RussiaGate: Riddle Me This.
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
(Upfront disclaimer: I do not subscribe to any conspiracy theories, nor am I promoting any ideology or political agenda. I simply ran across some data that prompts a set of questions that purely from a cybersecurity forensics point of view seem not to have been answered by those running the investigation into the DNC “hack”.)
On the evening of July 5, 2016, 1,976 megabytes of data were transferred (uploaded or downloaded, depending on your point of view) from the DNC’s server.
The operation took 87 seconds. This yields a transfer rate of 22.7 megabytes per second.
These statistics are matters of record.
The speed-test data cited below indicates that no consumer Internet service provider in mid-2016 was delivering upload speeds of that order.
A test published August 3, 2016, by www.speedtest.net/reports can serve as a thumbnail index. Their upload test of a comparable data volume, run from a machine 40 miles from the source via a server 20 miles away (a short domestic path, not a link from Romania), averaged 11.8 megabytes per second, about half of what the DNC operation would have needed had it been a hack.
That same report indicated that the highest average ISP speeds in the first half of 2016 were achieved by Xfinity and Cox Communications, at 15.6 megabytes per second and 14.7 megabytes per second, respectively. (One check worth making on any such figure: speed-test reports normally quote megabits per second, and a number in megabits must be divided by eight before it is compared with the 22.7 megabytes per second above.)
Peak speeds at higher rates were recorded intermittently but still never reached the required transfer speed of 22.7 megabytes per second.
A sustained 22.7 megabytes per second was simply unobtainable over a consumer connection in 2016, and all the more so if we accept the charge that a hacker attacked the DNC server from Romania, which would have required a transoceanic data transfer.
Based on the data that has been published, what everyone is now calling a hack was, at that rate, simply impossible; in other words, it is a claim unsupported by the evidence on record.
Compounding the physics problem, the FBI (along with the NSA, CIA and others) placed the origin of the hack in Romania. Every Internet transfer pays delivery overhead: data is split into packets, each carrying addressing and sequencing information and error checks, and latency grows with distance. That overhead would have pushed the achievable rate of a transoceanic hack even further below the maximum ISP speeds, which on their own were already too low to move that volume in the 87 seconds recorded.
Time stamps in the metadata additionally indicate that the upload was sourced in the Eastern Daylight Time zone at approximately 6:45 pm. In theory, the operation could have been conducted from Bangor or Miami or anywhere in between, but not from Russia, Romania, or anywhere else outside the EDT zone. (That inference rests on the time-zone setting of the machine that wrote the stamps, which a forensic examiner would want to confirm before ruling out a location.)
The investigative team performing this analysis consisted of highly regarded cybersecurity-forensics experts led by William Binney, formerly the NSA’s technical director for world geopolitical and military analysis and designer of many agency programs now in use; Kirk Wiebe, formerly a senior analyst at the NSA’s SIGINT Automation Research Center; Edward Loomis, formerly technical director in the NSA’s Office of Signal Processing; and Ray McGovern, an intelligence analyst for nearly three decades and formerly chief of the CIA’s Soviet Foreign Policy Branch.
All four of these men have decades of experience with Russian intelligence and the related technologies, gained working in and for the top U.S. counter-intelligence and espionage agencies.
In July 2017, they reported on another speed test they had conducted. “Transfer rates of 23 MB/s (Mega Bytes per second) are not just highly unlikely, but effectively impossible to accomplish when communicating over the Internet at any significant distance,” they wrote. “Further, local copy speeds are measured, demonstrating that 23 MB/s is a typical transfer rate when using a USB-2 flash device (thumb drive).”
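The arithmetic behind the rate argument above (1,976 MB in 87 seconds) and the comparison with ISP upload figures and USB-2 copy speeds can be made explicit. The following is an added example, not code from the article, the Forensicator report or the VIPS memorandum. The three archive entries are constructed to reproduce the article's totals; the ISP and USB figures are the ones the article quotes, and the Gigabit Ethernet line rate is an added reference value. The script derives the implied sustained rate from first-to-last timestamps, keeps megabytes and megabits distinct (a factor of eight that is easy to lose when reading speed-test reports), and lists which channels could sustain that rate at all.

```python
"""Throughput sanity check: derive the copy rate implied by file timestamps
and compare it, with explicit units, against candidate transfer channels.
Added example; not code from the article or its sources."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

MB = 1_000_000          # decimal megabyte, the unit the article's figures use
BITS_PER_BYTE = 8       # speed tests report megabits per second; a factor of 8 separates the two


@dataclass
class Entry:
    name: str
    size: int            # bytes
    mtime: datetime      # last-modified stamp as stored in the archive (naive local time)


# Constructed sample (assumption): three files whose stamps span 87 s and total
# 1,976 MB, mirroring the figures quoted in the article. Not the real archive.
SAMPLE: List[Entry] = [
    Entry("a.bin", 700 * MB, datetime(2016, 7, 5, 18, 45, 0)),
    Entry("b.bin", 600 * MB, datetime(2016, 7, 5, 18, 45, 30)),
    Entry("c.bin", 676 * MB, datetime(2016, 7, 5, 18, 46, 27)),
]

# Reference channel capacities in MB/s. The first three are the figures the
# article cites; Gigabit Ethernet is added here (1000 Mbit/s = 125 MB/s) as a
# reminder that a direct LAN copy is in a different class from a residential upload.
CHANNELS: Dict[str, float] = {
    "Xfinity upload, H1 2016 average (article)": 15.6,
    "Cox upload, H1 2016 average (article)": 14.7,
    "USB 2.0 thumb drive, typical (article)": 23.0,
    "Gigabit Ethernet, line rate (added)": 125.0,
}


def to_mb_per_s(value: float, unit: str) -> float:
    """Normalise a quoted speed to MB/s. 'Mbps'/'Mbit/s' are divided by 8;
    'MB/s' passes through. Misreading one for the other is the classic error."""
    u = unit.lower().replace(" ", "")
    if u in ("mb/s", "mbyte/s", "mbytes/s"):
        return value
    if u in ("mbps", "mbit/s", "mbits/s"):
        return value / BITS_PER_BYTE
    raise ValueError(f"unknown unit: {unit}")


def transfer_stats(entries: List[Entry]) -> Tuple[int, float, float, float]:
    """Total bytes, elapsed seconds (first to last stamp), MB/s and Mbit/s.
    Assumes every stamp marks when that file finished being written by one
    continuous copy; if the stamps were preserved from the source instead,
    the span says nothing about the copy."""
    total = sum(e.size for e in entries)
    stamps = [e.mtime for e in entries]
    span = (max(stamps) - min(stamps)).total_seconds()
    if span <= 0:
        raise ValueError("stamps do not span a measurable interval")
    mb_s = total / span / MB
    return total, span, mb_s, mb_s * BITS_PER_BYTE


def feasible_channels(rate_mb_s: float, channels: Dict[str, float] = CHANNELS) -> List[str]:
    """Channels whose quoted capacity is at least the required sustained rate.
    Capacity >= rate is necessary, not sufficient: protocol overhead and
    distance only lower what a link actually delivers."""
    return sorted(name for name, cap in channels.items() if cap >= rate_mb_s)


if __name__ == "__main__":
    total, span, mb_s, mbit_s = transfer_stats(SAMPLE)
    print(f"{total / MB:,.0f} MB in {span:.0f} s -> {mb_s:.1f} MB/s = {mbit_s:.0f} Mbit/s")
    for name in feasible_channels(mb_s):
        print("could sustain it:", name)
    # The same number read as Mbit/s instead of MB/s is eight times smaller:
    print(f"'15.6 Mbps' is only {to_mb_per_s(15.6, 'Mbps'):.2f} MB/s")
```

On the constructed sample the script reports 22.7 MB/s (about 182 Mbit/s), and of the listed channels only the USB 2.0 figure and the gigabit LAN line rate clear that bar. The feasibility test is deliberately one-sided: a channel that fails it is ruled out, but a channel that passes it is not thereby shown to have been used.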
In three separate letters written to the NSA and to President Obama, they laid out their forensic work in detail and argued that the hack theory was impossible on the facts, and that a locally executed data transfer was the only likely explanation. In the final letter to Barack Obama, dated January 17, 2017, three days before he left office, the group explained that the NSA’s known programs are fully capable of capturing all electronic transfers of data.
“We strongly suggest that you ask NSA for any evidence it may have indicating that the results of Russian hacking were given to WikiLeaks,” the letter said. “If NSA cannot produce such evidence—and quickly—this would probably mean it does not have any.”
Subsequently, Obama gave his last press conference as president, at which he delivered the official statement of the time on the DNC e-mail question: “The conclusions of the intelligence community with respect to the Russian hacking were not conclusive.”
The report as published was based on facts supported by system documentation; it presented compelling evidence for a theory contrary to the official findings; and it concluded plainly that the data in question could not have been uploaded by a remote actor over an Internet connection. It further presented evidence that the only way that data could have been transferred was through a direct connection to the server (a leak or a theft, depending on your point of view).
That seems conclusive enough to me.
But if the NSA concluded that there was indeed a hack and that the Russians were responsible, then why haven’t they produced evidence to support that claim? It cannot be related to “national security” because every claim they have made regarding classified material in this matter is already fully known and available in the public domain.
Among at least a dozen other questions, I am confused as to why CrowdStrike, a well-respected cybersecurity forensics company, steadfastly avoids the issue of the recorded system facts. “We continue to stand by our report,” CrowdStrike said when shown the investigation’s findings.
CrowdStrike in fact argues that by July 5 all malware had been removed from the DNC’s computers. But the presence or absence of malware by that time is entirely immaterial, because the event of July 5 is clearly proven to have been a leak (theft) and not a hack. Given that malware has nothing to do with that leak (theft), CrowdStrike’s logic is bewildering.
I can understand Obama’s desire to avoid the issue during his final moments in office, but I am having trouble understanding why the “ongoing investigation” into Russian hacking continues to … go on. Rosenstein’s indictment announcement on Friday, July 13, 2018, clearly stated, “There’s no allegation in this indictment that any American citizen committed a crime. There’s no allegation that the conspiracy changed the vote count or affected any election result.”
The Riddler teased us with, “I have billions of eyes, yet I live in darkness. I have millions of ears, yet only four lobes. I have no muscle, yet I rule two hemispheres. What am I?”
I’m a simple man. I just want to know two things:
- Why does the FBI refuse, to this day, to examine the DNC server?
- Why does the FBI continue to refer to what is clearly a theft of data by an unknown local actor as a Russian hack?