As yet, there appear to be no independent expert witnesses scheduled to testify to the House Intelligence Committee in the upcoming hearings on the “Russian hacking” allegations.
This is particularly unfortunate since we already know that Russia didn’t “hack” anything that actually affected the election. That’s likely to be obscured by a parade of partisans earnestly insisting that Russia did hack something. Yet that assertion itself can be, and has been, disputed by experts.
The impression being set up by the witness list is like what you’d get if only the prosecutor got to argue his case in a courtroom. But it’s even worse, because unlike a courtroom trial, congressional hearings lead to political conclusions for which there is no appeals process.
So it’s extremely important – unless you just want to mislead the people – to get the dynamic right: a level playing field on which adversarial arguments can actually be heard.
The concern raised by Lee Stranahan at Breitbart is a valid one. The House is scheduled to hear only from the people who have already made the case that “Russia hacked the election” (or, to put it in less freighted language, that Russia tried to interfere in the 2016 election with a campaign of information warfare, the only actionable portion of which would have been the alleged computer intrusions).
The Obama political officials on the list are inherently biased, of course. That’s a given. It’s the expert testimony that Stranahan zeroes in on (emphasis added):
The initial witness list released by House Intelligence includes a number of intelligence officials, all appointed during the Obama administration, such as former CIA Director John Brennan, former Director of National Intelligence James Clapper, and former Acting Attorney General Sally Yates, but the sole technical people on the invitation list are two representatives of CrowdStrike, President Shawn Henry, and the co-founder Dmitri Alperovitch.
CrowdStrike is the now-famous cybersecurity company that has committed full-bore to the case that the DNC was “hacked” by Russians. (Technically, it was spear-phished.) A few other companies have supported the same case – and we’ll look at them a little later.
Stranahan lays out key points on which other experts disagree with CrowdStrike, and I recommend reading through them. The main takeaway is not that the Russians didn’t try to intrude on U.S. computer systems. It’s that we can’t identify the humans behind the intrusions as Russians with certainty. What CrowdStrike presents as “fingerprints” are actually not. Even malware packages that we believe the Russians developed could have been used by someone else. Once a malware package is known, it’s out there, and anyone can use it.
(This was all established even before the revelation this week that the CIA has the capability to mimic someone else’s malware signature, in order to misdirect cyber forensics.)
Stranahan brings up good reasons to be concerned about CrowdStrike’s non-partisan bona fides. Not only are they heavily indebted to Google – a major Hillary supporter – for a $100 million round of funding in 2015, but they were hired by the DNC and Hillary’s campaign organization in 2016.
Naturally, the last point means we would want to hear from them in these hearings. But we wouldn’t want to hear solely from them.
Stranahan traces, moreover, how CrowdStrike executives have made claims about the hackers’ political motives that are beyond their expertise—and how their “expert” narrative has actually changed over time to track with the narrative being touted by Democratic partisans. Congress needs to hear from experts with a different point of view.
When it comes to CrowdStrike, however, there are even more links with Democrats, and especially the previous administration, to consider.
The inevitable connections to Obama and Hillary
Founder Dmitri Alperovitch has been the best known face of CrowdStrike, partly due to the profile feature done on him by Esquire in late 2016. But his co-founder, George Kurtz – like Alperovitch, a former executive at McAfee – has had a high professional profile as well.
Worth noting at the outset is that Kurtz obtained a $26 million financing deal for the CrowdStrike start-up in February 2012 from equity giant Warburg Pincus, after Kurtz had been serving there as the “entrepreneur in residence.”
Warburg Pincus raised $253,000 for Obama’s 2008 campaign, and was a major source of private funding for Obama crony Polypore, whose subsidiary Celgard manufactures batteries for electric cars. That boondoggle cost the taxpayer a pretty penny, but Warburg Pincus reportedly tripled its $300 million investment. Nice gig if you can get it.
This equity firm is where the initial seed money for CrowdStrike came from (Warburg was the only capital investor at the beginning; Google came in with the $100 million in 2015).
