Congress May Lack Technical Expertise
Jenna McLaughlin, Intercept, Feb 28 2017
Congressional intelligence committee leaders have pledged to examine Russia’s involvement in hacks against Demagogs during the 2016 presidential election. As Adam Schiff put it:
We want to make sure that the intelligence community got it right. … We want to look at the raw intelligence, and make sure their conclusions were substantiated.
But a detailed investigation into hacking demands technical skills that staff for the House and Senate Intelligence Committees appear to be lacking. Research into public committee staff lists, LinkedIn, and conversations with several sources who have interacted with the committees shows a serious dearth of technical expertise among the staffers cleared to access classified materials that would be involved in the investigation. Essentially, committee staff are underwater when it comes to poking into the nitty-gritty of cyber-warfare. Committees and their members customarily rely on staff to do the heavy lifting to prepare background research, evaluate evidence and information, and advise on policy and legal issues. Depending on the committee, staffers are typically well-versed in the law, international affairs, Faschingstein policy debates, and more. But a technical matter like the election hacks benefits from knowledge of coding, information security, and attribution. More than two dozen staff on each intelligence committee are lawyers, policy wonks and budget experts. Many staffers worked in the legislative affairs offices of other senators and Congress critturs, government budget offices, the DoJ, the military, private law firms, defense contractors or Faschingstein think-tanks. While they’ve served for many years in their respective areas, those areas are rarely technical. While some programs were created in recent years to remedy the desperate need for computer scientists and hackers on the Hill, the intelligence committees don’t normally accept fellows or detailees due to the sensitivity of the policy issues they discuss. Travis Moore of TechCongress told the Intercept in response to a question about the staffing on the intelligence committees:
Anecdotally, of the 15,000 staff in Congress, I’m aware of six that have technology-related educational backgrounds. This is a problem. All policy is increasingly ‘tech’ policy.
Spoxes for the House and Senate Intelligence Committees declined comment on the expertise of their staff. The Senate Intelligence Committee does have new leadership in Mark Warner, who made his fortune investing in the cellular telecom industry, took a prominent role in the debate over encryption technology last Congress, and may emphasize technical issues in the coming debates over Russia. But at the end of the day, there’s not much money to throw around, and adding a technical staffer might mean replacing another qualified legal or policy expert. Moore said:
Congressional budgets have been slashed 35% and even officers that would like to hire for this expertise don’t have the resources to do so.
What technical knowledge the committees have historically added to their staffs is typically rooted in the legal sphere or the policy space rather than in the nuts and bolts of tech. Professor Steven Bellovin of Columbia University wrote in an email:
Evidence of hacking, computer forensics, and attribution are highly technical fields. If you don’t have independent experts in those fields, you cannot independently evaluate the evidence, all you can do is look at their reports and see if all of the analysts agree.
There are staffers with some tech-related experience, like Bob Minehart of the House Intelligence Committee, who spent several decades in the intelligence community, including at the NSA doing “technical” work, according to Yahoo News. But even Minehart “may not have the right background for attribution,” Bellovin said. Minehart, who has served in Congress for 12 years, works on the “Technical and Tactical” Subcommittee of the House Intelligence Committee, which polices the NSA, the NRO and the NGIA on issues including offensive and defensive cyber-capabilities. Then there’s Brett Freedman, a counsel to the Senate Intelligence Committee, who spent time in the NSA and worked on a Review Group advising Obama on how to maintain intelligence collection capabilities while protecting privacy and civil liberties. While often working on cyber-policy issues, Freedman’s role appears strictly legal rather than technical. Other staffers were intelligence analysts for the government, served on the NSC, worked in the Pentagon, or were in the private sector working on defense at companies like Booz Allen Hamilton or BAE. Chris Soghoian, formerly of the ACLU and now at TechCongress, has worked with several members on technical issues, including Ron Wyden on the Senate Intelligence Committee, but never on the Russia investigation, Hill staffers who have worked with him confirmed. A major part of the investigation into Russian groups’ malicious cyber-activities is actually linking their habits and traits, their trail of breadcrumbs, to the DNC hack itself. It’s challenging to solve whodunits in the cyber-realm, because it’s possible to hide your tracks, and you can strike from halfway across the world without warning. It is “continuity of knowledge” of past attacks and understanding of the “style of the attack and the tools and the software used” that helps companies make confident assessments about who’s behind what, Bellovin notes.
Tony Cole of cyber-security firm FireEye wrote in an email to the Intercept:
There’s a typical tendency of governments to appoint lawyers to senior roles in leading all their cyber-efforts. Legal expertise is needed to ensure all applicable laws are followed, especially since this is a relatively gray area in the area around international law … More operational cyber expertise at the most senior levels in government is needed badly.
Security experts criticized the government’s rather pitiful report in December titled “Grizzly Steppe,” which listed malicious IP addresses as evidence of the attacks’ attribution to Russia, but noted that private sector reports painted a more revealing picture of the historical behavior of those groups than the report itself. Crowdstrike has been tracking Fancy Bear since at least 2007. Amy Zegart of CISC penned a 2011 essay for the Hoover Institution titled The Roots of Weak Congressional Intelligence Oversight, discussing the need for detailed knowledge and experience in the intelligence community to properly patrol its conduct. She helped launch a boot camp at Stanford University in 2014 for congressional staffers to beef up on cyber-issues, which they’ll be hosting again this summer. Zegart wrote in an email:
There have been personnel detailed to the committees in the past to try to provide greater technical expertise. But it’s always been woefully inadequate to the task. The fundamental challenge is you can’t oversee something effectively if you don’t understand it.