Posts

What Was the Relationship Between FSB and GRU in the DNC Hack, Redux?

/27 Comments/in , /by

I want to return to last week’s House Intelligence Hearing on Russia (because that fecker Devin Nunes canceled my birthday hearing with James Clapper and John Brennan today), to revisit a question I’ve asked a number of times (in most detail here): what was the relationship between Russia’s FSB and GRU intelligence services in the DNC hack?

The public narrative (laid out in this post) goes like this: Sometime in summer 2015, APT (Advanced Persistent Threat) 29 (associated with FSB, Russia’s top intelligence agency) hacked the DNC along with 1,000 other targets and because DNC ignored FBI’s repeated warnings, remained in their network unnoticed. Then, in March 2016, APT 28 (generally though not universally associated with GRU, Russia’s military intelligence) hacked DNC and John Podesta. According to the public story, GRU oversaw the release (via DC Leaks and Guccifer 2.0) and leaking (to Wikileaks via as-yet unidentified cut-outs) of the stolen documents.

Under the public story, then, FSB did the same kind of thing the US does (for example, with Enrique Peña Nieto in 2012), collecting intelligence on a political campaign, whereas GRU did something new (though under FBI-directed Sabu, we did something similar to Bashar al-Assad in 2012), leaking documents to Wikileaks.

Obama’s sanctions to retaliate for the hack primarily focused on GRU, but did target FSB as well, though without sanctioning any FSB officers by name. And in its initial report on the Russian hack, the government conflated the two separate groups, renaming attack tools previously dubbed Cozy and Fancy Bear the “Grizzly Steppe,” making any detailed discussion of how they worked together more confusing. As I noted, however, the report may have offered more detail about what APT 29 did than what APT 28 did.

Last week’s hearing might have been an opportunity to clarify this relationship had both sides not been interested in partisan posturing. Will Hurd even asked questions that might have elicited more details on how this worked, but Admiral Mike Rogers refused to discuss even the most basic details  of the hacks.

HURD: Thank you, Chairman.

And gentlemen, thank you all for being here. And thank you for your continued service to your country. I’ve learned recently the value of sitting in one place for a long period of time and listening and today I’m has added to that understanding and I’m going to try to ask questions that y’all can answer in this format and are within your areas of expertise. And Director Rogers, my first question to you — the exploit that was used by the Russian’s to penetrate the DNC, was it sophisticated? Was it a zero day exploit? A zero day being some type of — for those that are watching, an exploit that has never been used before?

ROGERS: In an open unclassified forum, I am not going to talk about Russian tactics, techniques or procedures about how they executed their hacks.

HURD: If members of the DNC had not — let me rephrase this, can we talk about spear fishing?

ROGERS: Sure, in general terms, yes sir.

HURD: Spear fishing is when somebody sends an email and they — somebody clicks on something in that email…

ROGERS: Right, the user of things (inaudible) they’re receiving an email either of interest or from a legitimate user, they open it up and they’ll often click if you will on a link — an attachment.

HURD: Was that type of tactic used in the…

ROGERS: Again, I’m not in an unclassified forum just not going to be…

The refusal to discuss the most basic details of this hack — even after the government listed 31 reports describing APT 28 and 29 (and distinguishing between the two) in its updated report on the hacks — is weird, particularly given the level of detail DOJ released on the FSB-related hack of Yahoo. Given that the tactics themselves are not secret (and have been confirmed by FBI, regardless of what information NSA provided), it seems possible that the government is being so skittish about these details because they don’t actually match what we publicly know. Indeed, at least one detail I’ve learned about the documents Guccifer 2.0 leaked undermines the neat GRU-FSB narrative.

Comey did confirm something I’ve been told about the GRU side of the hack: they wanted to be found (whereas the FSB side of the hack had remained undiscovered for months, even in spite of FBI’s repeated efforts to warn DNC).

COMEY: The only thing I’d add is they were unusually loud in their intervention. It’s almost as if they didn’t care that we knew what they were doing or that they wanted us to see what they were doing. It was very noisy, their intrusions in different institutions.

There is mounting evidence that Guccifer 2.0 went to great lengths to implicate Russia in the hack. Confirmation GRU also went out of its way to make noise during the DNC hack may suggest both within and outside of the DNC the second hack wanted to be discovered.

I have previously pointed to a conflict between what Crowdstrike claimed in its report on the DNC hack and what the FBI told FireEye. Crowdstrike basically said the two hacking groups didn’t coordinate at all (which Crowdstrike took as proof of sophistication). Whereas FireEye said they did coordinate (which it took as proof of sophistication and uniqueness of this hack). I understand the truth is closer to the latter. APT 28 largely operated on its own, but at times, when it hit a wall of sorts, it got help from APT 29 (though there may have been some back and forth before APT 29 did share).

All of which brings me to two questions Elise Stefanik asked. First, she asked — casually raising it because it had “been in the news recently” — whether the FSB was collecting intelligence in its hack of Yahoo.

STEFANIK: Thank you. Taking a further step back of what’s been in the news recently, and I’m referring to the Yahoo! hack, the Yahoo! data breech, last week the Department of Justice announced that it was charging hackers with ties to the FSB in the 2014 Yahoo! data breech. Was this hack done to your knowledge for intelligence purposes?

COMEY: I can’t say in this forum.

STEFANIK: Press reporting indicates that Yahoo! hacked targeted journalists, dissidence and government officials. Do you know what the FSB did with the information they obtained?

COMEY: Same answer.

Again, in spite of the great deal of detail in the indictment, Comey refused to answer these obvious questions.

The question is all the more interesting given that the indictment alleges that Alexsey Belan (who was sanctioned along with GRU in December) had access to Yahoo’s network until December 2016, well after these hacks. More interestingly, Belan was “minting” Yahoo account credentials at least as late as May 20, 2016. That’s significant, because one of the first things that led DNC to be convinced Russia was hacking it was when Ali Chalupa, who was then collecting opposition research on Paul Manafort from anti-Russian entities in Ukraine, kept having her Yahoo account hacked in early May. With the ability to mint cookies, the FSB could have accessed her account without generating a Yahoo notice. Chalupa has recently gone public about some, though not all, of the other frightening things that happened to her last summer (she was sharing them privately at the time). So at a time when the FSB could have accomplished its goals unobtrusively, hackers within the DNC network, Guccifer 2.0 outside of it, and stalkers in the DC area were all alerting Chalupa, at least, to their presence.

While it seems increasingly likely the FSB officers indicted for the Yahoo hack (one of whom has been charged with treason in Russia) were operating at least partly on their own, it’s worth noting that overlapping Russian entities had three different ways to access DNC targets.

Note, Dianne Feinstein is the one other person I’m aware of who is fully briefed on the DNC hack and who has mentioned the Yahoo indictment. Like Comey, she was non-committal about whether the Yahoo hack related to the DNC hack.

Today’s charges against hackers and Russian spies for the theft of more than 500 million Yahoo user accounts is the latest evidence of a troubling trend: Russia’s sustained use of cyber warfare for both intelligence gathering and financial crimes. The indictment shows that Russia used these cyberattacks to target U.S. and Russian government officials, Russian journalists and employees of cybersecurity, financial services and commercial entities.

There seems to be a concerted effort to obscure whether the Yahoo hack had any role in the hack of the DNC or other political targets.

Finally, Stefanik asked Comey a question I had myself.

STEFANIK: OK, I understand that. How — how did the administration determine who to sanction as part of the election hacking? How — how familiar with that decision process and how is that determination made?

COMEY: I don’t know. I’m not familiar with the decision process. The FBI is a factual input but I don’t recall and I don’t have any personal knowledge of how the decisions are made about who to sanction.

One place you might go to understand the relationship between GRU and FSB would be to Obama’s sanctions, which described the intelligence targets this way.

  • The Main Intelligence Directorate (a.k.a. Glavnoe Razvedyvatel’noe Upravlenie) (a.k.a. GRU) is involved in external collection using human intelligence officers and a variety of technical tools, and is designated for tampering, altering, or causing a misappropriation of information with the purpose or effect of interfering with the 2016 U.S. election processes.
  • The Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB) assisted the GRU in conducting the activities described above.

[snip]

  • Sanctioned individuals include Igor Valentinovich Korobov, the current Chief of the GRU; Sergey Aleksandrovich Gizunov, Deputy Chief of the GRU; Igor Olegovich Kostyukov, a First Deputy Chief of the GRU; and Vladimir Stepanovich Alexseyev, also a First Deputy Chief of the GRU.

