John Durham and the Amazing Disappearing DNC Hack

This is the fifth in a series of articles analyzing the 27 page federal grand jury indictment charging lawyer Michael Sussmann with making a false statement to the FBI.

As stated in the fourth article, when the FBI learned of the alleged hack of the Democratic National Committee’s (“DNC”) emails, it asked to examine the server.

In fact, at the same time as the alleged DNC hack, there were similar reports regarding the Democratic Congressional Campaign Committee’s (“DCCC”) server as well as DNC Chairman John Podesta’s personal email devices.

In testimony before the Senate, FBI Director James Comey stated the following:

Question (by Senator Burr): Did the FBI request access to those devices [the servers and Podesta’s devices] to perform forensics on?

A: Yes, we did.

Q: And would that access have provided intelligence or information helpful to your investigation in possibly finding … including to the Intelligence Community Assessment?

A: Our forensics folks would always prefer to get access to the original device or server that’s involved. So, it’s the best evidence.

Q: Were you given access to do the forensics on those servers?

A: We were not. We were … a highly respected private company eventually got access and shared with us what they saw there.

Q: But is that typically the way the FBI would prefer to do the forensics or would your forensic unit rather see the servers and do the forensics themselves?

A: We always prefer to have access hands on ourselves, if that’s possible.

Q: Do you know why you were denied access to those servers?

A: I don’t know for sure. Um, I don’t know for sure.

Q: Was there one request or multiple requests?

A: Multiple requests at different levels and ultimately what was agreed to is that the private company would share with us what they saw.

So, instead of using a search warrant or some other legal process to perform a direct, hands on forensic examination of the DNC server, the FBI agreed to base its investigation on the findings of a private cybersecurity company. And, as discussed in the previous article, that company, CrowdStrike, was to do the investigation pursuant to its contract with Michael Sussmann of Perkins Coie, the law firm that represented Hillary Clinton’s presidential campaign.

Think about that. When presented with allegations of a devastating foreign cyber attack on one of the two major political parties, the FBI meekly agreed to allow CrowdStrike and Perkins Coie to do the forensic examination and, for all intents and purposes, run the investigation.

Not even the lowliest local police department would agree to such an absurd arrangement. What if this was a murder case? Would the Smallville PD allow a private investigator and lawyer hired by the murder victim’s family to process the crime scene, do the autopsy, and tell the police and district attorney what they supposedly found? Wouldn’t such findings be subject to attack in court as coming from sources that may have had an interest in shaping and tailoring the investigative results to suit the needs and desires of their client? Wouldn’t there be legal problems with the evidence’s provenance, chain of custody, and the reliability and comprehensiveness of the investigative work that supposedly produced it? Would the police and district attorney ever allow themselves to get roped into such a bizarre, ridiculous, nightmarish, and self-defeating arrangement?

Of course not. No rational person or organization intent on conducting a serious investigation would.

But that, in effect, is precisely what the FBI — the self-proclaimed greatest investigative agency in the world — did when faced with this purportedly monumental foreign attack on the Democrat Party apparatus.

Now keep Comey’s testimony in focus as we review the remarkable appearance of Shawn Henry, President of CrowdStrike Services, before the House Permanent Select Committee on Intelligence (“HPSCI”).

The HPSCI convened in closed executive session on December 5, 2017. Present were Henry, the Committee members and staff, as well as a lawyer representing CrowdStrike and a lawyer from Perkins Coie.

Under questioning, Henry confirmed that CrowdStrike’s examination of the DNC server was done pursuant to its contract with Michael Sussmann of Perkins Coie. Consequently, as explained by the Perkins Coie lawyer, CrowdStrike’s findings were protected by the attorney-client privilege. Therefore, it would be up to Perkins Coie, acting on behalf of the DNC, to decide what information Henry would be allowed to share with the HPSCI.

First up was Rep. Chris Stewart (R-UT) who wanted to know why the FBI hadn’t taken “the lead in this investigation.”

And that’s when the fun and games began.

Once it was established that the FBI did not have access to the server, Stewart asked, “Could they [the FBI] conduct their own investigation in a thorough fashion without access to the actual hardware?”

To that Henry went out on a limb and firmly replied, “Maybe.”

Undeterred, Stewart asked, “Are you comfortable that someone could complete a thorough investigation, using other tools, without direct access to the hardware or equipment?”

Up to the challenge, Henry proceeded to answer a question that wasn’t asked.

