Exposing the Man Behind the Curtain

And, given the role that the leaking of unsubstantiated classified information from anonymous government sources to the American media has played in underpinning the public arguments made by the Intelligence Community on the Russian role in the cyber attacks on the DNC, the irony behind the ICA findings about the role of Russian media in shaping American public opinion is palpable.

Second, and perhaps more important, is the chilling effect the conflation of being critical of a source and questioning the veracity of what has been reported has on the very act of skeptical inquisition that marks a free society’s relationship with its public servants.  Efforts have been made to link any person or entity that takes a critical approach to the issue of Russian involvement in the U.S. election process as somehow being an agent – witting or otherwise – of Russia (a November 24, 2016 Washington Post story – “Russian propaganda effort helped spread ‘fake news’ during election, experts say” –serves as a case in point; again, the irony that this report appeared in the same paper that served as the primary conduit for anonymously sourced leaked intelligence information sustaining both the Intelligence Community and Obama administration’s case against Russia should be lost on no one.)

Somehow, however, the act of questioning whether the intelligence community got it right on the Russian ICA has been turned into an act of denigration.  “There’s a difference between skepticism and disparagement,” DNI Clapper told the Armed Services Committee, after being asked by Senator Claire McCaskill about the “trashing of the intelligence community.”

The very act of being skeptical, however, is difficult in an environment where the intelligence is sold as virtually unimpeachable.  In response to a question by Senator McCain asking if the intelligence community stood by its assertions in its October 7, 2016 statement that it was confident the Russian government directed the thefts and disclosures of information, and that these actions were intended to interfere in the Presidential election, DNI Clapper responded that “We stand, actually more resolutely on the strength of that statement than we did on the 7th of October.”

“We have 17 intelligence agencies, civilian and military, who have all concluded that these espionage attacks, these cyberattacks, come from the highest levels of the Kremlin, and they are designed to influence our election.”  This statement was false when it was made by Hillary Clinton, on October 9, 2016, referring to the aforementioned October 7 joint statement by DHS and the ODNI; as was the case for the Russian ICA, the joint statement drew upon only three of the 16 agencies (the 17th is the ODNI, which is a coordinating body, not a separate intelligence agency), the only intelligence agencies involved in crafting the underlying assessments and judgments were the FBI, CIA and NSA.

When one dissects the nuts and bolts that hold the Russian ICA together, the framework is actually quite weak.  The FBI, the sole agency responsible for intelligence derived from a domestic source (i.e., the DNC server and John Podesta) has acknowledged that it has had no direct access to the servers involved, and was compelled to carry out its investigation based upon the technical report of a private cyber security company, Crowdstrike, brought in by the DNC in April 2016.

Rather than sharing the technical details of the cyber intrusion with the National Cyber Communications Integration Center (NCCIC), as is the norm, the DNC ordered Crowdstrike to instead share its report with the Washington Post, which wrote a front-page story on June 14, 2016 that reported, as fact, the assertions by Crowdstrike that Russian intelligence was behind the cyber attacks on the DNC. 

Both the FBI and NSA are reported to have been tracking intrusions into the DNC server dating back to July 2015.  But, as the Crowdstrike information confirms, these cyber events were associated with known cyber activity known as Advanced Persistent Threat (APT) 29, which Crowdstrike subsequently named “Fancy Bear.”

The NSA reportedly briefed select Congressional leaders about the APT 29 activity as early as July 2015, but insisted that this information remain closely held in order to protect an ongoing intelligence collection effort designed to trace the cyber intrusion back to its source.

While the NSA and the FBI were deeply involved in monitoring the APT 29 intrusion, however, another intrusion is alleged to have taken place, this time by a separate cyber activity known as APT 28, or “Cozy Bear.”  The Crowdstrike technical findings, as reported by the Washington Post, associate APT 28/”Cozy Bear” with the Russian military’s Main Intelligence Directorate, or GRU. 

There is good reason to believe that Crowdstrike is the only source of information about the APT 28/”Cozy Bear” intrusion; even after information from the DNC was made public by Wikileaks, no action was taken to alert John Podesta that his personal emails had been stolen.  This indicates that neither the FBI nor NSA were aware of that particular intrusion; the FBI didn’t interview Mr. Podesta about the breach until October 9, 2016 – two days after the initial batch of his personal emails was published by Wikileaks.)  This reinforces the notion that the specific attribution of the Russian GRU to the DNC cyber intrusion is solely the product of a private cyber security firm on the payroll of the DNC, and not the FBI or NSA.

