Illustration: Soohee Cho for The Intercept
Here’s the Public Evidence Russia Hacked the DNC – It’s Not Enough
Sam Biddle
December 14 2016, 11:30 a.m.
There are some good reasons to believe Russians had something to do with the
breaches into email accounts belonging to members of the Democratic party,
which proved varyingly embarrassing or disruptive for Hillary Clinton’s
presidential campaign. But “good” doesn’t necessarily mean good enough to
indict Russia’s head of state for sabotaging our democracy.
There’s a lot of evidence from the attack on the table, mostly detailing how
the hack was perpetrated, and possibly the language of the perpetrators. It
certainly remains plausible that Russians hacked the DNC, and remains possible
that Russia itself ordered it. But the refrain of Russian attribution has been
repeated so regularly and so emphatically that it’s become easy to forget that
no one has ever truly proven the claim. There is strong evidence indicating
that Democratic email accounts were breached via phishing messages, and that
specific malware was spread across DNC computers. There’s even evidence that
the attackers are the same group that’s been spotted attacking other targets in
the past. But again: No one has actually proven that group is the Russian
government (or works for it). This remains the enormous inductive leap that’s
not been reckoned with, and Americans deserve better.
We should also bear in mind that private security firm CrowdStrike’s frequently
cited findings of Russian responsibility were essentially paid for by the DNC,
who contracted their services in June. It’s highly unusual for evidence of a
crime to be assembled on the victim’s dime. If we’re going to blame the Russian
government for disrupting our presidential election — easily construed as an
act of war — we need to be damn sure of every single shred of evidence.
Guesswork and assumption could be disastrous.
The gist of the Case Against Russia goes like this: The person or people who
infiltrated the DNC’s email system and the account of John Podesta left behind
clues of varying technical specificity indicating they have some connection to
Russia, or at least speak Russian. Guccifer 2.0, the entity that originally
distributed hacked materials from the Democratic party, is a deeply suspicious
figure who has made statements and decisions that indicate some Russian
connection. The website DCLeaks, which began publishing a great number of DNC
emails, has some apparent ties to Guccifer and possibly Russia. And then
there’s Wikileaks, which after a long, sad slide into paranoia, conspiracy
theorizing, and general internet toxicity, has made no attempt to mask its
affection for Vladimir Putin and its crazed contempt for Hillary Clinton.
(Julian Assange has been stuck indoors for a very, very long time.) If you look
at all of this and sort of squint, it looks quite strong indeed, an
insurmountable heap of circumstantial evidence too great in volume to dismiss
as just circumstantial or mere coincidence.
But look more closely at the above and you can’t help but notice all of the
qualifying words: Possibly, appears, connects, indicates. It’s impossible (or
at least dishonest) to present the evidence for Russian responsibility for
hacking the Democrats without using language like this. The question, then, is
this: Do we want to make major foreign policy decisions with a belligerent
nuclear power based on suggestions alone, no matter how strong?
What We Know
So far, all of the evidence pointing to Russia’s involvement in the Democratic
hacks (DNC, DCCC, Podesta, et al.) comes from either private security firms
(like CrowdStrike or FireEye) who sell cyber-defense services to other
companies, or independent researchers, some with university affiliations and
serious credentials, and some who are basically just Guys on Twitter. Although
some of these private firms and groups had proprietary access to DNC computers or
files from them, much of the evidence has been drawn from publicly available
data like the hacked emails and documents.
Some of the malware found on DNC computers is believed to be the same as that
used by two hacking groups believed to be Russian intelligence units, codenamed
APT (Advanced Persistent Threat) 28/Fancy Bear and APT 29/Cozy Bear by industry
researchers who track them.
• The attacker or attackers registered a deliberately misspelled domain
name used for email phishing attacks against DNC employees, connected to an IP
address associated with APT 28/Fancy Bear.
• Malware found on the DNC computers was programmed to communicate with
an IP address associated with APT 28/Fancy Bear.
• Metadata in a file leaked by “Guccifer 2.0” shows it was modified by a
user called, in Cyrillic, “Felix Edmundovich,” a reference to the founder of a
Soviet-era secret police force. Another document contained Cyrillic metadata
indicating it had been edited on a document with Russian language settings.
• Peculiarities in a conversation with “Guccifer 2.0” that Motherboard
published in June suggest he is not Romanian, as he originally claimed.
• The DCLeaks.com domain was registered by a person using the same email
service as the person who registered a misspelled domain used to send phishing
emails to DNC employees.
• Some of the phishing emails were sent using Yandex, a Moscow-based
webmail provider.
• A bit.ly link believed to have been used by APT 28/Fancy Bear in the
past was also used against Podesta.
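The document-metadata item above rests on a field that is ordinary text. As an added illustration, not code from the article or from any of the firms it quotes, the script below builds a constructed .docx container in memory, reads the core properties an examiner would cite (creator, last modified by, timestamps), flags a Cyrillic editor name, and checks the timestamps for internal consistency. All names, dates and the document itself are constructed samples.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespaces used by Office Open XML core properties (docProps/core.xml).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/docProps/core.xml" '
    'ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
    "</Types>"
)


def build_core_xml(creator, last_modified_by, created, modified):
    """Produce a docProps/core.xml part. The name fields are free text taken
    from whatever user profile the editing software was configured with."""
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>{creator}</dc:creator>"
        "<cp:lastModifiedBy>{lmb}</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        "</cp:coreProperties>"
    ).format(creator=creator, lmb=last_modified_by, created=created,
             modified=modified, **NS)


def build_docx(core_xml):
    """Constructed sample: a minimal OOXML zip container holding only the
    metadata parts, which is all that the reader below needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


def read_core_properties(docx_bytes):
    """Extract the fields that get quoted as 'document metadata'."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


def has_cyrillic(s):
    """True if any character lies in the Cyrillic Unicode block (U+0400..U+04FF)."""
    return any("\u0400" <= ch <= "\u04ff" for ch in (s or ""))


def timestamps_consistent(props):
    """A 'modified' time earlier than 'created' is a sign the fields were
    edited by hand rather than written by the application."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    created = datetime.strptime(props["created"], fmt)
    modified = datetime.strptime(props["modified"], fmt)
    return modified >= created


if __name__ == "__main__":
    # Constructed sample values; the Cyrillic name is the article's example.
    sample = build_docx(build_core_xml(
        "Sample Author", "Феликс Эдмундович",
        "2016-06-15T10:00:00Z", "2016-06-15T10:30:00Z"))
    props = read_core_properties(sample)
    print(props, "cyrillic editor name:", has_cyrillic(props["last_modified_by"]),
          "timestamps consistent:", timestamps_consistent(props))
```

The editor name comes out exactly as whoever saved the file had it configured, so the check tells you the configured profile name and the document's own timeline, nothing about who sat at the keyboard.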
Why That Isn’t Enough
Viewed as a whole, the above evidence looks strong, and maybe even damning. But
view each piece on its own, and it’s hard to feel impressed.
For one, a lot of the so-called evidence above is no such thing. CrowdStrike,
whose claims of Russian responsibility are perhaps most influential throughout
the media, says APT 28/Fancy Bear “is known for its technique of registering
domains that closely resemble domains of legitimate organizations they plan to
target.” But this isn’t a Russian technique any more than using a computer is a
Russian technique — misspelled domains are a cornerstone of phishing attacks
all over the world. Is Yandex — the Russian equivalent of Google — some sort of
giveaway? Anyone who claimed a hacker must be a CIA agent because they used a
Gmail account would be laughed off the internet. We must also acknowledge that
just because Guccifer 2.0 pretended to be Romanian, we can’t conclude he works
for the Russian government — it just makes him a liar.
Next, consider the fact that CrowdStrike describes APT 28 and 29 like this:
Their tradecraft is superb, operational security second to none and the
extensive usage of ‘living-off-the-land’ techniques enables them to easily
bypass many security solutions they encounter. In particular, we identified
advanced methods consistent with nation-state level capabilities including
deliberate targeting and ‘access management’ tradecraft – both groups were
constantly going back into the environment to change out their implants, modify
persistent methods, move to new Command & Control channels and perform other
tasks to try to stay ahead of being detected.
Compare that description to CrowdStrike’s claim it was able to finger APT 28
and 29, described above as digital spies par excellence, because they were so
incredibly sloppy. Would a group whose “tradecraft is superb” with “operational
security second to none” really leave behind the name of a Soviet spy chief
imprinted on a document it sent to American journalists? Would these groups
really be dumb enough to leave Cyrillic comments on these documents? Would
these groups that “constantly [go] back into the environment to change out
their implants, modify persistent methods, move to new Command & Control
channels” get caught because they didn’t take care to avoid IP addresses
they’d been associated with before? It’s very hard to buy the argument
that the Democrats were hacked by one of the most sophisticated, diabolical
foreign intelligence services in history, and that we know this because they
screwed up over and over again.
But how do we even know these oddly named groups are Russian? CrowdStrike
co-founder Dmitri Alperovitch himself describes APT 28 as a “Russian-based
threat actor” whose modus operandi “closely mirrors the strategic interests of
the Russian government” and “may indicate affiliation [Russia’s] Main
Intelligence Department or GRU, Russia’s premier military intelligence
service.” Security firm SecureWorks issued a report blaming Russia with
“moderate confidence.” What constitutes moderate confidence? SecureWorks said
it adopted the “grading system published by the U.S. Office of the Director of
National Intelligence to indicate confidence in their assessments. … Moderate
confidence generally means that the information is credibly sourced and
plausible but not of sufficient quality or corroborated sufficiently to warrant
a higher level of confidence.” All of this amounts to a very educated guess, at
best.
Even the claim that APT 28/Fancy Bear itself is a group working for the Kremlin
is speculative, a fact that’s been completely erased from this year’s
discourse. In its 2014 reveal of the group, the high-profile security firm
FireEye couldn’t even blame Russia without a question mark in the headline:
“APT28: A Window into Russia’s Cyber Espionage Operations?” The blog post
itself is remarkably similar to arguments about the DNC hack: Technical but
still largely speculative, presenting evidence the company “[believes] indicate
a government sponsor based in Moscow.” Believe! Indicate! We should know
already this is no smoking gun. FireEye’s argument that the malware used by APT
28 is connected to the Russian government is based on the belief that its
“developers are Russian language speakers operating during business hours that
are consistent with the time zone of Russia’s major cities.”
As security researcher Jeffrey Carr pointed out in June, FireEye’s 2014 report
on APT 28 is questionable from the start:
To my surprise, the report’s authors declared that they deliberately excluded
evidence that didn’t support their judgment that the Russian government was
responsible for APT28’s activities:
“APT28 has targeted a variety of organizations that fall outside of the three
themes we highlighted above. However, we are not profiling all of APT28’s
targets with the same detail because they are not particularly indicative of a
specific sponsor’s interests.” (emphasis added)
That is the very definition of confirmation bias. Had FireEye published a
detailed picture of APT28’s activities including all of their known targets,
other theories regarding this group could have emerged; for example, that the
malware developers and the operators of that malware were not the same or even
necessarily affiliated.
The notion that APT 28 has a narrow focus on American political targets is
undermined in another SecureWorks paper, which shows that the hackers have a
wide variety of interests: 10 percent of their targets are NGOs, 22 percent are
journalists, 4 percent are aerospace researchers, and 8 percent are “government
supply chain.” SecureWorks says that only 8 percent of APT 28/Fancy Bear’s
targets are “government personnel” of any nationality — hardly the focused
agenda described by CrowdStrike.
Truly, the argument that “Guccifer 2.0” is a Kremlin agent or that GRU breached
John Podesta’s email only works if you presume that APT 28/Fancy Bear is a unit
of the Russian government, a fact that has never been proven beyond any
reasonable doubt. According to Carr, “it’s an old assumption going back years
to when any attack against a non-financial target was attributed to a state
actor.” Without that premise, all we can truly conclude is that some email
accounts at the DNC et al. appear to have been broken into by someone, and
perhaps they speak Russian. Left ignored is the mammoth difference between
Russians and Russia.
Security researcher Claudio Guarnieri put it this way:
[Private security firms] can’t produce anything conclusive. What they produce
is speculative attribution that is pretty common to make in the threat research
field. I do that same speculative attribution myself, but it is just
circumstantial. At the very best it can only prove that the actor that
perpetrated the attack is very likely located in Russia. As for government
involvement, it can only speculate that it is plausible because of context and
political motivations, as well as technical connections with previous (or
following attacks) that appear to be perpetrated by the same group and that
corroborate the analysis that it is a Russian state-sponsored actor (for
example, hacking of institutions of other countries Russia has some
geopolitical interests in).
Finally, one can’t be reminded enough that all of this evidence comes from
private companies with a direct financial interest in making the internet seem
as scary as possible, just as Lysol depends on making you believe your kitchen
is crawling with E. coli.
What Does the Government Know?
In October, the Department of Homeland Security and the Office of the Director
of National Intelligence released a joint statement blaming the Russian
government for hacking the DNC. In it, they state their attribution plainly:
The U.S. Intelligence Community (USIC) is confident that the Russian Government
directed the recent compromises of e-mails from US persons and institutions,
including from US political organizations. The recent disclosures of alleged
hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0
online persona are consistent with the methods and motivations of
Russian-directed efforts. These thefts and disclosures are intended to
interfere with the US election process.
What’s missing is any evidence at all. If this federal confidence is based on
evidence that’s being withheld from the public for any reason, that’s one thing
— secrecy is their game. But if the U.S. Intelligence Community is asking the
American electorate to believe them, to accept as true their claim that our
most important civic institution was compromised by a longtime geopolitical
nemesis, we need them to show us why.
The same goes for the CIA, which is now squaring off directly against Trump,
claiming (through leaks to the Washington Post and New York Times) that the
Russian government conducted the hacks for the express purpose of helping
defeat Clinton. Days later, Senator John McCain agreed with the assessment,
deeming it “another form of warfare.” Again, it’s completely possible (and
probable, really) that the CIA possesses hard evidence that could establish
Russian attribution — it’s their job to have such evidence, and often to keep
it secret.
But what we’re presented with isn’t just the idea that these hacks happened,
and that someone is responsible, and, well, I guess it’s just a shame. Our
lawmakers and intelligence agencies are asking us to react to an attack that is
almost military in nature — this is, we’re being told, “warfare.” When a
foreign government conducts (or supports) an act of warfare against another
country, it’s entirely possible that there will be an equal response. What
we’re looking at now is the distinct possibility that the United States will
consider military retaliation (digital or otherwise) against Russia, based on
nothing but private sector consultants and secret intelligence agency notes. If
you care about the country enough to be angry at the prospect of
election-meddling, you should be terrified of the prospect of military tensions
with Russia based on hidden evidence. You need not look too far back in recent
history to find an example of when wrongly blaming a foreign government for
sponsoring an attack on the U.S. has tremendously backfired.
We Need the Real Evidence, Right Now
It must be stated plainly: The U.S. intelligence community must make its
evidence against Russia public if they want us to believe their claims. The
integrity of our presidential elections is vital to the country’s survival;
blind trust in the CIA is not. A governmental disclosure like this is also not
entirely without precedent: In 2014, the Department of Justice produced a
56-page indictment detailing their exact evidence against a team of Chinese
hackers working for the People’s Liberation Army, accused of stealing American
trade secrets; each member was accused by name. The 2014 trade secret theft was
a crime of much lower magnitude than election meddling, but what the DOJ
furnished is what we should demand today from our country’s spies.
If the CIA does show its hand, we should demand to see the evidence that
matters (which, according to Edward Snowden, the government probably has, if it
exists). I asked Jeffrey Carr what he would consider undeniable evidence of
Russian governmental involvement: “Captured communications between a Russian
government employee and the hackers,” adding that attribution “should solely be
handled by government agencies because they have the legal authorization to do
what it takes to get hard evidence.”
Claudio Guarnieri concurred:
All in all, technical circumstantial attribution is acceptable only so far as
it is to explain an attack. It most definitely isn’t for the political
repercussions that we’re observing now. For that, only documental evidence that
is verifiable or intercepts of Russian officials would be convincing enough, I
suspect.
Given that the U.S. routinely attempts to intercept the communications of heads
of state around the world, it’s not impossible that the CIA or the NSA has
exactly this kind of proof. Granted, these intelligence agencies will be loath
to reveal any evidence that could compromise the method they used to gather it.
But in times of extraordinary risk, with two enormous military powers placed in
direct conflict over national sovereignty, we need an extraordinary disclosure.
The stakes are simply too high to take anyone’s word for it.
sponsoring an attack on the U.S. has tremendously backfired.
We Need the Real Evidence, Right Now
It must be stated plainly: The U.S. intelligence community must make its
evidence against Russia public if they want us to believe their claims. The
integrity of our presidential elections is vital to the country’s survival;
blind trust in the CIA is not. A governmental disclosure like this is also not
entirely without precedent: In 2014, the Department of Justice produced a
56-page indictment detailing their exact evidence against a team of Chinese
hackers working for the People’s Liberation Army, accused of stealing American
trade secrets; each member was accused by name. The 2014 trade secret theft was
a crime of much lower magnitude than election meddling, but what the DOJ
furnished is what we should demand today from our country’s spies.
If the CIA does show its hand, we should demand to see the evidence that
matters (which, according to Edward Snowden, the government probably has, if it
exists). I asked Jeffrey Carr what he would consider undeniable evidence of
Russian governmental involvement: “Captured communications between a Russian
government employee and the hackers,” adding that attribution “should solely be
handled by government agencies because they have the legal authorization to do
what it takes to get hard evidence.”
Claudio Guarnieri concurred:
All in all, technical circumstantial attribution is acceptable only so far as
it is to explain an attack. It most definitely isn’t for the political
repercussions that we’re observing now. For that, only documental evidence that
is verifiable or intercepts of Russian officials would be convincing enough, I
suspect.
Given that the U.S. routinely attempts to intercept the communications of heads
of state around the world, it’s not impossible that the CIA or the NSA has
exactly this kind of proof. Granted, these intelligence agencies will be loath
to reveal any evidence that could compromise the method they used to gather it.
But in times of extraordinary risk, with two enormous military powers placed in
direct conflict over national sovereignty, we need an extraordinary disclosure.
The stakes are simply too high to take anyone’s word for it.