UNCLASSIFIED, COMMITTEE SENSITIVE

EXECUTIVE SESSION

PERMANENT SELECT COMMITTEE ON INTELLIGENCE
U.S. HOUSE OF REPRESENTATIVES
WASHINGTON, D.C.

INTERVIEW OF: SHAWN HENRY

Tuesday, December 5, 2017
Washington, D.C.

The interview in the above matter was held in Room HVC-304, the Capitol, commencing at 2:00 p.m.

Present: Representatives Conaway, Stewart, Schiff, Speier, Quigley, Swalwell, and Castro.

PROPERTY OF THE UNITED STATES HOUSE OF REPRESENTATIVES

Appearances:

For the PERMANENT SELECT COMMITTEE ON INTELLIGENCE

For CROWDSTRIKE
DAVID C. LASHWAY, PARTNER
BAKER & MCKENZIE LLP
815 Connecticut Avenue, N.W.
Washington, D.C. 20006

For the DEMOCRATIC NATIONAL COMMITTEE
GRAHAM M. WILSON, PARTNER
PERKINS COIE POLITICAL LAW GROUP
700 13th Street, N.W.
Suite 600
Washington, D.C. 20005

Good afternoon. This is a transcribed interview of Shawn Henry. Thank you for speaking with us today. For the record, I am [redacted] of the House Permanent Select Committee on Intelligence. Also present today from HPSCI are Congressman Stewart and Congressman Conaway and Ranking Member Schiff, Congressman Swalwell and Congressman Castro.

Before we begin, I want to state a few things for the record. The questioning will be conducted by members and staff. During the course of this interview, members and staff may ask questions during their allotted time period. Some questions may seem basic, but this is because we need to clearly establish facts and understand the situation. Please do not assume we know any facts you have previously disclosed as part of any other investigation or review.

This interview will be conducted at the unclassified level. During the course of this interview, we will take any breaks you desire. We ask that you give complete and fulsome replies to questions, based on your best recollections.
If a question is unclear or you are uncertain in your response, please let us know. And if you do not know the answer to a question or cannot remember, simply say so.

You are entitled to have a lawyer present for this interview, though you are not required to. I understand that you are represented by counsel, and for the record, we'd ask them to state their details.

MR. LASHWAY: Thank you. I'm David Lashway with Baker McKenzie, counsel to CrowdStrike.

MR. WILSON: Good afternoon. My name is Graham Wilson. I'm at Perkins Coie, counsel to the DNC.

The interview will be transcribed. There is a reporter making a record of these proceedings so we can easily consult a written compilation of your answers.

Because the reporter cannot record gestures, we ask that you answer verbally. If you forget to do this, you might be reminded to do so. You may also be asked to spell certain terms or unusual phrases.

Consistent with the committee's rules of procedure, you and your counsel, upon request, will have a reasonable opportunity to inspect the transcript of this interview in order to determine whether your answers were correctly transcribed. The transcript will remain in the committee's custody. The committee also reserves the right to request your return for additional questions should the need arise.

The process for the interview is as follows: The majority will be given 45 minutes to ask questions. Then the minority will be given 45 minutes to ask questions. Immediately thereafter, we will take a 5-minute break, after which the majority will be given 15 minutes to ask questions and the minority will be given 15 minutes to ask questions. These time limits will be strictly adhered to by all sides with no extensions being granted. Time will be kept for each portion of the interview, with warnings given at the 5-minute and 1-minute mark respectively.

To ensure confidentiality, we ask that you do not discuss the interview with anyone other than your attorney.

You are reminded that it is unlawful to deliberately provide false information to Members of Congress or staff.

Lastly, the record will reflect that you are voluntarily participating in this interview, which will be under oath. I will now go ahead and swear you in.

[Witness sworn.]

Thank you.

MR. CONAWAY: Hang on. The fact that you didn't raise your right hand, is that significant at all?

MR. HENRY: No, sir.

MR. CONAWAY: That doesn't take the --

MR. HENRY: I swear to tell the truth. My hand is up.

MR. CONAWAY: Adam, any comments?

MR. SCHIFF: No. Welcome. Appreciate you coming in.

MR. CONAWAY: Shawn, do you have an opening statement?

MR. HENRY: No, sir, other than I've been in this room many times in my prior life in the FBI. I've spoken before this committee, coincidentally, about cybersecurity, many times over the last probably 9 or 10 years. And I appreciate what the committee is doing. I want to sit here and talk to you about the facts, as I know them, and to provide any information that would be of value to you.

MR. CONAWAY: Well, thank you. We'll start with Chris. Thank you, sir.

MR. STEWART OF UTAH: Thank you, Mr. Henry, for joining us, for your counsel as well. And the good news for you, sir, is that I'll be leading some of the questioning today, and I'm not an attorney. And I think --

MR. HENRY: Thankfully. Sorry.

MR. STEWART OF UTAH: I think that you'll see maybe different circumstances or the questioning will be much less formal. And, again, I'm not an attorney nor a prosecutor as some have.
We just want to try and get some information and background on you or from you, and we look forward to learning more on what turns out to be one of the pivotal and one of the -- you know, one of the most important elements as we look at what's happened over the last, you know, 14 or 15 months.

So maybe you could begin by describing your relationship with the DNC, if you would, and specifically understanding that you were hired by the DNC subsequent to the hacking of their servers during the 2016 election. Could you give us some background on, again, your relationship with them, your professional relationship, the dates, and how long that's existed?

MR. HENRY: Yes, sir. I worked with Michael Sussmann, who is counsel at Perkins Coie, when I was in the FBI, in the FBI Cyber Division, probably back in the early 2000s. Michael was an attorney at the Computer Crime and Intellectual Property Section at the Department of Justice, where I knew him. We had just a professional relationship. I don't have any recollection of ever socializing, so -- but I did see him for lunch a couple of months before he called me for this. It was just to catch up, how are you?

MR. STEWART OF UTAH: And when was this?

MR. HENRY: I would say in early 2016. It may have been the wintertime, January or February, prior to the call. Just telling him what I was doing in the private sector. I would occasionally bump into him at an event at the Department of Justice or some like a holiday party, that sort of thing. But we didn't have a social relationship.

He contacted me in -- as it relates to this matter, April 30th of 2016. And he said that he had a client and they had seen some unusual activity in their -- in their network environment. And he asked if we were able to help them, if I was
And he asked if we were able to help UNCLASSIFIED, COMMITTEE SENSITIVE PROPERTY OF TTM I.INITED STATES HOUSE OF REPRESENTATIVES 7 UNCLASSIFIED, COMMITTEE SENSITTVE able to help them with my team. He was aware that we do cybersecurity, we have developed technology that helps to identify attacks in environments, and that we also do incident response services where, when we identify or when an attack is identified we come in and help the organization identify the methodology by which to remediate the network. MR' STEWART OF UTAH: And did he describe it as unusualactivity? MR. HENRY: That's my characterization. He was concerned that there was something going on. He didn't -- I think on April 30th, I don,t think he told me that it was the DNC, but it was a client. I contacted -- if I recall correcfly, he sent me an email. I was on a plane. I told him I'd call him when I landed. And then, when I landed, I did contact him by phone. He may have said it was the DNC then. But he wanted to talk to rne and my team about __ about coming in and doing an evaluation or an assessment of their network. MR. STEWART oF urAH: so he may or may not have described the client as the DNC' but I want to clarify. Did he describe it as unusual activity, or did he say, I have a client who's been hacked, or did he give you background on what his concerns were? MR' HENRY: I don't recallwhat his words were, but the implication to me was he had a client who had been hacked. And I don't remember exacily what he said, but that was the implication. MR. STEWART oF UTAH: okay. Because they - wourd they have known that at that point, that they'd been hacked? And if they would have, do you know how they would have known that? MR. HENRy: so it depends. would they have known it? lt depends on what they may have seen, if they saw some type of unusual traffic at the network I.INCI,ASSIFIED, COMMTTTEE SENSTTIVE PROPERTY OF THE TINITED STATES HOUSE OF REPRESENTATIVES 8 UNCLASSIFIED, COMMITTEE SENS]TIVE layer. 
I subsequently became aware that they had been contacted previously by the FBI. So I think, in looking at the communications they had with the FBI and then whatever traffic that they saw or unusual activity, it led them to believe that they needed to contact somebody to do a full examination of the environment.

MR. STEWART OF UTAH: Okay. And as I recall, the FBI initiated contact with them. Is that your understanding?

MR. HENRY: That is my understanding, yes, sir.

MR. STEWART OF UTAH: And that was conveyed to you as well?

MR. HENRY: By Michael Sussmann, yes, sir.

MR. STEWART OF UTAH: Yeah, yeah. And do you know anything about the substance of that contact, what information was shared by the FBI with the DNC?

MR. HENRY: I do know after the fact, not before. Sussmann talked to me, and it would have been over the course of a couple of days from April 30th, when he first contacted me and said, I have somebody that I want you -- a client that has a problem or an issue. I contacted him that night and then shared -- had a couple members or at least one member from my team get on the phone with him the next day on May 1st to talk about it. And then he had shared with me some of the substance of the communications between he and -- or the DNC and the FBI.

MR. STEWART OF UTAH: Okay. Maybe -- I have some questions, but I'll follow up. Maybe if you'd just continue the narrative. So you have a phone call from an associate, and he says, you know, we have some problems we're worried about. And then did he contract with you at that point or --

MR. HENRY: Yes. Over the course of the next day or two, we talked about what a contract would look like and us coming in to initiate an evaluation of their network.

MR. STEWART OF UTAH: Okay. And can you describe for us the terms of that contract?

MR. HENRY: In terms of?

MR. STEWART OF UTAH: Like duration, for example.
I mean, I don't think we're particularly interested in the financial value of the contract. Maybe others are. But, I mean, mostly the duration, or was it just "come look at this one thing," or was it --

MR. HENRY: I think that -- well, typically -- and I don't recall specifically, but typically it's, you know, a bucket of hours. You know, we'll come in for a hundred hours at X number of dollars, and we'll do an evaluation, and then we'll make a determination after that initial triage what other steps might be necessary.

MR. STEWART OF UTAH: Okay. And was this work that you would do yourself or you would have your employees?

MR. HENRY: My employees. I would not.

MR. STEWART OF UTAH: Was it unusual to you in your line of work for a client to say they'd been contacted by the FBI or by any law enforcement agency and be told, we think you've been hacked? Is that --

MR. HENRY: That's not unusual.

MR. STEWART OF UTAH: It happens frequently?

MR. HENRY: Periodically, I would say. I wouldn't say frequently, but periodically.

MR. STEWART OF UTAH: And I guess at that point, the FBI doesn't offer to remedy that. They're just advising them, right?

MR. HENRY: The FBI will typically provide intelligence information or direction or guidance, but they will not do what we would call a remediation.

MR. STEWART OF UTAH: And what is a remediation?

MR. HENRY: A remediation is coming in to do a technical analysis of the environment and then, if identifying an adversary on the environment, taking steps to essentially build a new environment and moving the adversary off of the old environment.

MR. STEWART OF UTAH: So help me understand. I don't want to come back to that, because I don't understand that well, but I think I got enough to go on for now. Help me understand if they suspect a hack has occurred, which is criminal activity, true?

MR. HENRY: Yes.

MR. STEWART OF UTAH: So there's a crime that's been committed.
Why would not the FBI have at least some role in the investigation subsequent to that hack?

MR. HENRY: So why would the FBI not have a role?

MR. STEWART OF UTAH: Yeah. I mean, they said: Hey, they contact them. You've been hacked, which is a crime. I don't understand why the FBI wouldn't lead or at least have some role in investigating the evidence associated with that crime.

MR. HENRY: So -- excuse me one minute, because I have something I --

So, just to preface my statement, because I think it's important, one piece to understand. Typically, the FBI looks at computer intrusions, based on, from a national security perspective as well as a criminal perspective. And actions they may take in an environment are often directed by that, who the actors may be -- generally, the FBI.

As it relates to this case, we shared intelligence with the FBI. We had contact with them over a hundred times in the course of many months from June of 2016 up through current time, in the last couple weeks, I imagine.

