For two and a half years the House Intelligence Committee knew CrowdStrike didn’t have the goods on Russia. Now the public knows too.
Ray McGOVERN
House Intelligence Committee documents released Thursday reveal that the committee was told two and half years ago that the FBI had no concrete evidence that Russia hacked Democratic National Committee computers to filch the DNC emails published by WikiLeaks in July 2016.
The until-now-buried, closed-door testimony came on Dec. 5, 2017 from Shawn Henry, a protege of former FBI Director Robert Mueller (from 2001 to 2012), for whom Henry served as head of the Bureau’s cyber crime investigations unit.
Henry retired in 2012 and took a senior position at CrowdStrike, the cyber security firm hired by the DNC and the Clinton campaign to investigate the cyber intrusions that occurred before the 2016 presidential election.
The following excerpts from Henry’s testimony speak for themselves. The dialogue is not a paragon of clarity; but if read carefully, even cyber neophytes can understand:
Ranking Member Mr. [Adam] Schiff: Do you know the date on which the Russians exfiltrated the data from the DNC? … when would that have been?
Mr. Henry: Counsel just reminded me that, as it relates to the DNC, we have indicators that data was exfiltrated from the DNC, but we have no indicators that it was exfiltrated (sic). … There are times when we can see data exfiltrated, and we can say conclusively. But in this case, it appears it was set up to be exfiltrated, but we just don’t have the evidence that says it actually left.
Mr. [Chris] Stewart of Utah: Okay. What about the emails that everyone is so, you know, knowledgeable of? Were there also indicators that they were prepared but not evidence that they actually were exfiltrated?
Mr. Henry: There’s not evidence that they were actually exfiltrated. There’s circumstantial evidence … but no evidence that they were actually exfiltrated. …
Mr. Stewart: But you have a much lower degree of confidence that this data actually left than you do, for example, that the Russians were the ones who breached the security?
Mr. Henry: There is circumstantial evidence that that data was exfiltrated off the network.
Mr. Stewart: And circumstantial is less sure than the other evidence you’ve indicated. …
Mr. Henry: “We didn’t have a sensor in place that saw data leave. We said that the data left based on the circumstantial evidence. That was the conclusion that we made.
In answer to a follow-up query on this line of questioning, Henry delivered this classic: “Sir, I was just trying to be factually accurate, that we didn’t see the data leave, but we believe it left, based on what we saw.”
Inadvertently highlighting the tenuous underpinning for CrowdStrike’s “belief” that Russia hacked the DNC emails, Henry added: “There are other nation-states that collect this type of intelligence for sure, but the — what we would call the tactics and techniques were consistent with what we’d seen associated with the Russian state.”
Interesting admission in Crowdstrike CEO Shaun Henry’s testimony. Henry is asked when “the Russians” exfiltrated the data from DNC.
Henry: “We did not have concrete evidence that the data was exfiltrated from the DNC, but we have indicators that it was exfiltrated.” ? pic.twitter.com/TyePqd6b5P
— Aaron Maté (@aaronjmate) May 8, 2020
Try as one may, some of the testimony remains opaque. Part of the problem is ambiguity in the word “exfiltration.”
The word can denote (1) transferring data from a computer via the Internet (hacking) or (2) copying data physically to an external storage device with intent to leak it.
As the Veteran Intelligence Professionals for Sanity has been reporting for more than three years, metadata and other hard forensic evidence indicate that the DNC emails were not hacked — by Russia or anyone else.
Rather, they were copied onto an external storage device (probably a thumb drive) by someone with access to DNC computers. Besides, any hack over the Internet would almost certainly have been discovered by the dragnet coverage of the National Security Agency and its cooperating foreign intelligence services.
Henry testifies that “it appears it [the theft of DNC emails] was set up to be exfiltrated, but we just don’t have the evidence that says it actually left.”
This, in VIPS view, suggests that someone with access to DNC computers “set up” selected emails for transfer to an external storage device — a thumb drive, for example. The Internet is not needed for such a transfer. Use of the Internet would have been detected, enabling Henry to pinpoint any “exfiltration” over that network.
Bill Binney, a former NSA technical director and a VIPS member, filed a sworn affidavit in the Roger Stone case. Binney said: “WikiLeaks did not receive stolen data from the Russian government. Intrinsic metadata in the publicly available files on WikiLeaks demonstrates that the files acquired by WikiLeaks were delivered in a medium such as a thumb drive.”
The So-Called Intelligence Community Assessment
There is not much good to be said about the embarrassingly evidence-impoverished Intelligence Community Assessment (ICA) of Jan. 6, 2017 accusing Russia of hacking the DNC.
But the ICA did include two passages that are highly relevant and demonstrably true:
(1) In introductory remarks on “cyber incident attribution”, the authors of the ICA made a highly germane point: “The nature of cyberspace makes attribution of cyber operations difficult but not impossible. Every kind of cyber operation — malicious or not — leaves a trail.”
(2) “When analysts use words such as ‘we assess’ or ‘we judge,’ [these] are not intended to imply that we have proof that shows something to be a fact. … Assessments are based on collected information, which is often incomplete or fragmentary … High confidence in a judgment does not imply that the assessment is a fact or a certainty; such judgments might be wrong.” [And one might add that they commonly ARE wrong when analysts succumb to political pressure, as was the case with the ICA.]
The intelligence-friendly corporate media, nonetheless, immediately awarded the status of Holy Writ to the misnomered “Intelligence Community Assessment” (it was a rump effort prepared by “handpicked analysts” from only CIA, FBI, and NSA), and chose to overlook the banal, full-disclosure-type caveats embedded in the assessment itself.
