Posts

The Kushner-Comey Connection

/16 Comments/in , /by

The WaPo is reporting that the FBI probe into ties between Russia and Trump’s campaign is looking at a person still in the White House, in addition to Mike Flynn and Paul Manafort.

The law enforcement investigation into possible coordination between Russia and the Trump campaign has identified a current White House official as a significant person of interest, showing that the probe is reaching into the highest levels of government, according to people familiar with the matter.

Further down in the article, WaPo names some people that might be this other person of interest — but just one of them is actually in the White House.

Current administration officials who have acknowledged contacts with Russian officials include President Trump’s son-in-law, Jared Kushner, as well as Attorney General Jeff Sessions and Secretary of State Rex Tillerson.

Still further down, the WaPo covers what first got me believing Jared Kushner is the ultimate target of this probe: his meeting with Sergey Gorkov, the FSB-trained head of the sanctioned Russian bank, Vnesheconombank.

The White House also has acknowledged that Kushner met with Kislyak, the Russian ambassador to the United States, in late November. Kushner also has acknowledged that he met with the head of a Russian development bank, Vnesheconombank, which has been under U.S. sanctions since July 2014. The president’s son-in-law initially omitted contacts with foreign leaders from a national security questionnaire, though his lawyer has said publicly he submitted the form prematurely and informed the FBI soon after that he would provide an update.

Vnesheconombank handles development for the state, and in early 2015, a man purporting to be one of its New York-based employees was arrested and accused of being an unregistered spy.

That man — Evgeny Buryakov — ultimately pleaded guilty and was eventually deported. He had been in contact with former Trump adviser Carter Page, though Page has said he shared only “basic immaterial information and publicly available research documents” with the Russian. Page was the subject of a secret warrant last year issued by the Foreign Intelligence Surveillance Court, based on suspicions he might have been acting as an agent of the Russian government, according to people familiar with the matter. Page has denied any wrongdoing, and accused the government of violating his civil rights.

As I’ve noted since, there was a lot of smoke coming from Kushner’s direction: first, SSCI’s explicit interest in interviewing Kusher and then two competing stories about a Trump request for CIA’s Sergey Kislyak dossier that only makes sense if the audience were Kushner, not Flynn.

But there are a few more dots (in addition to people claiming to have confirmed this point) that support the idea that Kushner is the ultimate target here, and that Trump, in his clumsy attempts to protect Mike Flynn by firing Jim Comey, is actually attempt to protect the father of his grandchildren.

Back on March 2, Jim Comey’s then still secret Twitter account favorited this NYT article disclosing that Mike Flynn had a previously undisclosed face-to-face meeting with Sergey Kislyak at Trump Tower. (h/t TC)

Michael T. Flynn, then Donald J. Trump’s incoming national security adviser, had a previously undisclosed meeting with the Russian ambassador in December to “establish a line of communication” between the new administration and the Russian government, the White House said on Thursday.

Jared Kushner, Mr. Trump’s son-in-law and now a senior adviser, also participated in the meeting at Trump Tower with Mr. Flynn and Sergey I. Kislyak, the Russian ambassador. But among Mr. Trump’s inner circle, it is Mr. Flynn who appears to have been the main interlocutor with the Russian envoy — the two were in contact during the campaign and the transition, Mr. Kislyak and current and former American officials have said.

[snip]

They generally discussed the relationship and it made sense to establish a line of communication,” Ms. Hicks said. “Jared has had meetings with many other foreign countries and representatives — as many as two dozen other foreign countries’ leaders and representatives.”

The story was presented as White House confirmation of earlier New Yorker reporting that Kushner had the meeting, with the White House newly disclosing Flynn’s presence at it. But we now know that the representation that Kushner’s meeting with Kislyak was just one of a slew of meetings with foreign leaders wasn’t quite right. He had sent an aide to a subsequent meeting, and coming out of that meeting, he met with Gorkov, basically meeting with someone personally lobbying to get rid of Ukraine-related sanctions.

Later that month, though, Mr. Kislyak requested a second meeting, which Mr. Kushner asked a deputy to attend in his stead, officials said. At Mr. Kislyak’s request, Mr. Kushner later met with Sergey N. Gorkov, the chief of Vnesheconombank, which the United States placed on its sanctions list after President Vladimir V. Putin of Russia annexed Crimea and began meddling in Ukraine.

Of course, while we only learned that fact later, when Comey favorited that story on March 2, he would have known the full details of the follow-up communications. In other words, he would recognize that story as yet another case of the White House hiding Russian communications. He would also likely already know that Kushner had not included that meeting on his security clearance form.

We only learned that story on March 27, when the NYT revealed the Senate Intelligence Committee wanted to interview Kushner about the meeting. As I noted at the time, the discussion between Gorkov and Kushner, coming before Flynn’s December 29 discussions with Kislyak, would dramatically change the connotation of Flynn’s discussions of sanctions. Because, while the immediate context of the December 29 discussions would have been the new hacking related sanctions imposed on December 28, with the prior meeting with Gorkov, they would likely also include the Ukrainian ones. That was the payoff discussed in any quid pro quo related to the election: Putin would help elect Trump, and in exchange Trump would end economic sanctions.

Of course, to make the argument that Flynn was offering to give Russia the payoff for the election-related help, you’d have to get Flynn to cooperate. If you got Flynn to cooperate, he’d be able to tell the FBI whether or not those December 29 conversations pertained just to the hacking sanctions or also to the Ukrainian ones.

The FBI has a great many things they can and will use to get Flynn to cooperate, including his undisclosed foreign payments and his lies to the FBI in his January 24 interview.

[Large section based off erroneous reading of Wittes’ post removed.]

When Trump fired Comey, he claimed that Comey had thrice told him “he” wasn’t under investigation. Even assuming Comey did, consider how Trump would understand that and how normal people would. To us, “he” would include just Trump. But to someone like Trump whose only real loyalty is to family, “he” would include his family. Including Kushner.

Trump may well think Flynn is a nice man that deserves his loyalty. More likely, though, Trump knows that Flynn could sink his son-in-law. I believe that’s why Trump had to fire Comey in an effort to undercut the Flynn investigation.

And Rod Rosenstein, the survivor, just picked a partner from the firm of Kushner and Ivanka’s lawyer Jamie Gorelick, Robert Mueller, to take over the investigation into Flynn.

Update: Sure enough, Reuters is reporting that Mueller, by design, may not be able to investigate Kushner or Paul Manafort.

Within hours of Mueller’s appointment on Wednesday, the White House began reviewing the Code of Federal Regulations, which restricts newly hired government lawyers from investigating their prior law firm’s clients for one year after their hiring, the sources said.

An executive order signed by Trump in January extended that period to two years.

Mueller’s former law firm, WilmerHale, represents Trump’s son-in-law Jared Kushner, who met with a Russian bank executive in December, and the president’s former campaign manager Paul Manafort, who is a subject of a federal investigation.

Legal experts said the ethics rule can be waived by the Justice Department, which appointed Mueller. He did not represent Kushner or Manafort directly at his former law firm.

If the department did not grant a waiver, Mueller would be barred from investigating Kushner or Manafort, and this could greatly diminish the scope of the probe, experts said.

Minority Report: A Look at Timing of WannaCry and Trump’s Spillage

/13 Comments/in , /by

CAVEAT: Note well these two points before continuing —

1) Check the byline; this is Rayne, NOT Marcy; we may have very different opinions on matters in this post.

2) This post is SPECULATIVE. If you want an open-and-shut case backed by unimpeachable evidence this is not it. Because it addresses issues which may be classified, there may never be publicly-available evidence.

Moving on…

Like this past week’s post on ‘The Curious Timing of Flynn Events and Travel Ban EO‘, I noticed some odd timing and circumstances. Event timing often triggers my suspicions and the unfolding of the WannaCry ransomware attack did just that. WannaCry didn’t unfold in a vacuum, either.

Timeline (Italics: Trump spillage)

13-AUG-2016 — Shadow Brokers dumped first Equation Group/NSA tools online

XX-XXX-201X — Date TBD — NSA warned Microsoft about ETERNALBLUE, the exploit which Microsoft identified as MS17-010. It is not clear from report if this warning occurred before/after Trump’s inauguration.

XX-FEB-2017 — Computer security firm Avast Software Inc. said the first variant of WannaCry was initially seen in February.

14-MAR-2017 — Microsoft released a patch for vulnerability MS17-010.

14-APR-2017 — Easter weekend — Shadow Brokers dumps Equation Group/NSA tools on the internet for the fifth time, including ETERNALBLUE.

