On Monday, flanked by his Russian counterpart Vladimir Putin at a press conference in Helsinki, Donald Trump refused to concur with the conclusions of US intelligence agencies that Russia was behind intrusions into computer systems belonging to the Democratic National Committee, Democratic Congressional Campaign Committee, and Hillary Clinton’s campaign during the 2016 elections.
Those intelligence assessments led last week to the indictment of 12 Russian military officers believed to be behind a sophisticated state-backed effort to gain access to and expose Democrats’ email systems involving malware, phishing attacks, social media personas, and Wikileaks, with the purpose of damaging Clinton’s campaign. Yet Trump once again brought out his rambling, stream-of-consciousness theory that Democrats had worked to conceal the real culprit, focusing specifically on the issue of a supposed DNC server that the FBI was never able to investigate:
You have groups that are wondering why the FBI never took the server—haven’t they taken the server. Why was the FBI told to leave the office of the Democratic National Committee? I’ve been wondering that, I’ve been asking that for months and months and I’ve been tweeting it out and calling it out on social media. Where is the server? I want to know where is the server and what is the server saying?
If you believe the president, this mysterious server is the key to solving the riddle of who really gained access to Democratic email systems and proving that allegations of Russian involvement were cooked up to damage Trump’s campaign. The alternate explanation, the one that does not require believing a really obvious liar, is that the physical server in question is more or less irrelevant (and was in fact a network of partly cloud-based systems, not a single box anyone could cart off) and that the president is just squirting out a big cloud of squid ink.
As noted by Motherboard, unplugging a server and hauling it in is actually less useful to investigators than handing them a complete forensic image of it. Volatile evidence, meaning running processes, open network connections, and anything else that lives only in RAM, can be captured from a memory dump only while the machine is still powered on; pull the plug and it is gone. In March 2017, then-FBI Director James Comey told members of Congress that the DNC’s security contractor, CrowdStrike, had provided an “appropriate substitute,” which Motherboard reports is “widely believed” to be such an image of the DNC’s network.
As Johns Hopkins University’s School of Advanced International Studies professor of strategic studies Thomas Rid told the site:
“To keep it simple, let’s say there’s only one server. CrowdStrike goes in, makes a complete image including a memory dump of everything that was in the memory of the server at the time, including traffic and connections at the time,” Rid said. “You have that image from the machine live in the network including its memory content, versus a server that someone physically carries into the FBI headquarters. It’s unplugged, so there’s no memory content because it’s powered down. That physical piece of hardware is less valuable for an investigation than the onsite image and data extraction from a machine that is up and running. The idea a physical server would add any value doesn’t make any sense.”
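What an “image” means in practice, as an added illustration that is not part of the original article and not a description of CrowdStrike’s actual process: a bit-for-bit copy of a storage device, acquired with dd and verified by hash, is evidentially equivalent to the disk itself, which is why investigators routinely accept it in place of the hardware. The memory-dump half of what Rid describes needs separate tooling and is not shown here. The file names and the sample “disk” contents below are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): acquire a bit-for-bit image of a
# storage device with dd and prove it matches the source by hash.
# What this does NOT capture: anything held only in RAM (running processes,
# open connections) is lost the moment the machine is powered down.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/evidence.dev"   # stands in for a real block device such as /dev/sdb1
IMG="$WORK/evidence.img"

# Constructed sample "disk": exactly 64 KiB of zeros with a recognisable header
# written over the first bytes (conv=notrunc keeps the size unchanged).
dd if=/dev/zero of="$SRC" bs=4096 count=16 2>/dev/null
printf 'constructed sample mail spool, not real DNC data\n' \
    | dd of="$SRC" conv=notrunc 2>/dev/null

# Acquire: copy every block. noerror,sync keeps going past unreadable sectors
# and zero-fills them so offsets stay aligned. Caveat: sync also zero-pads a
# final partial block, so an input whose size is not a multiple of bs will hash
# differently from its image. Real devices are whole blocks; loose files may not be.
acquire_image() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Hash source and image; matching digests are the chain-of-custody record that
# the copy is a faithful substitute for the hardware.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Returns 0 when the image is bit-identical to the source.
verify_image() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

acquire_image "$SRC" "$IMG"
echo "source: $(hash_of "$SRC")"
echo "image:  $(hash_of "$IMG")"
if verify_image "$SRC" "$IMG"; then
    echo "image verified: identical to source"
fi
```

Run against a real device you would point `SRC` at the device node, write the image to a write-blocked or separate disk, and record both digests alongside the acquisition time; a single flipped byte anywhere in the image changes the digest, which is exactly what makes the hash pair useful in court.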
It’s true that Comey, as well as other senior law enforcement officials, had previously said that the DNC rebuffed requests for direct access to the servers. But those familiar with FBI procedures insist that it is far from unusual for the agency to forgo physically obtaining servers targeted by an attack. The former special agent in charge of the FBI’s New York field office cyber division, Leo Taddeo, told the Hill last year that “In nine out of 10 cases, we don’t need access, we don’t ask for access, we don’t get access. That’s the normal [procedure]. It’s extraordinarily rare for the FBI to get access to the victim’s infrastructure because we could mess it up.”
Taddeo added that direct access would be unnecessary “unless there was a reason to think the victim was going to alter the evidence in some way,” while another intelligence official told the Hill that CrowdStrike was “pretty good.”
According to Politifact, there is “no indication that the FBI had renewed their request to gain access to the actual server, or that investigating the server copy would have prevented the FBI from tracking down the culprits.”
In other words, the FBI got whatever it needed from CrowdStrike when it comes to the servers themselves. The president unsurprisingly either has no idea how digital forensics work or is playing stupid.
Then there’s also the fact that an image of the servers likely contains only part of the evidence needed to track down whoever attacked the DNC in the first place. The rest has to come from investigating the attackers’ own internet infrastructure, such as the command-and-control servers used in the operation, Rid told Motherboard. The indictment contains exactly that kind of information: the FBI tracked down leased servers in Arizona and Illinois used in the attacks and obtained evidence of how the hackers used Amazon Web Services’ backup feature to copy DNC systems hosted there.
Other evidence, like rumored communications between alleged Russian intelligence officials and Trump associate Roger Stone or cryptocurrency payments they allegedly used to finance the operation, was compiled from completely different sources. As Motherboard noted, special counsel Robert Mueller’s indictment includes evidence like the search histories of Russian agents, malware development records, and “specifics about the types of spearphishing attacks Russians allegedly launched against DNC employees.”
So, to recap: Trump thinks that the Democrats are trying to hide something on a server somewhere, but his fun little theory requires overlooking mountains of corroborating evidence as well as circumstantial tidbits like the fact that he challenged Russia to steal Clinton’s emails the same day the hacking efforts began. It requires ignoring that the “server” is a large computer network rather than a single machine. It also requires looking past the certainty that, as the president, Trump should have been briefed about all of this. So either he deliberately didn’t read the memo (sigh), or he knows full well that the server theory is stupid but likes the mouthfeel of that particular conspiratorial soundbite.
Finally, the guy accused of orchestrating the hacking campaign was standing beside Trump while he was just asking questions about the DNC server. C’mon.
Other conspiracy theories floated by Trump during the press conference on Monday, such as references to a “Pakistani gentleman” who might also be able to exonerate Russia, are equally dumb and explainable. Per NBC, authorities have charged former Democratic IT aide Imran Awan with nothing more than bank fraud unrelated to his job.