Lights Out

Page 7

by Ted Koppel


  In Cotter’s estimation, the calibrated application of such cyber blackmail has been under way for some years, and its users extend beyond Moscow and Beijing. It would go a long way toward explaining the on-again, off-again nature of U.S. foreign policy toward Syria. According to Cotter, Syrian leader Bashar al-Assad “has a cyber operation which he routinely runs against Wall Street,” intended as a strong message to the U.S. government. These attacks tend to be relatively low-tech distributed denial-of-service attacks against American banks, floods of traffic that make a bank’s public-facing sites unreachable without actually breaching its systems, but, Cotter suggests, Assad “is demonstrating that if you unleash an attack against the Syrian armed forces, against the Syrian government, all hell will break loose” in the United States’ financial sector. Cotter believes that Syria’s sabotage capabilities have unquestionably restrained our government’s actions against Assad. “I don’t think that signal is misunderstood by the White House. I don’t think it’s misunderstood by any thinking person who understands how the cybersecurity game works.”

  Former NSA director Keith Alexander wouldn’t go so far as to link Syrian cyberattacks on Wall Street to any wavering in U.S. policy toward Damascus, but he did caution against dismissing Syria’s cyber capabilities. Those, he pointed out, have been greatly enhanced by Iran, which has dispatched its own experts to train and assist its Syrian allies.

  Iran continues to demonstrate its sophistication with widespread and near-constant applications of harassment in cyberspace. A U.S. security firm, CrowdStrike, spent much of 2014 tracking a group of Iranian hackers. Its researchers found that the hackers had the potential capability not only to spy on but also to critically damage sensitive networks in the United States, Canada, Israel, India, Qatar, Kuwait, Mexico, Pakistan, Saudi Arabia, Turkey, the United Arab Emirates, Germany, France, England, China, and South Korea. In April 2015 researchers from Norse, a cybersecurity company, and the American Enterprise Institute issued a report concluding that “Iranian hackers are trying to identify computer systems that control infrastructure in the United States, such as the electrical grid, presumably with an eye toward damaging those systems.” Among the key points in the report was that hundreds of thousands of domains registered to Iranian citizens or companies are hosted by companies in the United States, Canada, and Europe and are then used to conduct cyberattacks on America and its allies.

  Countries such as Iran and North Korea (of which more in the next chapter) cannot hope to match the United States in their ability to project conventional or nuclear force; what the Pentagon describes as “kinetic power.” Cyberattacks, however, present second- and even third-tier military powers with a fresh avenue for projecting force in the heartland of their enemies, all while enjoying that additional element of deniability.

  It requires no great feat of imagination to construct a scenario in which Tehran would deploy the most damaging weapon available against the United States. The Israelis, particularly under the leadership of Prime Minister Benjamin Netanyahu, have left little doubt as to their intentions should Iran cross the nuclear threshold. An Israeli air attack on Iran’s nuclear complex might be carried out even over adamant U.S. objections, and although there is no way to foresee Tehran’s reaction, it seems reasonable to predict that Iran would believe the United States to be complicit. Iran lags far behind the United States in the development of intercontinental ballistic missile systems. Neither its navy nor its air force would be any match for its U.S. counterparts. There are, however, at least two ways in which Iran could project a retaliatory strike against the United States itself: terrorism or cyber war.

  Certainly the United States, Russia, and China are keenly aware of how much damage an all-out cyber war would generate on all sides. That awareness seems thus far to have encouraged a measure of restraint, at least in relation to the power grid. But it has not inhibited the development of cyber weapons, and at this stage there is no realistic way of assessing how any one of the great powers would respond in the wake of a major cyberattack, especially one whose point of origin might not be quickly or reliably determinable.

