Exposing The Man Behind The Curtain
Americans have a right to know the full truth about claims of Russian hacking.
“When you attack a country,” John McCain, the long-serving Republican Senator from Arizona, who chairs the influential Senate Armed Services Committee, told reporters on December 30, 2016, during a visit to Ukraine, a nation locked in a quasi-Civil War with Russian-backed separatist rebels, “it’s an act of war.”
McCain was referring to allegations of Russian involvement in the hacking of servers belonging to the Democratic National Committee (DNC), and the release of emails purportedly thus stolen to Wikileaks for the purpose of undermining the candidacy of Hillary Clinton in the 2016 presidential election.
“And so we have to make sure that there is a price to pay,” McCain concluded, “so that we can perhaps persuade the Russians to stop these kind of attacks on our very fundamentals of democracy.”
McCain’s words echoed those of the White House, which just the day prior had published a “fact sheet” explaining its decision to expel 35 Russian diplomats and their families from the United States. “Russia’s cyber activities were intended to influence the election, erode faith in U.S. democratic institutions, sow doubt about the integrity of our electoral process, and undermine confidence in the institutions of the U.S. government,” the “fact sheet” proclaimed. “These actions are unacceptable and will not be tolerated.”
And, as if to underscore the point, that same day the FBI and Department of Homeland Security (DHS) published a 13-page “Joint Activity Report” (JAR) on what it called “Grizzly Steppe,” or malicious cyber activity by Russia “to compromise and exploit networks and endpoints associated with the US elections.” Long on allegation and short on evidence, the JAR stated that its work “expanded” upon an earlier joint statement issued by the Office of the Director of National Intelligence (ODNI) and DHS on the U.S. elections, issued October 7, 2016, which made similar claims without citing any evidence that sustained the charge (note: the JAR contained a disclaimer that DHS “does not provide any warranties of any kind regarding any information contained within.”)
A week later, the Obama administration continued to make its case against Russia when the Director of National Intelligence (DNI), James Clapper, released a classified Intelligence Community Assessment (ICA), “Russia’s Influence Campaign Targeting the 2016 US Presidential Election” that the President had ordered back on December 16, 2016. Clapper briefed President Obama on its findings on Thursday, January 6, 2017 before briefing President-elect Trump and select members of the U.S. Congress on Friday, January 7, 2017.
The Office of the Director of National Intelligence (ODNI) released an unclassified version of its ICA later that same day. “We assess,” the unclassified ICA stated in its “key judgments” section (noting that “its conclusions were identical to those in the highly classified assessment”), “Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russia’s goals were to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump. We have,” the unclassified ICA concluded, “high confidence in these judgments.”
The explanation of the estimative language used in the ICA’s findings is instructive here. “Judgments,” the ICA noted, “are not intended to imply that we have proof to show that something to be a fact.”
This caution against certainty extended to the “high confidence” the ICA assigned to its stated conclusions. “High confidence in a judgment does not imply that the assessment is a fact or certainty.”
As the ICA warned, “Such judgments might be wrong.”
“The intelligence community is not perfect.” Thus spoke DNI Clapper before a hearing of the Senate Armed Services Committee on January 5, 2017, shortly before the ICA was released. “We are an organization of human beings, and we’re prone sometimes to make errors.”
The Intelligence Community (IC), by the very nature of its work, operates in the shadows, away from the kind of public scrutiny that is a necessary function of any representative democracy. This is an especially resonant point, given the circumstances and subject matter of Clapper’s testimony: the assessment of the Intelligence Community on matters pertinent to the highest expression of the electoral processes that underpin American democracy — a presidential election.
Errors have been made by the Intelligence Community in the past and, given the punishing reality of a fair and open society, and the scrutiny of a free press contained within, these failures have been exposed — sometimes ruthlessly so — for all the world to see. From the reversal of the Intelligence Community’s stance on the possible military dimensions of Iran’s nuclear program, to underestimating the scope and reach of the threat of the Islamic State, to the exaggeration of Iraqi weapons of mass destruction, the public history of the failures of judgment in the intelligence assessments and estimates conducted by the IC over the past two decades — the period spanning the careers of those who continue to provide the analysis that underpinned these highlighted erroneous conclusions and findings — is extensive and uncomplimentary.
