The Perfect Weapon
Page 27
For Rogers, the Pho case was a disaster; he had been brought in to clean up after the Snowden affair, not let other vulnerabilities fester. Then in early October 2016, things got even worse. Investigators trying to crack the Shadow Brokers case arrested another Booz Allen Hamilton contractor, Harold Martin III, whose house and car in a suburban tract in Glen Burnie, Maryland, were brimming over with classified documents, many from the TAO. Martin kept much of his stolen trove electronically, and the data amounted to “many terabytes” of information, according to the FBI. And it wasn’t limited to the NSA: court filings said he stole material, during previous posts, from the CIA, Cyber Command, and the Pentagon.
It did not look as if Martin was working for the Russians, but the material in his possession included some of the Tailored Access Operations unit’s tools that were ultimately put up for sale by Shadow Brokers. However, just because Martin had the materials, it did not necessarily mean that Shadow Brokers had acquired them from him, which left open the possibility that there were even further leaks from the NSA’s systems.
Rogers was now under more pressure than ever. The Pentagon was hammering him about where all the leaks were coming from. He was issued a reprimand, officials say, though the NSA would not discuss the subject. Nor would Rogers. And the timing was awful: he was under fire at the same moment the White House was asking for cyber options to deal with Russia, something that could deter Putin from further action against the United States.
But what if Putin’s hackers already had pieces of the NSA’s arsenal?
* * *
—
The Shadow Brokers disclosures alarmed the intelligence agencies because they suggested Snowden was not a one-off affair; the nation’s cyber warriors had been repeatedly, deeply compromised. But Obama and his team did not have time to deal with that issue. The debate inside the Situation Room was about how to handle Russia, and it bore no resemblance to the debate out on the campaign trail.
There, Trump did everything he could to cast doubt on the reliability of the intelligence about Russian interference. It was “impossible” to trace cyberattacks, he said, which was patently untrue. Hard, yes. Impossible, no. At his first debate with Hillary Clinton, he argued there was no evidence that Russia was responsible, and famously added that it could have been the Chinese or “somebody sitting on their bed that weighs four hundred pounds.” Ridiculous as it sounded, it was a reminder of how in the public’s mind, cyberattacks seemed so complex and mysterious that the topic lent itself to false claims and political misdirection.
Trump’s contentions stepped up the pressure on the administration to name the Russians—and to provide some evidence. It wasn’t clear either would happen. Obama had pulled back from naming them after the network intrusions at the White House and the State Department, and a later, bold intrusion in 2015 into the computers of the Joint Chiefs of Staff—it was entirely possible his overcaution would again prevail. Yet by October, Obama had concluded that the campaign attacks were different. They were not just espionage; they constituted an attack on American values and institutions—and were more akin to the Sony hacks, which he viewed as an attack on free expression. Obama was hesitant to come to the podium and call out the Russians. It would look too political, he told his aides.
So on October 7, Clapper released a statement from the Office of the Director of National Intelligence, also signed by Jeh Johnson, who was still trying to convince state election boards to let the federal government scan their systems for signs of malware. (Curiously, Comey, fearful of sinking the FBI further into the political campaign, declined to sign the warning. Three weeks later he plunged right into that maelstrom by reopening, then reclosing, the investigation into Hillary Clinton’s emails.) The statement confirmed what the country already knew—at least, those who had been paying attention or hadn’t dismissed the intelligence as politically driven: “The US intelligence community is confident that the Russian government directed the recent compromises of emails from US persons and institutions, including from US political organizations.” The statement also said that “some states have also seen scanning and probing of their election-related systems” from Russia, though it stopped short of accusing the Russian government.
Inside the White House, there had been a vigorous debate about whether to accuse Putin directly, and whether, if he was named, it would provoke him to further action. In the end, the statement was watered down: “We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.” To avoid public panic—and the easy win that would give Putin—the statement included the carefully hedged assessment that “it would be extremely difficult for someone, including a nation-state actor, to alter actual ballot counts or election results by cyber attack or intrusion.”
The statement was only three paragraphs. It offered not a shred of evidence, even though there was plenty, an omission that played into Trump’s hands because without proof, Trump could continue to claim Russia may have had nothing to do with it. This was the first time in history the United States had accused a foreign power of seeking to manipulate a presidential election on a broad scale.
It would have been huge news, save for the spectacularly bad timing.
Just as the government’s statement about Russian interference was beginning to circulate, the Washington Post published news of the Access Hollywood audiotape of Trump, in 2005, describing how “when you’re a star, they let you do it, you can do anything,” including actions that clearly would constitute sexual assault. It seemed for a moment that the one-two punch—the Russians’ interfering on his behalf and the surreptitious tape—would finish him off.
