Defense and Security

Intelligence

  • France
    Shouting at Americans: A Peek Into French Signals Intelligence
    Alex Grigsby is the assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations.

    Something remarkable happened a few months ago. Bernard Barbier, the former head of signals intelligence (SIGINT) between 2006 and 2014 at France’s foreign intelligence agency (DGSE), gave a speech at one of France’s top engineering schools in which he reflected on his career and imparted some of his wisdom to students. He also said some things that he probably shouldn’t have, like confirming that France was behind the Animal Farm advanced persistent threat, commenting on the SIGINT capabilities of European allies, and reacting to the revelation that the U.S. National Security Agency (NSA) had compromised the networks of the French presidency. Last week, Barbier’s speech surfaced on YouTube but was quickly taken down (UPDATE: A new version of the video is up here. H/T Boing Boing). However, it was up long enough for French daily Le Monde to transcribe some of the highlights. Here they are, paraphrased and translated from the original French.

    1. "I got the order from Mr. Sarkozy’s successor [current President Hollande] to shout at the Americans ... it was a great moment in my professional career"

    Barbier recalls that he was first informed of a possible compromise at the Élysée palace in 2012, when a former colleague working IT security at the palace reached out for analysis on a piece of malware. With the help of a new metadata capability the French obtained in 2012 and Edward Snowden’s revelation of the NSA’s QUANTUM capability in 2013, Barbier’s staff concluded that the attack on the Élysée was the work of the United States. Barbier recalls:

        I received the order from Mr. Sarkozy’s successor to go to shout at the Americans. It was on April 12, 2013 and it was really a great moment in my professional career. We were convinced it was them. At the end of the meeting, Keith Alexander [director of the NSA from 2005 to 2014] was not happy. While we were in the bus, he told me he was disappointed because he never thought they would have been caught. He added: "You are pretty good." As allies, we didn’t spy on them. The fact that the Americans broke this rule took us by surprise.

    2. "And yes, it was a Frenchman"

    In 2014, Le Monde published documents from the Snowden archive revealing that Canada’s SIGINT agency, the Communications Security Establishment (CSE), suspected that Paris was behind a cyber espionage campaign that began in 2009 targeting Iran’s nuclear program but also targeting computers in Canada. CSE was able to attribute the campaign to the French based on some reverse engineering revealing that the malware developer used references to a French children’s cartoon character, Babar the Elephant. That reference also led Kaspersky to baptise the malware Animal Farm. Barbier recalls that CSE "concluded that he [the malware author] was French. And yes, it was a Frenchman."

    3. The pipe dream of a united European intelligence agency and the possibility of merging French and German intelligence

    In one of the more surprising aspects of Barbier’s speech, he mused about the possibility of creating a European intelligence agency but quickly dismissed the notion, noting that only a fusion of the French and German intelligence agencies would be feasible.

        It is impossible to build a single European intelligence agency with twenty-eight countries that don’t have the same capabilities or the same culture. The best, by population size, are the Swedes. The Italians are bad. The Spanish are a bit better, but don’t have the capabilities. And the Brits, with 6,500 staff at GCHQ [Government Communications Headquarters, the UK SIGINT agency] are very good, but are they European? And France has the strongest technical capabilities for intelligence collection in continental Europe.

        That leaves the Germans, who are solid partners. I’ve worked a lot with them, sometimes transmitting our knowhow and bringing them some technical capability. German and French engineers work very well together. In contrast, a British engineer with a French engineer is complicated. To be more effective, I told French politicians that we had to merge the BND [the German foreign intelligence agency] and the DGSE. It’s the only solution. It would be an agency with 15,000 staff. The NSA has 60,000 people, and the SIGINT section of the DGSE is 3,000 agents. But the French politicians never followed up.

    Merging the BND and the DGSE would have made for some awkward conversations given that last year, news reports revealed that the BND had been spying on France.

    4. Snowden is a traitor that "rather helped us"

    Finally, Barbier gives his opinion on Edward Snowden, presumably in response to a question from the audience.

        For me, Snowden is a traitor to his country, but he has nothing to do with Julian Assange. The Americans made Snowden, who was an external contractor, a systems administrator. Those who do that job in the DGSE are bureaucrats that have between fifteen and twenty years of seniority. The possibility of having a Snowden in France is very low. Snowden showed that espionage between allies existed and that the Americans compromised hardware, such as that sold by Cisco, which poses a problem for technological independence. In that sense, Snowden rather helped us.
  • United States
    The State of Intelligence: Fifteen Years After 9/11
    Experts discuss developments in counterterrorism and intelligence gathering in the past fifteen years, including lessons learned since the September 11, 2001 terrorist attacks.
  • Cybersecurity
    Congress Needs to Warn Russia on Election Interference
    Responding to reports that Russian hackers stole voter lists in Arizona and Illinois, federal officials are scrambling to help states protect voting systems from cyberattacks in the next sixty days. Secretary of Homeland Security Jeh Johnson has warned election officials in all fifty states that voting systems could be compromised and offered federal support. Private cybersecurity firms have offered assistance on a pro bono basis, as have a large number of white hat hackers.

    Yet the enormity of the challenge raises questions about the feasibility of making voting systems immune from cyberattack before election day. According to the New York Times, some 9,000 jurisdictions have a role in overseeing voting. An accurate count of the number of polling places, let alone the numbers and types of voting machines, does not exist. While the National Institute of Standards and Technology has issued guidance on securing them (hint: don’t connect them to the internet), the ability of election officials to thwart an advanced and dedicated adversary like Russia is limited. Even disconnecting systems is no panacea. If Russia were motivated enough, a Stuxnet-like piece of malware could be introduced into systems.