Remember, by the time Obama released these sanctions, several FSB officers, including Dmitry Dokuchaev (who was named in the Yahoo indictment) had been detained for treason for over three weeks. But the officers named in the sanctions, unlike the private companies and individual hackers, are unlikely to be directly affected by the sanctions.

The sanctions also obscured whether Belan was sanctioned for any role in the DNC hack.

  • Aleksey Alekseyevich Belan engaged in the significant malicious cyber-enabled misappropriation of personal identifiers for private financial gain.  Belan compromised the computer networks of at least three major United States-based e-commerce companies.

Again, all of this suggests that the intelligence community has reason to want to obscure how these various parts fit together, even while publicizing the details of the Yahoo indictment.

Which suggests a big part of the story is about how the public story deviates from the real story the IC is so intent on hiding.

Republicans Prepare to Accuse Hillary of Russian Ties

/27 Comments/in , /by

In Monday’s hearing, Devin Nunes asked Jim Comey for reassurances that if anyone — including a member of the public — brought allegations of Russian attempts to infiltrate the Hillary campaign to the FBI, the FBI would expand the investigation to include those efforts as well.

NUNES:Director Comey, you announced this morning that there’ll be an investigation into Trump associates possible and President Trump and anyone around the campaign and any association with the Russian government.

If this committee or anyone else for that matter, someone from the public, comes with information to you about the Hillary Clinton campaign or their associates or someone from the Clinton Foundation, will you add that to your investigation? They have ties to Russian intelligence services, Russian agents, would that be something of interest to you?

COMEY: People bring us information about what they think is improper unlawful activity of any kind, we will evaluate it. Not just in — not just in this context. Folks send us stuff all the time. They should keep going that.

NUNES: Do you think it’s possible that the Russians would not be trying to infiltrate Hillary Clinton’s campaign, get information on Hillary Clinton and try to get to people that are around that campaign or the Clinton Foundation?

COMEY: I’m not prepared to comment about the particular campaigns but the Russians in general are always trying to understand who the future leaders might be and what levers of influence there might be on them.

NUNES: I just hope that if — if information does surface about the other campaigns, not even just Hillary Clinton’s but any other campaigns, that you would take that serious also if the Russians were trying to infiltrate those campaigns around them.

COMEY: Of course we would.

Yesterday, Politico reported that the RNC paid an intelligence firm that employs a former KGB officer dig up dirt on Hillary.

The payments attracted attention in political and intelligence circles, largely because the Virginia-based firm, Hamilton Trading Group, had particular expertise in Russia, which was emerging as a major campaign issue at the time.

RNC officials and the president and co-founder of Hamilton Trading Group, an ex-CIA officer named Ben Wickham, insisted the payments, which eventually totaled $41,500, had nothing to do with Russia.

[snip]

But RNC officials now acknowledge that most of the cash$34,100 — went towards intelligence-style reports that sought to prove conflicts of interest between Democratic presidential candidate Hillary Clinton’s tenure as Secretary of State and her family’s foundation.

The firm produced two dossiers that tried to make the case that Clinton intervened in Bulgaria and Israel, respectively, on behalf of energy companies that had donated to the Clinton Foundation, according to people briefed on the reports.

The oppo firm’s story has been evolving, but thus far, it seems that the former KGB officer, Gennady Vasilenko, did not work on the Hillary project. That said, remember that the Christopher Steele dossier (which is effectively the Clinton counterpart to this oppo project) indicated that Russia held compromising information on Hillary. We don’t know if that was included in the earlier reports shared with Steele’s first, Republican client. If it was, I could imagine the RNC trying to replicate the same information via a different source.

Meanwhile, serial fabulist oppo hit man Jerome Corsi has a piece at Infowars purporting to explain Roger Stone’s August 21, 2016 tweet stating “it would soon be Podesta’s time in the barrel.” Corsi includes two reports from last summer — one done by Government Accountability Institute and another by himself in response to the Paul Manafort allegations — alleging ties between Hillary and Podesta and Russia.

When this article was published, I suggested to Roger Stone that the attack over Manafort’s ties to Russia needed to be countered.

My plan was to publicize the Government Accountability Institute’s report, “From Russia With Money,” that documented how Putin paid substantial sums of money to both Hillary Clinton and John Podesta.

Putin must have wanted Hillary to win in 2016, if only because Russian under-the-table cash payments to the Clintons and to Podesta would have made blackmailing her as president easy.

On Aug. 14, 2016, I began researching for Roger Stone a memo that I entitled “Podesta.”

I completed that memo on Aug. 31, 2016, and is embedded here in its entirety.

It’s not clear Corsi’s explanation works to absolve Stone: while the earlier (July 31) report does focus on John Podesta, Corsi’s August 31 report focuses primarily on John’s brother Tony.

But it does dig out these Russian allegations just after Nunes raised the possibility private citizens might provide FBI with evidence implicating the Hillary campaign.

I’d say this is all ridiculous, and within the counterintelligence department it probably is, but remember that similar allegations from Steve Bannon got the NY office of the FBI chasing after the Clinton Foundation for months and months.

FBI Is Examining Possible Coordination with Russia, Not Collusion

/9 Comments/in , /by

Jim Comey’s statement confirming an investigation including the Trump campaign on Monday said the following:

I have been authorized by the Department of Justice to confirm that the FBI, as part of our counterintelligence mission, is investigating the Russian government’s efforts to interfere in the 2016 presidential election, and that includes investigating the nature of any links between individuals associated with the Trump campaign and the Russian government and whether there was any coordination between the campaign and Russia’s efforts. As with any counterintelligence investigation, this will also include an assessment of whether any crimes were committed. [my emphasis]

In spite of that careful, pre-approved word choice, “coordination,” members of Congress in the hearing, as well as the press both before and after the hearing, have used the term “collusion.”

But Comey made it clear much later in the hearing that the term coordination was deliberate. Mike Quigley asked for more details about how the FBI might find collusion with a foreign power. Comey corrected him, stating that he was investigating whether there had been coordination.

Collusion is not a legal term. It is not one I have used today. I said we are investigating to see if there is any coordination between people associated with the campaign–

I think — though the lawyers should correct me if I’m wrong — this suggests the FBI is thinking in terms of conspiracy.

That, along with Comey’s focus on knowing coordination, may put things like Roger Stone’s interactions in the limelight — though the case that Guccifer 2.0 is a Russian cut-out is and always has been one of the weakest parts of the public case against Russia, and even top intelligence community people stop short of calling Wikileaks a Russian cut-out (meaning Stone would be able to deny knowingly working with Russians).

It does, however, put the events surrounding the release of Podesta’s emails on October 7 in interesting light, though the lefty case on that is neither the best case for that period, nor does it account for all the details that would be of interest.

When a White Republican Gets Spied On, Privacy Suddenly Matters

/38 Comments/in , , /by

As expected, much of today’s hearing on the Russian hack consisted of members of Congress — from both parties — posturing for the camera.

At first, it seemed that the Republican line of posturing — complaining about the leak that exposed Mike Flynn’s conversations with Ambassador Sergey Kislyak — tracked Donald Trump’s preferred approach, to turn this into a witch hunt for the leakers.

But it was actually more subtle than that. It appears Republicans believe the leaks about Flynn have (finally) made Congress skittish about incidental collection of US person communications as part of FISA collection. And so both Tom Rooney and Trey Gowdy spent much of their early hearing slots discussing how much more difficult the leak of Flynn’s name will make Section 702 reauthorization later this year. In the process, they should have created new fears about how painfully ignorant the people supposedly overseeing FISA are.

Rooney, who heads the subcommittee with oversight over NSA, started by quizzing Mike Rogers about the process by which a masked US person identity can be disclosed. Along the way, it became clear Rooney was talking about Section 702 reauthorization even while he was talking traditional FISA collection, which doesn’t lapse this year.

Rooney: If what we’re talking about is a serious crime, as has been alleged, in your opinion would leaking of a US person who has been unmasked and disseminated by intelligence community officials, would that leaking hurt or help our ability to conduct national security.

Rogers: Hurt.

Rooney: Ok, if it hurts, this leak, which through the 702 tool, which we all agree is vital–or you and I at least agree to that–do you think that that leak actually threatens our national security. If it’s a crime, and if it unmasks a US person, and this tool is so important it could potentially jeopardize this tool when we have to try to reauthorize it in a few months, if this is used against our ability to reauthorize this tool, and we can’t get it done because whoever did this leak, or these nine people that did this leak, create such a stir, whether it be in our legislative process or whatever, that they don’t feel confident a US person, under the 702 program, can be masked, successfully, and not leaked to the press, doesn’t that hurt–that leak–hurt our national security.

