NSA could hold 'smoking gun' in DNC leak

If Russia hacked Democratic computers, the spy agency likely knows and will tell the FBI.

The political world is intensely focused on the FBI investigation into the suspected Russian hacking of Democratic National Committee emails, but the real smoking gun that could link the hack to Moscow is more likely found in the vast data troves of the National Security Agency.

While private sector cybersecurity specialists have gathered evidence pointing to Russia as the source of the hack, the U.S. Government has unique abilities to confirm such a finding, including sometimes being able to identify specific foreign government agencies or even individuals as responsible for the hacking, experts said.


"Private firms are really good at forensics, but the federal government has other tools," former NSA Director Michael Hayden said in an interview Wednesday. "It's not just following the breadcrumbs to the actual crime. It's broader intelligence collection: what someone may have been planning, what they were planning to do with it after, fingerprints on how the information was forwarded ... It's not just forensics."

"It's the difference between being able to examine the crime scene and being able to conduct a wiretap," said former National Security Agency lawyer Susan Hennessey, now with the Brookings Institution. "You can learn a lot at the crime scene and maybe even solve the crime [but] intelligence authorities allow you to listen to people ... potentially gathering the kind of smoking gun evidence you need for this kind of attribution."

Whatever information the NSA has on the DNC hack is not likely to emerge from the spy agency directly but to be compiled by the FBI. Whether to call out the Russians directly will be up to the White House. Criminal charges are always a possibility, as well, although the chances of actually putting suspects on trial are remote.

At a cybersecurity conference in New York City Wednesday, FBI Director James Comey was mum about the DNC hack, but defended the value of the so-called name-and-shame approach.

"If we can't lock them up, we have to call them out," Comey said.

One very prominent former NSA contractor, Edward Snowden, has already said he believes that spy agency’s snooping programs would “certainly” have spotted the DNC data as it made its way to Russia, if that’s what happened. It’s even possible the U.S. Government has some knowledge of internal Kremlin discussions about the hack, through surveillance or human sources, former intelligence officials say.

"Even if the attackers try to obfuscate origin, #XKEYSCORE makes following exfiltrated data easy. I did this personally against Chinese ops," Snowden tweeted Monday.

Records Snowden took from the NSA that have not yet been published show the spy agency hard at work trying to trace cyber intrusions and thefts, according to an author and journalist who had access to the archive of data Snowden copied while working for an NSA contractor in Hawaii.

"A lot of the stuff shows the NSA looking into the origins of some of these attacks," said Jim Bamford, whose 1982 book "The Puzzle Palace" was the first widely read history of the agency. "One slide [in the Snowden collection] shows NSA ramping it up to plant up to a million or more implants in computers around the world. When you put an implant someplace it captures where something is coming from ... If you have a million pieces of malware all around the world in key locations, it could trace back where an email came from."

The NSA will be able to compare signatures of the DNC hacks against a broader set of existing data than private security firms have access to, experts said.

In addition, the NSA may have intercepted and stored evidence of foreigners trying to get into the DNC systems, data being pulled out of those systems, or someone forwarding the data on to WikiLeaks, which released the emails and other records on the weekend before this week's Democratic National Convention.

Hayden declined to discuss the NSA's specific capabilities in this area, but said that sifting back through the recorded data is a frequent part of this kind of sleuthing. "It is routine for something that happens to then illuminate the data you already possessed in the past, whose meaning was not obvious," he said.

The NSA's ability to trace or, in government-speak, "attribute" cyberattacks has become pretty sophisticated, although it's far from perfect, experts said.

"They've been doing this ever since the beginning of the Internet," Bamford said. "That doesn't mean they can't be fooled, but NSA does a pretty good job of locating the origin or attribution of a lot of these attacks."

So far, President Barack Obama has been cautious about apportioning blame for the hack.

"I think the FBI's still investigating. I know the experts have attributed this to the Russians," Obama told NBC's "Today." "What we do know is the Russians hack our systems, not just government systems, but private systems, but what the motives were in terms of the leaks and all that, I can't say directly. What I do know is that Donald Trump has repeatedly expressed admiration for Vladimir Putin."

One former U.S. national security official said he doubted Obama would have mentioned the Russians at all unless he had some official indication they were involved. "He wouldn't make a statement like that, even attributing to experts, without him having some reason to think it's true," said the ex-official, who spoke on condition he not be named.

A policy directive Obama issued Tuesday further clarifies how the U.S. Government responds to cyber incidents. The FBI is the key agency for on-the-ground "threat response," with the intelligence community in a supporting role. Officially, the task of "providing attribution" appears to be assigned to the FBI.

An NSA spokesperson did not respond to a request for comment on the agency's role in the DNC investigation. A Director of National Intelligence official referred requests for comment to the FBI, which offered a statement confirming its ongoing probe.

"The FBI is investigating a cyber intrusion involving the DNC and are working to determine the nature and scope of the matter. A compromise of this nature is something we take very seriously, and the FBI will continue to investigate and hold accountable those who pose a threat in cyberspace," an FBI spokesperson said.

Pointing the finger at Russia publicly will be the easy part, though, compared to the question U.S. officials are certain will come next: How do you know that?

That’s where things really get messy, because explaining how the U.S. Government zeroed in on suspects can expose sources and methods and compromise the ability to do the same thing again in the future. Even publicly making the claim that a specific country did it can set in motion a series of events in which some sophisticated or sensitive U.S. capabilities get made public, experts say.

Intelligence officials got a vivid lesson to that effect when they publicly blamed North Korea for the 2014 hack into confidential files at Sony Pictures. Many in the private cybersecurity realm were skeptical and publicly challenged the U.S. attribution. The FBI eventually released more detailed information about the reasons for the attribution.

"Their credibility depended on it and essentially their hand got forced," Hennessey said.

If the Russians are culpable for the DNC hack (or hacks), detailing why the U.S. thinks that could limit our insight the next time Russia tries something similar.

"In a case where information was exchanged through a single channel, people who are sophisticated can determine that's how it was made public," Hennessey observed.

While many in the political world are breathless about the DNC hack and the possibility of Russian involvement, those immersed in the world of intelligence don't find the act shocking or much different than things the U.S. has done over the years, vacuuming up information and using it for political advantage.

"We don't come in here with clean hands," Bamford said. "A lot of stuff is being intercepted all the time everywhere ... This goes on all the time. The only difference here is there was a publicized leak."