    More likely than not, Russia will not go to those lengths. Instead of a multiyear campaign carried out by the FSB, the Kremlin is more likely to employ some of its favorite patriotic hackers to conduct less sophisticated but still disruptive attacks. As former National Security Council official Richard Clarke and others have hypothesized, Russia could create chaos on election day simply by deleting voters from voter lists. These individuals would be forced to cast provisional ballots, causing delays at voting lines and throwing into doubt early election results.

    In short, efforts to fortify our voting system so it will deflect any attempt by Russia to interfere with it are likely to fall short. Instead, Russia must be deterred from making the attempt. That begins and ends with Congress.

    Normally, the standard operating procedure following the leaked details of an FBI investigation would be some strong words at a White House press briefing, possibly followed by a formal rebuke from the State Department. Given the partisan nature of the issue and President Obama’s outspoken support for Secretary Clinton, Moscow is likely to interpret his administration’s threats as empty. Meddling in the election could, after all, replace the current commander-in-chief with someone who continues to praise Putin. That is why Congress must take the first step in coordination with the Obama administration.

    Congress should issue a resolution condemning interference in our election by cyber or other means, accompanied by a joint statement of the leaders of the House and Senate. The resolution should make clear that the United States will regard any foreign attempt to interfere with the outcome of the election as a hostile act. It must be clear that Congress will support the use of all instruments of national power in response to any attempt. At press briefings, when reporters ask if Congress would support military action against Russia, Congressional leaders should refuse to take any responses off the table.

    The resolution must demand that Russia provide assistance to the FBI in investigating the two known incidents and actively pursue investigations into other incidents. It must be clear that Washington will hold Moscow responsible for any attacks on the election coming out of Russia. The actions of patriotic hackers will be treated as if they were launched by Putin from his desktop computer. Failure to assist in investigations will be taken as evidence of culpability.

    While Congress is issuing a clear, bold, and public rebuke of Russia, the Obama administration should covertly deliver a less diplomatic but chilling message. Rolling up known Russian intelligence infrastructure (both cyber and human), targeting Putin’s reportedly vast wealth and that of his cronies, and building up military forces in Russia’s near abroad should all be on the table. The goal of this campaign must be to achieve escalation dominance over Russia.

    Efforts to secure the voting system from cyberattack should no doubt continue. Investments in technology to protect these systems and make them more secure could reduce or remove the threat in future election cycles (blockchain holds some promise here). But in order for the United States to deter Russia, Russia needs to understand that the United States is willing to put more at risk to protect the sanctity of its elections than Russia is to disrupt them.
  • Germany
    Cyber Week in Review: August 26, 2016
    Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

    1. Further developments in the Shadow Brokers hack. Since an individual or group calling itself the "Shadow Brokers" posted hacking tools widely believed to have been created by the National Security Agency, there has been some speculation that an NSA insider, like Edward Snowden, was behind the leak, perhaps physically smuggling the tools out of the NSA on a flash drive. However, the evidence suggests that it’s more likely that a careless NSA operator left the tools on an unsecured NSA server, where the Shadow Brokers were able to find them by tracing back from a system the NSA had compromised. Researchers digging into the tools this week also found a script that would hide an attacker’s presence in Huawei firewalls, on top of the Cisco, Juniper, and Topsec exploits already discovered. Another group of researchers was able to update one of the leaked exploits, which appears to have been stolen in 2013 and targets older versions of Cisco’s ASA firewall, so that it works on a much more recent version. And according to a linguist, despite the bad English used in the Shadow Brokers’ online posting, it appears that the person who wrote the statement was a native English speaker who deliberately introduced errors.

    2. France and Germany not ready to concede the crypto wars. Meeting in Paris Tuesday, the interior ministers of the two countries discussed plans to regulate encryption in the fight against terrorism. They called on the European Commission to require so-called "over-the-top" telecommunications providers, like video, voice, and text chat apps such as Skype, WhatsApp, or Telegram, to maintain a capability to decrypt encrypted messages and turn over the communications of suspected terrorists to law enforcement authorities. The commission is currently considering extending existing privacy regulations, which stipulate how traditional telecoms handle customer data, to such over-the-top services. The ministers meeting in Paris cited recent terrorist attacks in Europe as the reason they need to access encrypted communications, despite it being unclear whether the perpetrators of the recent attacks actually used encrypted systems. Privacy advocates were quick to criticize the ministers’ proposal.

    3. WikiLeaks: good on transparency, not so good on privacy and security. According to a report by the Associated Press, WikiLeaks’ releases have included the personal information of several hundred people. While the website’s founders have said in the past that they have a "harm minimization policy" that aims to protect "legitimate secrets" in the documents they leak, such as medical records, it doesn’t seem that this policy was followed in recent leaks. The documents, most of which were released as part of a dump of Saudi Arabian foreign ministry files, include medical records of children, refugees, and individuals with psychiatric conditions. Other documents identify victims of sexual assault, couples going through divorces, and individuals who are deeply in debt. Separately, a Bulgarian security researcher announced last week that he’d discovered several hundred pieces of malware among documents released by the transparency organization.