(Oddly, no one noted the convenience to Christian countries celebrating a long holiday weekend; convenient, too, that both western and eastern Orthodox Christian sects observed Easter on the same date this year.)

10-MAY-2017White House meeting between Trump, Foreign Minister Sergei Lavrov, and Ambassador Sergey Kislyak. No US media present; Russian media outlet TASS’ Washington bureau chief and a photographer were, however.

12-MAY-2017 — ~8:00 a.m. CET — Avast noticed increased activity in WannaCry detections.

[graphic: Countries with greatest WannaCry infection by 15-MAY-2017; image via Avast Software, Inc.]

12-MAY-2017 — 3:24 a.m. EDT/8:24 a.m. BST London/9:24 a.m. CET Madrid/10:24 a.m. MSK Moscow — early reports indicated telecommunications company Telefonica had been attacked by malware. Later reports by Spanish government said, “the attacks did not disrupt the provision of services or network operations…” Telefonica said the attack was “limited to some computers on an internal network and had not affected clients or services.”

12-MAY-2017 — 10:00 a.m. CET — WannaCry “escalated into a massive spreading,” according to Avast.

12-MAY-2017 — timing TBD — Portugal Telecom affected as was UK’s National Health Service (NHS). “(N)o services were impacted,” according to Portugal Telecom’s spokesperson. A Russian telecom firm was affected as well, along with the Russian interior ministry.

12-MAY-2017 — ~6:23 p.m. BST — Infosec technologist MalwareTechBlog ‘sinkholes’ a URL to which WannaCry points during execution. The infection stops spreading after the underlying domain is registered.

13-MAY-2017 — Infosec specialist MalwareTechBlog posts a tick-tock and explainer outlining his approach to shutting down WannaCry the previous evening

15-MAY-2017 — ~5:00 p.m. EDT — Washington Post reported Trump disclosed classified “code worded” intelligence to Lavrov and Kislyak during his meeting the previous Wednesday.

16-MAY-2017 — National Security Adviser H. R. McMaster said “I wanted to make clear to everybody that the president in no way compromised any sources or methods in the course of this conversation” with Lavrov and Kislyak. But McMaster did not say information apart from sources or methods had been passed on; he did share that “‘the president wasn’t even aware of where this information came from’ and had not been briefed on the source.”

The information Trump passed on spontaneously with the Russian officials was related to laptop bomb threats originating from a specific city inside ISIS-held territory. The city was not named by media though it was mentioned by Trump.

16-MAY-2017 — Media outlets reported Israel was the ally whose classified intelligence was shared by Trump.

Attack attribution

You’ll recall I was a skeptic about North Korea as the source of the Sony hack. There could be classified information cinching the link, but I don’t have access to it. I remain skeptical since Sony Group’s entities leaked like sieves for years.

I’m now skeptical about the identity of the hacker(s) behind WannaCry ransomware this past week.

At first it looked like Russia given Cyrillic character content within the malware. But this map didn’t make any sense. Why would a Russian hacker damage their own country most heavily?

[graphic: WannaCry distribution; image via BBC]

The accusations have changed over time. North Korea has been blamed as well as the Lazarus Group. Convenient, given the missile test this past week which appeared focused on rattling Russia while President Putin was attending a conference in China. And some of the details could be attributed to North Korea.

But why did the ransomware first spread in Spain through telecom Telefonica? Why did it spread to the UK so quickly?

This didn’t add up if North Korea is the origin.

Later reports said the first infections happened in western Asia; the affected countries still don’t make sense if North Korea is the perpetrator, and/or China was their main target.

Malware capability

Given the timing of the ransomware’s launch and the other events also unfolding concurrently — events we only learned about last evening — here’s what I want to know:

Can vulnerability MS17-010, on which WannaCry was based, be used as a remote switch?

Think about the kind and size of laptops still running Windows XP and Windows 8, the operating systems Microsoft had not patched for the Server Message Block 1.0 (SMBv1) vulnerability. They’re not the slim devices on which Windows 10 runs; they’re heavier, more often have hard disk drives (HDDs) and bulkier batteries. I won’t go into details, but these older technologies could be replaced by trimmer technologies, leaving ample room inside the laptop case — room that would allow an older laptop to host other resources.

Let’s assume SMBv1 could be used to push software; this isn’t much of an assumption since this is what WannaCry does. Let’s assume the software looks for specific criteria and takes action or shuts down depending on what it finds. And again, it’s not much of an assumption based on WannaCry and the tool set Shadow Brokers have released to date.

Let’s assume that the software pushed via SMBv1 finds the right criteria in place and triggers a detonation.

Yes. A trigger. Not unlike Stuxnet in a way, though Stuxnet only injected randomness into a system. Nowhere near as complicated as WannaCry, either.

Imagine an old bulky laptop running Windows XP, kitted out internally as an IED, triggered by a malware worm. Imagine several in a cluster on the same local network.

Is this a realistic possibility? I suspect it is based on U.S. insistence that a thinly-justified laptop ban on airplanes is necessary.

Revisit timing

Now you may grasp why the timing of events this past week gave me pause, combined with the details of location and technology.

The intelligence Trump spilled to Lavrov and Kislyak had been linked to the nebulous laptop threat we’ve heard so much about for months — predating the inauguration. Some outlets have said the threat was “tablets and laptops” or “electronic devices” carried by passengers onto planes, but this may have been cover for a more specific threat. (It’s possible the MS17-010 has other counterparts not yet known to public so non-laptop threats can’t be ruled out entirely.)

The nature of the threat may also offer hints at why an ally’s assets were embedded in a particular location. I’ll leave it to you to figure this out on your own; this post has already spelled out enough possibilities.

Trump spilled, the operation must be rolled up, but the roll up also must include closing backdoors along the way to prevent damage if the threat has been set in motion by Trump’s ham-handed spillage.

Which for me raises these questions:

1) Was Shadow Brokers the force behind WannaCry — not just some hacker(s) — and not just the leaking of the underlying vulnerability?

2) Was WannaCry launched in order to force telecoms and enterprise networks, device owners, and Microsoft to patch this particular vulnerability immediately due to a classified ‘clear and present danger’?

3) Was WannaCry launched to prevent unpatched MS17-010 from being used to distribute either a malware-as-trigger, or to retaliate against Russia — or both? The map above shows a disproportionate level of impact suggesting Russia was a potential target if secondary to the operation’s aim. Or perhaps Russia screwed itself with the intelligence entities behind Shadow Brokers, resulting in a lack of advance notice before WannaCry was unleashed?

4) Was WannaCry launched a month after the Shadow Brokers’ dump because there were other increasing threats to the covert operation to stop the threat?

5) Are Shadow Brokers really SHADOW BROKERS – a program of discrete roll-up operations? Is Equation Group really EQUATION GROUP – a program of discrete cyber defense operations united by a pile of cyber tools? Are their interactions more like red and blue teams?

6) Is China’s response to WannaCry — implying it was North Korea but avoiding directly blaming them — really cover for the operation which serves their own (and Microsoft’s) interests?

The pittance WannaCry’s progenitor raised in ransom so far and the difficulty in liquidating the proceeds suggests the ransomware wasn’t done for the money. Who or what could produce a snappy looking ransomware project and not really give a rat’s butt about the ransom?

While Microsoft complains about the NSA’s vulnerability hording, they don’t have much to complain about. WannaCry will force many users off older unsupported operating systems like XP, Win 7 and 8, and Windows Server 2003 in a way nothing else has done to date.

[graphic: 5-year chart, MSFT performance via Google Finance]

Mother’s Day ‘gift’?

I confess I wrestled with writing this; I don’t want to set in motion even more ridiculous security measures that don’t work simply because a software company couldn’t see their software product had an inherent risk, and at least one government felt the value of that risk as a tool was worth hiding for years. It’s against what I believe in — less security apparatus and surveillance, more common sense. But if a middle-aged suburban mom in flyover country can line up all these ducks and figure out how it works, I could’t just let it go, either.

Especially when I figured out the technical methodology behind a credible threat on Mother’s Day. Don’t disrespect the moms.

Hot and Cold Running Sources and Methods Outrage

/30 Comments/in /by

Let’s stipulate that Donald Trump is an incompetent president. Let’s stipulate that his fondness for the Russians exhibits at least naiveté about their intentions, if not out and out compromise. Let’s agree that when he fucks up, it is fair game to scream about it as a way to limit his power. Let’s acknowledge ruefully, again, that the man who got elected heckling “Lock her up!” continues to engage in far more egregious mistreatment of classified information than an email server.

