Posts

How to Charge Americans in Conspiracies with Russian Spies?

As I laid out a few weeks ago, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

In general, Jack Goldsmith and I have long agreed about the problems with charging nation-state spies in the United States. So I read with great interest his post laying out “Uncomfortable Questions in the Wake of Russia Indictment 2.0 and Trump’s Press Conference With Putin.” Among other larger normative points, Goldsmith asks two questions. First, does indicting 12 GRU officers in the US expose our own nation-state hackers to be criminally prosecuted in other countries?

This is not a claim about the relative moral merits of the two countries’ cyber intrusions; it is simply a claim that each side unequivocally breaks the laws of the other in its cyber-espionage activities.

How will the United States respond when Russia and China and Iran start naming and indicting U.S. officials?  Maybe the United States thinks its concealment techniques are so good that the type of detailed attribution it made against the Russians is infeasible.  (The Shadow Brokers revealed the identities of specific NSA operators, so even if the National Security Agency is great at concealment as a matter of tradecraft that is no protection against an insider threat.)  Maybe Russia and China and Iran won’t bother indicting U.S. officials unless and until the indictments actually materialize into a trial, which they likely never will.  But what is the answer in principle?  And what is the U.S. policy (if any) that is being communicated to military and civilian operators who face this threat?  What is the U.S. government response to former NSA official Jake Williams, who worked in Tailored Access Operations and who presumably spoke for many others at NSA when he said that “charging military/gov hackers is dumb and WILL eventually hurt the US”?

And, how would any focus on WikiLeaks expose journalists in the United States to risks of prosecution themselves.

There is a lot of anger against WikiLeaks and a lot of support for indicting Julian Assange and others related to WikiLeaks for their part in publishing the information stolen by the Russians.  If Mueller goes in this direction, he will need to be very careful not to indict Assange for something U.S. journalists do every day.  U.S. newspapers publish information stolen via digital means all the time.  They also openly solicit such information through SecureDrop portals.  Some will say that Assange and others at WikiLeaks can be prosecuted without threatening “real journalists” by charging a conspiracy to steal and share stolen information. I am not at all sure such an indictment wouldn’t apply to many American journalists who actively aid leakers of classified information.

I hope to come back to the second point. As a journalist who had a working relationship with someone she came to believe had a role in the attack, I have thought about and discussed the topic with most, if not all, the lawyers I consulted on my way to sitting down with the FBI.

For the moment, though, I want to focus on Goldsmith’s first point, one I’ve made in the past repeatedly. If we start indicting uniformed military intelligence officers — or even contractors, like the trolls at Internet Research Agency might be deemed — do we put the freedom of movement of people like Jake Williams at risk? Normally, I’d absolutely agree with Goldsmith and Williams.

But as someone who has already written extensively about the ConFraudUs backbone that Robert Mueller has built into his cases, I want to argue this is an exception.

As I’ve noted previously, while Rod Rosenstein emphasized that the Internet Research Agency indictment included no allegations that Americans knowingly conspired with Russians, it nevertheless did describe three Americans whose activities in response to being contacted by Russian trolls remain inconclusive.

Rod Rosenstein was quite clear: “There is no allegation in the indictment that any American was a knowing participant in the alleged unlawful activity.” That said, there are three (presumed) Americans who, both the indictment and subsequent reporting make clear, are treated differently in the indictment than all the other Americans cited as innocent people duped by Russians: Campaign Official 1, Campaign Official 2, and Campaign Official 3. We know, from CNN’s coverage of Harry Miller’s role in building a cage to be used in a fake “jailed Hillary” stunt, that at least some other people described in the indictment were interviewed — in his case, for six hours! — by the FBI. But no one else is named using the convention to indicate those not indicted but perhaps more involved in the operation. Furthermore, the indictment doesn’t actually describe what action (if any) these three Trump campaign officials took after being contacted by trolls emailing under false names.