These failures are furthered when one incorporates the shortcomings of American intelligence analysis behind the failure to accurately predict the Russian actions against Georgia in 2008, the annexation of the Crimea in 2014, and the intervention in Syria in 2015 — in short, the track record of the very intelligence community that produced the ICA addressing allegations of a Russian influence campaign targeting the 2016 US Presidential election is not impressive.
“I don’t think,” DNI Clapper told the Armed Services Committee on January 5, 2017, “the intelligence community gets the credit it’s due for what it does day in and day out to keep this nation safe and secure.” The Director then continued: “You only need walk into the lobby of CIA (Central Intelligence Agency) and look at the stars on the wall or the front lobby of NSA (National Security Agency) and the number of intelligence people that have paid the ultimate price in the service of their country.”
There are 117 stars carved into the white marble surface of the CIA’s Memorial Wall; another 176 names are etched into the polished black granite of the NSA’s Memorial Wall. The majority of the CIA names are those of paramilitary officers, killed under combat-like circumstances; the same can be said for the military and civilian cryptologists listed by the NSA — most met their fate flying classified intelligence collection missions during the Cold War, manning listening stations during the Vietnam War, or — in the largest single incident resulting in loss of the life of NSA personnel (34) — onboard the USS Liberty when it was attacked by Israel in 1966.
Conflating the sacrifice of the heroes on these two memorials with the analysts who are responsible for some of the greatest intelligence failures in American history denigrates the service of those who died in the service of the United States. It is also part and parcel of an overall policy of politicization and obfuscation that has surrounded the allegations of Russian interference in the 2016 presidential election.
Not a single NSA operator, FBI Special Agent, or CIA analyst died — or had their life placed in danger — because of the alleged Russian cyber activity, or the investigations carried out by American intelligence and law enforcement officials and agencies in response to the same. Conflation and exaggeration, however, have been the hallmark of the Obama administration’s response to allegations of Russian interference in the presidential election process.
One of the most glaring examples of this is the singling out by the Intelligence Community of the leadership of Russia for directing the alleged cyber attacks on the U.S. elections, without citing any evidence to underpin that conclusion, and the decision of the White House to expel 35 Russian diplomats, inclusive of several described as serving Russian intelligence officers, in response to the cyber attacks on the DNC.
The Russian diplomats were kicked out of the country void of any mention of specific evidence linking the diplomats to the illicit cyber activities in question. By conflating the two events (the expulsion of the diplomats and the release of the joint FBI/DHS “Grizzly Steppe” Joint Activity Report occurred on the same day — December 29, 2016), the Obama administration made a conscious and concerted effort to create and reinforce perceptions designed to link Russian intelligence services and the cyber attacks against the DNC where no evidence exists — at least none that has been released publicly.
Even more disturbing — especially within the context of a nation that holds freedom of speech and a free press in such high regard — is the conflation made in the intelligence community’s assessment of the activities of Russian “state-controlled” media outlets, in particular the content of specific programming critical of American democratic processes and specific candidates for office, with accusations that Russia was behind the theft and subsequent publication of information that proved embarrassing, and damaging, to the Democratic Party and its candidate for President, Hillary Clinton.
Two issues emerge from this act. First, in the minds of the U.S. Intelligence Community (as expressed through its Russian assessment), form appears to trump substance, in so far as the source of information seems to negate whether or not the information is accurate. This is a particularly telling theme in the present matter, where the question of how the information stolen from the DNC and John Podesta came into the possession of Wikileaks seems to have taken priority over the accuracy and content of that information, and the tangential notion that the American public, when exposed to accurate information pertinent to decisions necessary in an electoral process, has somehow been “manipulated.”
And, given the role that the leaking of unsubstantiated classified information from anonymous government sources to the American media has played in underpinning the public arguments made by the Intelligence Community on the Russian role in the cyber attacks on the DNC, the irony behind the ICA findings about the role of Russian media in shaping American public opinion is palpable.
Second, and perhaps more important, is the chilling effect the conflation of being critical of a source and questioning the veracity of what has been reported has on the very act of skeptical inquisition that marks a free society’s relationship with its public servants. Efforts have been made to link any person or entity that takes a critical approach to the issue of Russian involvement in the U.S. election process as somehow being an agent — witting or otherwise — of Russia (a November 24, 2016 Washington Post story — “Russian propaganda effort helped spread ‘fake news’ during election, experts say” — serves as a case in point; again, the irony that this report appeared in the same paper that served as the primary conduit for anonymously sourced leaked intelligence information sustaining both the Intelligence Community and Obama administration’s case against Russia should be lost on no one).