But it’s worth looking at one paragraph in the WaPo story on how Donald Trump shared code word intelligence with the two Russian Sergeys, Foreign Minister Sergey Lavrov and the omnipresent Ambassador to the US Sergey Kislyak last week.

First, some background.

The whole point of the story, which is sourced to “current and former U.S. officials,” just one of whom is described as a former intelligence official (meaning the others could be members of Congress), is that Trump’s actions are particularly egregious because he revealed the city from which ISIS was allegedly plotting a laptop attack on US planes that has led US Homeland Security to consider ineffective bans on laptops in passenger areas of planes.

Trump went on to discuss aspects of the threat that the United States learned only through the espionage capabilities of a key partner. He did not reveal the specific intelligence-gathering method, but he described how the Islamic State was pursuing elements of a specific plot and how much harm such an attack could cause under varying circumstances. Most alarmingly, officials said, Trump revealed the city in the Islamic State’s territory where the U.S. intelligence partner detected the threat. [my emphasis]

Revealing the city, these US officials sharing the information anonymously because of “the sensitivity of the subject” explain, might help ID the US ally or capability involved in revealing this laptop threat.

The identification of the location was seen as particularly problematic, officials said, because Russia could use that detail to help identify the U.S. ally or intelligence capability involved. Officials said the capability could be useful for other purposes, possibly providing intelligence on Russia’s presence in Syria. Moscow would be keenly interested in identifying that source and perhaps disrupting it.

Hmmm. How many cities does ISIS still hold…?

The other problem with sharing this information is that it is not ours to share. This ally gets very frustrated when it discovers we shared information that it hasn’t permitted us to share.

At a more fundamental level, the information wasn’t the United States’ to provide to others. Under the rules of espionage, governments — and even individual agencies — are given significant control over whether and how the information they gather is disseminated, even after it has been shared. Violating that practice undercuts trust considered essential to sharing secrets.

[snip]

At a more fundamental level, the information wasn’t the United States’ to provide to others. Under the rules of espionage, governments — and even individual agencies — are given significant control over whether and how the information they gather is disseminated, even after it has been shared. Violating that practice undercuts trust considered essential to sharing secrets.

The officials declined to identify the ally but said it has previously voiced frustration with Washington’s inability to safeguard sensitive information related to Iraq and Syria.

“If that partner learned we’d given this to Russia without their knowledge or asking first, that is a blow to that relationship,” the U.S. official said.

So: bad to share because this ally gets to veto any sharing of this information, and “if that partner learned we’d given this to Russia without their knowledge or asking first, that is a blow to that relationship.” And especially bad to share the city (even though there can’t be many possibilities) because that would make it easier to figure out the underlying sources and methods.

This stuff is so sensitive, the WaPo explains, that if anyone else were to share it (with an adversary, they caveat), it’d be illegal.

For almost anyone in government, discussing such matters with an adversary would be illegal.

You with me so far? Sharing bad without okay of frustrated ally, sharing location especially bad, illegal if you’re not the President.

Okay. Now read this paragraph:

The Post is withholding most plot details, including the name of the city, at the urging of officials who warned that revealing them would jeopardize important intelligence capabilities.

So multiple people learned of this event, and went out and leaked it (which is illegal to do for most anyone besides the President, the WaPo helpfully notes), not just with the WaPo’s two reporters, but with reporters from Buzzfeed, NYT, WSJ, and more. They leaked it to reporters who they presumably knew would then report it, alerting the frustrated ally that Trump had shared the information, which is a blow to that relationship, and also alerting the frustrated ally that they then proceeded to go leak it more.

I’m confused, is that a blow to that relationship too, leaking the sharing so it can be revealed? Or did, say, the Saudis call up a bunch of members of Congress and former spooks and permit them to leak this to the press so Donald and his close relationship with the Russians can be undermined?

And these sources who are outraged that Trump shared the city where our frustrated ally that shouldn’t learn we’re leaking it without its permission learned of the plot? These sources shared plot details, including the name of the city, with journalists whose job it is to publish stuff like this, though the journalists didn’t share it with us or the Russians.

Now, I’ll grant you, WaPo’s reporters aren’t an adversary (depending on who you ask), though neither are they tasked with keeping a nation that has already lost a plane to ISIS safe. WaPo’s reporters aren’t fighting for power in Syria like Russia (and our frustrated ally), so they can’t personally use this information for advantage there.

So, yeah, it’s different. But these very outraged sources are still sharing the information that it is so outrageous to share.

Me? I’m hoping all this sharing and leaking about sharing will reveal what the underlying threat really is supposed to be. Because some of our frustrated allies have a habit of exaggerating threats so we implement stupid transportation policies and grow ever more reliant on their intelligence that they seem to keep sharing even though it seems to keep getting leaked.

The Implications of the Competing Flynn-Billingslea Stories

/4 Comments/in /by

In advance of Sally Yates’ testimony Monday, the WaPo and AP have released stories on concerns about Mike Flynn’s ties with Russia during the transition period.

The stories themselves are interesting enough. But that and how they differ make them all the more interesting.

The WaPo story makes the Trump White House — and very specifically Marshall Billingslea, whom Trump recently nominated to be Treasury’s terrorist finance Assistant Secretary — look the hero of a story about warnings Trump’s people gave Mike Flynn about Russia. In this version, after growing concerned that Flynn had showed more interest in meeting Sergey Kislyak than any of the other ambassadors who were pestering him for meetings, Billingslea intervened to obtain CIA’s profile of Kislyak in time for a November 28 meeting Flynn and (though this receives far less emphasis) Jared Kushner attended.

Billingslea warned Flynn that Kislyak was likely a target of U.S. surveillance and that his communications — whether with U.S. persons or superiors in Moscow — were undoubtedly being monitored by the FBI and National Security Agency, according to officials familiar with the exchange. Flynn, a retired Army lieutenant general who led the Defense Intelligence Agency, would presumably have been aware of such surveillance.

Billingslea then said that he would obtain a copy of the profile of Kislyak, officials said, a document that Billingslea urged Flynn to read if he were going to communicate with the Russian envoy. Flynn’s reaction was noncommittal, officials said, neither objecting to the feedback nor signaling agreement.

Shortly thereafter, during the week of Nov. 28, Billingslea and other transition officials met with lower-level Obama administration officials in the Situation Room at the White House.

At the end of the meeting, which covered a range of subjects, Billingslea asked for the CIA profile. “Can we get material on Kislyak?” one recalled Billingslea asking.

Days later, Flynn took part in a meeting with Kislyak at Trump Tower. White House spokeswoman Hope Hicks has confirmed that both Flynn and Jared Kushner, Trump’s adviser and son-in-law, took part in that session, which was not publicly disclosed at the time.

In that story of the Trump Administration’s effort to warn off someone who (unlike the barely mentioned Kushner) had spent a lifetime working with spies of spying, the CIA dossier, which reportedly doesn’t say Kislyak is a spy (though other outlets have claimed he is this year) gets placed in the transition SCIF.

The CIA bio on Kislyak was placed in a room in the Trump transition offices set up to handle classified material. Officials familiar with the document said that even if Flynn had read it, there was little in it that would have triggered alarms.

The file spanned three or four pages, describing Kislyak’s diplomatic career, extensive involvement in arms negotiations, and reputation as a determined proponent of Russian interests. It noted that he routinely reported information back to Moscow and that any information he gathered would be shared with Russia’s intelligence services. But the file did not say Kislyak was a spy.

Compare that key detail to something that appears in the AP version, which is told from the perspective of Obama officials. That story reveals that documents (they’re not described as the CIA dossier) were copied and removed from the SCIF.

After learning that highly sensitive documents from a secure room at the transition’s Washington headquarters were being copied and removed from the facility, Obama’s national security team decided to only allow the transition officials to view some information at the White House, including documents on the government’s contingency plans for crises.

In the AP story, Billingslea’s request was seen as a warning sign about Flynn’s preparation (who, again, had a lifetime of working with spies) to deal with America’s adversarial relationship with Russia.

In late November, a member of Donald Trump’s transition team approached national security officials in the Obama White House with a curious request: Could the incoming team get a copy of the classified CIA profile on Sergey Kislyak, Russia’s ambassador to the United States?

Marshall Billingslea, a former Pentagon and NATO official, wanted the information for his boss, Michael Flynn, who had been tapped by Trump to serve as White House national security adviser. Billingslea knew Flynn would be speaking to Kislyak, according to two former Obama administration officials, and seemed concerned Flynn did not fully understand he was dealing with a man rumored to have ties to Russian intelligence agencies.

