The ICA version in the recent DNI documents is a different version (dated January 5, 2017) than the released version (dated January 6, 2017). There were many changes overnight - some substantive.
Before editorializing, I'll laboriously go through comparisons - final version on left, previous day version on right. (I apologize for not marking this on each of the following slides.)
The Jan 6, 2017 version contained a preface entitled "Background... The Analytic Process and Cyber Incident Attribution", not present in the Jan 5 version (as shown). It has two sections.
The first section entitled "The Analytic Process" stated that these assessments "adhere to tradecraft standards".
"On these issues of great importance to US national security, the goal of intelligence analysis is to provide assessments to decisionmakers that are intellectually rigorous, objective, timely, and useful, and that adhere to tradecraft standards."
Now recall the dispute over inclusion of Steele dossier information in the ICA as an appendix and, as we recently learned, as a bullet supporting the assessment that Putin "aspired" to help Trump. Some IC professionals objected to the inclusion of Steele dossier information on the grounds that it did not meet tradecraft standards for inclusion in an ICA. Comey, McCabe and FBI insisted on its inclusion on the grounds that Obama had said to include "everything" - which they interpreted as mandating inclusion of Steele dossier information even though it didn't meet tradecraft standards.
Reasonable people can perhaps disagree on whether this was justified or not. What was not justified was the claim that the inclusion decision complied with "tradecraft standards". It was bad enough to include non-compliant material, but the claim that the included material "adhered to tradecraft standards" was miserably false. The recent Tradecraft Review should have addressed this fault.
The preface also included the following assertion:
"The tradecraft standards for analytic products have been refined over the past ten years. These standards include describing sources (including their reliability and access to the information they provide), clearly expressing uncertainty, distinguishing between underlying information and analysts’ judgments and assumptions, exploring alternatives, demonstrating relevance to the customer, using strong and transparent logic, and explaining change or consistency in judgments over time."
The "past ten years" here refers to the period of time since the savage tradecraft review by the WMD Commission, an excellent report on a previous intelligence failure of similar scale to the Russia collusion hoax as an //intelligence failure// - which it was (even if non-criminal).
They state that "standards include describing sources (including their reliability and access to the information they provide)". Now apply that to the description of the Steele network in the classified appendix (declassified and released in 2020) shown below and transcribed as follows:
"the source is an executive of a private business intelligence firm and a former employee of a friendly foreign intelligence service who has been compensated for previous reporting over the past three years. The source maintains and collects information from a layered network of identified and unidentified subsources, some of which has been corroborated in the past. The source collected this information on behalf of private clients and was not compensated for it by the FBI".
This description does not remotely comply with the warranty in the Preface. We know that Steele (the "source") had told the FBI that his information was funneled through a "Russian-based sub-source" who Steele refused to identify. Steele did however tell the FBI that Sergei Millian was one of the sub-subsources to the "Russian-based sub-source". By mid-December 2016, the FBI had figured out that Steele's "Russian-based sub-source" was Igor Danchenko, an alumnus of U of Louisville, Georgetown and Brookings Institute, who lived in northern Virginia and had an American-born daughter. A fulsome description of sources IN ACCORDANCE WITH THE WARRANTY IN THE PREFACE would have included these details and more.
It would have also stated that the FBI planned to interview the Primary Sub-Source as soon as possible. Given the importance of the document, the obvious question from any sane reviewer of the draft ICA would be: "uh, why don't you interview Steele's Primary Sub-Source right now? Today?" "And, by the way, why are you saying that he is 'Russian-based' when he lives in northern Virginia?"
If the reviewers had known that Steele's Primary Sub-Source had lived in northern Virginia and was available for interview, maybe they would have said: "uh, maybe we should hold off this ICA until we talk to Danchenko. This is a big document, maybe we should do some due diligence". But they weren't given that option, because Danchenko's location in northern Virginia was concealed from them. The warranty in the prefatory Background was false.
Subsequently, a few weeks later, when the FBI interviewed Danchenko and he revealed that there wasn't any "layered network" and that the key allegations were based (at best) on an anonymous phone call and that many of the sourcing claims in the dossier were untrue, the intelligence community had an obligation to fess up. To retract their claims about the Steele dossier, which, by the end of January, had emerged in public consciousness as the driving predicate of the Russia collusion investigation. Once the FBI knew that the sourcing claims were fraudulent, they had an obligation to disclose that to the rest of the IC and to publicly disown the Steele dossier, which had become important to the public precisely because of its endorsement in the ICA.
The Jan 6, 2017 prefatory Background also contained assertions about cyber incident attribution. Don't forget that the ICA firmly declared that the Russian GRU was responsible for the DNC and Podesta hacks, Guccifer 2 and dcleaks. But did so without producing the evidence. (In making this statement, I am not saying that their assessment was wrong, only that the ICA didn't include evidence of its correctness.)
The ICA boldly stated the following: "Every kind of cyber operation—malicious or not—leaves a trail."
In December 2016, CrowdStrike's Dmitri Alperovitch was brashly asserting "We caught them in the act". But in May 2020, long after public interest had moved on, when the December 2017 testimony of CrowdStrike’s Shawn Henry was belatedly released, Henry stated that CrowdStrike didn't actually observe the exfiltration of the DNC emails.
"There's not a network sensor that actually saw traffic actually leaving …We didn't have a network sensor in place that saw data leave. We said that the data left based on the circumstantial evidence. That was a conclusion that we made."
If CrowdStrike wasn't able to observe the exfiltration, then was it correct for the ICA to assert that "every kind of cyber operation leaves a trail" if they were not in possession of the DNC email exfiltration trail? Or maybe they were and haven't published it. But, if so, why wouldn't Shawn Henry have said so?
a lot more tomorrow
@walkafyre notified me of a confusion in my nomenclature (and my understanding of the structure). There were THREE versions of the ICA, not two. The "compartmented" version dated December 30, 2016; the "classified" version dated January 5, 2017 and the "unclassified" version dated January 6, 2017.
The "compartmented" version is the one with details and footnotes. The January 5 version that is in the recent documents is the "classified" version as declassified. And the January 6 version is the "declassified" version.
I'll be describing the differences between the classified and unclassified versions tomorrow, but the differences, while interesting, are not nearly as substantial as one would expect. There aren't any footnotes or details even in the "classified" version.
//For actual details, it's the COMPARTMENTED version that needs to be declassified.//