by George Washington<\/p>\n
Preface by Washington’s Blog: We asked top NSA whistleblower Bill Binney what he thought about a report claiming that the DNC emails were transferred too quickly to have been accessed by a hacker, and could only have been copied by a DNC leaker. This article is his response.\u00a0\u00a0 Background\u00a0here<\/a>\u00a0and\u00a0here.<\/a><\/em><\/p>\n MEMORANDUM FOR:<\/strong>\u00a0The President<\/p>\n FROM:<\/strong>\u00a0Veteran Intelligence Professionals for Sanity (VIPS)<\/p>\n SUBJECT<\/strong>: Was the \u201cRussian Hack\u201d an Inside Job?<\/p>\n Executive Summary<\/em><\/strong><\/p>\n Forensic studies of \u201cRussian hacking\u201d into Democratic National Committee computers last year reveal that on July 5, 2016, data was\u00a0leaked (not hacked)<\/em><\/strong>\u00a0by a person with physical access to DNC computers, and then doctored to incriminate Russia.<\/p>\n After examining metadata from the \u201cGuccifer 2.0\u201d July 5, 2016 intrusion into the DNC server, independent cyber investigators have concluded that an insider copied DNC data onto an external storage device, and that \u201ctelltale signs\u201d implicating Russia were then inserted.<\/p>\n Key among the findings of the independent forensic investigations is the conclusion that the DNC data was copied onto a storage device\u00a0at a speed that far exceeds an Internet capability for a remote hack<\/em><\/strong>.\u00a0Of equal importance, the forensics show that the copying and doctoring were performed on the East coast of the U.S.\u00a0Thus far, mainstream media have ignored the findings of these independent studies [see\u00a0here<\/a>\u00a0and\u00a0here<\/a>].<\/p>\n Independent analyst Skip Folden, a retired IBM Program Manager for Information Technology US, who examined the recent forensic findings, is a co-author of this Memorandum. He has drafted a more detailed technical report titled \u201cCyber-Forensic Investigation of \u2018Russian Hack\u2019 and Missing Intelligence Community Disclaimers,\u201d and sent it to the offices of the Special Counsel and the Attorney General.\u00a0VIPS member William Binney, a former Technical Director at the National Security Agency, and other senior NSA \u201calumni\u201d in VIPS attest to the professionalism of the independent forensic findings.<\/p>\n The recent forensic studies fill in a critical gap.\u00a0Why the FBI neglected to perform any independent forensics on the original \u201cGuccifer 2.0\u201d material remains a mystery \u2013 as does the lack of any sign that the \u201chand-picked analysts\u201d from the FBI, CIA, and NSA, who wrote the \u201cIntelligence Community Assessment\u201d dated January 6, 2017, gave any attention to forensics.<\/p>\n NOTE<\/strong>: There has been so much conflation of charges about hacking that we wish to make very clear the primary focus of this Memorandum.\u00a0We focus specifically on the July 5, 2016 alleged Guccifer 2.0 \u201chack\u201d of the DNC server.\u00a0In earlier VIPS memoranda we addressed the lack of any evidence connecting the Guccifer 2.0 alleged hacks and WikiLeaks, and we asked President Obama specifically to disclose any evidence that WikiLeaks received DNC data from the Russians\u00a0[see\u00a0here<\/a>\u00a0and\u00a0here<\/a>].<\/p>\n Addressing this point at his last press conference (January 18), he described \u201cthe conclusions of the intelligence community\u201d as \u201cnot conclusive,\u201d even though the Intelligence Community Assessment of January 6 expressed \u201chigh confidence\u201d that Russian intelligence \u201crelayed material it acquired from the DNC \u2026 to WikiLeaks.\u201d<\/p>\n Obama\u2019s admission came as no surprise to us. It has long been clear to us that the reason the U.S. government lacks conclusive evidence of a transfer of a \u201cRussian hack\u201d to WikiLeaks is because there was no such transfer.\u00a0Based mostly on the cumulatively unique technical experience of our ex-NSA colleagues, we have been saying for almost a year that the DNC data reached WikiLeaks via a copy\/leak by a DNC insider (but almost certainly not the same person who copied DNC data on July 5, 2016).