“Let’s just say I didn’t hear much enthusiasm,” he told me when I went to see him with my colleague Charlie Savage at the old naval base that serves as the department’s headquarters and emergency operations center. The secretary of state of Georgia, Brian Kemp, told Johnson that he was certain the so-called evidence of hacking was a pretext for the federal government to try to take over the state-run election systems. (Kemp later accused the Department of Homeland Security of hacking into his state’s systems to scan them for vulnerabilities and left the impression that it was Washington, not Moscow, that most worried him.)
During our interview, Johnson never uttered the word “Russia,” even though we all knew who was responsible for the effort to break into the voter registration lists. He was still forbidden, at that moment, from saying the obvious, because the obvious was still treated as classified information. Yet Johnson’s evidence was mounting. In June, Arizona officials discovered that the passwords that belonged to an election official had been stolen, and they feared that a hacker using them could get inside the registration system. They took the registration database offline for ten days to conduct a forensic analysis of whether data had been changed. In Illinois, there was a deeper panic: the registration system was pierced and voter information siphoned off. The forensics suggested the hack was engineered by known Russian groups. Inside Johnson’s homeland-security headquarters, the cyber teams worried that once hackers got into a registration system, they could change Social Security numbers or delete voters from the rolls.
“That’s all it would have taken to create chaos on Election Day,” one senior White House official told me. “You didn’t have to change much.” Few said so at the time, but months after the election Homeland Security said it had seen evidence of similar probes into the systems of roughly three dozen other states. No one would say why they did not reveal that information at the time.
The fears, while rampant, were still based on conjecture: Russian hackers had essentially been caught scouting the systems, but not changing anything. And because none of the state officials had security clearances, Johnson’s phone call, from a vacation spot in the Adirondacks, was a failure. He had been prohibited from providing the state officials with any specifics. The classification rules—presumably intended to keep the Russians from learning that their activities were being watched—impeded Johnson’s ability to make his case. Once again, the reflexive assumption that all evidence of cyberattacks had to be kept highly classified cost America dearly.
To make matters worse, Johnson never detailed the evidence that overwhelmingly suggested Russia was behind the probes into the voting system. A written FBI warning to the states said only that information had been “exfiltrated” from Arizona’s system, but it did not indicate where that information was headed. Because the doubts of other intelligence agencies had not yet been resolved, the official position of the US government was to make no accusations about who was behind the hacking. “It was the worst, most vague briefing I’ve ever heard a government official conduct,” one official said of the call. “It wasn’t Jeh’s fault—he was following the rules. But he could provide no evidence.” James Clapper ran into a similar problem: he had seen all the evidence but told me that summer he could “make no calls on attribution” until the disparate assessments of the intelligence agencies came into line. His caution was understandable. But it was also costly: the intelligence agency’s paranoia about protecting sources and methods got in the way of warning the targets of the hacks—the election commissions in fifty states—that one of the world’s most cyber-savvy nations had them in its sights.
Brennan, meanwhile, had quietly assembled a task force of CIA, NSA, and FBI experts to sort through the evidence. And as his sense of alarm increased, he decided that he needed to personally brief the Senate and House leadership about the Russian infiltrations. It was not an easy task: Most of the leaders were scattered around the country, away from secure phones. One by one he got to them; they had security clearances, so he could paint a picture of Russia’s efforts with details that Johnson was forbidden from mentioning.
After Harry Reid, the Senate Democratic leader, received his briefing via a secure phone in Las Vegas, he was agitated and fearful that the government was under-responding to the threat. Perhaps because I had been writing on the subject through the summer, he called me in Vermont, where I was failing in an effort to take a last few days of vacation before the election entered its final phase. He had just received a lengthy briefing from a “senior intelligence official,” he told me; there was little doubt in my mind that it was Brennan, since he had been so fixated on the Russia issue in recent weeks. Reid would not offer the details of what he had been told, because they were classified, to his obvious frustration. But he did provide his takeaway: “Putin is trying to steal this election,” he told me. Ever the vote counter, he argued that if Russia concentrated on “less than six” swing states, it could alter the outcome.
* * *
—
Clearly, Vladimir Putin would have to be confronted about the evidence from the DNC and the probes on the state election systems. The debate was over how to do it.
Obama’s first rule of foreign policy, described to my colleague Mark Landler and others on Air Force One during a trip to Asia, was straightforward: “Don’t do stupid shit.” (He made the reporters repeat it in unison.) As a caution, it wasn’t bad; a lot of the worst moves in American foreign policy in the previous two decades had begun with stupid-shit decisions. But as a principle for dealing with Vladimir Putin, it didn’t offer much detailed guidance. Antony Blinken, the deputy secretary of state, put it succinctly: Since no one really understood if the Russians had planted code in the election systems—a booby trap that could be triggered on November 8—the cautious approach was to proceed slowly. “You never want to start a contest like this unless you have a reasonable assessment of where it will end up,” Blinken told me. Brennan voiced the concern only slightly differently: No one wanted “an escalatory cycle in the middle of a presidential campaign.”
