By then, it was too late. The Russians had already moved on to stealing the emails of the officials of the Clinton campaign itself.
Clinton had set up shop in Brooklyn and had a lot more money than the DNC. Remembering that Chinese hackers had broken into both Obama’s and John McCain’s 2008 campaigns, the Clinton team brought in some serious cybersecurity expertise. The result was that the campaign’s own networks repelled several attacks, none of them wildly sophisticated. But the Russian hackers had a bigger game in mind: personal email accounts, where people tend to put complaints about the boss, their worries, and their contemplation of future personnel moves, along with documents that they don’t want on a corporate network.
Top of the Russians’ list was Clinton’s campaign chairman, the taut, wiry John Podesta. There was no better-connected Washington insider. He had served as Bill Clinton’s chief of staff. He had organized many campaigns. And he had deep, substantive knowledge on everything from climate change to cyber privacy—a topic on which he produced a report before leaving the Obama White House in 2015.
His familiarity with all things digital didn’t help him much on March 19, 2016. That was the day a fake message, ostensibly from Google, showed up in his personal inbox. It warned him that someone was trying to break into his personal account. As it turned out, this phishing email came not from the Dukes but from a new team of Russian-affiliated hackers. The group succeeded with a similar phishing message to campaign aide Billy Rinehart, but Podesta was a far richer target.
Because Podesta was so focused on fund-raising and message-sharpening for the Clinton campaign, a handful of his aides managed his email for him. When the spear-phishing email arrived, declaring that he had to change his password, it was sent to a computer technician for a judgment on its legitimacy.
“This is a legitimate email,” Charles Delavan, a Clinton campaign aide, replied to his colleague—the aide who had first noticed the phony alert. “John needs to change his password immediately.” Delavan later told my Times colleagues that his bad advice was a result of a typo: He knew this was a phishing attack because the campaign was getting dozens of them. He meant to type that it was an “illegitimate” email, an error that he said has haunted him since.
And so, the password was changed immediately. Suddenly the Russians obtained access to sixty thousand emails, stretching back a decade.
CHAPTER IX
WARNING FROM THE COTSWOLDS
Russia talk is FAKE NEWS put out by the Dems, and played up by the media, in order to mask the big election defeat and the illegal leaks!
—@realDonaldTrump, February 26, 2017
I never said Russia did not meddle in the election, I said “it may be Russia, or China or another country or group, or it may be a 400 pound genius sitting in bed and playing with his computer.” The Russian “hoax” was that the Trump campaign colluded with Russia—it never did!
—@realDonaldTrump, February 18, 2018
In the spring of 2016, Robert Hannigan was eighteen months into his job as director of GCHQ—Britain’s equivalent to the NSA—and he was getting accustomed to the rituals of the job. His past service to the government had been radically different: seeking peace in Northern Ireland under Prime Minister Tony Blair and adjudicating among bitterly competing British intelligence agencies at 10 Downing Street. But then he had been sent to one of those agencies, the Government Communications Headquarters, the blandly named bureaucracy that was still living off its reputation as the agency of brilliant oddballs who had cracked the German codes with the Enigma machine during World War II, and saved Britain.
Hannigan’s job was to bring GCHQ into the twenty-first century, the century of cyber conflict. Past heads of GCHQ barely communicated with the public, but on his first day on the job Hannigan took a direct shot at Silicon Valley firms in a column in the Financial Times. “However much they may dislike it,” he wrote, “they have become the command-and-control networks of choice for terrorists and criminals,” and must learn how to cooperate with the intelligence agencies of the Western democracies. Yet once he settled into the job, he found a player who worried him more than Facebook and Google: Vladimir Putin.
Hannigan thought Putin was causing a “disproportionate amount of mayhem in cyberspace.” His staff of thousands of code breakers, signal-intelligence officers, and cyber defenders had soon learned to place the raw evidence of that mayhem atop the pile of intelligence they brought him each day, culled from their own piles of intercepted computer messages and phone calls.
On this particular day, around Easter in 2016, a series of messages plucked out of the Russian networks stood out.
In the inartful terminology of the digital world, it was mostly “metadata,” Hannigan’s staff told him. To Hannigan’s frustration, he could not see its actual content. But it was clear that the traffic was controlled by one of Russia’s premier intelligence agencies, the GRU, the aggressive military intelligence unit whose activities GCHQ tried to monitor around the clock.
What struck Hannigan, though, was where the messages appeared to have originated: the computer servers of the Democratic National Committee.
* * *
—
When Hannigan sorted through the message traffic, pausing to examine what would turn out to be a historic intelligence intercept, he was deep inside “The Doughnut,” the Brits’ affectionate name for the bizarre, round Cheltenham headquarters of GCHQ. From the air, the building actually looked more like a spaceship, as if aliens had decided to drop in on the quaint pubs of the Cotswolds: Stow-on-the-Wold and Bourton-on-the-Water, the Shakespearean-era villages just down the road. The Doughnut’s design was very Silicon Valley; once inside the secure zone, everyone worked in the open, cross-pollinating ideas.