    4. Journalists in Russia the target of hacks. According to CNN, journalists with the New York Times and other news agencies have been the target of cyberattacks by Russian intelligence agencies in recent months. The Times subsequently announced that its Moscow bureau was the target of an attempted hack, although a spokesperson for the paper said they had no evidence that any of their networks had been breached, and that they had not hired any outside firms to investigate the issue. Both outlets report that the Federal Bureau of Investigation is looking into the issue. While alarming in light of recent breaches of the networks of the Democratic National Committee, such attacks are old hat, both for the New York Times and for Russia. Russian intelligence services have long targeted domestic journalists with cyberattacks, and the New York Times’ networks were breached by Chinese hackers in 2013.
  • Europe and Eurasia
    Cyber Week in Review: August 19, 2016
    Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

    1. Release of NSA hacking tools raises questions about vulnerability disclosure. A group calling itself the “Shadow Brokers” posted hacking tools online last weekend that it claims were created by the Equation Group, a threat actor identified by Kaspersky Labs in 2015 and suspected of being the NSA. According to security experts, the claims appear to be legitimate, and the tools are based on major vulnerabilities in software from several major router manufacturers, including Cisco Systems and Juniper Networks. The source of the leaks isn’t clear: some speculate that an insider leaked the tools, while others have claimed that Russian state hackers stole them from an NSA staging server. Either way, it looks bad for the NSA, both because the Shadow Brokers claim to have more such tools, and because it raises questions about the extent to which the NSA actually discloses software vulnerabilities, as the White House claims it does.

    2. Guccifer 2.0 strikes again. Guccifer 2.0, a group of hackers believed to be Russian intelligence services, returned from a month-long hiatus last weekend, publishing the contact information of nearly two hundred legislators and congressional staffers. The group leaked a large amount of internal Democratic Party documents earlier this summer that it stole from Democratic National Committee (DNC) and Democratic Congressional Campaign Committee networks. WordPress, where the new documents were published, subsequently took them down, but not before the damage was done; individuals whose personal information was leaked suffered spearphishing attacks and harassing messages over the weekend. In response to the hacks, the DNC created an advisory board to improve the party’s cybersecurity, which was summarily mocked for not including any actual security experts.

    3. SWIFT long aware of security holes. According to a report from Reuters, SWIFT, a network that helps banks conduct cross-border transactions and which was central to the theft by hackers of $81 million from the central bank of Bangladesh earlier this year, had suspected for years that there were weaknesses in its system that might enable such an attack. Former employees say the organization simply did not consider security a priority. That’s changed now: earlier this week, SWIFT announced a new effort to increase security across its system. Meanwhile, Bangladesh Bank dropped plans to sue SWIFT and the Federal Reserve Bank of New York, which transferred the money to the hackers on orders that were spoofed to look like they’d come from Bangladesh Bank.

    4. Privacy Shield up and running. Privacy Shield, an agreement governing data transfers between the European Union and the United States, officially went live this week, with companies self-certifying that they are compliant with EU data protection laws. At the time of this writing, forty-two companies have successfully applied to be covered by the pact (a full list of covered firms can be found here). It may not last, however. Germany’s data protection authority (DPA), which oversees compliance with EU data law, announced earlier this month that it plans to challenge the legality of Safe Harbor in EU courts, arguing that the new agreement does not fix the problems that led the Court of Justice of the European Union to strike down Privacy Shield’s predecessor, Safe Harbor, late last year.
  • Cybersecurity
    Is Hacking Hillary Clinton Russian Payback for the "Freedom to Connect"?
    Allegations that the Russian government hacked the Democratic National Committee (DNC), Democratic Congressional Campaign Committee (DCCC), and the Hillary Clinton campaign have generated intense attention, especially concerning the implications of possible Russian efforts to use the fruits of cyber espionage to influence the U.S. election. Although Russia rejects the allegations, these hacks might constitute payback for Clinton and Democrats, who championed direct U.S. cyber support for opponents of authoritarian regimes during the Obama administration. China and Russia have long complained that the United States manipulates cyberspace to interfere in their domestic political affairs, and, under this perspective, airing the DNC’s digital dirty laundry through Wikileaks courtesy of Russian intelligence perhaps means turnabout is fair play.

    One of Clinton’s most well known speeches as Secretary of State was her remarks on internet freedom in January 2010. In this speech, Clinton described how cyberspace supported the “four freedoms” articulated by President Roosevelt in 1941. But she also asserted the emergence of a fifth freedom: “the freedom to connect—the idea that governments should not prevent people from connecting to the internet, to websites, or to each other.” Clinton placed the freedom to connect at the heart of the Obama administration’s conception of internet freedom. In policy terms, Clinton explained, the freedom to connect animated the administration’s efforts “to help individuals silenced by oppressive governments” in over forty countries, provide “new tools that enable citizens to exercise their rights of free expression by circumventing politically motivated censorship,” fund and train local political groups to use the internet effectively and safely, and make it clear to “nations that censor the internet . . . that our government is committed to helping promote internet freedom.” Clinton argued the internet provided the means for digital samizdat to overcome the “new information curtain . . . descending across much of the world” in the same way clandestine leaflets during the Cold War contributed to the fall of the Berlin Wall and Iron Curtain.

    For China, Russia, and other authoritarian governments, this rhetoric and agenda constituted a U.S. strategy to intervene in their domestic politics through cyber means. Such governments doubled down domestically and internationally on “internet sovereignty,” which has included efforts to increase government control over the internet and over the activities of foreign-supported organizations in cyberspace. As a result, the “internet freedom” versus “internet sovereignty” conflict has become ubiquitous in international cyber politics.

    The exquisitely timed release of DNC emails by Wikileaks, and the promise by Julian Assange of more DNC disclosures to come, has possibly added a new twist to this overarching conflict. Whether or not Russia is behind the leaks, it is not hard to imagine amusement in the Kremlin over U.S. politicians, especially Hillary Clinton, fretting over a foreign government’s exploitation of cyberspace to influence domestic politics in another country. Isn’t that what Clinton claimed the United States had a right to do in her speech on internet freedom, and what the Democrat-led Obama administration pursued? Is the DNC leak, and the hacking of the DCCC and the Clinton campaign, perhaps a message that other governments can also engage in cyber intervention into the domestic politics of foreign countries? And a message particularly for Clinton, the champion of U.S. cyber meddling in the domestic politics of other nations?

