Cybersecurity

Skeptics still doubt intelligence on Russia hacking

Shutterstock. 

For months, calls grew for the Obama administration to punish Russia for hacking Democratic National Committee servers and party officials in the run up to the 2016 election. But the administration's expulsion of Russian officials and imposition of sanctions last week hasn't silenced all the critics.

Lawmakers from both parties continue to argue that President Barack Obama waited too long to react, and his punishment of Russia didn't go far enough to deter Russian President Vladimir Putin from conducting future cyberattacks.

On the other side, President-elect Donald Trump and many of his supporters continue to publicly challenge the intelligence community's assessment that the Russian government was behind the hacks and leaks of documents designed to undermine Hillary Clinton's presidential campaign.

They argue that the IC has not released data and evidence to support the assertion that the Russian government directed its hackers to infiltrate Democratic National Committee systems.

That's technically true, said one former senior administration official. Speaking to FCW on background, the former official said that in this case, private firms CrowdStrike and others detected breaches, performed forensics with public evidence and tracked the hacking back to Russian entities.

"So the IC didn't really have to worry about burning any intelligence capabilities," said the former official. "All they have to say here is, 'Our own tools confirm the same things the private sector has been saying and that is evidence enough for us to give attribution with high confidence. We have other sources of intelligence that confirm this further, but that is going to remain classified.'"

"The work by private cybersecurity companies, Crowdstrike and others, has certainly been the primary basis for technical attribution thus far," said Nathaniel Gleicher, former director for cybersecurity policy at the National Security Council.

He said this is a positive development because it allows the IC to weigh in while still preserving its sources and methods of collecting cyber intelligence.

"This makes it more likely that we'll be able to attribute, which will help reduce the uncertainty and anonymity that intruders often rely on," added Gleicher. "We're getting much better at attribution, and part of the reason for that is we have more technical experts focused on it -- it's always better to have more eyes focused on a problem like this."

That doesn't mean this is a new model, however.

Gleicher said the IC and private sector are still trying to determine how to work together in cases like this, and therefore formalization of intelligence and attribution sharing could be counterproductive.

"I also suspect that formalization would lead to less public disclosure, rather than more, and increased public disclosure at this point seems like a very good thing," he said.

The former official added that while there will always be some measure of informal information sharing given the number of former cyber and intelligence officials in the private sector, there are a number of barriers to having the private sector formally do the legwork and give the IC cover to protect its tools.

First, even though private industry capabilities continue to improve, there's no guarantee the private sector can and will detect and analyze every cybercrime. Second, there are still trust, security clearance and liability concerns that will prevent the various parties from formalizing a working relationship anytime soon.

Third, as has been witnessed in this case, not everyone is satisfied with the IC simply endorsing the findings of the private sector.

When President Obama announced the sanctions against Russia, the FBI and Department of Homeland Security released a joint analysis report of Russia's hacking activities. That report states that it "provides technical details regarding the tools and infrastructure used by Russian civilian and military intelligence Services" to hack the Democratic Party, and that previous JARs had not "attributed malicious cyber activity to specific countries or threat actors."

The JAR also stated it is a guide to network administrators to help them search their systems for signs of Russian malware and mitigate the threats.

But that report isn't a smoking gun even to those who are already convinced the Russian government directed the hacking.

"This ultimately seems like a very rushed report put together by multiple teams working different data sets and motivations," wrote Robert M. Lee, former Air Force cyber officer and CEO of Dragos, in a lengthy critique of the report.

While he said the IC's assessments are correct and that he supports the sanctions, Lee said the report failed to provide clear, compelling information about the sources of data it presents to support the government's attribution.

"It is useful to know what is government data from previously classified sources and what is data from the private sector and more importantly who in the private sector," wrote Lee. "Unfortunately, this is entirely missing. The report does not source its data at all. It's a random collection of information and in that way, is mostly useless."

For many experts, the private-sector analysis is sufficient to prove Russia's guilt.

For others, or in future cases where the private sector isn't providing conclusive attribution evidence, the IC will need to declassify more information and be willing to potentially burn sources and methods, said the former official.

"What's the point of collecting all that information," if it's not going to be used to inform and defend policy decisions, the official asked.

The Office of the Director of National Intelligence is preparing a detailed report on election-related hacking activities at the request of the administration. That report is expected within the next week, and the ODNI would not comment on what the report will contain and how much will be declassified for public release.

In the meantime, Director of National Intelligence James Clapper will be testifying before the Senate Armed Services Committee on Jan. 5 as that committee launches its own investigation into Russia's hacking activities.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.


Rising Stars

Meet 21 early-career leaders who are doing great things in federal IT.

Featured

  • SEC Chairman Jay Clayton

    SEC owns up to 2016 breach

    A key database of financial information was breached in 2016, possibly in support of insider trading, said the Securities and Exchange Commission.

  • Image from Shutterstock.com

    DOD looks to get aggressive about cloud adoption

    Defense leaders and Congress are looking to encourage more aggressive cloud policies and prod reluctant agencies to embrace experimentation and risk-taking.

  • Shutterstock / Pictofigo

    The next big thing in IT procurement

    Steve Kelman talks to the agencies that have embraced tech demos in their acquisition efforts -- and urges others in government to give it a try.

  • broken lock

    DHS bans Kaspersky from federal systems

    The Department of Homeland Security banned the Russian cybersecurity company Kaspersky Lab’s products from federal agencies in a new binding operational directive.

  • man planning layoffs

    USDA looks to cut CIOs as part of reorg

    The Department of Agriculture is looking to cut down on the number of agency CIOs in the name of efficiency and better communication across mission areas.

  • What's next for agency cyber efforts?

    Ninety days after the Trump administration's executive order, FCW sat down with agency cyber leaders to discuss what’s changing.

Reader comments

Thu, Jan 5, 2017 Ethan S. Burger

The Russian Government often acts through proxies and 'like-thinking" individuals. Germany, Latvia, Lithuania, and other countries publicly have attributed attacks on their 'political infrastructure" to Russia. Russia financially supports bloggers and websites who push their agenda. It is hard to imagine that it is not acting on the same fashion in the U.S.

Thu, Jan 5, 2017 DAC Michigan

Why does no one discuss the fact that the heads of all the Government Intelligence Agencies are Obama appointees that are leaving their posts on 20 Jan? The departure exception being the FBI, but that position is seen as compromised because of their partisan failure to recommend prosecution of the SOS for egregious security violations. I'm a Federal employee that has seen associates prosecuted for security violations and intent was not a mitigating factor. And as a Fed I, and 10's of millions of others, had personal information stolen by China, but there were no sanctions against them. This seems to me to be a strictly partisan effort to delegitimize the incoming administration.

Thu, Jan 5, 2017 2RUFF ATLANTA

Leading up to the election, the Executive Branch "head" was steadfast in his assertions that there was "No Hacking" being done by the Russians and that they could not affect our election system. Only after Hillery LOST did the tone and message change to certainty that there WAS hacking being done by the Russian Government...... Very odd this is and very unnerving to think that maybe until after Hillery LOST did they message change. The issues of election "tampering" and attempts to subvert foreign elections by the current "head" of the Executive Branch is totally lost in what was attempted in the last Israeli election. The Democrats are sending a clear message on the hypocrisy they are practicing. It is OK for THEM but NOT for anyone else. Hopefully America will get back on a direction that will be good for ALL Americans and not just for a few. May God Bless America.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group