Last summer, cyber investigators plowing through the thousands of leaked emails from the Democratic National Committee uncovered a clue.
A user named “Феликс Эдмундович” modified one of the documents using settings in the Russian language. Translated, his name was Felix Edmundovich, a pseudonym referring to Felix Edmundovich Dzerzhinsky, the chief of the Soviet Union’s first secret-police organization, the Cheka.
It was one more link in the chain of evidence pointing to Russian President Vladimir Putin as the man ultimately behind the operation.
During the Cold War, when Soviet intelligence was headquartered in Dzerzhinsky Square in Moscow, Putin was a KGB officer assigned to the First Chief Directorate. Its responsibilities included “active measures,” a form of political warfare that included media manipulation, propaganda and disinformation. Soviet active measures, retired KGB Major General Oleg Kalugin told Army historian Thomas Boghart, aimed to discredit the United States and “conquer world public opinion.”
As the Cold War has turned into the code war, Putin recently unveiled his new, greatly enlarged spy organization: the Ministry of State Security, taking the name from Joseph Stalin’s secret service. Putin also resurrected, according to James Clapper, the U.S. director of national intelligence, some of the KGB’s old active- measures tactics.
On October 7, Clapper issued a statement: “The U.S. Intelligence community is confident that the Russian government directed the recent compromises of emails from U.S. persons and institutions, including from U.S. political organizations.” Notably, however, the FBI declined to join the chorus, according to reports by the New York Times and CNBC.
A week later, Vice President Joe Biden said on NBC’s Meet the Press that “we’re sending a message” to Putin and “it will be at the time of our choosing, and under the circumstances that will have the greatest impact.” When asked if the American public would know a message was sent, Biden replied, “Hope not.”
Meanwhile, the CIA was asked, according to an NBC report on October 14, “to deliver options to the White House for a wide-ranging ‘clandestine’ cyber operation designed to harass and ‘embarrass’ the Kremlin leadership.”
But as both sides begin arming their cyberweapons, it is critical for the public to be confident that the evidence is really there, and to understand the potential consequences of a tit-for-tat cyberwar escalating into a real war.
This is a prospect that has long worried Richard Clarke, the former White House cyber czar under President George W. Bush. “It’s highly likely that any war that began as a cyberwar,” Clarke told me last year, “would ultimately end up being a conventional war, where the United States was engaged with bombers and missiles.”
The problem with attempting to draw a straight line from the Kremlin to the Clinton campaign is the number of variables that get in the way. For one, there is little doubt about Russian cyber fingerprints in various U.S. campaign activities. Moscow, like Washington, has long spied on such matters. The United States, for example, inserted malware in the recent Mexican election campaign. The question isn’t whether Russia spied on the U.S. presidential election, it’s whether it released the election emails.
Then there’s the role of Guccifer 2.0, the person or persons supplying WikiLeaks and other organizations with many of the pilfered emails. Is this a Russian agent? A free agent? A cybercriminal? A combination, or some other entity? No one knows.
There is also the problem of groupthink that led to the war in Iraq. For example, just as the National Security Agency, the Central Intelligence Agency and the rest of the intelligence establishment are convinced Putin is behind the attacks, they also believed it was a slam-dunk that Saddam Hussein had a trove of weapons of mass destruction.
Consider as well the speed of the political-hacking investigation, followed by a lack of skepticism, culminating in a rush to judgment. After the Democratic committee discovered the potential hack last spring, it called in the cybersecurity firm CrowdStrike in May to analyze the problem.
CrowdStrike took just a month or so before it conclusively determined that Russia’s FSB, the successor to the KGB, and the Russian military intelligence organization, GRU, were behind it. Most of the other major cybersecurity firms quickly fell in line and agreed. By October, the intelligence community made it unanimous.
That speed and certainty contrasts sharply with a previous suspected Russian hack in 2010, when the target was the Nasdaq stock market. According to an extensive investigation by Bloomberg Businessweek in 2014, the NSA and FBI made numerous mistakes over many months that stretched to nearly a year.
“After months of work,” the article said, “there were still basic disagreements in different parts of government over who was behind the incident and why.” There was no consensus, with just a 70 percent certainty that the hack was a cybercrime. Months later, this determination was revised again: It was just a Russian attempt to spy on the exchange in order to design its own.
The federal agents also considered the possibility that the Nasdaq snooping was not connected to the Kremlin. Instead, “someone in the FSB could have been running a for-profit operation on the side, or perhaps sold the malware to a criminal hacking group.”
Again, that’s why it’s necessary to better understand the role of Guccifer 2.0 in releasing the Democratic National Committee and Clinton campaign emails before launching any cyberweapons.
It is strange that clues in the Nasdaq hack were very difficult to find ― as one would expect from a professional, state-sponsored cyber operation. Conversely, the sloppy, Inspector Clouseau-like nature of the Guccifer 2.0 operation, with someone hiding behind a silly Bolshevik cover name, and Russian language clues in the metadata, smacked more of either an amateur operation or a deliberate deception.
Then there’s the Shadow Brokers, that mysterious person or group that surfaced in August with its farcical “auction” to profit from a stolen batch of extremely secret NSA hacking tools, in essence, cyberweapons. Where do they fit into the picture? They have a small armory of NSA cyberweapons, and they appeared just three weeks after the first DNC emails were leaked.