Somehow, however, the act of questioning whether the intelligence community got it right on the Russian ICA has been turned into an act of denigration. “There’s a difference between skepticism and disparagement,” DNI Clapper told the Armed Services Committee, after being asked by Senator Claire McCaskill about the “trashing of the intelligence community.”
The very act of being skeptical, however, is difficult in an environment where the intelligence is sold as virtually unimpeachable. In response to a question by Senator McCain asking if the intelligence community stood by its assertions in its October 7, 2016 statement that it was confident the Russian government directed the thefts and disclosures of information, and that these actions were intended to interfere in the Presidential election, DNI Clapper responded that “We stand, actually more resolutely on the strength of that statement than we did on the 7th of October.”
“We have 17 intelligence agencies, civilian and military, who have all concluded that these espionage attacks, these cyberattacks, come from the highest levels of the Kremlin, and they are designed to influence our election.” This statement was false when it was made by Hillary Clinton, on October 9, 2016, referring to the aforementioned October 7 joint statement by DHS and the ODNI; as was the case for the Russian ICA, the joint statement drew upon only three of the 16 agencies (the 17th is the ODNI, which is a coordinating body, not a separate intelligence agency): the only intelligence agencies involved in crafting the underlying assessments and judgments were the FBI, CIA and NSA.
When one dissects the nuts and bolts that hold the Russian ICA together, the framework is actually quite weak. The FBI, the sole agency responsible for intelligence derived from a domestic source (i.e., the DNC server and John Podesta) has acknowledged that it has had no direct access to the servers involved, and was compelled to carry out its investigation based upon the technical report of a private cyber security company, Crowdstrike, brought in by the DNC in April 2016.
Rather than sharing the technical details of the cyber intrusion with the National Cyber Communications Integration Center (NCCIC), as is the norm, the DNC ordered Crowdstrike to instead share its report with the Washington Post, which wrote a front-page story on June 14, 2016 that reported, as fact, the assertions by Crowdstrike that Russian intelligence was behind the cyber attacks on the DNC.
Both the FBI and NSA are reported to have been tracking intrusions into the DNC server dating back to July 2015. But, as the Crowdstrike information confirms, these cyber events were associated with cyber activity known as Advanced Persistent Threat (APT) 29, which Crowdstrike subsequently named “Fancy Bear.”
The NSA reportedly briefed select Congressional leaders about the APT 29 activity as early as July 2015, but insisted that this information remain closely held in order to protect an ongoing intelligence collection effort designed to trace the cyber intrusion back to its source.
While the NSA and the FBI were deeply involved in monitoring the APT 29 intrusion, however, another intrusion is alleged to have taken place, this time by a separate cyber activity known as APT 28, or “Cozy Bear.” The Crowdstrike technical findings, as reported by the Washington Post, associate APT 28/“Cozy Bear” with the Russian military’s Main Intelligence Directorate, or GRU.
There is good reason to believe that Crowdstrike is the only source of information about the APT 28/“Cozy Bear” intrusion; even after information from the DNC was made public by Wikileaks, no action was taken to alert John Podesta that his personal emails had been stolen. This indicates that neither the FBI nor NSA were aware of that particular intrusion; the FBI didn’t interview Mr. Podesta about the breach until October 9, 2016 — two days after the initial batch of his personal emails was published by Wikileaks. This reinforces the notion that the specific attribution of the Russian GRU to the DNC cyber intrusion is solely the product of a private cyber security firm on the payroll of the DNC, and not the FBI or NSA.
DNI Clapper, in his testimony of January 10, 2017 before the Senate Select Intelligence Committee, noted that cyber intrusions like that which occurred at the DNC leave a trail that can be followed, and that this was precisely what had happened in this case. While DNI Clapper declined to discuss the specific tradecraft involved in “following the cyber trail”, Edward Snowden, the NSA contractor-turned-whistleblower who leaked thousands of highly classified documents to news outlets in 2013, has shed some insight into the possible sources and methods relied upon by the NSA to trace the July 2015 cyber attack on the DNC server back to Russia. Snowden highlighted one NSA analytical tool in particular — XKeyscore — as being extremely useful in tracking the identity of hackers. “Even if the attackers try to obfuscate origins,” Snowden tweeted, “#XKeyscore makes following exfiltrated data easy.”
