Trump Team Planning Possible Retaliation for Classified Leak Allegations

President Donald Trump’s inner circle is war-gaming how best to respond to the Washington Post’s bombshell report that he shared classified intelligence with the Russians about an Islamic State plot, sensitive information reportedly passed to the United States by Israel.

One option under consideration? Attack former President Barack Obama and his administration over their handling of sensitive data, in particular through one information-sharing program regarding cybersecurity threats.

According to a source with knowledge of a White House meeting that took place Wednesday morning, Trump’s team is considering launching an investigation into a Department of Homeland Security program that shares information on cyberattacks in an effort to coordinate globally on countering digital threats, insinuating that it inappropriately opened up streams of sensitive data to Russia and other nonallies. Another option under consideration is placing a story in the media about the program, similarly accusing it of sharing sensitive information.

The White House told Foreign Policy that it was not aware of any such meeting or discussions with Russia to participate in that information-sharing program.

The program in question, known as the Automated Indicator Sharing capability, allows companies to provide information about potential cyberattackers, like IP addresses and emails, to the U.S. government and international partners. The Department of Homeland Security is working on expanding the program to sharing “characteristics of cyberattacks” to help “identify and block adversary methods that we’ve never seen before,” wrote Scott McConnell, a department spokesman, in an email to FP.

The administration’s approach in this instance is a “bag of crazy cats,” the source with knowledge of the meeting said.

Another source close to the White House confirmed to FP that Trump and his team have been interested in targeting the Homeland Security program for the past couple weeks. Nothing has been decided, the source added, but it’s an option on the table.

Sources with knowledge of the program found the idea absurd.

One former Department of Homeland Security official, when contacted by FP and told about the Trump team’s plans, laughed in response. “That doesn’t make sense,” he said.

“It seems ludicrous,” the former official added.

While there is some cybersecurity information that the United States shares around the globe, including with Russia and China, “there’s certain information out there that’s beneficial for everyone to have, like, ‘Hey, this Windows program has a bug.’ When we share cybersecurity information with the Russians, we’re protecting their systems, making sure that no one hijacks their planes and missiles.”

Additionally, the former official said, nothing the department has in its information-sharing program is particularly sensitive. It would just be “indicators of an attack,” the source said. “Nothing is going to be vital to national security.”

McConnell, the Department of Homeland Security spokesman, told FP that all foreign partners “must first be verified” before joining the Automated Indicator Sharing program by contacting the U.S. Embassy in their respective countries. He added that there are currently four international partners, though he didn’t immediately respond to follow-up questions about which countries are involved in the program.

According to the Department of Homeland Security website, the Automated Indicator Sharing program was designed to set up channels where the private sector could hand over malicious IP addresses, the names of fake phishing accounts, and other details concerning attempted or successful cyberattacks. That information, parsed by Department of Homeland Security software, churns out threat data in real time and attempts to match ongoing attacks with digital signatures it recognizes — like the infrastructure or tools used by Russian hacking groups like Cozy Bear and Fancy Bear, the alleged culprits behind the Democratic National Committee breach during the 2016 U.S. presidential election.

Participants in the program can share anonymously, a part of the program designed to encourage openness even in the face of being victimized, although the Department of Homeland Security has at times had trouble eliciting information from companies.

The information-sharing program came under fire when the system triggered false alarms about Russian cyberattacks on private company systems, including one utility company, following the government’s decision to publish a list of threat indicators about Cozy Bear and Fancy Bear in its Grizzly Steppe report. That report, which contained a list of IP addresses and other identifying information about potentially malicious accounts, was prepared by the Department of Homeland Security following concerns that the Russians had been meddling in the election. The alarms aren’t meant to be conclusive evidence of a hack but a cause for a deeper look, the department said.

But the false positives aren’t the target of the Trump team. Sharing information with international partners might be used as an opportunity and excuse for “finger-pointing and house-cleaning” at the Department of Homeland Security, the source with knowledge of the meeting said. Members of Trump’s inner circle are apparently angry with the department for refusing to share certain classified information with White House staffers, because they lack proper clearances — a roadblock the White House insists doesn’t exist, because it has the president’s signoff.

The Automated Indicator Sharing program was born out of controversial legislation passed in 2015 aimed at increasing the flow of information between government and the private sector to confront cyberattacks. Privacy advocates had been concerned that Americans’ personal information would be compromised when companies shared information about breaches — but have been largely reassured since the program was implemented that the government has prioritized privacy protections.

Robyn Greene, a policy counsel and government affairs expert at the Open Technology Institute, told FP during a phone interview that the department has “done a good job of keeping Americans’ privacy at the forefront,” following through on promises to mask personally identifying information. When told about the Trump team’s plans, she told FP, “This is a massive distraction.… The two are totally unrelated.”

One source close to the White House who spoke with FP on the condition of anonymity said the Trump team might have a point that sharing some types of data, regardless of whether it’s masked to protect the privacy of victims, might be concerning if it’s finding its way to nonallies like Russia.

That concern, however, pales in comparison to revealing to Russia specific intelligence Israel shared with the United States about the Islamic State and its plans to embed explosive devices in laptops to target aircraft.

“I don’t understand how they can draw the line between Trump sharing code-name information with the Russians and this,” Greene said.

FP staff writer Elias Groll contributed to this report.

Photo credit: BRENDAN SMIALOWSKI/Getty Images