“Now, we have mechanisms in place where if we can root out folks who have leaked, they will suffer consequences. In some cases, it’s criminal.” He quickly added: “The notion that my White House would purposely release classified national security information is offensive. It’s wrong.”
His comments, made in June 2012, underscored the reflexive secrecy surrounding all things cyber, particularly odd in this case because the code had been spreading around the globe for two years. They also essentially forced the Justice Department to launch a leak investigation, which Attorney General Eric Holder announced around the same time. The White House chief of staff ordered all employees to preserve any notes or emails or communications with me. Since I had been covering the Obama national security team for more than three years, there were a lot of those. Soon the FBI began interviewing scores of potential witnesses. They obtained a secret warrant to get all the emails sent and received by General Hayden, the former CIA and NSA chief. And they used the CIA’s notes from my conversation with Morell to try to point the finger at General Cartwright. Why they picked him, out of the scores of officials in the United States and abroad whom I interviewed, remains a mystery to me. (At one point they came to him with highlighted lines he had used in speeches, and the syntax of paragraphs I had written, looking for commonalities. Of course, all quotations were from Cartwright’s public, on-the-record, unclassified statements.)
As Cartwright himself has since acknowledged, he made an error of judgment in agreeing to be interviewed by the FBI without a lawyer present; he said he thought they were all on the same side. When the interview with the FBI became confrontational, the complaint filed in his case reported, he became ill and was briefly hospitalized. Later, when he was indicted, it was for lying to the FBI about when and how we had met.
He was never charged with leaking any classified information. And as far as I can tell, he never did. But that crucial fact almost didn’t seem to matter.*3
The supreme irony of the Cartwright case is that the man who’d helped propel the federal government into shaping a sophisticated approach to dealing with the world’s most complex weapon was among the first victims of the paranoia about discussing that approach. The government could have responded to the disclosures about Olympic Games by embracing the revelations and reminding adversaries—Iran, Russia, and North Korea among them—that the United States could do far worse to them. It could have explained why cyber was critical to avoiding a shooting war in the Middle East. It could have used the moment to talk about what kind of global rules we should create for using cyberweapons against civilians, against commercial facilities, and against other governments.
The government did none of that. The Pentagon and the intelligence agencies were unwilling to discuss publicly how they might limit the use of cyberweapons, in times of both war and peace.
Partly that reluctance reflected the fact that the United States still believed it had a lead, if a narrowing one, in cyber technology. In the early days of the nuclear age, many officials had opposed even a discussion of arms control, arguing that there was no reason for the United States to shorten a long lead over its competitors. (The first limits on nuclear weapons happened in the early 1960s, only after the Soviets had a full arsenal, and Britain, France, and China were building them.) But the silence and obsession with secrecy may have had a deeper motivation: American intelligence services had a menu of other cyber operations brewing around the world. These ranged from classic espionage to highly destructive malware—the kind that could knock a whole country back into the analog age.
*1 A zero-day flaw is a previously unidentified software vulnerability—so named because there are zero days of notice to get it fixed before the damage is done.
*2 The reason for the delay may lie in a coincidence of timing. That first big story was published just hours before Egypt erupted into the chaos of the Tahrir Square uprising, which then occupied all the headlines, and forced President Obama into a tense effort to get President Hosni Mubarak to leave office.
*3 In 2016, Cartwright pled guilty. Obama gave him a full pardon in the last days of his presidency, even restoring his security clearances.
CHAPTER II
PANDORA’S INBOX
The science-fiction cyberwar scenario is here. That’s Nitro Zeus. But my concern, the reason I’m talking, is when you shut down a country’s power grid, it doesn’t just pop back up. It’s more like Humpty-Dumpty. And if all the king’s men can’t turn the lights back on, or filter the water for weeks, then lots of people die. And something we can do to others, they can do to us too. Is that something that we should keep quiet? Or should we talk about it?
—An NSA employee, speaking through a composite character in Zero Days
After the Russian hack of the Pentagon’s secret networks in 2008, two things seemed clear to the newly inaugurated Obama administration. First, Putin’s hackers were sure to come back. And second, America needed a full-fledged Cyber Command, far more capable than the small units spread among the army, the navy, the air force, and Cartwright’s Strategic Command. It was time for a true military organization, with its own troops, that integrated digital offense and defense.
But no one was quite sure what that digital army was supposed to look like, or how it would wage war. Politicians instantly grasped all the other battle “domains”: land, sea, air, space. They could picture conventional equipment like tanks, aircraft carriers, bombers, and satellites. But cyber, as Keith Alexander, then the head of the National Security Agency and ultimately the first commander of Cyber Command, said, “left many of them a bit mystified.”
“My grandchildren got it,” he told me. “Congress took a little longer.”
In fact, Alexander and others found themselves talking to some members of Congress who barely used computers—so it was not easy to explain how a new military force could design malware to defeat an enemy. And while Operation Olympic Games would have provided a vivid example, it was still a highly guarded secret. The operation was so compartmentalized that only a handful of key members had been briefed about its existence.
