Despite considerable evidence that points to Russian involvement, the actual identity of the individuals responsible for hacking into Democratic National Committee emails may never be revealed to the public, former U.S. intelligence, law enforcement and national security officials tell Cyberscoop.
While numerous private security firms and unnamed U.S. officials have made it clear they believe the Russian government is behind the breach, the White House is declining to assign official blame until a formal, ongoing FBI investigation concludes.
“We want that [investigation] to be thoughtful, meticulous and unfettered,” White House spokesman Eric Schultz said in a press conference Tuesday, “so I’m not going to do anything from here to prejudice that investigation.”
The decision to publicly disclose the attribution of a cyberattack — as was the case following the Sony-North Korea incident — is typically determined on a “case-by-case basis,” Schultz told reporters.
When deciding upon a course of action, the government will consider the “clarity of evidence pointing to a culprit” and “whether it’s in the United States’ best interest to release that information or not,” Schultz said, briefly referencing a case disclosure procedure that is shrouded in secrecy.
What will qualify as a “clarity of evidence” and “in the U.S.’ best interest” will be defined by a small group of individuals across the executive branch, defense, judicial, law enforcement and intelligence agencies.
The decision is ultimately made by the White House with input from as many departments and agencies as possible, including the State Department.
Simply put, “there are no fixed guidelines” to what should be publicly disclosed in these data breach cases, Sean Kanuck, a former national intelligence officer for cyber issues in the Office of the Director of National Intelligence, told Cyberscoop.
“One could envision a scenario where providing public attribution would show that a government has strong technological bases for identifying the perpetrator,” explained Kanuck. “That would in turn inform the perpetrator — and others — that the operational tactics it used to conceal its activity were not successful.”
On the other hand, public disclosure may cause such a perpetrator to “use different tactics the next time it embarked on clandestine operations, and the victim might not be able to detect those new tactics, techniques and procedures,” Kanuck said.
“Strategic advantage is very context specific,” Kanuck wrote in an email. “It depends on the parties, the timing and the objective.”
Sen. Dianne Feinstein, D-Calif., and Rep. Adam Schiff, D-Calif., urged President Barack Obama to use his authority to disclose the findings of the FBI investigation in a letter they wrote Wednesday to the White House.
The two senior Democratic lawmakers argue that because the DNC hacker is likely a nation-state actor, the American public deserves to know if a foreign regime is targeting the country.
“Given the grave nature of this breach and the fact that it may ultimately be found to be a state-sponsored attempt to manipulate our presidential election, we believe a heightened measure of transparency is warranted,” the letter reads.
Even so, the decision to publicly attribute the attack to Russia — simply because evidence points to government involvement — should not be generalized, according to Nathaniel Gleicher, a former National Security Council director for cybersecurity policy.
Gleicher — who worked alongside White House officials between 2013 and October 2015 to help craft cyber policy — told Cyberscoop that “diplomacy plays a big part” in these decisions given the range of options available, including accelerated intelligence gathering operations, law enforcement action, imposing sanctions and public or private diplomatic negotiations.
“Every situation is unique, so it’s hard to generalize — it depends on the intruder and the circumstances,” Gleicher, now a cybersecurity executive for Silicon Valley-based data management startup Illumio, told Cyberscoop.
For the FBI, this attribution process, according to Milan Patel, a former supervisory special agent of the FBI’s cyber division, will start with an “inter-agency equities check to ensure there are no adverse effects to public disclosure.”
“If the FBI — through coordination and approval from the Department of Justice and White House — plans to make attribution, it will provide details to other operational agencies to ensure release of the information won’t disrupt ongoing investigations or operations.”
“The equities check usually requires operational, legal, and policy personnel to weigh in for each agency. The goal could be deterrence, political or operational,” Patel said.
Tim Edgar, the first data privacy officer for the White House, agrees with Feinstein and Schiff.
Edgar believes public attribution in this case is not only recommended but necessary. In an email, Edgar wrote: “there is no reason to believe saying that ‘The Russians are behind it’ would have any impact on the investigation or on intelligence sources and methods. [FBI Director] Jim Comey and other national security officials should not be coy about calling out Putin for what seems to be a blatant effort to subvert the American political process.”
“The public should know what is going on before the election.”
Earlier this month, during a House Oversight Subcommittee hearing chaired by Rep. Will Hurd, R-Texas, House lawmakers also sought to learn more about whether and where a red line exists in the digital realm, and whether, for example, certain behavior warrants a kinetic, military response.
A panel of prominent cybersecurity experts — which included Kanuck, former NSA director Keith Alexander and State Department Coordinator for Cyber Issues Chris Painter — testified before the committee to address how they believe the U.S. government should respond to various cyber attacks.
Broadly, these experts said that any response should consider an attack’s intent, context and resulting damage, and whether accurate attribution is truly possible. Once again, the topic of public cybersecurity case disclosure was defined as a strategic tool rather than a default responsibility.
In a phone interview, Hurd, a former undercover CIA officer, said, “While I can fully appreciate the need for secrecy and to make these decisions on a case-by-case basis, there really needs to be more transparency here on the policy side so that people at least have an expectation for what is considered.”
“North Korea’s 2014 cyber attack against Sony Pictures Entertainment, for example, which rendered thousands of computers inoperable and was intended to interfere with the exercise of freedom of expression and inflict significant harm on a U.S. business, represented behavior in cyberspace that is simply unacceptable,” Painter wrote in a prepared hearing testimony.
“This, in combination with the strength of the evidence linking North Korea to the cyber attack, contributed to the U.S. government’s decision to make a public attribution in that case,” Painter’s testimony reads. “However, the U.S. government also maintains the flexibility to avail itself of the other options.”
“We know Russia is in it for the long game, so each attack is not treated in isolation but as a part of a greater investigative effort that looks much like a game of chess. As in chess, you might know your opponent’s next move, but you won’t announce it because you are planning your counter move,” said Patel, now managing director in K2 Intelligence’s Cyber Investigations & Defense practices.