<\/p>\n From the information available, we conclude that the same inside-DNC, copy\/leak\u00a0process<\/em>\u00a0was used at two different times, by two different entities, for two distinctly different purposes:<\/p>\n -(1) an inside leak to WikiLeaks before Julian Assange announced on June 12, 2017, that he had DNC documents and planned to publish them (which he did on July 22) \u2013 the presumed objective being to expose strong DNC bias toward the Clinton candidacy; and<\/p>\n -(2) a separate leak on July 5, 2016, to pre-emptively taint anything WikiLeaks might later publish by \u201cshowing\u201d it came from a \u201cRussian hack.\u201d<\/p>\n *\u00a0 *\u00a0 *<\/strong><\/p>\n Mr. President:<\/p>\n This is our first VIPS Memorandum for you, but we have a history of letting U.S. Presidents know when we think our former intelligence colleagues have gotten something important wrong, and why. For example, our first such\u00a0memorandum<\/a>, a same-day commentary for President George W. Bush on Colin Powell\u2019s U.N. speech on March 5, 2003, warned that the \u201cunintended consequences were likely to be catastrophic,\u201d should the U.S. attack Iraq and \u201cjustfy\u201d the war on intelligence that we retired intelligence officers could readily see as fraudulent and driven by a war agenda.<\/p>\n The January 6 \u201cIntelligence Community Assessment\u201d by \u201chand-picked\u201d analysts from the FBI, CIA, and NSA seems to fit into the same agenda-driven category. It is largely based on an \u201cassessment,\u201d not supported by any apparent evidence, that a shadowy entity with the moniker \u201cGuccifer 2.0\u201d hacked the DNC on behalf of Russian intelligence and gave DNC emails to WikiLeaks.<\/p>\n The recent forensic findings mentioned above have put a huge dent in that assessment and cast serious doubt on the underpinnings of the extraordinarily successful campaign to blame the Russian government for hacking.\u00a0The pundits and politicians who have led the charge against Russian \u201cmeddling\u201d in the U.S. election can be expected to try to cast doubt on the forensic findings, if they ever do bubble up into the mainstream media.\u00a0But the principles of physics don\u2019t lie; and the technical limitations of today\u2019s Internet are widely understood.\u00a0We are prepared to answer any substantive challenges on their merits.<\/p>\n You may wish to ask CIA Director Mike Pompeo what he knows about this.\u00a0Our own lengthy intelligence community experience suggests that it is possible that neither former CIA Director John Brennan, nor the cyber-warriors who worked for him, have been completely candid with their new director regarding how this all went down.<\/p>\n Copied, Not Hacked<\/strong><\/p>\n As indicated above, the independent forensic work just completed focused on data\u00a0copied (not hacked)<\/em>\u00a0by a shadowy persona named \u201cGuccifer 2.0.\u201d\u00a0The forensics reflect what seems to have been a desperate effort to \u201cblame the Russians\u201d for publishing highly embarrassing DNC emails three days before the Democratic convention last July.\u00a0Since the content of the DNC emails reeked of pro-Clinton bias, her campaign saw an overriding need to divert attention from content to provenance \u2013 as in, who \u201chacked\u201d those DNC emails?\u00a0The campaign was enthusiastically supported by a compliant \u201cmainstream\u201d media; they are still on a roll.<\/p>\n \u201cThe Russians\u201d were the ideal culprit.\u00a0And, after WikiLeaks editor Julian Assange announced on June 12, 2016, \u201cWe have emails related to Hillary Clinton which are pending publication,\u201d her campaign had more than a month before the convention to insert its own \u201cforensic facts\u201d and prime the media pump to put the blame on \u201cRussian meddling.\u201d\u00a0Mrs. Clinton\u2019s PR chief Jennifer Palmieri has explained how she used golf carts to make the rounds at the convention.\u00a0She\u00a0wrote<\/a>\u00a0that her \u201cmission was to get the press to focus on something even we found difficult to process: the prospect that Russia had not only hacked and stolen emails from the DNC, but that it had done so to help Donald Trump and hurt Hillary Clinton.\u201d<\/p>\n Independent cyber-investigators have now completed the kind of forensic work that the intelligence assessment did not do.\u00a0Oddly, the \u201chand-picked\u201d intelligence analysts contented themselves with \u201cassessing\u201d this and \u201cassessing\u201d that.\u00a0In contrast, the investigators dug deep and came up with verifiable evidence from metadata found in the record of the alleged Russian hack.