Was the DNC hack an inside job? It's a hot theory — but probably not

There are good reasons to distrust the U.S. intelligence agencies. But Russians likely did hack the Democrats

Published September 17, 2017 9:00AM (EDT)


People were listening to Dick Cheney again.

It was almost enough to make the former vice president break out into the smirk that he uses to approximate a human smile.

Nearly 15 years after he had destabilized the Islamic world -- and for that matter the entire world -- with the 2003 invasion of Iraq, Cheney was finally seeing the world come back around to his perspective as he gripped the podium at a New Delhi business conference in March.

The subject was near and dear.

“As I watch Mr. Putin operate in the Soviet Union,” Cheney began, referring to Russian President Vladimir Putin. He didn’t bother to correct his mistaken reference to a nation that has not existed for more than 25 years.

Cheney continued: “He believed that the end of the Cold War and the end of the Soviet Union was a disaster and I think he has aspirations of trying to correct that, or what he sees to be a disaster.”

The ex-veep was warming to the topic at hand: accusations that Russia had interfered in the 2016 American presidential election.

“There’s no question that there was a very serious effort made by Mr. Putin and his government and his organization to interfere in major ways with our basic, fundamental democratic processes,” he said. “In some quarters, that would be considered an act of war.”


The possibility of Dick Cheney being at least partially correct about something is horrifying to most humans. So it's no wonder that many otherwise rational people still refuse to believe the large body of evidence showing that Russian hackers infiltrated servers controlled by Democratic Party officials and leaked what they gathered in an effort to undermine the candidacy of 2016 Democratic nominee Hillary Clinton. The unbelievers also seem to have overlooked Putin's admission that last year's intrusion might have been the work of "patriotic" Russian hackers inspired to act on their own.

Numerically speaking, most of the doubters are loyalists of Donald Trump, reluctant to accept the prospect that their beloved president couldn’t have won the White House without Russian assistance. Others are people who were left unconvinced by the strange, abysmal failure of former President Barack Obama’s administration and his intelligence appointees to offer any real evidence of the Russian hacking operation beyond “trust us.”

Given the U.S. government’s recent pattern of poor judgments — Saddam Hussein had weapons of mass destruction, uprisings in the Islamic world would improve human rights, Saudi Arabia is a trustworthy ally — and outright falsehoods, such as former Director of National Intelligence James Clapper's perjurious statement that America was not collecting data on its own citizens, it's no surprise that many people feel unwilling to trust blind assurances.

One group of people who have taken a decidedly skeptical stance toward the government’s claims is the Veteran Intelligence Professionals for Sanity (VIPS), a collection of former employees of the National Security Agency, various intelligence divisions of the armed forces, and the CIA. VIPS was formed in 2003 as Cheney and others in the George W. Bush administration were making their misleading case for war in Iraq.

Born of a desire for a foreign policy that is less reflexively bellicose and more transparent to the public, VIPS has been insistent that the U.S. government show whatever evidence it may possess regarding Russian hacking, particularly data showing that Putin's government was behind it. The latter is an important point because while there is much publicly available evidence that Russians hacked Democratic officials, the answer to the question of whether they did so in an official capacity has thus far proved elusive.

Faced with such uncertainty, some of the VIPS members decided to strike a more declarative stance based on research examining one of the document archives provided by “Guccifer 2.0,” an internet persona who has claimed responsibility for cyber intrusions into computers owned by various Democratic Party organizations, including the 2016 Clinton campaign.

As I wrote last week, there is considerable evidence that the loquacious Guccifer 2.0 is not what he claims to be. He is probably not Romanian and probably not a single individual. His ungrammatical Romanian parlance, his sudden emergence immediately after the Democratic National Committee accused Russia of hacking its computers, the hastily constructed nature of most of his files, his changing story about how he compromised Democrats' computers, his usage of a Russian-oriented network privacy service, and the presence of Russian-language metadata within several files he released all suggest that Guccifer 2.0 is a Russian fabrication. (Metadata is information within files that helps computer programs process them and that is not typically visible to computer users.)

Nonetheless, all of the above indications are circumstantial in nature. Cyber intrusions are notoriously difficult to attribute given the ease with which anyone with sufficient computer skills can construct serpentine, ephemeral paths to anywhere.

But what if no network pathway to the Democratic machines had actually been made? There is always at least the theoretical possibility of local data compromise. As the cases of former NSA contractors Edward Snowden and Reality Winner have demonstrated, people with privileged access can reveal things that higher-ups wish to be kept confidential.

