Several days ago, half jokingly, Edward Snowden gave the best advice on how to determine whether Russia was indeed, as the media has already decided, behind the hack of first the Democratic National Committee, then the Democratic Congressional Campaign Committee and, as of last night, the Hillary presidential campaign itself. This is what Snowden said in a July 25 tweet: "Evidence that could publicly attribute responsibility for the DNC hack certainly exists at #NSA, but DNI traditionally objects to sharing. The aversion to sharing #NSA evidence is fear of revealing "sources and methods" of intel collection, but #XKEYSCORE is now publicly known."
It appears that the NSA has taken Snowden up on his advice, because as ABC reports, U.S. government hackers at the National Security Agency are now targeting Russian government-linked hacking teams "to see once and for all if they're responsible for the massive breach at the Democratic National Committee." ABC cited three former senior intelligence officials. It's a job that the current head of the NSA's elite hacking unit said they've been called on to do many times before, ABC notes.
Robert Joyce, chief of the NSA's shadowy Tailored Access Operations, declined to comment on the DNC hack specifically, but said in general that the NSA has technical capabilities and legal authorities that allow the agency to "hack back" suspected hacking groups, infiltrating their systems to gather intelligence about their operations in the wake of a cyber attack.
"In terms of the foreign intelligence mission, one of the things we have to do is try to understand who did a breach, who is responsible for a breach," Joyce told ABC News in a rare interview this week. "So we will use the NSA's authorities to pursue foreign intelligence to try to get back into that collection, to understand who did it and get the attribution. That's hard work, but that's one of the responsibilities we have." Meanwhile, the NSA has deferred questions about its potential involvement in the DNC hack investigation to the FBI, which is the leading agency in that probe. Representatives for the bureau have not returned ABC News' request for comment. Lisa Monaco, President Obama's homeland security and counterterrorism advisor whose responsibilities include cyber policy, declined to comment.
As we reported last week, a former senior U.S. official said it was a "fair bet" the NSA was using its hackers' technical prowess to infiltrate two Russian hacking teams that the cybersecurity firm Crowdstrike alleged broke into the DNC's system and were linked to two separate Russian intelligence agencies, as first reported by The Washington Post. In some past unrelated cases, the former official said, NSA hackers have been able to watch from the inside as malicious actors conduct their operations in real time.
So are the US and Russia now in a state of cyberwar?
Rajesh De, former general counsel at the NSA, said that if the NSA is targeting the Russian groups, it could be doing it under its normal foreign intelligence authorities, as the Russian government is "clearly... a valid intelligence target." Or the NSA could be working under the FBI's investigative authority and hacking the suspects' systems as part of technical support for investigators, said De, now head of the cyber security practice at the law firm Mayer Brown.
While U.S. officials have told news outlets anonymously they concur with Crowdstrike and other private cybersecurity firms who have pointed to Russian culpability, the U.S. government has declined to publicly blame the Russians. The Russian government has said the hacking allegations are "absurd". Director of National Intelligence James Clapper told the audience at the Aspen Security Forum Thursday that the U.S. intelligence community was "not quite ready to make a call on attribution," though he said there were "just a few usual suspects out there." The next day CIA Director John Brennan said that attribution is "to be determined" and a lot of people were "jumping to conclusions."
Professional hackers often use proxies, Brennan said, so investigators have to make two or three "hops" before tracing cyber attacks back to a state's intelligence agency, which makes the attribution process more difficult.
The NSA's Joyce said that in general it's very difficult to properly frame someone for a complex attack, since too many details have to be exactly right, requiring a tremendous amount of expertise and precision. But Joyce said that before the U.S. government pins blame on anyone for a cyber attack publicly, the evidence has to pass an "extremely high bar." So when they do come forward, he said, perhaps based on the results of attribution techniques that have not been publicly described, "You should bank on it."
For some, however, there is no doubt that Putin is "desperate" to crush the Democrats and to install his "puppet" Trump as the next US president, or something... People like Michael Buratowski, the senior vice president of cybersecurity services at Fidelis Cybersecurity, who said the evidence pointing to the Russians was so convincing, "it would have had to have been a very elaborate scheme" for it really to have been anyone else.
Kenneth Geers, a former cyber analyst at the Pentagon who recently published a book about Russian cyber operations, told ABC News earlier this week that he didn't necessarily doubt it was the Russians, but said that even in the best cases when doing cyber investigations, "You can have a preponderance of evidence -- and in nation-state cases, that’s likely what you’ll have -- but that’s all you’ll have."
That, he said, opens the possibility, however remote, that a very clever hacker or hacking team could be framing the Russians.
Someone as clever as the NSA perhaps, the same NSA which is using the unconfirmed "Russian" hack to counterhack the Russians now, in what someone may be tempted to call a false flag escalation, meant to lead to just one thing: a conventional response from the Kremlin.
* * *
Meanwhile, earlier today, Russia's intelligence service said on Saturday that the computer networks of 20 organizations, including state agencies and defense companies, have already been infected with spyware in what it described as a targeted and coordinated attack. The Federal Security Service, the FSB, said the malware and the way the networks were infected were similar to those used in previous cases of cyber espionage found in Russia and other countries. The agency did not say who it suspected of being behind the attacks.
Now that the NSA is actively "hacking" Russia, however, we doubt that what is rapidly emerging as the first official cyberwar between the world's two hacking superpowers will remain under wraps for long. We can only hope that said war remains in the cyber domain.