On approximately the same day, Defendants and their co-conspirators used the email address of a false U.S. persona, [email protected], to send an email to Campaign Official 1 at that donaldtrump.com email account, which read in part:

Hello [Campaign Official 1], [w]e are organizing a state-wide event in Florida on August, 20 to support Mr. Trump. Let us introduce ourselves first. “Being Patriotic” is a grassroots conservative online movement trying to unite people offline. . . . [W]e gained a huge lot of followers and decided to somehow help Mr. Trump get elected. You know, simple yelling on the Internet is not enough. There should be real action. We organized rallies in New York before. Now we’re focusing on purple states such as Florida.

The email also identified thirteen “confirmed locations” in Florida for the rallies and requested the campaign provide “assistance in each location.”

[snip]

Defendants and their co-conspirators used the false U.S. persona [email protected] account to send an email to Campaign Official 2 at that donaldtrump.com email account.

[snip]

On or about August 20, 2016, Defendants and their co-conspirators used the “Matt Skiber” Facebook account to contact Campaign Official 3.

Again, the DOJ convention of naming makes it clear these people have not been charged with anything. But we know from other Mueller indictments that those specifically named (which include the slew of Trump campaign officials named in the George Papadopoulos plea, KT McFarland and Jared Kushner in the Flynn plea, Kilimnik in the Van der Zwaan plea, and the various companies and foreign leaders that did Manafort’s bidding, including the Podesta Group and Mercury Public Affairs in his indictment) may be the next step in the investigation.

In the GRU indictment, non US person WikiLeaks is given the equivalent treatment.

On or about June 22, 2016, Organization I sent a private message to Guccifer 2.0 to “[s]end any new material [stolen from the DNC] here for us to review and it will have a much higher impact than what you are doing.” On or about July 6, 2016, Organization 1 added, “if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC [DemocraticNationalConvention] is approaching and she Will solidify bernie supporters behind her after.” The Conspirators responded,“0k . . . i see.” Organization I explained,“we think trump has only a 25% chance of winning against hillary . . . so conflict between bernie and hillary is interesting.”

But the activities of other American citizens — most notably Roger Stone and Donald Trump — are discussed obliquely, even if they’re not referred to using the standard of someone still under investigation. Here’s the Roger Stone passage.

On or aboutAugust 15,2016, the Conspirators,posing as Guccifer 2.0,wrote to a person who was in regular contact with senior members of the presidential campaign of Donald J. Trump, “thank u for writing back. . . do u find anyt[h]ing interesting in the docs i posted?” On or about August 17, 2016, the Conspirators added, “please tell me if i can help u anyhow . . . it would be a great pleasureto me.” On or about September 9, 2016,the Conspirators, again posing as Guccifer 2.0, referred to a stolen DCCC document posted online and asked the person, “what do u think of the info on the turnout model for the democrats entire presidential campaign.” The person responded,“[p]retty standard.”

The Trump one, of course, pertains to the response GRU hackers appear to have made when he asked for Russia to find Hillary’s emails on July 27.

For example, on or about July 27, 2016, the Conspirators attempted after hours to spearphish for the first time email accounts at a domain hosted by a third‑party provider and used by Clinton’s personal office. At or around the same time, they also targeted seventy‐six email addresses at the domain for the Clinton Campaign.

Finally, there is yesterday’s Mariia Butina complaint, which charges her as an unregistered Russian spy and describes Aleksandr Torshin as her boss, but which also describes the extensive and seemingly willful cooperation with Paul Erickson and another American, as well as with the RNC and NRA. Here’s one of the Americans, for example, telling Butina that her Russian bosses should take the advice he had given her about which Americans she needed to meet.

If you were to sit down with your special friends and make a list of ALL the most important contacts you could find in America for a time when the political situation between the U.S. and Russia will change, you could NOT do better than the list that I just emailed you. NO one — certainly not the “official” Russian Federation public relations representative in New York — could build a better list.

[snip]

All that you friends need to know is that meetings with the names on MY list would not be possible without the unknown names in your “business card” notebook. Keep them focused on who you are NOW able to meet, NOT the people you have ALREADY met.

