Malcolm Nance: The Plot to Hack America

The 2016 presidential election was already surreal—a former reality TV host fueled by white backlash had completed a hostile takeover of the Republican Party—before the bears emerged.

By the summer, as the campaign intensified, a WordPress page operated by someone claiming the mantle Guccifer2.0 was dumping embarrassing emails and memoranda stolen from the Democratic National Committee. When the anti-secrecy organization Wikileaks did the same thing, Guccifer2.0 claimed credit as the source; Wikileaks has kept its sourcing obscure. But the leaks showed the Democrats’ political apparatus to be petty, vindictive and determined to anoint Hillary Clinton as the Democratic nominee despite grassroots enthusiasm for challenger Bernie Sanders. Chairwoman Debbie Wasserman Schultz resigned.

Then something unexpected happened.

Cybersecurity researchers analyzing the committee network breach noticed that the particulars of the attack showed distinct patterns for gaining access—familiar patterns. Their tools were prohibitively expensive for random hackers, particularly their use of previously unknown software flaws. Instead, the researchers concluded, the hack was the work of two well-known groups tied to Russian intelligence. They are known by the weird names Fancy Bear and Cozy Bear.

Intelligence professionals weren’t actually mad at the Russians for digitally breaking into the DNC. “That’s a valid intelligence target,” one cybersecurity analyst and Defense Intelligence Agency veteran told me. But usually they hoard stolen data, not spill it out onto the Internet. Suddenly, it looked like the bears had changed their game.

Attributing culpability for cyberattacks is difficult. Competent spy agencies labor to make it nigh-impossible. But it didn’t take long before Obama administration and congressional leaders started expressing with unusual certainty—off the record, of course—that Russia was behind the assault. A theory emerged. The Russians were putting a digital thumb on the scale of the US election to help the aforementioned reality-TV host—who just happened to be running on the most pro-Russia platform in GOP history.

As of this writing, the election is undecided. And there are knowledgeable cybersecurity researchers skeptical of Russian involvement. So here comes Malcolm Nance, an intelligence, counterterrorism, and national-security lifer, to sort out what’s known, what’s suspected, and what it all means. If you’ve read books like The Terrorists of Iraq and Defeating ISIS , you know Malcolm’s expertise. If you’ve seen his 2007 congressional testimony using his firsthand experience with waterboarding to call it torture—back when that was controversial—you know Malcolm’s integrity. And if you’ve spent any time with his fellow Navy senior chiefs, you know Malcolm’s bluntness.

It’s worth scrutinizing this bizarre episode in American politics and security. It’s unlikely to be a one-off event. After all, bears tend to go where they want—unless something stops them.

Beginning in March and April 2016, an unknown person or persons hacked into the computer servers of the Democratic National Committee. Over time it became clear that the hackers were targeting very specific information in the DNC files—the opposition research the Democrats had dug up on their Republican opponent Donald J. Trump. Once they had the information they wanted, the cyber-spies rooted around in the computers for several months thereafter, stealing other files such as personal emails, digital voice mails, and sensitive personal information on donors. This included the donors’ bank account, credit card, and social security numbers. The DNC discovered the intrusion while performing a security check, and shut their network down. However, the damage was done.

For an old spy and codebreaker like myself, nothing in the world happens by coincidence. Intelligence officers are a peculiar lot. Whether they are active or retired, their brains are wired for a completely different way of seeing the world around them. Some come from the Human Intelligence world, where they learn to read, manipulate, and distrust everyone in order to “social engineer” intelligence from people who do not want to give them anything. Others are forged in the signals intelligence world, where all data is just a massive electronic puzzle to be constantly analyzed, turned over, and fused together into an exploitable product, or into a final code to be decrypted or broken. Some, like myself, come from both worlds, and are at turns analytical and skeptical of seemingly obvious information. This hybrid mindview doesn’t approach the world as streams of linear data; it attempts to analyze information like a constantly flowing game of three-dimensional chess. All the moves are technically the same as in regular chess, but the traditional allowances of forward and backwards one square, or a lateral or L-shaped pattern, are too limiting for those trained to sniff out hostile intent; we require additional ways of processing information to be satisfied. Up vertically, down every angle of the compass rose and then across every median, line of longitude, latitude, and every other angle of measure are just about right… then we add layers of frequency analysis figuring out the timing, spacing, depth and distance between each item we call data points. When an event has been then identified on the continuum of intelligence, we compare it with everything that has ever occurred in history to see if it resembles other patterns played by another spy who employed that process. We then process the context and precedence of each observed activity against common sense to determine if an event chain is coincidence, or if it bears the marks of hostile intent. Ian Fleming, the old British Secret Intelligence Service officer who created the fictional character of James Bond, characterized the amazing events in his books with an observation in his 1959 book Goldfinger : “Once is happenstance. Twice is coincidence. Three times is enemy action.”

Times have changed since Mr. Fleming’s Dictum. In light of current trends in the intelligence business, I like to characterize this phenomenon as Nance’s Law of Intelligence Kismet: “Coincidence takes a lot of planning.”

Reading about the DNC hack was not initially alarming; hackers had also penetrated the Obama and McCain campaigns in 2008. The DNC hack was newsworthy but not really noteworthy until it was paired with two additional events. At the time of the hacks I was writing a massive tome on hackers associated with ISIS and al-Qaeda, so I was attuned to any information about electronic data theft. Then on June 1, 2016 one of my military hacker friends pointed out that an entity who called himself Guccifer 2.0 had opened a WordPress page and was dumping information stolen from the DNC hack.

Guccifer 2.0 claimed he had all the hacked material from the DNC and would be releasing it through his webpage. The name Guccifer struck a nerve, as the real Guccifer, a prolific Romanian hacker had just been extradited to the United States. Guccifer 2.0 was a copy-cat, and a lazy one at that. My hyper suspicious intelligence mind started kicking into gear and the game of multi-dimensional chess was on.

Two weeks later Steve Biddle, the national security writer for the snarky web magazine Gawker posted the entire Donald J. Trump opposition file from the DNC’s servers. Immediately both Fleming’s Dictum and Nance’s Law struck at the same time. There was no way that the single most damaging (and dull) file from the DNC hack would be “accidently” released weeks before the Republican National Committee convention. It was straight from the Karl Rove political playbook: Release damning information early, hold bad information until appropriate. More startling was that word was spreading across the global cyber security community that the DNC hack and Guccifer 2.0 had Russian fingerprints all over it.