On Monday, the Shadow Brokers released more information, including what they claimed is a list of hundreds of organizations that the NSA has targeted over more than a decade, complete with technical details. This offers further evidence that their information comes from a leaker inside the NSA rather than the Kremlin.
The Shadow Brokers also discussed Obama’s threat of cyber retaliation against Russia. Yet they seemed most concerned that the CIA, rather than the NSA or Cyber Command, was given the assignment. This may be a possible indication of a connection to NSA’s elite group, Tailored Access Operations, considered by many the A-Team of hackers.
“Why is DirtyGrandpa threating CIA cyberwar with Russia?” they wrote. “Why not threating with NSA or Cyber Command? CIA is cyber B-Team, yes? Where is cyber A-Team?”
Because of legal and other factors, the NSA conducts cyber espionage, Cyber Command conducts cyberattacks in wartime, and the CIA conducts covert cyberattacks.
The Shadow Brokers connection is important because Julian Assange, the founder of WikiLeaks, claimed to have received identical copies of the Shadow Brokers cyberweapons even before they announced their “auction.” Did he get them from the Shadow Brokers, from Guccifer, from Russia or from an inside leaker at the NSA?
Despite the rushed, incomplete investigation and unanswered questions, the Obama administration has announced its decision to retaliate against Russia. But a public warning about a secret attack makes little sense. If a major cyber crisis happens in Russia sometime in the future, such as a deadly power outage in frigid winter, the United States could be blamed even if it had nothing to do with it.
That could then trigger a major retaliatory cyberattack against the U.S. cyber infrastructure, which would call for another reprisal attack ― potentially leading to Clarke’s fear of a cyberwar triggering a conventional war. President Barack Obama has also not taken a nuclear strike off the table as an appropriate response to a devastating cyberattack.
In August 2009, there was a massive turbine explosion in a power plant at the Sayano-Shushenskaya Dam, on the Yenisei River, in a remote part of the Russian Republic of Khakassia. Cyberwarfare was suspected. It is the ninth-largest hydroelectric plant in the world, more than three times the size of Hoover Dam, and supplies thousands of square miles of western Russia with electricity. Seventy-five people were killed, and the dam, with 30 million tons of water pressure pushing against its 80-story-tall curved cement wall, was in danger of collapsing, potentially drowning thousands of people down river.
It was determined that the explosion was caused by computer code sent from hundreds of miles away. But how or why was the question. Even within U.S. Cyber Command, there were grave concerns about the blast. One Army study that discussed the explosion referred to Marine General Robert E. Schmidle, the deputy commander of Cyber Command, and suggested that he had “speculated this was a possible network attack.”
Shortly after the power-plant explosion, computers at the U.S. Department of the Interior were targeted and an unknown hacker stole a sensitive index of vulnerabilities at thousands of U.S. dams.
Russian engineers conducted a long investigation and concluded that the code was sent by accident from another Russian power plant. Nonetheless, U.S. Army General Keith Alexander, the commander of Cyber Command and director of the NSA, brought up the explosion during a conference and warned, “That’s our concern about what’s coming in cyberspace, a destructive element. It’s coming. It’s a question of time.”
If something similar were to happen following Biden’s warning, the Russians could assume the worst and launch a deadly counterattack, rather than wait months for the results of an investigation.
By now, Obama should also be wise enough not to trust the advice of his spy chiefs when it comes to cyber conflict. At the start of his first term, he authorized the Stuxnet cyberattack that destroyed about a thousand of Iran’s centrifuges used for enriching uranium. This was an illegal act of war, and the first instance of cyberwar.
Obama was told that the computer viruses would not escape the facility, would not affect any other computers if they did escape, and would never be traced back to the United States in any case.
All three claims turned out to be incorrect. The viruses did escape, they infected tens of thousands of computers in many countries and they were quickly traced back to the United States. The operation was also a bust: It destroyed a small fraction of the intended centrifuges and only slightly delayed Iran’s enrichment. It also caused Iran to create its own cyber command and retaliate by destroying 30,000 computers belonging to a U.S. oil supplier. U.S. banks were also attacked.
Rather than launch a dangerous covert cyberattack with unknown consequences ―as the administration did against Iran ― it would be far wiser for Obama to press for further economic sanctions, as the administration did with North Korea. At the same time, Washington could begin focusing on cyber defense, long neglected as billions go instead to cyber offense.
“I think the public believes that the U.S. government – Cyber Command, NSA, FBI, Homeland Security – has the capability to defend the electric power grid, pipelines, trains, banks that could be attacked by other nations through cyber,” Clarke told me. “The truth is the government doesn’t have the capability, doesn’t have the legal authority and doesn’t have a plan to do it.”
Washington could also begin exploring new Internet and cyber technologies that are not as easy to attack and destroy, as well as opening an international dialogue on ways to achieve cyberarms control.
“People say that’s going to be very, very difficult and verification will be very, very hard,” said Clarke. “I heard that a long time ago about nuclear arms control and then about chemical-arms control – about biological-arms control. But we achieved all of those . . . . Therefore, we should start talking about cyberarms control and cyber peace now.”
Starting with Vietnam, the list of wars the United States has entered with disastrous results continues to grow. Engaging Russia in a potentially endless cyberwar based on questionable evidence will only make it longer. It’s time to find better alternatives.
James Bamford is the author of The Shadow Factory: The Ultra-Secret NSA From 9/11 to the Eavesdropping on America. He is a columnist for Foreign Policy magazine.