Donald Trump may have left himself an out today when he urged Russian hackers to find 30,000 emails deleted by Hillary Clinton from her private server.
“Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing,” Trump said during a press conference in Florida. “I think you’ll probably be rewarded mightily by our press. Let’s see if that happens.”
Ed McAndrew, a former federal cybercrime prosecutor and partner at law firm Ballard Spahr, said Trump walked right up to the line on soliciting a serious federal crime.
“He says, ‘I hope…’ and those words would give him some wiggle room if the FBI were to knock on his door,” McAndrew said. While it’s unclear whether Trump’s statements put him in immediate violation of the Computer Fraud and Abuse Act (CFAA), 18 U.S. Code 373 spells out penalties for the solicitation of a crime should hackers follow his heed. Since the contents of the emails are unknown and could contain sensitive personal or financial information, hacks occurring as a result of Trump’s solicitation that lead to information disclosure or damage to protected computers would also likely fall under the CFAA.
“We’re no longer talking about disclosing contents and information of political interest, we’re talking about the disclosure of sensitive information that is protected by law,” McAndrew said.
Dear god: Trump explicitly invites a foreign power to hack a US Secretary of State's emails. This is insane. https://t.co/GjX5nmhGNi
— Kevin Bankston (@KevinBankston) July 27, 2016
Trump’s statements come one day after President Obama signed Presidential Policy Directive 41 (PPD-41) outlining the country’s cyber incident coordination plan. PPD-41 also comes with an incident severity schema, rating incidents 1 (low) to 5 (emergency); a level 3 high rating, for example, would be an incident resulting in a demonstrable impact to public health or safety, or national security, economic security, foreign relations or civil liberties. The FBI would be the lead investigatory agency in any such related incident.
The statements by the Republican party’s presidential nominee also come on the heels of allegations by the U.S. government that Russian government-sponsored hackers are behind attacks against the Democratic National Committee that resulted in the theft of emails and strategic research by the DNC on Trump.
Security companies Crowdstrike, Fidelis and ThreatConnect this week connected the dots on the DNC hack and said two APT groups, APT 28 and 29, allegedly aligned with Russian intelligence, were behind the attacks. The allegations shoot down theories that the attacks were carried out by a single individual named Guccifer who had claimed responsibility.
“This is unprecedented, as far as I know, that someone of this stature, a presidential candidate and owner and operator of hotel chains that have suffered successive cyber attacks, encouraging a foreign country to commit computer crimes against a U.S. citizen,” McAndrew said. “This is astounding and appalling, putting all politics aside, that anyone would do that particularly as we are in the midst of a cybercrime epidemic in this country. The fact he’s making these comments in the context of publication of stolen data is really something that’s significant.”