Senate Intelligence Report -- IV. Executive Branch Investigations (A): The DNC Hack and FBI's Response (FULL SECTION)

Narrative
IV. EXECUTIVE BRANCH INVESTIGATIONS

In the summer of 2016, the U.S. Intelligence Community( IC) began collecting and analyzing information related to potential Russian interference in the upcoming U.S. elections.
The IC obtained intelligence information that indicated the Russian government, at Putin 's direction, was seeking to interfere in the U.S. presidential election. As a result, the IC began a small, highly compartmented effort to understand the full scope of this activity. Cyber Division had already opened a separate investigation into Russian-government cyber intrusions into the Democratic National Committee( DNC) based on Russian intelligence services ' cyber intrusions in the summer of 2015 and again in early 2016. Cyber Division 's investigation related to the DNC breach resulted in a series of interactions between the FBI and the DNC, which are described in detail below.

[ REDACTED] Shortly after WikiLeaks released thousands of documents stolen by Russian hackers from the DNC, the[ REDACTED] government provided information related to a potential Russian influence operation targeting the U.S. election.
That information suggested that the Russian government had made an offer to the Trump Campaign to assist the Campaign with the anonymous release of information harmful to Hillary Clinton 's electoral chances. Based on this information, and with the context of the Russian hacking investigation, FBI 's Counterintelligence Division initiated a full counterintelligence investigation on July 31, 2016," to determine whether individual( s) associated with the Trump campaign are witting of and/or coordinating activities with the Government of Russia.'' This umbrella investigation was codenamed Crossfire Hurricane.

[ REDACTED] FBI provided a basic counterintelligence briefing to Trump and two members of his Campaign staff on August 17, 2016.
An FBI agent delivered this briefing at the outset of a larger intelligence briefing the ODNI traditionally offers to both candidates at the SECRET level after the conventions. Flynn was one of Trump 's two advisors in attendance

[ REDACTED] The Committee was able to review the talking points FBI used at the briefing and the memo the agent wrote to record the briefing afterward.
Both reflect a cursory overview by FBI focused on encouraging awareness of counterintelligence issues. The briefing provided basic facts about foreign adversary intelligence operations and encouraged the campaign to use adequate communications security. For example, it cautioned that Trump and his staff were a target for foreign HUMINT, SIGINT, and cyber operations, and it said that intelligence officers from foreign countries could pose as diplomats or use non-official cover to approach those close to the candidate.

[ REDACTED] The briefing discussed Russia as a U.S. adversary with a robust intelligence presence.
It did not provide any specific warnings to the Campaign regarding the allegations FBI was pursuing in Crossfire Hurricane. According to the agent 's record of the encounter, FBI told Trump and his staff that''[ Foreign intelligence services] will send their IOs in diplomatic cover, business NOCs, as well as sources they have developed around you to elicit information and gain assessments on you.'' The agent 's notes do not refer to FBI 's suspicions about Page, Papadopoulos, Manafort, or Flynn 's contacts with Russian officials.

[ REDACTED] Shortly after opening Crossfire Hurricane, FBI 's Counterintelligence Division opened counterintelligence investigations on four separate U.S. persons under this umbrella investigation: George Papadopoulos( Crossfire Typhoon), Carter Page( Crossfire Dragon), Paul Manafort( Crossfire Fury), and Michael Flynn( Crossfire Razor).
Subsequent to the original cases, the FBI opened a number of other cases on both U.S. persons and foreign nationals related to these investigations, including on[ REDACTED] then-Attorney General Jeffrey Sessions([ REDACTED]), and President Donald Trump([ REDACTED]).

The FBI, as part of its investigation into Russian interference, successfully obtained a warrant to conduct Foreign Intelligence Surveillance Act( FISA)- authorized surveillance against Page.
The initial FISA application was approved on October 21, 2016, after Page had left his role as an advisor to the Trump Campaign. The Foreign Intelligence Surveillance Court reauthorized surveillance three times, but authorization ultimately expired on September 22, 2017. In its application and renewals seeking FISA authorities, the FBI and the Department of Justice relied heavily- but not solely- on information provided by Christopher Steele, a former[ REDACTED] officer and FBI confidential human source. Steele 's information and. the FBI 's response to Steele 's information is described in detail below.

[ REDACTED] In May 2017, Deputy Attorney General Rod Rosenstein appointed Robert Mueller III as Special Counsel to investigate Russian interference in the 2016 U.S. election.
Two memoranda provide the clearest articulation of the scope of the Special Counsel 's Office( SCO) investigation. First, an August 2, 2017, memorandum from Rosenstein to Mueller authorized SCO to conduct investigations related to Carter Page, Paul Manafort, George Papadopoulos, Michael Flynn, and[ REDACTED]. Second, an October 20, 2017, memorandum from Associate Deputy Attorney General Scott Schools to Rosenstein clarified that SCO had the authority to pursue certain additional, related investigations. These additional investigations included Michael Cohen, Rick Gates,[ REDACTED],[ REDACTED], Roger Stone, and[ REDACTED]. In addition to those individuals, the memorandum specified links from primary targets to secondary targets approved for investigation. These

secondary targets related to Paul Manafort, Michael Flynn, Michael Cohen, and[ REDACTED].
The SCO 's mandate, however, did not expressly retain a priority on counterintelligence matters.

[ REDACTED] Shortly after its creation, SCO was reassigned a number of open FBI case files related to SCO 's mandate.
These case files included existing FBI investigations of[ REDACTED] Carter Page; George Papadopoulos; Michael Flynn;[ REDACTED]; Paul Manafort;[ REDACTED];[ REDACTED]; Crossfire Hurricane( umbrella investigation); and[ REDACTED]

Over the course of its investigation, the SCO successfully secured numerous criminal indictments and convictions.
This included indictments of Russian nationals associated with a Russian government-sponsored social media campaign and GRU personnel who hacked into the DNC and other related targets. It also secured convictions of Paul Manafort and Rick Gates for activity stemming from their work in Ukraine, as well as numerous other convictions related to conduct which criminally misled or obstructed investigations into Russian election interference. This latter category included convictions of Roger Stone, Michael Cohen, and Michael Flynn. These criminal cases, prosecuted while under immense public and political scrutiny, brought to light significant criminal conduct.

While criminal prosecutions are a vital tool in upholding our Nation 's laws, protecting our democratic system from foreign interference is a broader national security mission that must be appropriately balanced with the pursuit of criminal prosecutions.
It is the Committee 's view that this balance was not achieved. Russian interference with the U.S. electoral process was inherently a counterintelligence matter and one not well-suited to criminal prosecutions. As a result, the Committee found that some of the counterintelligence aspects of the FBI 's original Crossfire Hurricane investigation were crowded out by the SCO 's effort to identify, charge, and prosecute crimes. In other cases, nascent counterintelligence efforts by FBI were subsumed by SCO, and were neither fully pursued nor returned to FBI until SCO 's conclusion almost two years later. Because the SCO 's investigation was ultimately a criminal inquiry, it did not fully address the depth and complexity of Russian interference in the 2016 election, an effort that this Committee has itself undertaken.

