Late April 2016 – Clinton’s law firm hires Crowdstrike, Fusion GPS, and they are the lone sources for the ‘Russian hookers’ and ‘Russian hackers’ claims
The Washington Post reports that Michael Sussman, a partner with Perkins Coie and who represents the DNC and Hillary Clinton’s campaign, is responsible for hiring Crowdstrike.
“DNC leaders were tipped to the hack in late April. Chief executive Amy Dacey got a call from her operations chief saying that their information technology team had noticed some unusual network activity.
“It’s never a call any executive wants to get, but the IT team knew something was awry,” Dacey said. And they knew it was serious enough that they wanted experts to investigate.
That evening, she spoke with Michael Sussmann, a DNC lawyer who is a partner with Perkins Coie in Washington. Soon after, Sussmann, a former federal prosecutor who handled computer crime cases, called Henry, whom he has known for many years.
Within 24 hours, CrowdStrike had installed software on the DNC’s computers so that it could analyze data that could indicate who had gained access, when and how. (Read more: Washington Post, 6/14/2016)
August 26, 2015 – Clinton signs an agreement and takes control of the DNC finances and strategies
“Many Democrats expressed outrage Thursday at allegations from a former party chairwoman that an agreement with the Democratic National Committee gave the presidential campaign of Hillary Clinton some day-to-day control over the party early in the 2016 campaign.
Donna Brazile, a former interim chairwoman of the party, says in a forthcoming book that an August 2015 agreement gave the Clinton campaign a measure of direct influence over the party’s finances and strategy, along with a say over staff decisions and consultation rights over issues like mailings, budgets and analytics.
The control was given in exchange for a joint fundraising pledge by the Clinton campaign that helped fund the DNC through the election year, Brazile says.
“This was not a criminal act, but as I saw it, it compromised the party’s integrity,” she wrote in a book scheduled for publication next week, a portion of which was excerpted Thursday in Politico.” (Read more: Chicago Tribune, 11/02/2017)
Donna Brazile will later write: “When I got back from a vacation in Martha’s Vineyard, I at last found the document that described it all: the Joint Fund-Raising Agreement between the DNC, the Hillary Victory Fund, and Hillary for America.
The agreement—signed by Amy Dacey, the former CEO of the DNC, and Robby Mook with a copy to Marc Elias—specified that in exchange for raising money and investing in the DNC, Hillary would control the party’s finances, strategy, and all the money raised. Her campaign had the right of refusal of who would be the party communications director, and it would make final decisions on all the other staff. The DNC also was required to consult with the campaign about all other staffing, budgeting, data, analytics, and mailings.” (Read More: Politico, 11/02/2017)
Copy of Agreement:
Aug. 26, 2015 – Donna Brazile: Inside Hillary Clinton’s Secret Takeover of the DNC
Donna Brazile is the former interim chair of the Democratic National Committee. Excerpted from the book Hacks: The Inside Story of the Break-ins and Breakdowns that Put Donald Trump in the White House to be published on November 7, 2017, by Hachette Books, a division of Hachette Book Group. Copyright 2017 Donna Brazile.
(…) “I had promised Bernie when I took the helm of the Democratic National Committee after the convention that I would get to the bottom of whether Hillary Clinton’s team had rigged the nomination process, as a cache of emails stolen by Russian hackers and posted online had suggested. I’d had my suspicions from the moment I walked in the door of the DNC a month or so earlier, based on the leaked emails. But who knew if some of them might have been forged? I needed to have solid proof, and so did Bernie.
So I followed the money. My predecessor, Florida Rep. Debbie Wasserman Schultz, had not been the most active chair in fundraising at a time when President Barack Obama’s neglect had left the party in significant debt. As Hillary’s campaign gained momentum, she resolved the party’s debt and put it on a starvation diet. It had become dependent on her campaign for survival, for which she expected to wield control of its operations.
Debbie was not a good manager. She hadn’t been very interested in controlling the party—she let Clinton’s headquarters in Brooklyn do as it desired so she didn’t have to inform the party officers how bad the situation was. How much control Brooklyn had and for how long was still something I had been trying to uncover for the last few weeks.
By September 7, the day I called Bernie, I had found my proof and it broke my heart.
The Saturday morning after the convention in July, I called Gary Gensler, the chief financial officer of Hillary’s campaign. He wasted no words. He told me the Democratic Party was broke and $2 million in debt.
“What?” I screamed. “I am an officer of the party and they’ve been telling us everything is fine and they were raising money with no problems.”