  It all comes back to issues of vulnerability, access, and motive. Several cyber specialists in the military were willing to talk to me, but only on the basis of nonattribution. The Internet, one of them explained, began in a climate of innocence, useful for nothing more than “sharing professors’ good ideas.” The older systems are vulnerable because they were designed without any thought that they might come under attack. The people who designed them are themselves older, their expertise no longer relevant to the technology being built today. But if one were looking for a way to exploit that old technology, much of which is still in use, one of those older technicians could be just the person to map the route of attack. It’s a point worth considering in the context of well-funded terrorist groups looking to acquire instant cyber expertise.

  George Cotter told me that the Russian government has created a civilian corps of “largely criminal elements,” an all-star team of hackers useful because their government “can simply deny responsibility for anything that occurs,” as with the 2014 bank attacks. This is hardly the first time in the history of warfare that “sleeper” agents have been planted under cover within the homeland of a potential enemy. Arguably, though, none has ever been equipped with a weapons system as versatile, as potentially destructive, and as easy to deploy as the Internet.

  Military and intelligence experts with whom I’ve spoken are unanimous in asserting U.S. superiority in launching cyberattacks. There is similar agreement that the nation’s cyber defense capabilities are more modest. It’s a function, many believe, of operating within the constraints of a democracy. Mike Hayden, former head of the NSA and former director of the CIA, described the handicap as being denied “home field advantage.” He was referring specifically to the Fourth Amendment protections that guard the privacy of U.S. citizens. There is no denying a certain wistfulness among senior American military and intelligence officials when they discuss the constraints of the Constitution.

  8

  Independent Actors

  The bad guys are awfully good.

  — GEORGE R. COTTER

  Until May 2012 Howard Schmidt was President Obama’s White House advisor on cybersecurity. What would he say, I asked, if the president asked him directly, “Howard, is there a way we can guarantee that a cyberattack won’t knock out one of our power grids?”

  “Absolutely not,” said Schmidt.

  When I spoke to him in the summer of 2014, he and Tom Ridge, the first secretary of homeland security, were partners in a cybersecurity consulting firm in Washington, D.C. Schmidt confirmed what other specialists had been telling me: the greatest cyber threats to the U.S. infrastructure are in the hands of the Russians and the Chinese. Schmidt also echoed the assumption that China and Russia, encumbered by a network of interlocking interests with the United States, would likely be constrained from launching a full-scale cyberattack on an American power grid. Could they do it? Yes. Would they? Only in the context of an expanding crisis.

  As one moves down the capability scale of potential actors, though, a disturbing phenomenon becomes apparent. Iran, for example, presents somewhat less of a threat than China or Russia in terms of its capability but has far fewer overlapping interests with the United States. North Korea is yet several notches below Iran on the capability scale but has almost no interlocking interests with the United States and therefore even fewer restraints. In some ways most worrisome of all is the realm of individual hackers, whether independent or at least not visibly associated with a national government.

  When I asked Schmidt about independent actors, unrestrained by a network of interests with the United States, he focused initially on profit-oriented groups: “Independent actors and independent terrorist groups that contract to each other—we’ve seen coordination among those guys stealing the financial data, sharing it with another group that wants to send spam and collect all. There is much more organization from independents than there was in the past.” That’s bad news for American businesses and the U.S. economy, but it doesn’t quite rise to the level of a strategic threat against the United States.

  What about independent actors using cyberattacks to knock out one of our power grids? Are we at that point yet?

  “Simple answer,” said Schmidt, “yes. And that worries me as much as a nation-state using an aggressive move for whatever reason.”

  George Cotter also sees a growing level of sophistication among criminal organizations, terrorist groups, and so-called hacktivists (political activists who use the Internet, such as the group Anonymous). “I believe,” said Cotter, “it is literally possible for a hacktivist group, well trained and well motivated, to take down major portions of the grid without the industry being able to stop it.”

