Josh Schulte Described the Damage Giving Russia Advance Access to the Vault 8 Files Would Have Caused

As part of a fight over whether the government obtained Josh Schulte’s explanation of his FBI interview via Schulte’s prison notebooks or via subpoena from a Schulte associate (probably a family member), the government released a redacted version of that explanation, ostensibly a chapter in his “Presumed Innocent” blog. It’s fascinating for a slew of reasons (including that he lays out that it would be a crime to expose the identities of his colleagues, and then does just that).

For now, though, I want to look at what Schulte claims he told the FBI about the damage sharing the CIA source code files with Russia would do (none of this appears in the 302 of the interview).

I told them the confluence server was the one that seemed to be compromised, and while horrible and damaging at least it wasn’t Stash; At least not at this point–Hopefully they could stop any additional leaks from the network at this point. From the news articles I’ve read, wikileaks claims to have source code, but we don’t know what code or from where. However, at this point, I knew the SOP was a complete stand down on all [redacted] operations. We had no idea what had been leaked, when, for how long, or even who else had seen the materials leaked. Have they been steadily accessing our network every day? Have all our ops been blown since we wrote the first line of code? Perhaps only confluence had been leaked, but the individual(s) responsible are/were planning to exfil the other parts of DEVLAN too? So much still unknown, and with potential (yet unconfirmed) link between wikileaks and Russia–Did the Russians have all the tools? How long? It seems very unlikely that an intelligence service would ever leak a nation’s “cyber weapons” as the media calls them. These tools are MUCH more valuable undiscovered by the media or the nation that lost them. Now, you can secretly trace and discover every operation that nation is conducting. I told them all this was certainly very disturbing and I felt bad for my friends and colleagues at the agency who likely weren’t doing anything and most likely had to completely re-write everything.

I’m frankly shocked that DOJ didn’t use this file in his first trial, as it accurately describes what multiple witnesses testified happened after WikiLeaks first published the leak: everything ground to a halt while CIA tried to mitigate damage. And as Schulte predicted, the Agency did have to rewrite everything. This is powerful evidence that, if Schulte is found guilty, he knew well what kind of damage he would cause.

Particularly given that I was told Schulte himself reached out to Russia at some point (I’m not convinced this is accurate; it may reflect a misunderstanding of discovery), I find what he said about another nation-state — and he named Russia — obtaining the documents to be particularly interesting.

To be fair to Schulte, when he allegedly leaked the documents (in April-May 2016), there was far less understanding of WikiLeaks’ ties to Russia. So these comments may reflect what he understood in March 2017, after WikiLeaks helped Russia tamper in the election.

But what Schulte describes is precisely what the CIA would have been panicking about in summer 2017, as they ratcheted up spying on WikiLeaks associates. What he described with respect to WikiLeaks’ publication is precisely what happened. With just a few exceptions (published at key moments), WikiLeaks published none of the CIA’s source code. Given what we now know of WikiLeaks’ ties to Russia, there’s a real possibility Russia obtained the files even before the US understood the full extent of Russia’s intervention in the 2016 election. As Schulte accurately describes (and I laid out here), Russia could have spent the months in the interim reverse engineering all the US operations targeting Russia and its clients.

This is something that overblown Yahoo article alluded to, but then never really considered. At precisely the moment US intelligence was beginning to understand that Assange was a Russian asset, they were never able to rule out that this is precisely what Russia did with the files.

15 replies
  1. WilliamOckham says:

    There’s a potentially significant typo in your transcription. This sentence:

    It seems very likely that an intelligence service would ever leak a nation’s “cyber weapons” as the media calls them.

    That should be unlikely.

  2. WilliamOckham says:

    Why, oh why, do people talk to the FBI without a lawyer? That’s a rhetorical question. Although, in this case, Schulte brings it up himself, claiming he had nothing to hide. He comes across as a stereotypical FIGJAM software developer (F*** I’m Good, Just Ask Me). Those guys (and in my experience, they’re always male) always overestimate their ability as developers and everything else. I especially loved how he couldn’t remember the FBI agents’ names, but he definitely remembered telling them that he was in Java functional programming lambdas class when he heard about the leaks. Dude, they’re FBI agents, you don’t have to establish your technical dominance.

    His analysis of the risks is pretty good. Better than I would expect from most developers. He’s obviously spent a lot of time thinking about the potential vulnerabilities of the system he works on. I encourage developers to think like that because, having spent time as a sysadmin and a developer, it’s great when devs and admins work together to make the network more secure. And then he starts dissing the network admins to the FBI. He never says he suggested any improvements, only that he recommended firing all the infrastructure folks. He might as well have worn a sign that said “Me! Me! Arrest Me!”

