[This report was updated Aug. 15.]
A former National Security Agency official today distanced himself from an explosive claim by some of his ex-intelligence colleagues that the Democratic National Committee was not hacked last summer but fell victim to an insider leak. Such a bombshell revelation would exonerate Russian hackers and directly contradict the "high confidence" findings the American intelligence community provided to the public -- if it were true.
"I am a former NSA Exec & didn't sign this VIPS memo due to significant analytic, sourcing, data, date & tech issues," ex-NSA whistleblower Thomas Drake posted on Twitter today. VIPS stands for Veteran Intelligence Professionals for Sanity (VIPS), a group to which Drake belongs.
The referenced memo and interviews with some of its authors from VIPS served as the main basis for a controversial story published this week by the liberal outlet The Nation under the headline "A New Report Raises Big Questions About Last Year’s DNC Hack." The story quoted one of the ex-intelligence officials as saying that a remote hack was "impossible" and said it was more likely an insider with direct access to DNC computers was the culprit.
The story was repeated in a Bloomberg column and trumpeted on social media by those who have long suspected Russia was being used as a scapegoat for a more insidious DNC cover-up. (President Donald Trump for months questioned Russia's alleged involvement before saying in July he believed Russia "and others" attempted to meddle in the election with cyber attacks.)
But in addition to Drake's dissent, cybersecurity experts told Code and Dagger there are some issues with The Nation report and the July 24 VIPS memo on which much of it is based.
As reflected in The Nation report, much of the VIPS's argument hangs on one particular piece of evidence, apparently found in "metadata" analyzed by an anonymous cybersecurity specialist: the download of the DNC files was simply too fast to have been done from afar.
"The metadata established several facts in this regard with granular precision: On the evening of July 5, 2016, 1,976 megabytes of data were downloaded from the DNC’s server. The operation took 87 seconds. This yields a transfer rate of 22.7 megabytes per second," The Nation story says. "These statistics are matters of record and essential to disproving the hack theory. No Internet service provider, such as a hacker would have had to use in mid-2016, was capable of downloading data at this speed."
In the memo written by VIPS -- the same one criticized in the tweet by Drake as having "significant" "issues" -- the group calls the mysteriously speedy download the "key event" that unravels the plot.
But as a New York Magazine report pointed out, among with other things, that part about the bandwidth of ISPs is not accurate, according to cybersecurity expert Jake Williams. Williams, a former Department of Defense official who was involved in cyber operations, told Code and Dagger the average household may not have had the speed, but professional entities -- especially, say, a Russian spy agency -- absolutely would have access to that kind of bandwidth.
Even if they didn't, cybersecurity researcher Robert Graham posted on his blog on Aug. 15 that there's no evidence the speedy transfer was done at the point the files were supposed to have been sent over the internet. Rather, perhaps it happened when the hacker moved the information from one computer to another within the DNC network or from one computer to another in the hacker's own network after the theft -- both of which he said are common techniques.
"This story is bogus," Graham wrote. "My point is that while the forensic data-point is good, there's just a zillion ways of explaining it. It's silly to insist on only the one explanation that fits your pet theory."
Williams told Code and Dagger that in the anonymous analyst's own data, it shows the thief at one point likely used .rar compression to shrink the files before they were moved. The .rar files are time-stamped in September, months after the alleged breach, but Williams said that could reflect a prior move to a staging server, or that the time-stamps themselves had been artificially manipulated. Either way, if there was an insider at a DNC computer, as VIPS suggests, Williams said there would be no particular reason to use .rar compression before simply copying the files onto a thumb drive.
".rar would be unusual for an insider, but very typical for attackers," said Williams, who founded the cybersecurity firm Rendition InfoSec after leaving the government.
Overall, he said, "The timing is interesting, but I don't think it's evidence of an inside job."
A former NSA hacker told Code and Dagger that The Nation report was "very strange" and said there is currently no reason to doubt the private sector and government analysts who responded to and investigated the breach initially.
It's also worth keeping in mind that Russian President Vladimir Putin admitted on television that Russian hacking "patriots" may have been involved in the cyber attacks ahead of the 2016 election, even if he maintained his government was not involved.
A representative for VIPS told Code and Dagger that, "given the importance of the findings, we did due diligence -- big time -- and still are." The representative said he didn't know what Drake's issues were with the VIPS memo that caused him not to sign it.
The Nation did not respond to a request for comment Saturday.
[EDITOR'S NOTE Aug. 13: This report has been updated to include information about the time-stamp on the .rar files and comments from the VIPS representative.]
[EDITOR'S NOTE Aug. 15: This report has been updated to include the views of cybersecurity researcher Robert Graham. It also expands on William's comments.]