To the Obama White House, Billingslea’s concerns were startling: a member of Trump’s own team suggesting the incoming Trump administration might be in over its head in dealing with an adversary.

But later in the AP story, it describes the Obama’s team’s concern that the Kislyak dossier was the only one requested.

Leading up to the revelation that Trump officials copied classified documents from the SCIF (which is how it ends), the AP first warns that some of this story will come out in Sally Yates’ testimony next Monday. It also reveals that the Obama Administration withheld information from Trump’s team, worried they’d share it with Russia.

In late December, as the White House prepared to levy sanctions and oust Russians living in the in the U.S. in retaliation for the hacks, Obama officials did not brief the Trump team on the decision until shortly before it was announced publicly. The timing was chosen in part because they feared the transition team might give Moscow lead time to clear information out of two compounds the U.S. was shuttering, one official said.

While it’s not inappropriate for someone in Flynn’s position to have contact with a diplomat, Obama officials said the frequency of his discussions raised enough red flags that aides discussed the possibility Trump was trying to establish a one-to-one line of communication — a so-called back channel — with Russian President Vladimir Putin. Obama aides say they never determined why Flynn was in close contact with the ambassador.

Viewed in comparison, the stories seem like competing efforts to get ahead of what both sides know will come out on Monday. The Trump team, knowing some of what Yates will say (in testimony they tried to prevent), is now making the remaining White House officials look good, and providing a somewhat plausible explanation for obtaining just the Kislyak dossier. But AP’s revelation that Trump’s people were copying documents from the SCIF that held the dossier raise questions about whether the reason it was obtained was to share the dossier. Neither story mentions what Adam Schiff has, which is that one really interesting detail will be the delay in ousting Flynn after Yates first told the White House of her concerns.

Both the stories leave out a detail the NYT previously reported that seems important, however: that Kislyak meeting, which the spook-savvy Flynn and the young Kushner attended, led to a second and a third, ultimately leading Kushner to meet the FSB-trained head of a sanctioned bank.

Until now, the White House had acknowledged only an early December meeting between Mr. Kislyak and Mr. Kushner, which occurred at Trump Tower and was also attended by Michael T. Flynn, who would briefly serve as the national security adviser.

Later that month, though, Mr. Kislyak requested a second meeting, which Mr. Kushner asked a deputy to attend in his stead, officials said. At Mr. Kislyak’s request, Mr. Kushner later met with Sergey N. Gorkov, the chief of Vnesheconombank, which drew sanctions from the Obama administration after President Vladimir V. Putin of Russia annexed Crimea and began meddling in Ukraine.

The subtext of taking the two Billingslea stories and the Sergey Gorkov one together is that Flynn — or even the President’s son-in-law — may have provided intelligence to the Russians, in events that led up to the closest thing we’ve seen to a possible quid pro quo.

In any case, the dossier seems either better suited to warning Kushner, not Flynn, of the dangers he was navigating, or a document that, if copied and handed to its subject, would be interesting though not devastating intelligence to share.

One final point: this story helps to explain why both the December 28 sanctions and the early January hack report were so awful; remember, too, when first announced, the press had the wrong location of the Long Island compound in question. At the time, I thought both were designed to be a document, any document, ones that didn’t reveal what the intelligence community actually knew (aside from the identities of the 35 expelled diplomats), particularly regarding who actually conducted the DNC hack. The AP story reveals Obama’s team was particularly worried Trump’s team would warn the Russians in time to dismantle some of the communications equipment at the two compounds. The crummy documents, plus the delay in informing Congress of the scope of the investigation until Flynn had been ousted, are both best explained by a concern that the National Security Advisor would share the information directly with Russia.

So will we learn that Flynn — or Kushner — did share such information?

CIA or NSA Warrantlessly Accessed the Content of More than 300 US Persons (Probably More than 1,300) Who Aren’t Terror Suspects

/4 Comments/in /by

Because Circa did a really sloppy report on the I Con the Record Transparency Report and Rand Paul quoted, there is a great deal of confusion about what back door searches are.

With the help of the NSA, the FBI collects information via traditional FISA orders. They got 1,559 of them last year, of which 1,477 were targeted at someone in the United States, and of which 336 were targeted at American citizens or permanent residents. All that data goes into a cloud server at the FBI and a separate one at NSA.

In addition, NSA collects information targeted at people overseas under Section 702. FBI can also ask NSA to collect on people they’ve come across in their investigations. Altogether, NSA collected on over 106,000 individual targets last year, via both upstream collection and by asking American providers (Google, Facebook, Yahoo, and the like) for any data they’ve got on those 106,000 targets. They’ll get both sides of targets’ conversations, stored documents and photos, calendar information, and other information.

After NSA gets that information, it will share the parts of that are most relevant to the CIA and the FBI’s missions with them, in raw form. At the FBI, that data is stuck on the same cloud server as the domestic-focused FISA data is in. It is understood that FBI receives any terrorism, counterproliferation, or spying data that has a domestic component (such as Russian spies or ISIS recruiters trying to recruit Americans).

All three agencies — NSA, CIA, and FBI — can then search their own collections of FISA information using the identifier of a US person (a citizen or permanent resident). At NSA and CIA, the analyst has to have a foreign intelligence purpose, such as they think Russians are trying to recruit Mike Flynn. At FBI, an agent has to be looking for criminal information, national security information, or even doing an assessment (such as to figure out whether Carter Page would make a good informant on what the Trump campaign is doing). FBI does so many of these searches they can’t count them.

If there are conversations involving these people in the relevant databases, it appears to the analyst or agent in unmasked form. Yes, if CIA and NSA want to write reports to the White House about what they found, then the name might be masked (but in the vast majority of reports based off 702 reports involving US persons — perhaps 74% — the US person identities eventually get unmasked), but the FBI may dump that data into investigative files.

To understand how and who this might impact in the United States, take this comment from Jim Comey the other day. When asked how many active terrorist investigations the FBI has, he said there were 1,000 investigations where the target was known to be talking to terrorist overseas, and 1,000 where the target embraced radicalism all by him or herself, without talking to an ISIS or any other overseas recruiter.

COMEY: Yes I do. If — we have about 1,000 home grown violent extremist investigations and we probably have another 1,000 or so that are — I should define my terms. Home grown violent extremists, we mean somebody — we have no indication that they’re in touch with any terrorists.

TILLIS: Any foreign touch. Right.

COMEY: Yes. Then we have another big group of people that we’re looking at who we see some contact with foreign terrorists. So you take that 2,000 plus cases, about 300 of them are people who came to the United States as refugees.

Let’s take the higher number, and say there are 2,000 people in the US the intelligence community thinks might be terrorists or susceptible to being convinced to become one.

Now let’s look at the back door search numbers. The NSA used the identifiers (say, their cell phone identifier or their email) of US persons and searched the metadata from their stash of 702 data 30,355 times last year. (The CIA and FBI refuse to count how many metadata searches they did.) That means that NSA tried to do a network analysis on over 28,000 Americans and permanent residents who are not the subject of investigations by the FBI for being terrorists.

Between CIA and FBI combined, they did 5,288 queries on US persons last year. Back in 2013, the CIA did far more searches than the NSA (on 1,400 selectors as compared to NSA’s 198); we don’t know how the split works now. But assume that at least one agency is doing at least 2,644 searches. At the NSA, all 336 traditional FISA targets can be (and I assume are) tasked for back door searches; presumably a chunk of the 336 people targeted under are being investigated for terrorism, though that would also include people like (allegedly) Carter Page, people the FBI has gotten the FISA court to believe are agents of foreign powers). But even if we assume none of the people targeted under FISA are terrorists and all domestic terrorists are being back door searched at NSA, that leaves over 300 people (2,644 – 1,000 – 1,000 – 336) who are having their content accessed without a warrant by the NSA (to say nothing of the FBI, which does it so often it can’t count it). The number is probably higher, though, given that 1,000 of those terrorist suspects aren’t conversing with foreigners. The NSA (or CIA) is only going to access content if they know it exists from metadata, and Comey comment suggests there’s no metadata indicating such conversations. And at least some of those 336 targeted US persons are terror suspects.

Which means one agency — NSA or CIA — is likely accessing the raw content of 1,300 people who aren’t terrorist suspects.

That’s fine. There are other things they might be: suspected weapons proliferators, suspected Russian or Chinese spies, people the government is worried are being recruited by spies, suspected hackers, suspected leakers, Americans who’ve been kidnapped.

But the numbers make clear that the presumption that all of this spying is targeted at terrorists is simply wrong. There are at least 300 people — and probably more like 1,300 people — who even the NSA is accessing the content of without a warrant who are not terrorist suspects.