Obama was particularly concerned about appearing partisan—or, by making public declarations about Russia’s actions, playing into Putin’s hands by conceding, before a single ballot was cast, that the election had been compromised. So the White House developed a two-part plan: get the leaders of Congress, Democrats and Republicans, to issue a joint statement condemning Russia’s actions, and then have Obama confront Putin at a summit meeting they were both planning to attend in early September.
Obama dispatched Lisa Monaco, along with James Comey, the FBI director, and Jeh Johnson, to Capitol Hill to explain how the federal government was prepared to help the states.
As soon as they got into the session with twelve congressional leaders, led by Mitch McConnell, it went bad. “It devolved into a partisan debate,” Monaco later told me. “McConnell simply disbelieved what we were telling him.” He chastised the intelligence officials for buying into what he claimed was Obama administration spin, recalled one of the other senators present. Comey tried to make the point that Russia had engaged in this kind of activity before, but this time it was on a far broader scale. The argument made no difference. It became clear that McConnell would not sign on to any statement blaming the Russians.
“It was one of the most dispiriting days I ever had in government,” Monaco concluded. A subsequent, smaller session that Obama held in the Oval Office did not end much better.
Obama’s summit meeting with Putin, on September 5, was planned as the showdown. As they entered the ninety-minute session in Hangzhou, there were none of the forced pleasantries that usually begin such sessions: Knowing cameras were trained on them, they stared each other down like two sumo wrestlers waiting for the signal to begin combat. Then they headed into a one-on-one discussion. The accounts of how strongly Obama threatened Putin depend on who was telling the story. But his essential warning was that
the United States had the power to destroy the Russian economy by cutting off its transactions—and would use that power if American officials believed Russia interceded in the election.
Obama emerged from the session wondering aloud whether Putin was content to live with a “constant, low-grade conflict.” He was specifically referring to Ukraine, but he could have been talking about any of the arenas in which Putin relished his role as a great disrupter. It seemed clear that to Putin, constant, low-grade conflict was just fine; it was the only affordable way to restore Russia’s eminence on the global stage. “It shouldn’t come as a big shock to people,” James Clapper, the rare Cold War veteran in Obama’s top ranks, said after the Putin meeting. “I think it’s more dramatic maybe because now they have the cyber tools.”
The administration continued to envelop its debates in great secrecy. The video feeds of meetings at the National Security Council were shut off, much as they were during the run-up to the bin Laden raid. Susan Rice kept tight control of who knew the meetings were happening; always worried about leaks, she feared in this case that they would force Obama’s hand.
Only long after the election was over were officials willing to explain the full reason for the switched-off video and the secrecy. In fact, the president’s top advisers had received a detailed plan from the National Security Agency and Cyber Command about possible retaliatory strikes against Russia. Some would have fried the servers used to mount the Russian attacks against US targets; others would have put the Internet Research Agency out of action; still more were designed to embarrass Putin or make his money disappear. “It was strikingly detailed,” one former official said.
The ideas were limited to a handful of top officials: many of the White House and State Department senior officials working on Russia were not “read in” to the details. But again, Obama’s top aides hesitated. They had begun to see some evidence that the Russians were backing off; the probing of the state election systems had slowed dramatically after the Obama–Putin encounter. Hitting the Russians at that moment, just when it looked like they may have gotten the message, seemed counterproductive.
Around the same time, the results of the National Intelligence Estimate about the vulnerability of the election system began to circulate. In a rare bit of good news, the National Intelligence Council concluded that hacking the election machines themselves on a broad scale, while not impossible, would be a daunting job. Most voting machines were offline, meaning that hackers would need a physical presence in key polling places to interfere with the results. Theoretically, it was possible to get inside the software that was downloaded into the machines in advance of an election, but since every locality had a different ballot, and often a mix of voting hardware, it would be a complex operation to pull off. At the White House, the staff was clearly relieved.
At least until Clapper spoke up. He warned that if the Russians truly wanted to escalate, they had another easy path: their implants were already deep inside the American electric grid. Forget hacking the voting machines; the most efficient way to turn Election Day into a chaotic, finger-pointing mess would be to plunge key cities into darkness, even for just a few hours.
There was “a sort of silence for a moment,” one participant in that meeting recalled, “and you could sense that people were just letting that sink in.”
* * *
—
Something else had sunk in at Fort Meade: Not only were the Russians inside the election infrastructure; they might well be inside the Tailored Access Operations unit, the operations center for America’s cyber wars.
In mid-August, when the Democrats were still struggling to figure out what the Russian hackers were doing to them, the NSA discovered that it wasn’t only campaign memos that were suddenly showing up on the Internet. So were samples of the tools the TAO had used to break into the computer networks of Russia, China, and Iran, among others.