Particularly as someone whose communications (including, but not limited to, that text) stand a decent chance of being quoted in an indictment in the foreseeable future, let me be very clear: none of these people have been accused of any wrong-doing.

But they do suggest a universe of people who have attracted investigative scrutiny, both by Mueller and by NSD, as willing co-conspirators with Russian spies.

Granted, there are three different kinds of Russian spies included in these three documents:

  • Uniformed military intelligence officers working from Moscow
  • Civilian employees who might be considered intelligence contractors working from St. Petersburg (though with three reconnaissance trips to the US included)
  • Butina and Torshin, both of whom probably committed visa fraud to engage as unregistered spies in the US

We have a specific crime for the latter (and, probably, the reconnaissance trips to the US by IRA employees), and if any of the US persons and entities in Butina’s indictment are deemed to have willingly joined her conspiracy, they might easily be charged as well. Eventually, I’m certain, Mueller will move to start naming Americans (besides Paul Manafort and Rick Gates) in conspiracy indictments, including ones involving Russian spies operating from Russia (like Konstantin Kilimnik). It seems necessary to include the Russians in some charging documents, because otherwise you’ll never be able to lay out the willful participation of everyone, Russian and American, in the charging documents naming the Americans.

So while I generally agree with Goldsmith and Williams, this case, where we’re clearly discussing a conspiracy between Russian spies — operating both from the US and from Russia (and other countries), wearing uniforms and civilian clothing –and Americans, it seems important to include them in charging documents somewhere.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Shadow Brokers and the “Second Source”

When I emphasized Der Spiegel’s reporting on TAO in this post on the tool for which Shadow Brokers recently released a manual, UNITEDRAKE, I was thinking along the same lines Electrospaces was here. Electrospaces lays out a universe of documents and reporting that doesn’t derive from Edward Snowden leaked documents, notes some similarity in content (a focus on NSA’s Tailored Access Operations), and the inclusion of documents from NSA’s San Antonio location. From that, Electrospaces posits that Shadow Brokers could be “identical with the Second Source.”

With the documents published by the Shadow Brokers apparently being stolen by an insider at NSA, the obvious question is: could the Shadow Brokers be identical with the Second Source?

One interesting fact is that the last revelation that could be attributed to the second source occured on February 23, 2016, and that in August of that year the Shadow Brokers started with their release of hacking files. This could mean that the second source decided to publish his documents in the more distinct and noticeable way under the guise of the Shadow Brokers.

But there’s probably also a much more direct connection: the batch of documents published along with Der Spiegel’s main piece from December 29, 2013 include a presentation about the TAO unit at NSA’s Cryptologic Center in San Antonio, Texas, known as NSA/CSS Texas (NSAT):


TAO Texas presentation, published by Der Spiegel in December 2013
(click for the full presentation)And surprisingly, the series of three slides that were released by the Shadow Brokers on April 14 were also from NSA/CSS Texas. They show three seals: in the upper left corner those of NSA and CSS and in the upper right corner that of the Texas Cryptologic Center:

TAO Texas slide, published by the Shadow Brokers in April 2017
(click for the full presentation)NSA/CSS TexasIt’s quite remarkable that among the hundreds of NSA documents that have been published so far, there are only these two sets from NSA/CSS Texas, which is responsible for operations in Latin America, the Caribbean, and along the Atlantic littoral of Africa in support of the US Southern and Central Commands.Besides the one in San Antonio, Texas, NSA has three other regional Cryptologic Centers in the US: in Augusta, Georgia, in Honolulu, Hawaii and in Denver, Colorado. These four locations were established in 1995 as Regional Security Operations Centers (RSOC) in order to disperse operational facilities from the Washington DC area, providing redundancy in the event of an emergency.So far, no documents from any of these regional centers have been published, except for the two from NSA/CSS Texas. This could be a strong indication that they came from the same source – and it seems plausible to assume that that source is someone who actually worked at that NSA location in San Antonio.