A.
The DNC Hack and FBI 's Response

1.
Introduction and Findings

[ REDACTED] Beginning in July 2015 and continuing until at least October 2016, at least one[ REDACTED] Russian intelligence services compromised the DNC 's computer networks.
The DNC hack presented a novel scenario for the IC and federal law enforcement: political entities had been hacked before, but never before had a nation-state actor hacked a private political party in the United States, exfiltrated information, and then weaponized that information through public leaks. The scenario was further complicated by the fact that the DNC was a private political party with significant public presence, and the FBI was also looking at the domestic effects of a foreign threat during a U.S. presidential campaign.

[ REDACTED], the DNC was hesitant to engage with the Bureau on the matter of the political organization 's being under attack by a foreign country 's intelligence services, owing to resonant tensions stemming from the FBI 's investigation into Hillary Clinton 's email servers.
Further complicating matters, the DNC 's IT staff did not understand the nature of the threat it faced, despite multiple entreaties from an FBI agent at the Washington Field Office. The Committee investigated allegations that the FBI did not properly escalate its concerns about the DNC hack and that the DNC did not fully cooperate with the FBI. The Committee found that communication on both sides was inadequate, further confusing an already complex situation.

The Committee appreciated the voluntary cooperation it received from the individuals associated with the DNC, as well as from former FBI officials now in the private sector.
The DNC and its counsel were extremely accommodating in allowing the Committee to access potentially privileged materials, and provided staff with copies of incident response reports prepared by the DNC 's cybersecurity vendor, CrowdStrike. Several Hillary for America( HFA) Campaign staffers, including Clinton Campaign Manager Robby Mook and Clinton Campaign Chairman John Podesta, also submitted to voluntary staff interviews, which provided limited insights into the DNC hack but did provide helpful information in other areas of the Committee 's inquiry.

After conducting witness interviews and reviewing documents from the IC and third parties, the Committee found the FBI lacked an appropriate process to escalate their warnings of the DNC hack within the DNC and that the FBI 's victim-driven response paradigm hindered its ability to investigate the hack with the necessary urgency.


2.
FBI 's Role Responding to Nation-State Cyber Attacks on Private Entities

i.
The IC 's Division of Labor for Cybersecurity

Within the U.S. Government, the FBI,[ REDACTED] and Department of Homeland Security( DHS) have different but complementary roles related to cyber incident response.
[ REDACTED], has insights into foreign adversary activity, and is often one of the first to know that a foreign intelligence service has attempted to compromise, or has successfully compromised, a victim network.[ REDACTED] will then pass that notification to FBI, which engages with the victim, and DHS sometimes provides additional services to assist in remediation or ongoing engagement with the IC.

[ REDACTED] Because information about an attack can come from[ REDACTED],[ REDACTED] or even a foreign partner, FBI must first work with[ REDACTED] or[ REDACTED] to protect their equities before sharing information with the victim.
Jim Trainor, Former Assistant Director of the Cyber Division at FBI, described the Bureau as" always the one that 's more forward-leaning'' about sharing information with victim entities because FBI agents are" the ones on the hook to try to provide the notification.'' Once FBI receives permission to share threat indicators, field office agents will contact the victim entity. FBI agents use[ REDACTED] to" have complete visibility on... victim notifications.'' Trainor noted that the best scenario is for agents to do" a lot of outreach'' in their area of responsibility, so that when an incident occurs, the FBI is dealing with" victims[ who] have a relationship and a confidence and a trust...[ who know] who the agent is, who the cyber squad is.'' The FBI has[ REDACTED] cyber squads, and victim notifications are[ REDACTED] portion of a cyber squad 's investigative work. When dealing with a larger attack, the FBI[ REDACTED].

When asked whether the FBI triages its victim notifications, Trainor described[ REDACTED].
As an example of the[ REDACTED]. Trainor hypothesized that if Russian actors breached( as a hypothetical example) Yahoo! , the FBI would[ REDACTED].

3.
FBl 's Role: The Victim-Driven Response

Instead of treating hacked entities as crime scenes, where the FBI can collect evidence as needed the FBI treats hacked entities as victims,[ REDACTED].
Washington Field Office Assistant Special Agent in Charge( ASAC)[ REDACTED] told the Committee that it is" very typical'' in the" majority of cyber cases'' that after the FBI a roaches a potential victim about a cyber intrusion," we may never hear from them again.''[ REDACTED] testified that the FBI[ REDACTED] and that even in those cases" it 's quite a bit of a struggle... as the entity decides what level of cooperation they 're going to provide.''

As a first step, FBI agents[ REDACTED], the FBI 's case record system, to access contact information that may already exist for the victim.
If there is no contact information, agents will call the organization and convey:[ REDACTED]. Agents[ REDACTED] are entrusted to convey an appropriate sense of urgency. After engaging with the victim entity, the FBI[ REDACTED], working side by side'' and[ REDACTED]'' But the FBI is" not there to rebuild the network and remediate the network'' following a cyber incident; generally, a victim organization will hire a third-party cybersecurity vendor to complete that process.

One consequence of the victim-driven response is that victims who do cooperate do so at their own pace.
[ REDACTED] recognized that" every organization...[ has] valid reasons why they do n't want the FBI in their building, on their computer systems.'' Put simply:" half the time, the entity we 're calling just does n't want to deal with us.''

As of May 2018, there was no formal policy within the FBI for escalating notifications up the chain of command at a victim entity.
[ REDACTED] testified that" if an organization decides that they have it[ under control] or the do n't want to do it I do n't think we typically will escalate it much further...[ REDACTED].

There are reasons why, to date, the FBI does not compel victims to cooperate.
The FBI needs the victim organization 's help to investigate the crime because the victim knows its own systems best, so forcing cooperation could potentially alienate the very people whose help the FBI needs. Additionally, the FBI recognizes that using compulsory process to force cooperation would be adding hassle to the hacked entity, which has already been the victim of a crime.

When asked about using compulsory process to force victims to cooperate, Trainor admitted that the FBI could" get a grand jury subpoena to compel them.
... But that 's a little challenging'' Even with compulsory process, Trainor told staff that" FBI does n't know the network as well as the DNC or any other victim. It becomes very complicated... that 's the collaborative part of being on scene together. So... we 're not going to get that even with a grand jury subpoena.'' Trainor 's opinion was that compulsory process should be a last resort because" it would have a serious chilling effect with companies wanting to work with us'' and so it should only be used[ REDACTED].

4.
Private Cybersecurity Vendors

Typically, after the FBI notifies a victim organization, the organization will hire outside counsel who can then bring in a cybersecurity firm to address the intrusion and recommend remediation.
Depending on how the cybersecurity firm is retained, and how outside counsel and the victim organization want to work, the cybersecurity firm 's work product-including the technical details related to the intrusion and attribution theories-could be covered under the privileged umbrella of attorney work product. Many victim organizations are wary of publicly announcing cyber intrusions because of negative media attention and perceived reputational harm. This creates a tension as the cybersecurity community and law enforcement are better equipped to defend against cyber attacks when more information is shared.