And the number at FBI is so high it can’t count it.

How to Spy on Carter Page

/2 Comments/in , , /by

I have no personal knowledge of the circumstances surrounding the alleged wiretapping of Carter Page, aside from what WaPo and NYT have reported. But, in part because the release of the new, annual FISC report has created a lot of confusion, I wanted to talk about the legal authorities that might have been involved, as a way of demonstrating (my understanding, anyway, of) how FISA works.

FISC did not (necessarily) reject more individual orders last year

First, let’s talk about what the FISC report is. It is a new report, mandated by the USA Freedom Act. As the report itself notes, because it is new (a report covering the period after passage of USAF), it can’t be compared with past years. More importantly, because the FISA Court uses a different (and generally more informative) reporting approach, you cannot — as both privacy groups and journalists erroneously have — compare these numbers with the DOJ report that has been submitted for years (or even the I Con the Record report that ODNI has released since the Snowden leaks); that’s effectively an apples to grapefruit comparison. Those reports should be out this week, which (unless the executive changes its reporting method) will tell us how last year compared with previous years.

But comparing last year’s report to the report from the post-USAF part of 2015 doesn’t sustain a claim that last year had record rejections. If we were to annualize last year’s report (covering June to December 2015) showing 5 rejected 1805/1824 orders (those are the individual orders often called “traditional FISA”) across roughly 7 months, it is actually more (.71 rejected orders a month or .58% of all individual content applications) than the 8 rejected 1805/1824 orders last year (.67 rejected orders a month or .53% of all individual content applications). In 2016, the FISC also rejected an 1861 order (better known as Section 215), but we shouldn’t make too much of that either given that that authority changed significantly near the end of 2015, plus we don’t have this counting methodology for previous years (as an example, 2009 almost surely would have at least one partial rejection of an entire bulk order, when Reggie Walton refused production of Sprint records in the summertime).

Which is a long-winded way of saying we should not assume that the number of traditional content order rejections reflects the reports that FBI applied for orders on four Trump associates but got rejected (or maybe only got one approved for Page). As far as we can tell from this report, 2016 had a similar number of what FISC qualifies as rejections as 2015.

The non-approval of Section 702 certificates has no bearing on any Russian-related spying, which means Page would be subject to back door searches

Nor should my observation — that the FISC did not approve any certifications for 1881a (better known as Section 702, which covers both upstream and PRISM) reflect on any Carter Page surveillance. Given past practice when issues delayed approvals of certifications, it is all but certain FISC just extended the existing certifications approved in 2015 until the matters that resulted in an at least 2 month delay were resolved.

Moreover, the fact that the number of certificates (which is probably four) is redacted doesn’t mean anything either: it was redacted last year as well. That number would be interesting because it would permit us to track any expansions in the application of FISA 702 to new uses (perhaps to cover cybersecurity, or transnational crime, for example). But the number of certificates pertains to the number of people targeted only insofar as any additional certificates represent one more purpose to use Section 702 on.

In any case, Snowden documents, among other things, show that a “foreign government” certificate has long been among the existing certificates. So we should assume that the NSA has collected the conversations of known or suspected Russian spies located overseas conducted on PRISM providers; we should also assume that as a counterintelligence issue implicating domestic issues, these intercepts are routinely shared in raw form with FBI. Therefore, unless last year’s delay involved FBI’s back door searches, we should assume that when the FBI started focusing on Carter Page again last spring or summer, they would have routinely searched on his known email addresses and phone numbers in a federated search and found any PRISM communications collected. In the same back door search, they would have also found any conversations Page had with Russians targeted domestically, such as Sergey Kislyak.

The import of the breakdown between 1805 and 1824

Perhaps the most important granular detail in this report — one that has significant import for Carter Page — is the way the report breaks down authorizations for 1805 and 1824.

1805 covers electronic surveillance — so the intercept of data in motion. It might be used to collect phone calls and other telephony communication, as well as (perhaps?) email communication collected via upstream collection (that is, non-PRISM Internet communication that is not encrypted); it may well also cover prospective PRISM and other stored communication collection. 1824 covers “physical search,” which when it was instituted probably covered primarily the search of physical premises, like a house or storage unit. But it now also covers the search of stored communication, such as someone’s Gmail or Dropbox accounts. In addition, a physical search FISA order covers the search of hard drives on electronic devices.

As we can see for the first time with these reports, most individual orders cover both 1805 and 1824 (92% last year, 88% in 2015), but some will do just one or another. (I wonder if FBI sometimes gets one kind of order to acquire evidence to get the other kind?)

As filings in the Keith Gartenlaub case make clear, “physical search” conducted under a FISA order can be far more expansive than the already overly expansive searches of devices under a Article III warrant. Using a FISA 1824 order, FBI Agents snuck into Gartenlaub’s house and imaged the hard drives from a number of his devices, ostensibly looking for proof he was spying on Boeing for China. They found no evidence to support that. They did, however, find some 9-year old child pornography files, which the government then “refound” under a criminal search warrant and used to prosecute him. Among the things Gartenlaub is challenging on appeal is the breadth of that original FISA search.

Consider how this would work with Carter Page. The NYT story on the Page order makes it clear that FBI waited until Page had left the Trump campaign before it requested an order covering him.

The Foreign Intelligence Surveillance Court issued the warrant, the official said, after investigators determined that Mr. Page was no longer part of the Trump campaign, which began distancing itself from him in early August.

I suspect this is a very self-serving description on the part of FBI sources, particularly given reports that FISC refused orders on others. But regardless of whether FISC or the FBI was the entity showing discretion, let’s just assume that someone was distinguishing any communications Page may have had while he was formally tied to the campaign from those he had after — or before.

This is a critical distinction for stored communications because (as the Gartenlaub case makes clear) a search of a hard drive can provide evidence of completely unrelated crime that occurred nine years in the past; in Gartenlaub’s case, they reportedly used it to try to get him to spy on China and they likely would do the equivalent for Page if they found anything. For Page, a search of his devices or stored emails in September 2016 would include emails from during his service on Trump’s campaign, as well as emails between the time Page was interviewed by FBI on suspicion of being recruited by Victor Podobnyy and the time he started on the campaign, as well as communications going back well before that. So if FISC (or, more generously, the FBI) were trying to exclude materials from during the campaign, that might involve restrictions built into the request or the final order

The report covering 2016 for the first time distinguishes between orders FISC modifies (FISC interprets this term more broadly than DOJ has in its reports) and orders FISC partly denies. FISC will modify an order to, among other things,

(1) impos[e] a new reporting requirement or modifying one proposed by the government;

(2)  chang[e] the description or specification of a targeted person, of a facility to be subjected to electronic surveillance or of property to be searched;

(3)  modify[] the minimization procedures proposed by the government; or

(4)  shorten[] the duration of some or all of the authorities requested

Using Page as an example, if the FISC were permitting FBI to obtain communications from before the time Page joined the campaign but not during it, it might modify an order to require additional minimization procedures to ensure that none of those campaign communications were viewed by the FBI.

The FISC report explains that the court will partly deny orders and “by approving some targets, some facilities, places, premises, property or specific selection terms, and/or some forms of collection, but not others.” Again, using Page as an example, if the court wanted to really protect the election related communications, it might permit a search of Page’s homes and offices under 1824, but not his hard drives, making any historic searches impossible.

There’s still no public explanation of how Section 704/Section 705b work, which would impact Page

Finally, the surveillance of Carter Page implicates an issue that has been widely discussed during and since passage of the FISA Amendments Act in 2008, but not in a way that fully supports a democratic debate: how NSA spies on Americans overseas.

Obviously, the FBI would want to spy on Page both while he was in the US, but especially when he was traveling abroad, most notably on his frequent trips to Russia.

The FISA Amendments Act for the first time required the NSA to obtain FISC approval before doing that. As I explain in this post, for years, public debate has claimed that was done under Section 703 (1881b in this report). But abundant evidence shows it is all done under 704 (1881c in this report). The biggest difference between the two, according to an internal NSA document, is the government doesn’t explain its methods in the latter case. With someone who would be spied on both in the US and overseas, that spying would be done under 705b (conducted under 1881d section b), which permits the AG to approve of spying overseas (effectively, 704 authority) for those already approved under a traditional order.

This matters in the context of spying on Carter Page for two reasons. First, as noted government doesn’t share details about how it spies overseas with the court. And some of the techniques we know NSA to use — such as XKeyscore searches drawing on bulk overseas collection — would seem to present additional privacy concerns on top of the domestic authorities. If the FBI (or more likely, the FISC) is going to try to bracket off any communications that occur during the period Page was associated with the campaign, that would have to be done for overseas surveillance as well, most critically, for Page’s July trip to Russia.