    Clinton and others associated with the internet freedom agenda would reject any equivalence between U.S. support to help political dissidents circumvent internet censorship and protect their communications from the surveillance of oppressive regimes and efforts by foreign governments to intervene in American democratic politics. But the internet sovereignty position rejects American perspectives on the relationship between cyberspace, human rights, and the principle of non-intervention in the domestic affairs of other countries. The legal and ideological differences among countries concerning cyberspace expand incentives for adversary states to exercise material power to shape the geopolitical agenda.

    These speculations, like others offered by experts, frame these hacks and the release of DNC emails in ways that reinforce the increasing political dangers countries face and the lack of global norms regulating cyberspace. The escalating risks and paucity of agreed norms help explain the growing prominence of coercion, retaliation, and deterrence in cybersecurity policies. Frequent calls for retaliation against Russia, if Russian involvement in the DNC leaks is sufficiently established, highlight these rising dangers, the entrenched disagreements about appropriate state behavior in cyberspace, and the growing desire to address cybersecurity threats through power politics.
  • Cybersecurity
    Blaming Russia For the DNC Hack Is Almost Too Easy
    Dr. Sandro Gaycken is the Director of the Digital Society Institute, a former hacktivist, and a strategic advisor to NATO, some German DAX companies, and the German government on cyber matters.

    The hack of the Democratic National Committee (DNC) definitely looks Russian. The evidence is compelling. The tools used in the incident appeared in previous cases of alleged Russian espionage, some of which appeared in the German Bundestag hack. The attackers, dubbed Cozy Bear and Fancy Bear, have been known for years and have long been rumored to have a Russian connection. Other indicators such as IP addresses, language and location settings in the documents’ metadata, and code compilation point to Russia. The Kremlin is also known to practice influence operations, and a leak before the Democrats’ convention fits that profile, as does laundering the information through a third party like Wikileaks. Finally, the cui bono makes sense as well; Russia may favor Donald Trump given his Putin-friendly statements and his views on NATO. Altogether, it looks like a clean-cut case.

    But before accusing a nuclear power like Russia of interfering in a U.S. election, these arguments should be thoroughly and skeptically scrutinized. A critical look exposes the significant flaws in the attribution. First, all of the technical evidence can be spoofed. Although some argue that spoofing the mound of uncovered evidence is too much work, it can easily be done by a small team of good attackers in three or four days. Second, the tools used by Cozy Bear appeared on the black market when they were first discovered years ago and have been recycled and used against many other targets, including against German industry. The reuse and fine-tuning of existing malware happens all the time. Third, the language, location settings, and compilation metadata can easily be altered by changing basic settings on the attacker’s computer in five minutes without the need of special knowledge. None of the technical evidence is convincing. It would only be convincing if the attackers used entirely novel, unique, and sophisticated tools with unmistakable indicators pointing to Russia, supported by human intelligence, not by malware analysis.

    The DNC attackers also had very poor, almost comical, operational security (OPSEC). State actors tend to have a quality assurance review when developing cyberattack tools to minimize the risk of discovery and leaving obvious crumbs behind. Russian intelligence services are especially good. They are highly capable, tactically and strategically agile, and rational. They ensure that offensive tools are tailored and proportionate to the signal they want to send, the possibility of disclosure and public perception, and the odds of escalation. The shoddy OPSEC just doesn’t fit what we know about Russian intelligence.

    The claim that Guccifer 2.0 is a Russian false flag operation may not hold up either. If Russia wanted to cover up the fact it had hacked the DNC, why create a pseudonym that could only attract more attention and publish emails? Dumping a trove of documents all at once is less valuable than cherry picking the most damaging information and strategically leaking it in a crafted and targeted fashion, as the FSB, SVR, or GRU have probably done in the past. Also, leaking to Wikileaks isn’t hard. They have a submission form.

    Given these arguments, blaming Russia is not a slam dunk. Why would a country with some of the best intelligence services in the world commit a whole series of really stupid mistakes in a highly sensitive operation? Why pick a target that has a strong chance of leading to escalatory activity when Russia is known to prefer incremental actions over drastic ones? Why go through the trouble of a false flag when doing nothing would have been arguably better? Lastly, how does Russia benefit from publicly backing Donald Trump given that Republicans have been skeptical of improving relations?

    The evidence and information in the public domain strongly suggest Russia was behind the DNC hack, even though Russian intelligence services would have had the choice of not making it so clear cut given what we know about their tools, tactics, procedures, and thinking. The DNC hack leads to at least four “what if” questions, each with its own significant policy consequences. First, if Russia had poor operational security and misjudged its target, it needs to be educated about the sensitivity of certain targets in its favorite adversary countries to avoid a repeat of this disaster. Second, if Russia deliberately hacked the DNC to leak confidential information, it would represent a strategic escalation on behalf of the Kremlin and the world would need to prepare for difficult times ahead. Third, if the breach and leak were perpetrated by a bunch of random activists using the pseudonym “Guccifer 2.0,” it would be the first instance of non-state actors succeeding in creating a global incident with severe strategic implications, demanding more control of such entities and a much better design of escalatory processes among nations. Finally, it is entirely possible that this was a false flag operation by an unknown third party to escalate tensions between nuclear superpowers. If this is the case, this party has to be uncovered.

