By Marcus J. Ranum.
In various postings this year, I’ve been guarded about the Russian attribution of the DNC email hacks.
As I said in [stderr]:
To accurately establish attribution, you need evidence and understanding:
- Evidence linking the presumed attacker to the attack
- An understanding of the attacker’s actions, supporting that evidence
- Evidence collected from other systems that matches the understanding of the attacker’s actions
- An understanding of the sequence of events during the attack, matching the evidence
Until this point, I deliberately maintained a position of strict skepticism regarding Russian involvement (while admitting it was likely or even highly likely) It’s still possible that someone crafted the reported evidence, but unless we want to live our lives as radical skeptics eventually we can accept something as a given as long as contradictory facts don’t emerge. A lot of people were comfortable accepting the arguments that the US Government (notably the FBI and the ‘5 intelligence community agencies’) collectively asserted – I was not, because my assessment of their assertions was that they didn’t provide evidence that they doubtless had, consequently, I felt I had to wonder “why not?” and whether that evidence was any good.
I’ll note that the US Government still hasn’t provided anywhere near the kind of quality attribution that I’d expect they could if they tried. I freely admit that I hold that against them: they collect this stuff and it’s their job – as I see it – to distribute information that will help us better understand attacks that are being made against US government and corporate networks. Obviously we disagree about what their job is.
In terms of my components of a good attribution, we now have:
Evidence linking the presumed attacker to the attack: George Papadopolous was being played by someone he believed was directly connected to Putin, and was being offered dirt on Clinton “on or about” April 26. The DNC emails were leaking between January and May, so if Papadopolous’ contacts with the emails had them, they were getting them in real-time or near real-time. That establishes a linkage between the attacker and the attack that I am willing to accept.
An understanding of the attacker’s actions, supporting that evidence: Papadopolous’ contacts were claiming that they were tied in with Russian interests and had access to the emails and wanted to arrange a meeting with the Trump campaign. That is completely consistent with the overall story that has been promulgated, so far, that the Russians were trying to lure the Trump campaign into compromising itself with some dirt. Papadopolous has now admitted that that was exactly what he was doing, and what he believed the Russians were doing. I accept the story, now.
Evidence collected from other systems that matches the understanding of the attackers’ actions: This element of the attribution is still thinner than I’d like but the timing on the documents that Wikileaks eventually released matches the story of how the documents were compromised, shopped around between Papadopolous/the Trump Campaign and Wikileaks. I don’t think we need to see the various emails going back and forth; all the information Papadopolous has provided is congruent with Wikileaks’ version and the accounts of the DNC break-in from Crowdstrike. I think Crowdstrike could have provided better information but almost certainly were told not to by the FBI who were keeping that information in order to strengthen their own attribution if congruent pieces of the puzzle later emerged. In fairness to the FBI I will note that having whatever information Crowdstrike provided to them kept secret probably made it harder for Papadopolous to lie about any of the timing of these events and subsequent emails. So, while I complain about the FBI’s actions, I understand them.
An understanding of the sequence of events of the attack, matching the evidence: This is the piece of the puzzle that flips me from “skeptical” to “convinced.” Papadopolous’ exchanges with the Russians happened in the right sequence of time within the broader sequence of events and there is no contradiction. If Papadopolous was talking to the Russians “on or about” April 26 about getting a drop of dirt on Clinton, that fits with the story that the data went:
Hacker -> Russians -> (offered to Papadopolous) -> (given to Wikileaks) -> Published by Wikileaks
not
Hacker -> Wikileaks -> (shared with Russians somehow) -> (offered to Papadopolous) -> Published by Wikileaks
The latter wouldn’t be consistent with how Wikileaks operates and has operated, or how Papadopolous, or his Russians operated.
There are still plenty of loose ends but I think they are mostly curiosity. Was the hacker part of the Russian government, or merely “affiliated” to some degree? That’s an irrelevant question because “affiliation” doesn’t mean much; the programmers who are writing malware for NSA’s “Equation Group” are probably contractors, not employees – are they “US Government hackers”, “US Government affiliated hackers”, or “Patriotic American hackers who choose to share things with the US Government sometimes (like, when they are paid)”? I have no idea what the org chart of the Russian cyberintelligence efforts look like, and I suspect nobody does – any more than anyone knows what the org chart of the NSA looks like if you were to include contracting companies that make more than 80% of their revenue from NSA and CIA on it. I am comfortable with accepting that there’s a tight linkage between Papadopolous’ Russians and the hackers that initially got the documents, because of the speed at which the data moved. Someone in Papadopolous’ Russians group had to get the data from the hackers and check it out superficially to make sure it was what it purported to be, which would take about a week, while the Russian group was baiting the Trump Campaign. The timing works.
I’m also waffling a bit by calling the Russians “Papadopolous’ Russians” because we don’t really know to what degree they were “affiliated” with the Russian intelligence apparatus. Like with the hackers, I am comfortable saying they are “affiliated” because that’s how they presented themselves and even if they weren’t taking orders from Putin (I bet they weren’t, he’s not that much of a micro-manager) they were acting in line with their own perception of Russian affiliation. I believe that many CIA or NSA operations happen without the direct oversight of anyone on the National Security Council and certainly without the direct approval of the president. So, at what point can we say that something is a “US Government operation” versus a “CIA operation” versus a “rogue CIA operation” versus “ultra-nationalists going their own way” (which was basically what the White House portrayed G. Gordon Liddy as doing during Iran/Contra)
Based on the time-line of events there’s another thing we learn, which may explain why the FBI and intelligence community were so reluctant to offer good attribution: they appear to have been standing around figuring all of this out around April/May/June – well in advance of the election, which was in November. Meanwhile, Comey was making mysterious election-influencing remarks about the FBI’s investigations into Clinton’s other emails. Maybe the FBI doesn’t want to talk much about who knew what and when because it’d make it clear that they were incompetent, or playing politics, or incompetently playing politics.
“Likely or even highly likely” sounds pretty bayesian to me. I’m just not comfortable assigning bogo-probabilities to things in order to bolster my confirmation bias.
For an example of the kind of high quality attribution I’d expect from the US’ very expensive intelligence apparatus, you can take a look at Brian Krebs’ attribution of the Mirai Worm: [krebs] or Kaspersky Labs’ attribution of the ‘Equation Group’ malware tree to the NSA [kaspersky] [secur] Even Kaspersky’s attribution depends on external evidence in time, namely that Equation Group’s code was found on NSA’s development server leaks dated before Kaspersky’s attribution – which strongly identifies Equation Group as NSA (or NSA contractors working within NSA).
Papadopolous sounds like the kind of incompetent dumbass that Trump would love. I’m surprised he wasn’t put in charge of some important government agency. (PS: he spent $800,000 on his wardrobe)
Papadopolous also appears to be a “cooperating witness” which may be code for “he wore a wire during some meetings” – it is possible that Mueller has dropped Papadopolous as a card to pull in-suit denials from the next round of indictees.
Unrelated: Papadopolous cheated on at least $75 million in taxes. I wonder whether part of this is going to result in the FBI getting Trump’s tax returns. One thing everyone seems to forget about those: Trump has them but so does the IRS. One need not ask Trump for them. The whole thing around releasing Trump’s taxes is a charade.