This report shows that 704, like the domestic authorities, also gets modified sometimes, so it may be that FISC did just that — permitted NSA to collect information covering that July meeting, but imposed some minimization procedures to protect the campaign.

But it’s unclear whether the court would have an opportunity to do so for 705b, which derives from Attorney General authorization, not court authorization. I assume that’s why 1881d was not included in this reporting requirement, but it seems adding 705b reporting to Title VII reauthorization this year would be a fairly minor change, but one that might reveal how often the government uses more powerful overseas spying techniques on Americans. It’s unclear to me, for example, whether any modifications or partial approvals the FISC made on a joint 1805/1824 order covering Page would translate into a 705b order, particularly if the modifications in question included additional reporting to the FISC.

Carter Page might one day be the first American to get review of his FISA dossier

All of which is why, no matter what you think of Carter Page’s alleged role in influencing the Trump campaign to favor Russia, I hope he one day gets to review his FISA dossier.

No criminal defendant has ever gotten a review of the FISA materials behind the spying, in spite of clear Congressional intent, when the law was passed in 1978, to allow that in certain cases. Because of the publicity surrounding this case, and the almost unprecedented leaking about FISA orders, Page stands a better chance than anyone else of getting such review (particularly if, as competing stories from CNN and Business Insider claim, the dossier formed a key, potentially uncorroborated part of the case against him). Whatever else happens with this case, I think Page should get that review.

Why Susan Rice May Be a Shiny Object

/30 Comments/in , , /by

A bunch of Republican propagandists are outraged that the press isn’t showing more interest in PizzaGate Mike Cernovich’s “scoop” that the woman in charge of ensuring our national security under President Obama, then National Security Advisor Susan Rice, sought to fully understand the national security intercepts she was being shown.

There are two bases for their poutrage, which might have merit — but coming from such hacks, may not.

The first is the suggestion, based off Devin Nunes’ claim (and refuted by Adam Schiff) that Rice unmasked things she shouldn’t have. Thus far, the (probably illegally) leaked details — such as that family members, perhaps like Jared Kushner (who met with an FSB officer turned head of a sanctioned Russian bank used as cover for other spying operations), Sean Hannity (who met with an already-targeted Julian Assange at a time he was suspected of coordinating with Russians), and Erik Prince (who has literally built armies for foreign powers) got spied on — do nothing but undermine Nunes’ claims. All the claimed outrageous unmaskings actually seem quite justifiable, given the accepted purpose for FISA intercepts.

The other suggestion — and thus far, it is a suggestion, probably because (as I’ll show) it’s thus far logically devoid of evidence — is that because Rice asked to have the names of people unmasked, she must be the person who leaked the contents of the intercepts of Sergey Kislyak discussing sanctions with Mike Flynn. (Somehow, the propagandists always throw Ben Rhodes’ name in, though it’s not clear on what basis.)

Let me start by saying this. Let’s assume those intercepts remained classified when they were leaked. That’s almost certain, but Obama certainly did have the authority to declassify them, just as either George Bush or Dick Cheney allegedly used that authority to declassify Valerie Plame’s ID (as some of these same propagandists applauded back in the day). But assuming the intercepts did remain classified, I agree that it is a problem that they were leaked by nine different sources to the WaPo.

But just because Rice asked to unmask the identities of various Trump (and right wing media) figures doesn’t mean she and Ben Rhodes are the nine sources for the WaPo.

That’s because the information on Flynn may have existed in a number of other places.

Obviously, Rice could not have been the first person to read the Flynn-Kislyak intercepts. That’s because some analyst(s) would have had to read them and put them into a finished report (most, but not all, of Nunes’ blathering comments about these reports suggest they were finished intelligence). Assuming those analysts were at NSA (which is not at all certain) someone would have had to have approved the unmasking of Flynn’s name before Rice saw it.

In addition, it is possible — likely even, at least by January 2017, when we know people were asking why Russia didn’t respond more strongly to Obama’s hacking sanctions — that there were two other sets of people who had access to the raw intelligence on Flynn’s conversations with Kislyak: the CIA and, especially, the FBI, which would have been involved in any FISA-related collection. Both CIA and FBI can get raw data on topics they’re working on. Likely, in this case, the multi-agency task force was getting raw collection related to their Russian investigation.

And as I’ve explained, as soon as FBI developed a suspicion that either Kislyak was at the center of discussions on sanctions or that Flynn was an unregistered agent of multiple foreign powers, the Special Agents doing that investigation would routinely pull up everything in their databases on those people by name, which would result in raw Title I and 702 FISA collection (post January 3, it probably began to include raw EO 12333 data as well).

So already you’re up to about 15 to 20 people who would have access to the raw intercepts, and that’s before they brief their bosses, Congress (though the Devin Nunes and Adam Schiff briefing, at least, was delayed a bit), and DOJ, all the way up to Sally Yates, who wanted to warn the White House. Jim Comey has suggested it is likely that the nine sources behind the WaPo story were among these people briefed secondarily on the intercepts. And it’s worth noting that David Ignatius, who first broke the story of Flynn’s chats with Kislyak but was not credited on the nine source story, has known source relationships in other parts of the government than the National Security Advisor, though he also has ties to Rice.

All of which is to say that the question of who leaked the contents of Mike Flynn’s conversations with Sergey Kislyak is a very different question from whether Susan Rice’s requests to unmask Trump associates’ names were proper or not. It is possible that Rice leaked the intercepts without declassifying them first. But it’s also possible that any of tens of other people did, most of whom would have a completely independent channel for that information.

And the big vulnerability is not — no matter what Eli Lake wants to pretend — the unmasking of individual names by the National Security Advisor. Rather, it’s that groups of investigators can access the same intelligence in raw form without a warrant tied to the American person in question.

Raw Versus Cooked: Could NSC Monitor FBI’s Investigation?

/16 Comments/in , , , /by

Multiple people,including Bart Gellman and Josh Marshall, are now arguing that the reason Ezra Cohen-Watnick and Michael Ellis found intercepts involving Trump’s people is that they were monitoring FBI’s investigation of the investigation.

I certainly think the Trump people would like to do that — and would be willing to stoop to that. I even believe that the response to the Russian hack last year had some counterintelligence problems, though probably not on the FBI side.

But there are some details that may limit how much the NSC can monitor the investigation.

First, Devin Nunes has always been very clear: the intercepts he was shown have nothing to do with Russia. That’s not, itself, determinative. After all, Cohen-Watnick and Ellis might have found a bunch of Russian intercepts, but only shared the non-Russian ones so Nunes could make a stink without being accused of endangering the investigation. Also, it’s possible that intercepts involving other countries — most notably Turkey, but there are other countries that might be even more interesting, including Ukraine or Syria — would impact any Russian investigation.

Also note that among the many things Nunes appears not to understand about surveillance is that there are two ways an American’s name can be visible outside the circle of analysts doing the initial review of them: their names can be put into finished intelligence reports that get circulated more broadly, with customers asking to have the name unmasked after the fact. Alternately, their names can be found off of subsequent searches of raw data. At the NSA and CIA, searches for US person content are somewhat controlled. At FBI they are not only not controlled, but they are routine even for criminal investigations. So if, say, General Flynn (or Paul Manafort) were under investigation for failing to register as a foreign agent, the FBI would routinely search their database of raw FISA material on his name. (These are the “back door searches” Ron Wyden has been screaming about for years, concerns which people like Devin Nunes have previously dismissed on national security grounds.) And we have every reason to believe that counterintelligence intercepts of Russians in the US are among the raw feeds that the FBI gets. So if Flynn had conversations with Russians (or Turks) in the US, we should assume that FBI saw them as a routine matter if Flynn became the subject of an investigation at all. We should also assume that the FBI did a search on every Sergey Kislyak intercept in their possession, so they will have read everything that got picked up, including all recorded calls with Trump aides.

On March 15, the House Intelligence Committee asked the NSA, CIA, and FBI for information on unmasking. I don’t believe that request asked about access to US person names on subsequent searches or raw material. Furthermore, at least as of last week, the FBI was not rushing to comply with that request. As I noted after the Jim Comey hearing before HPSCI, none of the Republicans concerned about these issues seemed to have any basic clue about FBI’s searches on raw data. If Nunes doesn’t know (and he appears not to), it’s unlikely Ellis knows, who was until this month Nunes’ aide.