That wasn’t true, he said. Officials from Hillary’s campaign had taken a look at the DNC’s books. Obama left the party $24 million in debt—$15 million in bank debt and more than $8 million owed to vendors after the 2012 campaign—and had been paying that off very slowly. Obama’s campaign was not scheduled to pay it off until 2016. Hillary for America (the campaign) and the Hillary Victory Fund (its joint fundraising vehicle with the DNC) had taken care of 80 percent of the remaining debt in 2016, about $10 million, and had placed the party on an allowance.
If I didn’t know about this, I assumed that none of the other officers knew about it, either. That was just Debbie’s way. In my experience, she didn’t come to the officers of the DNC for advice and counsel. She seemed to make decisions on her own and let us know at the last minute what she had decided, as she had done when she told us about the hacking only minutes before the Washington Post broke the news.
On the phone, Gary told me the DNC had needed a $2 million loan, which the campaign had arranged.
“No! That can’t be true!” I said. “The party cannot take out a loan without the unanimous agreement of all of the officers.”
“Gary, how did they do this without me knowing?” I asked. “I don’t know how Debbie relates to the officers,” Gary said. He described the party as fully under the control of Hillary’s campaign, which seemed to confirm the suspicions of the Bernie camp. The campaign had the DNC on life support, giving it money every month to meet its basic expenses, while the campaign was using the party as a fund-raising clearinghouse. Under FEC law, an individual can contribute a maximum of $2,700 directly to a presidential campaign. But the limits are much higher for contributions to state parties and a party’s national committee.
Individuals who had maxed out their $2,700 contribution limit to the campaign could write an additional check for $353,400 to the Hillary Victory Fund—that figure represented $10,000 to each of the 32 states’ parties who were part of the Victory Fund agreement—$320,000—and $33,400 to the DNC. The money would be deposited in the states first, and transferred to the DNC shortly after that. Money in the battleground states usually stayed in that state, but all the other states funneled that money directly to the DNC, which quickly transferred the money to Brooklyn.
“Wait,” I said. “That victory fund was supposed to be for whoever was the nominee, and the state party races. You’re telling me that Hillary has been controlling it since before she got the nomination?”
Gary said the campaign had to do it or the party would collapse.
“That was the deal that Robby struck with Debbie,” he explained, referring to campaign manager Robby Mook. “It was to sustain the DNC. We sent the party nearly $20 million from September until the convention, and more to prepare for the election.”
“What’s the burn rate, Gary?” I asked. “How much money do we need every month to fund the party?”
The burn rate was $3.5 million to $4 million a month, he said.
I gasped. I had a pretty good sense of the DNC’s operations after having served as interim chair five years earlier. Back then the monthly expenses were half that. What had happened? The party chair usually shrinks the staff between presidential election campaigns, but Debbie had chosen not to do that. She had stuck lots of consultants on the DNC payroll, and Obama’s consultants were being financed by the DNC, too.
When we hung up, I was livid. Not at Gary, but at this mess I had inherited. I knew that Debbie had outsourced a lot of the management of the party and had not been the greatest at fundraising. I would not be that kind of chair, even if I was only an interim chair. Did they think I would just be a surrogate for them, get on the road and rouse up the crowds? I was going to manage this party the best I could and try to make it better, even if Brooklyn did not like this. It would be weeks before I would fully understand the financial shenanigans that were keeping the party on life support.” (Read more: Politico, 11/07/2017)
NPR reports having seen a copy of the agreement dated August 26, 2015, that Clinton made with the DNC and transcribes it here.
January 2015 – May 25, 2016: There are 14,409 emails in the Wikileaks DNC email archive that are taken after Crowdstrike installs their security software
“Yesterday, Scott Ritter published a savage and thorough critique of the role of Dmitri Alperovitch and Crowdstrike, who are uniquely responsible for the attribution of the DNC hack to Russia. Ritter calls it “one of the greatest cons in modern American history”. Ritter’s article gives a fascinating account of an earlier questionable incident in which Alperovitch first rose to prominence – his attribution of the “Shady Rat” malware to the Chinese government at a time when there was a political appetite for such an attribution. Ritter portrays the DNC incident as Shady Rat 2. Read the article.
My post today is a riff on a single point in the Ritter article, using analysis that I had in inventory but not written up. I’ve analysed the dates of the emails in the Wikileaks DNC email archive: the pattern (to my knowledge) has never been analysed. The results are a surprise – standard descriptions of the incident are misleading.
