- Jake Williamsfounder of Rendition InfoSec, a computer security firm. He is also a former member of the NSA’s Tailored Access Operations hacking team.
- Bruce Schneiersecurity technologist. He is a fellow at Harvard’s Berkman Center for Internet and Society and author of Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.
A military intelligence contractor has been arrested and charged with leaking a top-secret NSA report to the media that reveals Russian military intelligence conducted a cyberattack on at least one U.S. voting software company just days before last November’s presidential election. The charges were announced after The Intercept published part of the NSA report on Monday. It is the first criminal leak case under President Trump. We speak with security technologists Bruce Schneier and Jake Williams, who is a former member of the NSA’s Tailored Access Operations hacking team.
JUAN GONZÁLEZ: A new exposé by The Intercept reveals Russian military intelligence conducted a cyberattack on at least one U.S. voting software company just days before last November’s presidential election and sent so-called spear-phishing emails to more than 100 local election officials. The story is based on a top-secret NSA report provided anonymously to The Intercept, and has now prompted the first criminal leak case under President Trump.
The Intercept calls the classified report from May 5th, 2017, “the most detailed U.S. government account of Russian interference in the election that has yet come to light.” It shows that the agency is convinced the Russian General Staff Main Intelligence Directorate, or GRU, was responsible for interfering in the 2016 presidential election and, quote, “executed cyber espionage operations against a named U.S. company in August 2016, evidently to obtain information on elections-related software and hardware solutions. … The actors likely used data obtained from that operation to … launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations.” Although the leaked report does not directly identify a specific company, it refers to a product made by a Florida-based company called VR Systems, which provides electronic voting services and equipment used in eight states.
The Intercept makes a point to note that, quote, “While the document provides a rare window into the NSA’s understanding of the mechanics of Russian hacking, it does not show the underlying 'raw' intelligence on which the analysis is based. A U.S. intelligence officer who declined to be identified cautioned against drawing too big a conclusion from the document because a single analysis is not necessarily definitive.”
AMY GOODMAN: About an hour after The Intercept story was published, the Justice Department announced it was charging a 25-year-old intelligence contractor named Reality Leigh Winner with sending a classified report about Russia’s interference in the 2016 election to the news media. The FBI arrested Winner at her home in Augusta, Georgia, on Saturday. Federal officials say she confessed to an agent that she had printed out the report and mailed it to an online news outlet. An FBI affidavit said Winner has worked for Pluribus International Corporation at a government facility in Georgia since February. Hillary Clinton’s 2016 vice-presidential running mate, Senator Tim Kaine, responded to the report and the arrest Monday night during an interview with CNN’s Erin Burnett.
SEN. TIM KAINE: I don’t condone leaks by anybody, so there—there are laws about it. And if she has broken laws, then she has to suffer the consequences for that.
ERIN BURNETT: And obvious—
SEN. TIM KAINE: But—
ERIN BURNETT: Sorry, go ahead.
SEN. TIM KAINE: But we also—we also have to get to the bottom of the story, because, as you pointed out, Erin, there was—there has already been public reporting of the fact that the Russians not only invaded the DNC and Democratic emails—the intelligence community has concluded that they wanted to defeat Hillary Clinton and elect Donald Trump—but they also were rummaging around through state boards of elections. The public reporting is that they sucked data on more than 200,000 people out of the Illinois State Board of Elections, for example, that they could then use to target them with false news stories or all kinds of other things. So, this is all part of a pattern. Somebody who leaks documents against the law has got to suffer the consequences, but the American public is also entitled to know the degree to which Russia invaded the election to take it, the election, away from American voters.
AMY GOODMAN: Attorney General Jeff Sessions has vowed to crack down on leakers, saying he has, quote, “initiated appropriate steps to address these rampant leaks that undermine our national security,” unquote. Espionage Act charges can carry a sentence of up to 10 years in prison. On Monday, WikiLeaks publisher Julian Assange called for the public to support Winner, tweeting she is, quote, “accused of courage in trying to help us know,” unquote.
All of this comes as former FBI Director James Comey is set to testify Thursday before the Senate Intelligence Committee on Russian interference in the 2016 election.