But there’s one other thing that may prevent NSC from obtaining information about the investigation: FBI sometimes uses what are called “ad hoc databases” that include raw FISA data (and probably, post EO 12333 sharing rule changes, raw EO 12333 data) tied to particular investigations. It’s unclear what conditions might necessitate the use of an ad hoc database (see page 25ff for a discussion of them), but if security concerns would encourage their use, it would be likely to have one here, an investigation which Comey described as being so sensitive he delayed briefing the Gang of Four. Ad hoc databases are restricted to those working on investigations, and include specific records of those authorized to access the database. So if FBI were using an ad hoc database for this investigation, it would be even harder for the NSC to learn what they were looking at.

If the FBI’s investigation relies on raw intelligence — and it would be unfathomable that it does not, because it would probably receive the raw FISA data tied to such an investigation routinely, and EO 12333 sharing rules specifically envision the sharing of raw data associated with counterintelligence investigations — then the NSC’s access to finished intelligence reports would provide little insight into the investigation (Nunes was a bit unclear on whether that’s what he was looking at, but the entire premise of his complaints is that these were finished reports).

But while we’re worrying about whether and how Trump would monitor an investigation into his aides, remember that in 2002, Jay Bybee wrote a memo authorizing the sharing of grand jury information with the President and his close advisors including for counterintelligence investigations.

In addition, the Patriot Act recently amended 6(e) and Title III specifically to provide that matters involving foreign intelligence or counterintelligence or foreign intelligence information may be disclosed by any attorney for the government (and in the case of Title III, also by an investigative or law enforcement officer) to certain federal officials in order to assist those officials in carrying out their duties. Federal officials who are included within these provisions may include, for example, the President, attorneys within the White House Counsel’s Office, the President’s Chief of Staff, the National Security Advisor, and officials within the Central Intelligence Agency and the Department of Defense.

[snip]

Although the new provision in Rule 6(e) permitting disclosure also requires that any disclosures be reported to the district court responsible for supervising the grand jury, we conclude that disclosures made to the President fall outside the scope of the reporting requirement contained in that amendment, as do related subsequent disclosures made to other officials on the President’s behalf.

In other words, Trump could demand that he — or his National Security Advisor! — get information on any grand jury investigations, including those covering counterintelligence cases. And no judge would be given notice of that.

With Jeff Sessions’ recusal, that’s far less likely to happen than it might have been. But understand that the Executive Branch believes that the President can learn about the happenings in grand jury investigations of the sort that might target his aides.

Update: additional details have been added to this post after it was first posted.

The Jared Kushner Meeting Gets Closer to Quid Pro Quo

/15 Comments/in , /by

Last week, several members of Congress anonymously told the press they had, for the first time, seen evidence that might support charges of collusion between Trump’s associates and the Russians. The frenzied speculation mostly focused on the usual suspects: Paul Manafort, Mike Flynn, Roger Stone, or Carter Page (somehow, the frenzied speculation often forgets Trump lawyer Michael Cohen).

Today, the NYT has a story reporting that the Senate Intelligence Committee wants to talk to Jared Kushner about a previously undisclosed meeting arranged by Russian Ambassador to the US, Sergey Kislyak.

Until now, the White House had acknowledged only an early December meeting between Mr. Kislyak and Mr. Kushner, which occurred at Trump Tower and was also attended by Michael T. Flynn, who would briefly serve as the national security adviser.

Later that month, though, Mr. Kislyak requested a second meeting, which Mr. Kushner asked a deputy to attend in his stead, officials said. At Mr. Kislyak’s request, Mr. Kushner later met with Sergey N. Gorkov, the chief of Vnesheconombank, which drew sanctions from the Obama administration after President Vladimir V. Putin of Russia annexed Crimea and began meddling in Ukraine.

The NYT only notes this obliquely by stating the committee has access to routine intercepts involving the Ambassador, but remember that FBI went through Kislyak’s intercepted communications in hopes of explaining why Vladimir Putin didn’t respond more aggressively to sanctions Obama imposed in December. So SSCI likely discovered this undisclosed meeting that way.

Which is interesting, because Kushner did not reveal it to some senior Trump officials (likely including White House Counsel Don McGahn).

The extent of Mr. Kushner’s interactions with Mr. Kislyak caught some senior members of Mr. Trump’s White House team off guard, in part because he did not mention them last month during a debate then consuming the White House: how to handle the disclosures about Mr. Flynn’s interactions with the Russian ambassador.

Ms. Hicks said that Mr. Trump had authorized Mr. Kushner to have meetings with foreign officials that he felt made sense, and to report back to him if those meetings produced anything of note. She said that because in Mr. Kushner’s view the meetings were inconsequential, it did not occur to him to mention them to senior staff members earlier.

NYT raises the possibility that Kushner discussed his efforts to fund one of his family’s business in NYC, though Hope Hicks claimed it — and the sanctions — did not come up.

But consider how this meeting might interact with another known Kislyak conversation, the multiple calls with Flynn on December 29 after Obama imposed hacking related sanctions. In context, that conversation was about the hacking sanctions, not the more onerous Ukraine ones. But if Kushner had just met with a sanctioned bank and discussed those sanctions, that could change Kislyak’s understanding of what Flynn was saying.

One mistake of a lot of the frenzied speculation is a focus on changing US policy towards Ukraine, a focus not borne out by the public evidence. The result of that focus is to ignore what the Christopher Steele dossier makes clear was the real Russian goal, unsurprisingly: the lifting of the Ukraine-related sanctions.

There still is no evidence that’s what happened at this meeting that Kushner succeeded in hiding from people within the White House. But if it did, then it might amount to far more than all the smoke swirling around Manafort, Page, and Stone.

The Temporal Feint in Adam Schiff’s Neat Narrative

/32 Comments/in , , , /by

I did four — count them! four! — interviews on the Russian hearing yesterday. And one thing I realized over the course of the interviews is that people were far more impressed with Adam Schiff’s opening speech than they should have been.

I want to look closely at this passage which — if it were accurate — would be a tight little presentation of quid pro quo tied to the change of platform at the July 18-21, 2016 RNC. But it’s not. I’ve bolded the two claims that are most problematic, though the presentation as a whole is misleading.

In early July, Carter Page, someone candidate Trump identified as one of his national security advisors, travels to Moscow on a trip approved by the Trump campaign. While in Moscow, he gives a speech critical of the United States and other western countries for what he believes is a hypocritical focus on democratization and efforts to fight corruption.

According to Christopher Steele, a former British intelligence officer who is reportedly held in high regard by U.S. Intelligence, Russian sources tell him that Page has also had a secret meeting with Igor Sechin (SEH-CHIN), CEO of Russian gas giant Rosneft. Sechin is reported to be a former KGB agent and close friend of Putin’s. According to Steele’s Russian sources, Page is offered brokerage fees by Sechin on a deal involving a 19 percent share of the company. According to Reuters, the sale of a 19.5 percent share in Rosneft later takes place, with unknown purchasers and unknown brokerage fees.

Also, according to Steele’s Russian sources, the Trump campaign is offered documents damaging to Hillary Clinton, which the Russians would publish through an outlet that gives them deniability, like Wikileaks. The hacked documents would be in exchange for a Trump Administration policy that de-emphasizes Russia’s invasion of Ukraine and instead focuses on criticizing NATO countries for not paying their fare share – policies which, even as recently as the President’s meeting last week with Angela Merkel, have now presciently come to pass.

In the middle of July, Paul Manafort, the Trump campaign manager and someone who was long on the payroll of Pro-Russian Ukrainian interests, attends the Republican Party convention. Carter Page, back from Moscow, also attends the convention. According to Steele, it was Manafort who chose Page to serve as a go-between for the Trump campaign and Russian interests. Ambassador Kislyak, who presides over a Russian embassy in which diplomatic personnel would later be expelled as likely spies, also attends the Republican Party convention and meets with Carter Page and additional Trump Advisors JD Gordon and Walid Phares. It was JD Gordon who approved Page’s trip to Moscow. Ambassador Kislyak also meets with Trump campaign national security chair and now Attorney General Jeff Sessions. Sessions would later deny meeting with Russian officials during his Senate confirmation hearing.

Just prior to the convention, the Republican Party platform is changed, removing a section that supports the provision of “lethal defensive weapons” to Ukraine, an action that would be contrary to Russian interests. Manafort categorically denies involvement by the Trump campaign in altering the platform. But the Republican Party delegate who offered the language in support of providing defensive weapons to Ukraine states that it was removed at the insistence of the Trump campaign. Later, JD Gordon admits opposing the inclusion of the provision at the time it was being debated and prior to its being removed.

