Future Tense

The FBI Relied on a Private Firm’s Investigation of the DNC Hack—Which Makes the Agency Harder to Trust  

FBI Director James Comey testifies in front of the Senate Judiciary Committee during an oversight hearing on the FBI on Capitol Hill on May 3.

Eric Thayer/Getty Images

“When will the Fake Media ask about the Dems dealings with Russia & why the DNC wouldn’t allow the FBI to check their server or investigate?” President Trump tweeted on Sunday at 4:15 a.m. How invigorating to discover that, like me, the president also lies awake at night wondering about the mechanics of major data-breach investigations!

Setting aside the nonsensical first half of the tweet, there’s actually an interesting question worth revisiting buried in the second half. Why wouldn’t the Democratic National Committee allow the FBI to check their servers during the investigation of the DNC breaches during the 2016 election?

The DNC maintains there’s a simple answer to this question: According to the group, the FBI never asked to see their servers. But FBI Director James Comey told the Senate Intelligence Committee back in January that the FBI did, in fact, issue “multiple requests at different levels” to the DNC to gain direct access to their computer systems and conduct their own forensic analysis.

Instead, whether because they were denied access or simply never asked for it, the FBI used the analysis of the DNC breach conducted by security firm CrowdStrike as the basis for its investigation. Regardless of who is telling the truth about what really happened, perhaps the most astonishing thing about this probe is that a private firm’s investigation and attribution was deemed sufficient by both the DNC and the FBI.

That’s not meant as an insult to CrowdStrike, which is, undoubtedly, a first-rate security firm that does extremely sophisticated and reliable investigative work. Calling in CrowdStrike was a good move on the part of the DNC. I’ve even argued that the DNC should have been relying more heavily on private tech firms to provide its email services and security from the outset. But it’s one thing to trust tech companies to provide email servers and cloud storage and quite another to rely exclusively on them to collect and analyze evidence of a major security incident attributed to a foreign national government.

Good security companies can be invaluable when it comes to helping breach victims figure out where they went wrong and how they can better protect their systems in the future. They can certainly, at times, provide useful assistance to law enforcement investigations—but when they end up essentially doing law enforcement’s job for them, as seems to have been the case with the DNC breach, it becomes exceedingly difficult to know whom to trust and whether to take the results of that investigation at face value. In fact, the president made this point himself, in a Jan. 5 tweet about the FBI investigation, back when he apparently believed the DNC’s version of events: “So how and why are they so sure about hacking if they never even requested an examination of the computer servers? What is going on?”

Knowing who conducted a breach investigation is particularly important when it comes to international cyber conflicts because just about everything the government tells us about those conflicts we are expected to take on faith. Consider the declassified summary of the Intelligence Community’s assessment of “Russian Activities and Intentions in Recent US Elections.”

The DNC breaches feature prominently in that summary but, more to the point, the primary rationale readers are given for why they should believe that the Russian government meddled in the U.S. election is because the FBI, CIA, and NSA believe that to be the case. We are given very little actual detail about what happened or how the incidents were traced to Russia specifically, while we are treated to numerous statements along the lines of: “We assess with high confidence that Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election” or “We further assess Putin and the Russian Government developed a clear preference for President-elect Trump. We have high confidence in these judgments.”

Of course, there are many reasons the Intelligence Community might have decided not to reveal any actual evidence for these claims. But in the absence of that evidence, whether or not you believe their conclusions rests entirely on your confidence in the judgment and investigative abilities of the FBI, CIA, and NSA. And if the evidence that they’ve used to level major accusations at a foreign government comes not from agencies of the U.S. government or direct law enforcement investigations, but rather from private sector firms like CrowdStrike, then the “high confidence” of the government counts for very little. The DNC breach is not the only incident attributed to Russia in the Intelligence assessment summary and it’s likely that some of the others were directly investigated by the government. But even so, this conflation of government- and industry-gathered evidence without clear distinctions makes it harder to take the agencies’ assessments at face value.

Asking private firms to investigate security incidents is often beneficial—it’s possible (likely even) that CrowdStrike has resources and technical expertise that the FBI does not. But turning over an entire law enforcement investigation to the private sector is a serious mistake. Companies have very different agendas and motivations from those of law enforcement agencies—companies want to raise their own profiles, satisfy their clients, and draw new customers, while law enforcement agencies aim to identify criminals and hold them accountable. Especially when the government is going to justify an accusation by urging citizens to trust its judgment, it matters that it has actually conducted an investigation itself and drawn its own conclusions based on a firsthand examination of the available evidence.

So if the FBI didn’t ask for access to the DNC’s servers out of laziness or negligence, it certainly should have. And if the DNC denied them that access for fear of being embarrassed by what they might find, or because they had more faith in CrowdStrike than in the FBI, then it served only to undermine confidence in the ultimate results of the investigation and give the impression of having something shameful to hide. Neither the DNC nor the FBI should have been satisfied with an investigation that did not involve the FBI taking a firsthand look at the compromised systems. And all of us should be concerned about both parties’ apparent willingness to let a private company singlehandedly carry out an investigation with such significant political consequences.