In the case of the Democratic secrets disclosed during the course of last year’s presidential campaign, a cottage industry has sprung up trying to demonstrate that Clinton and her colleagues were compromised by Seth Rich, a former DNC data analyst who was fatally shot last July in what Washington police have ruled an attempted robbery.

Many far-right conspiracy theorists dispute that version of Rich's death, suggesting instead that he was one of the many people who supposedly have been killed by Clinton and her husband, former President Bill Clinton.

Though the evidence for Rich’s murder remains essentially nonexistent (he was not a computer administrator, he had little skill at programming and the FBI has said it is not investigating his death), the idea has been as enthralling for the far right as it has been repellent to Rich’s family. Not only does it allow right-wing believers to drink again from the intoxicating well of Clinton hatred, it also cleanses the Russian taint from Trump's victory.

Spreading word of the theory has also proven attractive to Russian state-owned media outlets. According to Google as of this writing, Rich’s death has been mentioned on 148 pages from Sputnik News, a propaganda site modeled after BuzzFeed. RT, Sputnik’s television-oriented counterpart, has run 53 stories mentioning Rich.

The myth of Rich’s murder also has some support among jilted supporters of Sen. Bernie Sanders of Vermont, Clinton’s defeated rival for the Democratic nomination. While the vast majority of former Sanders supporters followed his lead in supporting Clinton against Trump, a few have grasped hold of the possibility that the Democratic establishment’s obvious bias in Clinton’s favor was met with internal comeuppance by a righteous Bernie fan.

It’s not difficult to understand why the idea that the DNC was victimized by an internal dissenter (whether Rich or someone else) might be appealing to longtime critics of America’s national security establishment as well. That appears to be why several of the VIPS members — including Ray McGovern, a retired CIA analyst who co-founded the group — declared in late July that Clinton’s secrets had been revealed by a disgruntled Democrat.

“The purported ‘hack’ of the DNC by Guccifer 2.0 was not a hack, by Russia or anyone else,” several of the members stated in a strongly worded July 24 open memo to the president that stated as fact that the DNC's files were stolen by a local actor and that "the data was leaked to implicate Russia.”

That confident assessment — with which not all VIPS members agreed — turned out to have been based upon the work of an anonymous analyst calling himself “The Forensicator,” who had examined the contents of a compressed archive file released to the public by Guccifer 2.0 and found several potentially significant details. The most notable of these is that the archive’s metadata suggests that the files within it were added at a rapid rate (around 23 megabytes per second). Additionally, the archive itself appears to have been created on a computer with a clock set to the Eastern time zone of North America, instead of in Romania, Russia or elsewhere.

Moving on from these two observed pieces of evidence, McGovern and a number of other VIPS members and associate members (including retired IBM executive Skip Folden and William Binney, a retired technical director for the NSA) concluded that Democrats had been victimized by a tech-savvy insider who copied the files on July 5, 2016, from a DNC server to a memory stick or some other local storage device.

“A speed of 22.7 megabytes is simply unobtainable, especially if we are talking about a transoceanic data transfer,” Folden said in an interview with The Nation. “Based on the data we now have, what we’ve been calling a hack is impossible.”

While Folden and several other VIPS members remain confident in this assessment, outside critics have poked a number of holes in the analysis using a variety of arguments. Several of the VIPS members have done so as well.

The first major problem with making sweeping judgments from a single set of purloined files is that judgments about it do not necessarily apply to the many other documents that were stolen from the DNC and other Democratic-affiliated organizations. Even if this particular archive was "leaked," it would not preclude hacking in the other cases.

The second significant problem with the VIPS memo is that the speed with which the archive was created is irrelevant, because the Democrats’ servers had been hacked since the summer of 2015. This means that the files within the archive could have existed on a computer anywhere in the world between July 2015 and July 2016. Thus, even if the archive that Guccifer 2.0 released was created on a single machine, there's no way to tell where it was created or when the files it contained were originally pilfered.

Former United Nations weapons inspector and U.S. intelligence official Scott Ritter, one of the VIPS members who declined to sign the controversial memo, made this argument in a Truthdig article he published four days after his colleagues released their conclusion. In his response, Ritter said he remained skeptical that formal Russian agents had hacked the DNC, but argued that his VIPS colleagues had drawn a conclusion that the Forensicator analysis did not prove: "There is no way to use the available metadata to determine where the copying of the data was done," Ritter wrote. "In short, one cannot state that this data proves Guccifer 2.0 had direct access to the DNC server or that the data was located in the DNC when it was copied on July 5, 2016."