“Could they come to a conclusion? You’re asking a nuanced question. And I’m not being cagey. I want to be clear, because this is an important point.”

But would it be better if the FBI had access?

Henry replied, “The more information you have access to, the better any investigation. But it doesn’t mean that a lack of a piece of information precludes you from coming to a conclusion.”

The determined Stewart tried again. If you “could have a better investigation if you had access to all of the equipment or hardware” would there be “reasons for not making that available [to the FBI] that override the benefit of having a more conclusive investigation?”

To which Henry replied, “You’re asking me to speculate. I don’t know the answer.”

At which point, an exasperated Stewart said to the Perkins Coie lawyer, “By the way, you need to pay him well, because he’s obviously serving you well today as you guys have your conversations back and forth.”

So just what evidence did CrowdStrike find on the DNC server?

Over the course of the hearing, Henry grudgingly gave ground with answers such as these:

“Counsel just reminded me that, as it relates to the DNC, we have indicators that data [the DNC emails] was (sic) exfiltrated [taken by hackers off the server]. We did not have concrete evidence that data was (sic) exfiltrated from the DNC, but we have indicators that it was exfiltrated…. There’s not evidence that they were actually exfiltrated. There’s circumstantial evidence … we didn’t have direct evidence. But we made a conclusion that data left the network.” (Emphasis added.)

Okay, there was no direct, concrete, or other proof that the emails were actually taken from the DNC computer. But what were these “indicators” that led CrowdStrike to conclude that the emails were hacked?

According to Henry, CrowdStrike found “indicators of [server] compromise, which are pieces of malware, et cetera.” He then explained that CrowdStrike’s investigative report states that the data [emails] were “staged for exfiltration” by the purported Russian hacker.

He added, “There are times when we can see data exfiltrated, and we can say conclusively. But in this case, it appears that it (sic) was set up to be exfiltrated, but we just don’t have the evidence that says it actually left.” (Emphasis added.)

Got that? With no evidence that the emails were actually hacked, CrowdStrike nevertheless concluded that the Russians hacked the emails.

Despite the spin, the whole DNC hack story had just flatlined.

But there was one more issue to be addressed: exactly what evidence was shared with the FBI?

I will spare you the tedious details of the interrogation. The questioners kept asking Henry what information CrowdStrike provided to the FBI, and he repeatedly said that they got whatever they asked for.

But the problem with this line of questioning is that it failed to consider the fact that CrowdStrike was working for Perkins Coie. Consequently, the questions should have focused on what information Perkins Coie allowed to be transmitted to the FBI.

The closest anyone came to getting at this issue was when Rep. Mike Conaway (R-TX) asked, “Did the DNC restrict anything that you shared with the FBI or that the FBI asked for? Did they tell you ‘no’ at any point?”

Henry replied, “No, I have no recollection. Again, I know that there are redacted reports and there was some restriction on the reports. That’s the only thing that I can recall.”

Wait. What? Redacted? Restriction? Does this mean that the DNC withheld some of CrowdStrike’s findings and work product from the FBI?

The answer to that question can be found lurking in the pre-trial pleadings in the case of United States v. Roger Stone. In an effort to debunk the DNC hack story, Stone’s lawyers requested that the Department of Justice produce the full, unredacted CrowdStrike investigative report.

And that’s when the cowpie hit the fan. It turned out that, in addition to not examining the DNC server, neither the FBI nor the DOJ actually saw the full, final CrowdStrike report.

The following is lifted directly from the prosecution’s response to Stone’s discovery request:

Ponder  that carefully. The referenced “counsel for the DNC and DCCC” is Perkins Coie. The reports provided were marked “draft” and had redactions. But the FBI and DOJ had the assurances of Perkins Coie that the  drafts were, in fact, the last version of the report and “no redacted information concerned the attribution of the attack to Russian actors.”

So, was there a hack of the DNC server? Don’t ask the FBI or the DOJ. They only know what Perkins Coie — which was representing a client that was heavily invested in spreading the Russian hack story — allowed them to know.

But thanks to the release of Shawn Henry’s testimony before the HPSCI, what we now know is that CrowdStrike never found any “direct,” “concrete,” or other evidence that proves the DNC emails “actually left” the DNC server.

Or, as we used to say in the old Justice Department: turn out the lights, the party’s over.

There’s more to come, but this article is already too long.

So stay tuned for the next episode.

George Parry is a former federal and state prosecutor. He blogs at knowledgeisgood.net and can be reached by email at [email protected].