    Despite the many “what ifs,” this incident is serious and requires a more thorough investigation and explanation than what is provided by a self-serving private sector IT-security industry and hobby cyber analysts.
  • Cybersecurity
    No, the White House Did Not Create a Color Coded Alert System for Cyber
    Yesterday, the White House released a new policy document on the management of cyber incident response. The document, Presidential Policy Directive (PPD) 41, captures over a decade of lessons learned on how federal agencies respond to cyber incidents. It is clear about what federal agencies will do (as well as what they will not do) and sets up a series of mechanisms for coordinating federal action with private companies. It fixes long-standing problems in Federal response policy, formalizing the “bubble chart” and creating unified coordination groups to coordinate with private entities and state and local governments based on what works for responding to real world disasters. Unfortunately, nobody cares because the White House also released a Cyber Incident Severity Schema that looks like the ill-fated and often-mocked color-coded Homeland Security Advisory System and the twitterverse is all abuzz. So, instead of getting into the importance of the new presidential policy, let’s take a minute to understand why the schema is not the homeland advisory system’s “spiritual successor for hacking.” Believe it or not, the federal government does every once in a great long while realize that something does not work and fixes it. The Obama administration eliminated the Homeland Security Advisory System because national alert levels simply were not useful. Raising the alert level to orange because of a bomb threat to the financial sector in New York would cause seaports on the West Coast to burn overtime for guard patrols. Recognizing this problem, the Department of Homeland Security (DHS) replaced it with the National Terrorism Advisory System to provide specific and actionable information to the public when such information exists. 
For cyber threats, there are already multiple similar systems used to convey government information to the public and to constituency groups including US-CERT alerts and joint intelligence bulletins from the Federal Bureau of Investigation (FBI) and DHS released to select groups. The Schema does not replace or augment these systems. All the Schema does is create a way to quickly convey the severity of an incident to senior government officials. The press statement and the Schema document are clear that it is for internal government use: “a common framework within the federal government for evaluating and assessing the severity of cyber incidents and will help identify significant cyber incidents to which the PPD’s coordination procedures would apply.” In government, I saw first-hand the need for this kind of easy to understand rating of an incident’s severity. A breaking headline on MSNBC can easily send an agency head into a tailspin. Conversely, practitioners who routinely deal with cyber incidents can become inured to cyber threats and not move quickly to respond. Being able to use a simple and easily understood level system is just a common sense thing to do when a dozen or more agencies need to be on the same page. I can guess that the team that developed the schema probably thought about ways to avoid using colors. I can almost guarantee that the White House debated not releasing it because they knew that the color-coding would be mocked. Yet in the end, they decided to do both because they were the right things to do. Nobody ever gets confused about whether green or red is worse in a color hierarchy (numbers can go either way—DEFCON 1 and a category 5 hurricane are both the highest in their respective fields). And even though it is quite possible the public may never see the category rating of a cyber incident, releasing the schema is in the public interest. It helps explains the context for the PPD. Private companies may want to adopt it. 
At a basic level, there is no reason to make the Electronic Frontier Foundation go through the process of a Freedom of Information Act request to get it.
  • United States
    Disclosure of DNC Emails: Was Russia Making Up for the Fact It Got Caught?
Alex Grigsby is the assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations.  Identifying the responsible party for a cyber incident is always a challenge. However, evidence has been piling up over the last few months that Russian intelligence services, and Russian military intelligence (GRU) in particular, are behind the hack of the Democratic National Committee’s (DNC) network and the email disclosures. Over at Motherboard, Thomas Rid does an excellent job laying out the case, but here’s a short timeline of events: the DNC’s network was hacked in April; in May, security company Crowdstrike investigates and points the finger at Russia, arguing that the DNC hackers used the same infrastructure, tools, and techniques as previously known Russian cyber espionage operations; a few days after the Crowdstrike accusation, someone called Guccifer 2.0 claims responsibility for the attacks, denying it was the Russians despite glaring holes in his story and evidence that Guccifer was in fact a Russian false flag operation; and two weeks ago, emails pilfered from the breach started getting leaked to the press, culminating with their posting on Wikileaks, for which Guccifer claims credit. There has been a lot of speculation as to Russia’s intent in publicly releasing the emails. Historically, Russian doctrine has put a premium on information warfare, where information is used as a weapon to spread disinformation and confusion. Online troll farms and the use of traditional media, such as Russia Today (RT), to spread a Kremlin-friendly narrative are obvious examples. David Sanger and Nicole Perlroth at the New York Times hint that the publication of the emails could be a deliberate Kremlin attempt to influence the election. Clinton campaign officials have been more direct, accusing the Russians of leaking the emails to help Republican candidate Donald Trump in the election.
Dave Aitel, a former National Security Agency employee, argues that Russia has crossed a red line. These narratives assume that the leak of the emails is a deliberate attempt by Russia to influence the outcome of the U.S. election in favor of Mr. Trump, as he is perceived to be more aligned with Russian interests. Although that may very well be true, there’s an alternative hypothesis worth considering: Russian intelligence services fumbled badly and tried to recover via the email disclosure. Any intelligence official will tell you that the computer networks of a political party are a legitimate foreign intelligence target. They provide insight on a candidate’s policy positions, donors, and networks. It is therefore no surprise that Russian state-sponsored actors targeted the DNC this presidential cycle, just as the Chinese did to then-Senator Obama and Senator John McCain’s campaigns in 2008. However, intelligence agencies are not supposed to get caught, and the Russian intelligence services did, then made a ham-fisted attempt to cover their tracks using Guccifer as a distraction. When that didn’t work, they probably considered their options, narrowing it down to a few choices: lay low and hope the issue blows over, or use lemons to make lemonade. It seems like they chose the latter option, deciding that attempting to undermine the Clinton campaign would at least reap some benefit from a blown cover. It’s always difficult, if not impossible, to truly identify the intent of foreign actors. And even though both hypotheses lead to the same effect, the intent behind the effect matters. It allows leaders to calibrate their responses and signal to their adversaries what will and will not be tolerated. The United States denounced and sanctioned North Korea because it clearly intended to stymie the release of a movie that made fun of the Hermit Kingdom’s leader, an affront to U.S. free speech values.
