Lessons learned from hacking an election (Q&A)
CANCÚN, Mexico—John Bambenek has worn many hats: cybersecurity executive, hacker, author, university lecturer, Republican candidate for Illinois state senate among them. He’s also been a recipient of stolen Democratic Congressional Campaign Committee documents.
Some analysts have said the hacker (or hackers) known as Guccifer 2.0, who sent Bambenek the stolen documents, is closely connected with, if not a cover for, Russian intelligence services. But Bambenek has his doubts about how connected Guccifer 2.0 actually is. And in January 2017, Guccifer 2.0 himself denied any connection to Russia.
When he was communicating with Guccifer 2.0 in 2016 over Twitter direct messages, Bambenek was a senior threat researcher and manager at Maryland-based Fidelis Cybersecurity. He is currently the vice president of security research and intelligence at the Illinois-based ThreatStop.
READ MORE ON ELECTION AND VOTING-MACHINE HACKING
For decade-old flaws in voting machines, no quick fix
Post-recount, experts say electronic voting remains ‘shockingly’ vulnerable
Can your vote be hacked—after you cast it?
How Spain is waging Internet war on Catalan separatists
Facebook’s Stamos on protecting elections from hostile hackers (Q&A)
Unlike what one might expect from a professional Russian intelligence operation, Bambenek tells The Parallax, “He didn’t seem to have any relationship with journalists.”
Bambenek describes his plan to contact Guccifer 2.0 in casual terms. As journalists were publicly discussing documents that Guccifer 2.0 had shared with them, Bambenek says he thought he could trade in on his old political-campaign website email to trick the pseudonymous hacker that he wanted stolen documents for a political edge.
He contacted Guccifer 2.0 via direct message on Twitter in August 2016, and he continued corresponding with him, he says, for the next two months. With little effort, Bambenek says, he fooled Guccifer 2.0 into thinking that he would use additional stolen documents against the Democrats—a prospect even a minimal background check on him would have eliminated. Instead, Bambenek says, he “almost immediately” fed the stolen documents to the FBI.
The documents Guccifer 2.0 sent to Bambenek were not related to the higher-profile and more embarrassing hacks against the Democrats revealed during the summer of 2016. Cybersecurity analysts at Fidelis, CrowdStrike, and Mandiant concluded that the voluminous leaks of emails from Democratic Presidential nominee Hillary Clinton, her chief of staff, John Podesta, and other members of the Democratic National Committee were the work of the Russian government.
Bambenek says it’s important to note that not all leak operations are run by professionals. The documents Guccifer 2.0 shared with him, he adds, mostly contained information on noncompetitive races, and thus had no impact on the 2016 elections.
What we need to jealously protect, almost to an extent more than technology, is the confidence in the American public that, when they vote on Election Day, the results they see from the Associated Press is what happened. That at the end of the day, our elections are legitimate, and we’re the ones that decide, not somebody else.
During a phone interview just before the annual Kaspersky Security Analyst Summit (co-sponsored by Avast Software, which sponsors this site) here, where Bambenek presented his experiences with Guccifer 2.0, Bambenek discussed why he and how sought out the documents.
What follows is an edited transcript of our conversation.
Q: How did you get involved with Guccifer 2.0?
I reached out to Guccifer, sent a message, and he sent a response. I ended up using my [former campaign] identity instead of creating an alias, because absent the fact that I was investigating this stuff [as a security researcher, it indicated], you know, “Hey, I’m a Republican. Why don’t you give me documents on these Democrats to play on their particular biases. You know, with political offices being corrupt, party first-ers flip on their country.”
And, in retrospect, there were two other people who did do it, both for nefarious purposes. But I didn’t share it with any campaign. I gave all the data I got almost immediately as I got it to the FBI. I wasn’t part of the investigation or anything like that. I messaged the FBI, “Hey, just so you know, he’s responded to me, and I’m going to try to get everything I can out of him, and we’ll see if anything shakes loose that’s interesting.”
What motivated you to turn them over to the FBI?
