Intel Report on Russia is as Close as it Comes to Absolute Certainty

Ned Carmody
Former Case Officer, CIA

Nearly everyone now accepts that Russia attempted to interfere with the U.S. electoral process with the aim of harming Hillary Clinton’s presidential campaign. Even President Donald Trump has grudgingly admitted that Russia was behind the hacking of the Democratic National Committee. But for a long, long time – far too long – Trump repeatedly dismissed the evidence, saying the intelligence agencies had no idea where the attacks came from, that “it could have been a 14-year-old kid sitting on a bed somewhere.” Trump continued to repeat such comments long after he must have known better.

At the recent G-20 summit, Trump again seemed to back away from the findings of the intelligence community by alluding to the possible involvement of countries other than Russia. As numerous commentators pointed out, how could the U.S. president press Russian President Vladimir Putin on the issue, when Trump himself did not seem to accept the evidence? Any lingering doubts about the Russian origin of the hacking during the 2016 campaign should be put to bed.

First, confident attribution of those behind hacks is possible. Much like an art lover doesn’t need to look at the signature to tell the difference between a Picasso and a Rembrandt, intelligence agencies investigating a computer breach can, with the right knowledge, determine who was conducting the cyber attack. Artists have vastly different styles. They use distinctly different techniques, brush strokes, and colors. Even the subject matter is vastly different. Similarly, hackers have distinct signatures and techniques, and cybersecurity experts can differentiate between the works of different cyber actors.  Russian hackers are known to use certain tools, algorithms, malware, botnets and source code – all readily identifiable as Russian.

The intelligence community’s report on Russian cyber intrusions identified specific individuals and institutions as culprits. The report wasn’t just a general finger-pointing at Russia – we knew who was behind the actions.

In another instance in 2013, the computer security company Mandiant, which has since been acquired by FireEye, tracked Chinese intrusions into a broad range of U.S. private sector computer networks to a specific military unit in China: People’s Liberation Army (PLA) Unit 61398, operating under the 2nd Bureau of the General Staff Department (GSD) Third Department. The Mandiant investigation even identified specific individuals in PLA Unit 61398 behind the Chinese hacks, including the notorious Wang Dong.

Other than the Chinese government, no one challenged the accuracy of the Mandiant report. If a private sector company had the capability to identify the culprits behind cyber intrusions into U.S. computers in 2013, why would anyone doubt the U.S. federal government’s ability to do the same now? In May 2014, the U.S. Department of Justice announced an indictment of five PLA Unit 61398 officers for theft of confidential business information and intellectual property from U.S. corporations. In 2015 the Chinese government, which had previously followed a policy of denial to all U.S. complaints – commonly claiming that “hacking is illegal in China, we are the victims, you, America, are the cyber experts” – reversed its position and openly admitted to having cyber warfare units in both the military and the civilian sector of the government.

In another example, an employee of the information security company Crowdstrike, which works closely with the U.S. Defense Department, said publicly that his company had been monitoring a U.S. computer while an intrusion was underway. The employee indicated that the hackers were using a special tool used only by Russians. In addition, some of the source code left behind reportedly contained Cyrillic letters.

What the Crowdstrike technician didn’t mention publicly is one of the fun facts of cyber espionage: If someone hacks in, you can “hack back,” particularly if you catch the bad guy in the act. By hacking in, a channel has been opened – a channel that goes both ways. If an adversary’s probe is sending data back to its home base – the whole point of hacking in – it is possible to attach code of your own to the data flow and to trace exactly where that data goes. Without access to classified material, we have no way of knowing if that is what actually happened, but it seems likely.  Our surety and exact identification of Russian players had to come from somewhere.

Finally, the intelligence community’s report carried a “High Confidence” imprimatur, meaning the analysts were highly confident in the assessment presented based on multiple sources of intelligence. Such confidence is as good as it gets in the intelligence world.  Analysts are notoriously gun-shy; they hate to commit to anything without some degree of waffling. Instead, analysts are prone to saying things like, “well, if the laws of physics stay in effect and if the creek don’t rise, we are reasonably certain the sun will set in the West tomorrow.’’

For the report’s conclusion to be stated with “High Confidence” means it is exactly what the analysts believe happened. Nothing is certain under the sun, but the analysts were saying they were pretty darn sure about this one – as close as it comes to absolute certainty. For anyone to dismiss the report out of hand – which President Trump has repeatedly – is irresponsible.

The Author is Ned Carmody

Ned Carmody served as a case officer in the CIA's Directorate of Operations for nearly 28 years. His career included interagency assignments to NSA, the FBI's National Joint Terrorism Task Force, the U.S. Army War College and the Office of the Director of National Intelligence.

Learn more about The Cipher Brief's Network here.


Share your point of view

Your comment will be posted pending moderator approval. No ad hominem attacks will be posted. Your email address will not be published. Required fields are marked *