MR. SWALWELL: A point of order. My understanding is this interview was unclassified. Is that right? Can we just clarify if the witness had classified -- my sense is that there's some sensitivities around classified information, and this setting is part of the issue. That's just what I'm --

MR. STEWART OF UTAH: I'm not sure I understand his -- There hasn't been anything classified said so far.

MR. SWALWELL: I don't understand. It looks like he may have classified information to share, and that's the issue.

MR. HENRY: I'm not sharing any classified information.

MR. SWALWELL: I guess through questions, I think it may be touching on that.

MR. STEWART OF UTAH: Okay. Answer as best you can I guess is all I can say, but let's be careful in your -- does your -- for further background, does your firm work in classified, and do you have security clearances?

MR.
HENRY: There are people on my team who have security clearances, including me.

MR. STEWART OF UTAH: Okay. Active security clearances?

MR. HENRY: Yes, sir.

MR. STEWART OF UTAH: That allows you access to SC or above?

MR. HENRY: I do have an active security clearance. And just to clarify, do you know what my background is?

MR. STEWART OF UTAH: I do. Yes. So it's --

MR. HENRY: So I mean, I ran that program.

MR. STEWART OF UTAH: Right.

MR. HENRY: So I do have a clearance, but there's nothing that I've said that's classified.

MR. STEWART OF UTAH: Yes. And I appreciate, Eric, your -- you know, we want to keep this in the proper setting.

MR. HENRY: Understood.

MR. STEWART OF UTAH: And if there's questions -- or if there's information especially that you believe is relevant and we need to, you know, arrange an interview in a different setting, we'd certainly be willing to do that.

MR. HENRY: Yes, sir.

MR. STEWART OF UTAH: Okay. Let me go back, if I could, to where I'm trying to understand. And I'm really not -- this isn't a "got you" kind of thing. I have no "got you" here. I'm just trying to figure this out.

So, if my questions seem uninformed, I'm admitting to you that they are, because I don't have a background in this. It just is interesting to me, and it seems, I don't want to say inconsistent, but curious to me that there would be evidence of a crime and that there wouldn't -- especially with a client. Now, you may not have been aware of the client initially, but -- and you quickly became aware of the client.

MR. HENRY: Very quickly.

MR. STEWART OF UTAH: Yeah. I mean, this isn't Joe's Pizza. This is something else with much more intense, I don't want to say national security, but political and other interests.
I mean, this client is, after all, a national figure in the middle of a national campaign. Did it strike you as curious or -- that the FBI didn't take the lead in this investigation? And who makes that decision? Does the FBI -- let me ask you this way: In your experience, whether in your official capacity in the government or now as a private contractor/business owner, do you have examples of where something similar like this happened, but the FBI or any other law enforcement organization came in and said, "We're going to take the lead on this, this is a criminal matter, we're going to do the investigation"?

MR. HENRY: In these types of cases, my experience typically has been notification made to the victim about what has occurred in their environment, not that the FBI would typically come in. And they certainly wouldn't conduct a remediation. And they --

MR. STEWART OF UTAH: And remediation is protecting the --

MR. HENRY: Remediation is essentially cleaning it up. Something bad has happened. There's been an actor. There's malware, malicious software in an environment. Somebody has access to what's occurring in the environment. So the remediation is cleaning out the bad stuff and putting in place infrastructure that is safe and secure.

MR. STEWART OF UTAH: So, in this case and generally, it's to protect the client. It's to protect their security from that point forward as best they can.

MR. HENRY: Yes, sir.

MR. STEWART OF UTAH: Okay. So you were saying that generally, they -- the FBI doesn't do remediation, but --

MR. HENRY: They make notification.

MR. STEWART OF UTAH: Okay.

MR. HENRY: They often collect intelligence that's of value to the broader Intelligence Community.

MR. STEWART OF UTAH: Okay. And were they able to do that in this case?
MR. HENRY: I don't know what they had access to in the environment. I can tell you that the intelligence that we shared with them, including forensic information, indicators of compromise, which are pieces of malware, et cetera, we provided all of that to the FBI. Starting in June of 2016, we provided them the data that would have been of value to them.

MR. STEWART OF UTAH: Okay. Did they indicate to you at any time who they suspected or who they feared, any inference at all about who might have been responsible for this hack, or these hacks?

MR. HENRY: I don't recall when we came in. There had been some notification to the DNC in the months prior to the phone call that I mentioned I received from Sussmann. When Michael Sussmann provided me with information that the FBI had contacted the DNC, he said that they had told him -- they used a term that I know is related to the Russian Government.

MR. STEWART OF UTAH: And that was -- I'm sorry, that was when, at what point in this relationship or this work?

MR. HENRY: I found that out from Sussmann the first day or two after he made notification, so April 30th or May 1st of 2016, but that that notification had been made to the DNC months prior.

MR. STEWART OF UTAH: Okay. So the DNC is notified by the FBI that they've been hacked and that they believe the hack occurred by a foreign government, in this case Russia.

MR. HENRY: So let me -- yes, but let me clarify, if I could. When we say "the DNC," my understanding is there was a contractor who was administering the network for the DNC, and he was the one that had been contacted by the FBI for months leading up to the phone call that I got from Michael Sussmann.

MR. STEWART OF UTAH: Okay.

MR. HENRY: So when I -- I want to be clear. When I say the DNC, he wasn't a DNC employee. He was a contractor that was administering the network for the DNC.

MR. STEWART OF UTAH: All right. So I want to make sure I understand this. So DNC exists. They have a network.
They have a contractor providing security for that network. That contractor is notified by the FBI that there's been a breach and that they believe the breach occurred, or a hack, by the Russian Government.

MR. HENRY: So the -- so the term that the contractor -- the contractor said that the FBI told him the Dukes, D-u-k-e-s, was identified. I don't know if the contractor knew that the Dukes were associated with the Russian Government.

MR. STEWART OF UTAH: Is that a common term, the Dukes?

MR. HENRY: It's a -- oftentimes, adversaries are given a code name or some type of a reference, and that people in the industry become familiar with the nomenclature. And the Dukes is a common term associated with an actor that many people who work this type of -- do this type of work in the private sector refer to that Russian actor as.

MR. STEWART OF UTAH: Okay. So it's not just the FBI or just your office. I mean, someone who worked professionally --

MR. HENRY: Yes, sir.

MR. STEWART OF UTAH: -- and is competent in this industry would know what the Dukes were?

MR. HENRY: Yes, sir.

MR. STEWART OF UTAH: And you would have expected this contractor to know what the Dukes were --

MR. HENRY: Well --

MR. STEWART OF UTAH: -- assuming that they were --

MR. HENRY: So, when I say "people who work in the industry," I'm referring to people like my company and others that respond to these types of incidents. I don't know what the contractor's security proficiency was or what his access to other types of information was.

MR. STEWART OF UTAH: So your understanding is that, when the FBI contacted this contractor, they may or may not have said Russia, but you believe they did say the Dukes. Is that true?

MR. HENRY: That is true.

MR. STEWART OF UTAH: But they might have said Russia, you just don't know?

MR. HENRY: I don't know that.

MR. STEWART OF UTAH: Okay. Is there any reason you believe it was just the Dukes and not Russia or -- I mean, did they indicate to you after in subsequent conversations what they were told?

MR. HENRY: He said the Dukes.

MR. STEWART OF UTAH: But when he said it with you, he indicated he knew who the Dukes were at that point?

MR. HENRY: So that's not -- I wouldn't say that. I saw what I saw -- let me be clear here, because as you and I are speaking I'm saying "he said." There was a document that I read that was a summary from the contractor of his communications with the FBI. I read the document. I never personally spoke with the contractor, but I read the document that I was told the contractor wrote.

MR. STEWART OF UTAH: Got you.

MR. HENRY: Which was essentially a chronology.

MR. STEWART OF UTAH: Got you. And that makes it harder to infer meaning into words other than what you might have been able to pursue more in a conversation.

MR. HENRY: Yes, sir.

MR. STEWART OF UTAH: I understand. Okay. Let me go back, if I could, just a little bit. But the word "Dukes" was in the document.

I want to understand better your experience, again, both officially as a government agent and now in the private sector. If an entity like the DNC or any, you know, organization that has the obvious impact or import of the DNC had been informed that they had been hacked and by -- hopefully they understood -- by a foreign government, what would that organization typically do? I mean, wouldn't law enforcement at some point be involved with that investigation?

And, again, I've asked this question before. I just want to -- I don't think we got a chance to fully answer it.

MR. HENRY: So I'm sorry, if you could repeat the question.

MR. STEWART OF UTAH: Well, I'm just kind of framing it up.
Again, we have an organization, a very important national organization has been informed by a law enforcement agency, in this case the FBI, that they have been hacked and, in fact, hacked by a foreign government.

It would seem to me that the FBI or some legal and investigative -- you know, official investigative body would be involved with that. Am I misreading that? What makes that assumption on my part fallacious?

MR. HENRY: I don't think it is. When you ask, though, about the DNC being notified, again, my understanding is the only person that was notified was the contractor. At what point officials in the DNC became notified, I'm not aware of that.

MR. STEWART OF UTAH: Okay. That actually -- let me pursue that line, if I could. I'm sorry. Did you want to --

MR. HENRY: No. I mean, just to go back to a comment I made earlier about the FBI and the investigation, that we did provide the FBI with information. They were conducting an investigation. Whether they were feeding back information to the DNC or not, I don't know, but they were conducting an investigation, to my understanding. And when we sat with them in June, we provided them with a lot of the indicators, the malware, and other pieces of code that we took off of the computer network.

MR. STEWART OF UTAH: Okay. Could they conduct their own investigation in a thorough fashion without access to the actual hardware?

MR. HENRY: Maybe. It depends on what else they had access to. They may have if they had access to other pieces of information.

MR. STEWART OF UTAH: What else could -- I mean, what other pieces of information would allow them to do a complete investigation without access to the hardware that was hacked?

MR. HENRY: So, right, we're in an unclassified environment, and I would be speculating. But having been in that space, I could tell you in a different environment.

MR. STEWART OF UTAH: Okay. Maybe we'll follow up with you on that then. Let me ask you just to surmise. Are you comfortable that someone could complete a thorough investigation, using other tools, without direct access to the hardware or the equipment?

MR. HENRY: Could they come to a conclusion? You're asking a nuanced question. And I'm not being cagey. I want to be clear, because this is an important point.

MR. STEWART OF UTAH: Well, let me rephrase that, and it will maybe make it simpler. Would it be better if they had access?

MR. HENRY: As an investigator, and I've been an investigator for almost 30 years, the more information you have access to, the better in any investigation. But it doesn't mean that a lack of a piece of information precludes you from coming to a conclusion.

MR. STEWART OF UTAH: And I could see that. So let me surmise this and tell me if this is wrong: You could have a better investigation if you had access to all of the equipment or hardware or whatever that was available. You would be able to do a better investigation.

So the question is, would there be reasons for not making that available that override the benefit of having a more conclusive investigation? Is that a fair summary? If someone wasn't going to make that available, they would have to have reasons for not doing that because they would likely have a less thorough investigation by not making it available?

MR. HENRY: You're asking me to speculate. I don't know the answer.

MR. STEWART OF UTAH: By the way, you need to pay him well, because he's obviously serving you well today as you guys have your conversations back and forth together.

MR. HENRY: I want to be very clear on what I'm telling you. It's important to me.

MR. STEWART OF UTAH: Okay. I appreciate that. And we do; we want clarity. And by the way, when we're talking, you know, on the edge of, you know, very sensitive subjects, we appreciate that you're being careful.

MR. HENRY: That's all.

MR. STEWART OF UTAH: And believe me, we understand that. I have a lot of conversations when I think, "Oh my gosh, did I say something I shouldn't have." I think we all have.

Could we talk a little bit about the memo that was provided you, and you said it laid out -- I believe you said it laid out the information that you -- and that's where you first heard the reference to Dukes.

MR. HENRY: Yes, sir.

