The ICA version in the recent DNI documents is a different version (dated January 5, 2017) than the released version (dated January 6, 2017). There were many changes overnight - some substantive.
Before editorializing, I'll laboriously go through comparisons - final version on left, previous day version on right. (I apologize for not marking this on each of the following slides.)
The Jan 6, 2017 version contained a preface entitled "Background... The Analytic Process and Cyber Incident Attribution", not present in the Jan 5 version (as shown). It has two sections.
The first section entitled "The Analytic Process" stated that these assessments "adhere to tradecraft standards".
"On these issues of great importance to US national security, the goal of intelligence analysis is to provide assessments to decisionmakers that are intellectually rigorous, objective, timely, and useful, and that adhere to tradecraft standards."
Now recall the dispute over inclusion of Steele dossier information in the ICA as an appendix and, as we recently learned, as a bullet supporting the assessment that Putin "aspired" to help Trump. Some IC professionals objected to the inclusion of Steele dossier information on the grounds that it did not meet tradecraft standards for inclusion in an ICA. Comey, McCabe and FBI insisted on its inclusion on the grounds that Obama had said to include "everything" - which they interpreted as mandating inclusion of Steele dossier information even though it didn't meet tradecraft standards.
Reasonable people can perhaps disagree on whether this was justified or not. What was not justified was the claim that the inclusion decision complied with "tradecraft standards". It was bad enough to include non-compliant material, but the claim that the included material "adhered to tradecraft standards" was miserably false. The recent Tradecraft Review should have addressed this fault.
The preface also included the following assertion:
"The tradecraft standards for analytic products have been refined over the past ten years. These standards include describing sources (including their reliability and access to the information they provide), clearly expressing uncertainty, distinguishing between underlying information and analysts’ judgments and assumptions, exploring alternatives, demonstrating relevance to the customer, using strong and transparent logic, and explaining change or consistency in judgments over time."
The "past ten years" here refers to the period of time since the savage tradecraft review by the WMD Commission, an excellent report on a previous intelligence failure of similar scale to the Russia collusion hoax as an //intelligence failure// - which it was (even if non-criminal).
They state that "standards include describing sources (including their reliability and access to the information they provide)". Now apply that to the description of the Steele network in the classified appendix (declassified and released in 2020) shown below and transcribed as follows:
"the source is an executive of a private business intelligence firm and a former employee of a friendly foreign intelligence service who has been compensated for previous reporting over the past three years. The source maintains and collects information from a layered network of identified and unidentified subsources, some of which has been corroborated in the past. The source collected this information on behalf of private clients and was not compensated for it by the FBI".
This description does not remotely comply with the warranty in the Preface. We know that Steele (the "source") had told the FBI that his information was funneled through a "Russian-based sub-source" who Steele refused to identify. Steele did however tell the FBI that Sergei Millian was one of the sub-subsources to the "Russian-based sub-source". By mid-December 2016, the FBI had figured out that Steele's "Russian-based sub-source" was Igor Danchenko, an alumnus of U of Louisville, Georgetown and Brookings Institute, who lived in northern Virginia and had an American-born daughter. A fulsome description of sources IN ACCORDANCE WITH THE WARRANTY IN THE PREFACE would have included these details and more.
It would have also stated that the FBI planned to interview the Primary Sub-Source as soon as possible. Given the importance of the document, the obvious question from any sane reviewer of the draft ICA would be: "uh, why don't you interview Steele's Primary Sub-Source right now? Today?" "And, by the way, why are you saying that he is 'Russian-based' when he lives in northern Virginia?"
If the reviewers had known that Steele's Primary Sub-Source had lived in northern Virginia and was available for interview, maybe they would have said: "uh, maybe we should hold off this ICA until we talk to Danchenko. This is a big document, maybe we should do some due diligence". But they weren't given that option, because Danchenko's location in northern Virginia was concealed from them. The warranty in the prefatory Background was false.
Subsequently, a few weeks later, when the FBI interviewed Danchenko and he revealed that there wasn't any "layered network" and that the key allegations were based (at best) on an anonymous phone call and that many of the sourcing claims in the dossier were untrue, the intelligence community had an obligation to fess up. To retract their claims about the Steele dossier, which, by the end of January, had emerged in public consciousness as the driving predicate of the Russia collusion investigation. Once the FBI knew that the sourcing claims were fraudulent, they had an obligation to disclose that to the rest of the IC and to publicly disown the Steele dossier, which had become important to the public precisely because of its endorsement in the ICA.
The Jan 6, 2017 prefatory Background also contained assertions about cyber incident attribution. Don't forget that the ICA firmly declared that the Russian GRU was responsible for the DNC and Podesta hacks, Guccifer 2 and dcleaks. But did so without producing the evidence. (In making this statement, I am not saying that their assessment was wrong, only that the ICA didn't include evidence of its correctness.)
The ICA boldly stated the following: "Every kind of cyber operation—malicious or not—leaves a trail."