Trainor described the ideal incident response cooperation as when" the internal staff... the third party vendor, and... the FBI[ are] working side by side,[ REDACTED]'' Trainor used the Sony hack as a real-life example of an" optimal'' situation where FBI agents[ REDACTED] in order to speed up the review of technical data that could lead'' to attribution.


i The DNC Hack: A Case Study in the FBI Victim Notification Process


The FBI agents and headquarters personnel working the DNC case were frustrated by the lack of responsiveness at the DNC, while witnesses from the DNC repeatedly told the Committee that they did not think the FBI appropriately conveyed the threat picture.
FBI personnel told the Committee that they were[ REDACTED] from the DNC would have[ REDACTED]'' Trainor asked the Committee to" just imagine the FBI having the Washington Field Office giving a grand jury subpoena to the DNC.'' Yet DNC witnesses repeatedly told the Committee that there was no" alarm bell'' from the FBI, and DNC staff believed that the FBI received everything it needed from CrowdStrike and the DNC.

[ REDACTED] None of the Committee 's witnesses expected that the compromise of the DNC 's network lead to the exfiltration and exposure of the DNC 's emails and information.
At the time of the compromise, FBI saw the[ REDACTED] behavior on the DNC network" as very consistent'' with the past[ REDACTED] behavior, that it was[ REDACTED]. Trainor told the Committee that although he was familiar with the[ REDACTED] doxing practices, he did not assume that was a possibility with the DNC hack because the FBI[ REDACTED].''

[ REDACTED] In reviewing staff interviews,[ REDACTED], and witness document production, the Committee gained insights into the challenges facing both the DNC and the FBI in confronting a new kind of attack on America 's democracy.
The uniquely political nature of the DNC as an organization and the FBI 's approach towards victims of cyber attacks led to miscommunications and missed opportunities to thwart, or eradicate, the Russian cyber actors from the DNC systems. The below timeline conveys the Committee 's understanding of the DNC hack, the FBI 's response, and how the FBI, CrowdStrike, and the DNC worked together during this historic attack.

5.
Summary of Events

Prior to the multiple[ REDACTED] GRU intrusions into the DNC, the DNC networks were protected by a firewall, spam filters, an IT directory that managed password rotation, the Windows Defender system, and two-factor authentication on the VPN system.
The DNC trained new staff on computer use; part of that training included simulating phishing attacks and senior employees received a high-level cybersecurity briefing from a third-party vendor. DNC CEO Amy Dacey told the Committee that cybersecurity was" a priority'' for both her and DNC Chair Debbie Wasserman Schultz. The DNC had also hired a third-party vendor to conduct penetration testing on the DNC 's publicly available assets. The DNC contracted The MIS Department, Inc.( MIS) to provide some IT services. Yared Tamene, a contractor for MIS and the DNC 's IT Director, was responsible for IT and network security, and he reported to Andrew Brown, the Technology Director, who in tum reported to both DNC COO Lindsey Reynolds and DNC CEO Amy Dacey.

[ REDACTED] From August 2015 until early May 2016, the FBI attempted to assist the DNC in recognizing and responding to Russian intrusions into the DNC network.


Despite multiple conversations with the FBI in 2015 and early 2016, Tamene told the Committee that the first indication he had" of confirmed foreign actors on our network, meaning unauthorized access to the network,'' was April 28, 2016.
In May 2016, the DNC hired CrowdStrike, a third-party cybersecurity vendor, to respond to what they by then understood to be a foreign nation-state attacking their network. On June 12, 2016, the DNC completed remediation related to the incident and transitioned to new systems. On June 14, 2016, the DNC approached an cooperated with The Washington Post to publish an article announcing that the Russian intelligence services had hacked the DNC.

In the June 14, 2016 The Washington Post article, CrowdStrike 's CTO Dmitri Alperovitch associated one threat actor, dubbed" Fancy Bear,'' with the GRU and associated another threat actor, dubbed" Cozy Bear,'' with the FSB.
The following day, Alperovitch published an article on CrowdStrike 's blog associating Fancy Bear with the GRU, but allowing that Cozy Bear could have been either the SVR or the FSB. Through the remaining of the summer and fall of 2016, emails obtained from the DNC hack were published by online GRU personas DCLeaks and Guccifer 2.0, as well as WikiLeaks. In September 2016, the DNC 's cloud environment, hosted by Amazon Web Services( AWS), was the victim of another intrusion attempt, detected by CrowdStrike.

On October 7, 2016, the Department of Homeland Security( DHS) and the Office of the Director of National Intelligence( ODNI) released a public statement that the IC was" confident that the Russian Government directed the recent compromise of e-mails from US persons and institutions, including from US political organizations.''
6. Detailed Timeline

April 2015


[ REDACTED] In April 2015, the FBI 's Washington Field Office( WFO) hosted a threat awareness briefing in Washington, D.C. to advise industry, think tanks, and universities about the increased risk of cyber attacks during the spring and summer timeframe.
During April 2015, the FBI engaged with a university on the west coast and one think tank in Washington, D.C ~ to alert them that their infrastructure had been compromised by[ REDACTED] cyber actors. The[ REDACTED] actors were using U.S. infrastructure in an attempt to conceal the true origins of their attacks and blend in to normal internet traffic. FBI 's WFO engaged with both victims and[ REDACTED]. August 2015

[ REDACTED] On August 3, 2015,[ REDACTED] FBI Special Agent( SA)[ REDACTED] was[ REDACTED] was the FBI ' s main point of contact for the DNC notification process.
Both Trainor and[ REDACTED] characterized the initial DNC notification as one of approximately[ REDACTED] priority victim notifications from the larger pool of[ REDACTED].

[ REDACTED] On August 6, 2015,[ REDACTED] received approval from[ REDACTED] to share information related to the incident and to notify the potential victims.
[ REDACTED] was one of[ REDACTED] agents on his squad, was responsible for notifying the[ REDACTED] prioritized, potential victims. Trainor told the Committee that the notifications would have conveyed:" you very well may have been compromised, you may have been a victim... that you 've received a spear phishing email.''[ REDACTED] testified that in this particular case, the[ REDACTED] allowed FBI to share[ REDACTED] IP addresses with victims to help them search for nefarious activity on their networks.

On August 6, 2015,[ REDACTED] called Tamene, the DNC 's IT Director, and passed along the[ REDACTED] IP addresses.
On the same phone call,[ REDACTED] but he did suggest that Tamene look up public reporting on the cyber actors mini-DUKE and mini-DIONIS. Tamene told the Committee that on that first phone call, which he remembered happening in September of 2015,[ REDACTED] reached him through the DNC switchboard and told him that the FBI thought" there may be some activity that is nefarious'' and provided the outgoing IP address. Tamene said that[ REDACTED] also gave him[ REDACTED] the FBI in case the DNC systems were compromised.

