President-elect Donald Trump has recently questioned President Barack Obama's finger-pointing at the Russians for election-related cyberattacks, as well as the current media and pundit frenzy alleging a Russian cyber-strike targeting Secretary Hillary Clinton in order to assure a Trump presidency. President-elect Trump plans to press U.S. intelligence agencies to defend their conclusions, stating,
“I know a lot about hacking. And hacking is a very hard thing to prove. So it could be somebody else. And I also know things that other people don’t know, and so they cannot be sure of the situation.”
Having worked since 1995 as a first-responder to cyber-attacks, including serving 11 years as Chief of the SEC's Office of Internet Enforcement, I whole-heartedly agree with President-elect Trump. His skepticism is not only appropriate and warranted -- it's spot-on.
Official U.S. Statements About Russian Hacking of U.S. Election
Despite countless inflammatory headlines about Russian election hacking, there exist only two official U.S. statements specifically addressing the facts of recent election-related hacking incidents. The first is the Oct. 7, 2016 Joint Statement from the Department of Homeland Security and Office of the Director of National Intelligence on Election Security (the "Joint Statement"). The second is the Dec. 29, 2016 Joint Analysis Report of the Department of Homeland Security and the Federal Bureau of Investigation, entitled, "GRIZZLY STEPPE – Russian Malicious Cyber Activity" (the "JAR").
Both government statements are curt, vague, opaque and miles away from being concrete -- and both raise far more questions than they answer.
The Joint Statement
The Joint Statement adopts a cautionary approach to any sort of attribution or motive behind who "directed the recent compromises of e-mails from U.S. persons and institutions, including from US political organizations." The Joint Statement states that the hacks:
“. . . are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process. Such activity is not new to Moscow — the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.”
Announcing that we think the hacks “are consistent with the methods and motivations of Russian-directed efforts” falls far short of a legitimate prosecutorial conclusion based upon actual evidence of Russian culpability and attribution. The Joint Statement's authors are clearly hedging their bets, which is exactly what any reasonable cyber-investigator would do under the circumstances.
After all, attributing disparate attack vectors to the same culprit is always speculative. The entire virtual criminal design could be a ruse, where one country’s cyber gang co-opts the techniques of another country’s cyber gang in order to confuse investigators or dissemble.
Moreover, even in its most favorable light, the Joint Statement does not support the conclusion that the Russians were trying to help Trump and hurt Hillary — as opposed to just doing what most hackers do, i.e., rummaging voraciously and randomly through whatever data they can access, and leaving it to their patrons to determine what is, and is not, of use.
Interfering with the election process is only one of many possible motives behind cyber-attacks. Financial crime, insider trading, intellectual property thievery, trade secret pilfering, extortion, ransomware, governmental disruption, market manipulation (just to name a few) are all potential goals at the outset of a hack.
Cyber-attackers invade systems and networks, frantically grab every data-file they can and then continue mounting their virtual crime sprees wherever that stolen data may lead them -- disrupting organizations, causing damage and wreaking havoc all along the way. Make no mistake -- the 21st Century hacker's mantra is to shoot first and ask questions later.
Though more than half of the JAR is just a list of suggested preventive cybersecurity measures, the JAR is still an important report and a critical resource for any analysis of the Russian election rigging allegations -- both for what it does say and for what it doesn't say. Here is a play-by-play of its deconstruction:
- Attribution. The JAR is the first official government statement attributing certain politically-related malicious cyber activity to specific countries or threat actors, specifically, "to Russian government and civilian intelligence agencies."
- The DNC Cyber-Attacks. The cyber-attacks upon the Democratic National Committee ("DNC") apparently began with a 2015 cyber-attack upon the U.S. government. This is typical of cyber-attacks -- where the sole goal/motive is data exfiltration, leaving it until afterwards to determine how to take advantage of, or profit from, that exfiltrated data. Specifically, the JAR notes that in the summer of 2015, what looks like a Russian spear-phishing campaign targeted over 1,000 recipients, including U.S. government employees. Apparently, at least a few of these spear-phishing attacks hit pay dirt and in the course of that campaign, somehow successfully compromised a "U.S. Political Party." (The JAR does not identify the "Political Party" to be the DNC.)
- Multiple Attacks Continue. The JAR describes a second attack upon the same "U.S. Political Party," which occurred in the Spring of 2015 and states that, "Actors likely associated with [Russia] are continuing to engage in spear-phishing campaigns, including one launched as recently as November 2016, just days after the U.S. election."
- APT Attacks. The JAR acknowledges the lengthy history of state-sponsored Advanced Persistent Threat, or so-called APT, attacks against every type of U.S. entity, including a range of foreign governments initiating spear-phishing campaigns targeting "government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations." Given certain common indicators of compromise identified by the DHS and FBI, the JAR concludes that the perpetrators of the hacks upon the "U.S. Political Party" employed the same modus operandi used by purported Russian groups that have "historically targeted government organizations, think tanks, universities, and corporations around the world."
- The Leaks of Exfiltrated Emails and Other Data. The JAR ambiguously and blithely states that, "The U.S. Government assesses that information was leaked to the press and publicly disclosed." The JAR (whether clumsily or intentionally) employs the passive voice to describe the leak -- and does not state who leaked the information; how the information was leaked; or any other inculpatory details.
- The Podesta Emails. The JAR does not address, or even imply, that the attacks upon the "U.S. Political Party" were perpetrated by the same attackers who somehow obtained the emails of Clinton campaign head John Podesta. In fact, the JAR makes no specific mention of the Podesta hacks.
- Trump Over Clinton. Like the Joint Statement, the JAR provides no evidence and makes no mention of any plot, effort or other scheme to steal the election from Hillary Clinton and favor Donald Trump. Rather, the JAR cites only the usual over-arching objective behind most state-sponsored APT attacks, i.e., to disrupt and/or damage U.S. institutions and organizations.