But as Clinton herself wrote, the events proved “the old Washington cliché about how the ‘drip, drip’ of scandal can be even more damaging over time than a single, really bad story. Trump’s tape was like a bomb going off, and the damage was immediate and severe. But no other tapes emerged, so there was nowhere else for the story to go.” The tape and its aftermath largely obliterated much discussion of the intelligence findings. Within an hour, WikiLeaks began publishing John Podesta’s emails, which had been stolen back in March. Suddenly the focus changed to what Hillary had said in speeches to Goldman Sachs, and the internal conversations about her shortcomings as a candidate. Putin had caught a lucky break, again. The Podesta emails dominated the airwaves in the last month of the campaign, but how they became public did not. And Obama decided that any sanctions against Russia should proceed only if it appeared that his warning to Putin—reiterated in a secret letter to the Russian leader that former members of the administration will not discuss—had done no good.
The FBI and Brennan reported a continued decrease in Russian “probes” of the state election systems. No one knew exactly how to interpret that fact—it was possible the Russians already had their implants in the systems they had targeted. But as one senior aide said, “it wouldn’t have made sense to begin sanctions” just when the Russians were backing away.
The administration decided to put off the question of deterrence—or punishment—for a few weeks, until after the election.
* * *
—
Election Day came and went with no penalties for Putin, almost no evidence of suspicious cyber activity at the polls, and the election of a candidate who said the hacking probably never happened and probably wasn’t the Russians if it did. Suddenly all the decisions that had been made about pushing back against the Russians required reexamination. “There had been an assumption that Hillary would win and we’d have time to figure out a set of actions that could be carried into the next administration,” one senior official said. “Suddenly we had to come up with some steps that couldn’t be reversed.”
Obama’s team was stunned. John Kerry pushed for a September 11–style commission to set out the facts of the Russian intrusion; that idea got
shot down. So did new versions of Victoria Nuland’s proposals about releasing embarrassing information about Putin himself.
Even then, in the wake of Trump’s astonishing win, Obama still could not bring himself to take immediate, strong action against Putin, the oligarchs, or the GRU. He worried that the United States would lose the moral high ground. But you could hear the regret in Obama’s voice when he talked to reporters in mid-December. He laid out the facts, including the telling admission that he didn’t know about the hacking of the DNC until “the beginning of the summer” of 2016, without mentioning that that was nine months after the FBI made the first call to DNC headquarters. “My hope is that the president-elect is going to similarly be concerned with making sure that we don’t have potential foreign influence in our election process. I don’t think any American wants that. And that shouldn’t be a source of argument.”
Of course, it became just that. Obama seemed determined not to place the hack into the context of the far larger plan Putin was executing, one whose shadow had lengthened across his second term: the attacks on Ukraine, the intrusions into the American electrical grid, the digital battle with Russian hackers for control over the unclassified network in Obama’s own White House. “This was not some elaborate, complicated espionage scheme,” he said, dismissing the emails the Russians had released as “pretty routine stuff, some of it embarrassing or uncomfortable.” The big concern, he suggested, was the way everyone—the media, the voters—fixated on it.
And he defended his decision to stay quiet until then. “My principal goal leading up to the election was making sure that the election itself went off without a hitch, that it was not tarnished, and that it did not feed any sense in the public that somehow tampering had taken place with the actual process of voting.” Now, he said, “that does not mean that we are not going to respond.”
When the response came, it was right out of the diplomatic playbook. Thirty-five Russian “diplomats” were thrown out of the country, most of them spies, some suspected of abetting the hacking into American infrastructure. A few Russian facilities were closed, including the consulate in San Francisco, where black wisps of smoke rose from the chimney as the Russians burned paperwork. The White House also announced the closure of two Russian diplomatic properties, in Long Island and Maryland. What the administration did not say was that one of them was being used by the Russians to bore underground and tap into a major telephone trunk line that would presumably give them access to both phone conversations and electronic messaging—and perhaps another pathway into American computer networks. But overall it was, as one of Obama’s own aides said, “the perfect nineteenth-century response to a twenty-first-century problem.”
As a secret parting shot, Obama ordered that some code—easy to discover—be placed in Russian systems, a “Kilroy was here” message that was later spun by some as a time bomb left in Russian networks. If so, it was never armed. As a deterrent, it wasn’t much of a success. In fact, the Russians had largely won. As Michael Hayden, the former CIA and NSA director, said, it was “the most successful covert operation in history.”
* * *
—
The Obama administration’s parting cyber sanctions triggered the first scandal of the Trump transition: Trump’s national-security designate, Lt. Gen. Michael Flynn, quietly told the Russian ambassador he would look at the sanctions as soon as Trump took office. He later lied about the conversation, got caught, resigned, and pled guilty to lying to the FBI.
Meanwhile, in a bizarre briefing at Trump Tower conducted by Clapper, Brennan, Comey, and Rogers, Trump was presented with the classified evidence of Putin’s role in hacking the election. He later dismissed Clapper and Brennan, career intelligence officers, as “political hacks.” He fired Comey, largely for pursuing the Russia investigation and refusing to declare his loyalty to the new president.