MR. STEWART OF UTAH: Could you give us kind of the content of that memo and surmise what it told you?

MR. SCHIFF: May I ask a question? Any reason we don't want to do this in classified session when he can answer all these questions without having to worry about what's classified and not classified? Any reason we don't want to do that in a classified session?

MR. STEWART OF UTAH: Counsel is not cleared.

MR. SCHIFF: Counsel is not cleared. Thank you, Mr. Chairman. Sorry to interrupt.

MR. STEWART OF UTAH: How much time?

You have 25 minutes.

MR. STEWART OF UTAH: So 20 down?

Excuse me, 20 minutes. Ten till.

MR. SCHIFF: Mr. Stewart, you missed your vocation. You're doing an excellent job on your questions.

MR. STEWART OF UTAH: Oh, thank you. I dream of being an attorney one day, right? I'm not smart enough.

MR. CONAWAY: Prosecutor, actually.

MR. STEWART OF UTAH: I'm not smart enough for this.

MR. CONAWAY: Go all in.

MR. STEWART OF UTAH: I don't know if I asked -- oh, I asked you for the chronology. You just said the synopsis of what the memo that was provided you. If you could tell us, you know, what information it gave you.

MR.
LASHWAY: Just for the record, some of the comments we were just discussing, as Mr. Henry indicated, certain of the work that was performed was performed at the behest of counsel, Perkins Coie, Mr. Sussmann's law firm. Therefore, certain of that information, the DNC, as the client of Perkins Coie, has asserted privilege and some confidences over certain of that information, sir.

And so we would turn to Perkins Coie, as counsel to the DNC, to ensure that Mr. Henry can actually answer some of these questions relating -- some of that information that would otherwise be considered protected by the DNC, as the client.

MR. STEWART OF UTAH: Okay. Counselors.

MR. LASHWAY: I apologize.

MR. WILSON: Yes, thank you. And on behalf of the DNC, the DNC takes the work of this committee and this investigation incredibly seriously. It was the victim of, you know, a horrible intrusion and wants to cooperate in every way that we can in order to provide this committee all the information it needs to get back.

So, as Mr. Lashway referenced, CrowdStrike was working for Perkins Coie and was performing work in order to help Perkins Coie advise the DNC on this matter.

MR. STEWART OF UTAH: If I can just clarify one thing you said. CrowdStrike was working for Perkins Coie. Is that the contract was actually with the law firm then?

MR. WILSON: Correct. We had a contract between Perkins Coie and CrowdStrike, with a scope of work for the DNC-specific work.

MR. STEWART OF UTAH: So does that mean that you never had a contract, Mr. Henry, with the DNC directly then?

MR. HENRY: I mentioned it was with Michael Sussmann from Perkins Coie.

MR. STEWART OF UTAH: Good. Thank you.

MR. WILSON: So the one thing I would want to say is I think we are not waiving any of the attorney-client privilege over the work product here today. That being said, we are trying to -- you don't hear me piping up, "don't say this," "don't say that," because we want Shawn to be able to give you the information that was relevant to this investigation so you have it.

MR. STEWART OF UTAH: Yes.

MR. WILSON: And we're happy to have him do that. And without -- again, I'm not waiving any privilege. We're happy to have him continue to go. With the request for a specific document and the contents, you know, like that, that was a DNC document, if you want to put that question to the DNC, we'd be -- I'd be happy to discuss that with him and we can come back to it.

MR. STEWART OF UTAH: Well, that seems perfectly fair. And we'll talk with counsel and get back to you on whether we'd like to request a document.

Could I ask this: I mean, can you share any information with us just in regards to the work and how you started that work? Did the memo help you get started or did it share information with you that, you know, would not violate client privilege that, you know, would be helpful to this committee to understand?

MR. WILSON: I'm fine with you answering that.

MR. HENRY: It was a chronology of FBI communication with the contractor. He'd been called over the course of several months. He'd been contacted. And it just summarized different phone calls and different meetings he had with the FBI.

MR. STEWART OF UTAH: So it was more detailed, but essentially what you've told us up to this point, basically?

MR. HENRY: Yes, sir.

MR. STEWART OF UTAH: Was there ever indication or evidence that the contractor had communicated what he knew -- because that's one of the central questions -- what he knew -- to the leadership of the DNC?

MR.
HENRY: I don't -- I don't recall that being in the document, and I don't have any knowledge or any recollection of that.

MR. STEWART OF UTAH: Okay. So, as far as you know today, he may or may not have communicated immediately to the DNC, or he may have never communicated to the DNC? You don't know?

MR. HENRY: I don't know.

MR. STEWART OF UTAH: Could you -- would you maybe just continue with your narrative then. So your initial contact told this information and you begin your work within a few days, as I understand it.

MR. HENRY: Yes.

MR. STEWART OF UTAH: And would you just conclude with what you discovered and how you discovered it and what you did with that information?

MR. HENRY: So we did -- we did some forensic analysis in the environment. We deployed technology into the environment, into the network, software called Falcon that essentially looks at the processes that are running on different computers in the environment. We also looked historically at the environment, using a different piece of software to look backwards at what was happening in the environment. And we saw activity that we believed was consistent with activity we'd seen previously and had associated with the Russian Government.

MR. STEWART OF UTAH: And can you identify that as being -- with a fair degree of confidence that it's associated with the Russian Government?

MR. HENRY: We said that we had a high degree of confidence it was the Russian Government. And our analysts that looked at it that had looked at these types of attacks before, many different types of attacks similar to this in different environments, certain tools that were used, certain methods by which they were moving in the environment, and looking at the types of data that was being targeted, that it was consistent with a nation-state adversary and associated with Russian intelligence.

MR.
STEWART OF UTAH: Okay. Are there other nation-states that could have -- based on this evidence, that could have been the perpetrator?

MR. HENRY: There are other nation-states that collect this type of intelligence for sure, but the -- what we would call the tactics and techniques were consistent with what we'd seen associated with the Russian state.

MR. STEWART OF UTAH: And so, because I'm not familiar with this, I'm trying to give it a little more context. You said high confidence or high degree of confidence. We use that phrase in the IC, as you know, and it means, you know, something, but it's not, you know, absolute in its meaning. And so an analogy might be a fingerprint. You know, if you have a fingerprint and I know that that fingerprint's a match -- and I understand kind of because of my life and just being alive and knowing -- that's fairly accurate, a high degree of confidence. Is that the same level of confidence as a fingerprint, or is it something less than that, in your ability to define it as the Russian Government?

MR. HENRY: There wasn't a videotape --

MR. STEWART OF UTAH: Yeah.

MR. HENRY: -- of the Russians with their fingers on a keyboard, but the activities were consistent with what we'd seen previously, targeting other -- the State Department, for example, the Joint Chiefs, other governments, Western governments. And it was consistent with what we'd seen previously and associated with the Russian Government.

MR. STEWART OF UTAH: Okay. And in those other instances you mentioned, was there any subsequent evidence that verified it really was the Russian Government that maybe wasn't found in this case? In other words, you can make your initial analysis: We think this is the Russian Government. Then, as
Then, as UNCI.ASSIFIED, COMMITTEE SENSITIVE PROPERTY OF THE LTNITED STATES HOUSE OF REPRESENTATIVES 26 UNCLASSIFIED, COMMITTEE SENSITIVE Russian time plays out, you have other evidence that proves, yeah, it was the Government. I'm sure that's been the case in some cases, right? -- you look MR. HENRY: I think that when you're looking at attribution, it's period of time' years in at an aggregate across many different attacks over a long you to a certain conclusion' many cases, and the intelligence that you collect leads I think that's the case here' lvlR. STEWART OF UTAH: Okay. I have just a few more questions' Then I'll see if the chairman wants to follow up on anything. you've laid out' Kind of encapsulating, and I think I understand the narrative well, I tellyou what: Mr. Henry, conclude, wOUld yOu please? so you started, how long? you did your analysis. You drew your conclusions, and that took about and then MR. HENRY: So the analysis started the first day or two in May, that was about 4 to 6 remediation weeks. I think, on June 1oth, we started what we call the event. so we collected enough intelligehce. we identified where plan to the adversaries were in the environment' We came up with a remediation say we see them in multiple locations. This - these are the actions that we need that the to execute in order to put a new infrastructure in place and to ensure adversaries don't have access to the new infrastructure. So that would have been June 1oth when we started. And we did the remediation event over a couple of days' May to MR. STEWART OF UTAH: And while you're investigating from June, is the DNC, is the client still vulnerable at that time? MR. HENRY: Yes. able to MR. STEWART OF UTAH: And is the adversary aware, are they see your activities? UNCLASSIFIED, COMMITTEE SENSITIVE PROPERTY OF THE IINITED STATES HOUSE OF REPRESENTATIVES 27 UNCLASS]FIED, COMMTTTEE SENSTTIVE MR. HENRy: The idea is that they don,t. we don't know if they did. 
We don't have any indication that they did, because we want to be surreptitious for that very reason.

MR. STEWART OF UTAH: Okay.

MR. HENRY: So that they don't take actions.

MR. STEWART OF UTAH: Yeah.

MR. HENRY: I don't have any reason to believe that I can recall that we thought they knew.

MR. STEWART OF UTAH: Okay. So, at the end of the 6 weeks, you've concluded your work or close to it?

MR. HENRY: To be clear, our goal, my goal was to protect the client. We were hired to protect the client. We identified an adversary there. The goal was to make sure that the adversary was removed and the client had a clean environment with which to work.

MR. STEWART OF UTAH: And at the end of that period, you feel you'd been able to accomplish that?

MR. HENRY: At the end of June, June 12th, when we did the remediation event, yes. But we also know that it is common for an adversary to try and reacquire a network when they're moved off. That's common knowledge in this business. So we had technology deployed that would help us identify if they were back in.

MR. STEWART OF UTAH: And, to your knowledge, they were not able to after June 12th?

MR. HENRY: There was another activity in the environment. We didn't do direct attribution back in that case. They were different tools that were not similar or consistent with what we'd seen the first time.

MR. STEWART OF UTAH: And when was that?

MR. HENRY: In September of 2016.

MR. STEWART OF UTAH: And when you say you didn't do attribution back, does that mean that you didn't attempt to or you weren't able to?

MR. HENRY: We weren't able to. We didn't -- there were different toolsets in the second, the second attack.

MR. STEWART OF UTAH: But apparently, it was --

MR. HENRY: We did -- we -- to be clear, we -- our technology -- the attack, the second breach was in an environment that had not -- did not have our technology deployed into it. When the adversary, whomever that was, when they moved to one of the computers that had our technology, we alerted and recognized that there was another attack in the environment.

MR. STEWART OF UTAH: In this case, it was unsuccessful?

MR. HENRY: No, it was not unsuccessful.

MR. STEWART OF UTAH: It was a successful breach again?

MR. HENRY: Into parts of the environment that did not have our technology in it.

MR. STEWART OF UTAH: Okay. And then did that lead to another remediation for you?

MR. HENRY: Yes, it did.

MR. STEWART OF UTAH: Looking at this kind of in its entirety -- now, let me ask you, is there anything more that you would add to, you know, your work in this regard?

MR. HENRY: More that I want to add? Can I stay all day? So --

MR. STEWART OF UTAH: And let me -- I'll narrow my question, if I could, because that's an unfair question, I mean, because -- in regards to your work with the DNC, does that -- did that conclude your work with the DNC?

MR. HENRY: I think -- I think so. I don't want to make an emphatic statement, because over the course of the next couple months, there were leaks of data. We were talking to people at the DNC. They were trying to identify what documents were being leaked. So there were certainly communications. I think we were monitoring their network. I mean, we still had our technology in their network. So I wouldn't say it ended. But, from a professional services or an incident response perspective, probably, but we still had engagement with them, because leading up to the election, we had concerns that the Russians were going to come back or somebody was going to try to access that environment. So we did provide monitoring throughout that period of time.

Mr. Stewart, 5 minutes

MR.
STEWART OF UTAH: Wow. So much fun, the time just flies. Let me -- one question very quickly. There are some press reports or some people at least claim that this hack on the DNC did not -- was not perpetrated by the Russians. How do you respond to that?