There will be pressure on the White House to respond to this latest incident, and there’s no doubt that it should respond to signal that actions have consequences. But a potential White House response to a classic intelligence collection operation gone awry looks very different from a response to a rational and calculated attempt to influence the U.S. election. In the first scenario, the Obama administration could release evidence (and burn intelligence assets in the process) to tie the Russians to the hack and signal to the Kremlin that it should rein in some of the aggressiveness of its intelligence services, much like it did with the Chinese in September 2015. This would allow the White House to convey its strong displeasure, while recognizing the email disclosure may not have been deliberate or sanctioned by the Kremlin. The second scenario would probably call for a much more forceful response, something on par with or worse than the measures the Obama administration took against North Korea, given that trying to alter an election is more egregious than trying to keep people from watching a movie. Possible options here could include sanctions, retaliatory covert action, and a temporary suspension of diplomatic cooperation. That would potentially jeopardize a number of non-cyber initiatives, such as efforts to contain the Syrian civil war, and strain an already terrible relationship. Additionally, Russia is not nearly as isolated as North Korea. Ratcheting up the pressure on Moscow is likely to have more serious knock-on effects than taking a hard line against Pyongyang. Assessing the Russians’ intent will be critical to shaping the Obama administration’s response. I hope that Russian bureaucratic ineptitude and a few overeager Russian intelligence officers explain the current mess.
If disclosing emails was the original goal of the DNC hack, it would be a significant escalation of Russian hostility in cyberspace, forcing policymakers and intelligence officials to rethink their approach to Russia.
  • Defense and Security
    Questioning Obama’s Drone Deaths Data
Months after promising to release the number of civilians that have been killed in U.S. lethal counterterrorism operations outside of "areas of active hostilities," the Obama Administration today released its count in a report from the Office of the Director of National Intelligence. According to the numbers provided, there were 473 "strikes" [presumably this includes both manned and unmanned aircraft conducted by both the CIA and the U.S. military] which killed between 2,372 and 2,581 combatants, and between 64 and 116 civilians. According to the numbers that we have provided since our Reforming U.S. Drone Strike Policies report in January 2013, the numbers of strikes in non-battlefield settings and fatalities of both combatants and civilians are much higher. As of today, there have been approximately 578 strikes—50 under George W. Bush, 528 under Obama—which have cumulatively killed an estimated 4,189 militants and 474 civilians. This information is fully presented in the chart below with the sources used.
    [Chart not reproduced here.] Sources: New America Foundation (NAF); Long War Journal (LWJ); The Bureau of Investigative Journalism (TBIJ). ** Based on averages within the ranges provided by the organizations monitoring each country as of July 1, 2016.
  • United States
    John Brennan on Transnational Threats to Global Security
    John O. Brennan discusses instability and transnational threats to global security.
  • United States
    Cyber Conflict After Stuxnet
The Cyber Conflict Studies Association (CCSA) recently published Cyber Conflict After Stuxnet: Essays from the Other Bank of the Rubicon. Stuxnet, of course, was the name given to the malware that was designed to damage the centrifuges at Natanz and thus slow down Iran’s nuclear program. The ability of digital code to produce physical effect had long been predicted and had been produced under controlled circumstances. With Stuxnet, it had happened “in the wild.” The Rubicon in the subtitle is a reference to a quote from General Michael Hayden, former director of the NSA and CIA, on the new era of international relations and national security that was emerging after the attack became publicly known: “Somebody has crossed the Rubicon. We’ve got a legion on the other side of the river now. I don’t want to pretend it’s the same effect, but in one sense at least, it’s August 1945.” In the book, Merritt Baer, Chris Demchak, Catherine Lotrionte, Tim Maurer, P.W. Singer, Timothy Thomas and several other cyber and regional specialists describe what this new territory might look like. Essays explore how Stuxnet has shaped domestic and international law; influenced the debate over Internet governance and confidence building measures; and provoked strategic responses from U.S. friends and allies as well as potential adversaries. While fully acknowledging the technical sophistication of Stuxnet, my introduction struggles with how radically different the other bank of the Rubicon is. Perhaps the most widespread but difficult to quantify impact of Stuxnet is the expansion of the “art of the possible.” While many would have speculated that a successful attack on industrial control systems was possible before Stuxnet, the digital assault on Natanz involved the creative and ambitious use of zero-days and new techniques in eye-opening and imagination-expanding ways. With creativity and enough resources, anything looks possible.
But what are the long-term implications for international relations? At the national level, countries have been turning their attention to the development of doctrine, policies, and institutions necessary for cyber offensive operations. They have also continued the process of deterring, defending against, and recovering from attacks. At the international level, discussions about norms and rules of the road are occurring at numerous multilateral, regional, and bilateral venues. I wonder, however, how much of this activity is motivated by Stuxnet and how much of it is a reaction to the unrelenting pace of all types of cyberattacks in general and the Edward Snowden revelations in particular? It is not that Stuxnet is not important; it is just not singular. I hope you have a chance to pick up the book, and you’ll let the CCSA and me know what you think of it.