In 2009, Robert Gates, by then Obama’s secretary of defense, concluded after the Russian breach of the Pentagon’s classified networks that the creation of US Cyber Command was overdue. It formally came into existence in June, and was housed at Fort Meade—a recognition that, if it wanted to survive, this new military unit would desperately need the skills and experience of the civilian talent at the National Security Agency. Over time a plan emerged to create a 6,200-strong military force—soldiers, sailors, marines, and fliers divided into 133 “Cyber Mission Forces”—that would be spread among the services. A few offensive cyber teams were already housed at Fort Meade, quite explicitly modeled on the Special Forces Command, the favorite of every American president. But turning them into a digital fighting force would take time.
“Special Operations people are hard to find and hard to grow,” Ashton Carter told me in 2013, just before he left his post as deputy secretary of defense. But the hardest part, he added, was figuring out exactly what these new forces would be allowed to do. Every US military operation requires the sign-off of lawyers, but figuring out what was permissible under the laws of war was particularly difficult in cyberspace. (This was a uniquely American problem, one that did not slow down the Russians, the Chinese, or the North Koreans.)
“It’s things like: Are you sure that a particular action you take with an enemy’s information system will only have the consequence of disrupting, let us say, an air-defense system,” Carter asked, without shutting down hospitals or cutting off water to civilians? “You have to understand what the consequences are of your actions.”
For that reason, Carter added, “these are the kinds of [decisions] that are serious enough that they’re reserved for the president.” It was a key point: Just as only the president could order the launch of a nuclear weapon, the use of a cyberweapon was similarly limited.
The task of sorting through the rules fell to Keith Alexander, who in turn relied heavily on Paul Nakasone, his chief aide-de-camp. While Alexander was always pushing the envelope—arguing for more authority to collect data flowing into the United States, the way he had done for the digital data flowing into Iraq—Nakasone was immersed in thinking about how to organize a cyber army.
“Everyone who watched him operate—grabbing you in the hall to ask what’s going on, fluidly working across the Pentagon and Fort Meade—realized he was being groomed to lead in cyber in the future,” recalled Christopher Kirchhoff, a Pentagon aide who went on to be one of the partners in the Pentagon’s experimental technology development effort in Silicon Valley.
As it turned out, Nakasone was deeply involved in another critical operation—one of Cyber Command’s first big classified projects. It was a subset of what the Pentagon called, in its number-obsessed way, “Op Plan 1025.” This was the road map for going to war with Iran, either because negotiations over its nuclear program failed or because Iran lashed out, perhaps in response to an Israeli bombing strike.
Cyber Command’s piece of the puzzle was to contribute to an operation named Nitro Zeus. It was a plan—using cyber and other methods—to shut down the entire country, preferably without firing a shot. If Olympic Games was the cyber equivalent of a targeted drone strike on Iran, Nitro Zeus was a full-scale attack.
* * *
Paul Nakasone’s first encounter with computing was not exactly an inspirational Silicon Valley tale of discovery and invention.
“It was 1986, and I bought a PCjr,” he recalled. Nakasone was a college student at St. John’s University, a small gem of a school on a beautiful lake in a remote part of Minnesota, so remote that the ability to connect to the outside world meant everything. That little computer—with its much-derided “Chiclets” keyboard and its basic operating system—“completely fixated me,” he said. Decades later he still remembered the odd combination of commands you needed to make it work. “You know, these were the days when you had to hit ‘Control’ plus ‘7’ just to print something out. No way you could get much done. But I was hooked.”
Nakasone was the son of a Japanese-American linguist who had witnessed Pearl Harbor firsthand. During World War II, his father’s language skills solved an immediate wartime need for the government, a service that was enough to keep his family out of the internment camps that the Roosevelt administration had mandated for most Japanese-American citizens. Paul, born nearly twenty years after the war ended, was the first generation in his family to go to college in the United States.
As he tapped the keys on that PCjr in 1986, Nakasone had little inkling of how his first, brief exposure to the new world of personal computing would change his life. When he received his army commission that year, no one paid any attention to his interest in computing—and neither did he. He ran through the traditional posts given to an army career officer interested in rising to the top ranks. That meant thinking the way the army has thought for decades about how to prevent—and fight—a land war.
He did his Second Infantry Division training at Fort Carson in Colorado, followed by a posting on the last border of the Cold War: the Demilitarized Zone, where South Korean and North Korean troops stare each other down as if it were still 1952. From his perch thirty miles north of Seoul, it looked as if the North Koreans could barely make a light bulb. The country was dark.
During the 2008 invasion of Iraq, Nakasone finally got a chance to think digitally. He was part of the “Strategic Initiatives Group,” which was just beginning to utilize cyber techniques—no one had yet gotten as far as thinking about it as cyberwarfare—against Islamic extremists. There were a few experiments—infecting laptops and taking down communications lines—but nothing that would get a cyber warrior’s blood running.