Eventually Admiral Rogers broke in to explain to his congressional overseer very basic facts about surveillance, including that Flynn was not and could not have been surveilled under Section 702.

Rogers: FISA collection on targets in the United States has nothing to do with 702, I just want to make sure we’re not confusing the two things here. 702 is collection overseas against non US persons.

Rooney: Right. And what we’re talking about here is incidentally, if a US person is talking to a foreign person that we’re listening to whether or not that person is unmasked.

Nevertheless, Rooney made it very clear he’s very concerned about how much harder the Flynn leak will make it for people like him to convince colleagues to reauthorize Section 702, which is even more of a privacy concern than traditional FISA.

Rooney: But it’s really going to hurt the people on this committee and you in the intelligence community when we try to retain this tool this year and try to convince some of our colleagues that this is really important for national security when somebody in the intelligence community says, you know what the hell with it, I’m gonna release this person’s name, because I’m gonna get something out of it. We’re all gonna be hurt by that. If we can’t reauthorize this tool. Do you agree with that?

A little later, Trey Gowdy got his second chance to complain about the leak. Referencing Rogers’ earlier explanation that only 20 people at NSA can unmask a US person identity, Gowdy tried to figure out how many at FBI could, arguing (this is stunning idiocy here) that by finding a finite number of FBI officials who could unmask US person identities might help assuage concerns about potential leaks of US persons caught in FISA surveillance.

Comey: I don’t know for sure as I sit here. Surely more, given the nature of the FBI’s work. We come into contact with US persons a whole lot more than the NSA does because we may be conducting — we only conduct our operations in the United States to collect electronic surveillance. I can find out the exact number. I don’t know it as I sit here.

Gowdy: I think Director Comey given the fact that you and I agree that this is critical, vital, indispensable. A similar program is coming up for reauthorization this fall with a pretty strong head wind right now, it would be nice to know the universe of people who have the power to unmask a US citizen’s name. Cause that might provide something of a road map to investigate who might have actually disseminated a masked US citizen’s name.

Here’s why this line of questioning from Gowdy is unbelievably idiotic. Both for traditional FISA, like the intercept targeting Kislyak that caught Flynn, and for Section 702, masking and unmasking identities at FBI is not the concern. That’s because the content from both authorities rests in FBI’s databases, and anyone cleared for FISA can access the raw data. And those FBI Agents not cleared for FISA can and are encouraged just to ask a buddy who is cleared to do it.

In other words, every Agent at FBI has relatively easy way to access the content on Flynn, so long as she can invent a foreign intelligence or criminal purpose reason to do so.

Which is probably why Comey tried to pitch something he called “culture” as adequate protection, rather than the very large number of FBI Agents who are cleared into FISA.

Comey: The number is … relevant. What I hope the US–the American people will realize is the number’s important but the culture behind it is in fact more important. The training, the rigor, the discipline. We are obsessive about FISA in the FBI for reasons I hope make sense to this committee. But we are, everything that’s FISA has to be labeled in such a way to warn people this is FISA, we treat this in a special way. So we can get you the number but I want to assure you the culture in the FBI and the NSA around how we treat US person information is obsessive, and I mean that in a good way.

So then Gowdy asks Comey something he really has a responsibility to know: what other agencies have Standard Minimization Procedures. (The answer, at least as the public record stands, is NSA, CIA, FBI, and NCTC have standard minimization procedures, with Main Justice using FBI’s SMPs.)

Gowdy: Director Comey I am not arguing with you and I agree the culture is important, but if there are 100 people who have the ability to unmask and the knowledge of a previously masked name, then that’s 100 different potential sources of investigation. And the smaller the number is, the easier your investigation is. So the number is relevant. I can see the culture is relevant. NSA, FBI, what other US government agencies have the authority to unmask a US citizen’s name?

Comey: Well I think all agencies that collect information pursuant to FISA have what are called standard minimization procedures which are approved by the FISA court that govern how they will treat US person information. So I know the NSA does, I know the CIA does, obviously the FBI does, I don’t know for sure beyond that.

Gowdy: How about Main Justice?

Comey: Main Justice I think does have standard minimization procedures.

Gowdy: Alright, so that’s four. NSA, FBI, CIA, Main Justice. Does the White House has the authority to unmask a US citizen’s name?

Comey: I think other elements of the government that are consumers of our can ask the collectors to unmask. The unmasking resides with those who collected the information. And so if Mike Rogers’ folks collected something, and they send it to me in a report and it says it’s US person #1 and it’s important for the FBI to know who that is, our request will go back to them. The White House can make similar requests of the FBI or NSA but they don’t on their own collect, so they can’t on their own unmask.

That series of answers didn’t satisfy Gowdy, because from his perspective, if Comey isn’t able to investigate and find a head for the leak of Flynn’s conversation with Kislyak — well, I don’t know what he thinks but he’s sure an investigation, possibly even the prosecution of journalists, is the answer.

Gowdy: I guess what I’m getting at Director Comey, you say it’s vital, you say it’s critical, you say that it’s indispensable, we both know it’s a threat to the reauthorization of 702 later on this fall and oh by the way it’s also a felony punishable by up to 10 years. So how would you begin your investigation, assuming for the sake of argument that a US citizen’s name appeared in the Washington Post and the NY Times unlawfully. Where would you begin that investigation?

This whole series of questions frankly mystifies me. I mean, these two men who ostensibly provide oversight of FISA clearly didn’t understand what the biggest risk to privacy is –back door searches of US person content — which at the FBI doesn’t even require any evidence of wrong-doing. That is the biggest impediment to reauthorizing FISA.

And testimony about the intricacies of unmasking a US person identity — particularly when a discussion of traditional FISA serves as stand-in for Section 702 — does nothing more than expose that the men who supposedly oversee FISA closely have no fucking clue — and I mean really, not a single fucking clue — how it works. Devin Nunes, too, has already expressed confusion on how access to incidentally collected US person content works.

Does anyone in the House Intelligence Committee understand how FISA works? Bueller?

In retrospect, I’m really puzzled by what is so damning about the Flynn leak to them. I mean, don’t get me wrong, I’m very sympathetic to the complaint that the contents of the intercepts did get leaked. If you’re not, you should be. Imagine how you’d feel if a Muslim kid got branded as a terrorist because he had a non-criminal discussion with someone like Anwar al-Awlaki? (Of course, in actual fact what happened is the Muslim kids who had non-criminal discussions with Awlaki had FBI informants thrown at them until they pressed a button and got busted for terrorism, but whatever.)

But Rooney and Gowdy and maybe even Nunes seemed worried that their colleagues in the House have seen someone like them — not a young Muslim, but instead a conservative white man — caught up in FISA, which has suddenly made them realize that they too have conversations all the time that likely get caught up in FISA?

Or are they worried that the public discussion of FISA will expose them for what they are, utterly negligent overseers, who don’t understand how invasive of privacy FISA currently is?

If it’s the latter, their efforts to assuage concerns should only serve to heighten those concerns. These men know so little about FISA they don’t even understand what questions to ask.

In any case, after today’s hearing I am beginning to suspect the IC doesn’t like to have public hearings not because someone like me will learn something, but because we’ll see how painfully little most of the so-called overseers have learned in all the private briefings the IC has given them. If these men don’t understand the full implications of incidental collection, two months after details of Flynn’s conversations have been leaked, then it seems likely they’ve been intentionally mis or underinformed.

Or perhaps they’re just not so bright.

FBI Delayed Telling the Gang of Four about Trump-Related Investigation Because It Is So Serious

/59 Comments/in , , /by

As every newspaper in town has reported, at today’s hearing into Russia’s hack of the DNC, Jim Comey confirmed that the FBI has a counterintelligence investigation into the hack that includes whether Trump’s associates coordinated with Russian actors. Along the way, Comey refused to join in James Clapper’s statement that there was no evidence of collusion between Trump’s aides and Russia. When the now retired Director of National Intelligence said that, Clapper had emphasized that his statement only extended through the end of his service, January 20; he warned that some evidence may have been discovered after that.

A far more telling detail came close to the end of the hearing, during NY Congresswoman Elise Stefanik’s questioning. She started by asking what typical protocols were for informing the DNI, the White House, and senior Congressional leadership about counterintelligence investigations.

