Why did it take an election loss for the Obama administration to take Russian hacking and propaganda efforts seriously? It might have had something to do with many being unaware that the problem existed at all. The Associated Press reported last night that “scores” of US officials had never been notified of their targeting by “Fancy Bear,” the Russia-linked hacking effort, even though the FBI had apparently known of that targeting for two years:
The FBI failed to notify scores of U.S. officials that Russian hackers were trying to break into their personal Gmail accounts despite having evidence for at least a year that the targets were in the Kremlin’s crosshairs, The Associated Press has found.
Nearly 80 interviews with Americans targeted by Fancy Bear, a Russian government-aligned cyberespionage group, turned up only two cases in which the FBI had provided a heads-up. Even senior policymakers discovered they were targets only when the AP told them, a situation some described as bizarre and dispiriting.
“It’s utterly confounding,” said Philip Reiner, a former senior director at the National Security Council, who was notified by the AP that he was targeted in 2015. “You’ve got to tell your people. You’ve got to protect your people.”
Imagine working in a high-level national security position, with government clearances that could choke Hillary Clinton’s e-mail server. You’re tasked with protecting the nation’s secrets and planning for its defense. Russia, despite Barack Obama’s assertions in the 2012 presidential debates, is one very clear international geopolitical threat and a serious intelligence adversary. You likely get alerts every day on both nat-sec threats and security-clearance issues, including safeguarding communications, as well as warnings about the risks of sloppy or worse work.
Two years later, you find out that the FBI knew you’d been targeted that whole time, and yet somehow failed to drop you a line to let you know. Bizarre and dispiriting doesn’t begin to cover the range of reactions.
What did the FBI say to this exposé? Nothing officially, but one senior executive talked on background about “triage,” leaving the AP unimpressed:
A senior FBI official, who was not authorized to publicly discuss the hacking operation because of its sensitivity, declined to comment on timing but said that the bureau was overwhelmed by the sheer number of attempted hacks.
“It’s a matter of triaging to the best of our ability the volume of the targets who are out there,” he said.
The AP did its own triage, dedicating two months and a small team of reporters to go through a hit list of Fancy Bear targets provided by the cybersecurity firm Secureworks.
“Triage” is a curious way to describe this failure. In fact, two web hosting services used by one of Fancy Bear’s fronts (DCLeaks.com) never heard from the FBI at all. One of the public victims of the Gmail hacks, retired Army officer Maj. James Phillips, didn’t hear from the FBI until well after his inbox got published and a journalist contacted him two months later. Others echoed similar stories, having only been informed of the risk after their e-mails appeared on DCLeaks.
Some of the sources contacted by the AP, including a few of the victims, argue that the FBI doesn’t have a duty to notify everyone targeted in such an operation. That doesn’t make a lot of sense, however. If Russian intelligence had targeted such officials, then steps should have been taken to ensure they didn’t get ensnared. The problem isn’t just determining whether a single target has a high enough nat-sec risk to act — it’s also that one person will interact with many others, allowing for a cascade of risk to present itself.
This brings up another issue in regard to timing. The scope and scale of the intelligence efforts against US officials certainly should have pushed the Obama administration to get serious about the threat in 2015, but they kept quiet about it until after the DNC hack was revealed in 2016. Only then, and only grudgingly, did the Obama administration start going public about the Russia threat, waiting until Hillary Clinton lost the election to cast that threat in near-existential terms. Either they were asleep at the switch or they were worried about looking weak as an election approached. That may be one reason why victims didn’t get notified; the risk of the story spreading might have been too high, even though it would have at least forced the Obama administration to start taking the Russia influence campaign a lot more seriously sooner.
James Comey has a new book coming out next year about leadership and integrity. Perhaps that might answer the serious questions raised by the AP in this story, but … don’t count on it.