After speaking with[ REDACTED] Tamene called DNC Technology Director Andrew Brown and went through the DNC firewall logs with his assistant engineer.
No one on the DNC 's IT staff saw anything to substantiate[ REDACTED] concerns. Brown told the Committee that" there was no indication like: Hey, the FBI is ringing a fire bell; we think you 're getting hacked.'' Brown said he did raise the FBI 's outreach with Dacey in his biweekly meeting, but he" did n't flag for her any direct actions'' related to the FBI call.[ REDACTED] FBI did not hear from the DNC after[ REDACTED] initial call.

CrowdStrike would eventually report that COZYBEAR had been sitting on the DNC 's email server since the summer of 2015.
According to their report, after gaining access to an individual DNC staffer 's computer through a spearphishing campaign, COZYBEAR actors moved laterally throught the DNC 's system and gained access to the email server.

December 2015


[ REDACTED] On December 24, 2015,[ REDACTED] FBI that it continued to see[ REDACTED] efforts against the DNC.
On December 28, 2015,[ REDACTED] again contacted Tamene and told him that the DNC may have been compromised. He provided the same IP addresses, but included another indicator that he thought might help the DNC find the bad actors.[ REDACTED] characterized this second notification as a slight escalation because" there was still a persistent presence, at least through attempts.''[ REDACTED] again received no follow-up information from Tamene or anyone else at the DNC after his December 28, 2015., outreach.

Brown told the Committee that the DNC searched again and did not find any of the indicators[ REDACTED] had passed to them.
Brown again told Dacey about the interaction with the FBI, characterizing his response as:" we 're treating it seriously and we 're dealing with it.'' The DNC had purchased a new firewall in late December 2015 and Tamene 's team was" in the process of putting it in as sort of transparent to the existing firewall'' to ensure better logging capabilities. During this timeframe, the DNC also purchased Splunk, a tool that aggregates and enables quicker searching of logs.

January 2016


After two weeks following the second notification without any word from Tamene,[ REDACTED] that Tamene might not be the appropriate contact within the DNC.
On January 12, 2016,[ REDACTED] called the DNC switchboard and asked to speak to the person[ REDACTED]. Again,[ REDACTED] was directed to Tamene. On January 15, 2016,[ REDACTED] called Tamene to check in, and Tamene told[ REDACTED] that he would search the DNC systems and get back to the FBI. Tamene told the Committee that, prior to April 2016," there was no sense of urgency'' to[ REDACTED] notifications. Yet both Trainor and[ REDACTED] testified that[ REDACTED] would have conveyed a sense of urgency. Tamene also told the Committee that he had no awareness of[ REDACTED] ever asking to speak to his supervisor or attempting to escalate the conversation within the DNC.

Trainor told the Committee that he" first became aware of the challenges associated with the DNC...[ the] lack of cooperation, lack of response, the fact that the exfil was going on'' in January 2016.
Around this time, Trainor said the FBI Section Chief escalated the matter to a more senior level within the DNC. Trainor was confident that" it got raised beyond a working level and got raised within the DNC... the bottom line is they were able, from what I understand, were able to convince them[ the DNC].'' The Committee notes the conflicting testimony, but could not find any record of any FBI attempts to raise the profile of their warnings during this time period. ASAC[ REDACTED] told the Committee that[ REDACTED] had[ REDACTED] in the DNC IT staffs technical abilities, and that, during early 2016,[ REDACTED]" was comfortable he was dealing with people that actually understood the consequences of what was happening and how to remediate it.''

February 2016


On February 8, 2016,[ REDACTED] still had not heard back from Tamene, so[ REDACTED] left a voicemail telling Tamene that he wanted to meet to provide Tamene with some additional threat intelligence.
The next day,[ REDACTED] spoke with Tamene by telephone and they set up an in-person meeting for February 10, 2016, so that[ REDACTED] could provide Tamene with additional information.

On February 10, 2 016,[ REDACTED] Tamene, and Suraj Gaur, another DNC IT staffer, met at a coffee shop in Sterling, VA..
The FBI provided the DNC IT staff with additional threat information, including[ REDACTED]. Tamene recalled that at this meeting,[ REDACTED] provided him with[ REDACTED] indicating nefarious activity, including[ REDACTED]. Tamene told[ REDACTED] that he would review the DNC 's logs for the indicators that[ REDACTED] provided. For Tamene,[ REDACTED] he realized that the DNC 's logging capabilities did not go back far enough to catch the activity[ REDACTED] described.

Tamene told the Committee that he remembered[ REDACTED] telling him at this meeting that the FBI" believes these to be Russian state actors, Russian state-sponsored actors.''
Tamene relayed[ REDACTED] statement about the foreign actors to Brown, and they both agreed that the DNC should continue to increase its logging capabilities.[ REDACTED] also suggested that Tamene run a script[ REDACTED][ REDACTED], which could discover nefarious activity. Tamene was nervous about[ REDACTED] on the network if the environment was compromised, so he and his team tried to figure out ways to[ REDACTED] without alerting the malicious actors.

Tamene told the Committee that, after their meeting, he told[ REDACTED] by email or text message that the logs did not go back far enough and that the DNC had not found anything yet, but that they were still working on[ REDACTED].
He also told[ REDACTED] that the DNC had purchased Splunk, a tool to aid its investigation, and had extended its logging capabilities.

On February 18, 2016, a week after their first meeting, the FBI 's[ REDACTED] called Tamene and again requested the log files.
On February 26, 2016,[ REDACTED]. Two days later, on February 29, 2016, FBI sent[ REDACTED], to Tamene, Gaur, and a third member of the DNC 's contract IT staff, Alberto Enrique.

Tamene recalled that sometime in February,[ REDACTED] called to invite him to an FBI tabletop exercise on April 5, 2016.


March 2016


On March 1, 2016, Suraj Gaur responded to[ REDACTED] and reported that the DNC had not found any malicious traffic but that they would increase their logging capability.
On March 24, 2016, FBI identified additional spearphishing activity at the DNC. The next day, FBI passed indicators of that activity to the DNC,[ REDACTED]. April 2016

On April 5, 2016, the FBI[ REDACTED].''
Tamene participated in the[ REDACTED] included discussion of response options for victims of spear phishing campaigns. Tamene did not know the exercise[ REDACTED] told the Committee that the FBI[ REDACTED]. Brown described[ REDACTED]" generic:[ covering] what to you do if you have an incident and what are some of the ways you can interact with[ the FBI].''

Tamene thought the exercise was helpful because it helped him understand how to leverage the Splunk program and because it confirmed, for him, that he was" moving in the right direction'' with the DNC 's cybersecurity posture.
Tamene remembered that the FBI asked for the DNC 's logs on April 10, 2016. Tamene started collecting the log information and asked Andrew Brown and DNC COO Lindsey Reynolds for permission to share the logs.

On April 15, 2016, the FBI notified the DNC[ REDACTED] that it was still seeing signs of compromise, and provided additional[ REDACTED] for the DNC to use.
The FBI also made another request for the DNC 's logs. Brown described this request for logs as a shift in the FBI engagement, telling the Committee that" all of a sudden the FBI asked us to send them logs,'' which was a" new request.'' At that point, the FBI had been requesting logs for almost two months.