Comey’s firing resulted in the appointment of a special counsel, Robert Mueller, who peeled away layer after layer of evidence about the Trump campaign’s involvement with the Russians. Then Comey went in front of Congress and said that not only had the Russians intervened, but they would try to do it again. “It’s not a Republican thing or a Democratic thing…,” he said. “They’re going to come for whatever party they choose to try and work on behalf of. And they’re not devoted to either, in my experience. They’re just about their own advantage. And they will be back.”
Trump, his own advisers conceded to me, refused to discuss the Russia hack: He viewed the entire investigation as an effort to undercut his legitimacy. As a result, he seemed unable to design a strategy for dealing with Moscow—which put Putin in the driver’s seat.
It wasn’t until July 7, 2017, six months into his presidency, that Donald Trump finally met Vladimir Putin. They had circled each other for years, each thinking about how to manipulate the other, before they sat down in Hamburg, Germany, at the edge of a Group of 20 summit meeting,
By that time it was becoming clear to Putin that his bet that Trump would eradicate the sanctions choking Russia’s economy was failing, spectacularly. Even the Republican Congress, usually loyal to Trump to a fault, was on the verge of passing new sanctions against Russia for its election interference. Trump could not veto it. And the arms race was accelerating.
Putin and Trump talked behind closed doors for two and a quarter hours. Trump brought only Rex Tillerson, the beleaguered secretary of state, who would be unceremoniously fired over Twitter eight months later. By Tillerson’s account to a group of us after the meeting, they covered everything from Syria to the future of Ukraine. But Tillerson also said that “they had a very robust and lengthy exchange” on the election hack and agreed to a meeting of American and Russian officials to create “a framework in which we have some capability to judge what is happening in the cyber world and who to hold accountable.”
Shortly after the summit broke up, Trump headed for Air Force One, and called me once he was in the air. He wanted to describe his first encounter with Putin. Most of Trump’s call was off the record, but some of what he told me that afternoon he repeated at various times in the next few days, in talking about the session.
He had raised the election hacking three times, he said, and Putin had denied involvement each time. But what was more remarkable was the explanation he gave. Trump had asked if he was involved in election meddling, he said. Putin denied it, and said, “If we did, we wouldn’t have gotten caught, because we’re professionals.”
Trump told me he believed that explanation. “I thought that was a good point because they are some of the best in the world,” he said, a line he repeated nearly verbatim two days later. I asked Trump whether he believed Putin’s denial despite the evidence that Clapper, Brennan, Comey, and Rogers had shown him six months before—some of it drawn from intercepts of Russian communications. Clapper and Brennan, Trump responded, were two of the “most political” intelligence people he knew, and Comey was “a leaker.”
He clearly considered the Russia-and-the-election issue closed. Then our line got cut off as Air Force One ascended.
* * *
—
More than two years later, with the benefit of hindsight, the sequence of missed signals and misjudgments that allowed Russia to interfere in an American election seems incomprehensible and unforgivable—and yet completely predictable for a nation that did not fully comprehend the many varieties of cyber conflict.
Many of the initial mistakes were born of bureaucratic inertia and lack of imagination: The FBI fumbled the investigation, and the DNC’s staff was asleep at the wheel. That deadly combination allowed the Russian hackers complete freedom to rummage through the DNC’s files before the party’s leadership and the president of the United States were briefed about what was happening. The lost time proved disastrous.
If the Russians had struck at our election system in some more obvious way—poisoning candidates it
opposed, for example, as it has poisoned dissidents—any president would have called them out and responded. Only because the gray zone of cyber conflict gave the Russians cover did Obama hesitate. By the time he responded, after the election, it was too late.
We are likely to pay for that failure for years to come. As James Comey said of the Russians: “They will be back.”
Some who look back now on the decisions made in the summer and fall of 2016—politicians and national-security staffers, intelligence officials and FBI agents, Russia specialists and journalists—have described the sequence of events as a massive intelligence failure. But it wasn’t a failure in the classic sense of the phrase. It didn’t launch America into a war on false pretenses, and it didn’t underestimate the progress of Russia’s nuclear program, or North Korea’s for that matter. Rather, it was a failure to confront how skillfully and creatively the Russians were using newly minted cyber skills around the world and how potent a weapon they could become in widening America’s political and social fault lines. In our fixation on the types of cyberattacks we thought we understood—against power grids or banks or nuclear centrifuges—we missed the turn toward manipulating voters.
“Was this the cyber 9/11?” Susan Gordon, the deputy director of national intelligence, and a longtime CIA analyst, asked a year after the election. “I don’t know. Maybe it was, because it affected something far more fundamental than our electric grid—it affected the workings of our democracy. But it was hard to know that at the time.”
Still, it didn’t look much like a 9/11 attack. That was designed to be a spectacular, singular event. The undercutting of the American election system was the opposite. It stretched over many months. Initially, it was hard to detect—and once detected, it was designed to be a deniable operation. Part of it was discovered before Americans went to the polls, but the social-media campaign became evident only months after Donald Trump was elected. And to this day, no one can prove whether it actually affected the election’s outcome—in fact, the dispute over its effects widened the political divide, as the Russians intended.