He further noted that the original file modification times of the files that were stored within the Guccifer 2.0 archive were likely lost due to the way that 7-Zip and WinRAR (the two programs used to archive the files) normally work.

Ritter's source for these assertions? The Forensicator, the computer whiz who originally inspired some of Ritter's colleagues to come up with their own analysis.

In a subsequent posting, the anonymous geek made it clear that his original research did not necessarily indicate that whoever made the 7-Zip file that Guccifer 2.0 put onto the internet was connected to a DNC server. The VIPS, in the Forensicator's view, had engaged in "over-ambitious extrapolations" from the original research. (Italics and brackets are in the original.)

Some reports in the media have been critical of aspects of the VIPS report, and then by implication have transferred their criticisms to the Guccifer 2.0 NGP/VAN Metadata Analysis. In the process, those reporters have demonstrated that they likely did not carefully read the Forensicator’s analysis or were not careful in making attributions. ...

No claim is made in the report that the data might not have been copied earlier nor whether it might have been copied or leaked. ...

No claim was made in the Forensicator’s analysis that this computer was connected to a DNC server. ...

No claim was made in the analysis that the estimated transfer speed “is much faster than what is physically possible with a hack” [VIPS]. Rather the statement was “this rate is too fast to support the hypothesis that the DNC data was initially copied over the Internet (esp. to Romania).” They’re close; they differ in degree of certainty and the Forensicator added the qualifier “(esp. to Romania).”

The Forensicator’s report makes no reference to “hack”, “leak”, or “server”.

This analysis was enough to convince Lisa Ling, a former Air Force technical sergeant who endorsed the original VIPS memo, to reverse herself and ask for her name to be removed from the list of signatories.

"I was willing to go with [the Russian hacking operation] being theoretical, not factual and definitely not irrefutable," she told Salon in an interview. Other VIPS members who had signed on told Salon that they believed the July 24 memo has raised credibility concerns for the group.

Cian Westmoreland, a former Air Force transmissions systems technician, said the memo was changed to become more declarative after several VIPS members and associate members had agreed to endorse it.

"I could not in good conscience agree with what was ultimately added to the letter after many of our members signed," he told Salon in an email.

"The memo should have then shown in this work that multiple scenarios were considered, and then how they were eliminated," Westmoreland wrote. "Then it should have been a unanimous decision by the signers as to what the end product would ultimately be, not edited post signature and ferried off to media with haste."

McGovern, Folden, Binney, and several other VIPS members are still standing by their conclusions. There's no question the holdouts have impressive credentials. But they seem to have gone beyond the facts and the currency of their expertise in their desire to fact-check an intelligence community that deserves it.

Ritter and several dissenting VIPS members published a response to the original memo that is required reading:

The environment around Trump, Russia, et al. is hyperpolarized right now, and much disinformation is floating around, feeding confirmation bias, mirroring and even producing conspiracy theories.

However, this VIPS memo could have easily raised the necessary and critical questions without resorting to law-of-physics conclusions that claim to prove beyond any shadow of a doubt that it was an inside-network copy only and then asserting the “fact” that the Russians (or anybody else for that matter) did not hack the DNC.

The bottom line: This VIPS memo was hastily written based on a flawed analysis of third-party analyses and then thrown against the wall, waiting to see if it would stick. This memo could have cited the critical questions raised in the third-party analyses of “Guccifer 2.0” while also asking why the three US intelligence agencies have yet to provide any actual hard proof following their January 6, 2017, assessment.

The VIPS memo is now increasingly politicized because the analysis itself was politicized. It deals only with alleged “Guccifer 2.0” hacking and makes the classic apples-versus-oranges mistake. In an ideal world, VIPS would at least retract its assertion of certainty. Absent real facts regarding proof of leaks or hacks (or both), how many hypotheses can one copy onto the head of a digital pin?

Though the original authors' claims do not hold up to serious scrutiny, the fact remains that the U.S. government needs to be more forthright in pointing the finger at the Russian government. The confusion that currently reigns on the issue is squarely on the shoulders of America's elected representatives (including, unsurprisingly, President Trump). They owe it to the public to release significant details to convince the skeptics. A credibility contest between Dick Cheney and Vladimir Putin is one with no winner.

By Matthew Sheffield

Matthew Sheffield is a national correspondent for The Young Turks. He is also the host of the podcast "Theory of Change." You can follow him on Twitter.