    • P J Evans says:

      Oh that’s a wonderful description of some of the programmers I’ve met. (Some may actually be good, in limited areas. But they’re never as good as they believe.)

      • WilliamOckham says:

        Right? It’s so frustrating to work with those guys. I’m really thankful there’s none of those on my current team.

        • P J Evans says:

          First person I thought of is friend’s ex. He worked as a programmer on various things, including games. Could say much more, but it would be a long comment and irrelevant.

    • Greg Hunter says:

      In my experience actually having a genius software developer and then trying to do work for the government was never compatible. Of course our stuff was designed and built at the dawn of the internet and in my experience, it was upper level management that could not discern the difference between quality work from a small shop like mine or the allure of the lies being sold by the entrenched main frame contractors employed by the US Government. Upper management also loved the outsourcing of code writing to overseas developers as they seemed to think that writing more lines of code at a cheaper price equated to a good piece of software. It was always the elegance of the architecture and not the lines of code.

      I watched all of this in real time in DC as we were getting shut down from developing software for the FAA by CSC and Booz Allen Hamilton through the Volpe Center in Boston at the same time Dynamac was shutting us down inside the Navy. The Navy contractors actually got their servers moved to Fort Huachuca in an attempt to slow us down but at that time the networks were swiss cheese and using a password as the name of the software exemplified “high security”. Lather, rinse, repeat at USDA, US Army COE and Department of Energy. Developing high quality software without a large company that could in the future hire retiring GS-14s and 15s did not meet the objectives of any DC operator.

      The quintessential case that exemplifies my experience is captured in the 2000 City Time affair as it describes how software or vaporware developed by SAIC for NYC resulted in the breakup of that company into Leidos and SAIC.

      While some of our software that was developed in the 1998-2000 time frame is still in use by the government today, my genius developer is doing the work of 40 for a billionaire in Dayton, Ohio.  Our stuff still works, but based on my experience, I can see how people like Snowden are manufactured.

      In my experience having an actual genius software developer and not getting the best out of them, no matter the quirks, is the fault of management and not the genius.

  3. mospeck says:

    love ya ew, you are tip top, but right now there’s larger fish to fry than Russian stooge JS — personally, I’m on pins and needles. For ex this slight disagreement on modus operandi between mobster bosses and their oberleutnants has got me set on edge.

    vlad’s gotta love the song
    “I have never met Napoleon
    But I plan to find the time
    I have never met Napoleon
    But I plan to find the time
    ‘Cause he looks so fine upon that hill
    They tell me he was lonely, he’s lonely still
    Those days are gone forever
    Over a long time ago, oh yeah”

    • Owen McNamara says:

      I think it’s more likely that he’s asking “Is there gas in the car? Is there gas in the caaaar?”

    • earlofhuntingdon says:

      I see that the partially-privatized Post Office is claiming it can’t possibly pay all the legitimate claims stemming from it and its contractors’ serial fuck-ups, so HMG will have to step in. And still Tories and half of Labour insist that privatization equals lower cost and better service, despite reality always being the opposite.

      Happy Valentine’s Day.

      • Valley girl says:

        You just gave me a huge laugh! Happy Valentine’s Day indeed! TY

        I really needed such to counter how depressingly awful that story was. I found it by chance poking around the Guardian. I kept on reading, in part b/c the comments of WilliamOckham and others above were in the back of my mind.

      • Valley girl says:

        p.s. Not meaning to ignore your excellent summary of the consequences of privatisation– I suppose the victims have no further legal recourse b/c of UK legal system restrictions?

        • earlofhuntingdon says:

          I’m not up on details of how the GPO was privatized, or whether, as it claims, HMG is its sole shareholder.

          The GPO seems to be making a political argument that it “cannot” meet its obligations to pay compensation to people it seriously wronged. The claim requires investigation. If true, it should lead to liquidation, an unlikely outcome. But the claim seems designed to excuse inexcusable delay, a common neoliberal tactic.

          And as any neoliberal can recite by heart, shareholders come first when it comes to resource extraction, but last, or not at all, when it comes to paying claims. In reality, the first part is exactly backwards: shareholders come last, after all other claims are settled.

          What the GPO seems intent on doing is claiming the benefits of partial government ownership – having the Treasury bail it out when managers fuck up – while operating under the benefits of being partially privatized. In other words, it’s gaming the system. It’s one reason I hate so-called public-private “partnerships.”

          Politically, though, this is the government’s problem and it should fix it immediately. It should then bring the GPO back within full government ownership and control. It’s not a business: it’s a public service that should be operated at cost. Same in the US.