Of the thousands of communications GCHQ intercepted every week or so, more and more from Russia were pulled out and placed atop the daily pile on Hannigan’s desk. Like the CIA and NSA, British intelligence agencies had been surprised by the speed and stealth of Putin’s annexation of Crimea in 2014. NATO nations were worried enough about stepped-up Russian bomber and submarine runs along the European coast—something they had not seen since Soviet days—that they had to devote more resources to tracking them all.
“We had gotten pretty complacent about Russia,” one of Hannigan’s national security colleagues told me. “There was still this overhang from the ’90s that somehow the Russians would come to their senses and join the West and become our economic partners. Even when they attacked Georgia in 2008, people shrugged it off. It took a long time for reality to set in.”
The Baltic states on Russia’s edge now appeared, in the British official’s words, a “vulnerable gray zone” that Putin would seek to destabilize. Soon after arriving at GCHQ at the end of 2014, Hannigan began pressing for more intercepts, more “implants” in the networks to which Britain had unique access, one of the last benefits of a dismantled British Empire. Every day came a torrent of new material: messages fleshing out Russia’s support for the Syrian government of Bashar al-Assad, its maneuvers off Finland, its submarine runs.
To Hannigan, it was all new and fascinating. His background wasn’t in intelligence; it was in the intersection of politics and national security. At first glance, he was easily mistaken for the very model of the polished British bureaucrat: buttoned down, with the perfect pedigree for a job that was all about discretion. To one of his aides inside the Doughnut, Hannigan’s best attribute was a “puckish sense of humor about the ridiculousness of much of what we do in the intelligence business.”
Though Hannigan was no intelligence professional, he was put atop GCHQ because David Cameron, the prime minister, had come to rely on his judgment after years at 10 Downing Street. Already, Hannigan had broken a lot of china at the hidebound and overly secretive agency. The agency was born after World War I as the “Government Code and Cypher School,” which pretty
well defined its role in the twentieth century. Hannigan was born twenty years after World War II had ended, and it was his job to push GCHQ to figure out its role in the cyber age. It had survived since the glory days of Enigma at Bletchley Park, decoding messages and intercepting calls, but in a new era when defense and offense had blended, merely intercepting conversations was not enough.
So Hannigan began reorganizing GCHQ’s structure and moving it beyond its roots in signals intelligence. He realized that, like the NSA, GCHQ needed to up its game in cyber skills—specifically “network exploitation” and “network attack.” Month by month, Hannigan tried to push the agency into the future. On his watch, GCHQ scraped ISIS recruiting messages off their servers around the world. Hannigan particularly enjoyed seeing transcripts of ISIS cyber lieutenants fuming that they could not get into their own recruiting and communications channels.
Cheltenham, on the edge of the Cotswolds, is a place of splendid isolation, and with his family remaining in London, Hannigan had plenty of time to dig deep on the Russia intercepts. The one containing DNC data was a particular mystery.
“It didn’t tell us much,” he recalled. “It told us there was an intrusion, and something had been taken out of the committee. But I had no way of knowing what.”
As Hannigan looked at the intercepted Russian communications from the DNC, it was his sense of history that made them stand out. He was only seven years old when the Watergate scandal broke, barely aware of the headlines from across the Atlantic. But he had become enough of a student of history and politics at university to immediately grasp the import of what the Russians seemed to be doing. “The DNC meant something to me,” he said. “And it was an odd target.”
It was unclear what they were looking for. The DNC wasn’t a place to get military secrets, or even much policy. It was essentially a place to redistribute cash to campaigns. The goal was a mystery.
Hannigan thought his American counterparts needed to see these intercepts, and fast. He looked at them once more and asked his staff to be sure to flag them for the National Security Agency. This shouldn’t get lost in the daily pile, he told them. This was sensitive stuff, and his American counterpart, Admiral Rogers, and his colleagues at the NSA, needed to know about it.
A few weeks later, Hannigan recalled, he received an acknowledgment “from someone senior” on Rogers’s NSA staff. They appreciated the heads-up.
It was the last he heard from them about it.
* * *
—
Inside the NSA, officials hint that they already had a pretty good idea of what the Russians were up to at the DNC, and they say the British were not the only foreign intelligence service to see evidence of the hack. But they were the most important, and that should not be surprising. For reasons of history, geography, and faded empire, GCHQ’s access to the networks that feed into and out of western Russia are among the best of the “Five Eyes”—the five English-speaking victors of World War II who share the burden of intelligence gathering and most of what they harvest.*
Hannigan describes the Five Eyes as more of a club than a tightly run organization. It was, he said, a “signals intelligence creation dating from World War II, when Roosevelt and Churchill took a political decision to share their most sensitive cryptological secrets.”
“I think Americans would be surprised by how many British experts we keep at the NSA,” one senior British official with deep experience said to me a few years before the Russia investigation broke. “And I know the British would be surprised how many Americans are deep in our system.”