According to the documents released by Snowden, the real-time detection and monitoring capability of XKeyscore would have allowed the NSA to trace the cyber attack detected on the DNC server back to specific command and control servers, the electronic communications associated with those servers, and identify the specific keyboard type used to create the code and related electronic communications between the hacker and the malware that was imbedded in the DNC’s system. XKeyscore would have allowed the NSA to attribute the cyber intrusion of the DNC server to APT 29 (and even APT 28, if they were able to track that intrusion as well.)
APT 28/“Cozy Bear” and APT 29/“Fancy Bear” represent cyber tools and methodologies, not individuals or groups. Their affiliation into quantifiable entities is a byproduct of analysis carried out by government and non-government cyber security players who have detected, over time, patterns of related activity that lent themselves to specific, if somewhat nebulous, attribution. The specific linkage between these cyber activities and the intelligence services of Russia is a matter of speculation based upon analysis of the countries and institutions targeted by actors using these tools and methodologies, and forensic examination of the malware involved that suggests a Russian origin.
But there is no specific proof. Crowdstrike attributes its claims that Russian intelligence was behind the DNC cyber intrusion to a report by the German domestic intelligence service (BfV) about a cyber attack on the German Parliament in 2015. “Many of these attack campaigns,” the German report, published in January 2016, noted, “have technical similarities, such as malicious software families, and infrastructure ― these are important indicators of the same authorship. It is assumed that both the Russian domestic intelligence service FSB and the military foreign intelligence service GRU run cyber operations.”
Assumed, not known. One must keep in mind the fact that the German BfV was using XKeyscore at the time to track the parties who launched the cyber attack against the German Parliament; the best they could do was come up with an assumption.
The attributions made in the ICA to the Russian intelligence services regarding the cyber attacks on the DNC server, and others, are not as solid as DNI Clapper has led his audience to believe. Neither is the element of intent. There have been reports in the media of intercepted Russian communications, and Clapper himself informed the Senate Select Intelligence Committee on January 10, 2017 that the ICA also made use of human sources. But there is no “smoking gun” that specifically links President Putin, as claimed in the ICA, to the theft of the emails from the DNC and John Podesta, and the release of these emails to Wikileaks and other outlets; the attribution is purely the result of analysis on the part of those who prepared the ICA.
In the intelligence business, there is no higher crime than the politicization of intelligence (save perhaps the outright falsification of data with the intent to mislead — itself a politicized act.) Former CIA Director Robert Gates addressed the problem of politicized intelligence back in 1992, and his words resonate today. Gates defined the politicization of intelligence as the deliberate distortion of “analysis or judgments to favor a preferred line of thinking irrespective of evidence,” usually occurring when intelligence products “are forced to conform to policymaker’s views.”
Director Gates noted that it was proper for policymakers, such as the President of the United States and Congress, to request specific intelligence products that address issues of importance to them. This was the bread and butter of the intelligence business. However, Gates said, it would be improper for a policymaker to dictate the “line of march” that he or she expected the analysis contained in any such requested product to take.
On December 9, 2016, President Obama ordered the intelligence community to conduct a thorough review of the Russian cyber interference into the U.S. presidential election of 2016. One of the critical issues to be addressed in the review was whether or not the intent of any Russian intervention was to tilt the election in favor of one candidate — Donald Trump — over another — Hillary Clinton.
“This happened at the highest levels of the Russian government,” Obama announced on December 16, 2016 — perhaps the clearest example of the senior-most policy maker dictating the “line of march” expected from the analysis underpinning the requested intelligence assessment.
The ICA, by its own admission, contains no “fact,” but rather a series of assessments based upon analysis derived from unknown sources. The Russian hacking case, as presented in the ICA, isn’t about fact, but rather public opinion. The declassified ICA was not produced for the benefit of the President or Congress — they already had their classified briefings, and were aware of the conclusions. The declassified ICA was produced for public consumption, designed from the start to sway public opinion in a manner that influenced the composition of the cabinet, and policies of the administration, of President-elect Donald Trump. In this light, the release of the declassified ICA was, in every sense of the word, a political act, with the intelligence contained therein, by definition, politicized.