  In a rapidly changing world, we are obliged to consider certain harsh realities. Whatever conditions may constrain some nation-states from launching a genuinely crippling cyberattack do not apply to an outlaw state such as North Korea or to a growing number of criminal or terrorist organizations. What distinguishes the terrorist organizations from the nation-states can be summarized in two words: goals and consequences. The actions of nation-states, unless and until they are at war, do not have a simple goal of destruction. Even if the Russian government is behind some of the anonymous cyberattacks targeting the United States, its motivations likely run the gamut from intelligence gathering to sending a warning signal. As we’ve seen, nation-states are restrained by an understanding of networked interests and likely consequences.

  An independent actor such as Al Qaeda or ISIS, in contrast, has as its immediate goals inflicting pain and instilling terror. These groups are, if anything, trying to provoke violent reaction from their enemies. To the degree that such groups have been inhibited from using weapons of mass destruction, it has been due to the difficulties in acquiring and deploying them. Cyber warfare employs a wide-open battlefield with multiple points of vulnerability, an easily accessible weapons system, and legions of experts available for hire. ISIS, for example, has the money (it is believed to have accumulated more than $2 billion in assets), and it has the motive. It is not yet clear whether it has found the experts. But in the opinion of the NSA’s former chief scientist George Cotter, “if ISIS can recruit a trainable, competent cyber army, then what they need to develop is available for a price in the black market.”

  General Lloyd Austin III is the commander of United States Central Command (CENTCOM), responsible for the twenty-country area of responsibility (AOR) consisting of Iraq, Syria, Afghanistan, Pakistan, Iran, Egypt, Lebanon, Yemen, Jordan, Qatar, Kuwait, Bahrain, Saudi Arabia, the United Arab Emirates, Kazakhstan, Kyrgyzstan, Oman, Tajikistan, Turkmenistan, and Uzbekistan. If there is a likely breeding ground for a terrorist attack against the United States, it can be found somewhere on CENTCOM’s operational map. Austin cites the growing divide between the Shia and Sunni branches of Islam, the tensions between moderate and radical Islamists, and the “youth bulge,” the group of educated, unemployed, and disenfranchised young people who are prime candidates for recruitment by extremist organizations. These, fueled by widespread anti-American and anti-Western sentiments, constitute a foundation to the growing threat against vital U.S. interests. It is precisely among young, educated radicals, warns Austin, that a new generation of cyber warriors will be recruited.

  And then there is North Korea, which straddles categories: a nation-state with the instincts of a terrorist organization. Sources within the U.S. military’s Cyber Command told me that the North Koreans, while less advanced than the Iranians, are well along in their development of cyber war capabilities, due in no small part to instruction by the Chinese and Russians.

  The volatile mixture of a rogue state, uniquely isolated, with an unpredictable leadership emerged in bizarre fashion during the waning months of 2014. The cyberattack on Sony Pictures Entertainment became an awkward case study of America’s commitment to the First Amendment. It will, in time, be seen as a dangerous escalation in cyber warfare—recognized as such at the time by President Obama, but widely misunderstood by a distracted public.

  A Hollywood film, The Interview, applied a broad brush of locker room humor to the most isolated nation on earth and its brutal and unpredictable ruler, Kim Jong Un. In what appeared to be an act of retaliation directed by North Korea, hackers took the film’s production company, Sony Pictures Entertainment, offline. That’s a benign way of saying that Sony was publicly humiliated and, for a period of months, had its corporate computer system rendered inoperable. The hackers dumped onto the Internet five Sony films that were due for first-run theater release. Privileged information—executive and superstar compensation packages, medical records, budgets—was made public, as was a trove of silly texts and emails that perhaps shouldn’t have been sent in the first place. That was, the hackers suggested, merely an appetizer. They claimed to have a hundred terabytes of Sony data. In what may have been the most unheeded advice since Lot’s wife ventured a final glance back at Sodom, Michael Lynton, Sony Pictures Entertainment’s CEO, urged his employees not to read the waves of pirated emails, because it would cause them to turn on one another, damaging relationships.