Frankly, I’m skeptical of the underlying reports that Shadow Brokers must be a disgruntled NSA employee or contractor, which derives in part from the conclusion that many of the files released include documents that had to be internal to NSA, and in part from this report that says that’s the profile of the suspect the government is looking for.

The U.S. government’s counterintelligence investigation into the so-called Shadow Brokers group is currently focused on identifying a disgruntled, former U.S. intelligence community insider, multiple people familiar with the matter told CyberScoop.

Sources tell CyberScoop that former NSA employees have been contacted by investigators in the probe to discover how a bevy of elite computer hacking tools fell into the Shadow Brokers’ possession.

Those sources asked for anonymity due to sensitivity of the investigation.

While investigators believe that a former insider is involved, the expansive probe also spans other possibilities, including the threat of a current intelligence community employee being connected to the mysterious group.

The investigatory effort is being led by a combination of professionals from the FBI, National Counterintelligence and Security Center (NCSC), and NSA’s internal policing group known as Q Group.

It’s not clear if the former insider was once a contractor or in-house employee of the secretive agency. Two people familiar with the matter said the investigation “goes beyond” Harold Martin, the former Booz Allen Hamilton contractor who is currently facing charges for taking troves of classified material outside a secure environment.

The report clearly suggests (and I confirmed with its author, Chris Bing) that the government is still testing out theories, and that the current profile (or the one they were chasing in July) happens to be an insider of some sort, but that they didn’t have a specific insider in mind as the suspect.

There are a number of  reasons I’m skeptical. First, part of that theory is based on Shadow Brokers making comments about Jake Williams that reflects some inside knowledge about an incident that happened while he was at NSA (Shadow Brokers has deleted most of his tweets, but they’re available in this superb timeline).

trying so hard so  helping out…you having big mouth for former  member what was name of.

leak OddJob? Windows BITS persistence? CCI? Maybe not understand gravity of situation USG investigating members talked to Q group yet

theshadowbrokers ISNOT in habit of outing  members but had make exception for big mouth, keep talking shit  your next

Even there, Shadow Brokers was falsely suggesting that Matt Suiche, who’s not even an American citizen, might be NSA. But things got worse in June, when Shadow Brokers thought he had doxed @drwolfff as a former NSA employee, only to have @drwolfff out himself as someone else entirely (see this post, where Shadow Brokers tried to pretend he hadn’t made a mistake). So Shadow Brokers has been wrong about who is and was NSA more often than he has been right.

Another reason I doubt he’s a direct insider is because when he posted the filenames for Message 6, he listed a good many of the files as “unknown.” (Message 6 on Steemit, archived version)

That suggests that even if Shadow Brokers had some insider role, he wasn’t using these particular files directly (or didn’t want to advertise them as what they were).

And because I’m not convinced that Shadow Brokers is, personally, an insider, I’m not convinced that he necessarily is (as Electrospaces argues) “identical with the Second Source.”

Rather, I think it possible that Jacob Appelbaum and Shadow Brokers have a mutually shared source. That’s all the more intriguing given that Wikileaks once claimed that they had a copy of at least the first set of Shadow Brokers files, which Shadow Brokers recalled in January, and that Julian Assange released an insurance file days after Guccifer 2.0 first started posting hacked Democratic documents (see this post on the insurance file and this one on Shadow Brokers calling out WikiLeaks for hoarding that document).

Maybe they’re all bullshitting. But given Electrospaces’ observation that some of the files (covering intercepts of US allies, often pertaining to trade deals) for which there is no known source went straight to WikiLeaks, I think a shared source is possible.

All that said, there’s one more detail I’d add to Electrospaces’ piece. As noted, he finds the inclusion, in both the Shadow Brokers and the Appelbaum files, of documents from NSA’s San Antonio location to be intriguing. So do I.

Which is why it’s worth noting that that location is among the three where — as late as the first half of 2016 — a DOD Inspector General audit found servers and other sensitive equipment unlocked.