In fact, the tie between the NSA and GCHQ was so tight that each placed its own officers in the other’s headquarters, so they were partners rather than anonymous analysts on each end of the line. Snowden documents revealed that in Bude, on the southwest coast of Britain, there were 300 GCHQ analysts and 250 Americans in 2012, working on two projects—“Mastering the Internet” and “Global Telecoms Exploitation”—that picked up terabytes of Facebook entries, emails, phone calls, Google Maps searches, and histories of who visited what websites, and when. It was all legal, the British maintained after the operation was revealed, but the analysis section was based in Britain for a reason: there was more legal leeway than in the United States.
For obvious reasons, no one will be very precise about how the British picked up the traffic that led back to the DNC. But there are several clues. The Snowden documents reveal that GCHQ was plugged into two hundred fiber-optic cables, and could process information from forty-six of them simultaneously. That is quite a feat, since cable traffic runs at ten gigabits per second. The content of that traffic is mostly encrypted. But the British were able to pick up the metadata.
British access to the cables came courtesy of two leaders who were quite definitely of a pre-cyber age: Queen Victoria and President James Buchanan. When HMS Agamemnon and the USS Niagara met in the mid-Atlantic in 1858 to splice together the first copper cable, the queen and the beleaguered president used the new undersea line to transmit telegrams to each other. Britain then became the critical hub—the “termination point”—for even more cables laid across Europe and into Russia. “Termination points” are where the cables come ashore. And in both the United States and Britain, the intelligence agencies paid “intercept partners”—like AT&T and British Telecom—to keep teams of technicians at the termination site to mine and hand over data. The whole arrangement is ruled by court orders on both sides, kept secret to avoid blowback for the firms. Post-Snowden, the rules governing the system got a lot stricter. But the intelligence was also getting more valuable.
One hundred and sixty years later, the copper cables have been replaced by fiber-optic cables, which are more durable, higher-capacity, and harder to tap, and more than 95 percent of network traffic moves through them. One termination point in Cyprus, leaked documents showed a few years ago, has long been a particular bonanza for intelligence agencies. So has another in Asia, not far from North Korea. When Gen. Keith Alexander, then the head of the NSA, visited the Menwith Hill Station in Yorkshire in 2008, he asked, “Why can’t we collect all the signals all the time? Sounds like a good summer project for Menwith.”
He could have said something similar at other listening posts around the world, which are divided up for monitoring among the Five Eyes. While the Brits focus on Europe, the Middle East, and western Russia, the Australians monitor East Asia and South Asia—which is why operations in Afghanistan are often run out of Pine Gap, in the Australian desert. New Zealand owns the digital traffic in the South Pacific and Southeast Asia. Canada peers deep into Russia and covers Latin America. The United States, with huge collection budgets, looks at hot spots, starting with China, Russia, Africa, and parts of the Middle East. Naturally, such monitoring is a subject officials in each of those countries won’t discuss openly, even years after the Snowden revelations.
One reason is that these termination points are no longer just a place to plug in headphones. They have become a way to inject implants—malware—into foreign networks. “Once they were all about defense,” a telecommunications expert told me. “Today, they are also about offense.”
They are also a huge risk, as the steady flow of global communication depends on them. If six or so termination points were blown up or seized, information flow in the United States would slow to a trickle. Phone conversations would halt, markets would be disabled, news would stop. “It’s a tremendous vulnerability,” one British official told me. “And a great opportunity.”
So it was no surprise that Facebook and Google started laying their own cables.
* * *
—
It was a sign of the Russian hackers’ professionalism that they did not rush the stolen Podesta emails into public view after they obtained them in March 2016. Instead, they took their time sorting through the material, looking carefully at what might be especially valuable, such as Clint
on’s speeches to Goldman Sachs. She had refused to reveal the texts publicly, but here they were, in the stolen trove. (It turned out the speeches sounded a lot like the ones she used to give for free when she was Secretary of State.) The Russian strategy was one of patience: there would be a moment to reveal the contents of the emails, when they could do maximum damage.
At the DNC, Yared Tamene still saw no reason to be alarmed. He wrote in a memo on April 18 that a “robust set of monitoring tools” had finally been installed at the DNC—in other words, they had decided to pay for a burglar alarm.
Only later in April did Tamene, using those new tools, find evidence that someone had stolen credentials giving them access to all of the DNC’s files. He called the DNC’s chief executive, Amy Dacey, with news that there had been a major, recent breach and the DNC had probably lost most of its files—far more than they ever lost in the Watergate break-in.
Belatedly, panic set in.
* * *
—
Far from Washington, another element of the Russian enterprise was playing out in Texas, Florida, and New York—all in plain sight.
While Russian intelligence agencies were hiring hackers to break into the DNC, the trolls and bot creators at the Internet Research Agency in Saint Petersburg were kicking into overtime. Paychecks had risen to $1,400 a week, a small fortune by Russian standards, especially for twentysomethings. In return, they worked twelve-hour shifts, churning out Facebook posts that hit on themes conveyed to them by email. On one floor, Russian-language trolls fought off opposition to Vladimir Putin. On another floor, they looked for any divisive issue in American society where a wedge could be driven via the Internet, to widen the natural fault lines in American politics and society.
The Perfect Weapon Page 23