For more, we’re joined by two guests who were consulted for The Intercept story and quoted in it. In San Francisco, Jake Williams is the founder of Rendition InfoSec, a computer security firm. He is also a former member of the NSA’s Tailored Access Operations hacking team. And in Washington, D.C., we’re joined by Bruce Schneier, a security technologist, a fellow at Harvard’s Berkman Center for Internet and Society, author of Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.
Jake Williams and Bruce Schneier, welcome to Democracy Now! Jake Williams, you worked at the NSA. Can you talk about the document that has been released, its significance, and also the arrest of the person who allegedly leaked it?
JAKE WILLIAMS: Well, so I’ll start by saying that when I commented on The Intercept story, I was unaware it was based on a leaked NSA document. First time I heard that, actually, was when I read the story itself. They actually talked to me about the technical aspects of—you know, of, again, how Russia would have done what they did with the hacking of that voting company. But, you know, as far as all that goes, obviously, there are laws against leaking. You know, I think we have to balance some of that in the public interest. But, yeah, again, like I said, when I first commented, I had no idea that it was based on that leaked NSA document. That being said, I think it’s a relatively interesting—you know, relatively interesting development and, ultimately, very technically detailed as far as giving insight into the specific actor and actions that were conducted.
JUAN GONZÁLEZ: And, Bruce Schneier, I’d like to get your response to the story and also the rapidity with which the government moved to arrest the alleged whistleblower in this case.
BRUCE SCHNEIER: Yeah, the story is an interesting one. This is just one document that is a piece of a much larger puzzle. It shows something very specific, that in August the Russian GRU attacked VR Systems, which is a company that makes voting roll software. They’re not involved in election software, in voting software. It’s software that manages voting rolls. And they do that for eight states in the U.S., as far as we know from their website. The Russians did that in an effort to get information about VR Systems that they used a few days before the election to run an attack against, according to the document, 122 state election officials.
Now, near as we can tell, nothing happened with this. If you’re going to attack voting rolls, the effect would be to deregister people, change their party affiliation, change their address—generally, sow chaos during the election. And we didn’t see any of that. So this feels much more exploratory as an attack than operational. But we don’t know. This was a document written by the NSA, so it shows the NSA analysis. Presumably, it was sent to the FBI, who would be doing the domestic investigation as to what happened. And we don’t see that. We don’t know if there were attacks against other election officials, other voting software companies, and what those effects might have been.
The document seems to have come from Reality Winner. And The New York Times talks about the arrest, that it seems that she sent the document to The Intercept. But when The Intercept sent it to the NSA, the NSA noticed that the document was folded, that it was a piece of paper that was folded. And from that, they concluded that it was printed out and hand-carried from a secure location. They checked their auditing system, found that only five or six people had printed that document. And Winner was the only person who had interacted with The Intercept via email. So, a lot of very bad operational security on the part of both Winner and The Intercept resulted in that very swift arrest.
AMY GOODMAN: You mean she had sent an email from her work email to The Intercept?
BRUCE SCHNEIER: That’s unclear, but that’s the impression I got, which, you can imagine, is just crazy. But, you know, it could be from a Gmail account. It’s hard to tell from the story. But it was an email that was traceable that the NSA was able to trace. And they seem to have known who it was before the story was released. The Intercept had talked with the NSA in the days before publication about what was to be redacted. And that’s very common practice for a news organization. So the NSA figured out who this was. They seem to have waited ’til publication before making the arrest but had identified the leaker in the days previously.
AMY GOODMAN: Well, actually, didn’t they arrest her on Saturday, but they charged her yesterday and issued the press release?
BRUCE SCHNEIER: Oh, OK. That’s something I didn’t know. So, that would make sense. You know, the document, fundamentally, isn’t all that. I mean, it does show Russian interference. It’s not interference in the election. I mean, there’s—no interference seems to have happened. This is obviously part of a very broad campaign from Russia to find out pressure points in our election and see what they can do. This isn’t evidence that they did interfere with the election, that they certainly could have, I think, if they wanted to. They might be setting the stage for a future interference. They might just be seeing where the vulnerabilities are and what they could do. It’s very hard, from this document, to make broader conclusions. And I echo that unnamed intelligence official in The Intercept story that said, you know, there’s a lot we’re missing from this document, and it’s hard to make broad generalities.