<\/p>\n They found that the purported \u201chack\u201d of the DNC by Guccifer 2.0 was not a hack, by Russia or anyone else.\u00a0Rather it originated with a copy (onto an external storage device \u2013 a thumb drive, for example) by an insider.\u00a0The data was leaked after being doctored with a cut-and-paste job to implicate Russia.\u00a0We do not know who or what the murky Guccifer 2.0 is. You may wish to ask the FBI.<\/p>\n The Time Sequence<\/strong><\/p>\n June 12, 2016:<\/strong>\u00a0Assange\u00a0announces<\/a>\u00a0WikiLeaks is about to publish \u201cemails related to Hillary Clinton.\u201d<\/p>\n June 15, 2016:<\/strong>\u00a0DNC contractor Crowdstrike, (with a dubious professional record and multiple conflicts of interest) announces that malware has been found on the DNC server and claims there is evidence it was injected by Russians.<\/p>\n June 15, 2016:<\/strong>\u00a0On the same day, \u201cGuccifer 2.0\u201d affirms the DNC statement; claims responsibility for the \u201chack;\u201d claims to be a WikiLeaks source; and posts a document that the forensics show was synthetically tainted with \u201cRussian fingerprints.\u201d<\/p>\n We do not think that the June 12 & 15 timing was pure coincidence. Rather, it suggests the start of a pre-emptive move to associate Russia with anything WikiLeaks might have been about to publish and to \u201cshow\u201d that it came from a Russian hack.<\/p>\n The Key Event<\/strong><\/p>\n July 5, 2016:<\/strong>\u00a0In the early evening, Eastern Daylight Time, someone working in the EDT time zone with a computer directly connected to the DNC server or DNC Local Area Network, copied 1,976 MegaBytes of data in 87 seconds onto an external storage device.\u00a0That speed is many times faster than what is physically possible with a hack.<\/em><\/strong><\/p>\n It thus appears that the purported \u201chack\u201d of the DNC by Guccifer 2.0 (the self-proclaimed WikiLeaks source) was not a hack by Russia or anyone else, but was rather a copy of DNC data onto an external storage device.\u00a0Moreover, the forensics performed on the metadata reveal there was a subsequent synthetic insertion \u2013 a cut-and-paste job using a Russian template, with the clear aim of attributing the data to a \u201cRussian hack.\u201d\u00a0This was all performed in the East Coast time zone.<\/p>\n \u201cObfuscation & De-obfuscation\u201d<\/strong><\/p>\n Mr. President, the disclosure described below may be related.\u00a0Even if it is not, it is something we think you should be made aware of in this general connection.\u00a0On March 7, 2017, WikiLeaks began to publish a trove of original CIA documents that WikiLeaks labeled \u201cVault 7.\u201d\u00a0WikiLeaks said it got the trove from a current or former CIA contractor and described it as comparable in scale and significance to the information Edward Snowden gave to reporters in 2013.<\/p>\n No one has challenged the authenticity of the original documents of Vault 7, which disclosed a vast array of cyber warfare tools developed, probably with help from NSA, by CIA\u2019s Engineering Development Group.\u00a0That Group was part of the sprawling CIA Directorate of Digital Innovation \u2013 a growth industry established by John Brennan in 2015.<\/p>\n Scarcely imaginable digital tools \u2013 that can take control of your car and make it race over 100 mph, for example, or can enable remote spying through a TV \u2013 were described and duly reported in the New York Times and other media throughout March.\u00a0But the Vault 7, part 3 release on March 31 that exposed the \u201cMarble Framework\u201d program apparently was judged too delicate to qualify as \u201cnews fit to print\u201d and was kept out of the Times.<\/p>\n The Washington Post\u2019s Ellen Nakashima, it seems, \u201cdid not get the memo\u201d in time.\u00a0Her March 31 article bore the catching (and accurate) headline: \u201cWikiLeaks\u2019 latest release of CIA cyber-tools could blow the cover on agency hacking operations.\u201d<\/strong><\/p>\n The WikiLeaks release indicated that Marble was designed for flexible and easy-to-use \u201cobfuscation,\u201d and that Marble source code includes a \u201cdeobfuscator\u201d to reverse CIA text obfuscation.<\/p>\n More important, the CIA reportedly used Marble during 2016.\u00a0In her Washington Post report, Nakashima left that out, but did include another significant point made by WikiLeaks; namely, that the obfuscation tool could be used to conduct a \u201cforensic attribution double game\u201d or false-flag operation because it included test samples in Chinese, Russian, Korean, Arabic and Farsi.