The FBI and the intelligence community at large have spent months trying to convince Donald Trump and the American public that Russia hacked the DNC — but last night, a report from BuzzFeed seemed to weaken the bureau’s case even further. After months of cooperation between the bureau and the DNC, it now appears that the FBI never physically examined the DNC servers involved in the hack. The servers were examined by CrowdStrike, the response team hired by the DNC, but the FBI never went back to confirm the findings. With President-elect Trump and many others openly challenging the intelligence community’s claim that the Russian government directed the attack, the news seems like a clear black eye for the bureau. If agents didn’t look at the server directly, how much could they know?
The answer might be more than you think. It’s common for the initial forensic analysis to be conducted by outside firms like CrowdStrike, and once that data has been copied, there’s often little need to copy it again. BuzzFeed described the FBI’s lack of interest in the DNC’s server as unusual, citing a number of response firms that preferred not to be named. But that’s not a unanimous opinion, and two experts contacted by The Verge disagreed that it was unusual.
“This is normal practice,” says Matt Tait, founder and CEO of Capital Alpha Security. “In cases like this, the onus for digital forensics is on the third-party contracted by the company that's calling in the incident response team, in this case CrowdStrike.”
It’s part of a long-standing division of labor between private firms and law enforcement, in which incident response firms handle the initial analysis and network cleanup, leaving broader legal questions to law enforcement. That division of labor saves time, but it also protects companies from what could potentially be seen as an invasion of privacy. Turning over a company’s entire network to a law enforcement agency can be an awkward proposition, particularly before the nature of the compromise is clear.
That’s particularly true for the DNC, since the FBI was actively investigating Hillary Clinton for mishandling classified information at the time — and it’s clear the agency had no reservations about searching for evidence of those crimes in unrelated cases. Similar awkwardness is common at corporate breaches, and the result has given incident response firms like CrowdStrike a persistent business as intermediaries between companies and law enforcement.
The New York Times followed a similar protocol in 2013, when the paper detected a digital intrusion that was ultimately traced back to the Chinese military. While the Times worked with both the FBI and AT&T in tracing the hackers, the newspaper hired Mandiant to do the immediate network analysis work, and had the firm coordinate with law enforcement for subsequent attribution.
The FBI suspected Russia long before CrowdStrike got involved
Once incident response has been conducted, the crucial evidence can be handed over directly to officials without politically tricky questions of broader access. We don’t know exactly what CrowdStrike handed over (the company declined to comment), but that data can range from full disk images to an edited digest of suspicious files and logged connections. If CrowdStrike did image the server, any subsequent analysis would simply be confirming that the firm hadn’t screwed up.
Law enforcement groups sometimes do double-check that data, but it’s unlikely to change the attribution itself. Even if CrowdStrike wanted to skew the results toward a particular party, the FBI would be able to check their work against data pulled directly from the network. “The IC would certainly be able to check the malware and associated technical data recovered from the DNC network themselves,” says Tait. “The FBI may be reliant on CrowdStrike to find malware on the DNC network, but they are not beholden to CrowdStrike's analysis.”
We also know that the FBI suspected Russian involvement in the DNC breach long before CrowdStrike got involved. According to the Times’ recounting, the first contact between the FBI and DNC came in September 2015, a full seven months before CrowdStrike was contracted. The Times article doesn’t detail exactly what tipped the FBI off to the breach, but it’s fair to assume it was some version of the threat-sharing systems used at NCCIC and similar centers. Even in September, the FBI saw Russia as the prime suspect, tying the intrusion to a group of malware tools previously identified by F-Secure. While the FBI ultimately came to the same conclusion as CrowdStrike, it did so with far more information, drawing on data only federal law enforcement would have access to.
The FBI has struggled to retain cybersecurity talent
This is not to say the FBI’s work has been perfect. There are still a number of valid criticisms of the most recent report, particularly its list of malicious IP addresses, which have turned out to include both Tor exit nodes and the home IP of a Microsoft debugger program. The rest of the report is light on details and has done little to convince those not inclined to take the intelligence community at its word.
But none of those failings have anything to do with the initial examinations of the DNC server, and there’s no reason to think that examining that server again would have helped the FBI. Even for those skeptical of the link to Russia, the doubts focus on conclusions about the groups behind the malware, not the identification of the malware itself. Pulling the same malware samples from the same drives wouldn’t shed any light on that question.
There’s also reason to think CrowdStrike is simply better at this kind of ground-level forensics than the FBI. The bureau has long struggled to retain cybersecurity talent, losing a steady stream of agents to more lucrative positions at a long list of private-sector security companies. That list includes CrowdStrike itself: the company’s services branch is run by Shawn Henry, an FBI lifer who many credit with the bureau’s recent focus on cybersecurity. The result is a persistent brain drain, and a valid reason for the FBI to focus its energy on the higher-level problems of attribution. If the FBI had decided to duplicate CrowdStrike’s work, it’s not clear they could have done a better job.
But while the end result might not hurt the FBI’s case for attribution, it does little to help the bureau’s credibility. The most immediate problem isn’t establishing evidence, but convincing the president and the public to accept that evidence. The intelligence community will have a chance to do that when it sits down with the president tomorrow, and another shot with its unclassified report on Russian involvement due early next week. If neither one does the job, the intelligence community will have to face some very hard truths about attributing cyberattacks — and foreign countries may find themselves surprised at what they can get away with.