Three days later, on April 18, 2016, Tamene told[ REDACTED] that the DNC was going to install and configure a new firewall; he also relayed that, so far, the[ REDACTED] had not yielded any results.
On that same day, FBI learned that a second Russian cyber actor, FANCYBEAR, was also operating within the DNC network. On April 19, 2016, the FBI again provided additional information to the DNC and again asked for the logs-the second request in two days, and the fifth request for logs cumulatively.

Tamene told the Committee that the repeated requests for logs did not" seem like an escalation'' to him, and that" Agent[ REDACTED] never used alarming language.''


The FBI repeatedly asked for logs in an attempt to help the DNC because[ REDACTED] to the point where DNC could search its own logs for those same indicators.
ASAC told the Committee that the DNC had enough information to find the nefarious activity, but that" it was going to take them a lot longer and a lot more manpower to do it.'' After the fifth request for the logs, Tamene told the FBI that Brown would have to approve the request for any logs. Tamene told[ REDACTED] that Brown was aware of the compromise and that he had briefed Lindsey Reynolds, the DNC 's chief operating officer. On April 20, 2016,[ REDACTED] sent Tamene and Guar and[ REDACTED].

The following day, Tamene told[ REDACTED] he did not have authorization to share the logs.
On April 25, 2016, the FBI[ REDACTED] the DNC 's general counsel to request a meeting. The next day, on April 26, 2016,[ REDACTED] called Michael Sussmann, a partner at the law firm of Perkins Coie and the DNC 's external cybersecurity counsel. Sussmann told[ REDACTED] that[ REDACTED] should engage with Tamene and that Sussmann would encourage Tamene to cooperate with the FBI. On April 27, 2016, Sussmann and Tamene called[ REDACTED] and told him they were planning to meet with Dacey on April 28, 2016. Sussmann relayed that he expected Dacey to approve sending the FBI the logs.

On April 28, 2016, Tamene discovered APT-28, or FANCYBEAR, on the DNC 's networks-eight months after the FBI first contacted the DNC.
Despite his earlier conversations with[ REDACTED] about APT-29, or COZYBEAR, Tamene described the discovery of FANCYBEAR as" the first indication that I had of confirmed foreign actors on our network.''

Tamene saw that a utility server that the DNC used to manage adding users to the domain had been compromised.
On that domain server, the DNC used a program called[ REDACTED] to manage password.[ REDACTED] had two-factor authentication, but the IT team received an alert that an IP address was trying to log into the[ REDACTED] account by guessing the password. After examining the[ REDACTED] accesses, Tamene and his team could see that there were nefarious[ REDACTED] access attempts that Tamene described as" irrefutable'' indicators of compromise.

In addition to the[ REDACTED] activity, Tamene and his team also found a" process that[ they] did n't recognize'' running on the utility server.
Tamene told the Committee that FANCYBEAR was running processes at system-level privileges, which could have given them access to" potentially everything... they could delete things, they could copy things, they could exfiltrate things.'' Brown told the Committee that" they were kind of at the heart of the network at that point, by the time we saw them getting administrative passwords.''

On April 29, 2016, after confirming the GRU/FANCYBEAR activity, when he" knew for sure'' that the DNC was compromised, Tamene called Brown, and then Reynolds, to obtain permission to reach out to the FBI.
Brown separately called Dacey and Reynolds to alert them to the problem, but could not reach Dacey. Dacey told the Committee that she received a call Friday evening from Reynolds explaining that" the IT team... had noticed unusual activity on our system and they said that they thought that a breach had occurred and it was not something they had seen before and they were concerned about it and needed help to figure out what was going on.'' Dacey immediately called Sussmann. Tamene and the DNC team, including counsel," spent several hours on the phone thinking through what[ their] were.'' That same day-11 weeks after the FBI 's first request-Tamene sent[ REDACTED] and email stating that the DNC IT department had permission to provide the logs, and subsequently provided the logs to the FBI.

Tamene told the Committee that he texted[ REDACTED] on the night of April 29 and said" we have evidence that we 're compromised; I have the logs ready for you; let me know what you can do.''
[ REDACTED] responded by text and told Tamene" if you need us to help you next week, let me know. I see that you sent us the logs. Thank you.'' Tamene told the Committee," the tone here still was n't` fire drill' or` evacuate.' It was n't that. It was never that. Even after we had confirmed a compromise... there was no sense of urgency from him[ SA[ REDACTED]'] Tamene attributed[ REDACTED] relative calm to the fact that he was a" cool customer'' or that he had not seen the activity Tamene had seen. Tamene was nervous to attempt any remediation on his own because he did not want to" show[ his] hand to the adversary, who may have full control of[ the] network.''

On Saturday, April 30, 2016, Sussmann emailed CrowdStrike President Shawn Henry to discuss a potential incident; on a phone call later that afternoon, Sussmann told Henry that" somebody at the DNC had seen some activity'' and that there had been" prior communications... with the FBI,'' and that Sussmann wanted CrowdStrike 's help.
Later that day, Dacey, Reynolds, Brown, Tamene, Perkins Coie attorneys, and CrowdStrike employees Shawn Henry and Chris Scott had a phone call to discuss incident response options. May 2016

On May 1, 2016, Sussmann, Henry, and one or two CrowdStrike employees discussed more information about the breach and started the paperwork for the DNC to retain CrowdStrike.
Dacey called Congresswoman and then-DNC Chair Debbie Wasserman Shultz that Saturday to let her know" that there was a concern, that we had a problem that they thought' was significant in the system and we needed more information, so that we had brought on CrowdStrike to help.''

Dacey told the Committee that one of the reasons she chose CrowdStrike was because of Henry 's former FBI career, and that the DNC" encouraged[ CrowdStrike] to talk directly to the FBI and that we wanted them to be coordinating and working with them once we knew about the breach.''
That weekend, Tamene and his team wiped their computers and began using a newly created Gmail account to communicate about the incident.

On May 2, 2016, CrowdStrike incident responder Robert Johnston called Tamene to discuss communication and security protocols.
Johnston also gave Tamene a list of technical assets he needed from Tamene,[ REDACTED]. Johnston gave Tamene one of CrowdStrike 's Falcon sensors, a tool which detects nefarious activity presently occurring in the environment. Later on, the DNC IT team had also installed CrowdStrike 's Falcon Forensic Collector, which detects historical suspicious activity. Tamene told CrowdStrike about his earlier conversation with Agent[ REDACTED] about[ REDACTED], and how CrowdStrike helped Tamene to[ REDACTED] to figure out what was going on.'' Henry recalled that during that initial week, CrowdStrike deployed 200 sensor devices on the DNC network. CrowdStrike did not do an assessment of the DNC 's defenses at the time of the attack because their focus was responding to the active intrusion. At the end of the investigation, the DNC discovered that 37 of 700 hosts on the DNC 's network were compromised, including a domain controller.