An unlocked server would in no way explain all of the files included even in a narrowly scoped collection of “Second Source” files. But it would indicate that the San Antonio facility was among those that wasn’t adequately secured years after the Snowden leaks.

If the NSA “Won” the War in Iraq, Why Are We Still Losing It?

To Shane Harris’ misfortune, his book, @War, out today, came out on the same day that General Daniel Bolger’s book, Why We Lost, came out.

That means Harris’ first excerpt, initially titled “How the NSA Sorta Won the Last Iraq War,” came out just days before Bolger’s op-ed today, mourning another Veteran’s Day to contemplate the 80 men he lost. Bolger wants us to stop telling the lie that the surge won the Iraq War.

Here’s a legend that’s going around these days. In 2003, the United States invaded Iraq and toppled a dictator. We botched the follow-through, and a vicious insurgency erupted. Four years later, we surged in fresh troops, adopted improved counterinsurgency tactics and won the war. And then dithering American politicians squandered the gains. It’s a compelling story. But it’s just that — a story.

The surge in Iraq did not “win” anything. It bought time. It allowed us to kill some more bad guys and feel better about ourselves. But in the end, shackled to a corrupt, sectarian government in Baghdad and hobbled by our fellow Americans’ unwillingness to commit to a fight lasting decades, the surge just forestalled today’s stalemate. Like a handful of aspirin gobbled by a fevered patient, the surge cooled the symptoms. But the underlying disease didn’t go away. The remnants of Al Qaeda in Iraq and the Sunni insurgents we battled for more than eight years simply re-emerged this year as the Islamic State, also known as ISIS.

Harris’s story, which explains how network analysis and then hacking of Iraqi insurgents — including Al Qaeda in Iraq — helped us to win the surge, relies on that legend.

TAO hackers zeroed in on the leaders of the al Qaeda group. Centering their operations in Baghdad, they scooped up e-mail messages that the terrorists had left in draft form in their personal accounts, where they could be picked up by fellow fighters without having to be sent over the Internet. This was a common trick terrorists used to avoid detection. TAO had been on to it for years.

For TAO, hacking into the communications network of the senior al Qaeda leaders in Iraq helped break the terrorist group’s hold on the neighborhoods around Baghdad. By one account, it aided U.S. troops in capturing or killing at least ten of those senior leaders from the battlefield.

[snip]

For the first time in the now four-year-old Iraq War, the United States could point to a strategy that was actually working. The overall success of the surge, which finally allowed U.S. forces to leave Iraq, has been attributed to three major factors by historians and the commanders and soldiers who served there. First, the additional troops on the ground helped to secure the most violent neighborhoods, kill or capture insurgents, and protect Iraq’s civilians. The cities became less violent, and the people felt safer and more inclined to help the U.S. occupation. Second, insurgent groups who were outraged by al Qaeda’s brutal, heavyhanded tactics and the imposition of religious law turned against the terrorists, or were paid by U.S. forces to switch their allegiances and fight with the Americans. This so-called Sunni Awakening included 80,000 fighters, whose leaders publicly denounced al Qaeda and credited the U.S. military with trying to improve the lives of Iraqi citizens.

But the third and arguably the most pivotal element of the surge was the series of intelligence operations undertaken by the NSA and soldiers such as Stasio. Former intelligence analysts, military officers, and senior Bush administration officials say that the cyber operations opened the door to a new way of obtaining intelligence, and then integrating it into combat operations on the ground. The information about enemy movements and plans that U.S. spies swiped from computers and phones gave troops a road map to find the fighters, sometimes leading right to their doorsteps. This was the most sophisticated global tracking system ever devised, and it worked with lethal efficiency.

Gen. David Petraeus, the commander of all coalition forces in Iraq, credited this new cyber warfare “with being a prime reason for the significant progress made by U.S. troops” in the surge, which lasted into the summer of 2008, “directly enabling the removal of almost 4,000 insurgents from the battlefield.” The tide of the war in Iraq finally turned in the United States’ favor.