Later in July, and after the convention, the first stolen emails detrimental to Hillary Clinton appear on Wikileaks. A hacker who goes by the moniker Guccifer 2.0 claims responsibility for hacking the DNC and giving the documents to Wikileaks. But leading private cyber security firms including CrowdStrike, Mandiant, and ThreatConnect review the evidence of the hack and conclude with high certainty that it was the work of APT28 and APT29, who were known to be Russian intelligence services. The U.S. Intelligence community also later confirms that the documents were in fact stolen by Russian intelligence and Guccifer 2.0 acted as a front. [emphasis on most problematic claims mine]

What Schiff tries to do here is suggest that the Russians offered Trump kompromat on Hillary, Trump’s team changed the GOP platform, and then in response the Russians started releasing the DNC emails through Wikileaks.

Later in the hearing, several Republicans disputed the nature of the change in the platform. Both in and outside of the hearing, Republicans have noted that the changed platform matched the policy in place by the Obama Administration at the time: to help Ukraine, but stop short of arming them. All that said, the story on this has clearly changed. The change in the platform clearly shows the influence of Russophiles moving the party away from its hawkish stance, but it’s not enough, in my opinion, to sustain the claims of quid pro quo. [Update: One of the outside the hearing arguments that the platform was not weakened is this Byron York piece b linked, which argues the platform actually got more anti-Russian.]

The bigger problem with Schiff’s neat narrative is the way it obscures the timeline of events, putting the release of DNC emails after the change in platform. That is true with regards to the Wikileaks release, but not the Guccifer 2 release, which preceded the platform change.  Moreover, the references in Steele’s dossier Schiff invokes are not so clear cut — the dossier alleges Russia offered kompromat on Hillary unrelated to the stolen emails before any discussion of the Wikileaks emails. I’ve put what Schiff’s timeline would look like if it were not aiming to play up the quid pro quo of the RNC below (note this timeline doesn’t include all Steele reports, just those specifically on point; see also this site for a comprehensive Guccifer related timeline). It shows several things:

  • The changes to the platform preceded the meetings with Sergey Kislyak. Indeed, the first public report on the change in platform even preceded the Kislyak meetings by a day.
  • The stolen documents began to be released well before the platform got changed.
  • The early Steele report on discussions of sharing a dossier of kompromat on Hillary pertains to a dossier dating back decades (even though these reports all post-date the first Guccifer releases, so could have included a discussion of hacked materials). The first explicit reference to the DNC hack comes after Wikileaks started releasing documents (and earlier reports which ought to include such references don’t).
  • The later Steele report tying the Wikileaks release to a change in policy came after the policy had already changed and documents had already been released.
  • The alleged quid pro quo tied to the early July Carter Page meeting was for the lifting of sanctions, not the shift on NATO and Ukraine; the Steele dossier describes the latter as the quid pro quo in exchange for the Wikileaks release only after the emails start coming out from Wikileaks.

Also note: the report that first ties Wikileaks (but not Guccifer) to a quid pro quo is one of the reports that made me raise questions about the provenance of the report as we received it.

This is not lethal for the argument that the Trump campaign delivered on a quid pro quo. For example, if there was extensive coordination, Trump could have changed his policy in March after learning that the Russian military intelligence hack — the one allegedly designed to collect documents to leak — had started. Or perhaps the Guccifer leaks were a down-payment on the full batch. But there’s no evidence of either.

In any case, the narrative, as laid out by Adam Schiff, doesn’t hold together on several points. Trump’s team has not yet delivered on the quid pro quo allegedly tied to the Rosneft brokerage fees that were paid to someone (it’s not public whom) in December — that is, the lifting of sanctions. As laid out here, the descriptions of an offer of a dossier of information on Hillary prior to the Republican platform pertained to stuff going back decades, not explicitly to Wikileaks; the shift of discussion to Wikileaks only came after the emails had already appeared and any Ukraine related policy changes had already been made.

There’s plenty of smoke surrounding Trump and his associates. It doesn’t require fudging the timeline in order to make it appear like a full quid pro quo (and given Jim Comey’s reliance on “coordination” rather than “collusion” in Monday’s discussion, it’s not even clear such quid pro quo would be necessary for a conspiracy charge). Adam Schiff can and should be more careful about this evidence in future public hearings.

Update: Given how remarkably late the references to the stolen emails are in the dossier, I’m linking this post showing how later entries included a feedback loop.

March 19: John Podesta phished (DNC compromise generally understood to date to same time period).

March 31: Trump reportedly embraces pro-Russian stance in foreign policy meeting with advisors.

April 19th: DCLeaks.com registered.

June 8th: DCLeaks.com posts leaks (from post dates).

June 13th: First archived record of DCLeaks posts.

June 15: Crowdstrike report names Russia in DNC hack, first Guccifer 2.0 releases via TSG and Gawker.

June 18: Guccifer releases at WordPress site.

June 20: Steele report presents obviously conflicting information on exchanging intelligence with Trump. A senior Russian Foreign Ministry figure said “the Kremlin had been feeding TRUMP and his team valuable intelligence on his opponents, including … Hillary CLINTON, for several years.” A former top level intelligence officer still active in the Kremlin stated that the Kremlin had been collating a dossier on Hillary, “for many years, dating back to her husband Bill’s presidency, and comprised mainly eavesdropped conversations of various sorts. … Some of the conversations were from bugged comments CLINTON had made on her various trips to Russia and focused on things she had said which contradicted her current position on various issues.” A senior Kremlin official, however, said that the dossier “had not as yet been made available abroad, including to TRUMP or his campaign team.”

July 7-8: Carter Page in Moscow. Allegedly (per later Steele dossier reports) he is offered brokerage fees for the sale of a stake in Rosneft in exchange for ending sanctions on Russia.

July 11-12: Platform drafted.

July 18-21: RNC.

July 18: First report of changes to platform.

July 19: Sergey Kislyak meets numerous Trump associates after a Heritage sponsored Jeff Sessions talk.

July 19: Steele report provides first details of Carter Page meeting in Russia during which Divyekin raises “a dossier of ‘kompromat’ the Kremlin possessed on TRUMP’s Democratic presidential rival, Hillary CLINTON, and its possible release to the Republican’s campaign team.” In context (especially because the same report also warns Trump of kompromat Russia holds on him), this seems to be the dossier going back years also mentioned in the June 20 report, not Wikileaks emails. Certainly no explicit mention of Wikileaks or the hack appears in the report, even though the report is based off July reporting that post-date the first Guccifer 2.0 leaks.

July 22: Wikileaks starts releasing DNC emails.

July 26: Steele report describing conversations from June describes Russian hacking efforts in terms already publicly known to be false. For example, the report claims FSB had not yet had success penetrating American or other “first tier” targets. FSB had success hacking American targets the previous year, including the DNC. This report includes no discussion of the DNC hack or Wikileaks.

Undated July, probably because of report number between July 26 and 30: An “ethnic Russian close associate of Republican US presidential candidate Donald TRUMP” includes the first reference to the DNC hack and WikiLeaks:

[T]he Russian regime had been behind the recent leak of embarrassing e-mail messages, emanating from the Democratic National Committee (DNC) to the Wikileaks platform. The reason for using WikiLeaks was “plausible deniability” and the operation had been conducted with the full knowledge and support of TRUMP and senior members of his campaign team. In return the TRUMP team had agreed to sideline Russian intervention in Ukraine as a campaign issue and to raise US/NATO defence commitments in the Baltics and Eastern Europe to deflect attention away from Ukraine, a priority for PUTIN who needed to cauterise the subject.

July 30: A Russian emigre close to Trump describes concern in the campaign about the DNC email fallout. This report mentions that the Kremlin “had more intelligence on CLINTON and her campaign but he did not know the details or when or if it would be released.” In context, it is unclear whether this refers to stolen documents, though the reference to the campaign suggests that is likely.

August 5: Steele report describes Russian interference as a botched operation, discusses wishful thinking of Trump withdrawing.

August 10: Steele report discusses the “impact and results of Kremlin intervention in the US presidential election to date” claiming Russia’s role in the DNC hack was “technically deniable.” This report conflicts in some ways with the August 5 report, specifically with regards to the perceived success of the operation.

September 14: Steele report referencing kompromat on Hillary clearly in context of further emails.

October 18: More detailed Steele report account of Carter Page meeting, including date. It asserts that “although PAGE had not stated it explicitly to SECHIN, he had clearly implied that in terms of his comment on TRUMP’s intention to lift Russian sanctions if elected president, he was speaking with the Republican candidate’s authority.”

October 19: More Steele report accounting of Michael Cohen’s August attempts to clean up after Manafort and Page.