Stefanik: My first set of questions are directed at Director Comey. Broadly, when the FBI has any open counterintelligence investigation, what are the typical protocols or procedures for notifying the DNI, the White House, and senior congressional leadership?

Comey: There is a practice of a quarterly briefing on sensitive cases to the Chair and Ranking of the House and Senate Intelligence Committees. The reason I hesitate is, thanks to feedback we’ve gotten, we’re trying to make it better. And that involves a briefing briefing the Department of Justice, I believe the DNI, and the — some portion of the National Security Council at the White House. We brief them before Congress is briefed.

Stefanik: So it’s quarterly for all three, then, senior congressional leadership, the White House, and the DNI?

Comey: I think that’s right. Now that’s by practice, not by rule or by written policy. Which is why, thanks to the Chair and Ranking giving us feedback, we’re trying to tweak it in certain ways.

Note that point: the practice has been that FBI won’t brief the Gang of Four until after they’ve briefed DOJ, the DNI, and the White House. Stefanik goes on to ask why, if FBI normally briefs CI investigations quarterly, why FBI didn’t brief the Gang of Four before the last month, at least seven months after the investigation started. Comey explains they delayed because of the sensitivity of the investigation.

Stefanik: So since in your opening statement you confirmed that there is a counterintelligence investigation currently open and you also referenced that it started in July, when did  you notify the DNI, the White House, or senior Congressional leadership?

Comey: Congressional leadership, sometime recently — they were briefed on the nature of the investigation and some details, as I said. Obviously the Department of Justice must have been aware of it all along. The DNI … I don’t know what the DNI’s knowledge of it was, because we didn’t have a DNI until Mr. Coats took office and I briefed him his first morning in office.

Stefanik: So just to drill down on this, if the open investigation began in July, and the briefing of Congressional leadership only occurred recently, why was there no notification prior to the recent — the past month.

Comey: I think our decision was it was a matter of such sensitivity that we wouldn’t include it in the quarterly briefings.

Stefanik: So when you state “our decision,” is that your decision, is it usually your decision what gets briefed in those quarterly updates?

Comey: No. It’s usually the decision of the head of our counterintelligence division.

Stefanik: And just again, to get the details on the record, why was the decision not to brief senior congressional leadership until recently, when the investigation had been open since July, a very serious investigation. Why was that decision made to wait months?

Comey: Because of the sensitivity of the matter.

Stefanik then got Comey to reconfirm what the IC report says: that Russia had hacked numerous entities, he would later say over a thousand, including Republican targets.

Stefanik then turned to the Yahoo investigation. She asked whether the FSB officers involved conducted the hack for intelligence purposes — a question Comey refused to answer. He also refused to answer what the FSB did with the information stolen.

Stefanik: Taking a further step back of what’s been in the news recently and I’m referring to the Yahoo hack, the Yahoo data breach, last week the Department of Justice announced it was charging hackers with ties to the FSB in the 2014 data breach. Was this hack done, to your knowledge, for intelligence purposes?

Comey: I can’t say in this forum.

Stefanik: Press reporting indicates the Yahoo hack targeted journalists, dissidents and government officials. Do you know what the FSB did with the information they obtained?

Comey: Same answer.

Stefanik: Okay, I understand that.

This is important for a number of reasons, including the evidence that the FSB was hiding their hacking from others in Russia.

Stefanik then turned to the sanctions, asking if Comey had any insight into how the Obama Administration chose who got sanctioned in December — which included Alexsey Belan but not the FSB officers involved (one of whom, Dmitry Dokuchaev, was already under arrest for treason by the time of the sanctions).

Stefanik: How did the Administration determine who to sanction as part of the election hacking? How familiar are [] with that decision process and how is that determination made?

Comey: I don’t know. I’m not familiar with the decision-making process. The FBI is a factual input but I don’t recall — I don’t have any personal knowledge about how the decisions were made about who to sanction.

Again, her interest in this is significant — I’ll explain why in a follow-up.

Stefanik then asked what the intelligence agencies would do going forward to keep entities safe from Russian hacking. As part of the response, Mike Rogers revealed (unsurprisingly) that NSA first learned of FSB’s hacking of those many targets in the summer of 2015.

Finally, Stefanik returned to her original point, when Congress gets briefed on CI investigations. Comey’s response was remarkable.

Stefanik: It seems to me, in my first line of questioning, the more serious a counterintelligence investigation is, that would seem to trigger the need to update not just the White House, the DNI, but also senior congressional leadership. And you stated it was due to the severity. I think moving forward, it seems the most severe and serious investigations should be notified to senior congressional leadership. And with that thanks for your lenience, Mr. Chairman, I yield back.

Comey could have been done with Stefanik yielding back. But instead, he interrupted, and suggested part of the delay had to do with the practice of briefing within the Executive Branch NSC before briefing Congress.

Comey: That’s good feedback, Ms. Stefanik, the challenge for is, sometimes we want to keep it tight within the executive branch, and if we’re going to go brief congressional leaders, the practice has been then we brief inside the executive branch, and so we have to try to figure out how to navigate that in a good way.

Which seems to suggest one reason why the FBI delayed briefing the Gang of Four (presumably, this is the Gang of Eight) is because they couldn’t brief all Executive Branch people the White House, and so couldn’t brief Congress without first having briefed the White House.

Which would suggest Mike Flynn may be a very central figure in this investigation.

Update: I’ve corrected my last observation to match Comey’s testimony that the delay had to do with keeping things on a close hold within the Executive Branch. That may be nothing, it may reflect the delay on confirming Dan Coats, it may be Flynn (if you normally brief the NSC, after all the National Security Advisor would be among the first to be briefed), but it also could be Jeff Sessions.

Why We Should Remain Skeptical of the Five (!!) Congressional Investigations into the Russian Hack

/5 Comments/in /by

I was interviewed (on Thursday) about the Flynn resignation and larger investigation into the Russia hack for Saturday’s On the Media. In what made the edit, I made one error (which I’ll explain later), but a key point I made holds. The leaking about Flynn and other Russian events are hypocritical and out of control. But they may create pressure to fix two problems with the current investigations into the Russian hack: the role of Jeff Sessions overseeing the DOJ-led investigations, and the role of Trump advisory officials Devin Nunes and Richard Burr overseeing the most appropriate congressional investigations.

In this post I’ll look at the latter conflicts. In a follow-up I’ll look at what the FBI seems to be doing.

As I noted in the interview, contrary to what you might think from squawking Democrats, there are five congressional investigations pertaining to Russian hacks, though some will likely end up focusing on prospective review of Russian hacking (for comparison, there were seven congressional Benghazi investigations). They are:

  • Senate Intelligence Committee: After months of Richard Burr — who served on Trump’s campaign national security advisory council — saying an inquiry was not necessary and going so far as insisting any inquiry wouldn’t review the dossier leaked on Trump, SSCI finally agreed to do an inquiry on January 13. Jim Comey briefed that inquiry last Friday, February 17.
  • House Intelligence Committee: In December, James Clapper refused to brief the House Intelligence Committee on the latest intelligence concluding Russian hacked the DNC with the goal of electing Trump, noting that HPSCI had been briefed all along (as was clear from some of the leaks, which clearly came from HPSCI insiders). In January, they started their own investigation of the hack, having already started fighting about documents by late January. While Ranking Democratic Member Adam Schiff has long been among the most vocal people complaining about the treatment of the hack, Devin Nunes was not only a Trump transition official, but made some absolutely ridiculous complaints after Mike Flynn’s side of some conversations got legally collected in a counterintelligence wiretap. Nunes has since promised to investigate the leaks that led to Flynn’s forced resignation.
  • Senate Armed Services Committee: In early January, John McCain announced he’d form a new subcommittee on cybersecurity, with the understanding it would include the Russian hack in its focus. Although he originally said Lindsey Graham would lead that committee, within weeks (and after Richard Burr finally capitulated and agreed to do a SSCI inquiry), McCain instead announced Mike Rounds would lead it.
  • Senate Foreign Relations Committee: In December, Bob Corker announced the SFRC would conduct an inquiry, scheduled to start in January. At a hearing in February, the topic came up multiple times, and both Corker and Ben Cardin reiterated their plans to conduct such an inquiry.
  • Senate Judiciary Subcommittee on Crime and Terrorism: After Graham was denied control of the SASC panel, he and Sheldon Whitehouse announced they’d conduct their own inquiry, including a prospective review of “the American intelligence community’s assessment that Russia did take an active interest and play a role in the recent American elections.”