Warburg Pincus remains a primary investor in CrowdStrike, along with Google and Accel Partners. In 2016, Warburg, whose president since 2014 has been Tim Geithner, Obama’s former secretary of the treasury, raised $29,709 for Hillary Clinton, the largest single recipient of campaign funds raised by Warburg employees and PACs. (No contributions were made through Warburg-related entities to Donald Trump.)
Accel Partners, meanwhile, is one of the top partners listed for the Clinton Foundation’s Endeavor Mentor Capital Program, and in 2016 was reported to be a direct partner with the program’s capital investment arm Endeavor Catalyst.
Google, of course, is now a subsidiary of Alphabet, whose employees and PACs donated $1,315,940 to the Hillary Clinton campaign in 2016.
The human element
But, as Lee Stranahan points out, that’s not all, when it comes to CrowdStrike investor Google Capital. There’s the human, personal side of all this, starting with Google’s Eric Schmidt (now officially the Executive Chairman of Alphabet) and his direct connection with Hillary’s campaign.
Then there’s the interconnectedness of the CrowdStrike executive stable. Steven Chabinsky, CrowdStrike’s General Counsel and Chief Risk Officer, was named to Obama’s Commission on Enhancing National Cybersecurity in April 2016.
That’s partly because Chabinsky was Deputy Assistant Director of the FBI’s Cyber Division and Chief of the FBI’s Cyber Intelligence Section before he left the Bureau for private life in 2012 (the year he joined CrowdStrike).
And in that FBI capacity, he would have worked with one of the two CrowdStrike witnesses scheduled to testify before the House committee: Shawn Henry. Stranahan notes that Henry is now a talking head for multiple NBC properties, which is a significant point.
But there’s more. Henry is the president of CrowdStrike Services, and the Chief Security Officer (CSO) for the company. But when he came on with CrowdStrike, in April 2012, he was coming off his final position with the FBI: Executive Assistant Director of the Criminal, Cyber, Response, and Service Branch. (Or, as he was usually referred to, the “FBI’s top cyber official.”)
In other words, CrowdStrike scored the FBI’s two biggest Obama-era cybersecurity names – Henry and Chabinsky – the year it was formed as a start-up.
These personnel details shed an especially interesting light on a point Stranahan emphasizes: that the FBI has never performed a direct evaluation of the DNC computer system that suffered the intrusion. Instead, the Bureau relied entirely on the CrowdStrike assessment of what happened.
And that was because, according to FBI Director James Comey, the FBI was repeatedly denied access to the DNC servers, along with John Podesta’s smartphone, the intrusion path for the spear-phishing attack.
At a minimum, this denial of access could not have been because CrowdStrike and the FBI were unfamiliar with, and wary of, each other. Right? So why was the FBI denied access?
Another CrowdStrike exec – co-founder George Kurtz – sheds additional interesting light on a Stranahan observation. As mentioned above, Stranahan stresses that cyber-expertise does not confer expertise in the motives of attackers. He’s right. Assessing motives has to be a multi-discipline analytical effort. Any good intelligence officer will tell you that.
But selling its services on the basis of understanding the attacker and his motives is exactly how CrowdStrike markets itself. CrowdStrike is effectively, in its own right, a narrative-concocting security company – and that should color everything we think about its testimony.
Kurtz affirmed that in 2013, when he was interviewed for the Accel Partners funding tranche.
“We’ve built a platform that can identify the kind of attack that is being used, but we can also determine who’s behind it and what their motivation is,” said George Kurtz, CEO and co-founder.
The firm uses a big data and analytics platform to keep track of hacking groups around the world, and Kurtz said it can usually figure out who’s behind an attack, and shut it down.
With that in mind, listen to the tagline with which CrowdStrike cultivates its reputation with customers, touted in the Esquire profile of Dmitri Alperovitch in October:
“You don’t have a malware problem, you have an adversary problem.”
We don’t know just how the Democrats and CrowdStrike came to find each other. But it’s a remarkable concatenation of circumstances, that a narrative-concocting cybersecurity firm was right there when the anti-Trump forces needed to build a narrative about the election.
Letting CrowdStrike be the sole expert witness on cybersecurity will be like letting the prosecutor do all the questioning of an expert witness, with no cross-examination by the defense, or any independent experts put on the stand.
