The Perfect Weapon
Page 7
“This was pretty mind blowing to me,” one former official said. “Here we were, going to work every day behind sealed doors, essentially trying to figure out if it was possible to cripple an entire nation’s infrastructure without ever firing a shot or dropping a bomb. So we littered Iran’s networks with malware,” he said, a reference to the process of placing implants in key strategic systems that could, later on, be used to inject destructive code or simply turn the networks off.
“The hard part was keeping track of all of it,” he said.
Keeping track was tricky business because networks always change—and because there was no way to test Iran’s vulnerabilities in field conditions. So Nakasone and the thousands of people at work on Nitro Zeus resorted to tabletop exercises, simulations of an attack. They tested and retested on a virtual model of Iran’s networks to make sure that the implants were not visible to the Iranians and that collateral damage was limited.
And they created answers from scratch to a series of questions: How do you take down the grid and keep it down? How about the air defenses? If the Iranians try to retaliate, how do you make sure they never get off the ground?
“This was an enormous, and enormously complex, program,” the former official said. “Before it was developed, the US had never assembled a combined cyber and kinetic attack plan on this scale.”
For the United States’ cyber warriors, Nitro Zeus was a turning point. It exposed many of the tensions between the National Security Agency—which possessed most of the talent needed to pull off the attack—and the military’s newly created US Cyber Command. On paper, the two organizations were complementary. In reality, they had a constant series of spats, typical of arranged marriages, in which the NSA’s talent looked down on Cyber Command, and the military unit regarded the NSA as a bunch of arrogant civilians who never needed to complete a military mission.
It was a conflict that would play out time and again. The NSA invested huge resources into getting inside foreign systems, hiding its malware in hard-to-find corners, and checking in on it regularly. Cyber Command usually wanted to grab those implants to conduct attacks—thus revealing their location. “This was the endless squabble,” one former member of the NSA said. “It was the difference between intelligence officers, who are in this for the long term, and military officers, who are paid to plan for attacks.”
But the most fascinating element of Nitro Zeus might have been not its technical complexity but rather its geopolitical implications. Olympic Games was an intelligence agency–led operation designed to help force Iran to the negotiating table; Nitro Zeus was a military plan, intended to unplug Tehran if diplomacy failed. They both involved cyberweapons but for very different strategic goals.
Taken together, though, the two secret cyber programs suggest how seriously the Obama administration was contemplating the cost of diplomatic failure, and the very real possibility that the US could have found itself in an open conflict with Iran. In the minds of the war planners, that outbreak could have been triggered by something completely out of American control—particularly a decision by Netanyahu to strike Iran’s nuclear facilities. “There were many moments when I thought Bibi was on the brink of doing exactly that,” Ehud Barak, the former Israeli defense minister and prime minister, told me years later. “And the only question in our mind was, ‘If we do it, is the US behind us?’ ” Nitro Zeus gave America an opportunity to stick with an ally, if necessary, but without committing ground troops, a payoff that had become the holy grail of American power in recent years.
“Nothing else compared to this mission,” one insider said later to my colleague Javier Botero. “It was just a huge, expensive undertaking, beyond the reach of anyone but a few nation-states.” But apart from the potential implications for Tehran, Nitro Zeus demonstrated the degree to which, in a few short years, Nakasone and his colleagues had transformed America’s cyber operations from surveillance tools to vital weapons in the country’s arsenal.
* * *
A plan as big and destructive as Nitro Zeus required the United States to contemplate doing things to Iran’s infrastructure that—were they done to us—would be considered an act of war. And the preparations had to be conducted in a way that would not be detected by the Iranians, who would look at the implants in their network and conclude, quite reasonably, that whoever put them there was planning a preemptive attack on their country.
When the US mounted such an operation, the Pentagon called it “preparing the battlefield,” and described the moves—if spoken about at all—as a prudent step in case war breaks out. But when the same kind of implants were discovered in American systems, the US was outraged—understandably—and assumed the worst.
“We have seen nation-states spending a lot of time and a lot of effort to try to gain access to the power structure within the United States, to other critical infrastructure, and you have to ask yourself why,” said Adm. Rogers, the director of the NSA and the head of Cyber Command until the spring of 2018. “It’s because in my mind they are doing this with a purpose, doing this as a way to generate options and capabilities for themselves should they decide that they want to potentially do something.”
This, of course, is exactly what we were doing to Iran.
That approach worked in part because Iran was a highly unusual target. The country had so much on the line—global oil sales, investment in the country’s broken infrastructure, the ambitions of young Iranians who wanted visas stamped in their passports—that the nuclear program suddenly became negotiable when American and Israeli cyberattacks, combined with sanctions, triggered heated debate in Tehran over whether the country would be stronger as an independent nuclear power or as a major player in the global economy.
The Iranians did not know about Nitro Zeus, although after Stuxnet got loose and Olympic Games was exposed they may have suspected something like it was in the works. But what they did know about American cyberattacks prompted, in combination with the decision to halt their nuclear program, an incredibly foreseeable response: Iran started building a cyber army of its own.
Indeed, while Paul Nakasone’s team at Cyber Command burned the candle at both ends preparing Nitro Zeus, the Iranians were already preparing to strike back for Stuxnet. In terms of firepower, their volley would pack little punch compared to the US government’s comprehensive plans to shut down their country. Yet, even with their limited cyber capability, the Iranians would expose a difficult truth about cyber conflict, one that Obama would grapple with but never know how to counter: The calculus of offense was inextricably wedded with that of defense. And defending the United States—with its sprawling financial systems, stock markets, utilities, and communications networks, all in private hands—was next to impossible.
* * *
When I was a kid growing up in the suburbs of New York, we all knew the Bowman Avenue Dam in Rye. It looked more like a toy dam than a real one—twenty feet high, with a single gate. Fed by Blind Brook, it was mostly empty, and thus a great place to clamber around after school. It was also the kind of place your parents probably didn’t want you hanging around, for fear you would fall and break something.
I don’t think I saw or thought about the dam between junior high school and the day that John Carlin, who headed the national security division of the Justice Department, called me in early 2016. He had just unsealed the indictment of a number of Iranians, with apparent ties to the country’s intelligence services, for breaking into Bowman Avenue Dam’s command-and-control system in 2013, in what the federal government darkly suggested might be an effort to unleash the water behind the dam to flood a section of New York.
“John,” I told him, “I doubt there is enough water in that dam to flood a basement.” The idea that this dam even had a command-and-control system was a stretch; my recollection was that the sluice was opened and closed by a big, long bar that was mostly rusted shut. While it was later put under computer control, this wasn’t exactly the Hoover Dam.
It turned out that the Bowman Avenue Dam was a mistake for the Iranian hackers; they must have had something like Hoover in mind, and missed. Or maybe it was simply a demonstration of their powers. “The most likely conclusion is that it was a warning shot,” Sen. Chuck Schumer, the Democrat from New York, said to me the day of the indictment. The message was, “Don’t pick on us, because we can pick on you.”
Schumer went on to say that the lesson from this case was “not that we should not employ cyberweapons, but that we should be able to protect ourselves.”
If Schumer was right about the retaliatory nature of the strike, it was an interesting insight into one predictable result of Olympic Games. The decision by the United States to make use of a cyberweapon gave the mullahs and the Iranian Revolutionary Guard Corps an excuse to do something they desperately wanted to do anyway: find a pretext for attacking the United States and its allies. To save their pride, if nothing else, they needed to prove they could reach deep inside America’s infrastructure and the infrastructure of its allies.
In the summer of 2010, the Iranians publicly announced the creation of a cybercorps to counter the growing US Cyber Command. For historians of the Cold War, this development had a familiar ring: we deployed nuclear weapons, and then the Soviets did; we created bureaucratic structures around those weapons, and then they did.
Following this pattern, after Olympic Games was exposed in 2011, Iranian hackers began targeting roughly four dozen American financial institutions—including JPMorgan Chase, Bank of America, Capital One, PNC Bank, and the New York Stock Exchange. These were not especially creative attacks. Mostly, they were what the government called “distributed denial of service” attacks, often referred to as DDoS attacks, which overwhelm their target with coordinated computer requests from thousands of machines around the world. The targeted networks were never designed to take that kind of volume, and they often crashed, knocking them and any operations that relied on them out of service. Banks were paralyzed. Customers were frozen out of online banking. A group that called itself the Izz ad-Din al-Qassam Cyber Fighters conveniently claimed responsibility.
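The sentence above describes the volumetric pattern behind the bank attacks: not a clever exploit, but more requests than the service was sized for, arriving from thousands of sources at once. The following is an added example (not from the book, and not any bank's actual detection logic) of the rate-based check a defender's operations team would run over access logs to spot that pattern. The log format, the ten-second window, the 1,000-requests-per-window threshold, and the cutoff of twenty distinct sources are all assumptions; the sample log is constructed inline. The point the example adds is the distinction the narrative only implies: a burst from one client can be blocked at that address, whereas a flood spread across many sources has to be absorbed or scrubbed upstream.

```python
"""Rate-based detector for the volumetric DDoS pattern described above.

Added example, not from the book. Log format and thresholds are assumptions:
each line is "<client-ip> [<epoch-seconds>] <method> <path>".
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ip>[\d.]+) \[(?P<ts>\d+)\] (?P<method>[A-Z]+) (?P<path>\S+)$"
)

WINDOW_SECONDS = 10            # aggregation window (assumption)
FLOOD_THRESHOLD = 1000         # requests per window that saturate the service (assumption)
DISTRIBUTED_MIN_SOURCES = 20   # distinct IPs before a flood counts as distributed (assumption)


def parse_line(line):
    """Return (ip, timestamp, path) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), int(m.group("ts")), m.group("path")


def bucket_by_window(lines, window=WINDOW_SECONDS):
    """Group requests into fixed windows: {window_start: Counter(ip -> count)}.
    Unparsable lines are skipped rather than crashing the detector."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        buckets[ts - ts % window][ip] += 1
    return buckets


def classify_window(counter, flood=FLOOD_THRESHOLD, min_sources=DISTRIBUTED_MIN_SOURCES):
    """Verdict for one window: volume first, then how spread out the sources are."""
    total = sum(counter.values())
    if total < flood:
        return "normal"
    if len(counter) >= min_sources:
        return "distributed-flood"      # many sources: per-IP blocking will not help
    return "single-source-burst"        # one or few sources: rate-limit or block them


def detect(lines):
    """Map each window start to its verdict, in time order."""
    return {start: classify_window(c)
            for start, c in sorted(bucket_by_window(lines).items())}


def constructed_log():
    """Constructed sample: quiet traffic, then a botnet-style flood, then one noisy client."""
    lines = []
    # t=0..9: three ordinary clients, 30 requests total
    for t in range(10):
        for ip in ("198.51.100.5", "198.51.100.6", "198.51.100.7"):
            lines.append(f"{ip} [{t}] GET /accounts")
    # t=10..19: 50 distinct sources, 40 requests each -> 2000 requests in one window
    for i in range(50):
        for k in range(40):
            lines.append(f"203.0.113.{i + 1} [{10 + k % 10}] GET /login")
    # t=20..29: a single source sending 1200 requests -> same volume, blockable at one IP
    for k in range(1200):
        lines.append(f"192.0.2.99 [{20 + k % 10}] GET /login")
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    for start, verdict in detect(constructed_log()).items():
        print(f"window {start:>3}-{start + WINDOW_SECONDS - 1}: {verdict}")
```

In practice the thresholds would be derived from the service's measured capacity and baseline, and the source count would be compared against normal diversity for the site rather than a fixed number; the structure of the check, volume first and then source spread, is what determines whether the response is a firewall rule or a call to the upstream provider.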
Nothing about the attack was very sophisticated. “It’s primitive; it’s not top of the line,” James Lewis, the expert on nation-state hacking at the Center for Strategic and International Studies, said at the time. “But it’s good enough and they are committed.”
With their customers outraged, the banks needed to offer some kind of response, but they quickly found themselves caught up in a central conundrum of American cyber conflict. While Washington urged companies to be more transparent about attacks, high-priced lawyers and security experts offered the opposite advice. Admitting you are a target, they said, just encourages more attacks—and opens companies to liability suits. And for financial institutions trying to convince customers to keep their money there, it was plain old embarrassing. (As seen time and again, even the federal government rarely follows its own advice when its institutions suffer major breaches.)
Most of the targeted financial institutions decided it was better to shut up than to admit the existence of the attacks. JPMorgan Chase, which had openly acknowledged previous denial-of-service attacks, determined this one was so large that it was better to say nothing. Their customers were left in the dark.
The banks weren’t the only ones twisted into knots by the problem of what to say. In fact, as the Iranian bank attacks unspooled, the Obama administration struggled to respond. They couldn’t simply stay quiet in the face of news that someone was attacking the financial system, yet they were hesitant to elevate the problem to one of national security. While still publicly refusing to say who was behind the attacks, administration officials began inviting bank executives to the White House for emergency briefings. Then they struggled to figure out what this attack actually was. Vandalism? An act of war? Something in between?
In the Situation Room, there were basically two groups of people, one official familiar with the debate recalled. “There were those who said this is the equivalent of an Iranian submarine coming off the coast and launching something.” That was the position of some members of the Joint Chiefs, and of some in the intelligence community. “And there were those who said no, it isn’t—it’s the equivalent of a bunch of Iranians driving down the middle of the street playing a lot of loud music and generally being obnoxious. And you don’t shoot at kids who are being obnoxious.”
One intelligence official who was involved in the administration’s debate admitted there was a lot of distance between those two arguments, explaining: “It was neither one. And this is the problem with our analogies from cyber to the physical world, because…it was the kind of attack that undermines the confidence in the banking system of the world’s largest economy.”
“You can’t be in the position of letting someone mess with your banking system,” the official went on to explain, “even in a minor way, because the next time it won’t be so minor. And that’s how you head toward financial chaos.”
The Iranians may have done the banks a favor. After the attacks, several officials noted, the financial industry spent billions of dollars building the best cyber protections in any corner of the American private sector.
Still, the bank attacks triggered a familiar debate in Washington: If the United States ever had to strike back, how would it do it? It wasn’t an easy question, because the attacks weren’t coming out of Tehran; rather, they were coming from servers located in other countries. “When Iran hit our banks, we could have shut down their botnet, but the State Department got nervous because the servers weren’t actually in Iran,” one former official said later. “So until there was a diplomatic solution, Obama let the private sector deal with the problem.”
In fact, Obama was concerned that if the United States came to the rescue of the banks, it would give them little incentive to build their own defenses. At the same time, the White House felt it had to hide the evidence that Iranians were behind the attacks. So that central fact was immediately classified. Congressional staff members were shuttled into secure conference rooms before being told that Iran was the certain culprit, but they were cautioned not to reveal this attribution in public. Of course, as one member of Congress said to me, revealing who was responsible would force a discussion of what the administration was going to do about the attacks. And there were plenty of reasons for the administration’s inaction.
It was a ridiculous effort; the secret couldn’t last for long. The banks needed to know who had hacked them, and private security teams were beginning to identify the culprits. The government’s refusal to say anything about who was behind the attacks only made Washington seem clueless when in fact it knew the answer.
* * *
What the hackers were inflicting on American financial institutions, however, was child’s play compared to the simultaneous attacks they were launching on rivals closer to home. In midsummer 2012, roughly a year into their active cyber campaign against American banks, Iranians struck Saudi Arabia: their greatest adversary, America’s gas station, and the country whose king had suggested to the United States that the way to deal with Iran was to “cut off the head of the snake.”
Hackers found an easy target in Saudi Aramco, Saudi Arabia’s state-owned oil company and one of the world’s most valuable companies. That August, during Ramadan when the Iranians knew most of Saudi Aramco’s workers would be away, their hackers wreaked havoc, flipping a kill switch that unleashed a simple wiper virus onto 30,000 Aramco computers and 10,000 servers. Screens went black, and files disappeared. On some computers there appeared a partial image of a burning American flag. In their panic, Saudi technicians ripped the cables out of their computer servers and physically unplugged Aramco offices around the world.
Oil production was not affected. But everything surrounding it was, from the purchases of supplies to the coordination of shipping. For a while, Saudi Aramco couldn’t connect with the Saudi Ministry of Energy, with oil rigs, or with the giant Kharg Island oil terminal, through which the Saudis ship much of their crude production. There was no corporate email and the phones were dead.
This was a milestone hack; rather than merely using cyberattacks to disrupt service, Iranian hackers had just shown they could use malware to destroy data and render machines unusable, damage that could only be undone by replacing hardware. The wiper software, called “Shamoon,” became a model for other countries seeking to conduct attacks for the next few years. While the early evidence suggested the Iranians had simply hacked in, American intelligence agencies quickly concluded that an insider at Saudi Aramco had helped—someone with pretty unfettered access to the oil firm’s networks. The Saudis ended up scrapping their infected computers. By one count they bought 50,000 hard drives—basically cornering the world supply—to get back running. It took five months to undo the damage.
* * *
In hindsight the Iranian counterattacks, from Saudi Arabia to Wall Street to the decrepit Bowman Avenue Dam, were more than just tit-for-tat. They were our first look at what low-level, never-ending cyber conflict looks like.
Like the skirmishes at the DMZ and in East Berlin during the Cold War, these attacks did not seem likely to escalate into a broader war. Instead, everyone hewed to the unspoken rules about keeping the cyber conflict just below the line that could trigger armed conflict. The US went for what the Iranians valued most—their nuclear program—and Iran went for what America valued most: its financial markets, its access to oil, and its sense of control over its own infrastructure. There was disruption and signal-sending. But no one got killed.
“We spent a lot of time on the Saudi Aramco hack, and the Iranian use of cyber in general,” said one senior intelligence officer who had spent a career studying the Middle East. “You have to think of their pyramid of weapons.” He formed his thumbs and forefingers to illustrate—showing the three sides of a triangle. “We’re used to thinking nuclear on top, then bioweapons, then maybe chemical weapons and just ordinary firearms. But they’ve put cyber on the top—above all of that.”