Nov 7, 2017: story picked up by Luke Rosniak at Daily Caller here
On April 29, DNC IT staff noticed anomalous activity and brought it to the attention of senior DNC officials: Chairwoman of the DNC, Debbie Wasserman-Schultz, DNC’s Chief Executive, Amy Dacey, the DNC’s Technology Director, Andrew Brown, and Michael Sussman, a lawyer for Perkins Coie, a Washington, DC law firm that represented the DNC. After dithering for a few days, on May 4, the DNC (Sussman) contacted Crowdstrike (Shawn Henry), who installed their software on May 5.
According to a hagiography of Crowdstrike’s detection by Thomas Rid last year, Crowdstrike detected “Russia” in the network in the early morning of May 6:
At six o’clock on the morning of May 6, Dmitri Alperovitch woke up in a Los Angeles hotel to an alarming email. Alperovitch is the thirty-six-year-old cofounder of the cybersecurity firm CrowdStrike, and late the previous night, his company had been asked by the Democratic National Committee to investigate a possible breach of its network. A CrowdStrike security expert had sent the DNC a proprietary software package, called Falcon, that monitors the networks of its clients in real time. Falcon “lit up,” the email said, within ten seconds of being installed at the DNC: Russia was in the network.
In many accounts of the incident (e.g. Wikipedia here), it’s been reported that “both groups of intruders were successfully expelled from the systems within hours after detection”. This was not the case, as Ritter pointed out: data continued to be exfiltrated AFTER the installation of Crowdstrike software, including the emails that ultimately brought down Wasserman-Schultz:
Moreover, the performance of CrowdStrike’s other premier product, Overwatch, in the DNC breach leaves much to be desired. Was CrowdStrike aware that the hackers continued to exfiltrate data (some of which ultimately proved to be the undoing of the DNC Chairwoman, Debbie Wasserman Schultz, and the entire DNC staff) throughout the month of May 2016, while Overwatch was engaged?
This is an important and essentially undiscussed question.
Distribution of Dates
The DNC Leak emails are generally said to commence in January 2015 (e.g. CNN here) and continue until the Crowdstrike expulsion. In other email leak archives (e.g Podesta emails; Climategate), the number of emails per month tends to be relatively uniform (at least to one order of magnitude). However, this is not the case for the DNC Leak as shown in the below graphic of the number of emails per day:
There are only a couple of emails per month (~1/day) through 2015 and up to April 18, 2016. Nearly all of these early emails were non-confidential emails involving DNCPress or innocuous emails to/from Jordan Kaplan of the DNC. There is a sudden change on April 19, 2016 when 425 emails in the archive. This is also the first day on which emails from hillaryclinton.com occur in the archive – a point that is undiscussed, but relevant given the ongoing controversy about security of the Clinton server (the current version of which was never examined by the FBI) The following week, the number of daily emails in the archive exceeded 1000, reaching a maximum daily rate of nearly 1500 in the third week of May. There is a pronounced weekly cycle to the archive (quieter on the week-ends).
Rid’s Esquire hagiography described a belated cleansing of the DNC computer system on June 10-12, following which Crowdstrike celebrated:
Ultimately, the teams decided it was necessary to replace the software on every computer at the DNC. Until the network was clean, secrecy was vital. On the afternoon of Friday, June 10, all DNC employees were instructed to leave their laptops in the office. Alperovitch told me that a few people worried that Hillary Clinton, the presumptive Democratic nominee, was clearinghouse. “Those poor people thought they were getting fired,” he says. For the next two days, three CrowdStrike employees worked inside DNC headquarters, replacing the software and setting up new login credentials using what Alperovitch considers to be the most secure means of choosing a password: flipping through the dictionary at random. (After this article was posted online, Alperovitch noted that the passwords included random characters in addition to the words.) The Overwatch team kept an eye on Falcon to ensure there were no new intrusions. On Sunday night, once the operation was complete, Alperovitch took his team to celebrate at the Brazilian steakhouse Fogo de Chão.
Curiously, the last email in the archive was noon, May 25 – about 14 days before Crowdstrike changed all the passwords on the week-end of June 10-12. Two days later (June 14), the DNC arranged for a self-serving article in the Washington Post in which they announced the hack and blamed it on the Russians. Crowdstrike published a technical report purporting to support the analysis and the story went viral.
There were no fewer than 14409 emails in the Wikileaks archive dating after Crowdstrike’s installation of its security software. In fact, more emails were hacked after Crowdstrike’s discovery on May 6 than before. Whatever actions were taken by Crowdstrike on May 6, they did nothing to stem the exfiltration of emails from the DNC. (Read more: Climate Audit/Steve McIntire, 9/02/2017)