During this same time period, SA[ REDACTED] and Tamene had technical conversations[ REDACTED].
Tamene recalled that he had spoken with[ REDACTED] on May 2, 2016, to let him know that CrowdStrike was working on the incident response. On May 3, 2016, Agent[ REDACTED] notified Tamene of some areas where the FBI had[ REDACTED] and asked that DNC to do further investigations on its systems.[ REDACTED]. FBI notes show that on May 3, 2016, Robert Johnston, of CrowdStrike, reached out to the FBI to tell them that the DNC had retained CrowdStrike for the incident response.

During the first week of May, Tamene worked with CrowdStrike and participated in daily calls with Brown, Reynolds, Dacey, CrowdStrike, and Graham Wilson of Perkins Coie.
Tamene told the Committee that he spoke with Agent[ REDACTED] after CrowdStrike was retained to confirm that[ REDACTED] was" getting the information he need[ ed] from CrowdStrike.'' When pressed about what exactly was shared with the FBI, Tamene told the Committee that he did not" know for a fact exactly what CrowdStrike gave Agent[ REDACTED] but that" every time that the FBI asked the DNC, the DNC cooperated.'' Tamene told the Committee that he believed that, during the incident response phase, he" passed the baton'' to CrowdStrike to deal with the FBI.

Within a few days, CrowdStrike 's sensors relayed that one threat actor, COZYBEAR," had compromised certain email accounts... Voice over IP servers... servers related to internal text messaging,[ and] text messages in the environment... they had apparently been collecting intelligence going back to July of 2015.''
By mid-May, CrowdStrike" recognized that FANCYBEAR... had been in the environment as early as April 18[ 2016].'' Henry characterized the compromise of the network as" widespread.''

Dacey told the Committee that" within a week a:( tef' bringing on CrowdStrike, Michael Sussmann called to tell her that CrowdStrike had identified one of the perpetrators of the attack as FANCYBEAR," a state-sponsored foreign entity, Russian in nature.''
During this same conversation, Sussmann told Dacey that FANCYBEAR had been" interested in the research files at the DNC'' and that they" had exfiltrated a few files from the system'' related to Trump research.'' A short time after her conversation with Sussmann, CrowdStrike alerted Dacey that they had found a second actor-COZYBEAR-that had been in the system for a longer time, and" seemed to be[ REDACTED].'' CrowdStrike told Dacey that" there was no indication'' that COZYBEAR and FANCYBEAR had known of the other 's presence on the system.

At some point during the remediation process, the DNC IT staff did see one indicator of potential exfiltration.
According to Tamene," it looked like someone took a bunch of files, zipped them, and then charred them to be a bunch of other files so that they can be small, 5-meg uploads out of that system.'' Tamene told the Committee that the folder in the file share was called" Trump.zip.'' Henry testified that CrowdStrike was" able to see some exfiltration and the types of files that had been touched'' but not the content of those files.

In mid-May, Tamene met with vendors as MIS, not as DNC IT staff, about obtaining new email systems and preparing the technical infrastructure for remediation CrowdStrike and the DNC IT staff determined that June 10, 2016, would be the day when the DNC switched to new systems.


The Committee notes there is discrepancy in witness testimony regarding how communicative CrowdStrike was with the FBI during the incident response phase.
On May 20, 2016, Agent[ REDACTED] contacted Tamene for an update on the incident response; Tamene told.[ REDACTED] there had been some developments but that Tamene was unsure what he was authorized to share with the FBI. On May 26, 2016,[ REDACTED] reached out to Tamene again, and Tamene told[ REDACTED] he was authorized to share some information with the FBI, but did not actually share any additionally information on that call. On May 31, 2016,[ REDACTED] called Tamene again. During this call,[ REDACTED] asked for an update and provided[ REDACTED]. Henry told the Committee that one of CrowdStrike 's consultants spoke with[ REDACTED] in May after the Falcon sensors were deployed.[ REDACTED] timeline only includes one CrowdStrike call in May: the initial May 3, 2016, call from Robert Johnston to alert the FBU that CrowdStrike was working on the incident response.

June 2016


On June 10, 2016, the DNC had an all-staff meeting and asked its personnel to return their laptops and devices to the IT staff.
Brown told the Committee:" most people thought they were getting fired. But we had to maintain operational secrecy... we did n't want to tip our hand to the intruders that we knew they were there.'' From June 10, 2016, to June 12, 2016, the DNC IT staff and CrowdStrike unplugged all of the old, potentially compromised systems, and worked to re-image devices and hardware for the new systems. DNC IT staffers used[ REDACTED]. The new network had security" baked in,''[ REDACTED].

On June 13, 2016, Agent[ REDACTED] contacted Tamene[ REDACTED] to ask for an update on the incident response.
Later that day, Sussmann and Henry called then-FBI Assistant Director for Cyber Jim Trainor to tell him that the DNC hack was going to be made public. On June 14, 2016, the DNC told the FBI that the workstations had been re-imaged and compromised servers were remediated. That afternoon, immediately prior to the release of an article in The Washington Post, Wasserman Shultz held a call with DNC officers, including Donna Brazile, to tell them that the DNC had been hacked by a foreign entity and that remediation was underway. Brazile remembered that the call occurred about five minutes prior to the Post story breaking. On the evening of June 14, 2016, The Washington Post published an article about the DNC hack, with quotes from DNC staff, Sussmann, and CrowdStrike employee.

On June 15, 2016, Alperovitch published excerpts from CrowdStrike 's analysis of the FANCYBEAR and COZYBEAR intrusions on CrowdStrike 's blog.
Later that day, after reading CrowdStrike 's blog post, the FBI reached out to the DNC to ask for copies of the malware that CrowdStrike had collected.

That same day, the GRU online persona Guccifer 2.0 made its first public appearance on a newly created website where it released" just a few docs from many thousands... I extracted when hacking into DNC 's network.''
The initial Guccifer 2.0 blog release included the DNC 's Trump research file. The Guccifer 2.0 persona 's Twitter account became operational on June 20, 2016.

As Brown remembers it, a day or two after The Washington Post story," all of a sudden this Guccifer 2.0 persona pops up purporting to be the person, the individual, he claimed, who hacked into the DNC systems and started releasing files that had been purportedly stolen from the DNC.''
Brown told the Committee that there was" definitely an effort to review the materials that were being released by Guccifer...[ by the] folks on the DNC research team and our legal counsel.'' CrowdStrike coordinated with the DNC to look at timelines of what had been exfiltrated.

Henry told the Committee that Guccifer 's claim of sole responsibility for the DNC hack was" very interesting... as an investigator...[ as] an attempt just to refocus blame and throw investigators off the track.''
Henry told the Committee that" operationalizing the intelligence'' through leaks" was a major change in the stakes... Collection of intelligence and espionage is acceptable. The actioning of intelligence to have some type of an operational impact[ was]... kind of a new paradigm.''