JUAN GONZÁLEZ: But one of the things that does seem clear, though, Bruce, is that President Obama had indicated—I think it was in September of last year—that he had personally spoken to President Putin about Russian attempts to interfere in U.S. elections and that, after he spoke to Putin, it had stopped. But according to this report, some of these overtures occurred just before the election, so obviously the Russians did not get the message from President Obama.
BRUCE SCHNEIER: I mean, that is correct. The first attack happened in August. The second attack happened in early November. Then these—this was attacks against U.S. election officials directly. And there’s a sort of a very broad set of things going on. You know, we know about vulnerabilities in election machines. These are about vulnerabilities in voting rolls, the DNC hack about vulnerabilities in the parties and their networks and their information. The election system is very broad and complicated, and there are vulnerabilities everywhere. Exactly what is being targeted and what counts, we have to decide. But certainly, this is an example of, after the September conversation, the Russians doing more meddling.
We also know from last fall that there were attacks into voting databases. Vice-presidential candidate Kaine mentioned one of them earlier, in Illinois. We didn’t know who, but someone did access the voting rolls in Illinois and, I think, one other state, downloaded information, which, you can imagine, could be used to target different propaganda campaigns, to just cause problems. And nothing seems to have happened about that. We don’t know who did that. But it’s yet another example of interference.
AMY GOODMAN: Jake Williams, can you explain what the GRU is, the Russian General Staff Main Intelligence Directorate, that allegedly this document shows conducted the cyberattack?
JAKE WILLIAMS: Yeah. So the GRU generally targets a number of—it’s generally political organizations, as well as a number of technology organizations in the U.S. and abroad. And basically, we’ve seen them in quite a few—quite a few networks. In fact, when I was commented or, you know, requested for comments on the story, they just talked to me about the technical end and never mentioned GRU or Russia. And, you know, I came out and said, “Oh, hey, this sounds very much like—very much like the GRU.” And the reporter says, “Hey, how do you know that?” I said, “This is like reading a playbook.” Right? The techniques that they describe, you know, while not specific to the GRU, are very, very typical of their types of—their types of operations. And again, you know, very important to note that we’ve seen them strike far and wide. This isn’t something that’s unique to—uniquer to U.S. election interference. We’ve seen them in quite a few—quite a few of our client networks, both in the U.S. and outside the U.S., as well.
JUAN GONZÁLEZ: And, Jake, if the—if elections in this country are so fundamental or critical to the society and to the governing process, why are—why is the election machinery so vulnerable?
JAKE WILLIAMS: Well, I mean, I think you have to step back and look at the fact that, you know, as the vote totals come in, they’re totaled by county commissioners, who, really, at the end of the day, have very little cyber—very little, if any, cybersecurity training. There’s no real-time monitoring of these machines in any case that I’ve—that I’ve been involved in. And, you know, as we look at these small county governments, they simply don’t have the funding to fend off, you know, what ultimately are coordinated nation-state—coordinated nation-state attacks. You know, some of our Fortune 50 clients can’t effectively get rid of—you know, keep APT, the advanced persistent threat, attackers out of their networks. And your county governments simply don’t have a chance. And it’s very easy to stand on high at the federal level and say, “We have to get this right. We have to secure this.” I hear this as a talking point quite a bit, and quite a bit leading up to the election. But the reality is it’s an unfunded—an unfunded mandate, basically, to secure these—to secure these systems.
It doesn’t surprise me a bit, one, that the GRU would target county and state election officials, because the reality is that they’re the ones that are the most vulnerable. That’s where the vote totals originally come in. That’s where the voter rolls are stored. Again, all this makes sense from a targeting perspective, both in the—that’s where the easy-to-get-at, juicy information is at, and these are the people least likely to discover such an attack.
AMY GOODMAN: Jake Williams, you recently gave a speech about how to hack an election. How would you do it?
JAKE WILLIAMS: Well, that’s very interesting. Back in November, after the election results had been posted, I gave a speech at one of the SANS Institute conferences about basically how I’d hack an election. And this is based on some research that I did into—kind of into that mode.