“The change came in 2008,” he told me, when Gates was pushing for the creation of Cyber Command. Nakasone’s experience made him a natural to help organize the force. He seemed fluent in a language that left most of his army colleagues a bit dizzy, and more than a little suspicious about the new Pentagon catchphrase, the “digital domain.”
Like his father, Nakasone found himself constantly translating for the military—from the code-speak of programmers to the lingo of war planners. “There was the realization, between the Secretary of Defense and the Joint Chiefs, that we needed to think differently about this—to think of it as an entirely new realm of battle,” Nakasone told me. Nakasone spent a lot of time explaining that cyber didn’t supplant the normal weapons of war. Cyber conflict wasn’t separate from every other form of conflict. It would be a part of every future war, and subwar; it would be used right alongside the military’s drones and Tomahawk missiles, its F-16s and Special Forces.
But at the beginning, “we didn’t have anything,” he said. “No structure. No real mission yet. That had to change.”
* * *
For the new troops at Cyber Command, Olympic Games provided a case study in what can go right—and what can go off the rails—when the United States turns to cyberweapons.
The physical damage done by the Stuxnet worm was devastating and dramatic but not long-lasting. By most accounts, the Iranians lost about a thousand centrifuges, and out of fear of further destruction, the Iranian engineers took more offline. But after the code leaked out, they put the pieces together. It took a year of recovery and rebuilding, but they got their capacity back and ultimately installed about eighteen thousand centrifuges—more than three times the number that were installed at the time of the attack. As Iran’s foreign minister, Mohammad Javad Zarif, said to me one day in Vienna during the negotiations on the Iran deal, “In the end, what did your vaunted engineers accomplish? They made us more determined than ever to build, and build more.”
The attack’s more lasting effects were psychological, not physical. When you looked at a chart of Iran’s production of enriched uranium, Olympic Games was a blip, not a game changer; a tactical victory, not a strategic one. But it created fear inside the Iranian nuclear establishment.
“The first thing it told the Iranians is that we were way, way inside their systems,” one former Israeli official noted later. “That had to make them paranoid. Not only were we inside but we could keep coming back, anytime we wanted. In other words, they could not lock the door.
“The second effect,” the official continued, “was that we sent a message. If countries like the United States and Israel were willing to go to these lengths to stop the centrifuges, what lengths would they be willing to go to stop a bomb from being produced?”
And the third message, he said, was that the nuclear program “might be more valuable to them as a bargaining chip than as a bomb-making system.”
But as the Iranians rebuilt their program larger than before, President Obama could not count on those messages’ convincing the mullahs that it was time to go to the negotiating table to see what they could get in return for giving up their nuclear program. There was always the chance that his effort to restrain Israel would fail, and Prime Minister Benjamin Netanyahu would decide to bomb Iran’s facilities—possibly sucking the United States into another war in the Middle East. Obama needed a broader strategy, one that gave him a workable military option.
So even while Olympic Games was under way, Obama ordered up a war plan. In part that decision was driven by Gates, who made clear he was distinctly unimpressed by the quality of the administration’s thinking about what the United States would do if Iran raced for the bomb. Gates wrote a blistering memorandum to national security adviser Tom Donilon describing how woefully unprepared the United States was for “strategic surprise.”
It fell to Gen. John R. Allen, then at US Central Command—which is based in Florida and oversees the totality of US military strategy in the Middle East—to rectify that deficiency. To this day, General Allen, who went on to lead the Brookings Institution, has never spoken of his efforts there, but the end result was a comprehensive strategy to respond to a nuclear Iran. And Nakasone and Cyber Command had their own piece of that project: integrating cyberattacks with more traditional military operations.
When Nakasone and Cyber Command looked at what their digital weapons could contribute to the battle plan, they focused on the Iranian targets that they could reach by boring into the country’s networks: Iran’s air defense, its communications systems, and its power grid. Nitro Zeus would be the opening act of the war plan: turning off an entire country so fast that retaliation would have been extremely difficult. It was also, in the minds of some of its creators, a glimpse of the future. The idea was to plunge the target country into blackness and confusion from the very beginning of a conflict. That would give Israel and the United States time to bomb the many suspected nuclear sites, take pictures of how much damage was done, and if necessary bomb them again. But the hope was that Nitro Zeus would avert an all-out war, because the Iranians would, in theory, not be able to strike back. As part of the plan, Iran’s missile capability would also have been targeted—an operation whose fundamental concept would return, with a vengeance, as the North Korea crisis heated up.
So, even as President Obama was worried about the vulnerability of America’s electric grid, the United States was tunneling inside Iran’s grid—along with its cell-phone network and even the Iranian Revolutionary Guard Corps’ command-and-control systems.
The Perfect Weapon Page 6