All the while, some Senators — McCain, Graham, Chuck Schumer, and Jack Reed — have called for a Select Committee to conduct the investigation, though in true McCainesque fashion, the maverick has at times flip-flopped on his support of such an inquiry.

Also, while not an investigation, on February 9, Jerry Nadler issued what I consider (strictly as it relates to the Russian hack, not the other conflicts) an ill-advised resolution of inquiry calling for the Administration to release materials relating to the hack, among other materials. Democrats in both the House and Senate have introduced legislation calling for an independent commission, but have gotten no support even from the mavericky Republicans.

As you can see from these descriptions, it took pressure from other committees, especially Lindsey Graham getting control of one of the inquiries, before Richard Burr let himself be convinced by SSCI Vice Chair Mark Warner to conduct an inquiry. Thus far, Mitch McConnell has staved off any Select Committee. As soon as SSCI did claim to be launching an investigation, a bunch of Republicans tried to shut down the others, claiming it was all simply too confusing.

Let me be clear: as I noted in the OTM interview, the intelligence committees are the appropriate place to conduct this investigation, as it concerns really sensitive counterintelligence matters — people who could be witnesses to it are getting killed! — and an ongoing investigation. The only way to conduct a responsible inquiry is to do so in secret, and unless a select committee with clearance is formed, that means doing so in the dysfunctional intelligence committees.

That’s made worse by Nunes and Burr’s obvious conflicts, having served on Trump’s pre-inauguration advisory teams (at a time when Mike Flynn was chatting about ongoing sanctions with Russia), and their equally obvious disinterest in conducting the investigation. Remember that the intelligence committees successfully bolloxed up the independent investigation into Iran-Contra. While neither Nunes nor Burr is as smart as Dick Cheney, who had a key role in that intentional bolloxing, Democrats should be cognizant of the ways that such bolloxing has happened in the past.

And now that SSCI has finally started its inquiry, Ali Watkins published an uncharacteristically credulous report on Burr’s role in the investigation, slathering on the colorful vocabulary — “brutally yanked;” “underground cohort;” “dark shadow of Langley;” “Wearily, they’re trudging forward on a probe littered with potential political landmines;” — before portraying the allegedly difficult position Burr is in:

That he’s now in charge of the sweeping Russia inquiry puts the North Carolina Republican in between a rock and a hard place. Since taking over the helm of the intelligence committee, Burr has pressed for more active and aggressive oversight, and has kept a rigorous travel schedule to match. But his decisive reelection victory in November came at a cost — throughout the contentious race, Burr towed Trump’s line, and hasn’t yet directly criticized the White House publicly.

But Burr has shown no indication that he’s ever angled for a Trump administration job, and says he’s not running for re-election. How seriously he takes his obligation to carry his president’s water remains to be seen.

Burr has been slammed by colleagues in recent days, who fear he’s slow-rolling an investigation into a fast-moving story. But much of the inquiry’s slow start was due to bureaucratic wrangling — some intelligence agencies insisted products be viewed on site rather than sent to the Hill, and some of the intelligence was so tightly controlled that it was unclear if staffers could even view it.

This is just spin. There is abundant public record that Burr has thwarted oversight generally (he has said things supporting that stance throughout his history on both the Senate and House Intelligence Committee, even ignoring his role in covering up torture, and Watkins’ earlier incorrect claims about Burr’s open hearings remain only partly corrected). There is no mention in this article that Burr was on Trump’s national security advisory committee. Nor that SSCI had reason to do hearings about this hack well before January 2017, back when it might have made a difference — at precisely the time when Burr apparently had time to advise Trump about national security issues as a candidate. Plus, it ignores all the things laid out here, Burr’s continued equivocation about whether there should even be a hearing.

There is no reason to believe Burr or Nunes intend to have a truly rigorous investigation (bizarrely, Warner seems to have had more success pushing the issue than Schiff — or Dianne Feinstein when she was Vice Chair — though that may be because the Ranking position is stronger in the Senate than in the House). And history tells us we should be wary that their investigations will be counterproductive.

As I noted, on Friday — the Friday before a recess — Jim Comey briefed the SSCI on the Russian hack. That briefing was unusual for the date (regular SSCI meetings happen on Tuesday and Thursday, and little business of any kinds happens right before a recess). Reporters have interpreted that, along with the presumed silence about the content of the briefing, as a sign that things are serious. That may be true — or it may be that that was the only time a 3-hour briefing could be scheduled. In the wake of the briefing, it was reported that the SSCI sent broad preservation requests tied to the inquiry (that is, they sent the request long after the inquiry was started). And while the press has assumed no one is talking, the day after the briefing, Reuters reported outlines of at least three parts of the FBI investigation into the Russian hack, attributed to former and current government officials.

Trump Raises the Axe over the Intelligence Community, Again

/7 Comments/in /by

The Intelligence Community is finishing its report on the intelligence regarding Russia’s influence in our elections. The report is expected to be delivered to President Obama tomorrow and briefed to President Elect Trump on Friday.

That’s the context for — and surely at least part of the explanation for — this WSJ story reporting that Trump plans to reorganize the intelligence community.

[A]dvisers also are working on a plan to restructure the Central Intelligence Agency, cutting back on staffing at its Virginia headquarters and pushing more people out into field posts around the world. The CIA declined to comment on the plan.

“The view from the Trump team is the intelligence world [is] becoming completely politicized,” said the individual, who is close to the Trump transition operation. “They all need to be slimmed down. The focus will be on restructuring the agencies and how they interact.”

[snip]

The Office of the Director of National Intelligence was established in 2004 in large part to boost coordination between intelligence agencies following the Sept. 11, 2001 terror attacks.

Many Republicans have proposed cutting the ODNI before, but this has proven hard to do in part because its mission centers are focused on core national security issues, such as counterterrorism, nuclear proliferation, and counterintelligence.

“The management and integration that DNI focuses on allows agencies like the CIA to better hone in on its own important work,” said Rep. Adam Schiff (D., Calif.), the ranking Democrat on the House Intelligence Committee, who believes dismantling the ODNI could lead to national security problems.

Mr. Trump’s advisers say he has long been skeptical of the CIA’s accuracy, and the president-elect often mentions faulty intelligence in 2002 and 2003 concerning Iraq’s weapons programs. But he has focused his skepticism of the agencies squarely on their Russia assessments, which has jarred analysts who are accustomed to more cohesion with the White House.

The report repeats earlier reporting — in part from some of the same WSJ reporters — that Trump planned this briefing. Back then, in mid-November, Trump was merely disdainful of the IC and much of the reorganization appeared to be a mix of vengeance on the part of Mike Flynn and, frankly, some reasonable ideas (things like splitting NSA and reversing some of the questionable changes John Brennan made). At the center of it all was a plan to make Admiral Mike Rogers Director of National Intelligence.

The day after that reporting, however, outlets reported that Ash Carter and James Clapper had been planning to fire Rogers, partly because the NSA had remained a leaky sieve under his tenure and partly because he had delayed cyber-bombing ISIS (perhaps to preserve intelligence collection). And that’s before it became public that the NSA hadn’t adopted four security measures recommended after the Snowden leaks.

After that, of course, Democrats and the CIA started leaking that Russia hacked the DNC with the purpose of electing Trump, which gave Trump the entrée to suggest this discussion is all politicized, which has escalated to this week. Trump seems to have orchestrated the Sean Hannity interview at which Julian Assange said what he has long said — that he didn’t get the DNC files from Russia.

Reuters is now reporting that after the election the IC determined that third parties had gotten the files from Russian entities to Wikileaks, which means Assange likely has no idea where the files came from.

But the timing of this story, sourced significantly to the Trump camp, seems to be a warning to those who will brief Trump on Friday. While Clapper and Brennan are on their way out (the fate of Comey and Rogers is still undecided), they certainly will want to protect their agencies.

Which should make for an interesting briefing Friday.

The Conspiracy Theory in YouGov’s Conspiracy Theory Poll

/12 Comments/in /by

YouGov has a poll showing that “belief in conspiracy theories largely depends on political identity.” For example, it shows that Republicans believe Obama is Kenyan.

It focuses on several things it considers conspiracy theories tied to this election, including pizzagate, millions of alleged illegal votes, and claims about the Russian hack.

