents to WikiLeaks, and who allegedly had ties to DC Leaks. Here’s how Reuters describes this part of the investigation:

Meanwhile the bureau’s San Francisco office is trying to identify the people who called themselves “Guccifer 2” and posted emails stolen from Clinton campaign manager John Podesta’s account, the sources said. Those emails contained details about fundraising by the Clinton Foundation and other topics.

The language here is really curious. The strongest case that Russia’s GRU hacked a Democratic target involves Podesta. And Guccifer didn’t post any Podesta emails. Guccifer claimed to have posted Clinton Foundation documents, though the documents appeared to be DCCC documents, my comment on which elicited an unsolicited response from Guccifer.

Reuters is actually not the first outlet to report that San Francisco was investigating Guccifer. I believe credit for that goes to Ellen Nakashima’s report, the day before Obama imposed sanctions, on how the US might retaliate.

Criminal indictments of Russians might become an option, officials said, but the FBI has so far not gathered enough evidence that could be introduced in a criminal case. At one point, federal prosecutors and FBI agents in San Francisco considered indicting Guccifer 2.0, a nickname for a person or people believed to be affiliated with the Russian influence operation and whose true identity was unknown.

In December, at least, it appears the FBI did not know Guccifer’s identity, though they still believed it to be tied to Russia. Nevertheless, that part of the investigation had already been spun out to San Francisco, the other side of the country from the Pittsburgh hack investigation.

Now, there have always been reasons to doubt the interpretation that Russian metadata invoking Felix Dzerzhinsky was proof that Guccifer was Russian, rather than disinformation casting blame on Russia. Here are two more recent pieces making that argument. And in Guccifer’s most recent posting — posted on January 12 but fairly obviously written and posted in advance — the persona used proper English. Nevertheless, that’s presumably not why this part of the investigation got spun off.

There are several other possibilities explaining why the Guccifer investigation is in San Francisco. That office, too, does a ton of cyber investigations, but virtually all of those involve Bay Area companies targeted as victims. So it’s possible the San Francisco office is leading the investigation because of some tie with an area company. Guccifer posted on WordPress, which is headquartered in San Francisco, so that could explain it. It’s also possible FBI believes there is a tie between Guccifer and Shadow Brokers. The latter persona is not mentioned by Reuters, but they are surely also being investigated, perhaps even separately from the Hal Martin investigation in Maryland. If that’s the case, the victim American firewall companies exposed in the first release are all headquartered in Silicon Valley (though they were initially victimized by NSA’s TAO hackers, unless the companies knew NSA was using those back doors).

There are two other interesting cases that might suggest why the Guccifer part of the investigation is out in San Francisco. First, the corrupt government agents who stole Bitcoin while they were investigating Silk Road were investigated and tried out there. I’ve always suspected that was done to make it harder for Ross Ulbricht to access information on that investigation in discovery (if that was the intent, it worked like a charm!). I’m not suggesting there’s anything like that going on here, but I can imagine reasons why the FBI might want to firewall some parts of this investigation from others.

Finally, note that Yevgeniy Aleksandrovich Nikulin, the credential theft hacker arrested in Prague in October, was investigated out of San Francisco, explicitly because his alleged victims are also located in the Bay Area. There have always been hints that that arrest might tie into the Russian investigation (not least because Nikulin is Russian), but this would seem to suggest there’s a tangential tie to it. So perhaps by the time FBI split up this investigation that theory had been developed.

Update: Laura Rozen reminds me via Twitter that Russia’s San Francisco Consulate was one of the locales from which diplomats were expelled.

A final comment. As interesting as it is that this investigation has split into three, I find it just as interesting that EDVA is not involved in it, which is where most international hacking investigations take place. I’ve got no explanation for why that might be, but it is as interesting a question as why the Guccifer investigation got sent out to San Francisco.

One thing is clear, though: For some reason, FBI thought it best to split two parts of what has been widely believed to be a single operation — the hacking and (some of) the leaking — and conduct them completely across the country from each other.

Why We Should Remain Skeptical of the Five (!!) Congressional Investigations into the Russian Hack

I was interviewed (on Thursday) about the Flynn resignation and larger investigation into the Russia hack for Saturday’s On the Media. In what made the edit, I made one error (which I’ll explain later), but a key point I made holds. The leaking about Flynn and other Russian events is hypocritical and out of control. But it may create pressure to fix two problems with the current investigations into the Russian hack: the role of Jeff Sessions overseeing the DOJ-led investigations, and the role of Trump advisory officials Devin Nunes and Richard Burr overseeing the most appropriate congressional investigations.

In this post I’ll look at the latter conflicts. In a follow-up I’ll look at what the FBI seems to be doing.

As I noted in the interview, contrary to what you might think from squawking Democrats, there are five congressional investigations pertaining to Russian hacks, though some will likely end up focusing on prospective review of Russian hacking (for comparison, there were seven congressional Benghazi investigations). They are:

  • Senate Intelligence Committee: After months of Richard Burr — who served on Trump’s campaign national security advisory council — saying an inquiry was not necessary and going so far as insisting any inquiry wouldn’t review the dossier leaked on Trump, SSCI finally agreed to do an inquiry on January 13. Jim Comey briefed that inquiry last Friday, February 17.
  • House Intelligence Committee: In December, James Clapper refused to brief the House Intelligence Committee on the latest intelligence concluding Russia hacked the DNC with the goal of electing Trump, noting that HPSCI had been briefed all along (as was clear from some of the leaks, which clearly came from HPSCI insiders). In January, they started their own investigation of the hack, having already started fighting about documents by late January. While Ranking Democratic Member Adam Schiff has long been among the most vocal people complaining about the treatment of the hack, Devin Nunes was not only a Trump transition official, but made some absolutely ridiculous complaints after Mike Flynn’s side of some conversations got legally collected in a counterintelligence wiretap. Nunes has since promised to investigate the leaks that led to Flynn’s forced resignation.
  • Senate Armed Services Committee: In early January, John McCain announced he’d form a new subcommittee on cybersecurity, with the understanding it would include the Russian hack in its focus. Although he originally said Lindsey Graham would lead that committee, within weeks (and after Richard Burr finally capitulated and agreed to do a SSCI inquiry), McCain instead announced Mike Rounds would lead it.
  • Senate Foreign Relations Committee: In December, Bob Corker announced the SFRC would conduct an inquiry, scheduled to start in January. At a hearing in February, the topic came up multiple times, and both Corker and Ben Cardin reiterated their plans to conduct such an inquiry.
  • Senate Judiciary Subcommittee on Crime and Terrorism: After Graham was denied control of the SASC panel, he and Sheldon Whitehouse announced they’d conduct their own inquiry, including a prospective review of “the American intelligence community’s assessment that Russia did take an active interest and play a role in the recent American elections.”

All the while, some Senators — McCain, Graham, Chuck Schumer, and Jack Reed — have called for a Select Committee to conduct the investigation, though in true McCainesque fashion, the maverick has at times flip-flopped on his support of such an inquiry.

Also, while not an investigation, on February 9, Jerry Nadler issued what I consider (strictly as it relates to the Russian hack, not the other conflicts) an ill-advised resolution of inquiry calling for the Administration to release materials relating to the hack, among other materials. Democrats in both the House and Senate have introduced legislation calling for an independent commission, but have gotten no support even from the mavericky Republicans.

As you can see from these descriptions, it took pressure from other committees, especially Lindsey Graham getting control of one of the inquiries, before Richard Burr let himself be convinced by SSCI Vice Chair Mark Warner to conduct an inquiry. Thus far, Mitch McConnell has staved off any Select Committee. As soon as SSCI did claim to be launching an investigation, a bunch of Republicans tried to shut down the others, claiming it was all simply too confusing.

Let me be clear: as I noted in the OTM interview, the intelligence committees are the appropriate place to conduct this investigation, as it concerns really sensitive counterintelligence matters — people who could be witnesses to it are getting killed! — and an ongoing investigation. The only way to conduct a responsible inquiry is to do so in secret, and unless a select committee with clearance is formed, that means doing so in the dysfunctional intelligence committees.

That’s made worse by Nunes and Burr’s obvious conflicts, having served on Trump’s pre-inauguration advisory teams (at a time when Mike Flynn was chatting about ongoing sanctions with Russia), and their equally obvious disinterest in conducting the investigation. Remember that the intelligence committees successfully bolloxed up the independent investigation into Iran-Contra. While neither Nunes nor Burr is as smart as Dick Cheney, who had a key role in that intentional bolloxing, Democrats should be cognizant of the ways that such bolloxing has happened in the past.

And now that SSCI has finally started its inquiry, Ali Watkins published an uncharacteristically credulous report on Burr’s role in the investigation, slathering on the colorful vocabulary — “brutally yanked;” “underground cohort;” “dark shadow of Langley;” “Wearily, they’re trudging forward on a probe littered with potential political landmines;” — before portraying the allegedly difficult position Burr is in:

That he’s now in charge of the sweeping Russia inquiry puts the North Carolina Republican in between a rock and a hard place. Since taking over the helm of the intelligence committee, Burr has pressed for more active and aggressive oversight, and has kept a rigorous travel schedule to match. But his decisive reelection victory in November came at a cost — throughout the contentious race, Burr towed Trump’s line, and hasn’t yet directly criticized the White House publicly.

But Burr has shown no indication that he’s ever angled for a Trump administration job, and says he’s not running for re-election. How seriously he takes his obligation to carry his president’s water remains to be seen.

Burr has been slammed by colleagues in recent days, who fear he’s slow-rolling an investigation into a fast-moving story. But much of the inquiry’s slow start was due to bureaucratic wrangling — some intelligence agencies insisted products be viewed on site rather than sent to the Hill, and some of the intelligence was so tightly controlled that it was unclear if staffers could even view it.

This is just spin. There is abundant public record that Burr has thwarted oversight generally (he has said things supporting that stance throughout his history on both the Senate and House Intelligence Committees, even ignoring his role in covering up torture, and Watkins’ earlier incorrect claims about Burr’s open hearings remain only partly corrected). There is no mention in this article that Burr was on Trump’s national security advisory committee. Nor that SSCI had reason to do hearings about this hack well before January 2017, back when it might have made a difference — at precisely the time when Burr apparently had time to advise Trump about national security issues as a candidate. Plus, it ignores all the things laid out here, including Burr’s continued equivocation about whether there should even be a hearing.

There is no reason to believe Burr or Nunes intend to have a truly rigorous investigation (bizarrely, Warner seems to have had more success pushing the issue than Schiff — or Dianne Feinstein when she was Vice Chair — though that may be because the Ranking position is stronger in the Senate than in the House). And history tells us we should be wary that their investigations will be counterproductive.

As I noted, on Friday — the Friday before a recess — Jim Comey briefed the SSCI on the Russian hack. That briefing was unusual for the date (regular SSCI meetings happen on Tuesday and Thursday, and little business of any kind happens right before a recess). Reporters have interpreted that, along with the presumed silence about the content of the briefing, as a sign that things are serious. That may be true — or it may be that that was the only time a 3-hour briefing could be scheduled. In the wake of the briefing, it was reported that the SSCI sent broad preservation requests tied to the inquiry (that is, they sent the request long after the inquiry was started). And while the press has assumed no one is talking, the day after the briefing, Reuters reported outlines of at least three parts of the FBI investigation into the Russian hack, attributed to former and current government officials.

David Ignatius’ Curious Role in the Mike Flynn Story

I’m traveling again, so I’m running on delayed coverage of the Trump circus.

But I wanted to point out something that has been puzzling me: David Ignatius’ curious role in the events leading up to the forced resignation of Mike Flynn as President Trump’s National Security Adviser.

After all, Ignatius set off the events with this article. The article included two curious details. First, in an update to the story, Ignatius stated as fact that the Russian plane carrying a military choir to Syria had been shot down.

This official later added that Flynn’s initial call was to express condolences to Kislyak after the terrorist killing of the Russian ambassador to Ankara Dec. 19, and that Flynn made a second call Dec. 28 to express condolences for the shoot-down of a Russian plane carrying a choir to Syria.

Perhaps this was a mistake, but no cause for the crash has been reported (and it’d be even more curious if Trump’s people knew this was a shoot-down right away, given the lack of public accounting for it). There has been no follow-up about who shot down this plane (and little claim that it was terrorism).

More importantly for the Flynn story, Ignatius reported the December 29 calls between Sergey Kislyak and Flynn, the first public mention of them.

According to a senior U.S. government official, Flynn phoned Russian Ambassador Sergey Kislyak several times on Dec. 29, the day the Obama administration announced the expulsion of 35 Russian officials as well as other measures in retaliation for the hacking. What did Flynn say, and did it undercut the U.S. sanctions? The Logan Act (though never enforced) bars U.S. citizens from correspondence intending to influence a foreign government about “disputes” with the United States. Was its spirit violated? The Trump campaign didn’t immediately respond to a request for comment.

If the Trump team’s contacts helped discourage the Russians from a counter-retaliation, maybe that’s a good thing. But we ought to know the facts.

Ignatius not only knew of the calls, but he knew enough to ask the question — which the FBI would later pose to Flynn in an interview — about whether Flynn had undercut US sanctions. In response to his mention of the calls, other journalists followed up with Mike Pence, which ultimately led to the excused reason for Flynn’s firing, that he had lied to Pence about the calls. Frankly, that questioning also clearly led to Flynn correcting his story between February 8 and 9, which suggests he may have reviewed the transcripts in the interim.

While Ignatius’ report is mentioned in a WaPo timeline of these events, he’s not bylined in either of the two big bombshells from WaPo on this, even though up to seven journalists are mentioned.

There are two obvious explanations. First, that Ignatius’ column, which serves as a mouthpiece for the IC (and especially CIA), is not generally treated in the same way other journalism at the WaPo is. And possibly, specifically in this case, if that reference were treated as reporting rather than speculation, it might lead Trump’s leak investigation back to the source that kicked off this leak fest. But by posing it as speculative questioning, it protects that original source.

Whatever the explanation is, I think the odd circumstances surrounding the story invite further attention to two of the other questions Ignatius poses in that column. He asked, for example, whether Obama delayed his response to the Russians out of fear that Russia would do something worse to Hillary.

Did the administration worry that the Russians would take additional steps to hurt Clinton and help Trump, and might disrupt balloting itself?

According to public reports, Obama twice raised probes of registration databases directly with Putin; after the election the IC included them among Russia’s roles. What exactly was the Obama Administration worried about here?

And Ignatius also asked a question I’ve heard floated (which is one reason I focused so intently on the curious forensic details about the dossier): that the Russians themselves released the anti-Trump dossier compiled by Christopher Steele to sow further chaos (and, presumably, to hurt Trump).

Finally, what’s the chance that Russian intelligence has gamed its covert action more subtly than we realize? Applying a counter-intelligence lens, it’s worth asking whether the Russians hoped to be discovered, and whether Russian operatives fed the former MI6 officer’s controversial dossier deliberately, to sow further chaos.

Clearly, Ignatius’ source on the Flynn call with Kislyak advanced the story in a direction that led to Flynn’s firing. What else were Ignatius’ source or sources for this story trying to lead reporting to?

Four Details about Surveillance and the Flynn Ouster

It turns out Trump is on pace to fire a person every week, just like in his reality show. As you surely know, Mike Flynn has been ousted as National Security Advisor, along with his Deputy, KT McFarland.

There has been some confusion about what intelligence the spooks who just caused Flynn to be fired relied on. So let’s start with this detail from last night’s WaPo story:

After the sanctions were rolled out, the Obama administration braced itself for the Russian retaliation. To the surprise of many U.S. officials, Russian President Vladimir Putin announced on Dec. 30 that there would be no response. Trump praised the decision on Twitter.

Intelligence analysts began to search for clues that could help explain Putin’s move. The search turned up Kislyak’s communications, which the FBI routinely monitors, and the phone call in question with Flynn, a retired Army lieutenant general with years of intelligence experience.

From that call and subsequent intercepts, FBI agents wrote a secret report summarizing Flynn’s discussions with Kislyak.

That is, in response to questions elicited by Putin’s response, analysts actually read the intercepts of the Flynn-Kislyak call, which led to further monitoring of the conversations. And contrary to what HPSCI Chair Devin Nunes is whining, FBI would have access to Flynn’s side of the call right away, because they would own the tap (and in any case, they’d get unminimized copies of anything from NSA).

Some have pointed to this passage to suggest that the FBI was always listening in.

U.S. intelligence reports during the 2016 presidential campaign showed that Kislyak was in touch with Flynn, officials said. Communications between the two continued after Trump’s victory on Nov. 8, according to officials with access to intelligence reports on the matter.

It’s quite likely that’s not the case. After all, even Michael McFaul (who served as Ambassador to Russia at the beginning of the Obama Administration) said it was normal to have such calls before inauguration. Moreover, the FBI wouldn’t need to access the content of communications to learn that they were taking place. The metadata would be enough. And the actual content of the contacts would remain in some server in Utah.

Also, some have suggested that Flynn must be the Trump associate against whom a single FISA order was obtained in October. That’s unlikely, first of all, because if there were a FISA order on Flynn, then the FBI wouldn’t have needed the weird Putin response to lead them to read the actual content of calls (not to mention, the WaPo is clear that the contacts were collected as a result of normal monitoring of a foreign diplomat). Furthermore, most reports of that FISA order suggest the FBI first asked for four orders (in June and July) but only got one, in October. So it’s likely that FISA order covers another of Trump’s Russian buddies.

Finally, remember that for a great deal of SIGINT, FBI wouldn’t need a warrant. That’s because Obama changed the EO 12333 sharing rules just 4 days after the IC started getting really suspicious about Flynn’s contacts with Russia. That would make five years of intercepts available to FBI without a warrant in any counterintelligence cases, as this one is.

Update: Corrected KT McFarland instead of KC. Also, I’ve been informed she’ll stick around until Trump names a new NSA.

Why Are NINE Sources Coming Forward Now on Flynn’s Conversations with Russia?

WaPo had a huge scoop last night. Contrary to the Administration’s public claims, National Security Advisor Mike Flynn did discuss US sanctions on Russia when he spoke with Russia’s Ambassador to the US on December 29.

Flynn on Wednesday denied that he had discussed sanctions with Kislyak. Asked in an interview whether he had ever done so, he twice said, “No.”

On Thursday, Flynn, through his spokesman, backed away from the denial. The spokesman said Flynn “indicated that while he had no recollection of discussing sanctions, he couldn’t be certain that the topic never came up.”

[snip]

“They did not discuss anything having to do with the United States’ decision to expel diplomats or impose censure against Russia,” Pence said in an interview with CBS News last month, noting that he had spoken with Flynn about the matter. Pence also made a more sweeping assertion, saying there had been no contact between members of Trump’s team and Russia during the campaign. To suggest otherwise, he said, “is to give credence to some of these bizarre rumors that have swirled around the candidacy.”

Neither of those assertions is consistent with the fuller account of Flynn’s contacts with Kislyak provided by officials who had access to reports from U.S. intelligence and law enforcement agencies that routinely monitor the communications of Russian diplomats. Nine current and former officials, who were in senior positions at multiple agencies at the time of the calls, spoke on the condition of anonymity to discuss intelligence matters.

The most interesting detail in the story is that Sergei Kislyak refused to say how long he had been in contact with Flynn.

The ambassador would not discuss the origin of his relationship with Flynn.

The article describes Flynn claiming he first worked with Kislyak in conjunction with a trip to Russia he made in 2013 while in charge of DIA. But Kislyak’s silence raises questions for me about that. (Note, the Russian press was reporting even before this story that Kislyak would be replaced by Anatoly Antonov.)

But the bigger question for me is why WaPo’s astounding nine sources for this story, described as people who were in senior positions in what must be, at a minimum, FBI and CIA, are coming forward now? As WaPo notes, someone told David Ignatius (who is not bylined on yesterday’s story) about the call by January 12, but at that point didn’t share the damning contents of it. It also describes that Obama officials pulled the intercepts of Kislyak to attempt to explain why Putin didn’t respond more aggressively to the sanctions imposed on December 28. So presumably top people knew that Flynn had discussed the new sanctions within days after the conversation.

And yet we’re only hearing about it — and we are hearing about it — from a veritable flood of anonymous sources.

Perhaps the sources have decided that Flynn can’t be charged under the Logan Act (as the article notes, that’s never been done before, and doing so would criminalize conversations that are fairly normal), so now want to apply political pressure to get rid of him. Perhaps, too, the spooks have decided that Flynn’s recent actions — including an attempt to gin up war with Iran based off false claims that it launched a missile this week and struck a Saudi ship off Yemen — have become too dangerous and he must be targeted. Perhaps, even, this is retaliation for stuff related to the failed raid in Yemen.

Whatever it is, it is remarkable to see so many knives come out for Flynn in one story.


Democrats Demand DOJ Release the Information that Has Christopher Steele Hiding for His Life

I have to say, the Democrats are beginning to convince me Russia’s involvement in the DNC hack is just one hoax.

Don’t get me wrong. I believe there is plenty of evidence — in public and stuff I’ve been told by people close to the hack — that the Russians did hack the DNC and John Podesta and share those documents with Wikileaks.

But given the bozo way the Democrats are trying to politicize it, I can only conclude the Democrats think this is less serious than I have believed and than Democrats claim. That’s because they’re now demanding that FBI give them the very same information that — we’ve been told by public reporting — led former MI6 officer Christopher Steele to hide for his life.

This morning, David Corn wrote a piece complaining about “the mysterious disappearance of the biggest scandal in Washington.”

After reviewing some of the facts in this case (and asserting without proof that Putin’s interference in the election “achieved its objectives,” which is only partly backed by declassified intelligence reports on the hack) and giving an incomplete list of the congressional committees that have announced investigations into the hack, Corn gave this inventory of what he claims to be the lack of outcry over the hack.

Yet these behind-closed-doors inquiries have generated minimum media notice, and, overall, there has not been much outcry.

Certainly, every once in a while, a Democratic legislator or one of the few Republican officials who have bothered to express any disgust at the Moscow meddling (namely Sens. John McCain, Lindsey Graham, and Marco Rubio) will pipe up. House Democratic leader Nancy Pelosi days ago called on the FBI to investigate Trump’s “financial, personal and political connections to Russia” to determine “the relationship between Putin, whom he admires, and Donald Trump.” Sen. Chris Murphy (D-Conn.), responding to Trump’s comparison of the United States to Putin’s repressive regime, said on CNN, “What is this strange relationship between Putin and Trump? And is there something that the Russians have on him that is causing him to say these really bizarre things on an almost daily basis?” A few weeks ago, Graham told me he wanted an investigation of how the FBI has handled intelligence it supposedly has gathered on ties between Trump insiders and Russia. And last month, Sen. Ron Wyden (D-Ore.) pushed FBI Director James Comey at a public hearing to release this information. Yet there has been no drumbeat of sound bites, tweets, or headlines. In recent days, the story has gone mostly dark.

The funniest detail in this is how Corn describes Chris Murphy’s response to the exchange that took up the entire weekend of news — Trump’s nonplussed response when Bill O’Reilly called Putin a killer.

O’Reilly: Do you respect Putin?

Trump: I do respect him but —

O’Reilly: Do you? Why?

Trump: Well, I respect a lot of people but that doesn’t mean I’m going to get along with him. He’s a leader of his country. I say it’s better to get along with Russia than not. And if Russia helps us in the fight against ISIS, which is a major fight, and Islamic terrorism all over the world — that’s a good thing. Will I get along with him? I have no idea.

O’Reilly: But he’s a killer though. Putin’s a killer.

Trump: There are a lot of killers. We’ve got a lot of killers. What do you think — our country’s so innocent. You think our country’s so innocent?

O’Reilly: I don’t know of any government leaders that are killers.

Trump: Well — take a look at what we’ve done too. We made a lot of mistakes. I’ve been against the war in Iraq from the beginning.

O’Reilly: But mistakes are different than —

Trump: A lot of mistakes, but a lot of people were killed. A lot of killers around, believe me.

This was a Super Bowl interview, for fuck’s sake, and both before and after the interview, political pundits on both sides of the aisle were up in arms about Trump’s affinity for Putin’s murderous ways! Google counts more than 70,000 articles on the exchange.

But to Corn, that translated into only one comment from Murphy.

From there, Corn goes on to complain that the White House press briefings — which have been a noted shitshow inhabited by people like Infowars — have only featured direct questions about the investigation twice, and that the questions about Trump’s call to Putin weren’t about the investigation (as opposed to, say, Trump’s ignorant comments about the START treaty, which could get us all killed).

The crazier thing is that, best as I can tell, Mother Jones — the media outlet that David Corn has a bit of influence over — seems to have ignored the indictment of Hal Martin yesterday, the arrest on treason charges of two FSB officers, allegedly for sharing information with the US intelligence community, or even today’s Senate Foreign Relations Committee hearing on our relations with Russia. Among other things, today’s hearing discussed the hack, Trump’s comments about Putin the killer, weaponization of information, sanctions, Trump’s lukewarm support for NATO. It also included multiple Democratic calls for a bipartisan investigation and assurances from Chairman Corker and Ranking Member Cardin that that would happen.

So effectively, David Corn should be complaining about his own outlet, which isn’t covering the things relating to the hack others of us are covering.

No matter. Corn made his sort of ridiculous call, that call got liked or RTed over 3,000 times, and as if magically in response, Jerry Nadler introduced a resolution of inquiry, calling on the Administration to (in part) release any document that relates or refers to “any criminal or counterintelligence investigation targeting President Donald J. Trump, National Security Advisor Michael Flynn, Paul Manafort, Carter Page, Roger Stone, or any employee of the Executive Office of the President.”

As I’ve already noted, two FSB officers recently got arrested on treason charges, an event many people fear came in response to details revealed about this investigation and which, if so, would badly undermine any investigation. People equally wonder whether the curious death of former FSB General Oleg Erovinkin relates to the leaked Steele dossier that Corn himself played a central role in magnifying, which would represent another lost intelligence source. And, of course, there are the reports that Christopher Steele, the former MI6 officer who compiled the dossier on which these allegations rest, fled from his home out of fear for his life because of the way it got publicized.

Either Putin is a ruthless thug or he’s not. Either Steele had reason to flee because the dossier is true or he didn’t. Either this thuggery is serious or it’s just a political stunt.

I really do believe it is the former (though I have real questions about the provenance of the dossier, questions which Corn could but has not helped to provide clarity on). Which is why I’m absolutely mystified that Democrats are demanding every document pertaining to any counterintelligence investigation into it, the kind of exposure which —  recent history may already show — is totally counterproductive to actually pursuing that investigation.

As I’ll write shortly, I do deeply suspect the Senate Intelligence Committee investigation (especially) is designed to be counterproductive. The Hal Martin indictment yesterday seems to suggest FBI doesn’t have the evidence to figure out who Shadow Brokers is, even if it has ties to the DNC hack (as much evidence suggests it does). But I also think political stunts like this don’t help things.

But maybe that’s not the point?


How Hal Martin Stole 75% of NSA’s Hacking Tools: NSA Failed to Implement Required Security Fixes for Three Years after Snowden

The other day, Ellen Nakashima reported that Hal Martin, the Booz Allen contractor who has been in custody for months based on allegations he stole terabytes of NSA’s hacking tools, may be indicted this week. The story raises some interesting questions — such as how, absent some proof that Martin leaked this information to a third party, prosecutors intend to distinguish Martin’s hoarding from David Petraeus’ sharing of code word information with his girlfriend Paula Broadwell. One detail Nakashima included — that Martin had stolen “operational plans against ‘a known enemy’ of the United States” — may suggest prosecutors plan to insinuate Martin stole the information to alert that known enemy (especially if the known enemy is Russia).

All that said, the detail in Nakashima’s story that has attracted the most notice is the claim that Martin stole 75% of NSA’s hacking tools.

Some U.S. officials said that Martin allegedly made off with more than 75 percent of TAO’s library of hacking tools — an allegation which, if true, would be a stunning breach of security.

Frankly, this factoid feels a lot like the claim that Edward Snowden stole 1.5 million documents from NSA, a claim invented at least in part because Congress wanted an inflammatory detail they could leak and expand budgets with. That’s especially true given that the 75% number comes from “US officials,” which sometimes include members of Congress or their staffers.

Still, the stat is pretty impressive: even in the wake of the Snowden leak, a contractor was able to walk out the door, over time, with most of NSA’s most dangerous hacking tools.

Except it should in no way be a surprise. Consider what the House Intelligence Report on Snowden revealed, which I mentioned here. Buried way back at the end of the report, it describes how in the wake of Snowden’s leaks, NSA compiled a list of security improvements that would have stopped Snowden, which it dubbed, “Secure the Net.” This initiative included the following, among other things:

  • Imposing two person control for transferring data by removable media (making it harder for one individual to put terabytes of data on a thumb drive and walk out the door with it)
  • Reducing the number of privileged and authorized data transfer agents (making it easier to track those who could move terabytes of data around)
  • Moving towards continuous evaluation model for background investigations (which might reveal that someone had debt problems, as Martin did)
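The first two controls on that list are concrete enough to show in code. The example below is an added illustration, not anything from the HPSCI report or NSA: it enforces two-person control on a removable-media transfer request (two distinct, authorized approvers, neither of them the requester, and only a designated transfer agent may request) and then runs a simple detection over a constructed audit log, flagging any agent whose removable-media volume inside a sliding 30-day window exceeds a threshold. The agent names, approver roster, threshold and log lines are all hypothetical.

```python
"""Two-person control on removable-media transfers plus a rolling-volume
detection. Added example; names, thresholds and log lines are constructed."""
from datetime import datetime, timedelta

TRANSFER_AGENTS = {"dta.alpha", "dta.bravo"}             # hypothetical privileged DTAs
APPROVERS = {"sup.one", "sup.two", "sup.three", "dta.alpha"}  # hypothetical approvers
WINDOW = timedelta(days=30)
VOLUME_LIMIT = 200 * 1024**3   # hypothetical 200 GiB per agent per 30-day window


def check_request(requester, approvers, destination):
    """Two-person control: a removable-media transfer needs two distinct,
    authorized approvers, neither of them the requester. Returns a list of
    policy violations; an empty list means the transfer may proceed."""
    reasons = []
    if requester not in TRANSFER_AGENTS:
        reasons.append("requester is not an authorized data transfer agent")
    if destination == "removable":
        distinct = set(approvers)
        if len(distinct) < 2:
            reasons.append("two distinct approvers required")
        if requester in distinct:
            reasons.append("requester may not approve own transfer")
        unknown = distinct - APPROVERS
        if unknown:
            reasons.append("unauthorized approver(s): " + ", ".join(sorted(unknown)))
    return reasons


# Constructed audit log: timestamp, agent, destination, bytes transferred
SAMPLE_LOG = """\
2016-06-01T09:12:00 dta.alpha removable 40000000000
2016-06-10T14:03:00 dta.alpha removable 90000000000
2016-06-20T11:45:00 dta.bravo removable 5000000000
2016-06-25T16:30:00 dta.alpha removable 95000000000
2016-08-02T08:00:00 dta.alpha removable 30000000000
"""


def parse_log(text):
    """Parse the whitespace-separated audit format above into tuples."""
    events = []
    for line in text.splitlines():
        ts, agent, dest, size = line.split()
        events.append((datetime.fromisoformat(ts), agent, dest, int(size)))
    return events


def volume_alerts(events):
    """Flag any agent whose removable-media transfers within a sliding
    30-day window exceed VOLUME_LIMIT. Returns (agent, time, total) tuples;
    this is the 'slow exfiltration over time' case a per-transfer size cap
    would miss."""
    alerts = []
    per_agent = {}
    for ts, agent, dest, size in sorted(events):
        if dest != "removable":
            continue
        hist = per_agent.setdefault(agent, [])
        hist.append((ts, size))
        # keep only events that fall inside the window ending at this event
        per_agent[agent] = [(t, s) for t, s in hist if ts - t <= WINDOW]
        total = sum(s for _, s in per_agent[agent])
        if total > VOLUME_LIMIT:
            alerts.append((agent, ts, total))
    return alerts


if __name__ == "__main__":
    print(check_request("dta.alpha", ["sup.one"], "removable"))
    for alert in volume_alerts(parse_log(SAMPLE_LOG)):
        print("ALERT", alert)
```

In the constructed log, dta.alpha crosses the limit on the third June transfer (225 GB inside one window) while the August transfer, with the June events aged out, does not; an audit that only checks each transfer in isolation would see nothing unusual.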

By July 2014, the report reveals, even some of the simplest changes included in the initiative had not been implemented. On August 22, 2016 — nine days after an entity calling itself Shadow Brokers first offered to auction off what have since been verified as NSA tools — NSA reported that four of the initiatives associated with Secure the Net remained unfulfilled.

All the while, according to the prosecutors’ allegations, Martin continued to walk out of NSA with TAO’s hacking tools.

Parallel to NSA’s own Secure the Net initiative, in the intelligence authorization for 2016 the House directed the DOD Inspector General to assess NSA’s information security. I find it interesting that HPSCI had to order this review and that they asked DOD’s IG, not NSA’s IG, to do it.

DOD IG issued its report on August 29, 2016, two days after a search of Martin’s home had revealed he had taken terabytes of data and the very day he was arrested. The report revealed that NSA needed to do more than its proposed fixes under the Secure the Net initiative. Among the things it discovered, for example, is that NSA did not consistently secure server racks and other sensitive equipment in data centers, and did not extend two-stage authentication controls to all high risk users.

So more than three years after Snowden walked out of the NSA with thousands of documents on a thumb drive, DOD Inspector General discovered that NSA wasn’t even securing all its server racks.

“Recent security breaches at NSA underscore the necessity for the agency to improve its security posture,” the HPSCI report stated dryly, referring obliquely to Martin and (presumably) another case Nakashima has reported on.

Then the report went on to reveal that CIA didn’t even require a physical token for general or privileged users of its enterprise or mission systems.

So yes, it is shocking that a contractor managed to walk out the door with 75% of NSA’s hacking tools, whatever that means. But it is also shocking that even the Edward Snowden breach didn’t lead NSA to implement some really basic security procedures.


Updates from the Russian Front

I’m working on a post on the fight over Congressional investigations into the Russian hack, but for the moment I wanted to point to two other pieces of news.

Buzzfeed gets sued

First, BuzzFeed is getting sued.

One of the people named in the partial Trump dossier published by BuzzFeed last month, Aleksej Gubarev, has sued for defamation to himself and his companies, which include the hosting company Webzilla. Gubarev also sued Christopher Steele in the UK. In an interview with CNN, Gubarev described the injury suffered as a result of the publication of the unredacted dossier.

The lawsuit criticizes BuzzFeed for publishing the memos, alleging that “BuzzFeed itself admitted it had no idea what — if anything — in the dossier was truthful.”

Indeed, when the news website published the memos on January 10, it justified “publishing the full document so that Americans can make up their own minds about allegations about the president-elect that have circulated at the highest levels of the US government.”

The lawsuit notes that the BuzzFeed story has been viewed almost six million times, and the news site has written eight follow-up articles that all link back to the unsubstantiated dossier.

Before he filed the lawsuit, Gubarev spoke to CNNMoney about the damage he had already experienced from the leaked dossier.

“I’m really damaged by this story. This is why I’m ready to spend money and go to court about this,” he told CNNMoney in mid-January.

“I have a multimillion dollar business. Why do I need these connections with hackers?” he said, speaking by phone from the Mediterranean island of Cyprus where he lives. “It’s absolutely not true, and I can go to the court and say this.”

In his interview with CNNMoney, Gubarev said that three of XBT’s European bank partners froze the company’s $5 million credit line because of reports about the memos. Gubarev declined to provide CNNMoney proof of those frozen credit lines.

After the suit got filed, BuzzFeed redacted Gubarev’s name from the still-published dossier and apologized.

I’m interested in this development for several reasons. First, Donald Trump has repeatedly suggested that he might have sued Steele had the former British spy not gone into hiding. Furthermore, this feels a bit like Peter Thiel. So I wonder whether Gubarev has been advanced as a proxy to go after Buzzfeed.

Also, as noted, the (now-redacted) reference to Gubarev appears in the last entry of the partial dossier Buzzfeed published. As I explained, that last entry is significant because it post-dates any known sharing of the dossier on the part of Steele. That, plus some other aspects of the dossier as released, might have raised more caution in Buzzfeed about provenance before publication. If this suit goes forward, Gubarev would have an opportunity to probe these areas.

Wikileaks didn’t release all DNC emails

Then there’s this story, that reveals numerous DNC staffers and reporters have identified emails of theirs that didn’t get released by WikiLeaks. While multiple people quoted in the story suggest the emails may have been curated to take out worthwhile context, they also admit that there was nothing “explosive” that was excluded.

The question of whether the emails were curated in some way, to appear as damaging as possible to the Democratic Party, has long been whispered about among campaign staffers.

“There was the fact that they were released in drips and drabs, and then, the fact that entire parts of an email chain were missing, which would have given a bit of context to the discussion, but a lot of us weren’t about to say, ‘Hey, you missed some emails!’” said one Democratic Party campaign staffer, who, like others, asked for anonymity to discuss the data breach while investigations continue.

“I think it is unknown that these emails were not just dumped, there was curation happening here,” said another campaign staffer, who also requested anonymity in exchange for discussing the emails. “I would find part of an email chain, but not other parts. At times, the parts missing were the parts that would have given context to the whole discussion.”

Still, he said, among the missing emails was nothing “explosive, or holy shit… a lot of it was mundane stuff or stuff that flushed out and gave context.”

The implication in the story is that WikiLeaks curated the emails (and Assange did not answer Buzzfeed’s query about the missing files).

“The idea that Wikileaks and Julian Assange is about some kind of high minded transparency is totally completely full of shit,” said one former Democratic campaign staffer. “What they wanted was to create the maximum amount of political pain.”

There is precedent for WikiLeaks not publishing the entirety of a known dataset: in 2012, WikiLeaks’ version of the Syria Files did not include a letter from a Syrian bank to a Russian one reflecting 2 billion Euro in deposits.

[T]he Syria Files should still contain the central bank’s emails from Oct. 26, 2011, concerning its €2 billion and bank account in Moscow: For one, WikiLeaks has published several emails received by the same account (treasury@bcs.gov.sy) from that day. Secondly, the court records leaked to the Daily Dot reveal the Moscow bank’s emails were, in fact, part of the larger backup file containing numerous emails currently found on the WikiLeaks site. One such email, discussed in depth by RevoluSec members more than nine months before the WikiLeaks release, details the transfer of €5 million from a bank in Frankfurt, Germany, to a European central bank in Austria, the recipient of the email being Central Bank of Syria.

When asked about the missing file, a WikiLeaks spox responded aggressively.

In response to a request for comment, WikiLeaks said the preceding account “is speculation and it is false.” The spokesperson continued: “The release includes many emails referencing Syrian-Russian relations. As a matter of long standing policy we do not comment on claimed sources. It is disappointing to see Daily Dot pushing the Hillary Clinton campaign’s neo-McCarthyist conspiracy theories about critical media.” (WikiLeaks threatened to retaliate against the reporters if they pursued the story: “Go right ahead,” they said, “but you can be sure we will return the favour one day.”)

[snip]

Asked about the possibility it could be duped, WikiLeaks responded flatly: “All Syria files obtained by WikiLeaks have been published and are authentic.”

In both cases, of course, it is possible that WikiLeaks didn’t get all of the documents.

Indeed, perhaps the most interesting detail in this new report — one noted without considering the implications of it — is that at least some staffers at DNC had emails set to delete after 30 days.

Many of the Democratic Party campaign staffers who spoke to BuzzFeed News said it was hard to tell exactly how many messages were missing, since their emails were set to automatically delete every 30 days.

The emails go back to early 2015. Yet GRU — the Russian intelligence service to which the theft of these emails has been attributed — didn’t break in until March 2016. The emails would have been backed up (or perhaps not all staffers had their emails set to delete). But the detail may suggest other things about how the emails obtained by WikiLeaks were stolen.

Remember: when the emails were first released, FBI was unsure whether the emails hacked by GRU were the same ones released by Wikileaks.
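Whether a dump was curated, or simply never complete, is partly answerable from the messages themselves: every reply carries In-Reply-To and References headers naming the Message-IDs of what came before it, so messages that are cited but absent from the dump stand out. The example below is an added illustration, not anything from BuzzFeed’s reporting or the WikiLeaks data; it reconstructs threads from a small constructed dump in which the second message of a four-message chain is missing, and reports which Message-IDs are referenced but not present. The addresses and subjects are hypothetical.

```python
"""Find gaps in a leaked mail dump by reconstructing threads from
Message-ID / In-Reply-To / References headers. Added example; the
messages below are constructed, not real leaked mail."""
from email import message_from_string

# Constructed dump: three messages of a four-message thread (a2 is absent)
# plus one unrelated standalone message.
DUMP = [
"""Message-ID: <a1@example.org>
From: alice@example.org
Date: Mon, 2 May 2016 09:00:00 -0400
Subject: fundraiser logistics

First message.
""",
"""Message-ID: <a3@example.org>
In-Reply-To: <a2@example.org>
References: <a1@example.org> <a2@example.org>
From: carol@example.org
Date: Mon, 2 May 2016 11:00:00 -0400
Subject: Re: fundraiser logistics

Third message.
""",
"""Message-ID: <a4@example.org>
In-Reply-To: <a3@example.org>
References: <a1@example.org> <a2@example.org> <a3@example.org>
From: alice@example.org
Date: Mon, 2 May 2016 12:00:00 -0400
Subject: Re: fundraiser logistics

Fourth message.
""",
"""Message-ID: <b1@example.org>
From: dave@example.org
Date: Tue, 3 May 2016 08:00:00 -0400
Subject: unrelated

Standalone.
""",
]


def parse_dump(raw_messages):
    """Map each Message-ID to the IDs it references (References plus
    In-Reply-To) and its subject."""
    msgs = {}
    for raw in raw_messages:
        m = message_from_string(raw)
        mid = (m.get("Message-ID") or "").strip()
        refs = (m.get("References") or "").split()
        irt = (m.get("In-Reply-To") or "").strip()
        if irt and irt not in refs:
            refs.append(irt)
        msgs[mid] = {"refs": refs, "subject": m.get("Subject", "")}
    return msgs


def missing_messages(msgs):
    """Message-IDs that some dumped message cites but that are not in the
    dump; each maps to the set of dumped messages citing it."""
    missing = {}
    for mid, info in msgs.items():
        for ref in info["refs"]:
            if ref not in msgs:
                missing.setdefault(ref, set()).add(mid)
    return missing


def thread_roots(msgs):
    """Group messages by thread root: the first ID in References, or the
    message itself when it has none."""
    threads = {}
    for mid, info in msgs.items():
        root = info["refs"][0] if info["refs"] else mid
        threads.setdefault(root, set()).add(mid)
    return threads


if __name__ == "__main__":
    parsed = parse_dump(DUMP)
    for ref, citers in missing_messages(parsed).items():
        print("missing", ref, "cited by", sorted(citers))
    for root, members in thread_roots(parsed).items():
        print("thread", root, "has", len(members), "messages in dump")
```

Run against a real dump, the gaps this finds say only that a message is absent, not why: a 30-day retention policy, a partial backup, and deliberate curation all produce the same hole, which is exactly the ambiguity the staffers quoted above describe.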

Trump eyes Poland

Finally, to the actual Russian front. According to this review of Trump’s foreign policy so far, his aides have been seeking information on an alleged incursion by Poland into Belarus, a close Russian ally.

According to one U.S. official, national security aides have sought information about Polish incursions in Belarus, an eyebrow-raising request because little evidence of such activities appears to exist. Poland is among the Eastern European nations worried about Trump’s friendlier tone on Russia.

That suggests the aides in question are getting some wacky ideas from … somewhere.


The FSB Purge: Two Narratives

I first mentioned the arrest of a Kaspersky researcher for treason last week. Since then, more of the American press has been focusing on it, often simply assuming that what are now reported to be up to six arrests must have some tie to the Russian hack of the DNC and other election-related targets.

One way or another, the arrests—according to the Russian media accounts—are linked to the country’s hacking of the US election.

Such assumptions don’t even engage with some of the most obvious questions, such as what all these FSB-related arrests would have to do with the hack-and-leak of DNC and Podesta emails allegedly done by Russia’s military intelligence GRU.

Obviously, the timing of the arrests would suggest there might be a connection, but the presumption has been downright sloppy. So in an effort to unpack this story, I’m going to lay out some of the known claimed details.

Some of the better English language sources on the arrests are stories in Bloomberg, Guardian, FT, NYT, and Forbes (as well as the Brian Krebs story quoted in detail below).

Committing crimes pre-dating 2012

When news of Stoyanov’s arrest was made public, Kaspersky released a statement saying the activity pre-dated his employment at the security firm, so before 2013. That would seem to rule out involvement in the DNC hack.

Exposing King Servers as key infrastructure in Russian hacks

A more public explanation behind the purge is that Stoyanov and Mikhailov served as sources for the FBI on the investigation into the probes of the state election sites.

On August 18, the FBI released a flash about two probes of US state election websites. Among the details, it released an IP address, 5.149.249.172, associated with the probe. “The FBI received information of an additional IP address, 5.149.249.172, which was detected in the July 2016 compromise of a state’s Board of Election Web site.” Why you would need two human sources for this information, I’m not sure, but the implication in this narrative is that it came from the Russians.

On September 2, ThreatConnect released a report analyzing the IP address, tying it to other suspected Russian hacks.

However, as we looked into the 5.149.249[.]172 IP address within the FBI Flash Bulletin, we uncovered a spearphishing campaign targeting Turkey’s ruling Justice and Development (AK) Party, Ukrainian Parliament, and German Freedom Party figures from March – August 2016 that fits a known Russian targeting focus and modus operandi. As we explored malicious activity in the IP ranges around 5.149.249[.]172 we found additional linkages back to activity that could be evidence of Russian advanced persistent threat (APT) activity. This connection around the 5.149.249[.]172 activity is more suggestive of state-backed rather than criminally motivated activity, although we are unable to assess which actor or group might be behind the attacks based on the current evidence.

At the time, the guy who owns King Servers, which hosts that IP, Vladimir Fomenko, played dumb, claiming that the entities tied to the election website hacks owed him money and that the FBI had never contacted him but that he’d be happy to provide information.

More recently, Brian Krebs pulled up some of his old reporting to note that Fomenko has long-established ties to spam businessman Pavel Vrublevsky, including with these servers. Vrublevsky has been trying to implicate Mikhaylov and Stoyanov in leaking Russian investigative details to people in the west for years.

Multiple Russian media outlets covering the treason case mention that King-Servers and its owner Fomenko rented the servers from a Dutch company controlled by Vrublevsky.

Both Fomenko and Vrublevsky deny this, but the accusations got me looking more deeply through my huge cache of leaked ChronoPay emails for any mention of Mikhaylov or Stoyanov — the cybercrime investigators arrested in Russia last week and charged with treason. I also looked because in phone interviews in 2011 Vrublevsky told me he suspected both men were responsible for leaking his company’s emails to me, to the FBI, and to Kimberly Zenz, a senior threat analyst who works for the security firm iDefense (now owned by Verisign).

In that conversation, Vrublevsky said he was convinced that Mikhaylov was taking information gathered by Russian government cybercrime investigators and feeding it to U.S. law enforcement and intelligence agencies and to Zenz. Vrublevsky told me then that if ever he could prove for certain Mikhaylov was involved in leaking incriminating data on ChronoPay, he would have someone “tear him a new asshole.”

Krebs’ story would date Stoyanov’s actions to before his ties with Kaspersky, which would explain that part. But it would also suggest this might be the product of a long-standing feud — or that the long-standing feud provides cover for a fight for power within the FSB.

One thing that’s interesting about all this is that, for some time, the US intelligence community did not attribute the probes of voter registration databases to Russian intelligence. A September 20 DHS alert attributed it to criminal hackers seeking identity theft data. The October 7 ODNI/DHS statement affirmatively declined to attribute it. It was not until the January 6, 2017 report on the hacks that the IC first blamed Russian intelligence (without specifying whether it was FSB or GRU) for the probes.

So if the FSB purge pertains to revealing details about the voter database probes to US intelligence, the first US public acknowledgment of that intelligence came after most people allegedly involved in exposing the tie had been arrested (though people like former Russian Ambassador Michael McFaul were yapping about such things in public statements, and the WaPo had gotten soft leaks about it). That is, in spite of complaints that US reporting might have set off this molehunt, for the registration databases, the molehunt preceded the IC’s affirmative (public) use of the data.

Hack-and-leaking top Russians

The other major allegation against the Russians is that they were involved with a hacking group, Shaltai Boltai (which translates as Humpty Dumpty, the character from Lewis Carroll’s Through the Looking-Glass). The group has blackmailed and/or exposed the emails of a number of top Russian leaders, including Prime Minister Dmitry Medvedev and his deputy Arkady Dvorkovich.

Reports claim that Anikeev started the group years earlier, and that the FSB either tried to infiltrate it and then got swept up in it, or always had ties to it. Ultimately, though, the implication is that FSB was working both sides, using an Anonymous-modeled hacking group to acquire materials on powerful Russians even while, perhaps, using such hackers for Russian ends.

In mid-to-late October, the group released the emails of Vladislav Surkov, the architect of Putin’s Ukrainian policy. There wasn’t much revealed, though it did make it clear planning for Russia’s Ukrainian intervention went back some time. The understanding behind this narrative is that releasing these emails got too close to Putin, which led to the crack-down on the group.

Even when the emails got released, there was no public discussion of the possibility that this was US retaliation against Russia — not even after NBC published a really dick-wagging story on October 14 promising CIA retaliation. That’s the public story, anyway, which was really weird, given that exposing Putin’s plotting in Ukraine would be a really logical retaliation for the DNC hack (even if American exceptionalists like to pretend we would never do a hack and dump). The private story is different, but any private opinions I’ve heard don’t describe who might have conducted such a hack.

It’s also not entirely clear the timing works out. But it’s not clear we’ve got all those details yet.

I’m still working through these issues — and warnings from Russian observers that both of these narratives may just be convenient front stories for something else and/or for pure power consolidation are well taken.

What has also gone unmentioned is that at a time when Russia and the US would be staring each other down on a “cyber” battlefield, Putin just apparently took out a number of the key players in that field. No one has mentioned that, but even if these guys were working both sides in a manner that brought value to Putin, having them removed may leave holes in Russia’s cyber offense for the near future.

Update: This FT piece, based off an interview with what is alleged to be the last remaining Shaltai Boltai member at large, would seem to confirm that this explains the arrests (it says SB got FSB handlers in early 2016). Though I’d ask why someone would return from Thailand to apply for asylum in Estonia if Putin were after them.

Known arrestees

Colonel Sergey Mikhailov, deputy head of the Information Security Center at the FSB

Major Dmitry Dokuchaev (AKA Forb), also with ISC

Ruslan Stoyanov, now with Kaspersky, earlier with cybercrime investigation firm Indryk, and before that with the Ministry of Interior’s Cyber Crime Unit

Journalist Vladimir Anikeev, believed to have been in Ukraine and alleged to have led the hack of Vladislav Surkov

Known dates

August 18: FBI flash identifying new King Servers-related IP address used in probes of election related sites

September 2: ThreatConnect report implicating King Servers

September 5: Obama and Putin discuss hacks at G-20

September 20: DHS alert attributes voter registration probes to criminal hackers in search of PII

September 27: King Servers owner Vladimir Fomenko claims FBI hasn’t contacted him

October 7: ODNI/DHS statement on Russian hacking declines to attribute voter database hacks to Russian state

October 14: CIA preparing possible cyber response on Russia

October 23-25: Hackers release emails of Vladislav Surkov, exposing Putin’s Ukrainian plans

October 31: Obama contacts Putin on red cyber phone for first time

November 9: Anikeev reportedly detained, begins cooperating

November 26: Anonymous White House statement affirms integrity of election

December 4: Arrests of Mikhailov and Stoyanov

December 9: CIA-based leaks (based off recent human intelligence) claim DNC hack designed to get Trump elected

December 13: Last date on (partial) dossier implicating Trump

January 6, 2017: In declassified Russian Hack Report, US Intelligence Community for the first time attributes probes of voter websites to Russian intelligence (not specifying FSB or GRU): “Russian intelligence obtained and maintained access to elements of multiple US state or local electoral boards.”

January 11: Partial anti-Trump dossier published by BuzzFeed; Christopher Steele flees his home

January 23: GCHQ head Robert Hannigan quits to spend more time with his family

January 25: Kommersant announces arrests


The Ironies of the EO 12333 Sharing Expansion for Obama and Trump

In one of his first acts as leader of the Democratic party in 2008, Barack Obama flipped his position on telecom immunity under FISA Amendments Act, which cleared the way for its passage. That was a key step in the legalization of the Stellar Wind dragnet illegally launched by George Bush in 2001, the normalization of turnkey surveillance of the rest of the world, surveillance that has also exposed countless Americans to warrantless surveillance.

Bookends of the Constitutional law president’s tenure: codifying and expanding Stellar Wind

So it is ironic that, with one of his final acts as President, Obama completed the process of normalizing and expanding Stellar Wind with the expansion of EO 12333 information sharing.

As I laid out some weeks ago, on January 3, Loretta Lynch signed procedures that permit the NSA to share its data with any of America’s other 16 intelligence agencies. This gives CIA direct access to NSA data, including on Americans. It gives all agencies who jump through some hoops that ability to access US person metadata available overseas for the kind of analysis allegedly shut down under USA Freedom Act, with far fewer limits in place than existed under the old Section 215 dragnet exposed by Edward Snowden.

And it did so just as an obvious authoritarian took over the White House.

I was at a privacy conference in Europe this week (which is my partial explanation for being AWOL all week), and no one there, American or European, could understand why the Obama Administration would give Trump such powerful tools.

About the only one who has tried to explain it is former NSA lawyer Susan Hennessey in this Atlantic interview.

12333 is not constrained by statute; it’s constrained by executive order. In theory, a president could change an executive order—that’s within his constitutional power. It’s not as easy as just a pen stroke, but it’s theoretically possible.

[snip]

When they were in rewrites, they were sort of vulnerable. There was the possibility that an incoming administration would say, “Hey! While you’re in the process of rewriting, let’s go ahead and adjust some of the domestic protections.” And I think a reasonable observer might assume that while the protections the Obama administration was interested in putting into place increased privacy protections—or at the very least did not reduce them—that the incoming administration has indicated that they are less inclined to be less protective of privacy and civil liberties. So I think it is a good sign that these procedures have been finalized, in part because it’s so hard to change procedures once they’re finalized.

[snip]

I think the bottom line is that it’s comforting to a large national-security community that these are procedures that are signed off by Director of National Intelligence James Clapper and Attorney General Loretta Lynch, and not by the DNI and attorney general that will ultimately be confirmed under the Trump Administration.

Hennessey’s assurances ring hollow. That’s true, first of all, because it is actually easier to change an EO — and EO 12333 specifically — than “a pen stroke.” We know that because John Yoo did just that, in authorizing Stellar Wind, when he eliminated restrictions on SIGINT sharing without amending EO 12333 at all. “An executive order cannot limit a President,” Yoo wrote in the 2001 memo authorizing Stellar Wind. “There is no constitutional requirement for a President to issue a new executive order whenever he wishes to depart from the terms of a previous executive order. Rather than violate an executive order, the President has instead modified or waived it.” And so it was that the NSA shared Stellar Wind data with CIA, in violation of the plain language of EO 12333 Section 2.3, until that sharing was constrained in 2004.

Yes, in 2008, the Bush Administration finally changed the language of 2.3 to reflect the SIGINT sharing it had started to resume in 2007-2008. Yes, this year the Obama Administration finally made public these guidelines that govern that sharing. But recent history shows that no one should take comfort that EOs can bind a president. They cannot. The Executive has never formally retracted that part of the 2001 opinion, which in any case relies on a 1986 OLC opinion on Iran-Contra arguing largely the same thing.

No statutorily independent oversight over vastly expanded information sharing

Which brings us to whether the EO sharing procedures, as released, might bind Trump any more than EO 12333 bound Bush in 2001.

In general, the sharing procedures are not even as stringent as other surveillance documents from the Obama Administration. The utter lack of any reasonable oversight is best embodied, in my opinion, by the oversight built into the procedures. A key cog in that oversight is the Department of National Intelligence’s Privacy and Civil Liberties Officer — long inhabited by a guy, Alex Joel, who had no problem with Stellar Wind. That role will lead reviews of the implementation of this data sharing. In addition to DNI’s PCLO, NSA’s PCLO will have a review role, along with the General Counsels of the agencies in question, and in some limited areas (such as Attorney Client communications), so will DOJ’s National Security Division head.

What the oversight of these new sharing procedures does not include is any statutorily independent position, someone independently confirmed by the Senate who can decide what to investigate on her own. Notably, there is not a single reference to Inspectors General in these procedures, even where other surveillance programs rely heavily on IGs for oversight.

There is abundant reason to believe that the PATRIOT Act phone and Internet dragnets violated the restrictions imposed by the FISA Court for years in part because NSA’s IG’s suggestions were ignored, and it wasn’t until, in 2009, the FISC mandated NSA’s IG review the Internet dragnet that NSA’s GC “discovered” that every single record ingested under the program violated FISC’s rules after having not discovered that fact in 25 previous spot checks. In the past, then, internal oversight of surveillance has primarily come when IGs had the independence to actually review the programs.

Of course, there won’t be any FISC review here, so it’s not even clear whether explicit IG oversight of the sharing would be enough, but it would be far more than what the procedures require.

I’d add that the Privacy and Civil Liberties Oversight Board, which provided key insight into the Section 215 and 702 programs, also has no role — except that PCLOB is for all intents and purposes defunct at this point, and there’s no reason to believe it’ll become operational under Trump.

Obama vastly expanded information sharing with these procedures without implementing the most obvious and necessary oversight over that sharing, statutorily independent oversight.

Limits on using the dragnet to affect political processes

There is just one limit in the new procedures that I think will have any effect whatsoever — but I think Trump may have already moved to undercut it.

The procedures explicitly prohibit what everyone should be terrified about under Trump — that he’ll use this dragnet to persecute his political enemies. Here’s what that prohibition looks like.

Any IC element that obtains access to raw SIGINT under these Procedures will:

[snip]

Political process in the United States. Not engage in any intelligence activity authorized by these Procedures, including disseminations to the White House, for the purpose of affecting the political process in the United States. The IC element will comply with the guidance applicable to NSA regarding the application of this prohibition. Questions about whether a particular activity falls within this prohibition will be resolved in consultation with the element’s legal counsel and the General Counsel of the Office of the Director of National Intelligence (ODNI) (and the DoD’s Office of the General Counsel in the case of a DoD IC element).

If you need to say the IC should not share data with the White House for purposes of affecting the political process, maybe your info sharing procedures are too dangerous?

Anyway, among the long list of things the IC is not supposed to do, this is the only one that I think is so clear that it would likely elicit leaks if it were violated (though obviously that sharing would have to be discovered by someone inclined to leak).

All that said, note who is in charge of determining whether something constitutes affecting political processes? The IC agency’s and ODNI’s General Counsel (the latter position is vacant right now). Given that the Director of National Intelligence is one of the positions that just got excluded from de facto participation in Trump’s National Security Council (in any case, Republican Senator Dan Coats has been picked for that position, which isn’t exactly someone you can trust to protect Democratic or even democratic interests), it would be fairly easy to hide even more significant persecution of political opponents.

FBI and CIA’s expanded access to Russian counterintelligence information

There is, however, one aspect of these sharing guidelines that may work to limit Trump’s power.

In the procedures, the conditions on pages 7 and 8 under which an American can be spied on under EO 12333 are partially redacted. But the language on page 11 (and in some other parallel regulations) makes clear one purpose for which such surveillance would be acceptable, as in this passage.

Communications solely between U.S. persons inadvertently retrieved during the selection of foreign communications will be destroyed upon recognition, except:

When the communication contains significant foreign intelligence or counterintelligence, the head of the recipient IC element may waive the destruction requirement and subsequently notify the DIRNSA and NSA’s OGC;

Under these procedures generally, communications between an American and a foreigner can be read. But communications between Americans must be destroyed except if there is significant foreign intelligence or counterintelligence focus. This EO 12333 sharing will be used not just to spy on foreigners, but also to identify counterintelligence threats (which would presumably include leaks but especially would focus on Americans serving as spies for foreign governments) within the US.

Understand: On January 3, 2017, amid heated discussions of the Russian hack of the DNC and public reporting that at least four of Trump’s close associates may have had inappropriate conversations with Russia, conversations that may be inaccessible under FISA’s probable cause standard, Loretta Lynch signed an order permitting the bulk sharing of data to (in part) find counterintelligence threats in the US.

This makes at least five years of information collected on Russian targets available, with few limits, to both the CIA and FBI. So long as the CIA or FBI were to tell DIRNSA or NSA’s OGC they were doing so, they could even keep conversations between Americans identified “incidentally” in this data.

I still don’t think giving the CIA and FBI (and 14 other agencies) access to NSA’s bulk SIGINT data with so little oversight is prudent.

But one of the only beneficial aspects of such sharing might be if, before Trump inevitably uses bulk SIGINT data to persecute his political enemies, CIA and FBI use such bulk data to chase down any Russian spies that may have had a role in defeating Hillary Clinton.
