#Russiagate Update: Winner Leak Implications

Megyn Kelly is probably kicking herself for not delaying her interview of Vladimir Putin. Had she waited just a few days, she could’ve brought a leaked copy of the latest NSA estimate of the timeline, motivations, and targets of alleged Russian hackers during the 2016 election cycle to her chat with Putin and asked a lot of pointed questions about it. Even though that opportunity never materialized, she and other journalists still have the chance to ask some equally important questions of American officials about this rather interesting document and the young woman responsible for sharing it with the world. What follows are some of my suggested lines of inquiry for our friends in the Fourth Estate.

The Leaker: Reality Leigh Winner

As I read The Intercept’s story, I kept asking myself one question, over and over: did this young woman learn nothing from Ed Snowden? 

This extract from the arrest warrant affidavit contains details that, if accurate, speak to a total lack of awareness of or concern for the kind of “insider threat” detection measures that now exist in most, if not all, Intelligence Community components:

Extract of arrest warrant affidavit in the case of Reality Leigh Winner

Why did Winner not use a truly secure means of contacting The Intercept? Why did she select this particular document? Why did she not contact a whistleblower advocacy organization for legal advice before even contemplating such a rash act?

The Media Outlet: The Intercept

In a statement published a short time ago, The Intercept claimed that

On June 5 The Intercept published a story about a top-secret NSA document that was provided to us completely anonymously. Shortly after the article was posted, the Justice Department announced the arrest of Reality Leigh Winner, a 25-year-old government contractor in Augusta, Georgia, for transmitting defense information under the Espionage Act. Although we have no knowledge of the identity of the person who provided us with the document, the U.S. government has told news organizations that Winner was that individual.

That statement is at odds with the search warrant affidavit quoted above, which claims that Winner was in “email contact” with the “News Outlet” (The Intercept).

Who’s telling the truth here vis a vis Winner’s alleged email contact with The Intercept–the Department of Justice or the paper? Could Winner have emailed the wrong reporter at The Intercept, and the actual story authors were in the dark that she’d contacted the paper? Did Winner’s email bounce? And why did Intercept staff share an exact copy of the purloined document with NSA officials in the first place? Why didn’t they simply read key passages of the document over the phone, or include extracts in an email to NSA officials?

Given the fact that Winner printed the document and thus left investigators a digital trace of her actions, perhaps The Intercept’s decision to share a scanned version of the document wouldn’t have mattered–but maybe it would have, and why endanger a source (annonymous or otherwise) by behaving in such an irresponsible way with the document?

The Document: Some Answers, More Questions

The NSA report that Winner leaked contained a number of new details about the alleged Russian hacking campaign, including a flow chart that lays out in greater detail the precise mechanism used by the attackers in not only the spearphishing campaign but their attempts to actually gain access voter-related data and possibly voting machines themselves. Here’s the key paragraph from the story, which quotes Alex Halderman, director of the University of Michigan Center for Computer Security and Society, at length:

“Usually at the county level there’s going to be some company that does the pre-election programming of the voting machines,” Halderman told The Intercept. “I would worry about whether an attacker who could compromise the poll book vendor might be able to use software updates that the vendor distributes to also infect the election management system that programs the voting machines themselves,” he added. “Once you do that, you can cause the voting machine to create fraudulent counts.”

How long has the Intelligence Community known that Putin ignored Obama’s warnings not to interfere in our election? How much of the vulnerability-related information has been shared with municipalities that employ voting technology susceptible to the kinds of attacks described by NSA? Are states and localities currently assessing whether their electronic voting machine and voter roll infrastructure is vulnerable to these kinds of attacks?

When I worked for then-Rep. Rush Holt (D-NJ), one of his major concerns was the security–or lack thereof–of electronic voting machines and the infrastructure that supports them. It’s been nearly 10 years since Holt had Princeton professor and computer scientist Ed Felton conduct a live hack of a Diebold voting machine for the House Committee on Administration, an event that should have served as a wake-up call about the potential for digital election fraud by one or more hostile actors. The leaked NSA assessment underscores that such cyber vulnerabilities in our election process remain. Whether one accepts or rejects the Intelligence Community assessment that Vladimir Putin ordered his intelligence services to interfere in our election is almost beside the point now. What’s clear is that this digital vulnerability is real and we ignore the implications at our peril.