Interestingly, it shows that half of Clinton voters believe that Russia tampered with vote tallies to get Trump elected, in spite of the White House’s assurances that did not happen.

It’s the other tested question about Russian hacking that strikes me as more curious. 87% of Clinton voters believe Russia hacked Democratic emails “in order to help Donald Trump,” whereas only 20% of Trump voters believe that.

That’s about the result I’d expect. But to explain why this is a conspiracy theory, YouGov writes,

Similarly, even after the Central Intelligence Agency and the Federal Bureau of Investigation reported that Russia was responsible for the leaks of damaging information from the Democratic National Committee and the Clinton campaign and that the hacking was done to help Donald Trump win the Presidency, only one in five say that is definitely true, about the same percentage as believe it is definitely not true.

So YouGov bases this “truth” on a claim that the CIA and FBI “reported that Russia was responsible for the leaks … and that the hacking was done to help Donald Trump win the Presidency.”

Except there has been no such report, not from CIA and FBI, anyway.

There was an official report finding that,

The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. … These thefts and disclosures are intended to interfere with the US election process.

That is, the official report stated that the hack was “intended to interfere with the US election process;” it did not say the hack was done to help Trump.

Moreover, while the report speaks for the entire IC (including the FBI), the report itself came from DHS and ODNI, not FBI or CIA.

It is absolutely true that anonymous leakers — at least some of whom appear to be Democratic Senate sources — claim that CIA said the hack happened to get Trump elected. It is also true that anonymous sources passed on the substance of a John Brennan letter that said in separate conversations with Jim Comey and James Clapper, each agreed with Brennan about the purpose of the hack, which WaPo edited its previous reporting to say included electing Trump as one of a number of purposes, but that’s a third-hand report about what Jim Comey believes.

But that was not an official report, not even from CIA. Here’s what John Brennan said when interviewed about this topic by NPR’s Mary Louise Kelly:

You mentioned the FBI director and the director of national intelligence. And NPR confirmed with three sources that after the three of you meeting last week, you sent a memo to your workforce and that the memo read: There is strong consensus among us on the scope, nature and intent of Russian interference in our presidential elections. Is that an accurate quote from your memo?

I certainly believe that, that there is strong consensus.

Was there ever not?

Well, sometimes in the media, there is claims, allegations, speculation about differences of view. Sometimes I think that just feeds concerns about, you know, the strength of that intelligence and …

And in this case it was reports of tension between FBI and CIA …

… and differences of view. And I want to make sure that our workforce is kept as fully informed as possible so that they understand that what we’re doing, we’re doing in close coordination with our partners in the intelligence community. And so I try to keep my workforce informed on a periodic basis. But aside from whatever message I might have sent out to the workforce, there is, I strongly believe, very strong consensus among the key players — but not just the leaders of these organizations, but also the institutions themselves. And that’s why we’re going through this review. We want to make sure that we scrub this data, scrub the information and make sure that the assessment and analysis is as strong and as grounded as it needs to be.

That quote I read you about the memo that you sent mentioned that there is agreement on scope, nature and intent of Russian interference. And intent is the one that’s been controversial recently, the question of motive. How confident are you in the intelligence on that? It seems like proving motive is an infinitely harder thing than proving that somebody did something. The “why” is tough.

I will not disagree with you that the why is tough. And that’s why there needs to be very careful consideration of what it is that we know, what it is that we have insight into and what our analysis needs to be. But even back in early October when Jim Clapper and Jeh Johnson put out this statement, it said “the intent to interfere in the election.” Now, there are different elements that could be addressed in terms of how it wanted to interfere. And so that’s why this review is being done to make sure that there is going to be a thorough look at the nature, scope and intent of what transpired.

What’s been reported is that the CIA has concluded the intent was to interfere with the election with the purpose of swinging at Donald Trump. Is that an accurate characterization?

That’s an accurate characterization of what’s been appearing in the media. Yes.

Is it an accurate characterization of where the CIA is on this?

Well, that’s what the review is going to do. And we will be as forward-leaning as the intelligence and analysis allows us to be, and we will make sure that, again, President Obama and the incoming administration understands what the intelligence community has assessed and determined to have happened during the run-up to this election.

Why not confirm that that’s where the CIA is on this? Why not confirm if you have the evidence that you believe is …

Because I don’t work for NPR, Mary Louise. I work for the president, I work for the administration, and it is my responsibility to give them the best information and judgment possible.

That is, the CIA Director specifically avoided stating what he or his agency believes the motive to be, deferring to the ongoing review of the evidence, something that Obama also did in his press conference earlier this month.

Q Mr. President, I want to talk about Vladimir Putin again. Just to be clear, do you believe Vladimir Putin himself authorized the hack? And do you believe he authorized that to help Donald Trump? And on the intelligence, one of the things Donald Trump cites is Saddam Hussein and the weapons of mass destruction, and that they were never found. Can you say, unequivocally, that this was not China, that this was not a 400-pound guy sitting on his bed, as Donald Trump says? And do these types of tweets and kinds of statements from Donald Trump embolden the Russians?

THE PRESIDENT: When the report comes out, before I leave office, that will have drawn together all the threads. And so I don’t want to step on their work ahead of time.

What I can tell you is that the intelligence that I have seen gives me great confidence in their assessment that the Russians carried out this hack.

None of that is to say that CIA and (perhaps to a lesser extent) FBI don’t think Russia hacked Democrats to help Trump, as one of several — probably evolving over the course of the election — reasons. CIA surely does (but then it has a big incentive to downplay the most obvious motivation, that Russia was retaliating for perceived and real CIA covert actions against it). FBI probably does.

But there has been no “report” that they believe that, just anonymous reports of reports. The official stance of the Executive Branch is that they’re conducting a review of the evidence on this point.

Perhaps if YouGov wants to test conspiracy theories, it should start by sticking to topics about which there aren’t a slew of anonymous leaks and counter-leaks contravened by public deferral?

The ObamaCare Not Comey Effect

/12 Comments/in , /by

Just after the election I did two posts considering the relative impact of the Jim Comey letter announcing FBI was reviewing the Anthony Weiner derived emails and the announcement of a huge ObamaCare premium spike.

I still think we don’t have enough data about the relative effect of the two events.

But a number of people are pointing to this post from Sam Wang, which ends,

In the above graph of the Comey effect, each point shows the median margin for polls that were in the field on that day. As you can see, the immediate effect of Comey’s letter was a swing toward Trump of 4 percentage points, about half of which stuck. This was enough to swing Michigan, Pennsylvania, Florida, and Wisconsin. It seems likely that Comey’s letter was a critical factor in the election outcome.

Nowhere in the post does Wang note what date Comey sent his letter, though. It was October 28.

Unless Wang’s chart is totally mislabeled (Update: In an “explanation” added to his post, Wang effectively says his graph is off by three — though not four — days due to the way he presents multi-day polls; he has, at least, now told his readers when the actual letter came out) but what it shows seems to be consistent with what I showed in this post, which shows a Hillary dip and a Trump spike moving in concert on before October 28), then his chart show doesn’t support a Comey effect at all — it shows the opposite. The differential started narrowing after October 24. By October 28, when the letter was released, the differential had plateaued before it turned up again.

As it turns out, the ObamaCare spike was announced on October 24 (and reported heavily starting October 25).

That’s precisely when we see the differential moving.

If we’re assuming an immediate response in polls in response to an event, then the ObamaCare premium spike would be a far better explanation than the Comey letter, which took place later.

Frankly, I suspect both had an impact, and further suspect there may have been something else driving the differential late turn to Trump in the Rust Belt. And I suspect we still don’t have the data to explain what made a bunch of Rust Belt voters move to Trump right before the election.

The Evidence to Prove the Russian Hack

/39 Comments/in , , /by

In this post, I’m going to lay out the evidence needed to fully explain the Russian hack. I think it will help to explain some of the timing around the story that the CIA believes Russia hacked the DNC to help win Trump win the election, as well as what is new in Friday’s story. I will do rolling updates on this and eventually turn it into a set of pages on Russia’s hacking.

As I see it, intelligence on all the following are necessary to substantiate some of the claims about Russia tampering in this year’s election.