And still there’s more. Through their common roots in McAfee, Alperovitch and Kurtz have an extensive history with top cyber expert Phyllis Schneck, who appears in the Esquire piece from October. In fact, Alperovitch and Schneck were at Georgia Tech together (see the Esquire article), and later were vice presidents of McAfee at the same time Kurtz was McAfee’s chief technology officer (CTO). Alperovitch has obviously had a close professional relationship with Schneck; their names are both on four separate patent applications.
What is Schneck doing today? Since 2013, she’s been the Deputy Under Secretary for Cybersecurity and Communications for the National Protection and Programs Directorate (NPPD) – i.e., the chief cybersecurity official for the Department of Homeland Security (DHS).
That department, interestingly, spent 2016 looking for reasons to federalize the supervision of state election systems. And, what do you know, it conveniently found just such a reason in the CrowdStrike narrative that the Russians were behind the hacking of the DNC servers.
Schneck also served for eight years as the chairman of the national board of the FBI’s InfraGard program, a public-private partnership with the commercial security industry. Not a bad contact to have teed up in your smartphone, as the execs at CrowdStrike quite probably do.
An…interesting CIA connection
CrowdStrike itself doesn’t appear to have links with the CIA. But FireEye, a company whose work going back to 2013 attributes the two key “threat groups” implicated in the DNC hack to Russia, does have a link to the CIA. FireEye’s subsidiary Mandiant identified the two threat groups fingered in the CrowdStrike analysis as “APT28” and “APT29,” and connected them with Russia – work that figures large in the CrowdStrike assessment.
FireEye’s Mandiant is one of two companies the Washington Post (link above) cited as “independent” firms “seconding” CrowdStrike’s assessment about Russia.
…and other CrowdStrike connections
The other is Fidelis Cybersecurity. But Fidelis has been in a close partnership with CrowdStrike since 2014 “to provide customers with access to shared threat intelligence that will further improve the prevention, detection, attribution and remediation of cyber-attacks in real-time.”
So “independent” is not the word I would use to describe the threat intelligence analyses of CrowdStrike and Fidelis, as regards each other. They’re in a partnership to accept and rapidly implement the fruits of each other’s work.
The third company mentioned in WaPo’s June 2016 article is ThreatConnect. ThreatConnect did some forensic work related to the DNC server, but it was also – most famously – the company that tied “DCLeaks,” the outlet that dumped emails from the Hillary campaign, to Russia.
It turns out that ThreatConnect, like Fidelis, has been in a close partnership with CrowdStrike since 2015 to “strengthen threat intelligence data availability and delivery…delivering premium and open-source threat intelligence directly into ThreatConnect, allowing customers to derive even more extensive and actionable intelligence from their existing security data.”
Some independent perspective, please
It would not be impugning any of the aforementioned companies to insist on hearing from at least one that is not connected to the Democratic Party, the Obama administration, Obama-crony or Hillary-crony funding sources, the CIA, or each other.
This is especially imperative now that the CIA’s malware-misdirection capability has been exposed. Certainly, we don’t know for sure the validity of that disclosure via WikiLeaks. But that’s precisely the point. The potential scenario it raises goes straight to the core assumption of the “Russian hacking” theme. It can’t be brushed aside. It has got to be sorted out, if anything from the House hearings is to be credible.
Without claiming that any one alternative viewpoint is definitive, we can’t do better than to sign off with the skepticism expressed by John McAfee, founder of the company where CrowdStrike’s top talent used to work. He doesn’t think the Russians hacked the DNC servers, or passed on the Hillary campaign’s emails to DCLeaks. Said McAfee (in a December 2016 interview with Larry King):
[H]ackers can fake their location, their language, and any markers that could lead back to them. Any hacker who had the skills to hack into the DNC would also be able to hide their tracks, he said.
“If I was the Chinese and I wanted to make it look like the Russians did it, I would use Russian language within the code, I would use Russian techniques of breaking into the organization,” McAfee said, adding that, in the end, “there simply is no way to assign a source for any attack.”
McAfee summed it up this way:
[I]f it looks like the Russians did it, then I can guarantee you it was not the Russians.