MR. HENRY: Everything in my experience, sir, having done this for many, many years, both in the government and in the private sector, says that it was the Russian Government.

MR. STEWART OF UTAH: Is there anyone with -- that you think -- well, I'm not going to ask that question. Never mind. Thinking of it in its entirety now, going back to, you know, the client, who was -- I know the contractor, who was informed I think you said several months, if they had relied on the information provided by the FBI in a more timely fashion, because it seems to me they didn't if it was several months later that they contracted you or contacted you, could they have prevented a substantial portion of this, of this hack or this -- the outcome that was -- you know, that we see now if they had acted more -- in a more timely or more urgent manner?

MR. HENRY: If they had relied on the -- on what they had received from the FBI, had they responded earlier, could they have stopped the attack? Is that the question?

MR. STEWART OF UTAH: Or at least mitigated the damage.

MR. HENRY: Depending on how they responded, they may have.

MR. STEWART OF UTAH: If they had been proactive.

MR. HENRY: It's speculation for me to say that.

MR. STEWART OF UTAH: Well, I don't think it's an absurd speculation. I mean, because if you're informed of an attack and you act on that aggressively, you're obviously going to minimize the damage that, you know, occurs.

MR.
HENRY: I think that's fair.

MR. STEWART OF UTAH: At any point, are you aware of the FBI ever asking for access to anything, whether it's coding or whether it's something you've collected or whether it's the DNC and their equipment or hardware, did the FBI ever, as far as you know, ask for access, and were they informed by the client they could not have that access?

MR. HENRY: I'm not aware of the FBI asking the DNC for data.

MR. STEWART OF UTAH: Okay.

MR. HENRY: But, just to restate, that we were in contact with them many times, over a hundred times from June until even in the last few weeks. Provided them with information related to this attack.

MR. STEWART OF UTAH: Got you.

MR. HENRY: Including electronic data, et cetera.

MR. STEWART OF UTAH: Okay. But you're not aware of them ever asking and being denied any information or any access?

MR. HENRY: I do not have a recollection of that. I'm not aware.

MR. STEWART OF UTAH: And so, if they didn't request it or that was on their own accord, they made the decision not to request access, as far as you know?

MR. HENRY: I don't know.

MR. STEWART OF UTAH: Okay. All right. Chairman, do you have anything you want to follow up on?

You've got 1 minute, sir.

MR. CONAWAY: No. We'll switch.

MR. STEWART OF UTAH: Thank you. And, Mr. Henry, thanks for your response.

MR. CONAWAY: Turn it over to the ranking member.

MR. SCHIFF: Thank you, Mr. Chairman. I just have a couple followup questions. Then I'm going to turn it over to Mr. Castro. Welcome, and thank you for coming to testify. My colleague asked you whether the damage that was done to the DNC through the hack might have been mitigated had the DNC employed your services earlier. Do you know the date in which the Russians exfiltrated the data from the DNC?
MR. HENRY: I do. I have to just think about it. I do know. I mean, it's in our report that I think the committee has.

MR. SCHIFF: And, to the best of your recollection, when would that have been?

MR. HENRY: Counsel just reminded me that, as it relates to the DNC, we have indicators that data was exfiltrated. We did not have concrete evidence that data was exfiltrated from the DNC, but we have indicators that it was exfiltrated.

MR. SCHIFF: And the indicators that it was exfiltrated, when does it indicate that would have taken place?

MR. HENRY: Again, it's in the report. I believe -- I believe it was April of 2016. I'm confused on the date. I think it was April, but it's in the report.

MR. SCHIFF: It provides in the report on 2016, April 22nd, data staged for exfiltration by the Fancy Bear actor.

MR. HENRY: Yes, sir. So that, again, staged for, which, I mean, there's not -- the analogy I used with Mr. Stewart earlier was we don't have video of it happening, but there are indicators that it happened. There are times when we can see data exfiltrated, and we can say conclusively. But in this case, it appears it was set up to be exfiltrated, but we just don't have the evidence that says it actually left.

MR. SCHIFF: Did the technology vendor -- could you tell us who the technology vendor was that you were working with?

MR. HENRY: That the DNC was working with?

MR. SCHIFF: Yes.

MR. HENRY: His -- it's a company called MIS. And the actual contractor's name was Yared Tamine (ph), Y-a-r-e-d, I believe.

MR. SCHIFF: And did you get a sense from Mr. Tamene how specific the FBI was with their notification of a potential breach to their system?

MR.
HENRY: He said that he had -- and this is off of that document so -- he said that he had received a phone call in September of 2015 and that he received a phone call in October of 2015, and I think there was another call again in November.

MR. SCHIFF: Did he tell you whether anyone actually came to visit, or were these just phone calls from the FBI?

MR. HENRY: My recollection is -- my recollection is the first 3 months was a phone call, and then subsequently he did meet with somebody. He had -- I believe there are a couple of meetings that were documented in the document.

MR. SCHIFF: And did he tell you whether the FBI had given him any specifics about what they were alerting him to or recommending any steps that the DNC should take?

MR. HENRY: Again, my recollection is that there -- the Dukes were there and that there were certain files he should look for, pieces of software. This -- the document chronicles activity from September of 2015 up until the day or a couple of days before Sussmann contacted me. So that would have been April 30th. So it's several months. And he talks about different meetings and different phone calls between he and the FBI. I don't recall specifically without looking at the document which dates, was it a phone call or a meeting when he was told what, but he certainly was told that there was activity in the environment he needed to look for. And he in his, Tamene's chronicling of this, these meetings, said that he looked and he couldn't find it. On a couple of occasions, he says: I looked. I couldn't find it. The FBI called. I looked. I couldn't find it.

MR. SCHIFF: Do you know whether the FBI had made any recommendation to him about what he should do with the information he was getting from the FBI?

MR. HENRY: In terms of notification or --

MR. SCHIFF: Well, do you know whether they recommended that they retain the services of a firm like yours, or were they saying, "We have indications you should look to see if you can find indications"?

MR. HENRY: I think it's the latter. I don't recall him documenting that he was told he should contact somebody outside of his organization.

MR. SCHIFF: In your report, when you stated the data was staged for exfiltration on April 22nd of last year, that would have been the first time that you found evidence that the data was staged for exfiltration?

MR. HENRY: I believe that is correct.

MR. SCHIFF: Did you have a chance to read the information that was filed in conjunction with the George Papadopoulos plea?

MR. HENRY: I did not.

MR. SCHIFF: In that information, it states that Mr. Papadopoulos was informed at the end of April that the Russians were in possession of stolen DNC or Clinton emails. If that information is correct, that would be only days after that data was staged for exfiltration?

MR. HENRY: Yes.

MR. SCHIFF: Once you were retained by Perkins Coie, did you become the -- essentially the point of contact for the FBI in the investigation of what the Russians were doing on the DNC server?

MR. HENRY: I talked to the FBI for the first time about this matter after the network was remediated. We were sure that the network was locked down. That would have been in June. The remediation took place June 10th to June 12th. I think June 13th, I contacted the Assistant Director of the FBI.

MR. SCHIFF: And I think you said either you or your firm had thereafter hundreds of contacts with the FBI?

MR. HENRY: I said more than a hundred. I don't know exactly the number, but it was phone calls, it was meetings, it was emails.

MR.
SCHIFF: And during those hundred or more contacts, did the FBI ever tell you that they needed the DNC server for their own forensic analysis?

MR. HENRY: They asked us to provide to them the images of the computers and the results of our collection. They did ask for that, and we shared that with them.

MR. SCHIFF: And did they ever indicate to you that they thought that the images that you had given them or the information you had given them was incomplete for their own analysis and they required access to the servers?

MR. HENRY: I have no recollection of them saying that to me or anybody on my team, no.

MR. SCHIFF: And the DNC never communicated to you that the FBI was asking for the server?

MR. HENRY: No, sir.

MR. SCHIFF: Can you tell us a little bit about the images that you provided? What are those, in technical terms? How much -- how similar are those images to the actual server itself?

MR. HENRY: So I want to be clear. And I think they're referenced in the report. When I say what we provided to them, there are some cases where we're providing the results of our analysis based on what our technology went out and collected. So we have -- we have software that we send in to the environment. It collects artifacts, if you will, of what happened -- I mean, I'd equate it to shell casings or -- it's digital evidence -- and pulls it back. It's the remnants of code. And we will sort through all that, analyze that. We provided that information to the FBI. I believe that there are a couple of actual digital images, which would be a copy of a hard drive that we also provided to the FBI. And there were -- we're talking about, I don't know the exact number, but in excess of 10, I think, hard drives. Again, I believe you've got the documents, so I don't want to say anything that's inaccurate. But it's not -- we're not talking about one drive.

[3:00 p.m.]

MR. SCHIFF: And those copies of the drives allow you to create a duplicate virtual environment as the DNC server?

MR. HENRY: Yes.

MR. SCHIFF: And at any time did the FBI indicate to you that that was unsatisfactory in terms of their own investigation?

MR. HENRY: I'm not aware of them saying that.

MR. SCHIFF: Mr. Castro.

MR. CASTRO: Thank you. Thank you, Mr. Henry, for your testimony today. I'm going to ask you some basic questions about your own background and expertise, and then we'll get into this incident with the DNC and the DCCC and then more generally about these incidents. First, you first began your career at the FBI. Is that right?

MR. HENRY: Yes.

MR. CASTRO: When did you first begin it?

MR. HENRY: January of 1989. Well, I actually started in the FBI as a file clerk in June of 1984. I resigned in July of 1gg5.

MR. CONAWAY: I thought he said 1994.

MR. HENRY: I work out a lot. I eat right. I resigned in July of '84, and then I came back as an FBI agent in January of 1989.

MR. CASTRO: And when did you leave the FBI?

MR. HENRY: March of 2012.

MR. CASTRO: And what roles did you have at the FBI during that career?

MR. HENRY: I had 13 different positions. I'd be happy to go through the chronology if you need it.

MR. CASTRO: How about the ones that involve anything with cyber or what we're discussing today?

MR. HENRY: In 1999, I was selected to be the chief of the Computer Intrusion Unit in what was then the National Infrastructure Protection Center at FBI headquarters. In 2001, I left there and became a supervisory special agent of the cyber squad in the Baltimore field office.
I was on the inspection staff after that, not specifically related to cyber. I was the assistant agent in charge of the Philadelphia field office. I had some minimal oversight of cyber. I was working for -- the technical program was underneath me, technical squad. I was the chief of staff for the head of the national security branch of the FBI, and so I had some interaction then with cyber issues. I became the deputy assistant director of the Cyber Division in 2006. I became the assistant director in charge of the Cyber Division, so I led the FBI Cyber Division, in 2008. In 2010, I was the assistant director in charge of the Washington field office and, in that capacity, I had the cyber program in my -- along with every other violation. And then, in 2010, October 2010, I became the executive assistant director, so the Cyber Division was underneath me. So I touched it from '99 until my retirement exclusively multiple years and tangentially several years.

MR. CASTRO: And your final position as EAD of Criminal Cyber Response and Services Branch, how long were you in that role?

MR. HENRY: October of 2010 until my retirement in end of March of 2012.

MR. CASTRO: To the degree that you can talk about it, from your tenure at the FBI, did you have experience with sophisticated state-sponsored hackers or cyber attacks?

MR. HENRY: Yes.

MR. CASTRO: And cyber groups acting at the behest of or in coordination with a foreign government, even if not directly employed by security or intelligence service?

MR. HENRY: I'm sorry, say it again. I heard the second part, but I didn't understand the first part.

MR. CASTRO: Basically, did you have a -- did you work on cyber groups that were acting at the behest of or in coordination with a foreign government?

MR. HENRY: Yes.

MR. CASTRO: What about nonstate actors?

MR. HENRY: Yes.
MR. CASTRO: Can you tell us what differences you've seen between those two? One of the issues was how do you know it was Russia that is a nation-state or a state actor? What are the differences between when a state actor hacks versus a nonstate actor?

