Skeptics still doubt intelligence on Russia hacking

For months, calls grew for the Obama administration to punish Russia for hacking Democratic National Committee servers and party officials in the run up to the 2016 election. But the administration's expulsion of Russian officials and imposition of sanctions last week hasn't silenced all the critics.

Lawmakers from both parties continue to argue that President Barack Obama waited too long to react, and his punishment of Russia didn't go far enough to deter Russian President Vladimir Putin from conducting future cyberattacks.

On the other side, President-elect Donald Trump and many of his supporters continue to publicly challenge the intelligence community's assessment that the Russian government was behind the hacks and leaks of documents designed to undermine Hillary Clinton's presidential campaign.

They argue that the IC has not released data and evidence to support the assertion that the Russian government directed its hackers to infiltrate Democratic National Committee systems.

That's technically true, said one former senior administration official. Speaking to FCW on background, the former official said that in this case, private firms CrowdStrike and others detected breaches, performed forensics with public evidence and tracked the hacking back to Russian entities.

"So the IC didn't really have to worry about burning any intelligence capabilities," said the former official. "All they have to say here is, 'Our own tools confirm the same things the private sector has been saying and that is evidence enough for us to give attribution with high confidence. We have other sources of intelligence that confirm this further, but that is going to remain classified.'"

"The work by private cybersecurity companies, Crowdstrike and others, has certainly been the primary basis for technical attribution thus far," said Nathaniel Gleicher, former director for cybersecurity policy at the National Security Council.

He said this is a positive development because it allows the IC to weigh in while still preserving its sources and methods of collecting cyber intelligence.

"This makes it more likely that we'll be able to attribute, which will help reduce the uncertainty and anonymity that intruders often rely on," added Gleicher. "We're getting much better at attribution, and part of the reason for that is we have more technical experts focused on it -- it's always better to have more eyes focused on a problem like this."

That doesn't mean this is a new model, however.

Gleicher said the IC and private sector are still trying to determine how to work together in cases like this, and therefore formalization of intelligence and attribution sharing could be counterproductive.

"I also suspect that formalization would lead to less public disclosure, rather than more, and increased public disclosure at this point seems like a very good thing," he said.

The former official added that while there will always be some measure of informal information sharing given the number of former cyber and intelligence officials in the private sector, there are a number of barriers to having the private sector formally do the legwork and give the IC cover to protect its tools.

First, even though private industry capabilities continue to improve, there's no guarantee the private sector can and will detect and analyze every cybercrime. Second, there are still trust, security clearance and liability concerns that will prevent the various parties from formalizing a working relationship anytime soon.

Third, as has been witnessed in this case, not everyone is satisfied with the IC simply endorsing the findings of the private sector.

When President Obama announced the sanctions against Russia, the FBI and Department of Homeland Security released a joint analysis report of Russia's hacking activities. That report states that it "provides technical details regarding the tools and infrastructure used by Russian civilian and military intelligence Services" to hack the Democratic Party, and that previous JARs had not "attributed malicious cyber activity to specific countries or threat actors."

The JAR also stated it is a guide to network administrators to help them search their systems for signs of Russian malware and mitigate the threats.

But that report isn't a smoking gun even to those who are already convinced the Russian government directed the hacking.

"This ultimately seems like a very rushed report put together by multiple teams working different data sets and motivations," wrote Robert M. Lee, former Air Force cyber officer and CEO of Dragos, in a lengthy critique of the report.

While he said the IC's assessments are correct and that he supports the sanctions, Lee said the report failed to provide clear, compelling information about the sources of data it presents to support the government's attribution.

"It is useful to know what is government data from previously classified sources and what is data from the private sector and more importantly who in the private sector," wrote Lee. "Unfortunately, this is entirely missing. The report does not source its data at all. It's a random collection of information and in that way, is mostly useless."

For many experts, the private-sector analysis is sufficient to prove Russia's guilt.

For others, or in future cases where the private sector isn't providing conclusive attribution evidence, the IC will need to declassify more information and be willing to potentially burn sources and methods, said the former official.

"What's the point of collecting all that information," if it's not going to be used to inform and defend policy decisions, the official asked.

The Office of the Director of National Intelligence is preparing a detailed report on election-related hacking activities at the request of the administration. That report is expected within the next week, and the ODNI would not comment on what the report will contain and how much will be declassified for public release.

In the meantime, Director of National Intelligence James Clapper will be testifying before the Senate Armed Services Committee on Jan. 5 as that committee launches its own investigation into Russia's hacking activities.