  1. FSB-related hackers hacked the DNC
  2. GRU-related hackers hacked the DNC
  3. Russian state actors hacked John Podesta’s emails
  4. Russian state actors hacked related targets, including Colin Powell and some Republican sites
  5. Russian state actors hacked the RNC
  6. Russian state actors released information from DNC and DCCC via Guccifer 2
  7. Russian state actors released information via DC Leaks
  8. Russian state actors or someone acting on its behest passed information to Wikileaks
  9. The motive explaining why Wikileaks released the DNC and Podesta emails
  10. Russian state actors probed voter registration databases
  11. Russian state actors used bots and fake stories to make information more damaging and magnify its effects
  12. The level at which all Russian state actors’ actions were directed and approved
  13. The motive behind the actions of Russian state actors
  14. The degree to which Russia’s efforts were successful and/or primary in leading to Hillary’s defeat

I explain all of these in more detail below. For what it’s worth, I think there was strong publicly available information to prove 3, 4, 7, 11. I think there is weaker though still substantial information to support 2. It has always been the case that the evidence is weakest at point 6 and 8.

At a minimum, to blame Russia for tampering with the election, you need high degree of confidence that GRU hacked the DNC (item 2), and shared those documents via some means with Wikileaks (item 8). What is new about Friday’s story is that, after months of not knowing how the hacked documents got from Russian hackers to Wikileaks, CIA now appears to know that people close to the Russian government transferred the documents (item 8). In addition, CIA now appears confident that all this happened to help Trump win the presidency (item 13).

1) FSB-related hackers hacked the DNC

The original report from Crowdstrike on the DNC hack actually said two separate Russian-linked entities hacked the DNC: one tied to the FSB, which it calls “Cozy Bear” or APT 29, and one tied to GRU, which it calls “Fancy Bear” or APT 28. Crowdstrike says Cozy Bear was also responsible for hacks of unclassified networks at the White House, State Department, and US Joint Chiefs of Staff.

I’m not going to assess the strength of the FSB evidence here. As I’ll lay out, the necessary hack to attribute to the Russians is the GRU one, because that’s the one believed to be the source of the DNC and Podesta emails. The FSB one is important to keep in mind, as it suggests part of the Russian government may have been hacking US sites solely for intelligence collection, something our own intelligence agencies believe is firmly within acceptable norms of spying. In the months leading up to the 2012 election, for example, CIA and NSA hacked the messaging accounts of a bunch of Enrique Peña Nieto associates, pretty nearly the equivalent of the Podesta hack, though we don’t know what they did with that intelligence. The other reason to keep the FSB hack in mind is because, to the extent FSB hacked other sites, they also may be deemed part of normal spying.

2) GRU-related hackers hacked the DNC

As noted, Crowdstrike reported that GRU also hacked the DNC. As it explains, GRU does this by sending someone something that looks like an email password update, but which instead is a fake site designed to get someone to hand over their password. The reason this claim is strong is because people at the DNC say this happened to them.

Note that there are people who raise questions of whether this method is legitimately tied to GRU and/or that the method couldn’t be stolen and replicated. I will deal with those questions at length elsewhere. But for the purposes of this post, I will accept that this method is a clear sign of GRU involvement. There are also reports that deal with GRU hacking that note high confidence GRU hacked other entities, but less direct evidence they hacked the DNC.

Finally, there is the real possibility that other people hacked the DNC, in addition to FSB and GRU. That possibility is heightened because a DNC staffer was hacked via what may have been another method, and because DNC emails show a lot of password changes off services for which DNC staffers had had their accounts exposed in other hacks.

All of which is a way of saying, there is some confidence that DNC got hacked at least twice, with those two revealed efforts being done by hackers with ties to the Russian state.

3) Russian state actors (GRU) hacked John Podesta’s emails

Again, assuming that the fake Gmail phish is GRU’s handiwork, there is probably the best evidence that GRU hacked John Podesta and therefore that Russia, via some means, supplied Wikileaks, because we have a copy of the actual email used to hack him. The Smoking Gun has an accessible story describing how all this works. So in the case of Podesta, we know he got a malicious phish email, we know that someone clicked the link in the email, and we know that emails from precisely that time period were among the documents shared with Wikileaks. We just have no idea how they got there.

4) Russian state actors hacked related targets, including some other Democratic staffers, Colin Powell and some Republican sites

That same Gmail phish was used with victims — including at a minimum William Rinehart and Colin Powell — that got exposed in a site called DC Leaks. We can have the same high degree of confidence that GRU conducted this hack as we do with Podesta. As I note below, that’s more interesting for what it tells us about motive than anything else.

5) Russian state actors hacked the RNC

The allegation that Russia also hacked the RNC, but didn’t leak those documents — which the CIA seems to rely on in part to argue that Russia must have wanted to elect Trump — has been floating around for some time. I’ll return to what we know of this. RNC spox Sean Spicer is denying it, though so did Hillary’s people at one point deny that they had been hacked.

There are several points about this. First, hackers presumed to be GRU did hack and release emails from Colin Powell and an Republican-related server. The Powell emails (including some that weren’t picked up in the press), in particular, were detrimental to both candidates. The Republican ones were, like a great deal of the Democratic ones, utterly meaningless from a news standpoint.

So I don’t find this argument persuasive in its current form. But the details on it are still sketchy precisely because we don’t know about that hack.

6) Russian state actors released information from DNC and DCCC via Guccifer 2

Some entity going by the name Guccifer 2 started a website in the wake of the announcement that the DNC got hacked. The site is a crucial part of this assessment, both because it released DNC and DCCC documents directly (though sometimes misattributing what it was releasing) and because Guccifer 2 stated clearly that he had shared the DNC documents with Wikileaks. The claim has always been that Guccifer 2 was just a front for Russia — a way for them to adopt plausible deniability about the DNC hack.

That may be the case (and obvious falsehoods in Guccifer’s statements make it clear deception was part of the point), but there was always less conclusive (and sometimes downright contradictory) evidence to support this argument (this post summarizes what it claims are good arguments that Guccifer 2 was a front for Russia; on the most part I disagree and hope to return to it in the future). Moreover, this step has been one that past reporting said the FBI couldn’t confirm. Then there are other oddities about Guccifer’s behavior, such as his “appearance” at a security conference in London, or the way his own production seemed to fizzle as Wikileaks started releasing the Podesta emails. Those details of Guccifer’s behavior are, in my opinion, worth probing for a sense of how all this was orchestrated.

Yesterday’s story seems to suggest that the spooks have finally figured out this step, though we don’t have any idea what it entails.

7) Russian state actors released information via DC Leaks

Well before many people realized that DC Leaks existed, I suspected that it was a Russian operation. That’s because two of its main targets — SACEUR Philip Breedlove and George Soros — are targets Russia would obviously hit to retaliate for what it treats as a US-backed coup in Ukraine.

DC Leaks is also where the publicly released (and boring) GOP emails got released.

Perhaps most importantly, that’s where the Colin Powell emails got released (this post covers some of those stories). That’s significant because Powell’s emails were derogatory towards both candidates (though he ultimately endorsed Hillary).

It’s interesting for its haphazard targeting (if someone wants to pay me $$ I would do an assessment of all that’s there, because some just don’t make any clear sense from a Russian perspective, and some of the people most actively discussing the Russian hacks have clearly not even read all of it), but also because a number of the victims have been affirmatively tied to the GRU phishing methods.

So DC Leaks is where you get obvious Russian targets and Russian methods all packaged together. But of the documents it released, the Powell emails were the most interesting for electoral purposes, and they didn’t target Hillary as asymmetrically as the Wikileaks released documents did.

8) Russian state actors or someone acting on its behest passed information to Wikileaks

The basis for arguing that all these hacks were meant to affect the election is that they were released via Wikileaks. That is what was supposed to be new, beyond just spying (though we have almost certainly hacked documents and leaked them, most probably in the Syria Leaks case, but I suspect also in some others).

And as noted, how Wikileaks got two separate sets of emails has always been the big question. With the DNC emails, Guccifer 2 clearly said he had given them to WL, but the Guccifer 2 ties to Russia was relatively weak. And with the Podesta emails, I’m not aware of any known interim step between the GRU hack and Wikileaks.

A late July report said the FBI was still trying to determine how Russia got the emails to Wikileaks or even if they were the same emails.

The FBI is still investigating the DNC hack. The bureau is trying to determine whether the emails obtained by the Russians are the same ones that appeared on the website of the anti-secrecy group WikiLeaks on Friday, setting off a firestorm that roiled the party in the lead-up to the convention.

The FBI is also examining whether APT 28 or an affiliated group passed those emails to WikiLeaks, law enforcement sources said.

An even earlier report suggested that the IC wasn’t certain the files had been passed electronically.