MR. HENRY: So, back to the gentleman's point of classification. I want to be careful, because what I did in the Bureau is classified, and I want to be careful not to say anything that might be in breach of my requirements back then.

MR. CASTRO: Do you want some time to think about it?

MR. HENRY: Well, I can say in general, I can say in general terms that my experience is nation-state actors are very sophisticated in the way they access networks, in the way that they maintain access to a network, in the way they move in the environment. Typically, the type of information they target is very different from the information that is targeted by nonstate actors because their motivations are different. Nation-state actors are, in my experience -- nation-state actors are the most sophisticated actors in terms of their capabilities in accessing, exfiltrating, and moving in an environment.

MR. CASTRO: And based on your experience and to the extent you can tell us, do nation-states and nonstate actors hack for different reasons?

MR. HENRY: Well, yes, they do. They do. But that's a much longer answer. All actors have some motivation to get into an environment, whether it be the pilfering of data for financial gain, the pilfering of data for intelligence purposes, or, in some cases, we've seen adversaries who have access to networks and destroy the networks, which we might use Sony as an example.

MR. CASTRO: Some hackers also commercialize or profit off of their activity.

MR. HENRY: They pilfer that for financial gain, yes, sir.

MR. CASTRO: Let me ask you about your experience during your time at the FBI with anything related to Russia and hacking. So can you describe the nature and scope of any Russian cyber operations you tracked and investigated while at the FBI? Of course, in an unclassified setting.

MR. HENRY: I cannot.

MR. CASTRO: Okay. So anything they did with data exfiltration or cyber espionage?

MR. HENRY: [Nonverbal response.]

MR. CASTRO: Okay. There has been prior public reporting of state-sponsored cyber operations against political campaigns prior to 2012. For instance, the Chinese reportedly hacked both the Obama and McCain campaigns in 2008. Did you work or were you otherwise involved in the investigation of that apparent cyber espionage?

MR. HENRY: Yes.

MR. CASTRO: And, to your knowledge, did the Bureau work or offer help, assistance, or support to the campaigns?

MR. HENRY: Yes.

MR. CASTRO: To your knowledge, prior to the 2016 campaign, had you ever witnessed or observed a foreign state actor using cyber means against U.S. election campaigns, beyond espionage, to undertake an influence campaign, meddle in domestic political processes, or otherwise, quote/unquote, "weaponize" the fruits of hacking?

MR. HENRY: That is a complicated question and not something that I can talk about here. I can talk about what happened at the DNC.

MR. CASTRO: You mean you can't talk about it because some of the information is classified?

MR. HENRY: To the extent -- if I have information related to that, I wouldn't be able to talk about it here.

MR. CASTRO: All right. Let me ask you about your time at CrowdStrike after you leave the FBI. When did you first join CrowdStrike?

MR. HENRY: The day after I retired from the FBI.

MR. CASTRO: And pardon my ignorance about the business, but was CrowdStrike already up and going, or were you one of the founders of it, or what was --

MR. HENRY: I was not a founder. CrowdStrike had started several months prior. And there were just a couple dozen employees -- two dozen employees at the time when I joined the company.

MR. CASTRO: How many employees are there now?

MR. HENRY: About 840.

MR. CASTRO: What was your position when you joined?

MR. HENRY: President of CrowdStrike Services. That's a wholly owned subsidiary of CrowdStrike.

MR. CASTRO: And what does that all include? What was under your purview, what kind of work?

MR. HENRY: So, when I joined, I was the president of CrowdStrike Services. My charge was leading our professional services organization, so consultants who would assist organizations in identifying adversary activity in their environment from a --

MR. CASTRO: Let me ask you, I guess, building on that, what were the services that you guys were offering your clients?

MR. HENRY: So incident response services, which is coming to a client's aid when they've been breached and helping them identify what occurred in the environment and helping them work to develop a remediation plan. As well as proactive services, which are services done in advance to help prepare a company so that it does not become breached. So we might do a compromise assessment in an environment where we would deploy technology to help identify some deficiencies in the network so that they could prepare it. We might test the environment by simulating a penetration to see if there were identified weaknesses. We would look at their policies and procedures, similarly, to look for weaknesses.
So it's reactive work, something bad has already happened, we go in and assist them, or proactive work, providing services in advance to help them identify weaknesses and to make them better prepared to defend their environment.

MR. CASTRO: And what's the range of clients you have? For example, is it Fortune 500 companies? Is it universities, government agencies, individuals? What's the range of those?

MR. HENRY: I would say all of those. Not many individuals. There are some high-net-worth people that we've worked with or for. But primarily corporations across every sector: healthcare, financial services, manufacturing.

MR. CASTRO: Okay. And, in general terms, what relationship does CrowdStrike maintain with law enforcement -- for example, the FBI -- or other government entities with cybersecurity resources, such as Department of Homeland Security?

MR. HENRY: We will engage with those agencies at the request of a client. Or if a law enforcement agency were to contact us, we would work with the client to facilitate what the law enforcement agency would need. It's not typical for us to engage with law enforcement in our engagements. It's not a typical relationship.

MR. CASTRO: How do you handle a situation where you do find out that somebody's been hacked? Do you reach out to the FBI or DHS? Do you allow the client to make that decision? What's your protocol there?

MR. HENRY: We would not unilaterally make that decision. If we did that, it would be at the client's request or in consultation with the client.

MR. CASTRO: You've made recommendations?

MR. HENRY: I have made recommendations.

MR. CASTRO: How about in this case?

MR. HENRY: In this case --

MR. CASTRO: Understanding that the FBI was already talking to the DNC.

MR. HENRY: So, in many cases, we're working under privilege with counsel, and we have to -- we respect that privilege, and we coordinate with counsel to do that.

MR. CASTRO: Prior to the 2016 campaign, had CrowdStrike done work for any political parties or election campaigns -- RNC, DNC, or any other political organizations?

MR. HENRY: Prior to the 2016 work -- or prior to the DNC work in 2016?

MR. CASTRO: Prior to?

MR. HENRY: I want to be clear on what the clarification of a political organization is.

MR. CASTRO: Whatever you consider it to be.

MR. HENRY: Well, that's the question.

MR. CASTRO: You know, the RNC, the DCCC, any State parties, for example, the Texas Democrats, the Texas Republicans, anything like that.

MR. HENRY: I'm not aware, prior to the DNC, of us being engaged with any political party. I'm not aware. But we have hundreds of engagements. But I'm not aware of any.

MR. CASTRO: Okay. So, during your time at CrowdStrike, had you or your company identified any noteworthy trends or evolution in the offensive cyber operations of nation-state actors -- say, moving away from run-of-the-mill espionage towards more kinetic ops or outright active measures?

MR. HENRY: So I want to be clear again, because this is an important question. During my time at CrowdStrike --

MR. CASTRO: Yes.

MR. HENRY: -- were we aware of nation-states moving away from pure espionage to more kinetic-type attacks?

MR. CASTRO: Yeah. I mean, my question is meant to get at what trends you're seeing. For example, at least for many of us, this was the first time where we saw that emails or data were weaponized and used in the political arena. Had you seen that before?
Or what kind of trends were you seeing such as that that you might be -- because one of the main charges of this committee is to make recommendations about how, going forward, as a Nation, we protect ourselves in the future from this kind of activity. But, first, we have to fully understand what was happening and going on.

MR. HENRY: No, I understand that. And I appreciate that question, because, as an American, I have the same concerns. When you talk about weaponization, I think we have seen nation-states moving towards more destructive attacks. And the two that I would call out that have been publicized are North Korea and Iran, both, where some of those actions have been publicized and acknowledged by the U.S. Government.

MR. CASTRO: Let me ask you, in terms of response by commercial clients -- or let me ask it this way so you don't have to divulge any of what your clients may have reacted or not reacted. But just in terms of what you've seen as somebody who's got an expertise in this area, have commercial clients handled this differently than, say, a political client or government agency or so forth? For example, we just found out in the news a few weeks ago that Uber -- I don't know whether they're a client or not -- but Uber paid some hackers $100,000 ransom, basically, and then didn't tell anybody for a year that it had happened. So it sounds like they certainly didn't go to the FBI or weren't talking to the FBI. So what kind of responses have you seen from both commercial and noncommercial groups?

MR. HENRY: I think it ranges from groups that are completely unengaged, and disengaged, to groups or organizations that are very aware and very engaged, applying the appropriate resources and a sense of urgency. It runs the gamut. I've seen it for many years that way.
I've talked to this committee about this before, in my prior position, and some of the things that we should all be doing differently and better. I'd be happy to come back and talk about that again.

MR. CASTRO: Let me ask you, because you are an expert, what recommendation do you have for what kind of responsibility a company or a government or the DNC or anybody else who's got large volumes of data, what responsibility, going forward, do you think that these organizations should have? Should Congress pass a law that says that there's got to be some minimum level of cybersecurity? Because you just mentioned, of course, that there's some businesses, for example, that really don't take any precautions and are sitting ducks. So, not with respect to your clients or anybody else but just as an expert, what do you recommend? Because this will be about recommendations.

MR. HENRY: I think, Mr. Castro, I really appreciate the question, and I do have an interest in this. I've been in this space for a long time, and I have a lot of concerns for our country. And I think, for the purposes of this, we're focused on this issue, and I would be happy to come talk about that issue, if I may, in a separate meeting, if that would be okay.

MR. CASTRO: Sure. So, prior to 2016, was CrowdStrike tracking or observing the cyber threat posed by Russia?

MR. HENRY: Yes, sir.

MR. CASTRO: And how have you assessed Russian capabilities?

MR. HENRY: They are --

MR. CASTRO: How do they stack up against ours? In the world?

MR. HENRY: I'll say that they are among the best in the world. I won't compare them. I'll say they are among the best in the world.

MR. CASTRO: And what makes them among the best in the world?

MR. HENRY: Their tactics, their -- the techniques, the tools they've
developed, their ability, their operational security, their rigor, I think their collection, their targeting -- a whole host of capabilities I'd look at from an intelligence perspective. And I think that they are tops in the world.

MR. CASTRO: What are their motives, as far as you can tell?

MR. HENRY: Well, I think, when we're looking at nation-states -- I mean, you're asking a geopolitical question, I think. And their motives are like other nation-states, to gain an advantage tactically in global policy, global politics, global economics. I think at a high level that's fair. We can go into it a lot deeper.

MR. CASTRO: Is it fair to say that Russia's ambition has grown over the last several years in that realm?

MR. HENRY: I mean, again, that's kind of a geopolitical issue, and it would be speculation, I guess.

MR. CASTRO: Okay. Who is Fancy Bear?

MR. HENRY: Fancy Bear is an actor that we associated with Russian intelligence. It's likely a group of people that are operating on behalf of a Russian intelligence service, and aggregately we have named them Fancy Bear as a way for us to kind of identify different tactics and associate it with a particular group.

MR. CASTRO: They have a unique set or similar set of tactics they use that you can use to group them together or identify a group of individuals?

MR. HENRY: Yes.

MR. CASTRO: How about Cozy Bear?

MR. HENRY: A group, similarly, we have associated with Russian intelligence, and using different types of tactics, different tools, different target sets, but that we've also associated similarly with Russian intelligence.

MR. CASTRO: Is there an important distinction between those two groups?

MR. HENRY: I think that Fancy Bear has been associated with Russian military based on a lot of the targeting, the types of intelligence that's been collected, and that Cozy Bear, not clear specifically which agency but more of a traditional intelligence collection organization. So, in the case the DNC, for example, Cozy Bear was monitoring communication channels, looking at email, looking at voice-over-IP communications, sort of traditional intelligence collection.

MR. CASTRO: And I was going to ask you next about the role of Fancy Bear and Cozy Bear with respect to the DNC incident. Can you describe their role in all of this?

MR. HENRY: Yes. Cozy Bear I've just described. Fancy Bear was targeting the research, opposition research, candidate research. So some of the data that we saw staged but we didn't have indication that it was exfil'd, but it was staged -- appeared to be staged for exfil, that it was associated with research that had been conducted by the DNC on opposition candidates.