On June 16, 2016, FBI personnel including AD Trainor, Cyber Division Unit Chief Unit Chief[ REDACTED], Section Chief[ REDACTED] DNC CEO Amy Dacey, CrowdStrike President Shawn Henry, CrowdStrike employee Robert Johnston, and Michael Sussmann from Perkins Coie met to discuss how CrowdStrike and the FBI would work together going forward and any outstanding requests from the FBI.
Henry Characterized the collaboration as" absolutely'' a" two-way street,'' stating that the FBI and CrowdStrike had"[ REDACTED]'' throughout the investigation.

Wasserman Schultz told the Committee that she" was never told that the FBI had any interest in or requested access to[ the DNC] servers.''
In fact, Wasserman Schultz said that she understood that the DNC cooperated with the FBI through the transition to the new servers, and that" if there was a request, we most definitely would have provided access to our servers.'' Wasserman Schultz told the Committee that she believed her imperative as Chair was to" address. the intrusions and make sure that whatever information the FBI would have needed, that they got it.''

Trainor recalled that Henry and Sussmann had expressed frustration that the FBI had not notified the DNC of the FANCYBEAR and COZYBEAR intrusions earlier.
But, as Trainor pointed out to Henry and Sussmann, that FBI had notified that DNC quickly and repeatedly about the FANCYBEAR intrusions in March-April of 2016. Trainor remembered describing the FBI 's ideal cooperation scenario at this meeting, and he recalled that the DNC response was:" we 'll give you everything you need.'' Subsequently, Trainor had" several conversations with the law firm nearly every day from there on out.''

On June 17, 2016, the day after the meeting at the FBI headquarters, Agent[ REDACTED] reached out to Tamene asking for[ REDACTED]; Tamene said he would ask for authorization to give[ REDACTED] the information.
Despite the initial meeting, and the fact that the DNC"[ REDACTED] the DNC ultimately relayed to Trainor that it would give the FBI access to[ REDACTED].

On June 20, 2016, CrowdStrike reached out to the FBI, and provided some of the indicators[ REDACTED] had requested.
CrowdStrike still had not provided the FBI with forensic images nor an unredacted copy of their report. Around this time, Trainor spoke to John Carlin, then-Assistant Attorney General of the National Security Division, about a grand jury subpoena in the DNC matter. Ultimately, Trainor believed that[ REDACTED] was unnecessary because he" was able to get the DNC to cooperate to some degree or level that was satisfactory and allowed[ the FBI] to pursue the investigation.'' Trainor told the Committee that he was not aware of any situation during his tenure in the Cyber Division where the FBI ever used[ REDACTED] to secure victim cooperation.

July 2016


On July 22, 2016, WikiLeaks began releasing emails captured from the DNC hack.
Although Donna Brazile 's emails were among those publicly released, she said that she never received any official victim notification prior to or subsequent to those releases.

On July 24, 2016, immediately prior to the start of the Democratic National Convention, Wasserman Schultz resigned as DNC Chair and Donna Brazile became Interim Chair.
At around 1:00 p.m. that day, after speaking with Wasserman Schultz, Brazile ran into Mark Elias in the Logan Hotel lobby in Philadelphia. Elias told Brazile details of the hack, including background on the Russian actors and background on CrowdStrike, and he also told Brazile about the work Sussmann had been doing for the DNC. Elias also told Brazile that 127 of her emails had been released. Brazile asked Elias to have Sussmann set up a briefing from the FBI.

In July, as additional material purportedly from the DNC was being released, Johnston called Tamene to ask for help in substantiating that some of the leaked emails were legitimate DNC emails.
Specifically, Johnston wanted to know where emails that were older than the DNC retention policy were stored. As leaked emails were published, the DNC IT staff saw phishing attempts on staff 's personal email accounts" or doxing from details that were released publicly through Wikileaks... there was a lot of activity targeting DNC staff.'' According to DNC IT Director Brown, activity targeting DNC staff was reported to the FBI on an ongoing basis.

August 2016


Brazile told the Committee that as Interim Chair in August, her" total focus'' was cybersecurity.
Brazile wanted to ensure that the DNC was making appropriate notifications to donors and staff whose personally identifiable information( PII) had been compromised, since she herself had PII compromised and had not been notified. Brazile also reviewed invoices at the DNC and discovered that the DNC had" recreated everything the FBI wanted... at a cost of over$ 65,000.

[ REDACTED] On August 2, 2016, the FBI asked CrowdStrike for additional information but" they[ CrowdStrike] insisted DNC legal be involved so... that[ did n't go] very far.''


In early August, DHS reached out to Andrew Brown to provide assistance to the DNC.
Brown directed DHS to contact Sussmann. Brazile 's response to additional aid from DHS was" let 's get some help. We need help.'' On or about August 5, 2016, Brazile attended President Obama 's birthday party at the White House. During the party, both National Security Adviser Susan Rice and Attorney General Eric Holder told Brazile that the DNC needed to cooperate with the FBI.

On August 11, 2016, Brazile received a briefing at the FBI, which DNC Director of Transition Tom McMahon and DNC officers Henry Munoz and Ray Buckley also attended, along with Sussmann and Henry.
At the briefing, AD Trainor and Cyber Division personnel walked through the Russia cyber threat. Brazile told the Committee that she thought the briefing was" professional'' and" thorough'' and that she believed it was her" duty as an American citizen'' the direct the DNC to cooperate. Brazile said that the FBI never raised any issue with the DNC 's cooperation during the briefing. Brazile told the Committee that when she left the FBI she" wanted to go straight to the Pentagon'' because she felt like the DNC hack" was a major attack on our country.''

After meeting with the FBI, Brazile organized the DNC 's Cyber Security Task Force, a group of about 30 volunteers from Silicon Valley, to conduct penetration testing, security assessments, and ongoing cybersecurity support for the DNC.
Tamene told the Committee that the Task Force included the Chief Information Security Officer( CISO) of Google, the former CISO of Facebook, and employees from Lyft, Uber, and Coinbase, among others.

On August 31, 2016, more than two months after Trainor met with senior DNC officials at FBI Headquarters, the FBI received a draft of CrowdStrike 's report that ASAC[ REDACTED] described as" heavily redacted.''
Trainor became frustrated and he told the Committee that when he finally received a copy of CrowdStrike 's report, he doubted its completeness because he knew that outside counsel had reviewed it. September 2016

On or about September 21, 2016, Robert Johnston of CrowdStrike called Tamene to alert him to nefarious activity on the DNC 's Amazon Web Services( AWS) cloud account.
The intrusion involved an actor using a compromised access key to look at the assets in AWS and determine what type of equipment the DNC had. CrowdStrike 's Falcon sensors triggered an alert on the DNC 's Command Hub which helped the IT team find a September 2, 2016 log indicating[ REDACTED]. After discovering that the AWS activity started September 2, 2016, DNC IT staff, CrowdStrike, Amazon Support staff, and the DNC 's Cyber Security Task Force worked together to remediate the incident. Tamene told the Committee that CrowdStrike was coordinating with the FBI about the intrusion, but he himself never spoke with Agent[ REDACTED] or anyone from the FBI during this remediation. Brown told the Committee that the DNC had" worked with law enforcement around'' the AWS incident; but, when asked about whether the FBI was involved, he said he did not know" the specifics of how law enforcement was involved at that point.'' October 2016

Henry told the Committee that" the FBI provided a request[ for forensic images] to the DNC through Perkins Coie'' and that Perkins Coie told CrowdStrike to" give the FBI what you have access to, what you can.''
Henry recalled that CrowdStrike provided the FBI with forensic images, a copy of their report, and a USB with some malware on it.

