Obstruction of Justice Page 5
The Harvard-educated and somewhat nerdy Ramsey had been asked this before, and those who’d heard him knew his answer always came down to the arcana of technical terms. He’d explain that the academic definition of hacking required two things: breaking in and then escalation, a term that meant moving from one user account with minimal privileges to a higher-level one. The Awans were House employees and had access to the servers, so there was no break-in, and as IT administrators they already had super-user accounts, so there was no “escalation.” Then he’d go on, in his bumbling manner, explaining that this was more accurately described as an “insider threat” every bit as severe.
He was a behind-the-scenes kind of guy and these kinds of meetings with political powerhouses made him nervous. He told the attendees, “No, this isn’t hacking.” Though he had more to say, someone else interjected. That seemed to be all they needed to know, and the meeting was quickly adjourned. Ramsey quit his job not long after in August 2017, leaving the House with no chief information security officer at all. What lingered was the misleading impression left by this truncated version of a pedantic answer.
It was one a savvy operator could elicit from Ramsey as if by pulling a string.
* * *
In early October 2016, Theresa updated the Paul Ryan-Nancy Pelosi crowd with a briefing which had no purpose other than to shout: “Everything I told you about is still going on! They’re still on the network! It’s only gotten worse!” Under a header one word longer than the last briefing—“CONTINUED UNAUTHORIZED ACCESS”—Theresa told the leaders that “during September 2016, shared employees continued to use Democratic Caucus computers in anomalous ways,” logging in using seventeen different accounts that they had no business using, including “credentials [that] belonged to members.” There was no doubt that rules were being broken.
Worse, there was “possible storage of sensitive House information outside the House.” Files were being copied to Dropbox, which uploaded them to cloud servers and synced them with external devices. Dropbox was not permitted in the House, so this was a secret account and out of authorities’ control. It is a “classic method for insiders to exfiltrate data from an organization,” the presentation said. Not only did files appear to be aggregated from various congressmen’s computers onto the House Democratic Caucus servers, files were jumping from that server onto the internet. Theresa and her investigators could see the lists of folders and files. “Based on the file names”—one of which was “credentials”—“some of the information is likely sensitive.”
Without looking at the files themselves, no one could know exactly how severe the breach was. “We have not been permitted to view content of the files on these workstations,” Theresa reminded the House leadership.
Theresa was not a political person. She had been appointed by Nancy Pelosi and retained by Speaker Ryan. She was there because every training session, textbook, and professional development course underscored that the actions she discovered were against every tenet of basic cybersecurity practice, and hallmarks of exactly the type of nefarious behavior she was sworn to sniff out. She was there to do her job, and her job involved protecting the United States of America.
But for members of Congress, politics was always at the forefront. Democrats wanted to protect the United States of America too, and to them, that meant protecting it against what they felt was the inexperienced and rash personality of Trump, who they couldn’t imagine having possession of the nuclear “football.” This obviously concerning breach wasn’t happening in isolation. The very words “emails” and “servers,” when combined with the word “Democrat” were radioactive. Even though Democrats appeared to be the victims of these IT aides, the disclosure of this scandal would be an embarrassment for the Democratic Party.
For months, some of the most tenacious and barbed press coverage of Hillary Clinton’s presidential campaign revolved around her homemade email server, run for a time out of a bathroom. In some instances, classified information was stored on the server, which lacked the high-grade firewalls necessary to prevent hacking from foreign powers. Clinton had elected to use this server anyway because it allowed her to dodge oversight from Congress or from journalists who could otherwise seek her official emails under the Freedom of Information Act.
Then there were the separate hacks of both the Democratic National Committee and the personal email of Clinton’s campaign chair, John Podesta. The Democrats had a PR strategy in the works: pivot from the embarrassing content of the emails exposed by the DNC breach to the fact that the disclosure was a crime inflicted by foreigners. If America’s focus could be turned to a common enemy—and Russia, with its communist history, seemed to make a particularly viable enemy for conservatives—then Americans of all stripes might actually band together against this outsider. One who, the storyline went, wanted Trump to win. The result would be sympathy for the victimized DNC and antipathy for Trump.
But adding another Democratic cyber scandal to the list so close to the election, this time in the House, seemed to conjure a version of every father’s admonition: hack me three times, shame on you. Hack me four times, shame on me. It begged the question: how could the highest-level officials of the world’s most advanced nation be so sloppy?
Worse, the Awan breach was eerily similar to the DNC hack. First, they happened at the same time. Second, the House breach involved the House Democratic Caucus, a group that voters could not be expected to differentiate from the Democratic National Committee. Lastly, both involved Representative Debbie Wasserman Schultz, who chaired the DNC until she resigned because of the fallout from the WikiLeaks breach, and who was one of Imran Awan’s earliest and most supportive employers. Though everyone in the room assumed the two incidents to be unrelated, as political operators, they knew the truth didn’t matter so much as the public perception. If it got out that Representative Wasserman Schultz’s IT aide hacked the House, the average swing-state American would very likely conflate that with the DNC breach. The “Russia” narrative would be diluted to a more complex one about various hacks, at best.