<\/p>\n The CIA\u2019s reaction was neuralgic. Director Mike Pompeo lashed out two weeks later, calling Assange and his associates \u201cdemons,\u201d and insisting, \u201cIt\u2019s time to call out WikiLeaks for what it really is, a non-state hostile intelligence service, often abetted by state actors like Russia.\u201d<\/p>\n Mr. President, we do not know if CIA\u2019s Marble Framework, or tools like it, played some kind of role in the campaign to blame Russia for hacking the DNC.\u00a0Nor do we know how candid the denizens of CIA\u2019s Digital Innovation Directorate have been with you and with Director Pompeo.\u00a0These are areas that might profit from early White House review.<\/p>\n Putin and the Technology<\/strong><\/p>\n We also do not know if you have discussed cyber issues in any detail with President Putin.\u00a0In his interview with NBC\u2019s Megyn Kelly, he seemed quite willing \u2013 perhaps even eager \u2013 to address issues related to the kind of cyber tools revealed in the Vault 7 disclosures, if only to indicate he has been briefed on them.\u00a0Putin pointed out that today\u2019s technology enables hacking to be \u201cmasked and\u00a0camouflaged to\u00a0an\u00a0extent that no one can\u00a0understand the\u00a0origin\u201d [of the hack] \u2026 And, vice versa, it is possible to\u00a0set up any entity or\u00a0any individual that everyone will think that they are the\u00a0exact source of\u00a0that attack.\u201d<\/p>\n \u201cHackers may be anywhere,\u201d he said. \u201cThere may be hackers, by\u00a0the\u00a0way, in\u00a0the\u00a0United States who very craftily and\u00a0professionally passed the\u00a0buck to\u00a0Russia. Can\u2019t you imagine such a\u00a0scenario? \u2026 I\u00a0can.\u201d<\/p>\n Full Disclosure:\u00a0<\/strong>Over recent decades the ethos of our intelligence profession has eroded in the public mind to the point that agenda-free analysis is deemed well nigh impossible.\u00a0Thus, we add this disclaimer, which applies to everything we in VIPS say and do: We have no political agenda; our sole purpose is to spread truth around and, when necessary, hold to account our former intelligence colleagues.<\/p>\n We speak and write without fear or favor. Consequently, any resemblance between what we say and what presidents, politicians and pundits say is purely coincidental. The fact we find it is necessary to include that reminder speaks volumes about these highly politicized times.\u00a0This is our 50th<\/sup>\u00a0VIPS Memorandum since the afternoon of Powell\u2019s speech at the UN. Live links to the 49 past memos can be found at\u00a0http:\/\/consortiumnews.com\/vips-memos\/<\/a>.<\/p>\n FOR THE STEERING GROUP, VETERAN INTELLIGENCE PROFESSIONALS FOR SANITY<\/p>\n William Binney, former NSA Technical Director for World Geopolitical & Military Analysis; Co-founder of NSA\u2019s Signals Intelligence Automation Research Center<\/p>\n Skip Folden, independent analyst, retired IBM Program Manager for Information Technology US (Associate VIPS)<\/p>\n Matthew Hoh, former Capt., USMC, Iraq & Foreign Service Officer, Afghanistan (associate VIPS)<\/p>\n Michael S. Kearns, Air Force Intelligence Officer (Ret.), Master SERE Resistance to Interrogation Instructor<\/p>\n John Kiriakou, Former CIA Counterterrorism Officer and former Senior Investigator, Senate Foreign Relations Committee<\/p>\n Linda Lewis, WMD preparedness policy analyst, USDA (ret.)<\/p>\n Lisa Ling,\u00a0TSgt USAF (ret.) (associate VIPS)<\/p>\n Edward Loomis, Jr., former NSA Technical Director for the Office of Signals Processing<\/p>\n David MacMichael, National Intelligence Council (ret.)<\/p>\n Ray McGovern, former U.S. Army Infantry\/Intelligence officer and CIA analyst<\/p>\n Elizabeth Murray, former Deputy National Intelligence Officer for Middle East, CIA<\/p>\n Coleen Rowley, FBI Special Agent and former Minneapolis Division Legal Counsel (ret.)<\/p>\n Cian Westmoreland, former USAF Radio Frequency\u00a0Transmission\u00a0Systems Technician and Unmanned Aircraft Systems whistleblower (Associate VIPS)<\/p>\n Kirk Wiebe, former Senior Analyst, SIGINT Automation Research Center, NSA<\/p>\n Sarah G. Wilton, Intelligence Officer, DIA (ret.); Commander, US Naval Reserve (ret.)<\/p>\n Ann Wright, U.S. Army Reserve Colonel (ret) and former U.S. Diplomat<\/p>\n