The tools—everything from code designed to exploit vulnerabilities in Microsoft systems to actual instruction manuals for conducting cyberattacks—were being posted by a group that called itself the Shadow Brokers. The agency’s cyber warriors knew that the code being posted was malware they had written. It was the code that allowed the NSA to place implants in foreign systems, where they could lurk unseen for years—unless the target knew what the malware looked like. And the Shadow Brokers were offering a product catalog.
Inside the NSA, this breach was regarded as a far greater debacle than the Snowden affair. For all the publicity and media attention around Snowden, a dark if compelling character who could still command headlines from his exile in Russia, the Shadow Brokers were inflicting far more damage. Snowden released code words and PowerPoints describing what amounted to battle plans. The Shadow Brokers had their hands on actual code, the weapons themselves. These had cost tens of millions of dollars to create, implant, and exploit. Now they were posted for all to see—and for every other cyber player, from North Korea to Iran, to turn to their own uses.
“People were stunned,” one former employee of the TAO said. “It was like working at Coca-Cola, and waking up to discover that someone had just put the secret formula on the Internet.”
The initial dump was followed by many more, wrapped in taunts, broken English, a good deal of profanity, and a lot of references to the chaos of American politics. The Shadow Brokers were promising a “monthly dump service” of stolen tools and leaving hints—perhaps misdirection—that Russian hackers were behind it all. “Russian security peoples,” one missive read, “is becoming Russian hackers at nights, but only full moons.”
The posts raised many questions. Was this the work of the Russians, and if so was it the GRU, trolling the NSA the way it was trolling the Democrats? Did the GRU’s hackers break into the TAO’s digital safe—which seemed unlikely—or did they turn an insider, maybe several? And was this hack related to another loss of cyber tools, equally embarrassing, from the CIA’s Center for Cyber Intelligence, which had been appearing for several months on the WikiLeaks site under the name “Vault 7”?
Most important, was there an implicit message in the publication of these tools—a threat that if Obama came after the Russians too hard for the election hack, more of the NSA’s code would become public?
Inside the NSA, these questions were rampant. But they were never uttered in public. The NSA’s counterintelligence investigators, called the Q Group, went on a broad hunt for “undiscovered Snowdens,” as one senior official put it. The agency, which had been forced to open up a bit after Snowden, explaining its missions and the legal basis for where it would and would not spy, shut the gates again. Suddenly employees found themselves subjected to polygraph tests, and some were suspended from their jobs. Some departed; a hotshot hacker for the TAO might command upwards of $80,000 a year from the NSA but could make multiples of that figure in the private sector. Many had been willing to make less money to break into foreign systems to defend American interests. But now they reconsidered: was it worth giving up the extra income if you were treated with suspicion at work and strapped to a lie-detector machine?
“Snowden killed morale,” one TAO analyst told us when Scott Shane, Nicole Perlroth, and I dug into the tale of the Shadow Brokers. “But at least we knew who he was. Now you have a situation where the agency is questioning people who have been 100 percent mission-oriented, telling them they are liars.”
The worst part was the fear that came from not knowing if the hemorrhaging had stopped. With their implants in foreign systems exposed, the NSA temporarily went dark. At a moment when the White House and the Pentagon were demanding more options on Russia and a stepped-up campaign against ISIS, the agency was busy building new tools because the old ones had been blown.
Adm. Rogers and other leaders at the agency strongly suspected the Russians were either behind the attack or the beneficiaries of it. The NSA had already been stung by Moscow in 2015—twice.
First, Kaspersky Lab, Russia’s most famous cybersecurity group and a maker of antivirus software, had published a report about the activities of what it called “The Equation Group,” detailing malware implanted in dozens of countries. You didn’t have to read between the lines very carefully to see that the Equation Group was really the Tailored Access Operations unit; some of the malware that Kaspersky highlighted as the group’s handiwork included code from the Olympic Games attacks on Iran. Then, to provoke the NSA further, Kaspersky issued new versions of its antivirus software, used by 400 million people around the world, that detected some of the TAO’s malware and neutralized it.
Then the Shadow Brokers began crowing. “We hack Equation Group,” they wrote. “We find many many Equation Group cyber weapons.”
It was not clear they did “hack” the Equation Group. But there were two incidents involving NSA contractors that likely seem linked to how the TAO’s darkest secrets got out—and, most officials believe, ended up in the hands of the Russians.
The first occurred in late 2014 or early 2015, when a sixty-seven-year-old NSA employee, Nghia H. Pho, took home classified documents. Pho, a native of Vietnam who became a naturalized American citizen, worked deep inside the TAO for a decade, starting in 2006. But after about four years on the job, according to court documents, he started to bring home classified documents, many of them in digital form.
It turned out that Pho was using Kaspersky’s antivirus software, which someone, likely the Russian intelligence agencies, had brilliantly manipulated to search for NSA code words—and Pho had apparently brought home documents that contained some of those words. In effect, Kaspersky’s antivirus products appeared to be giving Russian intelligence a back door into any computer it was installed on.
The Perfect Weapon Page 26
