While combing through an 88-page transcript from the House Intelligence Committee -- the kind of thing some of us do for weekend fun during self-quarantine -- we found some very interesting things.
This unclassified but still lightly redacted and “committee sensitive” transcript documents a December 5, 2017, appearance before the committee of CrowdStrike cybersecurity expert Shawn Henry. Mr. Henry is flanked by lawyers: David C. Lashway, attorney for CrowdStrike, and Graham M. Wilson of Perkins Coie Political Law Group, attorney for...drum roll, please... the DNC and Hillary Clinton.
The hearing involves questioning by both the majority and minority committee members (unlike Adam Schiff’s shifty impeachment hearings, in which only Democrats could ask questions). The tone seems mostly friendly and casual, at least at first.
Henry starts by giving some background on himself: He was hired by the DNC on April 30 of 2016 after the apparent hacking of their servers. “I worked with Michael Sussmann [NOTE: this is the attorney for Hillary Clinton who distributed unverified anti-Trump “dirt” to the CIA], who is counsel at Perkins Coie, when I was in the FBI, in the FBI Cyber Division, probably back in the early 2000s. Michael was an attorney at the Computer Crime and Intellectual Property Section at the Department of Justice, where I knew him.” Sussmann was the one who contacted Henry about helping the DNC find out what happened to their servers.
Henry’s understanding was that the FBI had gone to the DNC and notified them that they might have been hacked. This seems odd to me (how would they know?) and, given what we've learned about the FBI’s phony “Russia” ploy, raises some questions about their role in this; but as Henry tells them, this scenario happens “periodically.” In such cases, the FBI provides only intelligence and “direction,” not “remediation,” which includes a technical analysis of what happened. That would be the job for his company, CrowdStrike.
“Remediation is essentially cleaning it up,” Henry explains. “Something bad has happened. There’s been an actor. There’s malware, malicious software in an environment. Somebody has access to what’s occurring in the environment. So the remediation is cleaning out the bad stuff and putting in place infrastructure that is safe and secure.” He adds that “starting in June of 2016, we provided them the data that would have been of value to them.” That would have included “a lot of the indicators, the malware, and other pieces of code that we took off the computer network.”
Not the hardware, though. “Could they conduct their own investigation in a thorough fashion without access to the actual hardware?” asks Rep. Chris Stewart of Utah. They bat this question around a bit, with Stewart pressing him on whether it would be better for investigators to be supplied with the hardware. And he asks, “Would there be reason for not making that available that overrides the benefit of having a more conclusive investigation?” The tone of the interview has obviously changed at this point, with that exchange ending in sort of a stalemate.
So where did Henry first get the idea that it might have been the Russians? Well, not from his own investigation; Sussmann (Hillary's dirt-peddler) had told him, saying that the FBI had used a term related to the Russian government (“the Dukes”) when they contacted the contractor who had been administering the network for the DNC.
And what did Henry find? “We saw activity that we believed was consistent with activity we’d seen previously and had associated with the Russian government,” he tells the committee. “...We said that we had a high degree of confidence that it was the Russian government...it was consistent with a nation-state adversary and associated with Russian intelligence.”
Henry says that by the end of their remediation period, June 12, whoever had intruded should not have been able to do it again. But then he tells them that someone else did, in September. “There was another activity in the environment,” Henry says. “We didn’t do direct attribution back in that case. They were different tools that were not similar or consistent with what we’d seen the first time.” In other words, there was a second successful breach “in an environment that...did not have our technology deployed into it.”
On page 32 of the transcript, Mr. Henry goes into a distinction between “indications” that the Russians hacked (which he had seen) and actual “evidence” of this (which he had not seen). They had INDICATORS that data was exfiltrated, but “DID NOT HAVE EVIDENCE THAT DATA WAS EXFILTRATED FROM THE DNC.” (Emphasis mine.)
Interestingly, Adam Schiff tries to create a timeline with the date in April that the data was “staged for exfiltration” and the end-of-April conversation George Papadopoulos had -- with someone we now know was a “confidential human source” -- about Russians being in possession of stolen DNC/Hillary emails. Now that we know what the FBI is capable of, it’s reasonable to wonder if this timing might conceivably have been part of the set-up. Could the FBI have even put those Russian “indicators” on the hard drives? What used to sound like conspiracy theory seems entirely plausible now, given what we know about the Russia hoax.
Towards the end of the session, Rep. Stewart returns to Henry’s admission that he didn’t have direct evidence that Russia actually exfiltrated data from the DNC computers. Anything cited as “evidence” was circumstantial. They saw signs the Russians had been nosing around (signs that would be very hard, Henry says, for someone else to imitate), but nothing definite to indicate they had exfiltrated the data.
And it’s possible, Henry says, that the Russians had done this before, in the months before the FBI caught wind of something unusual, and had erased the "indications" so no one would ever know. Admittedly, I’m not a cybersecurity expert, but here’s a question: if the Russians can do that, why didn’t they do it THIS time?
Finally, Henry is asked if there's any evidence that anyone besides Russia had access to the DNC servers, and he says no. But what about that later breach, the one using "different tools"? Maybe there's no evidence about that one because they didn't even look into it.
The meeting concludes with Henry saying he stands by his assessment that the Russian government hacked the DNC. “It’s a conclusion we made,” he says. But, remember, this is still his opinion. After all this time, and all the hysterical cries of “Russia Russia Russia!,” there is no direct evidence of Russian hacking of the DNC. Recall that CrowdStrike hasn’t always been correct in blaming Russia, as they mistakenly reported that Russia had hacked Ukraine’s military equipment.
Recall also that Robert Mueller’s special counsel never attempted to interview Julian Assange about who leaked the DNC emails to him. Assange has long maintained that the emails he received were not from Russia or any government. He has also made it clear he NEVER reveals a source, but wouldn’t it be great if he’d finally help us solve the mystery once and for all? Acting Director of National Intelligence Ric Grenell is in a position to seek answers. More to come.