And the joint DHS/ODNI statement largely attributed its confidence that Russia was involved in the the leaking (lumping Guccifer 2, DC Leaks, and Wikileaks all together) not because it had high confidence in that per se (a term of art saying, effectively, “we have seen the evidence”), but instead because leaking such files is consistent with what Russia has done elsewhere.

The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts.

Importantly, that statement came out on October 7, so well after the September briefing at which CIA claimed to have further proof of all this.

Now, Julian Assange has repeatedly denied that Russia was his source. Craig Murray asserted, after having meeting with Assange, that the source is not the Russian state or a proxy. Wikileaks’ tweet in the wake of yesterday’s announcement — concluding that an inquiry directed at Russia in this election cycle is targeted at Wikileaks — suggests some doubt. Also, immediately after the election, Sergei Markov, in a statement deemed to be consistent with Putin’s views, suggested that “maybe we helped a bit with WikiLeaks,” even while denying Russia carried out the hacks.

That’s what’s new in yesterday’s story. It stated that “individuals with connections to the Russian government” handed the documents to Wikileaks.

Intelligence agencies have identified individuals with connections to the Russian government who provided WikiLeaks with thousands of hacked emails from the Democratic National Committee and others, including Hillary Clinton’s campaign chairman, according to U.S. officials. Those officials described the individuals as actors known to the intelligence community and part of a wider Russian operation to boost Trump and hurt Clinton’s chances.

[snip]

[I]ntelligence agencies do not have specific intelligence showing officials in the Kremlin “directing” the identified individuals to pass the Democratic emails to WikiLeaks, a second senior U.S. official said. Those actors, according to the official, were “one step” removed from the Russian government, rather than government employees. Moscow has in the past used middlemen to participate in sensitive intelligence operations so it has plausible deniability.

I suspect we’ll hear more leaked about these individuals in the coming days; obviously, the IC says it doesn’t have evidence of the Russian government ordering these people to share the documents with Wikileaks.

Nevertheless, the IC now has what it didn’t have in July: a clear idea of who gave Wikileaks the emails.

9) The motive explaining why Wikileaks released the DNC and Podesta emails

There has been a lot of focus on why Wikileaks did what it did, which notably includes timing the DNC documents to hit for maximum impact before the Democratic Convention and timing the Podesta emails to be a steady release leading up to the election.

I don’t rule out Russian involvement with all of that, but it is entirely unnecessary in this case. Wikileaks has long proven an ability to hype its releases as much as possible. More importantly, Assange has reason to have a personal gripe against Hillary, going back to State’s response to the cable release in 2010 and the subsequent prosecution of Chelsea Manning.

In other words, absent really good evidence to the contrary, I assume that Russia’s interests and Wikileaks’ coincided perfectly for this operation.

10) Russian state actors probed voter registration databases

Back in October, a slew of stories reported that “Russians” had breached voter related databases in a number of states. The evidence actually showed that hackers using a IP tied to Russia had done these hacks. Even if the hackers were Russian (about which there was no evidence in the first reports), there was also no evidence the hackers were tied to the Russian state. Furthermore, as I understand it, these hacks used a variety of methods, some or all of which aren’t known to be GRU related. A September DHS bulletin suggested these hacks were committed by cybercriminals (in the past, identity thieves have gone after voter registration lists). And the October 7 DHS/ODNI statement affirmatively said the government was not attributing the probes to the Russians.

Some states have also recently seen scanning and probing of their election-related systems, which in most cases originated from servers operated by a Russian company. However, we are not now in a position to attribute this activity to the Russian Government.

In late November, an anonymous White House statement said there was no increased malicious hacking aimed at the electoral process, though remains agnostic about whether Russia ever planned on such a thing.

The Federal government did not observe any increased level of malicious cyber activity aimed at disrupting our electoral process on election day. As we have noted before, we remained confident in the overall integrity of electoral infrastructure, a confidence that was borne out on election day. As a result, we believe our elections were free and fair from a cybersecurity perspective.

That said, since we do not know if the Russians had planned any malicious cyber activity for election day, we don’t know if they were deterred from further activity by the various warnings the U.S. government conveyed.

Absent further evidence, this suggests that reports about Russian trying to tamper with the actual election infrastructure were at most suspicions and possibly just a result of shoddy reporting conflating Russian IP with Russian people with Russian state.

11) Russian state actors used bots and fake stories to make information more damaging and magnify its effects

Russia has used bots and fake stories in the past to distort or magnify compromising information. There is definitely evidence some pro-Trump bots were based out of Russia. RT and Sputnik ran with inflammatory stories. Samantha Bee famously did an interview with some Russians who were spreading fake news. But there were also people spreading fake news from elsewhere, including Macedonia and Surburban LA. A somewhat spooky guy even sent out fake news in an attempt to discredit Wikileaks.

As I have argued, the real culprit in this economy of clickbait driven outrage is closer to home, in the algorithms that Silicon Valley companies use that are exploited by a whole range of people. So while Russian directed efforts may have magnified inflammatory stories, that was not a necessary part of any intervention in the election, because it was happening elsewhere.

12) The level at which all Russian state actors’ actions were directed and approved

The DHS/ODNI statement said clearly that “We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.” But the WaPo story suggests they still don’t have proof of Russia directing even the go-between who gave WL the cables, much less the go-between directing how Wikileaks released these documents.

Mind you, this would be among the most sensitive information, if the NSA did have proof, because it would be collection targeted at Putin and his top advisors.

13) The motive behind the actions of Russian state actors

The motive behind all of this has varied. The joint DHS/ODNI statement said it was “These thefts and disclosures are intended to interfere with the US election process.” It didn’t provide a model for what that meant though.

Interim reporting — including the White House’s anonymous post-election statement — had suggested that spooks believed Russia was doing it to discredit American democracy.

The Kremlin probably expected that publicity surrounding the disclosures that followed the Russian Government-directed compromises of e-mails from U.S. persons and institutions, including from U.S. political organizations, would raise questions about the integrity of the election process that could have undermined the legitimacy of the President-elect.

At one level, that made a lot of sense — the biggest reason to release the DNC and Podesta emails, it seems to me, was to confirm the beliefs a lot of people already had about how power works. I think one of the biggest mistakes of journalists who have political backgrounds was to avoid discussing how the sausage of politics gets made, because this material looks worse if you’ve never worked in a system where power is about winning support. All that said, there’s nothing in the emails (especially given the constant release of FOIAed emails) that uniquely exposed American democracy as corrupt.

All of which is to say that this explanation never made any sense to me; it was mostly advanced by people who live far away from people who already distrust US election systems, who ignored polls showing there was already a lot of distrust.

Which brings us to the other thing that is new in the WaPo story: the assertion that CIA now believes this was all intended to elect Trump, not just make us distrust elections.

The CIA has concluded in a secret assessment that Russia intervened in the 2016 election to help Donald Trump win the presidency, rather than just to undermine confidence in the U.S. electoral system, according to officials briefed on the matter.

[snip]

“It is the assessment of the intelligence community that Russia’s goal here was to favor one candidate over the other, to help Trump get elected,” said a senior U.S. official briefed on an intelligence presentation made to U.S. senators. “That’s the consensus view.”

For what it’s worth, there’s still some ambiguity in this. Did Putin really want Trump? Or did he want Hillary to be beat up and weak for an expected victory? Did he, like Assange, want to retaliate for specific things he perceived Hillary to have done, in both Libya, Syria, and Ukraine? That’s unclear.

14) The degree to which Russia’s efforts were successful and/or primary in leading to Hillary’s defeat

Finally, there’s the question that may explain Obama’s reticence about this issue, particularly in the anonymous post-election statement from the White House, which stated that the “election results … accurately reflect the will of the American people.” It’s not clear that Putin’s intervention, whatever it was, had anywhere near the effect as (for example) Jim Comey’s letters and Bret Baier’s false report that Hillary would be indicted shortly. There are a lot of other factors (including Hillary’s decision to ignore Jake Sullivan’s lonely advice to pay some attention to the Rust Belt).

And, as I’ve noted repeatedly, it is no way the case that Vladimir Putin had to teach Donald Trump about kompromat, the leaking of compromising information for political gain. Close Trump associates, including Roger Stone (who, by the way, may have had conversations with Julian Assange), have been rat-fucking US elections since the time Putin was in law school.

But because of the way this has rolled out (and particularly given the cabinet picks Trump has already made), it will remain a focus going forward, perhaps to the detriment of other issues that need attention.