Look, I think, up at the state level, it gets pretty difficult to start manipulating vote totals. But I said I would go down to the county governments—right?—the individuals who are certifying the individual vote totals. We saw some—before the election, we saw some demonstrations of how to hack voting machines. And people always note that these are air-gapped voting machines. But, of course, the reality is, they’re programmed from, in some cases, PCMCIA cards, these computer cards, that ultimately are programmed on a computer that is very likely, in every case, connected to the internet. And so, again, if you look at starting to work through us, you know, we would target these low-level machines. I said the second thing I’d target would be absentee ballots. I think that—and to do that, you know, I specifically mentioned I’d go after voter rolls. It was very interesting to see that come out—come out of the story, actually felt a little eerie.
AMY GOODMAN: Bruce Schneier, I wanted to get your comment on Julian Assange’s tweet saying that the person accused of this, Reality Winner, is “accused of courage in trying to help us know.” Your thoughts?
BRUCE SCHNEIER: So, there’s two sides to this, and it’s very complicated. On the one side, these are classified documents, and there are laws, and there are rules. And she committed a crime by releasing it. On the other hand, there is a public right to know. And there are lots of lawsuits going on right now. Electronic Privacy Information Center has a lawsuit trying to get the details of that January ODNI report. If you remember, in January, we had the report from the director of national intelligence saying that Russia interfered with the elections in an attempt to sway the votes. We just got the unclassified summary. There’s a detailed report behind that, that we’re trying to get released through various legal means. And there are ways to do that. There’s also leaking. There are times that leaking is incredibly beneficial.
Now, this document, you know, doesn’t seem worth the risk, unfortunately. And I wish I didn’t say that. So, yes, I think principled leaking is extremely important and valuable and a safety check against government overclassification. On the other hand, this is prosecutable and will be prosecuted, and I cannot fault the Justice Department. And it’s not the Trump administration. Anybody would do this. Here’s a person who took a document and mailed it to the press, didn’t cover her tracks, and she’s going to be convicted for it. I believe she already confessed. So, there’s both going on here, and it’s very hard to tease them apart. I understand both sides. I sympathize with the leakers, and I very much like seeing the information, but it is a crime, and it is a risk.
JUAN GONZÁLEZ: It is interesting, though, that Julian Assange, who has been often critical of the media for alleging Russian interference in the elections, that there’s no solid proof of it, would come out with a statement in defense of this person who leaked this document, and that The Intercept, which has published many articles also critical of how the media is looking—is painting the Russians with criminal activities without any direct proof, then presents—prints a document that does suggest that there was much more Russian involvement than people are aware of, so that in both cases, these—in Julian’s case and in The Intercept's case, they seem to be going against some of the very things they've been raising in the past.
BRUCE SCHNEIER: This demonstrates the power of source documents. I mean, it’s one thing to see a report saying, you know, “our studies conclude,” “our intelligence says,” but to show the documents—this is what happened, this is the classified document, here are the steps, here is what we know—that level of detail is convincing in a way a public spokesman never is, because that seems to transcend party politics. These are the facts.
One thing about this document, this document is dated May 5th. It is a very recent document. It was not written in December. It was not a part of that January report. This is new information. This shows that the NSA is still going through their intercepts, their intelligence, their raw data, looking for evidence. And when they find it, they are writing up reports and sending it to, I assume, the FBI to continue their investigation. So things are ongoing in our intelligence community. It’s not that we know everything. We’re still learning things.
AMY GOODMAN: And finally, is there anything that you think will come out of this week’s exposé that Comey will be talking about on Thursday, the much-anticipated testimony of the fired FBI director?
BRUCE SCHNEIER: I mean, it’s hard to know. He will certainly be asked about this. The document is dated after he left the FBI, so he would never have seen it in his role. But he might have heard about this. There might have been previous reports. There might be other evidence. He’ll be asked about this. Unfortunately, the answers will be classified. He’ll be unable to say a lot of things. But this will become part of the narrative of the Russian interference with the 2016 election.
AMY GOODMAN: We want to thank you both for being with us, Bruce Schneier, security technologist. Jake Williams is the founder of Rendition InfoSec, a computer security firm, also a former member of the NSA’s Tailored Access Operations hacking team. Bruce Schneier is with the Harvard Berkman Center for Internet and Society and author of Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.
This is Democracy Now! When we come back, we will be speaking with two contenders for the Philadelphia district attorney’s race. We will start with Larry Krasner, very interesting defense attorney for decades who is now running to be district attorney. Stay with us.