DNI Clapper, in his testimony of January 10, 2017 before the Senate Select Intelligence Committee, noted that cyber intrusions like that which occurred at the DNC leave a trail that can be followed, and that this was precisely what had happened in this case.  While DNI Clapper declined to discuss the specific tradecraft involved in “following the cyber trail”, Edward Snowden, the NSA contractor-turned-whistleblower who leaked thousands of highly classified documents to news outlets in 2013, has shed some insight into the possible sources and methods relied upon by the NSA to trace the July 2015 cyber attack on the DNC server back to Russia.  Snowden highlighted one NSA analytical tool in particular – Xkeyscore, as being extremely useful in tracking the identity of hackers.  “Even if the attackers try to obfuscate origins,” Snowden tweeted, “#XKeyscore makes following exfiltrated data easy.”

According to the documents released by Snowden, the real-time detection and monitoring capability of XKeyscore would have allowed the NSA to trace the cyber attack detected on the DNC server back to specific command and control servers, the electronic communications associated with those servers, and identify the specific keyboard type used to create the code and related electronic communications between the hacker and the malware that was imbedded in the DNC’s system.  XKeyscore would have allowed the NSA to attribute the cyber intrusion of the DNC server to APT 29 (and even APT 28, if they were able to track that intrusion as well.)

APT 28/”Cozy Bear” and APT 29/”Fancy Bear” represent cyber tools and methodologies, not individuals or groups.  Their affiliation into quantifiable entities is a byproduct of analysis carried out by government and non-government cyber security players who have detected, over time, patterns of related activity that lent themselves to specific, if somewhat nebulous, attribution.  The specific linkage between these cyber activities and the intelligence services of Russia are a matter of speculation based upon analysis of the countries and institutions targeted by actors using these tools and methodologies, and forensic examination of the malware involved that suggests a Russian origin.

But there is no specific proof. Crowdstrike attributes its claims that Russian intelligence was behind the DNC cyber intrusion to a report by the German domestic intelligence service (BfV) about a cyber attack on the German Parliament in 2015. “Many of these attack campaigns,” the German report, published in January 2016, noted, “have technical similarities, such as malicious software families, and infrastructure — these are important indicators of the same authorship. It is assumed that both the Russian domestic intelligence service FSB and the military foreign intelligence service GRU run cyber operations.” 

Assumed, not known. One must keep in mind the fact that the German BfV was using XKeyscore at the time to track the parties who launched the cyber attack against the German Parliament; the best they could do was come up with an assumption.

The attributions made in the ICA to the Russian intelligence services regarding the cyber attacks on the DNC server, and others, are not as solid as DNI Clapper has led his audience to believe.  Neither is the element of intent.  There have been reports in the media of intercepted Russian communications, and Clapper himself informed the Senate Select Intelligence Community on January 10, 2017 that the ICA also made use of human sources.  But there is no “smoking gun” that specifically links President Putin, as claimed in the ICA, to the theft of the emails from the DNC and John Podesta, and the release of these emails to Wikileaks and other outlets; the attribution is purely the result of analysis on the part of those who prepared the ICA.

In the intelligence business, there is no higher crime than the politicization of intelligence (save perhaps the outright falsification of data with the intent to mislead – itself a politicized act.)  Former CIA Director Robert Gates addressed the problem of politicized intelligence back in 1992, and his words resonate today.  Gates defined the politicization of intelligence as the deliberate distortion of “analysis or judgments to favor a preferred line of thinking irrespective of evidence,” usually occurring when intelligence products “are forced to conform to policymaker’s views.”

Director Gates noted that it was proper for policymakers, such as the President of the United States and Congress, to request specific intelligence products that address issues of importance to them.  This was the bread and butter of the intelligence business.  However, Gates said, it would be improper for a policymaker to dictate the “line of march” that he or she expected the analysis contained in any such requested product to take. 

On December 9, 2016, President Obama ordered the intelligence community to conduct a thorough review of the Russian cyber interference into the U.S. presidential election of 2016.  One of the critical issues to be addressed in the review was whether or not the intent of any Russian intervention was to tilt the election in favor of one candidate – Donald Trump – over another – Hillary Clinton.

“This happened at the highest levels of the Russian government,” Obama announced on December 16, 2016 – perhaps the clearest example of the senior-most policy maker dictating the “line of march” expected from the analysis underpinning the requested intelligence assessment.