To be helpful. And I gave it to them almost more for my own protection, to say, “Hey guys, this is what I’m doing, so don’t think I’m working with a campaign because the last thing I want is being dragged in front of the special prosecutor.”
They said, “OK, thanks for letting us know.” The case was a counterintelligence one and wasn’t necessarily a criminal one. I don’t have security clearance so it’s not like they could have a real in-depth conversation with me. I do work with them on pure cybercrime matters, and in that case, we’re better able to have a conversation. But in this case, when it’s national security, the rules are pretty firm and there for good reason.
Once you started direct-messaging with him, what did he have to offer?
The first time I [made contact with] him, [we messaged for] about a week, and then his [Twitter] account was suspended. And when it got unsuspended, I resumed communication, saying, “Hey, I’m a Republican official. I’m looking for documents.”
He asked what I was going to do with them, and I told him, “Use them for maximum effect.” Right? In my case, “maximum effect” meant investigation.
But I let him believe what he wanted to believe. And he gave me documents. Most of the stuff he gave me, he did release otherwise. I think he got excited at the prospect of giving documents to somebody who could probably use them [for political gain].
Some of the documents that he shared were phone call logs and call sheets. It was kind of very perfunctory, introductory stuff. Some of the documents made reference to some intraparty intrigue between Illinois Democrats. I don’t think he knew what to do with what he had.
[On the other side, and in another election, there was] the baggage that Roy Moore had in Alabama. It doesn’t take a genius to influence an election with that [kind of] information. You just get it out there, and it almost doesn’t even matter how you do it. Those kinds of things can swing an election.
As an analyst, what made you think that Guccifer 2.0 was not a professional intelligence operation?
One day, he started complaining, “Man, this reporter screwed me over. I didn’t think he’d use this quote.”
And I’m sitting there, thinking, have you never talked to a reporter? I mean, you ask if they’re going to record the call. Or you say, “I want it off the record. You will tell me yes, or you will tell me no. If you don’t tell me yes, everything I say could end up in whatever article you write.” And that’s just Media 101. You want to move a message to a reporter, right? You’ve got to package a narrative.
What’s the lesson here for American politics?
Ethically, if you know it’s foreign operatives offering you documents, I would say, either don’t talk to them, or call the FBI, and get the documents in a controlled setting, so that our intelligence community and law enforcement apparatus can figure out what’s going on and try to respond to it.
From a cybersecurity perspective, you should cooperate [with the FBI] because the threat is to the country. The last cycle, the DNC got hacked. I would imagine that if the Russians are going to pick a side [to support] in the 2018 elections, it’s not going to be on the Republican side, but on the Democrat side.
Both parties face the same threat. The cybersecurity professionals in financial institutions cooperate [with one another], even if they’re among competitors. Technology professionals should cooperate and look beyond partisan bias [too], right? At a certain point, it’s time to stand together.
What steps should the government take to protect the American political body?
The one legal difficulty we have is [the perception of] using governmental resources for the benefit of campaigns. There’s kind of this inherent, “We can’t spend time helping the DNC or the RNC—that’s helping the campaign.” Well, if there has to be a legislative fix, so be it. Because from the tactical nature of it, you’re helping the campaign, but from the strategic nature of it, you’re protecting our democracy.
What we need to jealously protect, almost to an extent more than technology, is the confidence in the American public that, when they vote on Election Day, the results they see from the Associated Press is what happened. That at the end of the day, our elections are legitimate, and we’re the ones that decide, not somebody else. There has to be something that, if all else fails, we can do a hand recount. It’ll be tough, it’ll be time-consuming, it’ll be expensive, but we can do it. If we can’t deter election meddling, then how will we deter somebody flicking the lights in the power grid in Ohio?
How did you stop talking to Guccifer 2.0?
About two months in, I forget exactly what question I asked, but the way he responded was, “Is your company going to continue writing about me?” He basically called me out [as a security researcher rather than as a politician, having figured out] that I was playing him. And my kind of snarky response to that was, “Would you like us to?”
Did he respond to that?
No, that was the end of it. At that point, the op was blown, so might as well get a snarky comment in, and call it a day.