The Quest: Trump Learns of the Investigation (Part Four)

In this series, I’m analyzing the Mueller questions as understood by Jay Sekulow and leaked to the NYT to show how they set up a more damning investigative framework than commentary has reflected.

This post laid out how the Agalarovs had been cultivating Trump for years, in part by dangling real estate deals and close ties with Vladimir Putin. This post shows how during the election, the Russians and Trump danced towards a quid pro quo agreement, with the Russians offering dirt on Hillary Clinton in exchange for a commitment to sanctions relief, with some policy considerations thrown in. This post laid out how, during the transition period, Trump’s team took a series of actions they attempted to keep secret that moved towards consummating the deal they had made with Russia, both in terms of policy concessions, particularly sanctions relief, and funding from Russian sources that could only be tapped if sanctions were lifted.

This post will look at Mueller’s reported investigative interest in Trump’s reaction to discovering the “Deep State” was investigating the election year operation, including the actions his team had tried to keep secret. Note, I have put all of the events leading up to Flynn’s firing here (not least because I think the firing itself often gets treated improperly as obstruction), though just some of the Jim Comey events. I will repeat the timeline of events in the next post, which overlaps temporally, for clarity.

January 6, 2017: What was your opinion of Mr. Comey during the transition?

This is a baseline question for Trump’s firing of Jim Comey. At a minimum, Trump would need to explain his decision to keep Comey. It also provides Trump an opportunity to rebut Comey’s claim that, in the January 6 meeting, Trump told Comey he:

had conducted myself honorably and had a great reputation. He said I was repeatedly put in impossible positions. He said you saved her and then they hated you for what you did later, but what choice did you have? He said he thought very highly of me and looked forward to working with me, saying he hoped I planned to stay on. I assured him I intended to stay. He said good.

January 6, 2017: What did you think about Mr. Comey’s intelligence briefing on Jan. 6, 2017, about Russian election interference?

One key detail Comey (and the other representatives of the intelligence community) would have detailed for Trump that day is not just that Russia interfered in the election, but their basis for concluding that “We also assess Putin and the Russian Government aspired to help President-elect Trump’s election chances,” a conclusion Republicans have objected to repeatedly.

In his book, but not his memos, Comey describes that immediately after the briefing, Trump first asked for assurances Russian interference hadn’t affected the outcome and then, with his team, started strategizing how to spin the conclusions so as to dismiss any impact on the election.

‘I recall Trump listening without interrupting, and asking only one question, which was really more of a statement: “But you found there was no impact on the result, right?” The intelligence team said they had done no such analysis.

‘What I found telling was what Trump and his team didn’t ask. They were about to lead a country that had been attacked by a foreign adversary, yet they had no questions about what the future Russian threat might be.’

Instead, Trump and his team immediately started discussing how they would “spin” the information on Russia as if the intelligence officers were not in the room. ‘They were keen to emphasize that there was no impact on the vote, meaning that the Russians hadn’t elected Trump.’

This reflects the same concern expressed in the KT McFarland email from just days earlier (which probably reflected detailed Trump involvement) that acknowledging Russian involvement would “discredit[] Trump’s victory by saying it was due to Russian interference.”

January 6, 2017: What was your reaction to Mr. Comey’s briefing that day about other intelligence matters?

In its analysis of the questions, NYT takes this question to be exclusively about Comey’s briefing on the Steele dossier, and it may be. But in Obama’s January 5 briefing covering the same issues, according to Susan Rice, Comey and others discussed concerns about sharing classified information with the Trump team, especially Mike Flynn.

The memorandum to file drafted by Ambassador Rice memorialized an important national security discussion between President Obama and the FBI Director and the Deputy Attorney General. President Obama and his national security team were justifiably concerned about potential risks to the Nation’s security from sharing highly classified information about Russia with certain members of the Trump transition team, particularly Lt. Gen. Michael Flynn.

Even though concerns about Flynn came up in that Obama briefing, the FBI counterintelligence investigation did not. It’s possible that this passage from Comey’s memo, which describes the main part of the briefing and not that part dedicated to the Steele dossier, pertained to the counterintelligence concerns about Flynn, which Obama had already shared with Trump the previous fall; such a warning may or may not have included Flynn’s conversations with Sergey Kislyak.

If Comey briefed anything to do with Flynn, it would significantly change the importance of subsequent events.

As for the Steele dossier conversation, which surely is included with this question, Comey has claimed that Trump first tried to convince Comey it wasn’t true that he would need to “go there” to sleeping with prostitutes, “there were never prostitutes,” even though Trump’s reference to “the women who had falsely accused him of grabbing or touching them” actually undermined his defense.

Comey has also claimed that Trump seemed relieved when he said (in the context of the Steele briefing), that the FBI was not investigating him. Importantly, this took place after Comey had said he didn’t want people to claim the information came from the FBI.

I said media like CNN had them and were looking for a news hook. I said it was important that we not give them an excuse to write that the FBI has the material or [redacted] and that we were keeping it very close-hold.

[snip]

I responded that we were not investigating him and the stuff might be totally made up but that it was being said out of Russia and our job was to protect the President from efforts to coerce him. I said we try to understand what the Russians are doing and what they might do. I added that I also wanted him to know this in case it came out in the media.

He said he was grateful for the conversation, said more nice things about me and how he looks forward to working with me and we departed the room.

January 12, 2017: What was your reaction to news reports on Jan. 12, 2017?

On January 12, in the context of a discussion of Trump aiming for better relationships with Putin, David Ignatius revealed that Flynn had called Sergey Kislyak “several times,” asking whether but not asserting that it might be an attempt to undercut sanctions.

Trump said Wednesday that his relationship with President Vladimir Putin is “an asset, not a liability.” Fair enough, but until he’s president, Trump needs to let Obama manage U.S.-Russia policy.

Retired Lt. Gen. Michael T. Flynn, Trump’s choice for national security adviser, cultivates close Russian contacts. He has appeared on Russia Today and received a speaking fee from the cable network, which was described in last week’s unclassified intelligence briefing on Russian hacking as “the Kremlin’s principal international propaganda outlet.”

According to a senior U.S. government official, Flynn phoned Russian Ambassador Sergey Kislyak several times on Dec. 29, the day the Obama administration announced the expulsion of 35 Russian officials as well as other measures in retaliation for the hacking. What did Flynn say, and did it undercut the U.S. sanctions? The Logan Act (though never enforced) bars U.S. citizens from correspondence intending to influence a foreign government about “disputes” with the United States. Was its spirit violated? The Trump campaign didn’t immediately respond to a request for comment.

The report neither revealed the FBI had intercepts of the conversation nor confirmed an investigation. But it may have alerted Trump that the actions he was probably a party to weeks earlier might have legal consequences.

January 24: FBI interviews Mike Flynn and he lies about talking about sanctions

January 26 and 27, 2017: What did you know about Sally Yates’s meetings about Mr. Flynn?

According to Sally Yates’ public testimony, she met with Don McGahn to discuss Mike Flynn’s interview with the FBI on January 26, 2017. She framed it by describing that DOJ knew Mike Pence’s January 15 comments about Flynn’s conversations with Kislyak were not correct.

YATES: So I told them again that there were a number of press accounts of statements that had been made by the vice president and other high-ranking White House officials about General Flynn’s conduct that we knew to be untrue. And we told them how we knew that this – how we had this information, how we had acquired it, and how we knew that it was untrue.

And we walked the White House Counsel who also had an associate there with him through General Flynn’s underlying conduct, the contents of which I obviously cannot go through with you today because it’s classified. But we took him through in a fair amount of detail of the underlying conduct, what General Flynn had done, and then we walked through the various press accounts and how it had been falsely reported.

We also told the White House Counsel that General Flynn had been interviewed by the FBI on February [sic] 24. Mr. McGahn asked me how he did and I declined to give him an answer to that. And we then walked through with Mr. McGahn essentially why we were telling them about this and the first thing we did was to explain to Mr. McGahn that the underlying conduct that General Flynn had engaged in was problematic in and of itself.

Secondly, we told him we felt like the vice president and others were entitled to know that the information that they were conveying to the American people wasn’t true. And we wanted to make it really clear right out of the gate that we were not accusing Vice President Pence of knowingly providing false information to the American people.

And, in fact, Mr. McGahn responded back to me to let me know that anything that General Flynn would’ve said would have been based — excuse me — anything that Vice President Pence would have said would have been based on what General Flynn had told him.

We told him the third reason was — is because we were concerned that the American people had been misled about the underlying conduct and what General Flynn had done, and additionally, that we weren’t the only ones that knew all of this, that the Russians also knew about what General Flynn had done.

And the Russians also knew that General Flynn had misled the vice president and others, because in the media accounts, it was clear from the vice president and others that they were repeating what General Flynn had told them, and that this was a problem because not only did we believe that the Russians knew this, but that they likely had proof of this information.

And that created a compromise situation, a situation where the national security adviser essentially could be blackmailed by the Russians. Finally, we told them that we were giving them all of this information so that they could take action, the action that they deemed appropriate.

I remember that Mr. McGahn asked me whether or not General Flynn should be fired, and I told him that that really wasn’t our call, that was up to them, but that we were giving them this information so that they could take action, and that was the first meeting.

Then there was a follow-up meeting on January 27. Among the five topics discussed, McGahn asked if Flynn was in legal jeopardy, and if “they” (presumably meaning he and the Associate WHCO in the meeting) could see the underlying intelligence.

WHITEHOUSE: Did you discuss criminal prosecution of Mr. Flynn — General Flynn?

YATES: My recollection is that did not really come up much in the first meeting. It did come up in the second meeting, when Mr. McGahn called me back the next morning and asked the — the morning after — this is the morning of the 27th, now — and asked me if I could come back to his office.

And so I went back with the NSD official, and there were essentially four topics that he wanted to discuss there, and one of those topics was precisely that. He asked about the applicability of certain statutes, certain criminal statutes and, more specifically,

[snip]

And there was a request made by Mr. McGahn, in the second meeting as to whether or not they would be able to look at the underlying evidence that we had that we had described for him of General Flynn’s conduct. And we told him that we were inclined to allow them to look at that underlying evidence, that we wanted to go back to DOJ and be able to make the logistical arrangements for that. This second meeting on the 27th occurred late in the afternoon, this is Friday the 27th. So we told him that we would work with the FBI over the weekend on this issue and get back with him on Monday morning. And I called him first thing Monday morning to let him know that we would allow them to come over and to review the underlying evidence.

By the time the materials for review became available on January 30, Yates had been fired, nominally because she refused to defend Trump’s Muslim ban.

The HPSCI report (particularly content newly unredacted on May 4; see PDF 63 ff) reveals there were several concerns about Flynn’s contradictory comments (which Republicans bizarrely present as conflict). First, there had been a counterintelligence investigation into Flynn still active in December 2016, though FBI may have been moving to shut it down. The interview may have been sparked by Logan Act concerns, or it may have been Flynn’s public comments to Pence (the Republican report ignores that this would pose a blackmail problem). Comey told HPSCI that the agents found Flynn — a lifetime intelligence officer — exhibited no physical signs of deceit, but made it clear the Agents did find his statements plainly conflicted with known facts.

When Mueller asks the President what he knew about the meetings, he likely wants to know (and already has answers from McGahn and likely the Associate) whether they told him about the Flynn interview, if so when, and in how much detail. If they did tell Trump, Mueller may also want to know about whether McGahn’s questions on the 27th (including whether Flynn was in legal jeopardy) reflect Trump’s own questions.

Obviously, one other subtext of this question pertains to whether Yates’ pursuit of Flynn contributed to her firing.

The other critical point about whether and what Trump knew of Yates’ meetings with McGahn: on January 27, he had his first creepy meeting with Jim Comey. Then, on January 28, he had his first phone call with Vladimir Putin, a call Flynn attended.

January 27, 2017: What was the purpose of your Jan. 27, 2017, dinner with Mr. Comey, and what was said?

At lunchtime on January 27 — so after McGahn had called Yates to set up a follow-up meeting and indicated concerns about Flynn’s legal jeopardy, but before that meeting happened — Trump called Comey and set up dinner that day. According to Comey, several minor things that would recur later came up, including questions about Andrew McCabe and Trump’s exposition of the Hillary email investigation.

In addition, five other key things happened at the meeting.

He invited the FBI to investigate “the Golden Showers” thing to prove it was a lie:

At this point, he turned to what he called “the golden showers thing”

[snip]

He said he had spoken to people who had been on the Miss Universe trip with him and they had reminded him that he didn’t stay over night in Russia for that. [this is not true]

[snip]

He said he thought maybe he should ask me to investigate the whole thing to prove it was a lie. I did not ask any questions. I replied that it was up to him, but I wouldn’t want to create a narrative that we were investigating him, because we were not and I worried such a thing would be misconstrued. I also said that is very difficult to disprove a lie. He said ‘maybe you’re right,’ but several times asked me to think about it and said he would also think about it.

He asked if the FBI leaks:

He asked whether the FBI leaks and I answered that of course in an organization of 36,000 we were going to have some of that, but I said I think the FBI leaks far less than people often say.

He asked if Comey wanted to keep his job, even though they had discussed it twice before:

He touched on my future at various points. The first time he asked “so what do you want to do,” explaining that lots of people wanted my job (“about 20 people”), that he thought very highly of me, but he would understand if I wanted to walk away given all I had been through, although he thought that would be bad for me personally because it would look like I had done something wrong, that he of course can make a change at FBI if he wants, but he wants to know what I think. There was no acknowledgement by him (or me) that we had already talked about this twice.

I responded by saying that he could fire me any time he wished, but that I wanted to stay and do a job I love to and think I am doing well.

He asked for loyalty:

He replied that he needed loyalty and expected loyalty.

[snip — this comes after the request for an investigation]

He then returned to loyalty, saying “I need loyalty.” I replied that he would always get honesty from me. He paused and said that’s what he wants, “honest loyalty.” I replied, “you will get that from me.”

He claimed to suspect Mike Flynn’s judgment because he had delayed in telling Trump about Putin’s congratulatory phone call:

He then went on to explain that he has serious reservations about Mike Flynn’s judgment and illustrated with a story from that day in which the President apparently discovered during his toast to Teresa May that [Vladimir Putin] had called four days ago. Apparently, as the President was toasting PM May, he was explaining that she had been the first to call him after his inauguration and Flynn interrupted to say that [Putin] had called (first, apparently). It was then that the President learned of [Putin’s] call and he confronted Flynn about it (not clear whether that was in the moment or after the lunch with PM May). Flynn said the return call was scheduled for Saturday, which prompted a heated reply from the President that six days was not an appropriate period of time to return a call from the [President] of a country like [Russia]. (“This isn’t [redacted] we are talking about.”) He said that if he called [redacted] and didn’t get a return call for six days he would be very upset. In telling the story, the President pointed his fingers at his head and said “the guy has serious judgment issues.” I did not comment at any point during this topic and there was no mention or acknowledgement of any FBI interest in or contact with General Flynn.

Trump would be hard pressed to argue the meeting was unrelated to the Yates meeting and the FBI investigation. Which would mean one thing Trump did — in a meeting where he also lied to claim he hadn’t had sex in Moscow — was to disclaim prior knowledge of the Putin meeting the next day (even while emphasizing the import of it).

Of course, the claim he thought Flynn had poor judgment didn’t lead him to keep Flynn out of the phone call with Putin the next day.

January 28: Trump, Pence, Flynn, Priebus, Bannon, and Spicer phone Vladimir Putin

February 9, 2017: What was your reaction to news reports on Feb. 8-9, 2017?

According to Jim Comey, he went for a meet and greet with Reince Priebus on February 8. While he was waiting, Mike Flynn sat down to chat with him, though he didn’t mention the FBI interview. Then, after clarifying that the conversation with Comey was a “private conversation,” Priebus asked if there was a FISA order on Flynn. Comey appears to have answered in the negative. Priebus then took Comey in to meet with Trump, who defended his answer (in an interview with Bill O’Reilly released on February 6) that “There are a lot of killers. You think our country’s so innocent?” After Comey criticized that part of the answer, Trump “clearly noticed I had directly criticized him.” (h/t TC for reminding me to add this.) Since Yates had told McGahn how they knew Flynn had lied, Priebus’ question about a FISA order suggests the White House was trying to find out whether the collection was just incidental, or whether both sides of all Flynn’s conversations would have been picked up.

On February 9, the WaPo reported that Flynn had discussed sanctions, in spite of public denials from the White House that he had.

National security adviser Michael Flynn privately discussed U.S. sanctions against Russia with that country’s ambassador to the United States during the month before President Trump took office, contrary to public assertions by Trump officials, current and former U.S. officials said.

Flynn’s communications with Russian Ambassador Sergey Kislyak were interpreted by some senior U.S. officials as an inappropriate and potentially illegal signal to the Kremlin that it could expect a reprieve from sanctions that were being imposed by the Obama administration in late December to punish Russia for its alleged interference in the 2016 election.

Flynn on Wednesday [February 8] denied that he had discussed sanctions with Kislyak. Asked in an interview whether he had ever done so, he twice said, “No.”

On Thursday [February 9], Flynn, through his spokesman, backed away from the denial. The spokesman said Flynn “indicated that while he had no recollection of discussing sanctions, he couldn’t be certain that the topic never came up.”

Officials said this week that the FBI is continuing to examine Flynn’s communications with Kislyak. Several officials emphasized that while sanctions were discussed, they did not see evidence that Flynn had an intent to convey an explicit promise to take action after the inauguration.

In addition to tracking Flynn’s changing claims, it also noted that on January 15, Mike Pence had denied both any discussion of sanctions in the December call and discussions with Russia during the campaign.

On February 10, Trump was asked by reporters about Flynn’s answer. Trump played dumb: “I don’t know about that. I haven’t seen it. What report is that? I haven’t seen that. I’ll look into that.” (h/t TC)

Presumably, Mueller wants to know how surprised Trump was about this story (which actually builds on whether McGahn told him about the Yates conversation). But given Trump’s earlier question about FBI leaks, I also wonder whether Mueller knows that Trump knew this was coming. That is, some of the leaks may have come from closer to the White House, as an excuse to fire Flynn, using the same emphasis that the story (and Yates) had: the claim that Flynn had lied to Pence.

Except Mueller probably knows that the effort to soothe Russia’s concerns about sanctions made in December was a surprise to few top aides in the White House, least of all Trump.

February 13, 2017: How was the decision made to fire Mr. Flynn on Feb. 13, 2017?

We have remarkably little reporting on how and why Flynn was actually fired — mostly just the cover story that it was because Flynn lied to Pence — though after Flynn flipped last year, Trump newly claimed he had to fire Flynn because he lied to the FBI (something that, if the claims about the original 302 are correct, FBI hadn’t concluded at the time Trump fired him).

The thing is, neither story makes sense. It’s virtually certain that many people in the White House knew what Flynn had said to Sergey Kislyak back in December 2016; Tom Bossert was included in KT McFarland’s emails to Mike Flynn, and he sent it to Reince Priebus, Stephen Bannon, Sean Spicer, and at least two other people. All of those people, save Bossert, are known to have provided testimony to Mueller’s team.

But it also makes little sense to argue that Trump had to fire Flynn because he lied. If so, he would have done so either immediately, before the Putin meeting, or much later, after FBI actually came to the conclusion he had lied.

One logical explanation is that Flynn lied because he was told to lie, in an effort to continue to hide what the Trump Administration was doing in the transition period to pay off its debts to Russia. But faced with the prospect that the FBI would continue to investigate Flynn, Trump cut him out in an effort to end the investigation. Which explains why things with Comey proceeded the way they did.

Update: This post has been updated with new details surrounding February 8-10 and newly unredacted details from the HPSCI report.

RESOURCES

These are some of the most useful resources in mapping these events.

Mueller questions as imagined by Jay Sekulow

CNN’s timeline of investigative events

Majority HPSCI Report

Minority HPSCI Report

Trump Twitter Archive

Jim Comey March 20, 2017 HPSCI testimony

Comey May 3, 2017 SJC testimony

Jim Comey June 8, 2017 SSCI testimony

Jim Comey written statement, June 8, 2017

Jim Comey memos

Sally Yates and James Clapper Senate Judiciary Committee testimony, May 8, 2017

NPR Timeline on Trump’s ties to Aras Agalarov

George Papadopoulos complaint

George Papadopoulos statement of the offense

Mike Flynn statement of the offense

Internet Research Agency indictment

Text of the Don Jr Trump Tower Meeting emails

Jared Kushner’s statement to Congress

Erik Prince HPSCI transcript

THE SERIES

Part One: The Mueller Questions Map Out Cultivation, a Quid Pro Quo, and a Cover-Up

Part Two: The Quid Pro Quo: a Putin Meeting and Election Assistance, in Exchange for Sanctions Relief

Part Three: The Quo: Policy and Real Estate Payoffs to Russia

Part Four: The Quest: Trump Learns of the Investigation

Part Five: Attempting a Cover-Up by Firing Comey

Part Six: Trump Exacerbates His Woes

New Right Hook: Mike Flynn Lied When He Admitted to a Judge He Lied to the FBI

Apparently, the latest Grassley-Graham effort to spin a very understandable reaction to the discovery that the incoming National Security Advisor might be compromised by Russia — to have a meeting about whether that requires a change in the government’s investigative approach and then memorialize the meeting — as a Christopher Steele plot is not an isolated event. To accompany the Grassley-Graham effort to obscure, the right wing is now seeing a conspiracy, best captured in this Byron York piece with follow-ups elsewhere, in Mike Flynn’s guilty plea.

At issue is leaked March 2017 testimony from Jim Comey (in a piece complaining about the leak of Flynn’s FISA intercepts) that the FBI agents who interviewed Flynn on January 24, 2017 believed any inaccuracies in Flynn’s interview with the FBI were unintentional.

In March 2017, then-FBI Director James Comey briefed a number of Capitol Hill lawmakers on the Trump-Russia investigation.

[snip]

According to two sources familiar with the meetings, Comey told lawmakers that the FBI agents who interviewed Flynn did not believe that Flynn had lied to them, or that any inaccuracies in his answers were intentional. As a result, some of those in attendance came away with the impression that Flynn would not be charged with a crime pertaining to the Jan. 24 interview.

From that, York spins out a slew of laughable claims: Mike Flynn would have no reason to address the FBI amid swirling coverage of lies about Russian ties! The Deputy Attorney General “sends” FBI agents to conduct interviews! DOJ “effectively gave” Jim Comey authority to decide Hillary’s fate but then fired him for usurping that authority! They lead up to York’s theory that DOJ may have overridden the FBI agents in forcing Flynn to sign a plea admitting he made false statements.

It could be that the FBI agents who did the questioning were overruled by Justice Department officials who came up with theories like Flynn’s alleged violation of the Logan Act or his alleged vulnerability to blackmail.

[snip]

To some Republicans, it appears the Justice Department used a never-enforced law and a convoluted theory as a pretext to question Flynn — and then, when FBI questioners came away believing Flynn had not lied to them, forged ahead with a false-statements prosecution anyway. The Flynn matter is at the very heart of the Trump-Russia affair, and there is still a lot to learn about it.

Along the way, York feigns apparent ignorance of everything he knows about how criminal investigations work.

For example, York pretends to be unaware of all the pieces of evidence that have surfaced since that time that have changed the context of Flynn’s January 24 interview. There’s the weird dinner Trump invited Comey to on January 27, a day after Sally Yates first raised concerns about the interview with White House Counsel Don McGahn, where Trump told Comey “I need loyalty, I expect loyalty.” There’s the more troubling meeting on February 14, where (after asserting that Flynn had indeed lied to Mike Pence) Trump asked Comey to drop the Flynn investigation.

He repeated that Flynn hadn’t done anything wrong on his calls with the Russians, but had misled the Vice President. He then said, “I hope you can see your way clear to letting this go, to letting Flynn go. He is a good guy. I hope you can let this go.”

There’s the March 30 phone call in which the President complained about the “cloud” of the Russian investigation. There’s the April 11 phone call where the President complained about that “cloud” again, and asked for public exoneration. There’s the newly reported Don McGahn call following that conversation, to Dana Boente asking for public exoneration. There’s Comey’s May 9 firing, just in time for Trump to tell Russians on May 10 that firing that “nut job” relieved pressure on him. There’s the letter Trump drafted with Stephen Miller’s help that made it clear Comey was being fired because of the Russian investigation.

Already by the time of Comey’s firing, the White House claim that Mike Flynn got fired because he lied to Mike Pence about his conversations with Sergey Kislyak was falling apart.

Then, in August, the Mueller team obtained the transition emails that transition lawyers had withheld from congressional requests (and therefore from Mueller), including those of Flynn himself, Jared Kushner, and KT McFarland. The transition would go on to squawk that these emails, which didn’t include Trump and dated to before Trump became President, were subject to executive privilege, alerting Mueller that the emails would have been withheld because the emails (some sent from Mar-A-Lago) reflected the involvement of Trump. Not to mention that the emails tied conversations about Russia to the “thrown election.”

Then there’s Jared Kushner’s interview with Mueller’s team in the weeks before Mike Flynn decided to plead guilty. At it, prosecutors asked Jared if he had any information that might exculpate Flynn.

One source said the nature of this conversation was principally to make sure Kushner doesn’t have information that exonerates Flynn.

There were reports that Flynn felt like he had been sold out just before he flipped, and I would bet this is part of the reason why. In addition to instructions regarding the sanction calls with Kislyak, which were directed by KT McFarland, Flynn’s statement of offense describes someone we know to be Kushner directing Flynn to call countries, including Russia, to try to persuade them to avoid a vote on Israeli West Bank settlements.

On or about December 22, 2016, a very senior member of the Presidential Transition Team directed FLYNN to contact officials from foreign governments, including Russia, to learn where each government stood on the resolution and to influence those governments to delay the vote or defeat the resolution.

Granted, Mueller’s team didn’t make the point of the lies as obvious as they did with the George Papadopoulos plea, where they made clear Papadopoulos lied to hide that he learned of the “dirt” on Hillary in the form of emails after he started on the campaign and whether he told the campaign about those emails (not to mention that he had contacts with Ivan Timofeev).

Mueller’s not telling us why Flynn’s lies came to have more significance as Mueller collected more and more evidence.

But what they make clear is that the significance of Flynn’s lies was not, as it first appeared, that he was trying to hide the subject of the calls from Mike Pence. I mean, maybe he did lie to Pence about those calls. But discussions about how to work with the Russians were not secret; they included at least Kushner, McFarland, Tom Bossert, Reince Priebus, Steve Bannon, and Sean Spicer. Some of those conversations happened with McFarland emailing while at Mar-A-Lago with the President-Elect.

So given the weight of the evidence collected since, Flynn’s lies now appear neither an effort to avoid incriminating himself on Logan Act charges, nor an effort to cover up a lie he told others in the White House, but the opposite. His lies appear to have hidden how broadly held the Russian discussions were within the transition team, not to mention that he was ordered to make the requests he did, possibly by people relaying orders from Trump, rather than doing them on his own.

That, by itself, doesn’t make the Flynn conversations (as distinct from the lies) illegal. But it means Trump went to great lengths to try to prevent Flynn from suffering any consequences for lying to hide the degree to which negotiations with Russia during the transition period were the official policy of the Trump team. And when Trump (or rather, his son-in-law) stopped protecting Flynn on that point, Flynn decided to admit to a judge that he had been knowingly lying.

It doesn’t take a conspiracy to realize that the FBI Agents who interviewed Flynn in January had none of the evidence since made available largely because Trump tried so hard to protect Flynn that he fired his FBI Director over it. It takes looking at the evidence, which makes it clear why those false statements looked very different as it became clear Flynn, after acting on Trump transition team instructions, got sold out as other senior Trump officials started trying to protect themselves.

Fake Russian Metadata that Will Do Nothing to Prevent Nuclear War

Apparently I’m not the only one troubled by Tom Bossert’s attribution of WannaCry to North Korea the other day.

In this post, Jack Goldsmith suggests the attribution will do nothing for deterrence.

He said that he thought the public attribution alone, without more, accomplished something important in holding North Korea accountable. As he put it, somewhat confusingly, later:

It’s about simple culpability. We’ve determined who was behind the attack and we’re saying it. It’s pretty straightforward. All I learned about cybersecurity I learned in kindergarten. We’re going to hold them accountable and we’re going to say it. And we’re going to shame them for it.

There you have it: The U.S. government thinks that naming and shaming by itself is a useful response to a cyberattack that caused billions of dollars of damage (though relatively little in the United States) and targeted precisely the types of critical infrastructure officials have long warned was a red line.

[snip]

it’s not just that name and shame is ineffective. For at least two reasons, it is counterproductive for the United States to take evident pride in an attribution of a major cyberattack that it at the same time concedes it lacks the tools to retaliate against or deter. First, the consequence of the attribution, and the emphasis on the damage caused by WannaCry, is to raise expectations, at least domestically, about a response. Second, the effect of such a drum-beating attribution and statement of damage, combined with a weak response, is to reveal what has been apparent for a while: “We currently cannot put a lot of stock … in cyber deterrence,” as former DNI Clapper said last year. “It is … very hard to create the substance and psychology of deterrence.” When we overtly signal to North Korea that we have no tools to counteract their cyberattacks, we invite more attacks by North Korea and others—though to be fair, for the reasons Inglis stated, North Korea already has plenty of incentive, since cyber is a relatively inexpensive but very consequential tool for it, and since the United States has already imposed such extensive sanctions and seems out of tools.

I must be missing something here. Probably what I am missing is that the public attribution sends an important signal to the North Koreans about the extent to which we have penetrated their cyber operations and are watching their current cyber activities. But that message could have been delivered privately, and it does not explain why the United States delayed public attribution at least six months after its internal attribution, and two months after the U.K. had done so publicly.

In this thread, Emily Maxima notes that not everyone in the Infosec community agrees with this attribution (here’s an old piece I did on some oddities with it) and worries that the attribution might be used to justify war with North Korea.

So in the context of a potential hot-war with DPRK, the attribution chain from Wannacry to DPRK is *really* fucking important.

She then goes on to explain one of her concerns about the attribution to Lazarus group.

A few months back, I was doing some research into malware that used obfuscation mechanisms in their campaigns and code that could be used to misattribute them to other actors/nations.

It turns out, Lazarus group was one of these actors that had examples of misleading operation that made it seem like it was made in Russia, but was likely built to act as a false flag deus ex machina to lead researchers away from the true actors.

[snip]

[W]e’re talking about an increasingly tense situation where the largest attack on networked computer infrastructure in probably the last 5 years may be pinned on a group known for running false flag operations.

She points to this article that shows that some 2016 watering hole attacks that had targeted Polish and Mexican bank supervisor sites, which might be associated with Lazarus, used Russian words as a false flag to hide their origin.

In spite of some ‘Russian’ words being used, it is evident that the malware author is not a native Russian speaker.

Of our previous examples, five of the commands were likely produced by an online translation. Below we provide the examples and the correct analogues for reference:

| Word | Type of error | Correct analogue |
|---|---|---|
| “ustanavlivat” | omitted sign at the end, verb tense error | “ustanovit'” or “ustanoviti” |
| “poluchit” | omitted sign at the end | “poluchit'” or “poluchiti” |
| “pereslat” | omitted sign at the end | “pereslat'” or “pereslati” |
| “derzhat” | omitted sign at the end | “derzhat'” or “derzhati” |
| “vykhodit” | omitted sign at the end, verb tense error | “vyiti” |

Another example is “kliyent2podklyuchit”. This is most likely a result of an online translation of “client2connect” (which means ‘client-to-connect’). In this case, the two words “client” and “connect” were translated separately, then transliterated from the Russian pronunciation form into the Latin alphabet and finally joined to produce “kliyent2podklyuchit”.

[snip]

Internally, the ActionScript also uses transliterated Russian words, similar to the tactic seen in the bot code:

| Transliterated Russian words used in AS | Translated from Russian |
|---|---|
| Podgotovkaskotiny | Preparation of farm animals |
| geigeigei3raza | Hey, hey, hey 3 times |
| chainik | Dummy (a stupid person) |
| chainikaddress | Dummy’s address |
| poishemdatu | Let’s search for data |
| poiskvpro | Searching in ‘pro’ |
| vyzov_chainika | Calling the dummy (a stupid person) |
| daiadreschainika | Get address of the dummy |
| runskotina | Execute farm animals |
| babaLEna | Old woman Lena |

As seen in the table, while the words are technically Russian, their usage is out-of-context.

In one code fragment, the ActionScript contains both “chainik” and “dummy”:

private function put_dummy_args(param1:*) : *
{
    return chainik.call.apply(null,param1);
}
private function vyzov_chainika() : *
{
    return chainik.call(null);
}

As such, it is obvious that the word “dummy” has been translated into “chainik”. However, the word “chainik” in Russian slang (with the literal meaning of “a kettle”) is used to describe an unsophisticated person, a newbie; while the word “dummy” in the exploit code is used to mean a “placeholder” or an “empty” data structure/argument.

The BAE analysis suggests that this incorrect usage is evidence proving the attackers are not native Russian speakers (leaving open the possibility they’re North Korean, though the report doesn’t attribute that aggressively).
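The two linguistic checks the quoted analysis relies on (infinitives transliterated without the soft sign, and an English term sitting beside its literal translation) can be run over strings pulled from a sample. The Python below is an added example, not code from the BAE report or from this post; the lexicon, gloss table, sample strings and function names are constructed for illustration, and podklyuchit' is assumed here as the correct form of the "connect" half of kliyent2podklyuchit.

```python
import re

# Constructed reference data (an assumption of this example, not from any tool):
# transliterated Russian infinitives with the soft sign written as an apostrophe,
# taken from the "correct analogue" column of the quoted table, plus the assumed
# form podklyuchit' for "connect".
INFINITIVES = {"ustanovit'", "poluchit'", "pereslat'", "derzhat'", "podklyuchit'"}

# Transliterated word -> English term it was literally translated from,
# per the chainik/dummy observation in the quoted analysis.
GLOSSES = {"chainik": "dummy"}

# A run of letters, optionally followed by the apostrophe that stands for
# the transliterated soft sign.
TOKEN_RE = re.compile(r"[A-Za-z]+'?")


def split_identifier(text):
    """Break a command or identifier into lowercase word tokens.

    Digits and underscores act as separators, so 'kliyent2podklyuchit'
    becomes ['kliyent', 'podklyuchit'].
    """
    return [tok.lower() for tok in TOKEN_RE.findall(text)]


def missing_soft_sign(token):
    """Return the expected infinitive if only the soft sign is missing, else None."""
    candidate = token + "'"
    return candidate if candidate in INFINITIVES else None


def gloss_collisions(tokens):
    """Find transliterated words whose English source term is also present.

    Substring matching is used for the transliterated side so that case
    endings ('chainika') and run-together names still match.
    """
    token_set = set(tokens)
    hits = []
    for translit, english in sorted(GLOSSES.items()):
        if english in token_set and any(translit in tok for tok in token_set):
            hits.append((translit, english))
    return hits


def triage(strings):
    """Run both checks over a list of strings extracted from one sample."""
    tokens = [tok for s in strings for tok in split_identifier(s)]
    soft_sign = {}
    for tok in tokens:
        expected = missing_soft_sign(tok)
        if expected:
            soft_sign[tok] = expected
    return {"soft_sign": soft_sign, "collisions": gloss_collisions(tokens)}


# Constructed input: the commands and identifiers quoted above, plus two
# ordinary English words that end in "t" and must not be reported.
# 'ustanavlivat' and 'vykhodit' also carry a verb-form error according to the
# quoted table; this suffix check does not model that, so they are not reported.
SAMPLE_STRINGS = [
    "ustanavlivat", "poluchit", "pereslat", "derzhat", "vykhodit",
    "kliyent2podklyuchit", "put_dummy_args", "vyzov_chainika",
    "submit", "format",
]

if __name__ == "__main__":
    report = triage(SAMPLE_STRINGS)
    for token, expected in report["soft_sign"].items():
        print(f"soft sign missing: {token} -> {expected}")
    for translit, english in report["collisions"]:
        print(f"literal translation beside its source term: {translit} / {english}")
```

A hit from either check says only that the naming was probably machine-translated; it does not identify who did the translating.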

I point to all this because of my continuing obsession with attacks featuring Russian metadata — starting from the first stolen Democratic files released by Guccifer 2.0 in June 2016 to faked Macron leak documents and extending to metadata ShadowBrokers left in some SWIFT files released in April — that served to deflect blame.

Perhaps it’s just fashionable to blame Russians these days.

Mind you, that other Russian metadata is for a totally unrelated watering hole attack, not for WannaCry. It’s worth remembering, however, that in addition to using Lazarus code, WannaCry also appears to have used code from Metasploit.

Ah well. I guess none of this will matter when North Korea nukes Seoul.

The Bankrupt Attribution of WannaCry

I’ve been puzzling through this briefing, purportedly attributing the WannaCry hack to North Korea, which followed last night’s Axis of CyberEvil op-ed (here’s the text). The presser was … perhaps even more puzzling than the Axis of CyberEvil op-ed.

Unlike the op-ed, Homeland Security Czar Tom Bossert provided hints about how the government came to attribute this attack.

Bossert makes much of the fact that the Five Eyes plus Japan all agree on this.

We do so with evidence, and we do so with partners.

Other governments and private companies agree.  The United Kingdom, Australia, Canada, New Zealand, and Japan have seen our analysis, and they join us in denouncing North Korea for WannaCry.

He also points to the Microsoft and (unnamed — because it’d be downright awkward to name Kaspersky in the same briefing where you attack them as a cybersecurity target) security consultant attributions from months ago.

Commercial partners have also acted.  Microsoft traced the attack to cyber affiliates of the North Korean government, and others in the security community have contributed their analysis.

Here are the specific things he says about how the US, independent of Microsoft and villains like Kaspersky, made an attribution.

What we did was, rely on — and some of it I can’t share, unfortunately — technical links to previously identified North Korean cyber tools, tradecraft, operational infrastructure.  We had to examine a lot.  And we had to put it together in a way that allowed us to make a confident attribution.

[snip]

[I]t’s a little tradecraft, to get to your second question.  It’s hard to find that smoking gun, but what we’ve done here is combined a series of behaviors.  We’ve got analysts all over the world, but also deep and experienced analysts within our intelligence community that looked at not only the operational infrastructure, but also the tradecraft and the routine and the behaviors that we’ve seen demonstrated in past attacks.  And so you have to apply some gumshoe work here, not just some code analysis.

Nevertheless, Bossert alludes to people launching this attack from “keyboards all over the world,” but says because these “intermediaries … had carried out those types of attacks on behalf of the North Korean government in the past,” they were confident in the attribution.

People operating keyboards all over the world on behalf of a North Korean actor can be launching from places that are not in North Korea.  And so that’s one of the challenges behind cyber attribution.

[snip]

[T]here were actors on their behalf, intermediaries, carrying out this attack, and that they had carried out those types of attacks on behalf of the North Korean government in the past.  And that was one of the tradecraft routines that allowed us to reach that conclusion.

Taking credit for stuff the private sector did

In his prewritten statement, Bossert provides one explanation for the timing of all this. One of the reasons the US is attributing the WannaCry attack now — aside from the need to gin up war with North Korea — is that Facebook and Microsoft, “acting on their own initiative last week,” took action against North Korean targets.

We applaud our corporate partners, Microsoft and Facebook especially, for acting on their own initiative last week without any direction by the U.S. government or coordination to disrupt the activities of North Korean hackers.  Microsoft acted before the attack in ways that spared many U.S. targets.

Last week, Microsoft and Facebook and other major tech companies acted to disable a number of North Korean cyber exploits and disrupt their operations as the North Koreans were still infecting computers across the globe.  They shut down accounts the North Korean regime hackers used to launch attacks and patched systems.

Yet even while acknowledging that Microsoft and Facebook are busy keeping the US safe, he demands that the private sector … keep us safe.

We call today — I call today, and the President calls today, on the private sector to increase its accountability in the cyber realm by taking actions that deny North Korea and the bad actors the ability to launch reckless and disruptive cyber acts.

Golly how do you think the US avoided damage from the attack based on US tools so well?

Then Bossert invites Assistant Secretary for Cybersecurity and Communications at DHS Jeanette Manfra to explain not how the US attributed this attack (the ostensible point of this presser), but how the US magically avoided getting slammed — by an attack based on US tools — as badly as other countries did.

By midafternoon, I had all of the major Internet service providers either on the phone or on our watch floor sharing information with us about what they were seeing globally and in the United States.  We partnered with the Department of Health and Human Services to reach out to hospitals across the country to offer assistance.  We engaged with federal CIOs across our government to ensure that our systems were not vulnerable.  I asked for assistance from our partners in the IT and cybersecurity industry.  And by 9:00 p.m. that night, I had over 30 companies represented on calls, many of whom offered us analytical assistance throughout the weekend.

By working closely with these companies and the FBI throughout that night, we were able to issue a technical alert, publicly, that would assist defenders with defeating this malware.  We stayed on alert all weekend but were largely able to escape the impacts here in this country that other countries experienced.

Managing to avoid getting slammed by an attack that the US had far more warning of (because it would have recognized and had 96 days to prepare) is proof, Manfra argues, of our preparation to respond to attacks we didn’t write the exploit for.

[T]he WannaCry attack demonstrated our national capability to effectively operate and respond.

Ix-Nay on the AdowBrokers-Shay

Which brings us to the dramatic climax of this entire presser, where Tom Bossert plays dumb about the fact that this attack exploited an NSA exploit. In his first attempt to deflect this question, Bossert tried to distinguish between vulnerabilities and the exploits NSA wrote for them.

Q    Had they not been able to take advantage of the vulnerabilities that got published in the Shadow Brokers website, do you think that would have made a significant difference in their ability to carry out the attack?

MR. BOSSERT:  Yeah.  So I think what Dave is alluding to here is that vulnerabilities exist in software.  They’re not — almost never designed on purpose.  Software producers are making a product, and they’re selling it for a purpose.

Pretending a vulnerability is the same thing as an exploit, Bossert pointed to the (more visible but still largely the same) Vulnerabilities Exploit Process Trump has instituted.

When we find vulnerabilities, the United States government, we generally identify them and tell the companies so they can patch them.

In this particular case, I’m fairly proud of that process, so I’d like to elaborate.  Under this President’s leadership and under the leadership of Rob Joyce, who’s serving as my deputy now and the cybersecurity coordinator, we have led the most transparent Vulnerabilities Equities Process in the world.

Hey, by the way, why isn’t Rob Joyce at this presser so the person in government best able to protect against cyber attacks can answer questions?

Oh, never mind–let’s continue with this VEP thing.

And what that means is the United States government finds vulnerabilities in software, routinely, and then, at a rate of almost 90 percent, reveals those.  They could be useful tools for us to then exploit for our own national security benefit.  But instead, what we choose to do is share those back with the companies so that they can patch and increase the collective defense of the country.  It’s not fair for us to keep those exploits while people sit vulnerable to those totalitarian regimes that are going to bring harm to them.

So, in this particular case, I’m proud of the VEP program.  And I’d go one step deeper for you:  Those vulnerabilities that we do keep, we keep for very specific purposes so that we can increase our national security.  And we use them for very specific purposes only tailored to our perceived threats.  I think that they’re used very carefully.  They need to be protected in such a way that we don’t leak them out and so that bad people can get them.  That has happened, unfortunately, in the past.

Hell! Let’s go for broke. Let’s turn the risk that someone can steal our toys and set off a global worm into the promise that we’ll warn people they’ve been hacked.

But one level even deeper.  When we do use those vulnerabilities to develop exploits for the purpose of national security for the classified work that we do, we sometimes find evidence of bad behavior.  Sometimes it allows us to attribute bad actions.  Other times it allows us to privately call — and we’re doing this on a regular basis, and we’re doing it better and in a more routine fashion as this administration advances — we’re able to call targets that aren’t subject to big rollouts.  We’re able to call companies, and we’re able to say to them, “We believe that you’ve been hacked.  You need to take immediate action.”  It works well; we need to get better at doing that.  And I think that allows us to save a lot of time and money.

We’re not broke yet, though! When Bossert again gets asked whether WannaCry was based off a US tool, he tries to argue the only tool involved was the final WannaCry one, not the underlying NSA exploit.

Q    So you talked about the 90 percent of times when you guys share information back with companies rather than exploit those vulnerabilities.  Was this one of the 10 percent that you guys had held onto?

MR. BOSSERT:  So I think there’s a case to be made for the tool that was used here being cobbled together from a number of different sources.  But the vulnerability that was exploited — the exploit developed by the culpable party here — is the tool, the bad tool.

This soon descends into full-on Sergeant Schultz.

I don’t know what they got and where they got it, but they certainly had a number of things cobbled together in a pretty complicated, intentional tool meant to cause harm that they didn’t entirely create themselves.

MalwareTech took a risk doing what he always does [er, did, before the US government kidnapped him] with malware?

Then there’s the weird bit — one of those Bossert moments (like when he said WannaCry was spread by phishing) that makes me think he doesn’t know what he’s talking about. When asked if this North Korean attribution changed the government’s intent to prosecute MalwareTech (Marcus Hutchins), Bossert dodged that tricksy question (the answer is, yes, the prosecution is still on track to go to trial next year) but then claimed that Hutchins “took a risk” doing something he has repeatedly said he always does when responding to malware.

I can’t comment on the ongoing criminal prosecution or judicial proceedings there.  But I will note that, to some degree, we got lucky.  In a lot of ways, in the United States we were well-prepared.  So it wasn’t luck — it was preparation, it was partnership with private companies, and so forth.  But we also had a programmer that was sophisticated, that noticed a glitch in the malware, a kill-switch, and then acted to kill it.  He took a risk, it worked, and it caused a lot of benefit.  So we’ll give him that.  Next time, we’re not going to get so lucky.

After dodging the issue of why the government is prosecuting the guy whose “luck” Bossert acknowledges saved the world, he has the gall to say — in the very next breath!! — we need to do the kind of information sharing that Hutchins’ prosecution disincents.

So what we’re calling on here today is an increased partnership, an increased rapidity in routine speed of sharing information so that we can prevent patient zero from being patient 150.

Whatever you do, don’t follow the lack of money

All that was bad enough. But then things really went off the rails when a journalist asked about what one of the poorest countries on earth — a country with a severe exchangeable currency shortage — did with the money obtained in this ransomware attack.

Q    Tom, the purpose of ransomware is to raise money.  So do you have a sense now of exactly how much money the North Koreans raised as a result of this?  And do you have any idea what they did with the money?  Did it go to fund the nuclear program?  Did it go just to the regime for its own benefit?  Or where did that money go?

MR. BOSSERT:  Yeah, it’s interesting.  There’s two conundrums here.  First, we don’t really know how much money they raised, but they didn’t seem to architect it in the way that a smart ransomware architect would do.  They didn’t want to get a lot of money out of this.  If they did, they would have opened computers if you paid.  Once word got out that paying didn’t unlock your computer, the payment stopped.

And so I think that, in this case, this was a reckless attack and it was meant to cause havoc and destruction.  The money was an ancillary side benefit.  I don’t think they got a lot of it.

Wow. A couple things here. First, of one of the poorest countries in the world, Bossert said with a straight face: “They didn’t want to get a lot of money out of this.”

He has to do that, because he has just said that, “They’ve got some smart programmers.” So he has to treat the attack, as implemented, as the attack that the perpetrators wanted. That apparently doesn’t mean he feels bound to offer some explanation for why North Korea would forgo the money that their smart programmers could have earned. Because he never offers that, without which you have zero credible attribution.

Still nuttier, at one level it cannot be true that “we don’t know how much money they raised.” Later in his presser he claims, “cryptocurrency might be difficult to track” and suggests the government only learned about how little they were making because, “targets seem to have reported to us, by and large, that they mostly didn’t pay. … So we were able to track the behavior of the targets in that case.”

Um. No. It was very public! We watched WannaCry’s perps collect $144,000 via the @Actual_ransom account, and we watched the account be cashed out in the immediate wake of the aforementioned MalwareTech arrest (as Hutchins noted, making it look like he had absconded with his Bitcoin rather than gotten arrested by the FBI).  That, too, is a detail that Bossert would have needed to address for this to be a marginally credible press conference.

But wait! There’s more! We also know that as soon as WannaCry’s perps publicly cashed out, Shapeshift blacklisted all its known accounts, making it impossible for WannaCry to launder the money, and adding still more transparency to the process. Which means Bossert should know well the answer to the question “how much did North Korea (or whatever perp) make off this?” is, zero. None. Because their money got cut off in the laundering process. (For some reason, Bossert gave Shapeshift zero credit here, which raises further questions I might return to at a later date.) Either attribution includes details about this process or … it’s not credible.

Bossert’s backflips to pretend Trump isn’t treating North Korea differently than Russia

Now, all this is before you get into the gymnastics Bossert performed to pretend that Trump isn’t treating North Korea — against whom this attribution will serve as justification for war — differently than Russia. After being asked about it, Bossert claimed,

President Trump not only continued the national emergency for cybersecurity, but he did so himself and sanctioned the Russians involved in the hacks of last year.

His effort to conflate last year’s hack-related sanctions with the sanctions imposed by Congress but not fully implemented looked really pathetic.

Q    Have all the sanctions been implemented?

MR. BOSSERT:  This was — yeah, this was the Continuation of the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities.  President Trump continued that national emergency, pursuant to the International Emergency Economic Powers Act, to deal with the “unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”

Pivoting to one of the most important private companies

Immediately after which, perhaps in an act of desperation, Bossert pivoted to Kaspersky, one of the most important security firms in unpacking WannaCry and therefore utterly central to any claim the answer to cyberattacks is to share between the private and public sector. Bossert said this to defend the claim that the Trump administration is taking Russian threats seriously.

Now, look, in addition, if that’s not making people comfortable, this year we acted to remove Kaspersky from all of our federal networks.  We did so because having a company that can report back information to the Russian government constituted a risk unacceptable to our federal networks.

And then — in the same press conference where Bossert hailed cooperation, including with private security firms like Kaspersky, he boasted about how “in the spirit of cooperation” the US has gotten “providers, sellers, retail stores” to ban one of the firms that was critical in analyzing and minimizing the WannaCry impact.

In the spirit of cooperation, which is the second pillar of our strategy — accountability being one, cooperation being the second — we’ve had providers, sellers, retail stores follow suit.  And we’ve had other private companies and other foreign governments also follow suit with that action.

In case you’re counting, he has boasted about cooperation in the same breath as speaking of both MalwareTech and Kaspersky.

Whatever. From this we’re supposed to conclude we should go to war against North Korea and their non-NK keyboarders the world over and that the way to defend ourselves against them is to simultaneously demand “cooperation” even while treating two of the most important entities who minimized the threat of WannaCry as outlaws.

Tom Bossert Brings You … Axis of CyberEvil!

I was struck, when reviewing the NYT article on the KT McFarland email, how central Homeland Security Czar Tom Bossert was to the discussion of asking Russia not to blow off Obama’s Russia sanctions.

“Key will be Russia’s response over the next few days,” Ms. McFarland wrote in an email to another transition official, Thomas P. Bossert, now the president’s homeland security adviser.

[snip]

Mr. Bossert forwarded Ms. McFarland’s Dec. 29 email exchange about the sanctions to six other Trump advisers, including Mr. Flynn; Reince Priebus, who had been named as chief of staff; Stephen K. Bannon, the senior strategist; and Sean Spicer, who would become the press secretary.

[snip]

Mr. Bossert replied by urging all the top advisers to “defend election legitimacy now.”

[snip]

Obama administration officials were expecting a “bellicose” response to the expulsions and sanctions, according to the email exchange between Ms. McFarland and Mr. Bossert. Lisa Monaco, Mr. Obama’s homeland security adviser, had told Mr. Bossert that “the Russians have already responded with strong threats, promising to retaliate,” according to the emails.

There Tom Bossert was, with a bunch of political hacks, undercutting the then-President as part of an effort to “defend election legitimacy now.”

Which is one of the reasons I find Bossert’s attribution of WannaCry to North Korea — in a ridiculously shitty op-ed — so sketchy now, as Trump needs a distraction and contemplates an insane plan to pick a war with North Korea.

The guy who — well after it was broadly known to be wrong — officially claimed WannaCry was spread by phishing is now offering this as his evidence that North Korea is the culprit:

We do not make this allegation lightly. It is based on evidence.

A representative of the government whose tools created this attack said this without irony.

The U.S. must lead this effort, rallying allies and responsible tech companies throughout the free world to increase the security and resilience of the internet.

And the guy whose boss has, twice in the last week, made googly eyes at Vladimir Putin said this as if he could do so credibly.

As we make the internet safer, we will continue to hold accountable those who harm or threaten us, whether they act alone or on behalf of criminal organizations or hostile nations.

Much of the op-ed is a campaign ad falsely claiming a big break with the Obama Administration.

Change has started at the White House. President Trump has made his expectations clear. He has ordered the modernization of government information-technology to enhance the security of the systems we run on behalf of the American people. He continued sanctions on Russian hackers and directed the most transparent and effective government effort in the world to find and share vulnerabilities in important software. We share almost all the vulnerabilities we find with developers, allowing them to create patches. Even the American Civil Liberties Union praised him for that. He has asked that we improve our efforts to share intrusion evidence with hacking targets, from individual Americans to big businesses. And there is more to come.

A number of the specific items Bossert pointed to to claim action are notable for the shoddy evidence underlying them, starting with the Behzad Mesri case and continuing to Kaspersky — which has consistently had more information on the compromises we blame it for than the US government.

When we must, the U.S. will act alone to impose costs and consequences for cyber malfeasance. This year, the Trump administration ordered the removal of all Kaspersky software from government systems. A company that could bring data back to Russia represents an unacceptable risk on federal networks. Major companies and retailers followed suit. We brought charges against Iranian hackers who hacked several U.S. companies, including HBO. If those hackers travel, we will arrest them and bring them to justice. We also indicted Russian hackers and a Canadian acting in concert with them. A few weeks ago, we charged three Chinese nationals for hacking, theft of trade secrets and identity theft. There will almost certainly be more indictments to come.

The Yahoo case, which is backed by impressive evidence, was based on evidence gathered under Obama, from whose Administration Bossert claims to have made a break.

And this kind of bullshit — in an op-ed allegedly focused on North Korea — is worthy of David Frum playing on a TRS-80.

Going forward, we must call out bad behavior, including that of the corrupt regime in Tehran.

Especially ending as it does with a thinly disguised call for war.

As for North Korea, it continues to threaten America, Europe and the rest of the world—and not just with its nuclear aspirations. It is increasingly using cyberattacks to fund its reckless behavior and cause disruption across the world. Mr. Trump has already pulled many levers of pressure to address North Korea’s unacceptable nuclear and missile developments, and we will continue to use our maximum pressure strategy to curb Pyongyang’s ability to mount attacks, cyber or otherwise.

I mean, maybe dirt poor North Korea really did build malware designed not to make money. But this is not the op-ed to credibly make that argument.

Trump Appears to Have Withheld the KT McFarland Email about the “Thrown Election”

This post explains what appears to be the real reason for the fake outrage about Mueller obtaining information from GSA: by doing so, he appears to have obtained proof that the Transition was withholding emails material to the investigation. Go to this post for a more general summary of what we know about the claim. 

Here’s the letter that a Trump For America lawyer sent to Congress to cause a big hullabaloo about how Robert Mueller obtained transition period emails. I unpacked it in this Twitter thread and commented on it in an update to this post.

But this passage deserves a separate post, because it seems to go to the heart of why the Republicans are spewing propaganda like this.

Additionally, certain portions of the PTT materials the Special Counsel’s Office obtained from the GSA, including materials that are susceptible to privilege claims, have been leaked to the press by unknown persons. Moreover, the leaked records have been provided to the press without important context and in a manner that appears calculated to inflict maximum reputational damage on the PTT and its personnel, without the inclusion of records showing that PTT personnel acted properly – which in turn forces TFA to make an impossible choice between (a) protecting its legal privileges by keeping its records confidential and (b) waiving its privileges by publicly releasing records that counteract the selective leaks and misguided news reports. In short, since the GSA improperly provided them to the Special Counsel’s Office, the PTT’s privileged materials have not only been reviewed privately by the Special Counsel’s Office without notification to TFA – they have also been misused publicly.

Kory Langhofer is insinuating — without quite risking the claim — that after GSA shared certain emails with Robert Mueller’s office, “unknown persons” leaked them to the press. The insinuation is that Mueller’s team leaked them.

I can think of just one set of emails that fit this description: emails from KT McFarland that provided proof that Mike Flynn lied to the FBI about his conversations with Sergei Kislyak on December 29, 2016. The NYT quoted extensively from them in a December 2 story.

Among other things, McFarland stated in the emails that Russia “has just thrown the U.S.A. election to” Trump.

On Dec. 29, a transition adviser to Mr. Trump, K. T. McFarland, wrote in an email to a colleague that sanctions announced hours before by the Obama administration in retaliation for Russian election meddling were aimed at discrediting Mr. Trump’s victory. The sanctions could also make it much harder for Mr. Trump to ease tensions with Russia, “which has just thrown the U.S.A. election to him,” she wrote in the emails obtained by The Times.

[snip]

Mr. Obama, she wrote, was trying to “box Trump in diplomatically with Russia,” which could limit his options with other countries, including Iran and Syria. “Russia is key that unlocks door,” she wrote.

She also wrote that the sanctions over Russian election meddling were intended to “lure Trump in trap of saying something” in defense of Russia, and were aimed at “discrediting Trump’s victory by saying it was due to Russian interference.”

“If there is a tit-for-tat escalation Trump will have difficulty improving relations with Russia, which has just thrown U.S.A. election to him,” she wrote.

Contrary to Langhofer’s suggestion, NYT made some effort to mitigate the damage of McFarland’s comment seemingly confirming the Trump team knew the election had been stolen, including speaking to a White House lawyer about it.

It is not clear whether Ms. McFarland was saying she believed that the election had in fact been thrown. A White House lawyer said on Friday that she meant only that the Democrats were portraying it that way.

And while NYT’s explanation that they got the emails “from someone who had access to transition team communications” certainly could include Mueller’s team among the culprits, it could also include GSA officials themselves or — even more likely — a former Trump official with a grudge. At least three were CCed on the email in question: Bannon, Priebus, and Spicer.

Mr. Bossert forwarded Ms. McFarland’s Dec. 29 email exchange about the sanctions to six other Trump advisers, including Mr. Flynn; Reince Priebus, who had been named as chief of staff; Stephen K. Bannon, the senior strategist; and Sean Spicer, who would become the press secretary.

In other words, Langhofer uses the leak as an excuse to suggest wrong-doing by Mueller, when other possibilities are far more likely.

But consider the other implication of this: Langhofer is suggesting that this email chain (which included no named active lawyers, nor included Trump directly, though the emails were written in Trump’s presence at Mar-a-Lago) is “susceptible to privilege claims.” He is further suggesting that GSA is the only way this email could have been released (ignoring, of course, the Bannon/Priebus/Spicer options).

If that’s right, then he’s suggesting that Trump was involved in this email chain directly. There’s no reason to believe he was CCed. But since the emails were written from Mar-a-Lago, it’s likely he was consulted in the drafting of the emails.

In addition, Langhofer is also admitting that Trump’s team didn’t release these emails directly — at least not to Congress.

Emails which couldn’t be more central to the point of Mueller’s investigation.

Did the GOP just admit that Trump withheld this email? Because if so, it suggests the “thrown election” comment is far more damning than the NYT laid out.

Update: It’s not clear whether Mueller ever tried to obtain these records via GSA (though it’s possible FBI obtained emails before the inauguration). But this, from the letter, makes it clear at least Congress had made requests, which led TFA to try to take GSA out of the loop even though SCO had a document preservation request.

In order to comply with congressional document production requests, TFA ordered from the GSA electronic copies of all PTT emails and other data. Career GSA staff initially expressed concern that providing copies of PTT emails to TFA might violate a document preservation request that the GSA had received from the Special Counsel’s Office.

Withholding this email from Congress would be particularly problematic, as McFarland testified in conjunction with her now-frozen nomination to be Ambassador to Singapore that she knew nothing about Flynn’s communications with Kislyak. h/t SS

Update: Ah, this explains how Mueller was getting emails: via voluntary production, along with everything the Transition was giving Congress. Which means the email was withheld, and this October subpoena was an attempt to see whether they’d cough it up on their own.

Special counsel Robert Mueller’s team in mid-October issued a subpoena to President Donald Trump’s campaign requesting Russia-related documents from more than a dozen top officials, according to a person familiar with the matter.

The subpoena, which requested documents and emails from the listed campaign officials that reference a set of Russia-related keywords, marked Mr. Mueller’s first official order for information from the campaign, according to the person. The subpoena didn’t compel any officials to testify before Mr. Mueller’s grand jury, the person said.

The subpoena caught the campaign by surprise, the person said. The campaign had previously been voluntarily complying with the special counsel’s requests for information, and had been sharing with Mr. Mueller’s team the documents it provided to congressional committees as part of their probes of Russian interference into the 2016 presidential election.

[snip]

Mueller’s team had previously issued subpoenas individually to several top campaign officials, including former campaign chairman Paul Manafort and former national security adviser Mike Flynn.

[Correction: I’ve been corrected on this passage, which makes it clear this is about campaign emails, not transition ones. But I assume he made parallel requests for all three phases of Trump organization.]

Update: Mueller’s spox, Peter Carr, issued a statement saying, “When we have obtained emails in the course of our ongoing criminal investigation, we have secured either the account owner’s consent or appropriate criminal process.” Given what I’ve laid out here, I actually think “C” may have been the case:

  • Subpoena to Flynn, obtain voluntary compliance for specific things as well as evidence shared with Congress prior to August
  • In August (perhaps after being alerted to withheld documents by Priebus/Spicer/Bannon/Papadopoulos?) obtain emails from GSA, technically the device owners
  • In October, subpoena for Russian-related emails from the same ~13 people

Trump Transition Team Outraged To Be Treated as Transition Team!!

This is a general post on the GOP claim Mueller improperly obtained emails from ~13 Transition officials, updated as new news becomes available. This post explains what is really going on: the Transition appears to have withheld emails — including the KT McFarland one referring to the election as having been “thrown” — and Mueller obtained proof they were withholding things.

Both Fox News and Axios have pieces reflecting the outrage!!! among Trump people that they got asked questions about emails they thought they had hidden from Mueller’s investigation. Axios reveals that Mueller obtained the full contents of 12 accounts (Reuters says 13), one including 7,000 emails, from people on the “political leadership” and “foreign-policy team;” it says it includes “sensitive emails of Jared Kushner.”

Fox reveals that a transition lawyer wrote Congress today claiming that it was unlawful for government employees to turn over emails hosted on government servers for a criminal investigation.

A lawyer for the Trump presidential transition team is accusing Special Counsel Robert Mueller’s office of inappropriately obtaining transition documents as part of its Russia probe, including confidential attorney-client communications and privileged communications.

In a letter obtained by Fox News and sent to House and Senate committees on Saturday, the transition team’s attorney alleges “unlawful conduct” by the career staff at the General Services Administration in handing over transition documents to the special counsel’s office.

Officials familiar with the case argue Mueller could have a problem relating to the 4th Amendment – which protects against unreasonable searches and seizures.

Kory Langhofer, the counsel to Trump for America, wrote in the letter that the GSA “did not own or control the records in question.”

But, Langhofer says, Mueller’s team has “extensively used the materials in question, including portions that are susceptible to claims of privilege.”

And Axios explains that the Trump people actually sorted through this stuff. “The sources say that transition officials assumed that Mueller would come calling, and had sifted through the emails and separated the ones they considered privileged.”

I’m really looking forward to hearing the full story about this, rather than just this partisan spin. For example, I’m interested in whether Mueller realized via some means (perhaps from someone like Reince Priebus or Sean Spicer — update, or George Papadopoulos) that the White House had withheld stuff that was clearly responsive to his requests, so he used that to ask GSA to turn over the full set.

I’m also interested in how they’ll claim any of this was privileged. The top 13 political and foreign policy people on the Trump team might include (asterisks mark people confirmed to be among those whose accounts were obtained):

  1. Pence
  2. Bannon
  3. Jared*
  4. Flynn*
  5. KT McFarland
  6. Spicer
  7. Priebus
  8. Nunes
  9. Sessions
  10. Seb Gorka
  11. Stephen Miller
  12. Hope Hicks
  13. Ivanka
  14. Don Jr
  15. Rebekah Mercer
  16. Kelly Anne Conway
  17. Rudy Giuliani
  18. Steven Mnuchin
  19. Rick Gates
  20. Corey Lewandowski
  21. Tom Bossert

Just one of those people — Sessions — is a practicing lawyer (and he wasn’t, then), and he wasn’t playing a legal role in the transition (though both Sessions and Nunes may have been using their congressional email, in which case Mueller likely would show far more deference; update: I’ve added Rudy 911 to the list, and he’d obviously qualify as a practicing lawyer). Though I suppose they might have been talking with a lawyer. But I would bet Mueller’s legal whiz, Michael Dreeben, would point to the Clinton White House Counsel precedent and say that transition lawyers don’t get privilege.

Furthermore, Trump wasn’t President yet! This has come up repeatedly in congressional hearings. You don’t get privilege until after you’re president, in part to prevent you from doing things like — say — undermining existing foreign policy efforts of the actually still serving President. So even if these people were repeating things Trump said, it wouldn’t be entitled to privilege yet.

Finally, consider that some of these people were testifying to the grand jury months and months ago. But we’re only seeing this complaint today. That’s probably true for two reasons. One, because Mueller used the emails in question (most notably, the emails between McFarland and Flynn from December 29 where they discussed Russian sanctions) to obtain a guilty plea from Flynn. And, second, because Republicans are pushing to get Trump to fire Mueller.

Update: I’ve added Pence, Don Jr., Ivanka, Hope Hicks, Kelly Anne Conway, Rudy Giuliani, Steven Mnuchin back in here.

Update: Here’s more from Reuters.

Langhofer, the Trump transition team lawyer, wrote in his letter that the GSA’s transfer of materials was discovered on Dec. 12 and 13.

The FBI had requested the materials from GSA staff last Aug. 23, asking for copies of the emails, laptops, cell phones and other materials associated with nine members of the Trump transition team responsible for national security and policy matters, the letter said.

On Aug. 30, the FBI requested the materials of four additional senior members of the Trump transition team, it said.

The GSA transfer may only have been discovered this week (probably as a result of Congress’ investigation). But the witnesses had to have known these emails went beyond the scope of what the transition turned over. And the request date definitely is late enough for Mueller to have discovered not everything got turned over, perhaps even from George Papadopoulos, who flipped in late July.

Update: One more thing. Remember that there were worries that transition officials were copying files out of a SCIF. That, by itself, would create an Insider Threat concern that would merit FBI obtaining these emails directly.

Update: Here’s a report dated June 15 on a transition lawyer instructing aides and volunteers to save anything relating to Russia, Ukraine, or known targets (Flynn, Manafort, Page, Gates, and Stone).

Update: AP reports that Flynn was (unsurprisingly) among those whose email was obtained.

Update: Here’s the letter. I unpacked it here. It’s a load of — I believe this is the technical term — shite. First, it stakes everything on PTT not being an agency. That doesn’t matter at all for a criminal investigation — Robert Mueller was not FOIAing this stuff. It then later invokes a bunch of privileges (the exception is the attorney client one) that only come with the consequent responsibilities. It then complains that Mueller’s team didn’t use a taint team.

Perhaps the craziest thing is they call for a law that would only permit someone to access such emails for a national security purpose — as if an espionage-related investigation isn’t a national security purpose!

Update: Chris Geidner got GSA’s side of the story. Turns out they claim the now dead cover up GC didn’t make the agreement the TFA lawyer says he did. In any case, GSA device users agreed their devices could be monitored.

“Beckler never made that commitment,” he said of the claim that any requests for transition records would be routed to the Trump campaign’s counsel.

Specifically, Loewentritt said, “in using our devices,” transition team members were informed that materials “would not be held back in any law enforcement” actions.

Loewentritt read to BuzzFeed News a series of agreements that anyone had to agree to when using GSA materials during the transition, including that there could be monitoring and auditing of devices and that, “Therefore, no expectation of privacy can be assumed.”

Update: Mueller’s spox, Peter Carr, issued a statement saying, “When we have obtained emails in the course of our ongoing criminal investigation, we have secured either the account owner’s consent or appropriate criminal process.”

Why Did Tom Bossert Claim WannaCry Was Spread Via Phishing?

Writing this post made me look more closely at what Trump’s Homeland Security Czar Tom Bossert said in a briefing on WannaCry on Monday, May 15.

He claimed, having just gotten off the phone with his British counterpart and in spite of evidence to the contrary, that there had been minimal disruption to care in Britain’s DHS.

The UK National Health Care Service announced 48 of its organizations were affected, and that resulted in inaccessible computers and telephone service, but an extremely minimal effect on disruption to patient care.

[snip]

And from the British perspective, I thought it was important to pass along from them two points — one, that they thought it was an extremely small number of patients that might have been inconvenienced and not necessarily a disruption to their clinical care, as opposed to their administrative processes.  And two, that they felt that some of those reports might have been misstated or overblown given how they had gotten themselves into a position of patching.

 

Of course, this may be an issue in the upcoming election, so I can see why Theresa May’s government might want to downplay any impact on patient care, especially since the Tories have long been ignoring IT problems at DHS.

He dodged a follow-up question about whether there might be more tools in the Shadow Brokers haul that would lead to similar attacks in the future, by pointing to our Vulnerabilities Equities Process.

Q    I guess a shorter way to put it would be is there more out there that you’re worried about that would lead to more attacks in the future?

MR. BOSSERT:  I actually think that the United States, more than probably any other country, is extremely careful with their processes about how they handle any vulnerabilities that they’re aware of.  That’s something that we do when we know of the vulnerability, not when we know we lost a vulnerability.  I think that’s a key distinction between us and other countries — and other adversaries that don’t provide any such consideration to their people, customers, or industry.

Obviously, the VEP did not prevent this attack. More importantly, someone in government really needs to start answering what the NSA and CIA (and FBI, if it ever happens) do when their hacking tools get stolen, an issue which Bossert totally ignored.

But I’m most interested in something Bossert said during the original exchange on NSA’s role in all this.

Q    So this is one episode of malware or ransomware.  Do you know from the documents and the cyber hacking tools that were stolen from NSA if there are potentially more out there?

MR. BOSSERT:  So there’s a little bit of a double question there.  Part of that has to do with the underlying vulnerability exploit here used.  I think if I could, I’d rather, instead of directly answering that, and can’t speak to how we do or don’t do our business as a government in that regard, I’d like to instead point out that this was a vulnerability exploit as one part of a much larger tool that was put together by the culpable parties and not by the U.S. government.

So this was not a tool developed by the NSA to hold ransom data.  This was a tool developed by culpable parties, potentially criminals of foreign nation states, that was put together in such a way so to deliver it with phishing emails, put it into embedded documents, and cause an infection in encryption and locking. [my emphasis]

Three days into the WannaCry attack, having spent the weekend consulting with DHS and NSA, Bossert asserted that WannaCry was spread via phishing.

That is a claim that was reported in the press. But even by Monday, I was seeing security researchers persistently question the claim. Over and over they kept looking and failing to find any infections via phishing. And I had already seen several demonstrations showing it didn’t spread via phishing.

Now, Bossert is one of the grown-ups in the Trump Administration. His appointment — and the cybersecurity policy continuity with Obama’s policy — was regarded with relief when it was made, as laid out in this Wired profile.

“People that follow cybersecurity issues will be happy that Tom is involved in those discussions as one of the reasoned voices,” Healey says.

“Frankly, he’s an unusual figure in this White House. He’s not a Bannon. He’s not even a Priebus,” says one former senior Obama administration official who asked to remain unnamed, contrasting Bossert with Trump’s top advisers Stephen Bannon and Reince Priebus. “He has a lot of credibility. He’s very straightforward and level-headed.”

And (as the rest of the profile makes clear) he does know cybersecurity.

So I’m wondering why Bossert was stating that this attack spread by phishing at a time when open source investigation had already largely undermined that hasty claim.

There are at least three possibilities. Perhaps Bossert simply misstated here, accidentally blaming the vector we’ve grown used to blaming. Possibly (though this would be shocking) the best SIGINT agency in the world still hadn’t figured out what a bunch of people on Twitter already had.

Or, perhaps there were some phished infections, which quickly got flooded as the infection spread via SMB. Though that’s unlikely, because the certainty that it didn’t spread via email has only grown since Monday.

So assuming Bossert was, in fact, incorrect when he made this claim, why did he have this faulty information?