Congressional intelligence committee leaders have pledged to examine Russia’s involvement in hacks against Democrats during the 2016 presidential election. As the ranking member of the Senate’s intelligence panel, Rep. Adam Schiff put it, “we want to make sure that the intelligence community got it right … We want to look at the raw intelligence, and make sure their conclusions were substantiated.”
But a detailed investigation into hacking demands technical skills that staff for the House and Senate Intelligence Committees appear to be lacking.
Research into public committee staff lists, LinkedIn, and conversations with several sources who have interacted with the committees shows a serious dearth of technical expertise among the staffers cleared to access classified materials that would be involved in the investigation. Essentially, committee staff are underwater when it comes to poking into the nitty gritty of cyber warfare — a longstanding problem made more relevant as attacks on U.S. government and politicians escalate.
Committees and their members customarily rely on staff to do the heavy lifting to prepare background research, evaluate evidence and information, and advise on policy and legal issues. Depending on the committee, staffers are typically well versed in the law, international affairs, Washington policy debates, and more. But a technical matter like the election hacks benefits from knowledge of coding, information security, and attribution.
The bulk of staff on the intelligence committees — more than two dozen on each — are lawyers, policy wonks, and budget experts. Many staffers worked in the legislative affairs offices of other senators and members of Congress, government budget offices, the Department of Justice, the military, private law firms, defense contractors, or Washington think tanks. While they’ve served for many years in their respective areas, those areas are rarely technical.
While some programs were created in recent years to remedy the desperate need for computer scientists and hackers on the Hill — like TechCongress, a tech policy fellowship in D.C. — the intelligence committees don’t normally accept fellows or detailees due to the sensitivity of the policy issues they discuss.
“Anecdotally, of the 15,000 staff in Congress, I’m aware of six that have technology-related educational backgrounds,” Travis Moore, the founder and director of TechCongress told The Intercept in response to a question about the staffing on the intelligence committees. “This is a problem. All policy is increasingly ‘tech’ policy.”
Spokespeople for the House and Senate Intelligence Committees declined comment on the expertise of their staff. The Senate Intelligence Committee does have new leadership in Democratic Sen. Mark Warner, who made his fortune investing in the cellular telecom industry and took a prominent role in the debate over encryption technology last Congress and who may emphasize technical issues in the coming debates over Russia.
But at the end of the day, there’s not much money to throw around, and adding a technical staffer might mean replacing another qualified legal or policy expert. “Congressional budgets have been slashed 35% and even officers that would like to hire for this expertise don’t have the resources to do so,” Moore said.
What technical knowledge the committees have historically added to their staffs is typically rooted in the legal sphere or the policy space rather than in the nuts and bolts of tech.
“Evidence of hacking, computer forensics, and attribution are highly technical fields,” Steven Bellovin, a computer science researcher and professor at Columbia University with experience advising the government on technology, wrote in an email.
“If you don’t have independent experts in those fields, you cannot independently evaluate the evidence — all you can do is look at their reports and see if all of the analysts agree,” Bellovin added.
There are staffers with some tech-related experience, like Bob Minehart of the House Intelligence Committee, who spent several decades in the intelligence community, including at the NSA doing “technical” work, according to Yahoo News. But even Minehart “may not have the right background for attribution” Bellovin said. Minehart, who has served in Congress for 12 years, works on the “Technical and Tactical” Subcommittee of the House Intelligence Committee, which polices the NSA, the National Reconnaissance Office, and the National Geospatial Intelligence agency on issues including offensive and defense cyber capabilities. Then there’s Brett Freedman, a counsel to the Senate Intelligence Committee, who spent time in the NSA and worked on the President’s Review Group on Intelligence and Communication technologies to advise President Barack Obama on how to maintain intelligence collection capabilities while protecting privacy and civil liberties. While often working on cyber policy issues, Freedman’s role appears strictly legal rather than technical. Neither Minehart or Freedman responded to a request for comment.
Other staffers were intelligence analysts for the government, served on the National Security Council, worked in the Pentagon, or were in the private sector working on defense at companies like Booz Allen Hamilton or BAE Systems.
Chris Soghoian, formerly the chief technologist of the American Civil Liberties Union and now a TechCongress fellow, has worked with several Members on technical issues including Sen. Ron Wyden, D-Ore., who serves on the Senate Intelligence Committee — but never on the Russia investigation, confirmed by Hill staffers who have worked with him. Soghoian was not available for comment.
A major part of the investigation into Russian groups’ malicious cyber activities is actually linking their habits and traits, their trail of breadcrumbs, to the DNC hack itself. It’s challenging to solve whodunits in the cyber realm, because it’s possible to hide your tracks, and you can strike from halfway across the world without warning.
It is “continuity of knowledge” of past attacks and understanding of the “style of the attack and the tools and the software used” that helps companies make confident assessments about who’s behind what, Bellovin notes.
There’s a “typical tendency of governments to appoint lawyers to senior roles in leading all their cyber efforts,” according to Tony Cole, the Chief Technical Officer of Global Government at cybersecurity firm FireEye. “The legal expertise is needed to ensure all applicable laws are followed, especially since this is a relatively gray area in the area around international law … [but] more operational cyber expertise at the most senior levels in government is needed badly,” he wrote in an email to The Intercept.
Security experts criticized the government’s rather pitiful report on the DNC hacks in December titled “Grizzly Steppe,” which listed malicious IP addresses as evidence of the attacks’ attribution to Russia — but noted that private sector reports painted a more revealing picture of the historical behavior of those groups than the report itself. Crowdstrike has been tracking purported Russian hacking groups — “Fancy Bear” and “The Dukes” — for years, since at least 2007.
“There have been personnel detailed to the committees in the past to try to provide greater technical expertise. But it’s always been woefully inadequate to the task,” Amy Zegart, the co-director of the Center for International Security and Cooperation, wrote in an email. Zegart penned a 2011 essay for the Hoover Institution titled “The Roots of Weak Congressional Intelligence Oversight” discussing the need for detailed knowledge and experience in the intelligence community to properly patrol its conduct.
Zegart helped launch a boot camp for Congressional staffers to beef up on cyber issues at Stanford University in 2014, which they’ll be hosting again this summer — a program with a long waitlist. But it’s not been sufficient, yet. “The fundamental challenge is you can’t oversee something effectively if you don’t understand it,” she concluded.
The post Congress May Lack Technical Expertise to Properly Investigate Russian Hacking appeared first on The Intercept.