The ICA, by its own admission, contains no “fact,” but rather a series of assessments based upon analysis derived from unknown sources.  The Russian hacking case, as presented in the ICA, isn’t about fact, but rather public opinion.  The declassified ICA was not produced for the benefit of the President or Congress – they already had their classified briefings, and were aware of the conclusions.  The declassified ICA was produced for public consumption, designed from the start to sway public opinion in a manner that influenced the composition of the cabinet, and policies of the administration, of President-elect Donald Trump.  In this light, the release of the declassified ICA was, in every sense of the word, a political act, with the intelligence contained therein, by definition, politicized.

It was interesting to note that DNI Clapper told the Senate Select Intelligence Committee, in open session on January 10, 2016, that the State Department, in particular its Bureau of Intelligence and Research (INR) was excluded from participating in the preparation of the classified ICA because of “sensitivity of sources.”  This seems to be a unique circumstance, as the Senator who asked the question noted; INR analysts possess the highest level of security clearances that grant them access to a broad range of highly classified sources of intelligence.

The implication inherent in DNI Clapper’s revelation is that the classified information relied upon by the Intelligence Community was so specific as to its nature, and so critical and central to the judgments made in the ICA, that it could not be worked around to the extent necessary to shield its specific source from the analysts in the INR. 

This exclusion, however, would cut across the entire intelligence community, given the “need to know” caveats attached to most, if not all, sensitive information of this nature.  If this was, indeed, the standard applied, then it would also exclude from participation in preparation of the ICA many of the CIA’s own analysts, and most, if not all, of the academics recruited to fill positions within the National Intelligence Council, the arm of the ODNI responsible for overseeing the production of multi-agency assessments like the ICA on Russian involvement in the 2016 presidential election.

If DNI Clapper is telling the truth, then the ICA was prepared in a manner that violated the very tradecraft regarding the preparation of intelligence community analytical products he proudly cited to underpin the credibility of the ICA.  It also implies that the intelligence community was comfortable with excluding from one of the most important assessments of Russian intent in modern times the very agency, the Department of State, that deals with the Russians on a broad spectrum of issues on a daily basis, and as such would be ideally positioned to weigh in on issues such as Russian intent – especially that of its leader, Vladimir Putin.

DNI Clapper’s testimony on the lack of INR participation brings to mind his infamous testimony before the very same Senate Select Intelligence Committee, on March 12, 2013, when asked about the existence of a classified intelligence collection program.  Rather than declining to comment on the question, Clapper responded simply, “No.”  Subsequent disclosures by Edward Snowden showed that Clapper had lied.  When confronted with this lie, Clapper explained that he “responded in what I thought was the most truthful, or the least untruthful manner.”

The exclusion of the State Department’s intelligence bureau (historically one of the most insightful and inquisitive members of the Intelligence Communities whose questioning of what otherwise would be consensus opinion is more often than not proven correct – witness the INR footnotes in the 2002 National Intelligence Estimate on Iraqi weapons of mass destruction) should serve as a red flag for Congressional intelligence oversight committees.  The Senate Select Intelligence Committee has already established a select group to investigate the intelligence sources used to underpin the ICA; DNU Clapper has promised to support their work.

More important, at least from the perspective of the American public, is the request made by the Chairman of the House Permanent Select Committee on Intelligence, Devin Nunes.  In a letter dated December 12, 2016, Chairman Nunes requested DNI Clapper to have the Office of Analytic Integrity and Standards prepare, for release to the committee, an analytic and tradecraft review of any Intelligence Community assessments related to alleged Russian involvement in cyber activities related to the U.S. presidential election.  Such an inquiry would delve into the very processes of analysis and assessment, and answer the kind of “who said what, when, and based on what information” questions that would expose any potential politicization of intelligence that may have occurred in the production of the ICA.

In the closing scenes of the classic 1939 movie, “The Wizard of Oz”, Dorothy, played by Judy Garland, confronts the “Wizard,” a giant talking head.

“The Great Oz has spoken!” the giant talking head proclaims.

But one of Dorothy’s companions pulls back a curtain next to the giant head, revealing a short pudgy man manipulating a contraption, and speaking into a microphone.  The man – the “Wizard of Oz” – sees Dorothy as he speaks. 

“Oh…I…Pay no…attention to that man behind the curtain.  The…Great…Oz…has spoken!”

The ICA on Russian influence operations in the 2016 U.S. presidential election has been published, at least in unclassified form.  There is a concerted effort by the White House, many members of Congress, and a surprisingly unquestioning American media to accept the ICA and its judgments at face value.

DNI Clapper has spoken, not once, but several times. 

It is imperative that Representative Nunes follows through on his request for an analytic and tradecraft review of the ICA, especially when the ICA delves into matters that have been classified by Senator John McCain and others as constituting “an act of war.”

America has a right to know the truth about the man behind the curtain.