MR. CASTRO: And so you saw these two groups seem to divide up responsibility for activity?

MR. HENRY: Well, it's interesting. So we don't have any reason to believe that they actually were coordinating with each other. One of our analysts actually said that he didn't think that they were coordinating and that the Fancy Bear actor actually had been in the DCCC and had moved from the DCCC into the DNC environment, and that Cozy Bear had been there since July of 2015 and Fancy Bear didn't come into the environment until the end of April of 2016, so that Cozy Bear had been there for many months prior to Fancy Bear ever getting there.

MR.
CASTRO: So your analysts who gave this report may have believed that these two Russian cells were operating independently of each other, possibly?

MR. HENRY: Yes.

MR. CASTRO: And as a cybersecurity expert and a former FBI executive assistant director focused on cyber issues, heading into the start of the 2016 campaign, would you have had any particular concerns about the cybersecurity or digital integrity of U.S. political campaigns?

MR. HENRY: I have concern about the integrity of every network in this country.

MR. CASTRO: Any special concern about these political organizations?

MR. HENRY: I have concern about all critical infrastructure in this country. Yes.

MR. CASTRO: And do you recall any prominent foreign-sponsored cyber attacks or incidents of espionage against U.S. campaigns during the 2012 or 2014 election seasons?

MR. HENRY: Yes. I mentioned --

MR. CASTRO: Well, we talked about China back from '08.

MR. HENRY: -- the McCain and the Obama campaigns.

MR. CASTRO: But anything in 2012 or 2014, in that intervening period between 2008 and 2015?

MR. HENRY: Oh. I'm not aware. I'm not aware. I'd left the Bureau by the 2012 -- 2012? Yeah.

MR. CASTRO: Let me ask you, why do you think they did a document or data dump in 2016? Why not before that? Just as an expert.

MR. HENRY: So, to be clear, on the document dump, as you've referred to it, there was data that we know was taken off of the DCCC. And we've, I think, chronicled, documented that in the report. There is evidence of exfiltration, not conclusive, but indicators of exfiltration off the DNC. As the person who led the investigation into both of those remediations, I can state those facts. I don't know that I should speculate on why it may have been done.
So we did look at hash values, so algorithms of the documents that the FBI had provided, and compared that with documents that came off of the DNC, and they were consistent.

MR. CASTRO: Okay. I'm going to pass it over to Mr. Swalwell. Thank you.

MR. HENRY: Thanks.

MR. SWALWELL: Thank you, Mr. Henry, for your participation. And we'll take a break, also, shortly, if you need one. In your experience as an FBI agent, particularly in cyber notifications, if the Bureau learned that a corporation or entity had been penetrated, was there a standard protocol for how you'd contact that entity? And we'll just stick with 2012, and then you can talk about what you observed in the private sector.

MR. HENRY: Yes, there was.

MR. SWALWELL: And what was it?

MR. HENRY: So it depends. I mean, notification would be made to a corporation that there was a breach into their environment. And we'll have to go back and pull what the document says specifically. But it depends on where the information came from. We're in an unclassified environment. The FBI is a domestic intelligence agency, and the FBI works domestically, and they coordinate with others in the community. And depending on where the intelligence came from, the FBI would be restricted on releasing certain pieces of data.

MR. SWALWELL: And looking at your experience from 2012 to present day, have you noticed a pattern or a manner of practice that the FBI has had in who they notify of your clients, like, which individuals at the companies are notified when a breach occurs? And I'll just give you an example. Is it the CTO? Is it, you know, someone at the IT help desk? I mean, what is typically the practice you've observed recently?

MR. HENRY: Again, it depends. If the FBI has an established relationship with somebody -- and that's encouraged.
I mean, I'd recommend people in the private sector to have those contacts in advance of a breach. They would reach out to the person they've got an established contact with. If they don't, it might be at the general counsel's office. It might be to the CISO, the chief information security officer. It depends on who you've got a relationship with. I don't know that the notification that you refer to is that explicit. I think it's case by case.

MR. SWALWELL: Sure. In this case, the notification went to Yared Tamene, who you referenced earlier, an IT contractor for the DNC. Can you just, based on your experience, is that the -- had you been working at the Bureau, is that who you would've contacted first?

MR. HENRY: My understanding is that it was Yared that was contacted based on the document I referred to. I don't have any indication that anybody else was notified.

MR. SWALWELL: And I guess my question is, you know, he was an IT contractor for the Democratic National Committee that has a chairperson, a finance team, a political director. Are there other individuals who you believe may have been more appropriate to contact? And, again, I'm asking you, you know, as an expert, not as somebody who performed work for the DNC, but just knowing what you know from working at the FBI and your work on this case.

MR. HENRY: I think that -- I mean, my role in this case was as leading the team that was responding. Pursuant to our contract with counsel, I don't know that I should speculate about --

MR. SWALWELL: Sure. I understand. When Mr. Tamene was contacted in September 2015, it was by Special Agent Is that right?

MR. HENRY: Yes.

MR. SWALWELL: Did you ever talk to Special Agent

MR. HENRY: I have. I have spoken to him since the notification to the Bureau in June. And I may have spoken to him beforehand when I worked in the Bureau.
I don't have a recollection of that.

MR. SWALWELL: Sure. And with respect to this case, what has Special Agent conveyed to you, in an unclassified manner, about his contact with Mr. Tamene back in September 2015?

MR. HENRY: I don't know that I -- I don't recall talking to him specifically about his contact with Tamene. I may have talked to him about that. I don't recall specifically what the content of that would've been.

MR. SWALWELL: Sure. Great. And I'll yield back.

MR. STEWART OF UTAH: Mr. Henry, thank you.

MR. CONAWAY: Do you need a break?

MR. HENRY: I'm okay. Thanks.

MR. STEWART OF UTAH: So we'll press ahead then.

MR. CONAWAY: Yeah, 15 minutes.

MR. STEWART OF UTAH: I yield to the chairman.

MR. CONAWAY: Oh, okay. Again, Mr. Henry, thank you for being here. My professional background is as a CPA, so my questions are more slanted that direction. And I'm not a lawyer. This may be a bit disjointed because I'm kind of falling in on questions that were asked to you. On your work on behalf of the DNC through Perkins Coie, did you do that on site? All remote? How did that mechanically work?

MR. HENRY: Both.

MR. CONAWAY: Both?

MR. HENRY: On site and remotely.

MR. CONAWAY: All right. And the team that made up your guys there, can you give us some general description of what their professional backgrounds are?

MR. HENRY: Yes. And I'll just caveat that. I can talk about the members of my specific team. Even though I was overseeing this incident, there are other members of our team that fall -- intelligence analysts and other members that come under different groups in my organization. So I don't know specifically --

MR. CONAWAY: The guys that are doing the cyber forensics, what do they look like?

MR. HENRY: Former U.S. Government, a couple of them.

MR. CONAWAY: FBI?

MR.
HENRY: No. DOD, military.

MR. CONAWAY: NSA?

MR. HENRY: NSA. And former contractors or employees of defense contractors. Extensive experience in this area, in computer forensics and in working in this type of an environment.

MR. CONAWAY: All right. So you mentioned Tamene was the contractor who did -- was there another contractor, anybody else that you knew?

MR. HENRY: I only know Tamene that worked at MIS. I think there were other employees that worked with him. I don't recall ever meeting anybody there.

MR. CONAWAY: All right. So, from an outsider looking in, he starts being contacted in September. When did he actually tell his client that something was going on? There doesn't seem to be a sense of urgency on his part. Any sense of why that's the case?

MR. HENRY: I don't know. And I don't know when he told anybody in the DNC. My only knowledge of the communications between him and the FBI were based on my looking at that document, April 30th or May 1st. And I don't remember if, in the document, it said that he told any of his superiors or anybody actually in the chain of command at the DNC.

MR. CONAWAY: All right. So is it coincidental, then, that the data prepped for exfiltration on the 22nd and then you being contacted by Perkins Coie? When did he tell the DNC that they had a problem? Or was it he contacted Perkins Coie on behalf of DNC? Any idea?

MR. HENRY: I don't know who in the DNC contacted Perkins Coie. I don't know who made that contact.

MR. CONAWAY: But it would have been them, not the contractor?

MR. HENRY: I would be speculating. I would assume so, but I'm speculating.

MR. CONAWAY: Had the contractor got a sense that something bad was about to happen on the 22nd, and that's why he escalated?

MR. HENRY: Again, to Mr. Stewart's question earlier, I don't know whether Michael Sussman said, you know, we have some indication or --

[Discussion off the record.]

MR. HENRY: As it relates to the notification to Perkins Coie, I don't know what that was.

MR. CONAWAY: Okay. I was worried that I wouldn't ask you a question that your attorney wouldn't pull you aside. Everybody else has, and so I was a little nervous that I would be so inane with my questions that you're over there laughing at me, but -- okay. When you imaged and/or sent data to the FBI, did you filter anything out of that that the DNC would not have wanted the FBI to look at?

MR. HENRY: No, sir. I don't think so.

MR. CONAWAY: Okay.

MR. HENRY: No. And I say that because I know that part of our report is redacted, but I have no -- my understanding is everything we gave to the FBI was as we collected it.

MR. CONAWAY: All right. What is your obligation and your role as a contractor with a client like that, when you come across -- I mean, all of us have people who work for us that we don't supervise moment to moment that are potentially subject to looking at a website they shouldn't look at or having something on a company computer they shouldn't have. Do you have any kind of responsibility -- when you go into that environment and you find something inadvertently that's not supposed to be there, what's your responsibility to that?

MR. HENRY: I don't understand the question.

MR. CONAWAY: I'll be a little more graphic. We've got somebody who's an employee -- you have an event that you've been called in to look at, and you find an employee who has downloaded child pornography onto a company computer. Are you under any obligation to tell the authorities or the client? What's your protocol in that regard? Or would you find that?

[Discussion off the record.]

MR.
HENRY: If I found child pornography on a client's computer, yes, I would notify law enforcement.

MR. CONAWAY: Okay. Is that just a personal -- and it doesn't have to be something that heinous, but illegal. Is that just something you, as a, you know, code of conduct, would do? Or is there some sort of legal requirement for you do that?

MR. HENRY: There are legal requirements.

MR. CONAWAY: Okay. And with respect to your work at the DNC, you observed all your legal requirements in that regard?

MR. HENRY: I didn't find child pornography.

MR. CONAWAY: Well, good. I wasn't going to ask you that bluntly, but nothing that would have caused them a problem?

MR. HENRY: Not that I'm aware of, sir.

MR. CONAWAY: Okay.

MR. STEWART OF UTAH: Can I refine that very quickly?

MR. CONAWAY: Sure.

MR. STEWART OF UTAH: He used the example of child pornography, but what about just any illegal activity? Are you required to report any illegal activity that you find on a client's computer?

MR. HENRY: I won't speculate on what my legal obligations are.

MR. STEWART OF UTAH: Okay.

MR. CONAWAY: In talking about the folks that you attribute these hacks to, you mentioned State Department and the Joint Chiefs of Staff hacks. How did you come by that information? Were they your clients as well, or is that just public reporting? Or how is it that you knew that the footprints, the fingerprints, the dust from those attacks were the same as at DNC?

MR. HENRY: Some of that, I believe, was public reporting, and I believe my team has had some access to some of the State Department reporting.

MR. CONAWAY: All right. In enough detail that you're confident that it's referring to both of those?

MR. HENRY: Yes, sir.

MR. CONAWAY: We use the phrase "the Russians did it" or "State actors." Can you be more precise? You said Cozy Bear was and -- I get them mixed up. One of them was the military.

MR. HENRY: GRU.

MR. CONAWAY: Say that again?

MR. HENRY: GRU? Russian military intelligence? Fancy Bear.

MR. CONAWAY: All right. And Cozy Bear is?

MR. HENRY: Was a Russian intelligence service. Unclear --

MR. CONAWAY: As to which one?

MR. HENRY: Yes, potentially. I mean, there's other intelligence services that are Russia SVR and FSB.

