“Cybersecurity is agnostic to politics.”
As a cybersecurity expert and professional hacker, I can’t tell you how many times I have made this statement on stage, on-air, or simply in normal conversation over the last few years. People ask me why I can’t just hack into “something” to retrieve everything – from Hillary’s emails to the president’s tax returns. While cybersecurity aims to be apolitical, it’s not immune to being involved in political situations. A bombshell New York Post story concerning Hunter Biden’s laptop has thrust cybersecurity into the political spotlight yet again. As the general public begins suiting up in their usual red or blue jerseys, cybersecurity professionals need to step back and examine multiple aspects of this situation – from determining who owned the laptop to judging the authenticity of the materials within it.
On October 14, 2020, the New York Post published a story alleging that Hunter Biden, the son of Vice President Joe Biden, dropped off his personal laptop at a Delaware computer repair shop in April of 2019. The laptop was reportedly brought in with water damage and then never picked up by Biden. The repair shop owner claimed to have repeatedly attempted to contact Biden but was unsuccessful. After that, the repair shop owner said he made a copy of the hard drive and discovered incriminating evidence that Joe Biden, then-Vice President, pressured Ukrainian officials to fire federal prosecutors in addition to cozying up to Burisma, a dubious Ukrainian energy firm. There is also a video of Hunter Biden supposedly high on narcotics and engaging in adult activities with an unidentified woman. According to the New York Post, the FBI obtained the laptop from the repair shop owner in December of 2019 and has said nothing to date regarding the computer’s contents. Additionally, a copy of the hard drive was reportedly given to an associate of Rudy Giuliani.
Let’s walk through some of the questions and concerns from the standpoint of a non-partisan cybersecurity investigation.
Determining the Chain of Custody
Assuming the laptop itself is real and the FBI has it, the first goal of a cybersecurity expert should be to validate its ownership. In other words, that means verifying that the laptop does indeed belong to Hunter Biden and is not a forgery. The repair shop owner himself stated he wasn’t sure it was Hunter Biden who dropped it off, which means that the Chain of Custody starts with this person. This complicates the situation because there is a possibility that the laptop came from somewhere else – including the owner himself. The owner has made conflicting statements to reporters, further compounding doubts.
Most organizations have IT personnel – either outsourced or in-house – who handle the asset management of their technology. If the laptop was purchased through an employer of Hunter Biden – such as the Beau Biden Foundation – it would have a serial number from Apple that the organization’s asset records could identify as its own. Most IT personnel can easily find who a laptop is assigned to thanks to asset management. If the Foundation’s responses are suspect, then contacting Apple directly regarding the computer’s registration records is another avenue of confirmation.
Separately, if this was a laptop personally owned by Hunter Biden and not by a company, he most likely had access permission to those companies’ systems, putting the computer into their network ecosystem. Records of that access can be used to identify personal devices outside the company-registered fleet and traced back to him.
Look at the Settings
Beyond determining the laptop’s chain of custody, its configuration needs to be compared to the Beau Biden Foundation’s standards and practices. Uniformity is the key to a well-run technological infrastructure. Many organizations have standard data security policies that apply to both the users and their technologies. If the proper procedure for repair at the Foundation was to turn a device over to the IT team, then why did this laptop go to a repair shop on its own? Did this repair shop do all of the repair work for the Foundation? And if not, then why were they engaged for a single laptop?
It is possible that the Foundation played very fast and loose with their standards, but then that should be rather apparent throughout the history of the Foundation during this period. Vice President Biden would have been rather plugged into the national cybersecurity implications that his Foundation would have faced, especially given his prominent Executive Branch position. Top-tier national cybersecurity experts would have been advising both President Obama and Vice President Biden.
The Foundation would not be as secure as an entity like The White House. Still, if the Foundation lacked serious data and cybersecurity standards, then that itself would be eyebrow-raising to professionals like me. It’s also possible that Hunter Biden himself dropped this laptop off at the repair without being identified due to the deeply personal nature of the video that was allegedly found; however, without confirmation from the repair shop owner (who couldn’t recognize him), this too is speculation.
If the Foundation integrated uniform defensive technologies into their computers, then a comparison of the software in use on the laptop would help bolster the claim that the laptop was legitimately from the Foundation or even personally owned by Hunter Biden. Many organizations use Mobile Device Management (MDM) or Remote Monitoring and Management (RMM) to maintain their fleet of computers and devices. Such tooling forces the device or computer to phone home to a cloud service to “check in,” and those check-ins could easily be traced back to the Foundation. Many organizations also use full disk encryption solutions to prevent access to the data in loss or theft cases.
If the laptop’s cybersecurity configuration matches the Foundation’s standards, that is a serious indicator that the computer is real and owned by the Foundation. However, it does not validate the laptop’s data as legitimate, which brings us to the third point.
The data on the laptop itself needs to be examined. While repairing a computer, the technician working on it may see something concerning. If the technician stumbles across something criminal, such as child pornography, they are trained to stop working on the computer and notify law enforcement. This is standard practice. Some repair places go one step further and work closely with the FBI. The FBI will pay technicians when they identify illegal material, which motivates the technician to snoop around. In 2018 Best Buy’s Geek Squad was accused of snooping around on personal computers to find something incriminating for the FBI.
Therefore, it’s not outside the realm of possibility that this technician, understood to be the repair shop owner, worked under the same standards, went looking deeply into the laptop, and found what is being reported publicly. However, since we don’t have a transparent Chain of Custody and don’t understand the Foundation’s standards and practices, the data discovered on the laptop that has appeared in the news is automatically suspect. That statement is reinforced by how cybersecurity forensic examinations happen.
Consider the following points: The world knows of at least one copy of the alleged data on the laptop – Rudy Giuliani’s copy. The FBI supposedly has the computer, as mentioned above, but has not confirmed that the data the mayor has released matches the laptop. This means the world is using a single unconfirmed source as a significant point of political contention, which should terrify anyone who understands the implications of this.
The data needs to be verified. One way of doing that is through emails. The New York Post article shows an alleged email to Hunter Biden’s Rosemont Seneca email address. Emails have transaction IDs that can be tracked to originating sources. Rosemont Seneca no longer exists, as BHR Partners absorbed it in China. A quick routing check shows that Rosemont Seneca’s internet domain no longer has email routing; however, they would have fallen under various U.S. compliance standards, most likely including SEC compliance. This means that they were required to retain data for years; otherwise, they could face legal action from the government along with fines and worse. The message headers included with the email – not shown by the New York Post – would allow investigators to trace the messages and confirm authenticity. So far, we have no independent verification of anything happening on that front.
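To make concrete what “tracing the message headers” involves, here is an added example (not from the article, and not a real email): it parses a constructed message, walks the Received chain from origin to inbox, pulls out the Message-ID, and checks whether a DKIM signature was present. Every hostname, IP address, selector and ID in the sample is a placeholder invented for this example.

```python
"""
Added example: what an investigator can read out of an email's routing headers.
The sample message, hosts, IPs and IDs below are constructed placeholders.
"""
import re
from email import policy
from email.parser import Parser

# Constructed sample. Each relay prepends its own Received line, so the top
# line is the last hop (the recipient's inbox) and the bottom line is the
# earliest hop (closest to the claimed origin).
SAMPLE_RAW = """\
Received: from mx2.example-recipient.test (mx2.example-recipient.test [192.0.2.20])
\tby inbox.example-recipient.test with ESMTP id ABC123;
\tTue, 16 Apr 2019 10:05:01 -0400
Received: from mail.example-sender.test (mail.example-sender.test [198.51.100.7])
\tby mx2.example-recipient.test with ESMTPS id XYZ789;
\tTue, 16 Apr 2019 10:04:58 -0400
DKIM-Signature: v=1; a=rsa-sha256; d=example-sender.test; s=sel1; bh=placeholder; b=placeholder
From: Sender Name <sender@example-sender.test>
To: recipient@example-recipient.test
Subject: Constructed sample
Message-ID: <20190416140455.12345@mail.example-sender.test>
Date: Tue, 16 Apr 2019 10:04:55 -0400

Body text.
"""

# Matches "from <host> (... [<ip>]) by <host>" in one (unfolded) Received header.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:.*?\[(?P<ip>[^\]]+)\])?.*?\bby\s+(?P<by>\S+)"
)


def parse_received(value: str) -> dict:
    """Reduce one Received header to the relay it came from and the relay that
    accepted it. Unknown layouts yield None fields rather than an exception."""
    flat = " ".join(value.split())  # collapse header folding whitespace
    m = RECEIVED_RE.search(flat)
    if not m:
        return {"from": None, "ip": None, "by": None, "raw": flat}
    return {"from": m.group("from"), "ip": m.group("ip"), "by": m.group("by"), "raw": flat}


def trace_headers(raw: str) -> dict:
    """Parse a raw RFC 5322 message and summarise its routing evidence."""
    msg = Parser(policy=policy.default).parsestr(raw)
    hops = [parse_received(str(v)) for v in msg.get_all("Received", [])]
    hops.reverse()  # chronological: earliest relay first
    msg_id = str(msg.get("Message-ID", ""))
    from_addr = str(msg.get("From", ""))
    return {
        "message_id": msg_id,
        "id_host": msg_id.split("@")[-1].rstrip(">").strip(),
        "from_domain": from_addr.split("@")[-1].rstrip(">").strip(),
        "hops": hops,
        "dkim_present": "DKIM-Signature" in msg,
    }


def origin_matches_sender(info: dict) -> bool:
    """True if the earliest relay in the chain belongs to the From domain.
    A mismatch is a reason to dig further, not proof of forgery by itself."""
    if not info["hops"] or not info["hops"][0]["from"]:
        return False
    return info["hops"][0]["from"].endswith(info["from_domain"])


if __name__ == "__main__":
    summary = trace_headers(SAMPLE_RAW)
    for hop in summary["hops"]:
        print(f"{hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("Message-ID:", summary["message_id"])
    print("DKIM header present:", summary["dkim_present"])
    print("Origin relay matches sender domain:", origin_matches_sender(summary))
```

Two caveats follow directly from the article’s point. Received lines are appended by each relay, so only the hops added by servers whose logs an investigator can obtain are evidence; the lines below them are whatever the originator chose to write. And a DKIM header only proves anything once the signature is verified against the signing domain’s published key, which, for a domain that no longer routes mail, may mean relying on the retained records the article says such a firm would have been required to keep.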
Real, Fake, Or Deepfake?
The alleged video of Hunter Biden being high and engaging in adult activities needs an in-depth forensic examination to ensure it is not a “deepfake.” In a nutshell, a deepfake is the use of artificial intelligence to overlay someone’s face onto an image or video and then scan it multiple times, looking to smooth over the little artifacts and other visual clues that make a deepfake video seem “off” in some way. It has been pervasive, prolific, and vastly improving over time. This deepfake video of President Obama from 2018 is rudimentary at best compared to the improved techniques of 2020, as witnessed in this video. They are getting extraordinarily accurate and virtually impossible to detect by the naked eye when done correctly. Unfortunately, researchers have been outgunned on this front even though companies like Microsoft have made strides recently. Essentially, this video needs independent verification by deepfake experts who are trained to look at this. Until then, this video is also suspect.
Mayor Giuliani allegedly has a “copy” of the hard drive, per the New York Post article. “Copy” is an interesting word to a cybersecurity professional. It is typical for a repair shop to back up the data before repairing a computer due to the liability that potentially lost data brings. However, there are many ways to do this. Did the repair shop simply copy and paste folders from the laptop to another device? Did they back up the computer using integrated technologies like Time Machine from Apple? Did they use some imaging software to essentially take a complete snapshot of the hard drive onto another device for storage while they repaired it?
Given the New York Post article’s claim that the laptop had water damage, I speculate that they would have physically extracted the hard drive from the MacBook Pro and then attached it to another computer and duplicated the drive via imaging software. An image made in this manner can be mounted and searched to retrieve information, but it can also be manipulated to insert data into it. This process can be easily done for legitimate purposes, such as fixing backup corruption; however, it could also be used to insert false information into a laptop. This would require a forensic examination of both the image and originating source to verify.
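The difference between the kinds of “copy” listed above, and why an image can only vouch for itself if its hash was recorded at acquisition, can be shown in a few lines. This is an added example, not the repair shop’s or anyone’s actual procedure; the “disk” is a constructed byte string standing in for a raw drive.

```python
"""
Added example: a forensically sound bit-for-bit image versus a file-level copy,
and how a hash recorded at acquisition exposes later changes to the image.
All data here is constructed; this is not any party's real procedure.
"""
import hashlib
import io

CHUNK = 64 * 1024  # read the source in chunks, as imaging tools do

# Constructed stand-in for a raw disk: live "file" records, unallocated space,
# and a remnant of a deleted file that only a bit-level image preserves.
CONSTRUCTED_DEVICE = (
    b"FILE:notes.txt:meeting at 10\x00" * 4
    + b"\x00" * 512                      # unallocated space
    + b"deleted-draft-remnant\x00"       # leftover from a deleted file
    + b"\x00" * 256
)


def sha256_stream(stream) -> str:
    """Hash a file-like object in chunks; return the hex digest."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire_image(device: bytes) -> dict:
    """Bit-for-bit acquisition: copy every byte of the source and record the
    hash of both source and image at acquisition time. Those two digests are
    what belongs in the chain-of-custody record."""
    src = io.BytesIO(device)
    source_sha256 = sha256_stream(src)
    src.seek(0)
    image = io.BytesIO()
    for chunk in iter(lambda: src.read(CHUNK), b""):
        image.write(chunk)
    image_bytes = image.getvalue()
    return {
        "image": image_bytes,
        "size": len(image_bytes),
        "source_sha256": source_sha256,
        "image_sha256": hashlib.sha256(image_bytes).hexdigest(),
    }


def verify_image(image: bytes, recorded_sha256: str) -> bool:
    """Later examination: the image is trustworthy only if it still hashes to
    the value written down when it was acquired."""
    return hashlib.sha256(image).hexdigest() == recorded_sha256


def file_level_copy(device: bytes) -> bytes:
    """Simulated copy/paste of files (or a backup of live files): keeps only the
    file records, so unallocated space and remnants are lost and its hash can
    never match the device hash."""
    return b"".join(
        rec + b"\x00" for rec in device.split(b"\x00") if rec.startswith(b"FILE:")
    )


def simulate_post_acquisition_change(image: bytes, offset: int, payload: bytes) -> bytes:
    """Stand-in for any edit made to an image after acquisition; used here only
    to show that the recorded hash catches it."""
    return image[:offset] + payload + image[offset + len(payload):]


if __name__ == "__main__":
    record = acquire_image(CONSTRUCTED_DEVICE)
    print("acquisition hashes match:", record["source_sha256"] == record["image_sha256"])
    print("image verifies:", verify_image(record["image"], record["image_sha256"]))
    changed = simulate_post_acquisition_change(record["image"], 8, b"XX")
    print("edited image verifies:", verify_image(changed, record["image_sha256"]))
    print("file-level copy verifies:", verify_image(file_level_copy(CONSTRUCTED_DEVICE), record["image_sha256"]))
```

The design point is that the hash is worthless unless it was computed at acquisition and kept somewhere the image’s holder cannot rewrite; a digest computed today over Giuliani’s copy proves only that the copy equals itself. Verifying such a copy means hashing the original drive and comparing, which is exactly the examination of “both the image and originating source” the paragraph above calls for.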
Considering all of the above, the only answer I have to give as a cybersecurity professional dealing with similar situations is this: I have no flipping clue… yet. There are too many gaps in the story and too many points that have no independent verification, which means a good deal of this alleged evidence is taken on faith alone. True cybersecurity professionals would never abide by this standard of proof. Time will tell one way or the other.