It was interesting to note that DNI Clapper told the Senate Select Intelligence Committee, in open session on January 10, 2016, that the State Department, in particular its Bureau of Intelligence and Research (INR) was excluded from participating in the preparation of the classified ICA because of “sensitivity of sources.” This seems to be a unique circumstance, as the Senator who asked the question noted; INR analysts possess the highest level of security clearances that grant them access to a broad range of highly classified sources of intelligence.
The implication inherent in DNI Clapper’s revelation is that the classified information relied upon by the Intelligence Community was so specific as to its nature, and so critical and central to the judgments made in the ICA, that it could not be worked around to the extent necessary to shield its specific source from the analysts in the INR.
This exclusion, however, would cut across the entire intelligence community, given the “need to know” caveats attached to most, if not all, sensitive information of this nature. If this was, indeed, the standard applied, then it would also exclude from participation in preparation of the ICA many of the CIA’s own analysts, and most, if not all, of the academics recruited to fill positions within the National Intelligence Council, the arm of the ODNI responsible for overseeing the production of multi-agency assessments like the ICA on Russian involvement in the 2016 presidential election.
If DNI Clapper is telling the truth, then the ICA was prepared in a manner that violated the very tradecraft regarding the preparation of intelligence community analytical products he proudly cited to underpin the credibility of the ICA. It also implies that the intelligence community was comfortable with excluding from one of the most important assessments of Russian intent in modern times the very agency, the Department of State, that deals with the Russians on a broad spectrum of issues on a daily basis, and as such would be ideally positioned to weigh in on issues such as Russian intent — especially that of its leader, Vladimir Putin.
DNI Clapper’s testimony on the lack of INR participation brings to mind his infamous testimony before the very same Senate Select Intelligence Committee, on March 12, 2013, when asked about the existence of a classified intelligence collection program. Rather than declining to comment on the question, Clapper responded simply, “No.” Subsequent disclosures by Edward Snowden showed that Clapper had lied. When confronted with this lie, Clapper explained that he “responded in what I thought was the most truthful, or the least untruthful manner.”
The exclusion of the State Department’s intelligence bureau (historically one of the most insightful and inquisitive members of the Intelligence Community, whose questioning of what otherwise would be consensus opinion is more often than not proven correct — witness the INR footnotes in the 2002 National Intelligence Estimate on Iraqi weapons of mass destruction) should serve as a red flag for Congressional intelligence oversight committees. The Senate Select Intelligence Committee has already established a select group to investigate the intelligence sources used to underpin the ICA; DNI Clapper has promised to support their work.
More important, at least from the perspective of the American public, is the request made by the Chairman of the House Permanent Select Committee on Intelligence, Devin Nunes. In a letter dated December 12, 2016, Chairman Nunes requested DNI Clapper to have the Office of Analytic Integrity and Standards prepare, for release to the committee, an analytic and tradecraft review of any Intelligence Community assessments related to alleged Russian involvement in cyber activities related to the U.S. presidential election. Such an inquiry would delve into the very processes of analysis and assessment, and answer the kind of “who said what, when, and based on what information” questions that would expose any potential politicization of intelligence that may have occurred in the production of the ICA.
In the closing scenes of the classic 1939 movie, “The Wizard of Oz”, Dorothy, played by Judy Garland, confronts the “Wizard,” a giant talking head.
“The Great Oz has spoken!” the giant talking head proclaims.
But one of Dorothy’s companions pulls back a curtain next to the giant head, revealing a short pudgy man manipulating a contraption, and speaking into a microphone. The man — the “Wizard of Oz” — sees Dorothy as he speaks.
“Oh…I…Pay no…attention to that man behind the curtain. The…Great…Oz…has spoken!”
The ICA on Russian influence operations in the 2016 U.S. presidential election has been published, at least in unclassified form. There is a concerted effort by the White House, many members of Congress, and a surprisingly unquestioning American media to accept the ICA and its judgments at face value.
DNI Clapper has spoken, not once, but several times.
It is imperative that Representative Nunes follows through on his request for an analytic and tradecraft review of the ICA, especially when the ICA delves into matters that have been classified by Senator John McCain and others as constituting “an act of war.”
America has a right to know the truth about the man behind the curtain.
Scott Ritter served as an intelligence officer in the U.S. Marines from 1984–1995, specializing in arms control and disarmament in both the former Soviet Union and Iraq. He is the author of numerous books, including the Deal of the Century: How Iran Blocked the West’s Road to War, to be published in March 2017 by Clarity Press.