MR. CONAWAY: Okay. Not clear. Is anybody out there good enough, I guess, for lack of a better phrase, to run a false-flag operation using the exact same tactics, techniques, and procedures that Cozy Bear, Fancy Bear used that would have, in other words, caused us to look at the Russians and it was actually some other group doing it? Is anybody that good yet?

MR. HENRY: So, if you'll recall when I talked earlier about attribution, you look at data over the course of many intrusions over many years, and some of the infrastructure that we saw and some of the specific tactics and tools we've only seen associated with this particular actor, and it goes back many years.

MR. CONAWAY: Right.

MR. HENRY: So for somebody to do a false flag, as you've described it, it would've, I imagine, have been in play for many years. They would've had to have acquired Russian command-and-control servers. They would've had to somehow acquire tools and software, malicious code that had been used up until this point only by what we believe was the Russian Government.

MR. CONAWAY: Right.

MR. HENRY: So I don't think that that is plausible.

MR. CONAWAY: Right. But not totally impossible either, given the constant development of folks getting better and better.

MR. HENRY: I think that -- I don't think it's a viable option --

MR. CONAWAY: Okay.

MR.
HENRY: -- under the circumstances here.

MR. CONAWAY: So you mentioned that Fancy Bear moved from DCCC to DNC?

MR. HENRY: Yes, sir.

MR. CONAWAY: What's your relationship to DCCC?

MR. HENRY: We also did an incident response at the DCCC.

MR. CONAWAY: All right.

MR. HENRY: After the DNC.

MR. CONAWAY: And so, talking about that movement sometime after June 10th?

MR. HENRY: It was prior to that, during the course of the response to the DNC incident.

MR. CONAWAY: Are they a similar relationship through Perkins Coie, or is that relationship through somebody else?

MR. HENRY: Yes, sir, same relationship.

MR. CONAWAY: Okay. And there you were able to tell the amount of data that was exfiltrated?

MR. HENRY: In that particular case, we were able to identify, based on some of the indicators that we saw, that there was data that was exfiltrated from that network.

MR. CONAWAY: And you could attribute the total volume through some sort of metric?

MR. HENRY: So we can -- I mean, we saw an identified volume. I don't know that we can say that that's all that was taken, but we certainly can say what we saw, 70 gigabytes of data.

MR. CONAWAY: Okay. And I apologize for not having the article with me. There is this conspiracy theorist group out there that will argue that you guys are just totally wrong and that it was an insider job, and they walk through this analysis using, quote/unquote, "experts," et cetera, et cetera. And the genesis of what they're arguing is that there's not a datalink out there fast enough to download what was believed to be downloaded without it being onto a thumb drive directly off the machine. Have you seen that line of logic, or have you heard anybody talking about that?

MR. HENRY: I have seen it.

MR. CONAWAY: Okay. Do you find it plausible or implausible? What's going on with that conspiracy theory?

MR.
HENRY: I've talked to the technical experts in my organization who say it's not plausible at all, what they're saying, that their argument is not plausible.

MR. CONAWAY: All right. And I'm skeptical of the article, as well, just because of all the other things that are going on that kind of back up what CrowdStrike did. The mechanics of download speeds, all the other things they talked about, which sounds very credible to the uninitiated, to someone who's looking at it without any kind of background, does it fall apart there? Where does it fall apart when you talk to your guys?

MR. HENRY: I don't know that I can tell you the specifics about it, other than I've spoken to my team about it, who are true experts in this area, and they say that the argument is just not plausible.

MR. CONAWAY: Okay. He names some of the -- well, he doesn't either. Okay. So what's your relationship with the Podesta emails?

MR. HENRY: I never -- I don't have a relationship with them, other than --

MR. CONAWAY: So that fishing expedition and the stealing of those was totally outside your realm or your work?

MR. HENRY: Yes.

MR. CONAWAY: Okay. Did the DNC restrict anything that you shared with the FBI or that the FBI asked for? Did they tell you "no" at any point?

MR. HENRY: No, I have no recollection. Again, I know that there are redacted reports and there was some restriction on the reports. That's the only thing I can recall.

MR. CONAWAY: All right. You mentioned that you left tools in --

[Discussion off the record.]

MR. HENRY: Everything that was requested by the FBI we provided.

MR. CONAWAY: Okay. Quickly, you said you left tools in place to monitor for further intrusions. Is that a normal part of your service on remediation, that you leave those?

MR. HENRY: Yes, sir.
MR. CONAWAY: How long does that -- do they just stay in place permanently or as long as --

MR. HENRY: Prophylactically, yes.

MR. CONAWAY: Okay.

MR. HENRY: I mean, it's a service that we provide, so it's an ongoing service.

MR. CONAWAY: Okay. And those are remote triggers, that if it happens, you get a notification?

MR. HENRY: Essentially. It's more complex, but that's essentially what we do.

MR. CONAWAY: I got you. You wouldn't necessarily wait on the contractor to call you and tell you something had triggered?

MR. HENRY: We would -- depending on the service, we would know that something happened.

MR. CONAWAY: Okay. Does the FBI ever subcontract to you to do the investigations that they would've normally done? In a situation where they don't have enough manpower --

MR. HENRY: They have not subcontracted with us.

MR. CONAWAY: Have they contracted with you to do investigations? Maybe I used the wrong word.

MR. HENRY: They have not.

MR. CONAWAY: Okay. And so the body of stuff that was prepped to be stolen, you can't unequivocally say it was or was not exfiltrated out of DNC, from what you know of?

MR. HENRY: I can't say based on that. But I think I said earlier that there was some -- and I want to make sure I'm correct here -- that there were some hash values, which are algorithms essentially, that were provided by the FBI that were consistent with files that were on the DNC. I think that that is accurate.

MR. CONAWAY: So how did the FBI get those if they didn't get them from you?

MR. HENRY: I don't know.

[Discussion off the record.]

MR. HENRY: They had gotten them from documents that had been dumped, and then they created the hash value, the algorithm.

MR. CONAWAY: Oh, it was dumped into the public arena?

MR. HENRY: Yes, sir.