The House scandal involved Pakistani nationals, and some of their employers, like Representatives Yvette Clarke, Hakeem Jeffries, and Andre Carson, were among the most vocal in denouncing Donald Trump’s plans for “extreme vetting” of immigrants from largely Muslim countries. The idea that Democrats had been victimized by Pakistani-born staffers after failing to vet them might make some Americans feel that Trump was right, and that could not be tolerated.
It might seem unbelievable that anyone would fear bad publicity more than the consequences of leaving malicious actors on a sensitive network, but Democrats had made the exact same calculation weeks before. The DNC had found that the Fancy Bear malware, which included an IP address registered to a company in Pakistan called CrookServers, had hopped over from the Democratic Congressional Campaign Committee, or DCCC. As the New York Times reported: “Though DNC officials had learned that the Democratic Congressional Campaign Committee had been infected, too, they did not notify their sister organization, which was in the same building, because they were afraid that it would leak.”4 And just as Democrats were thwarting a vigorous investigation into the Awans, Wasserman Schultz had forbidden the FBI from taking the DNC server as evidence, preferring to have a private company present their analysis of the hack to the Washington Post.
If the Democrats had much to lose from the exposure of the Awan scandal, President Trump had something to gain. It was early October and Trump was lagging in every poll. Paul Ryan had just been given information about a cybersecurity breach in the House that reflected very badly on the Democrats. But Ryan, like many Republicans, was unenthusiastic about Trump. Privately, he called Trump a “joke,” and three weeks before the election, he told Republican members of Congress to jump ship and distance themselves from Trump. Some speculated that Ryan looked forward to a Clinton victory in 2016 so that he could run against her in 2020.
Even if this were a small company selling paperclips rather than the U.S. Congress in the days before a major election, the aides’ removal would be following the most basic cybersecurity practices: ban them immediately. Put them on paid leave if you’re concerned about due process. Ninety-nine times out of one hundred, when activity like this was detected, the systems administrators responsible wouldn’t last a day.
On the other hand, didn’t the politics of it all call for special sensitivity? The FBI’s director, James Comey, had been faced with similar decisions about how much to say about his ongoing investigation into Clinton’s email practices, and he had gotten pilloried for his choices. After all—putting out of mind that it was the leaders’ foot-dragging that led to this result—so much was still unknown. Quiet law enforcement action that could stem any damage without making the incident public was not an option. The arrest or forcible removal of a group of five people from the House network would almost certainly make the news. Would Ryan take decisive action by ordering immediate arrests, which would no doubt have the side effect of creating an October surprise? Or would he leave his institution open to an ongoing infiltration of unknown severity?
Ryan chose the latter. He was prepared to let Republicans lose the White House while Democrats talked nonstop about cybersecurity. He sat on findings that, coupled with the Democrats’ response, seemed to expose those laments as empty posturing.
The systems administrators would stay on the network.
Still, something had to be done. The Office of Inspector General had a mandate to conduct exactly this type of probe, and Theresa was by far the House’s most knowledgeable cybersecurity expert. Democrats knew that, but they’re also masters of political posturing. They said: why not take the investigation away from the IG and refer it to the police? It gave them a sound bite that was hard to argue with: we referred it to law enforcement, what more could we do?
But it was not an escalation. In previous cases, the IG had worked directly with the FBI and prosecutors. But when Democrats said “police,” they meant the Capitol Police who man the metal detectors at congressional office buildings and whose mission is to protect members, not cause problems for them. As part of the legislative branch, they’re beholden to the House leadership, not the Department of Justice.
The day a lone Capitol Police officer met with Theresa to conduct the hand off, he joked about how little he understood about computers. “This is the case I’m going to get fired over,” he grumbled. He was wrong. It was Theresa who would soon be out of a job.
FIVE
PANIC
(ELECTION DAY 2016 TO INAUGURATION DAY)
Democrats everywhere assumed Hillary Clinton would be the certain victor in November 2016. But she did not win, sending D.C. into turmoil. No one was scrambling as frantically during that period as the Awans, who appeared to be so worried about what a competent investigation would find that they were making plans to flee the country.
AshLee Strong, a spokeswoman for Speaker Ryan, would tell me a year later that the purpose of leaving the Awans on the House network for so many months after cybersecurity violations were detected was to conduct a sting. “The [Capitol Police] requested that the shared employees be allowed to continue to use their IT credentials until February because they didn’t want to tip off the employees,” she said. There was just one problem. Even if it was somehow reasonable to let a cybersecurity breach of unknown severity continue through the election in order to catch them in the act, the Awans already knew about the investigation.
Jamie Fleet’s garrulous and gossipy assistant, Eddie Flaherty, told people that Abid Awan was popping in to see Jamie on a regular basis about how he was under investigation. Not only that, but as part of the Representative Clarke investigation, Abid had been forced to answer questions.
