The cybersecurity firm CrowdStrike makes a surprising appearance in the recently released notes on the July telephone conversation between President Donald Trump and Ukrainian President Volodymyr Zelensky. The reference is too fleeting and too incoherent to easily follow, so it’s worth revisiting the role of CrowdStrike in the 2016 campaign and why its name is still floating around the president’s head.
CrowdStrike, as you may or may not recall, was the security firm tasked with investigating the Democratic National Committee breach back in May 2016. In June of that year, CrowdStrike co-founder and CTO Dmitri Alperovitch posted about the results of the investigation, attributing the intrusion to two “Russian intelligence-affiliated adversaries,” dubbed COZY BEAR (or APT 29) and FANCY BEAR (or APT 28).
CrowdStrike is a highly regarded security firm and Alperovitch, a Russian-born U.S. citizen, is a well-known expert in cybersecurity circles. Even so, at the time I was critical of the DNC’s decision to use CrowdStrike to investigate the incident rather than turning over the servers to the FBI for a law enforcement investigation. The FBI apparently made multiple requests to access the DNC’s networks but was rebuffed and forced to rely on the CrowdStrike analysis and forensics for its own investigation.
CrowdStrike later said it had provided all of its forensic evidence and analysis to the FBI, but as I argued previously, the DNC’s refusal to let the FBI investigate firsthand “served only to undermine confidence in the ultimate results of the investigation and give the impression of having something shameful to hide. Neither the DNC nor the FBI should have been satisfied with an investigation that did not involve the FBI conducting a firsthand look at the compromised systems.”
None of that is CrowdStrike’s fault, and I’d be willing to bet it did an excellent job investigating what happened at the DNC. But it does open the investigation up for the kinds of criticism and paranoid conspiracy theories that Trump raised in his call with Zelensky. According to the released notes, Trump said to Zelensky:
“I would like you to do us a favor though because our country has been through a lot and Ukraine knows a lot about it. I would like you to find out what happened with this whole situation with Ukraine, they say Crowdstrike. … I guess you have one of your wealthy people. … The server, they say Ukraine has it. There are a lot of things that went on, the whole situation. I think you’re surrounding yourself with some of the same people. I would like to have the Attorney General call you or your people and I would like you to get to the bottom of it.”
To understand this particularly incoherent passage it’s helpful to note that Trump has referenced the possibility of a “missing” server linked to the DNC before. For instance, in a tweet on July 14, 2018, he mused, “Where is the DNC Server, and why didn’t the FBI take possession of it? Deep State?” The president appears to be promoting at least a few misconceptions about the DNC breach: First, that the DNC relied on a single server that stored all relevant data; and second, that the server was at some point misappropriated and shipped to Ukraine, possibly by CrowdStrike, possibly because Trump is laboring under the delusion that Alperovitch is Ukrainian. (He is not.)
All of this is nonsense. As the Daily Beast put it in a headline last year, “Trump’s ‘Missing DNC Server’ Is Neither Missing Nor a Server.” The DNC, like all large organizations, relied on many servers to store and process data and we know, from a lawsuit that it filed last year, that the DNC ultimately had to decommission more than 140 servers, wipe and reboot 180 computers, and rebuild 11 servers as a result of the 2016 incidents.
That’s a perfectly normal, even admirable thing for an organization to do following a security breach—replace and reboot network equipment. There is no indication that any of these decommissioned or rebuilt servers were not subject to the CrowdStrike investigation, or that any of them went missing at any point, or that any of them ended up anywhere in or near Ukraine.
So Trump’s attempt to pressure Ukraine to surface that imaginary missing server is meaningless, except insofar as it gives fuel to misguided conspiracy theories about the illegitimacy of CrowdStrike’s investigation and its findings—theories that Trump ally Roger Stone has also promoted by calling CrowdStrike’s report “inconclusive and unsubstantiated.” CrowdStrike’s report is neither, but the DNC made a strategic mistake in relying solely on a private company for its investigation, thereby opening itself up to these types of criticisms and conspiracy theories. Perhaps Trump would have leveled the same accusations at an investigation run by the FBI. Perhaps he would still have asked the Ukrainian president to locate an imaginary server for him. Probably it would have made little difference to the actual findings—but at the very least, it would have helped avoid sending the message that the DNC had something to hide, much less that they were hiding it in Ukraine.