I didn’t get a review copy of Harris’ book, so I’ll have to let you know whether he grapples with the fact that this victory lap instead led us to where we are now, escalating the war in Iraq again, with ISIL even more powerful for having combined Saddam’s officers with terrorist methods. I’ll also have to let you know why Harris claims this started in 2007, when we know NSA was even wiretapping Iraqi targets in the US as early as 2004, a program that got shut down in the hospital confrontation.

Harris would have done well to consider Bolger’s call for an assessment of this failure.

That said, those who served deserve an accounting from the generals. What happened? How? And, especially, why? It has to be a public assessment, nonpartisan and not left to the military. (We tend to grade ourselves on the curve.) Something along the lines of the 9/11 Commission is in order. We owe that to our veterans and our fellow citizens.

Such an accounting couldn’t be more timely. Today we are hearing some, including those in uniform, argue for a robust ground offensive against the Islamic State in Iraq. Air attacks aren’t enough, we’re told. Our Kurdish and Iraqi Army allies are weak and incompetent. Only another surge can win the fight against this dire threat. Really? If insanity is defined as doing the same thing over and over and expecting different results, I think we’re there.

That is, if this network analysis and hacking is so superb, then why didn’t it work? Did we not understand the networks that our spectacular tech exposed? Or did we do the wrong thing with it, try to kill it rather than try to win it over? Not to mention, did we account for the necessarily temporary value of all these techniques, given that targets will figure out that their cell phones, the RFID tags, their laptops, or whatever new targeting means we devise are serving as a beacon.

And there’s one more lesson in Harris’ excerpt, one I doubt he admits.

Earlier in the except, he explains in giddy language how the NSA’s hackers broke an insurgent method of leaving draft unsent emails.

Centering their operations in Baghdad, they scooped up e-mail messages that the terrorists had left in draft form in their personal accounts, where they could be picked up by fellow fighters without having to be sent over the Internet. This was a common trick terrorists used to avoid detection. TAO had been on to it for years.

Even while he provides David Petraeus opportunity to do a victory lap for the surge that in fact did not win the war, he doesn’t mention that Petraeus adopted this insurgent technique to communicate with his mistress, Paula Broadwell. Harris also doesn’t mention that the FBI, like the NSA before it, easily broke the technique.

More important still, Harris doesn’t mention that FBI found reason to do so. These techniques — described with such glee — were turned back on even the man declaring victory over them. They didn’t win the war in either Iraq or Afghanistan, but they sure made it easy for President Obama to take out Petraeus when he became inconvenient.

I have no sympathy for Petraeus, don’t get me wrong. But he is an object lesson in how these techniques have not brought victory to the US. And it’s time to start admitting that fact, and asking why not.

Update: In a post I could have written (though probably not as well), Stephen Walt engages in a counterfactual asking if we didn’t have the dragnet we might be doing better at fighting terrorism. Go read the whole thing, but here’s part of it:

Second, if we didn’t have all these expensive high-tech capabilities, we might spend a lot more time thinking about how to discredit and delegitimize the terrorists’ message, instead of repeatedly doing things that help them make their case and recruit new followers. Every time the United States goes and pummels another Muslim country — or sends a drone to conduct a “signature strike” — it reinforces the jihadis’ claim that the West has an insatiable desire to dominate the Arab and Islamic world and no respect for Muslim life. It doesn’t matter if U.S. leaders have the best of intentions, if they genuinely want to help these societies, or if they are responding to a legitimate threat; the crude message that drones, cruise missiles, and targeted killings send is rather different.

If we didn’t have all these cool high-tech hammers, in short, we’d have to stop treating places like Afghanistan, Pakistan, Iraq, and Syria as if they were nails that just needed another pounding, and we might work harder at marginalizing our enemies within their own societies. To do that, we would have to be building more effective partnerships with authoritative sources of legitimacy within these societies, including religious leaders. Our failure to do more to discredit these movements is perhaps the single biggest shortcoming of the entire war on terror, and until that failure is recognized and corrected, the war will never end.