Along with charges of “fake news,” leaks have become the watchword of the Trump administration's offensive against the news media and are what some Republicans have said are distracting from the president's agenda to overhaul immigration policy, repeal the Affordable Care Act and ramp up the fight against the Islamic State.
Leaks have been at the heart of explosive news stories, from the firing of James B. Comey as FBI director to the transcripts of Trump's calls with the heads of Mexico and Australia, published Thursday by The Washington Post.
Attorney General Jeff Sessions said Friday that the Justice Department has more than tripled the number of leak investigations compared with the number that were ongoing at the end of the last administration. He has directed Deputy Attorney General Rod J. Rosenstein and FBI Director Christopher A. Wray to actively monitor every investigation and instructed the Justice Department's National Security Division and U.S. attorneys to prioritize such cases. The Justice Department will also create a new counterintelligence unit in the FBI to manage the work.
“I think it's easier to figure out who's leaking than some of the leakers realize,” Conway said.
She did not respond to questions about the progress of leak investigations or the methods the FBI and the Justice Department might use to find and prosecute alleged leakers.
How exactly would these investigations play out? The Post spoke to Jason Smolanoff, a former FBI cyberinvestigations special agent and now a senior managing director at Kroll, a security and risk consultant firm. He ran through some potential methods and offered thoughts on how quickly investigations could produce results.
Step 1: Find a pool of suspects
The first step in broad leak investigations is to start with a pool of staffers who may have come in contact with the leaked information itself.
Some of the information that has leaked, including the transcripts of Trump speaking with world leaders, would probably have been accessible to only a small number of employees at few agencies outside the White House, Smolanoff said. Investigators would re-create a trail from when and where files were created, disseminated and stored on government computers and cellphones.
Then investigators can generate a list of official activity from computer log-ins to give a sense of which users could have accessed sensitive information, and when.
Step 2: Shrink your pool using digital tools
Once a pool of potential leakers is created, investigators use a variety of advanced software to cull the list in what is called correlative analysis, Smolanoff said, which eliminates variables and finds characteristics that can point to suspicious behavior.
Investigators cross-reference data points that link physical location, such as a badge swipe at an office door, to information retrieval, such as computer log-ins and server access. Then anomalies could be introduced, Smolanoff said, such as peculiar hours in the office. That helps build a case to prove where and at what time a person was using government equipment.
All of that collection adds up to a lot of raw data, Smolanoff said, and investigators need help looking for subtle clues among days, weeks or even months worth of activity.
That is where cloud-based software and analytics comes in. Potentially useful analysis tools that Smolanoff said could be used is Splunk, a program that harvests data generated by machines such as browser information, IP addresses and GPS coordinates on smartphones that can be paired with log-in and badge access data to show a specific person or group had taken and transmitted data. The data-crunching software program Hadoop can help compare data sets for large pools of people.
Step 3: Subpoena and grab personal data
Say you now have a small group of people whose activity looks suspicious. That's when investigators trigger subpoenas, court orders and search warrants to zero in on data patterns in their personal lives.
Any kind of tool used to send, receive or retrieve information is on the table to be analyzed with digital forensics, Smolanoff said. In the digital age, the list is seemingly endless: social-media accounts, email, text messaging, location-tracking apps such as Uber, search engine results and so on.
And there is a suspect's personal cellphone, which not only wraps up those digital tools in one place but also can be used to track their location during the window that investigators suspect the breach might have occurred, he said.
Those pieces of data can then be used to plug into the correlative analysis to produce a rich portrait of a suspect's communications and digital activity, both at home and work.
Investigators would scrutinize physical and digital methods by which the leaked material may have been transmitted, Smolanoff said. That would include thumb drives, hard drives, instant messages, photocopies, email attachments, photos and other collections.
Step 4: Question and prosecute
If any leakers are identified, FBI investigators would question their activity and seek confessions.
Smolanoff said he suspects they will face consequences more severe than losing their jobs if they end up convicted. Charges could range from mishandling classified information to as high as treason if a serious national security breach occurred, he said.
There is already a precedent. Reality Winner, a National Security Agency contractor, was charged in June with removing classified information from a government facility and sending it to a news organization, the first criminal charge brought against a leaker during the Trump administration.
She was allegedly among six employees who printed the documents at work but was the only one in email contact with the Intercept, the news outlet that appeared to publish a story based on those documents. The FBI found and questioned her just days after they were notified of the breach, and Winner allegedly admitted she had leaked the documents.
Smolanoff expects similarly swift results from ongoing investigations.
“I don’t anticipate it will take long to find leakers,” he said.
Matt Zapotosky and Devlin Barrett contributed to this report.