On NCCIC/FBI Joint Report JAR-16-20296

Social media is rife with analysis of an FBI joint report on Russian malicious cyber activity, and whether or not it provides sufficient evidence to tie Russia to election hacking. What most people are missing is that the JAR was not intended as a presentation of evidence, but rather a statement about the Russian compromises, followed by a detailed scavenger hunt for administrators to identify the possibility of a compromise on their systems. The data included indicators of compromise, not the evidentiary artifacts that tie Russia to the DNC hack.

One thing that’s been made clear by recent statements by James Clapper and Admiral Rogers is that they don’t know how deep inside American computing infrastructure Russia has been able to get a foothold. Rogers cited his biggest fear as the possibility of Russian interference by injection of false data into existing computer systems. Imagine the financial systems that drive the stock market, criminal databases, driver’s license databases, and other infrastructure being subject to malicious records injection (or deletion) by a nation state. The FBI is clearly scared that Russia has penetrated more systems than we know about, and has put out pages of information to help admins go on the equivalent of a bug bounty.

Everyone knows that when you open a bug bounty, you get a flood of false positives, but somewhere in that mess you also get some true positives; some real data. What the government has done in releasing the JAR is made an effort to expand their intelligence by having admins look for (and report on) activity that looks like / smells like the same kind of activity they found happening with the DNC. It’s well understood this will include false positives; the Vermont power grid was a great example of this. False positives help them, too, because they help to shore up the indicators they’re using by providing more data points to correlate. So whether they get a thousand false positives, or a few true ones in there, all of the data they receive is helping to firm up their intelligence on Russia, including indicators of where Russia’s interests lie.

Given that we don’t know how strong a grasp Russia has on our systems, the JAR created a Where’s Waldo puzzle for network admins to follow that highlights some of the looser indicators of compromise (IP addresses, PHP artifacts, and other weak data) that don’t establish a link to Russia, but do make perfect sense for a network administrator to use to find evidence of a similar compromise. The indicators that tie Russia to the DNC hack were not included in the JAR and are undoubtedly classified.
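To make the "weak indicator" point concrete, here is an added example (not code from the post, and not based on the JAR's actual indicator list) of the kind of scavenger hunt an admin runs: a small Python script that matches a JAR-style indicator sheet against web-server logs and scores each hit by context. The indicator feed and the log lines are constructed (RFC 5737 documentation addresses, an invented PHP path); the scoring thresholds are an assumption for illustration. The takeaway is the one the post makes: an IP or path match on its own is noise or, at best, a weak lead, and only the surrounding fields (method, status, which other indicators co-occur) justify escalating.

```python
"""Match a JAR-style indicator sheet against Apache combined log lines and
score each hit by context.  Demonstrates why a bare IP/path match is a weak
indicator: the same IoC hits benign and suspicious traffic alike."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator feed: type,value,note (documentation IP ranges,
# invented PHP artifact path; NOT taken from the real JAR).
IOC_FEED = """\
ipv4,203.0.113.10,C2 relay
ipv4,198.51.100.0/24,shared hosting range
path,/wp-content/uploads/cache.php,PHP artifact
"""

# Constructed Apache "combined" log lines for the hunt.
LOG_LINES = [
    '198.51.100.77 - - [30/Dec/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [30/Dec/2016:10:03:17 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 33 "-" "curl/7.47.0"',
    '192.0.2.55 - - [30/Dec/2016:10:04:40 +0000] "GET /wp-content/uploads/cache.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [30/Dec/2016:10:05:01 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    line: str
    matched: list   # human-readable list of indicators that fired
    score: int
    verdict: str    # "noise", "weak" or "investigate" (assumed thresholds)


def load_iocs(feed: str):
    """Parse the CSV-style sheet into (network, note) pairs and a path dict."""
    nets, paths = [], {}
    for row in feed.strip().splitlines():
        kind, value, note = row.split(",", 2)
        if kind == "ipv4":
            # strict=False lets a bare host address become a /32 network
            nets.append((ipaddress.ip_network(value, strict=False), note))
        elif kind == "path":
            paths[value] = note
    return nets, paths


def parse_line(line: str):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines, feed: str = IOC_FEED):
    """Run every indicator over every parseable line; return one Finding per hit."""
    nets, paths = load_iocs(feed)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        matched, score = [], 0
        ip = ipaddress.ip_address(rec["ip"])
        for net, note in nets:
            if ip in net:
                matched.append(f"ip:{net} ({note})")
                # membership in a shared range is worth less than a single host hit
                score += 2 if net.prefixlen == 32 else 1
        if rec["path"] in paths:
            matched.append(f"path:{rec['path']} ({paths[rec['path']]})")
            score += 2
            # the artifact exists (200) and was POSTed to: strongest context here
            if rec["status"] == "200" and rec["method"] == "POST":
                score += 2
        if not matched:
            continue
        verdict = "investigate" if score >= 4 else "weak" if score >= 2 else "noise"
        findings.append(Finding(line, matched, score, verdict))
    return findings


if __name__ == "__main__":
    for f in hunt(LOG_LINES):
        print(f"[{f.verdict:11}] score={f.score} {f.matched}\n    {f.line}")
```

Run on the constructed lines, the two hits in the shared-hosting range come out as noise, the GET to the PHP path that returned 404 is a weak lead, and only the POST from the single-host indicator to a live copy of the artifact is flagged for investigation. A real hunt would enrich the same way with whatever the admin knows about their own environment (legitimate hosting providers, known scanners, local file inventory), which is exactly the data the post describes admins feeding back.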

There are many good reasons not to release evidentiary artifacts to the public. For starters, tradecraft is easy to alter. The quickest way to get Russia to fall off our radars is to tell them exactly how we’re tracking them, or what indicators we’re using for attribution. It’s also a great way to get other nation states to dress up their own tradecraft to mimic Russia to throw off our attributions of their activities (false flag operations). Secondly, it releases information about our [classified] collection and penetration capabilities. As much as Clapper would like to release evidence to the public, the government has to be very selective about what gets released, because it speaks to our capabilities. Both Clapper and Congress acknowledged that we have a “cyber presence” in several countries and that those points of presence are largely clandestine. In other words, we’ve secretly hacked the Russians, and probably many other countries, and releasing the evidence we have on Russia could burn those positions.

Consider this: Perhaps we have collection not only from the DNC’s systems, located in the United States, but also from other endpoints inside Russia (or other countries), from C2 servers, or even from uplinks directly back to the Kremlin. Perhaps we can account for the entire picture based on global collection of traffic, but releasing evidence of that will directly hamper our ability to perform these types of collections in the future. There’s no doubt that Clapper is being very careful about what he says. If we can intercept comms of Russian leaders celebrating Trump’s election, we likely can also intercept the network traffic coming back to the Kremlin.

Looking at how various agencies are in agreement on this subject, and given the FBI’s recent and obvious agenda to influence the elections themselves in the Republicans’ favor, it will not surprise me at all to find that there is credible evidence linking Russia to all of this. While possible, I don’t get the impression that the FBI is simply trying to wag the dog to distract from their own proclivities. CrowdStrike’s involvement certainly helps to make their findings believable. At the same time, we’ll probably never hear about much of it directly. What the government could do, and should do, however, is an independent peer review of both CrowdStrike’s findings and their own; this would allow them the luxury of continuing to compartmentalize the classified indicators and artifacts they’ve established, but also build the confidence of the public in general. There are a number of third-party research arms capable of doing this. To name a few: MITRE Corporation has a long history of working with the intelligence community, has the experience in-house to peer-review these findings, and has the clearances already in place to make sure that data is never leaked. MIT Lincoln Labs also has a cyber arm more than capable of reviewing this data, as do a number of universities that are actively doing this type of work for the government already.

We don’t ever need to see the data, at least until the indicators and the capabilities behind them become obsolete. In fact, even if we saw the data today, most information security experts still wouldn’t be able to agree on it. To interpret this data correctly, you need not only expert cyber warfare experience, but also years of intelligence on Russia (and maybe other countries), full knowledge of our capabilities and where our points of presence are, and a lot of other intel that will likely always remain classified. Giving the evidence we have on the DNC attack to security experts, without the rest of the intelligence to go with it, would be like giving spaghetti to a baby. That’s why we both need and are benefiting from a Director of National Intelligence on this matter.

What we do need to see, however, are independent reviews by people with the experience. Look to the FFRDCs for that kind of expertise. Many of the experts in this space are seasoned career intelligence people, detached enough from government to be impartial in their research, but close enough to government to be able to review the intel that the security community at large will never see.