  The North Korean government denied any involvement in the hacking attack, even as someone speaking in the voice of the attackers warned of dire, 9/11-type consequences if Sony actually released The Interview. That was enough for the four largest theater chains in the United States, which announced that they would not carry the film. Sony initially followed suit, canceling release of The Interview, only to be roundly condemned by some of Hollywood’s biggest stars and, more significantly, by the president of the United States himself for failing to uphold freedom of speech. During his final news conference of 2014, President Obama expressed disappointment that Sony executives had not sought his opinion. “We cannot,” said the president, “have a dictator imposing censorship in the U.S.”

  The New York Times and the Wall Street Journal ran lengthy investigations, citing the FBI and laying the blame squarely on North Korea. The Times suggested that digital techniques were used to steal the credentials and passwords from a systems administrator who had maximum access to Sony’s computer systems. The Journal’s version reported that while Sony had installed no fewer than forty-two specialized computers designed to keep hackers out, in another example of human error trumping technology one of these so-called firewalls apparently went unmonitored when Sony shifted from an outside company to an in-house team.

  With the ultimate release of The Interview in about three hundred theaters and news that a digital blackout had effectively, if temporarily, wiped out North Korean access to the Internet, it appeared that justice of some sort had been served. The new year dawned, and public appetite for the story waned.

  The national import of the attack on Sony is hardly in the past, however. It highlighted a number of threats and vulnerabilities that had already preoccupied Obama’s national security team and which are destined to plague future administrations. As damaging as the cyberattack on Sony may have been, it never constituted an obvious threat to national security. If, however, a skilled team of hackers can disrupt a large corporation in the entertainment field, what’s to prevent them from launching equally devastating attacks on American infrastructure? It is not that Sony was unprepared or unprotected. The forty-two firewalls cited by the Wall Street Journal were designed to protect the company against precisely the sort of attack that took down its computer system. This raises questions about the vulnerability of smaller, less profitable corporations with fewer resources than Sony (or JP Morgan Chase, or Target) to spend on cybersecurity. It’s a point that former NSA director Keith Alexander emphasizes with particular reference to the hundreds of electric power companies that are simply unable to afford the best cybersecurity, while remaining connected to the same grid as the companies that can.

  President Obama also recognized the significance of this attack in particular. While he addressed the issue in the context of supporting a film’s right to be seen, his message went far beyond defending freedom of speech. The president took what appeared to be an isolated assault on a private corporation and raised it to the level of an attack on the national interest. This, he made clear, was not merely cyber theft, nor was it intelligence gathering. What had been inflicted on Sony Pictures was an attempt at cyber blackmail. In pledging that the United States would, at a time of its choosing, “respond proportionately” against North Korea, Obama struck the posture of a leader sending an unambiguous message to his counterparts around the world. North Korea had come dangerously close to crossing a red line. Just as U.S. policy precludes paying ransom to or negotiating with terrorists holding an American citizen hostage, the president was defining America’s position toward blackmail carried out in cyberspace: no deals, guaranteed retaliation. After all, what had been applied to an entertainment company could be deployed against vital U.S. interests.

  Warning of consequences, though, is one thing; delivery is another. What is most dangerous about Pyongyang and its mercurial leadership is not only its unpredictability but also its degree of immunity to cyberattack. North Korea has so much less to lose in a high-stakes cyber war than the cyber-dependent United States; it is neither easy nor particularly effective to isolate a hermit kingdom. The concern that President Obama expressed a few years back to his aides about the vulnerability of the U.S. infrastructure and America’s dependence on computer systems applies inversely to North Korea. As of late 2014, the total number of Internet protocol addresses in North Korea was estimated at 1,024—“fewer than many city blocks in New York,” the New York Times observed. Satellite photographs of the Korean peninsula at night speak volumes: South Korea is ablaze in light, while north of the demilitarized zone at Panmunjom is a nation almost entirely plunged in darkness. There is not much infrastructure to target in North Korea.