In December 2016, CrowdStrike's Dmitri Alperovitch was brashly asserting "We caught them in the act". But in May 2020, long after public interest had moved on, when the December 2017 testimony of CrowdStrike’s Shawn Henry was belatedly released, Henry stated that CrowdStrike didn't actually observe the exfiltration of the DNC emails.
"There's not a network sensor that actually saw traffic actually leaving …We didn't have a network sensor in place that saw data leave. We said that the data left based on the circumstantial evidence. That was a conclusion that we made."
If CrowdStrike wasn't able to observe the exfiltration, then was it correct for the ICA to assert that "every kind of cyber operation leaves a trail" if they were not in possession of the DNC email exfiltration trail? Or maybe they were and haven't published it. But, if so, why wouldn't Shawn Henry have said so?
a lot more tomorrow
@walkafyre notified me of a confusion in my nomenclature (and my understanding of the structure). There were THREE versions of the ICA, not two. The "compartmented" version dated December 30, 2016; the "classified" version dated January 5, 2017 and the "unclassified" version dated January 6, 2017.
The "compartmented" version is the one with details and footnotes. The January 5 version that is in the recent documents is the "classified" version as declassified. And the January 6 version is the "declassified" version.
I'll be describing the differences between the classified and unclassified versions tomorrow, but the differences, while interesting, are not nearly as substantial as one would expect. There aren't any footnotes or details even in the "classified" version.
//For actual details, it's the COMPARTMENTED version that needs to be declassified.//
I'm going to show a long series of comparisons of the Jan 6 Declassified version versus the Jan 5 "Classified" version. The Compartmentalized version remains withheld.
The section on Scope and Sourcing doesn't actually contain any information on "Sourcing" in either version. Recall that the prefatory Background stated that "[tradecraft] standards include describing sources (including their reliability and access to the information they provide), clearly expressing uncertainty". However, if one looks for descriptions of Sourcing in the section entitled "Scope and Sourcing", there aren't such descriptions.
The Jan 6 declassified version contains one additional paragraph to the Jan 5 classified version saying "This report is a declassified version of a highly classified assessment. This document’s conclusions are identical to the highly classified assessment, but this document does not include the full supporting information, including specific intelligence on key elements of the influence campaign."
However, as previously observed, the Jan 5 "classified" version doesn't contain "the full supporting information, including specific intelligence on key elements of the influence campaign" either.
Those details are presumably in the Compartmentalized ("highly classified") version that remains withheld. As readers will observe in this series of comparisons, the Jan 5 "classified" version is little more informative than the Jan 6 declassified version. It's the Compartmentalized version that needs to be declassified and released to the maximum extent, if clarity is to emerge on this affair.
Here's what the section on Scope and Sourcing actually says about Sourcing. Both versions are almost identical.
They observe that "many of the key judgments" come from "multiple sources that are consistent with our understanding of Russian behavior". They say that "insights into Russian efforts—including specific cyber operations— ... derive from multiple corroborating sources."
This generic language clearly falls well short of the tradecraft standard declared in the Background: "describing sources (including their reliability and access to the information they provide), clearly expressing uncertainty, distinguishing between underlying information and analysts’ judgments and assumptions".
Further, this warranty does not appear to apply to one of the key assessments - that Putin "aspired" to help Trump get elected. That assessment appears to be based only on Brennan's supersecret source plus the fabricated Steele dossier information falsely attributed to "Millian".
This next slide is pretty interesting as there are important differences between the Key Judgments in the classified and declassified versions. Readers are invited to wonder why.
The most interesting difference is the judgement that was excluded from the Jan 6 Declassified version as follows:
"We assess that Moscow refrained from the full spectrum of actions it could have taken to influence the US election. We judge that the Kremlin could have disclosed additional material and could have conducted attacks on electoral infrastructure in the runup to and on Election Day."
Why was this key judgement excluded from the public reporting? This seems like a very big deal and puts the affair in a much different light. On multiple counts.
If the "Kremlin" "aspired" to help Trump get elected, why would they have held back additional material - some of which, as we have recently learned - appears to have been MUCH more damning than the rather anodyne (including mostly useless) material that was released?
And doesn't the conclusion - that the "Kremlin" "could have conducted attacks on electoral infrastructure" but didn't - rather contradict the assertions of totally secure infrastructure, as well as casting some doubt on exactly what was going on?
The other difference between the versions arises in the description of confidence in the key "Putin aspired" assessment. The classified version added: "CIA and FBI have high confidence in this judgment based on sensitive information not included in this version of the assessment; NSA has moderate confidence in this judgment based on the same sensitive information. NSA’s confidence in this judgment would be elevated to high with additional corroborating sources."
The validity of the "sensitive information not included in this version of the assessment" used to arrive at the "Putin aspired" judgement remains a primary issue. We now know that the Steele dossier was the second bullet to "justify" this assessment in the Compartmentalized version and the third and fourth bullets were interpretations of open source information that could be interpreted differently.
But why would these sentences be removed in the public version? Did they want to avoid showing the narrow support for this key assessment?