Then National Intelligence Director James Clapper and the directors of the CIA, FBI, and NSA briefed President Obama on the ICA on Jan. 5, 2017, the day before they gave it personally to President-elect Donald Trump.
On Jan. 18, 2017, at his final press conference, Obama saw fit to use lawyerly language on the key issue of how the DNC emails got to WikiLeaks, in an apparent effort to cover his own derriere.
Obama: “The conclusions of the intelligence community with respect to the Russian hacking were not conclusive as to whether WikiLeaks was witting or not in being the conduit through which we heard about the DNC e-mails that were leaked.”
So we ended up with “inconclusive conclusions” on that admittedly crucial point. What Obama was saying is that U.S. intelligence did not know—or professed not to know—exactly how the alleged Russian transfer to WikiLeaks was supposedly made, whether through a third party, or cutout, and he muddied the waters by first saying it was a hack, and then a leak.
From the very outset, in the absence of any hard evidence, from NSA or from its foreign partners, of an Internet hack of the DNC emails, the claim that “the Russians gave the DNC emails to WikiLeaks” rested on thin gruel.
In November 2018 at a public forum, I asked Clapper to explain why President Obama still had serious doubts in late Jan. 2017, less than two weeks after Clapper and the other intelligence chiefs had thoroughly briefed the outgoing president about their “high-confidence” findings.
Clapper replied: “I cannot explain what he [Obama] said or why. But I can tell you we’re, we’re pretty sure we know, or knew at the time, how WikiLeaks got those emails.” Pretty sure?
Preferring CrowdStrike; ’Splaining to Congress
CrowdStrike already had a tarnished reputation for credibility when the DNC and Clinton campaign chose it to do work the FBI should have been doing to investigate how the DNC emails got to WikiLeaks. It had asserted that Russians hacked into a Ukrainian artillery app, resulting in heavy losses of howitzers in Ukraine’s struggle with separatists supported by Russia. A Voice of America report explained why CrowdStrike was forced to retract that claim.
Why did FBI Director James Comey not simply insist on access to the DNC computers? Surely he could have gotten the appropriate authorization. In early January 2017, reacting to media reports that the FBI never asked for access, Comey told the Senate Intelligence Committee there were “multiple requests at different levels” for access to the DNC servers.
“Ultimately what was agreed to is the private company would share with us what they saw,” he said. Comey described CrowdStrike as a “highly respected” cybersecurity company.
Asked by committee Chairman Richard Burr (R-NC) whether direct access to the servers and devices would have helped the FBI in their investigation, Comey said it would have. “Our forensics folks would always prefer to get access to the original device or server that’s involved, so it’s the best evidence,” he said.
Five months later, after Comey had been fired, Burr gave him a Mulligan in the form of a few kid-gloves, clearly well-rehearsed, questions:
BURR: And the FBI, in this case, unlike other cases that you might investigate — did you ever have access to the actual hardware that was hacked? Or did you have to rely on a third party to provide you the data that they had collected?
COMEY: In the case of the DNC, … we did not have access to the devices themselves. We got relevant forensic information from a private party, a high-class entity, that had done the work. But we didn’t get direct access.
BURR: But no content?
COMEY: Correct.
BURR: Isn’t content an important part of the forensics from a counterintelligence standpoint?
COMEY: It is, although what was briefed to me by my folks — the people who were my folks at the time is that they had gotten the information from the private party that they needed to understand the intrusion by the spring of 2016.
In June last year it was revealed that CrowdStrike never produced an un-redacted or final forensic report for the government because the FBI never required it to, according to the Justice Department.
By any normal standard, former FBI Director Comey would now be in serious legal trouble, as should Clapper, former CIA Director John Brennan, et al. Additional evidence of FBI misconduct under Comey seems to surface every week — whether the abuses of FISA, misconduct in the case against Gen. Michael Flynn, or misleading everyone about Russian hacking of the DNC. If I were attorney general, I would declare Comey a flight risk and take his passport. And I would do the same with Clapper and Brennan.
Schiff: Every Confidence
But No Evidence
Both pillars of Russiagate–collusion and a Russian hack–have now fairly crumbled.
Thursday’s disclosure of testimony before the House Intelligence Committee shows Chairman Adam Schiff lied not only about Trump-Putin “collusion,” [which the Mueller report failed to prove and whose allegations were based on DNC and Clinton-financed opposition research] but also about the even more basic issue of “Russian hacking” of the DNC.
[See: “The Democratic Money Behind Russia-gate” republished today.]
Five days after Trump took office, I had an opportunity to confront Schiff personally about evidence that Russia “hacked” the DNC emails. He had repeatedly given that canard the patina of flat fact during an address at the old Hillary Clinton/John Podesta “think tank,” The Center for American Progress Action Fund.
Fortunately, the cameras were still on when I approached Schiff during the Q&A: “You have every confidence but no evidence, is that right?” I asked him. His answer was a harbinger of things to come. This video clip may be worth the four minutes needed to watch it.
Schiff and his partners in crime will be in for much tougher treatment if Trump allows Attorney General Barr and U.S. Attorney John Durham to bring their investigation into the origins of Russia-gate to a timely conclusion. Barr’s dismissal on Thursday of charges against Flynn, after released FBI documents revealed that a perjury trap was set for him to keep Russiagate going, may be a sign of things to come.
Given the timid way Trump has typically bowed to intelligence and law enforcement officials, including those who supposedly report to him, however, one might rather expect that, after a lot of bluster, he will let the too-big-to-imprison ones off the hook. The issues are now drawn; the evidence is copious; will the Deep State, nevertheless, be able to prevail this time?