On September 7, 2016, as the House investigation was in full swing, Imran flew to Pakistan. He was there for months, but all of his House employers kept paying him anyway, and server logs showed that he and his relatives were still logging into congressional computers. While Imran was in Pakistan, his wife Hina began liquidating their possessions. She listed possessions, such as a piano, for sale online. The couple also owned a rental property a block away from their residence, and on November 1, 2016, Hina “sold” it to Imran’s brother Jamal. It netted a handsome sum in quick cash, as the house was sold at a high price, and almost all of Jamal’s money was financed by a mortgage company, a scenario banks would virtually never permit for a rental property. The house was rented by a military family. The wife told me Imran is “a very charming guy, charismatic, you’d like him. He’s brilliant, he’s very smart, knowledgeable about everything.” But when it came to money, his behavior was suspicious. “I would write the rent to all sorts of different people,” or pay in cash, she said. The November sale seemed to be on paper only. She never met Jamal, and when Imran later had her sign a new lease with Jamal’s name instead of his, something was different. “He was desperate for us to sign with Jamal. He was a very different person than we’d met two years ago. If he killed himself, I wouldn’t be surprised,” she said. Imran’s daughter was friends with their child and in the same class at school, and out of the mouths of babes, something slipped: the youngest Awan told her friend she was moving to Pakistan.
* * *
On November 18, an eviction notice was issued against an apartment rented in Imran’s name in the slums of Alexandria, Virginia. It was the home of his second wife, Sumaira. He stopped paying her rent after she called police and said Imran kept her “like a slave.” Sumaira was granted a restraining order against Imran, with a judge ruling that “either the petitioner is in immediate and present danger of family abuse or there is sufficient evidence to establish probable cause that family abuse has recently occurred,” where “family abuse means any act involving violence, force, or threat that results in bodily injury or places one in reasonable apprehension of death, sexual assault, [or] bodily injury.”1
On December 9, Imran returned to the United States after being accused of unrelated fraud in Pakistan. Three days later, he approached the Congressional Federal Credit Union to take out a home equity line of credit against one of Hina’s several rental properties. The bank approved because the application said it was for “home improvement,” which meant the bank’s equity would be enhanced. He filled out the form impersonating his wife, though he listed his House phone number and personal email as contact information. The bank didn’t offer lines of credit against properties used as rentals, so a signed affidavit was submitted swearing that the property was Hina’s principal residence.
The application acknowledged that the couple owned a different property that they did rent out, a small run-down townhouse in Alexandria, which he said brought in $1,650 in rental income. But the couple’s jointly-filed tax returns, included as part of the application, showed that they had not paid taxes on any rental income. On January 3, 2017, the loan officer wrote to Imran asking him to explain this apparent tax fraud. Imran responded: “Property was not on my 2014 and 2015 tax returns as a rental because it was not rent out during those years. Regards, Hina Alvi.” As evidence, he enclosed a lease claiming it had been rented out to someone named Suriyah Begum on March 1, 2016. Imran was in a hurry to get the money. Two days later, he wrote: “When will you have an answer on both of our HELOC approval? And what are the soonest closing dates please?” On January 12, the loan went through.
The evidence was fake. Suriyah Begum is Hina’s mother, and she did not live in the apartment. A young black couple told me they were paying $1,800 a month in rent for the property and had been since 2014. The vacancy had opened up for them after some drama with Imran’s last tenant. “The lady living here before us, he said she fled, and he was going to take her to court. She said it was because he was a creep and involves his whole family,” the current tenants said. They soon found their own situation to be similar. Imran took extensive and frequent trips to Pakistan, during which they would deal with Hina. They had to do their own repairs and drive rent payments to Imran across the county in Lorton. Like the other tenants, they said instead of traceable payments, “he only wants cash—security deposit, everything.”
Imran’s intense hunger for money is why they found it so suspicious when, around the election, Imran tried to evict them with two weeks’ notice so that he could sell the house at a fire-sale price. “He was gonna make us move out in two weeks, and he wanted $110,000 for the apartment. Now he wants $200,000,” they told me in March 2017. It went on the market again after a strange call they got in February. Imran “called me and said he lost his job. But I looked at the caller ID and I said, ‘then why does it say he’s calling from the House of Representatives?’ ”
When the renters saw Imran next, something was different. “He said ‘life is changing, I’ve realized the importance of life.’ He saw two holes in the wall and said, ‘don’t worry,’ something he never would have said before.” His kindness was coupled with one demand: Imran ordered the couple not to cooperate with any law enforcement, should they come around asking about him.
On January 5, the Awans’ stepmother called the Fairfax County police on the Awan brothers, saying they were preventing her from seeing her husband in the hospital. On January 16, the Awans’ father, Muhammad, died of cancer in the hospital in Reston, Virginia, and Jamal, his youngest son, filed a death certificate falsely swearing that Muhammad was divorced. The next day, Abid removed their stepmom as the beneficiary of Muhammad’s life insurance policy and replaced her with himself, then filed a claim for the $50,000.