  • Cybersecurity
    California’s Gangs Go Digital and Global
Robert Muggah is co-founder and research director of the SecDev Foundation and the Igarapé Institute. He is co-editor of a new volume entitled Open Empowerment: From Digital Protest to Cyberwar that focuses on the evolution of digital crime in the Americas. Julian Way is a lead analyst at the SecDev Group and research fellow at the SecDev Foundation.  Around the world, social media is being colonized not just by extremist groups like the so-called Islamic State but also by cartels, gangs and crime syndicates. Cyberspace is offering up new ways for gangsters to fleece unsuspecting victims and coordinate their operations. There is growing awareness of how gangs are using social media to intimidate rivals, recruit members and sell drugs in Brazil, El Salvador and Mexico. But the threat from digital gangs is closer to home than you might think. California—and San Diego in particular—is now considered by U.S. law enforcement experts to be a kind of gangland ground zero. The city is currently home to at least 91 gangs straddling more than a dozen ethnic groups. San Diego’s police force has documented over 7,500 members of 158 gangs spread across the county. San Diego’s gangs are amplifying their power and prestige in cyberspace. Some gangs have signaled partnerships with affiliates in Los Angeles, Atlanta, Chicago, Houston, New York, Phoenix and Washington, DC. Others have expressed global ambitions, using the internet to expand their operations from the southern U.S.-Mexico border to Guatemala, El Salvador, Colombia, Uruguay and Argentina. Our research shows cyberspace can also create strange bedfellows, as some San Diego groups collaborate with competitors such as Black Disciples (Chicago), Cosa Nostra (United States and Italy), GS9 (New York), Los Negros, and the Medellín Cartel. It is also facilitating new kinds of digital collusion.
For example, the Sinaloa Cartel and some of its affiliates are using social media and encrypted messaging services to coordinate offline operations. Getting an accurate picture of how gangs operate online is challenging. Take the case of “El Gallito”, or Little Rooster, one of thousands of digital gangsters who maintain a public profile on Facebook and Twitter. Rooster claims to be connected to the Sinaloa Cartel’s notorious Gente Nueva gang, or Los Chapos (with 118,000 Twitter followers of their own). He publicly boasts of connections to Los Antrax—a group of assassins. Such is Rooster’s sense of impunity that he geo-tagged his personal profile to sites in Sinaloa, Sonora and Mexico City. Of course, Rooster can also delete or falsify his profile at the click of a mouse. There’s a chance that he may not exist at all. Virtual thugs like Rooster are popping up across Mexico and the United States and using all manner of digital tools—increasingly encrypted messenger services like WhatsApp, Telegram and many others—to coordinate their activities and warn associates when they suspect police are nearby. They routinely turn to Facebook and Twitter to intimidate rivals, recruit members and traffic in drugs and people. Many of them are involved in "cyber-banging" and "cyber-tagging". Local law enforcement is taking notice, with some surveilling online platforms to disrupt gang networks. One way to disrupt gang activity is by mapping and decoding their digital interactions. This requires learning their gang slang. Online interactions between gang members rarely involve fully formed sentences. Instead, they are conducted in codes that involve written text interspersed with emoticons, hashtags, numbers, special characters, photos, video, and music clips. Think of these codes as the gang’s shibboleth separating “in-group” members from “out-group” pretenders.
Law enforcement agencies across the United States are expanding their capacities to police cyberspace and take on the growing threat posed by digital gangs and cybercrime. A 2015 survey of U.S. law enforcement’s use of social media found that over 95 percent of the 600 police departments surveyed are already using social media to fight crime. The majority—over 85 percent—reported that social media had helped solve crime in their jurisdictions. Cities like Chicago, Detroit, and New York, long experienced with gangs, are very much on the virtual frontline. Yet police are still playing catch-up when it comes to tracking the digital footprint of gangs. Some of them are using digital forensics tools to understand their social networks, but skills are still rudimentary. California’s Attorney General Kamala Harris argues that the private sector is much further along in defending against high-tech threats and that it should be mobilized to support the public authorities. Part of the solution to fighting the threat from digital gangs might reside in California itself, home of the world’s largest technology and social media start-ups. While wary of being too invasive of privacy, Facebook, Google, IBM, Twitter and YouTube are all developing new approaches to track both extremist and gang-related activities. Bringing law enforcement and tech companies together will not be easy given recent spats over encryption and the Edward Snowden disclosures. But in this new struggle, such partnerships will be essential. Since 2015, the U.S. government has stepped up its engagement with tech companies and community groups to target online radicalization and extremism. The focus, however, is still very much on countering actual and would-be terrorists—either of the religious or extreme right-wing variety. The White House also established a task force to coordinate activities, setting up a global engagement center to counter extremism online and off.
The intent is to amplify positive messages rather than those based narrowly on fear. For its part, Facebook already bans terrorist groups from its platform and routinely removes offensive content. It also offers assistance for “counter-speech”, including up to $1,000 in ad credits to those joining the effort, and has agreed, along with other U.S. tech firms, to delete hate speech on German sites within twenty-four hours. Meanwhile, Google tries to control the dissemination of extremist ISIS videos, removing many of them from its YouTube service. The company also launched a new pilot scheme to harness AdWords to display anti-extremist messages for those seeking extremist content through its search engine. In the face of public pressure, Twitter has eliminated more than 125,000 accounts since 2015 for “promoting terrorist acts” and involvement in organized crime. It also launched a Trust and Safety Council that monitors social media and proactively deletes abusive content. Taken together, these efforts are starting to negatively impact the ability of extremist groups to reach out across social networks and remotely recruit individuals to their cause. They are admittedly more focused on Islamist terrorist groups than gangsters in Mexico and the United States. Given the scale of the challenges in Southern California, the focus on foreign terrorism seems short-sighted. The most pressing priority is containing gang activities on both sides of the border and in cyberspace.