Brown, Tamene, Dacey, and Wasserman Schultz all told the Committee that the DNC cooperated with the FBI as much as possible.
Brown said:" we gave the FBI everything they ever asked for. I 'm not aware of any decision ever being made to deny a request that the FBI made for something.'' With respect to the confusion about whether or not the FBI had gotten direct access to the DNC 's servers, Brown told the Committee that" a lot of the servers were actually virtual servers'' and that the DNC had taken and[ REDACTED] of all of the running servers. Brown told the Committee that[ REDACTED], as far as I 'm aware. And that was the level of access that was requested.'' According to ASAC[ REDACTED] on October 13, 2016, CrowdStrike sent the FBI a bill for$ 4,000 for the forensic images that FBI requested.

In October 2016, DHS briefed DNC and RNC staff on DHS 's Election Day activities, making both organizations aware that DHS was working with the states to secure voting infrastructure.
Throughout October, the DNC IT staff continued to see intrusion attempts on their network. Brazile told the Committee that the DNC kept the FBI aware of After each attempted intrusion, Brazile had a notification process whereby the DNC would alert the DCCC, the DGSC, the DGA, HFA, and the RNC. Brazile herself would notify the RNC. Brazile told the Committee that the last attempted intrusion she was aware of took place on October 26, 2016. 7. Conclusions

In many ways, the DNC hack was a novel scenario, fraught with confusion and miscommunication, inherently enmeshed in the domestic political space that FBI traditionally avoids.
But in other ways, the DNC hack played out like a typical FBI cyber case-a victim reticent to cooperate with the FBI, a victim who subsequently hires a third-party cybersecurity vendor through counsel, potentially limiting the FBI 's access and insights. While the Committee understands that the FBI operates with limited resources and currently follows a victim-driven model when responding to cyber threats, it is clear to the Committee that the FBI could have, and should have, escalated its messages within the DNC much sooner than it did. The FBI complained about lack of access to the DNC servers and the refereeing of information by Perkins Coie, but ultimately it did not pursue compulsory process, and witnesses admitted that the FBI did eventually get what it needed.

i. Escalation


[ REDACTED] By the time the DNC retained CrowdStrike in May 2016, the FBI had identified two active cyber intrusions on the DNC 's network-FANCYBEAR and COZYBEAR-both of which are associated with the Russian intelligence services.
As Trainor told the Committee:" they had a real mess on their hands.'' Trainor, a 20-year veteran of the FBI who spent the last third of his career on cyber issues, could not think of any other FBI investigation where the[ REDACTE]. As Henry put it," the Russians are probably the most sophisticated foreign adversaries that we have seen in terms of their tactics... their stealthiness, and their creativity.''

But the FBI did not treat the initial intrusion into the DNC like the mismatch it was: sophisticated foreign adversary versus nonprofit.
When asked why the FBI did not just escalate the situation at the DNC,[ REDACTED] ASAC[ REDACTED] told the Committee that he wanted to protect[ REDACTED] equities. But when pressed about whether the FBI ever discussed finding a cleared person at the DNC to receive a defensive briefing,[ REDACTED] said he did not know whether those conversations had taken place. The FBI could have engaged with the DNC Chair, a sitting member of Congress, with a classified briefing, but they continued to engage the DNC 's IT staff, despite the futility of those efforts over a period of months.

DNC IT staffers suggested that more urgent warnings could have helped mitigate the threat sooner, and they contrasted the FBI 's efforts during the 2016 cycle to the 2008 cycle.
As Brown told the Committee:" the DNC had been targeted by Chinese APTs in 2008...[ and] law enforcement had come to the office and met with the- Chairman to tell them: we think you 're under attack... that was not the level of outreach we were getting from the FBI in the fall of 2015.''

During an all-members brief to Congress about the Intelligence Community Assessment( ICA) in January of 2017, Congresswoman Wasserman Schultz confronted then-FBI Director Comey about the lack of engagement with DNC leadership during the hack.
During that exchange, Director Comey defended the FBI and said they had properly engaged and that the Congresswoman should have a follow-up meeting with the FBI. Wasserman Schultz then met with the FBI, which she told the Committee" confirmed... that they did n't do anything proactive to go up the chain of command in the DNC to ensure that we would know about their concerns that a Russian spy agency was on our network.''

ii.
Engagement with CrowdStrike/Obtaining Necessary Investigative Materials

The biggest miscommunication between the DNC, CrowdStrike, and the FBI was the extent to which FBI received or did not receive the materials it needed for its ongoing investigations in a timely manner.


DNC witnesses and CrowdStrike 's Shawn Henry indicated that the FBI received all of the materials it asked for, and that the FBI never complained about the DNC 's cooperation to Wasserman Schultz or Brazile.


Henry told the Committee that CrowdStrike" had more than 100 exchanges back and forth with the FBI,'' including FBI field offices, from May 2016 until September 2017.
But Trainor characterized the DNC 's cooperation as" moderate'' overall, and lamented that getting materials from CrowdStrike and the DNC was" slow and laborious in many respects.'' Trainor testified that the manner in which the FBI received information from CrowdStrike-in a report reviewed by counsel-was not his preference. As Trainor told the Committee:" having that information[ raw data about the computer intrusion] collected, fully viewed by an attorney, scrubbed, sent over to the FBI in a stripped-down version three weeks later is not optimal.''

Trainor told the Committee that while it was common for victims to retain cybersecurity vendors, it was uncommon to have" everything thoroughly reviewed and vetted[ by outside counsel] before being shared.''
Trainor told the Committee that Perkins Coie asked the FBI for a list of forensic images and other technical information that the FBI wanted, and the FBI gave Perkins Coie that list. Ultimately, the FBI got what it needed, including the forensic images from CrowdStrike.

As Trainor told the Committee,[ REDACTED].
Not only does the victim entity know the system best, but multiple personnel on-site allows for skill gaps to be addressed and for expertise to be appropriately marshaled to meet the threat. Further, the use of a cybersecurity vendor and cybersecurity counsel as potential filters for information creates the impression-true or not-that the organization is not being fully transparent with the FBI. Despite what the FBI felt was delayed or filtered cooperation,[ REDACTED] given political sensitivities and the lack of any precedent for doing so.
Highlighted Information
People
Groups
Interactions
Narrative Web
Timeline
Times Cloud
Map
Places Cloud
Subjects Cloud
Actions Cloud
Objects Cloud
Verbs
Nouns
Contexts Cloud
*