MR.
CONAWAY: Oh, I got you. Got you, got you. All right. Your 15.
MR. SCHIFF: Thank you, Mr. Chairman. Just a couple of questions, and then I want to hand it back to Mr. Swalwell. You mentioned that the hackers hacked the DCCC and then migrated from the DCCC to the DNC. Is that correct?
MR. HENRY: Cozy Bear was in the DNC. Our first identification of them in the DNC that indicated they were there was July of 2015. The second actor, Fancy Bear, migrated from the DCCC to the DNC.
MR. SCHIFF: And were you able to determine the original point at which Fancy Bear entered the DCCC?
MR. HENRY: We were not able to determine the original origin.
MR. SCHIFF: And at what point did they migrate from the DCCC to the DNC?
MR. HENRY: In April of 2016. I had April 11th, I believe. Again, it's in the report. I'm not certain of the exact date, but I believe it's April 11th.
MR. SCHIFF: And you weren't retained to handle the intrusion into the Podesta emails?
MR. HENRY: No. No, I don't -- no.
MR. SCHIFF: Do you know who was?
MR. HENRY: I don't know. I don't think we did anything with that, no.
MR. SCHIFF: So you didn't have any interaction with them to determine the similarities or cyber signatures or digital dust that you saw in connection with DCCC and DNC and what they might have seen with respect to the Podesta hack?
MR. HENRY: No.
MR. SCHIFF: All right. Mr. Swalwell?
MR. SWALWELL: Thank you. You talked about the images you provided to the FBI with respect to the DNC hack. Is that common practice in your industry when the FBI is conducting an investigation and a third-party vendor, cybersecurity vendor like CrowdStrike is involved, that, rather than turning over a server, images would be sufficient?
MR. HENRY: I have done it before, or indicators at least, not necessarily a full image.
But we have provided indicators in the past to the FBI in a case where an adversary was in a client's environment.
MR. SWALWELL: And, in this case, is it fair to say that the DNC, being a rather large political entity, that at the time of its hack, or at the time that you were working on the analysis and the remediation, that the DNC servers were still functioning for other purposes, that it was still an active operation that had email correspondence and web service hosting and other functions that were occurring? Is that right?
MR. HENRY: Yes.
MR. SWALWELL: Can you describe how disruptive it would be to turn over custody of your servers to the FBI for a client like that or any other client in a situation like this?
MR. HENRY: How disruptive it would be to turn over?
MR. SWALWELL: Well, I guess my question is, when you hear in the public realm, you know, why didn't the DNC just turn over their servers to the FBI, and you're telling us that images, according to the FBI, were sufficient, just for argument's sake, what does turning over the servers to the FBI mean practically to an organization that is still functioning and relying upon those servers?
MR. HENRY: When I hear somebody say "turning over the servers," based on my experience, it's not turning over the actual server; it's an image of the server.
MR. SWALWELL: Okay. And, in your experience, comparing this case to other clients that you've had or in your work at the FBI, you believe that the images were sufficient for the FBI to understand what had occurred?
MR. HENRY: I believe that the FBI got everything that they asked for that related to the DNC from us. Everything that we had access to related to images and servers, when they asked for it, they got it.
MR.
SWALWELL: How did you present your findings to the DNC? Was it by a report, or was it a --
MR. HENRY: It was by a report that I believe the committee has.
MR. SWALWELL: Who did you present your findings to?
MR. HENRY: I believe it was to Perkins Coie, to the law firm, because they were the client, essentially, right? We were contracted through the law firm.
MR. SWALWELL: One second, please. I'll yield to Ms. Speier.
[4:00 p.m.]
MS. SPEIER: Thank you for being here. Did you do any work on behalf of the RNC? And I apologize if this question was asked earlier.
MR. HENRY: So there are a number of political organizations that we have done work for. To the extent that they're protected under privilege, I want to be careful not to say anything that's protected. And so I don't know -- I don't know, honestly.
MS. SPEIER: Okay. But you've -- can we surmise from that that you have worked for both political parties?
MR. HENRY: You can surmise that we have worked for multiple political organizations on both sides of the aisle.
MS. SPEIER: Okay. One of the findings of the Intelligence Community assessment that came out in January was that, while voter records were hacked in a number of States -- I think the number grew to over 20 states, maybe even higher -- with a fair degree of confidence, the IC believed that the actual voting machines had not been hacked.
Now, subsequently, there have been a number of conventions. One took place in Las Vegas called DEF CON, where they purchased 10 different voting machines from around the country and proceeded to hack them, each and every one of them, over the weekend, one within the first hour and a half of the conference getting taken up.
I spoke to one of the hackers, and his comment to me was, there's no way you could know whether or not the actual election machine had been hacked or not because of the way they're constructed. Are you at all familiar with the ability to hack into election equipment?
MR. HENRY: No.
MS. SPEIER: And you weren't brought in to look at the hacking of voting records by the FBI or the IC community?
MR. HENRY: No.
MS. SPEIER: And you don't know who was brought in?
MR. HENRY: No.
MS. SPEIER: So you have no opinion on whether those two statements are accurate or not?
MR. HENRY: No.
MS. SPEIER: Okay. I'll yield.
MR. CONAWAY: Mr. Quigley?
MR. QUIGLEY: So a part of our concern here is making sure these things don't happen again. Just your general sense of the following thoughts. Most entities don't know they've been hacked. Is that correct? Like, a corporation, Target, what have you.
MR. HENRY: That's a very general, when you say "most organizations don't know they've been hacked" --
MR. QUIGLEY: Most entities that are hacked don't know that they've been hacked. Someone else has to tell them.
MR. HENRY: I've notified many companies that they've been hacked that did not know they'd been hacked. I don't know that I would say most, because I don't know the universe of companies. But oftentimes companies don't know that they've been hacked.
MR. QUIGLEY: Okay. And oftentimes someone else who is more expert in such things has to be the one that tells them.
MR. HENRY: That happens regularly.
MR. QUIGLEY: And, in your experience, how long is the range of time before -- you know, from the time they've been hacked to the time that they've been told they've been hacked, how long have you witnessed that timeframe?
MR.
HENRY: There are multiple analyses that have been done. The term is "dwell time," how long is an adversary in an environment before they're identified. I think, actually, our public reporting that is coming out in the next couple of weeks will say it's about 3 months. There have been other consultancies that have opined that it's in excess of that.
MR. QUIGLEY: So help me make this question more specific. The entities that we have now hacking, the adversaries who are hacking into the government, into corporate U.S. interests, can we tell that they are there? Are adversaries so good that we just don't know that they're there at this point?
MR. HENRY: It depends, sir, on which organization is looking at it. There are certain organizations that will never know because they don't have the sophistication or the tools, and there are other organizations who are much better prepared to know. So it really depends. There's too many variables to answer that.
MR. QUIGLEY: But are there adversaries who use sophisticated attacks so good that they just cannot be detected?
MR. HENRY: Well, you're asking me to prove a negative. And I'm not being a wise guy. If they can't be detected, I don't know if there's anybody ever been there or not.
I can say this -- and we had spoken prior -- about the sophistication of adversaries that we see now and their ability to remain obfuscated and to be surreptitious for long periods of time, and there are nation-states that we've witnessed that have that type of capability.
MR. QUIGLEY: So I know you're being very careful and cautious, and I appreciate and respect that. But you have a general understanding of the sophistication of local governments, I would assume. And are most State boards of election capable of having the sophistication you spoke of earlier to know when they've been hacked?
MR.
HENRY: I don't know because I haven't done an evaluation of those organizations.
MR. QUIGLEY: Okay. Thank you. I yield back.
MR. SWALWELL: Thank you. And just to clarify as to Ms. Speier's questions and Mr. Quigley, you had stated earlier that you worry about all infrastructure, as far as vulnerability to a hack. Is that correct?
MR. HENRY: Correct.
MR. SWALWELL: And that would include election infrastructure?
MR. HENRY: Yes.
MR. SWALWELL: And just a few questions about APT-28 and APT-29. It's correct -- and I know you've turned over the report, but just for our record -- that it was April 18th, 2016, when APT-28 first appeared on the DNC servers. Is that correct?
MR. HENRY: What we call Fancy Bear, yes, APT-28.
MR. SWALWELL: Okay. And the system --
MR. HENRY: Wait. I'm sorry. To clarify, you said when they first showed up there?
MR. SWALWELL: Yes.
MR. HENRY: I thought that the date was April 11th. Again, it's in the report. I want to make sure that we're accurate.
MR. SWALWELL: And the systems compromised in your report included domain controllers, IT workstations, backup servers, donor information, voter file data, email, Voice Over Internet Protocol, shared drives, party affairs, accounting, marketing, and research. Is that right?
MR. HENRY: Yes, sir.
MR. SWALWELL: And Mr. Brown -- do you know Andrew Brown?
MR. HENRY: I know who he is, yes.
MR. SWALWELL: Okay. He has stated that "we didn't see any evidence that the attackers had gone after the data warehouse environment. They seemed to be completely focused on the DNC corporate network." Do you agree or disagree with that statement?
MR. HENRY: I don't know what he was referring to.
MR. SWALWELL: And as far as activity that you would attribute to APT -- let me withdraw that.
And, Mr.
Chair, I believe that we're assuming a lot of facts about this report, but can we enter the report as exhibit 1 for the record, the CrowdStrike report that's been referred to?
MR. CONAWAY: Without objection, it's admitted.
[Henry Exhibit No. 1 was marked for identification.]
MR. SWALWELL: Okay. Thank you. One of the questions we're supposed to answer for the public is the sufficiency of the government response to the attack, meaning once the FBI learned about the attack, once the Obama administration learned about the attack, and then actions that were taken. And just in your expertise as a former FBI agent with cyber expertise and working on the private sector, are there any recommendations you would make to the committee, based on your public knowledge and intimate knowledge, having worked partially in this investigation, as to what the government response could have been to have been more effective to stop this intrusion?
MR. HENRY: I'd be happy to have that conversation. I don't know -- want to focus on the DNC here, if that's all right.
MR. SWALWELL: Sure.
MR. HENRY: And I would be happy to have that conversation.
MR. SWALWELL: And is that, in part, because it would involve conveying to us classified information?
MR. HENRY: Yes.
MR. SWALWELL: Okay. Thank you. Anything else, Ms. Speier? I yield back.
MR. STEWART OF UTAH: Thank you, Mr. Henry. And I have to say you've been an outstanding witness. You've been patient with us. Thank you for that. And you've been, I think, as forthright as you could be. And it's been a couple hours now, so I think we'll be -- at least I think we'll be concluding fairly shortly. I'd like to go through four questions, and they might be as simple as yes/no.
It may not take much time, but elaborate, if you would. Among your many clients, are you also under contract with the FBI to perform technical services for them?
MR. HENRY: No.
MR. STEWART OF UTAH: And never have been?
MR. HENRY: No.
MR. STEWART OF UTAH: Okay.
MR. HENRY: We have not provided them technical services. We have provided them intelligence in the past.
MR. STEWART OF UTAH: Okay. As part of a contract or just part of a professional courtesy that you share that type of information?
MR. HENRY: We did it as part of a contract.
MR. STEWART OF UTAH: Okay. Are you currently under contract to provide that information to them?
MR. HENRY: I do not think so.
MR. STEWART OF UTAH: Okay. You said something, and I want to restate it -- and tell me if I'm wrong -- if I could. You said, I believe, talking about the DNC computer, you had indications that data was prepared to be exfiltrated, but no evidence it actually left. Did I write that down correctly?
MR. HENRY: Yes.
MR. STEWART OF UTAH: And, in this case, the data I am assuming you're talking about is the email as well as everything else they may have been trying to take.
MR. HENRY: There were files related to opposition research that had been conducted.
MR. STEWART OF UTAH: Okay. What about the emails that everyone is so, you know, knowledgeable of? Were there also indicators that they were prepared but not evidence that they actually were exfiltrated?
MR. HENRY: There's not evidence that they were actually exfiltrated. There's circumstantial evidence --
MR. STEWART OF UTAH: Okay.
MR. HENRY: -- but no evidence that they were actually exfiltrated. But let me also state that if somebody was monitoring an email server, they could read all the email.
MR. STEWART OF UTAH: Right.
MR. HENRY: And there might not be evidence of it being exfiltrated, but they would have knowledge of what was in the email.
MR. STEWART OF UTAH: But they wouldn't be able to copy that email; they could only watch it in real time.
MR. HENRY: There would be ways to copy screenshots. You could copy it. You could take it.
MR. STEWART OF UTAH: All right. So I think that's one of the more interesting things that we've learned from you today, again, that there is no evidence it was actually exfiltrated. Is it -- it seems unlikely to me that in the real-time that they're watching these emails that they'd be able to collect the hundreds or thousands that they had but with screenshots or whatever.
MR. HENRY: So there is circumstantial evidence that it was taken.
MR. STEWART OF UTAH: I understand, but not conclusive.
MR. HENRY: We didn't watch it happen. There's not a network sensor that actually saw traffic actually leaving, but there's circumstantial evidence that it happened.
And, also, the Cozy Bear actor that I mentioned earlier that was in the environment going back to July of 2015, there were many months before we ever got there where data may have --
MR. STEWART OF UTAH: Okay. All right.
MR. HENRY: Again, speculating, but --
MR. STEWART OF UTAH: But you have a much lower degree of confidence that this data actually left than you do, for example, that the Russians were the ones who had breached the security?
MR. HENRY: There is circumstantial evidence that that data was exfiltrated off the network.
MR. STEWART OF UTAH: And circumstantial is less sure than the other evidence you've indicated. Circumstantial evidence is less sure than definitive.
MR. HENRY: So, to go back, because I think it's important to characterize this. We didn't have a network sensor in place that saw data leave. We said that the data left based on the circumstantial evidence. That was a conclusion that we made.
When I answered that question, I was trying to be as factually accurate. I want to provide the facts. So I said that we didn't have direct evidence. But we made a conclusion that the data left the network.
MR. STEWART OF UTAH: Okay. That's fair. But it gives us, kind of, context. Some things are more sure than others. And we appreciate that.
Any evidence that any entity other than Russia had access to the DNC servers?
MR. HENRY: We have no evidence of that.
MR. STEWART OF UTAH: Okay. And then I think this is my last question. CrowdStrike cofounder -- I'm sure he's a friend of yours -- Dmitri Alperovitch, if I'm saying his name correctly, I understand he has a Russian background.
MR. HENRY: Yes.
MR. STEWART OF UTAH: Does that give him insights or background that helps in these types of investigations, or is he far enough removed from that that it doesn't really benefit you?
MR. HENRY: He left there when he was a boy.
MR. STEWART OF UTAH: Oh, okay. So he maybe speaks the language or something else, but no other --
MR. HENRY: Yes, sir.
MR. STEWART OF UTAH: -- no other real benefit. Okay. All right. Mr. Chairman?
MR. CONAWAY: Okay.
MR. STEWART OF UTAH: Thank you. I'm going to have to leave, but, again, thank you for being here.
MR. HENRY: Thank you.
MR. CONAWAY: So the mechanics of Cozy Bear being set up there, they could be watching traffic go across in real-time? Is that the way that works?
MR. HENRY: Yes, sir.
MR. CONAWAY: And the Voice Over Internet Protocol, they could be listening to the conversations like that?
MR. HENRY: Yes, sir.
MR. CONAWAY: Okay. You know there was a body of data ready to go April 22nd, I think you said.
Could that have happened previously during that timeframe and they erased the footprint of that having happened so you just -- or is it --
MR. HENRY: Yes.
MR. CONAWAY: Okay. So you're just aware of that one block that was ready to go, but you can't tell whether it went or not. But as long as they'd been on there, they could have periodically come in and gotten data?
MR. HENRY: Yes.
MR. CONAWAY: Because we didn't have any monitors on it, there wasn't any evidence?
MR. HENRY: Yes.
MR. CONAWAY: Okay. Eric, anything else?
MR. SWALWELL: Mr. Henry, I know it's been about 5 years since you left the Bureau, but throughout the 20-some-odd years that you were an agent, did you ever testify in court?
MR. HENRY: Grand jury.
MR. SWALWELL: Okay. And do you remember ever presenting to the grand jury or being a part of jury instructions that told them that, in the court of law, circumstantial evidence can be treated the same as direct evidence if you believe that circumstantial evidence?
MR. HENRY: Have I heard that been said?
MR. SWALWELL: Yes.
MR. HENRY: Yes.
MR. SWALWELL: And DNA evidence is circumstantial evidence, isn't it?
MR. HENRY: In this case, we reached a conclusion that the evidence -- that the data left the network. That's the conclusion we came to.
MR. SWALWELL: And I just want to be clear, based on the last line of questioning, that you're not saying that circumstantial evidence in this case was weaker than direct evidence. It's just it was only circumstantial evidence that you could rely upon. Is that right?
MR. HENRY: Sir, I was just trying to be factually accurate, that we didn't see the data leave, but we believe it left, based on what we saw.
MR.
SWALWELL: And the report that you provided to the DNC on August 24th, 2016, is there any information that you've learned since that report, based on dumps that have occurred, that inform you any further as to your findings in this case? So, you know, time has passed since August 24th, 2016. Have you learned anything else, based on anything in the public realm, about what occurred?
MR. HENRY: I've heard the U.S. Intelligence Community say that this was Russia --
MR. SWALWELL: Okay.
MR. HENRY: -- after our report was completed.
MR. SWALWELL: But just so we're clear, there's nothing that you or your team have analyzed or looked at from, like, public dumpings by the Russians or Guccifer or WikiLeaks that changes your opinion or has supplemented your opinion?
MR. HENRY: There's nothing that changes our opinion. We stand on our analysis, and we stand on our assessment --
MR. SWALWELL: Great.
MR. HENRY: -- that the Russian Government hacked the DNC.
MR. SWALWELL: I'll leave it at that, Mr. Chair.
MR. CONAWAY: Mr. Henry, thank you so very much. Appreciate that. It doesn't look like we have any other questions, but if we do, we might have to call you back. But thank you. We're adjourned.
[Whereupon, at 4:18 p.m., the interview was concluded.]