  • United Kingdom
    Cyber Week in Review: June 10, 2016
Here is a quick round-up of this week’s technology headlines and related stories you may have missed:
    1. The IANA transition is approved! The National Telecommunications and Information Administration (NTIA), an arm of the U.S. Department of Commerce, approved the proposal to transition the U.S. government’s stewardship role over the domain name system to the multistakeholder internet community. The NTIA determined that the plan meets the criteria that it set out when it announced its intent to relinquish its oversight over some of the internet’s technical infrastructure, namely that it supports the multistakeholder model, maintains the stability of the domain name system, and does not replace U.S. government oversight with UN or multilateral institution oversight. Absent any last-minute Cruz missiles to blow up the plan, the multistakeholder internet community will take control of the IANA functions in September. If you want any more information on why the transition plan is important, check out Net Politics’ Rob Knake’s post.
    2. The Federal Bureau of Investigation (FBI) defends not encrypting evidence collected in the Playpen case. The FBI‘s investigation into Playpen—a child porn website—is revealing interesting information about its use of network investigative techniques (NIT) to monitor suspects’ online activities. The FBI installed malware on the Playpen website to identify its users, and relayed that information in an unencrypted format to FBI servers. In sworn testimony, the Bureau justified the practice by emphasizing that it was the only way defendants could confirm that the data collected fell within the scope of its search warrant. Critics were not convinced. American Civil Liberties Union Principal Technologist Chris Soghoian compared the absence of encryption to the FBI collecting evidence and putting it in a ziploc bag, instead of "a signed, sealed evidence bag." This case comes at a time when some are suggesting that the FBI rely more on NITs—also known as “lawful hacking”—as a potential solution to law enforcement’s concern that greater use of encryption will hinder its ability to investigate crimes.
    3. UK House of Commons passes “Snooper’s Charter” after concessions. Last Tuesday, the UK House of Commons passed the Investigatory Powers Bill by a landslide 444-69. The bill would expand law enforcement and intelligence agencies’ bulk data collection and retention capacities. Dubbed the “Snooper’s Charter”, it has been criticized as a legalization of the Government Communications Headquarters’ (GCHQ) covert surveillance revealed by Edward Snowden in 2013. The bill earned the Labour Party’s crucial support following Home Secretary Theresa May’s concessions on the protection of journalists, surveillance of MPs, and exceptional use of bulk personal datasets. The scope of the bill has also opened the door to questions concerning encryption backdoors and the role of tech corporations in protecting privacy and assisting the government. Having passed the House of Commons, the draft bill will now go to the House of Lords for further debate.
    4. Obama and Modi commit to plans for an open internet. President Obama and Indian Prime Minister Narendra Modi met at the White House on Tuesday to discuss near-term bilateral initiatives for an open and interoperable cyberspace. Their framework agreement is in line with a continued effort by the two countries to enhance cybersecurity cooperation. The new framework seeks to “promote cooperation between law enforcement agencies to combat cybercrime including through training workshops, enhancing dialogue and processes and procedures," and will rely on “Sharing information on a real time or near real time basis, when practical and consistent with existing bilateral arrangements.”
  • Military Operations
    What Clinton’s E-mails Reveal About Her Support for CIA Drone Strikes
A revelation today about Hillary Clinton’s use of a private email server during her time as Secretary of State may indicate her preference for using military force over diplomatic considerations. It has been known since January that the content of twenty-two emails that went through the private server was classified at the “top secret/SAP [special access programs]” level, referring to highly classified intelligence gathering or covert programs run by the Pentagon and CIA. At the time, Clinton told NPR, "the best we can determine" is that the emails in question consisted solely of a news article about drone strikes in Pakistan. As Clinton stated: "How a New York Times public article that goes around the world could be in any way viewed as classified, or the fact that it would be sent to other people off of the New York Times site, I think, is one of the difficulties that people have in understanding what this is about.” Today, Adam Entous and Devlin Barrett reported that the e-mails were not merely forwarded news articles, but consisted of informal discussions between Clinton’s senior aides about whether to oppose upcoming CIA drone strikes in Pakistan. According to Entous and Barrett, when a potential strike was imminent—or if it occurred during the holidays when staffers were away from government computers—the covert operation was then debated openly, albeit vaguely, without mentioning the CIA, drones, or the militant targets specifically. The State Department was given a voice in the intensity and timing of CIA drone strikes in Pakistan after then-Ambassador Cameron Munter reportedly opposed certain covert operations that occurred during especially sensitive points in the U.S.-Pakistani bilateral relationship, or when domestic opposition to the strikes was at its highest. As he later described this process: “I have a yellow card,” Munter recalled, describing the new policy. “I can say ‘no.’ That ‘no’ goes back to the CIA director. Then he has to go to Hillary.
If Hillary says ‘no,’ he can still do it, but he has to explain the next day in writing why.” It was after Munter raised objections to drone strikes that Sec. Clinton and her aides would debate the merits of them, including through emails that were forwarded to Clinton’s private account. Entous and Barrett’s reporting includes this critical passage: “With the compromise, State Department-CIA tensions began to subside. Only once or twice during Mrs. Clinton’s tenure at State did U.S. diplomats object to a planned CIA strike, according to congressional and law-enforcement officials familiar with the emails.” During Clinton’s tenure between January 2009 and February 2013, the CIA conducted 294 drone strikes that killed 2,192 people, 226 of whom were civilians. (For the data see here, which is based on averages within the ranges provided by the New America Foundation, Long War Journal, and The Bureau of Investigative Journalism.) In other words, of the 294 CIA drone strikes in Pakistan, Clinton’s State Department objected to fewer than one percent of them. If elected to the White House, would she similarly prioritize CIA counterterrorism operations over the concerns of senior U.S. diplomats? The evidence from her time as Secretary of State suggests that the answer is overwhelmingly “yes.”