It also took advantage of a technological perfect storm. Just as the Russian effort was ramping up, companies like Facebook were making changes that played right into Moscow’s hands. Facebook’s conscious transition to becoming one of the world’s leading global news delivery systems, and tailoring that news to the tastes of each recipient, meshed beautifully with Russia’s desire to accentuate the divisions in American society. Worse yet, Facebook (and Twitter) put far too little energy into understanding how their systems were being hijacked by young Russian trolls and bot makers who knew how to take advantage of the algorithms that made the systems work. It is impossible to know whether the Russian campaign succeeded in changing hearts and minds. Yet the truth remains that the tech firms who were so repelled by Donald Trump invented a system that may have helped elect him.
Without question, the Russian decision to move from an espionage operation aimed at disrupting the election to an effort to put Donald Trump in office propelled the country into an entirely new place. We now think about the effects of cyberattacks entirely differently. Just five years before, our worry was China’s theft of intellectual property. Then came North Korea’s efforts at revenge, and Iran’s threats to the financial system.
But the Russian attacks exposed more than the Obama administration’s lack of a playbook for cyber conflict, despite years of ever-escalating, ever-more-ingenious attacks. Russia’s multifaceted, Gerasimov-inspired approach underscored the administration’s failure to anticipate that cyberattacks can be used to undermine more than banks, databases, and electrical grids—they can be used to fray the civic threads that hold together democracy itself.
CHAPTER XI
THREE CRISES IN THE VALLEY
If you had asked me, when I got started with Facebook, if one of the central things I’d need to work on now is preventing governments from interfering in each other’s elections, there’s no way I thought that’s what I’d be doing, if we talked in 2004 in my dorm room.
—Mark Zuckerberg, on the use and abuse of Facebook data in the presidential elections, March 2018
The suicide bomb went off outside the Stade de France in Saint-Denis at 9:20 p.m. on November 13, 2015, the first of three. Nine minutes later, shootings began on the streets of Paris, triggering panic among diners, who raced to the backs of restaurants, trying to avoid becoming the latest victims of ISIS.
Twenty minutes after the first attack, the shooters entered the nearby Bataclan music hall as the song “Kiss the Devil” poured through its speakers. A few people in the back heard the shout of “Allahu Akbar.” And the gunfire broke out. First from the mezzanine level, then from the aisles, as the shooters walked up and down, firing at anyone still moving. By the time the siege of Paris ended, a little after midnight, 130 people had died, two-thirds of them trapped in the killing zone of the theater.
What happened next was predictable: the claim of responsibility by ISIS, the recriminations over who let jihadists move freely across the passport-free borders of France and Belgium, President François Hollande’s vow to “be unforgiving with the barbarians from Daesh.” But then came a fascinating, and very quiet, battlefield partnership between Facebook, the FBI, and the French authorities to hunt down the rest of the ISIS cell.
As the bodies of some of the nine terrorists were photographed, the police turned to Facebook for help in identifying them and their friends around Europe and the world. They were looking for ISIS members who had helped prepare for the attacks or who were readying future attacks. It quickly became clear that several of the terrorists had multiple Facebook accounts that reflected their split lives. Some showed normal European lifestyles, while others, under noms de guerre, portrayed lives of struggle against the West. The French and the FBI obtained court orders within minutes or hours, issued by judges in New York standing by to help. Facebook could then legally share data on the suspected terrorists. It turned over a treasure trove of links between the accounts and specific cell-phone numbers. In some cases the police even had IP addresses from the last places the terrorists had signed into their accounts.
“Once we had a cell-phone number,” said one of the people involved in the investigation, “the game was over.”
French and Belgian police, with the help of European intelligence agencies and the National Counterterrorism Center back in Virginia, began to triangulate where the attackers were holed up. By November 15, the police were raiding hundreds of locations. A few days later they engaged in a gun battle with ISIS in Saint-Denis. More raids in Belgium followed.
At first glance, the speed and success of the manhunt provided vivid evidence of how social media, when smartly harvested, could be turned against the terror organizations that used the same tools to recruit, organize, and communicate. The connections drawn so quickly from the Facebook community of ISIS supporters helped to dismantle the cell’s support structure. No one will ever know how many lives that swift action saved.
But, of course, the lesson of the Paris attack is more complicated. The only issue that animated the Europeans more than hunting down ISIS members in their midst was the competing instinct to protect the privacy of their citizens from Internet behemoths like Facebook. Not long after the attack, Facebook executives met with EU officials about new rules going into effect to protect the privacy of European citizens—rules that limited the kind of information that social-media companies and cloud-storage providers can retain. When the executives reviewed the list of what they could no longer keep, they warned the EU representatives that this was just the kind of data—phone numbers and IP addresses—that had enabled them to help the police track down the Paris attackers. If they could not retain it, they could not help when the next attack happened.
“They didn’t care,” one of the Facebook executives told me. “They said that’s a problem for the intelligence agencies, not the regulators. And the two clearly weren’t talking to each other.”
* * *
—
If there is one lesson that emerged from years of trying to find, follow, and disrupt terrorists, it is that the same countries that figured out how to destroy centrifuges from afar and disrupt power grids and missile systems were stymied by how to deal with what has come to be called “weaponized social media.” The term itself is a subject of debate. Is a recruiting message that contains a call-to-arms a weaponization of social media, or is it merely what used to be called propaganda, just distributed more quickly and widely? What about a beheading video meant to instill fear, or far more subtle messages of the kind Putin used to widen social and religious divides?
Given the billions of dollars that governments spend to build offensive cyber forces, and the resources that technology companies devote to protecting their platforms from becoming digital havens for jihadis, it would seem easy to predict quick, satisfying victories in the cyber battle against bands of ill-funded terrorists. The reverse turns out to be true. “It’s the hardest fight we face,” one senior military official told me. Blow up a safe house in Pakistan or a missile base in Syria, and the result is rubble. Aim at the servers sending out beheading videos or recruiting messages, and the videos and messages just reappear elsewhere a few days later.
“It’s almost never as cool as getting into a system and thinking you’ll see things disappear for good,” said Joshua Geltzer, the senior director for counterterrorism at the National Security Council under Obama. By the time Obama left office, the question of whether Cyber Command had pursued ISIS with enough vigor became so fraught that there was a movement inside the Obama administration to fire Adm. Rogers.
But while Washington was struggling to understand how to go on the offense against groups that were using social media as a way to organize attacks, Silicon Valley was still unable or unwilling to face the extent of the problem. For years the world’s most brilliant technologists convinced themselves that once they connected the world, a truer, global democrac
y would emerge. They rejoiced when Twitter and WhatsApp made the Arab Spring possible, and were convinced they had built the weapon that would tear down autocrats and beget new, more transparent democracies.
But over time a harsher truth has emerged. Those same networks became ISIS’s most potent tool. They were exploited by Russian trolls and the political targeteers at Cambridge Analytica to manipulate voters. And the subsequent call for a new kind of cyberspace—where we understand the real identities of everyone we are dealing with on the web—delighted the Chinese and the Russians. What better way to hunt down dissidents and doubters, and break up the political opposition?
Meanwhile, the tech companies became gradually aware of another international threat to their future: China’s carefully laid-out plan to become the world’s dominant economic and technological power by 2049, the hundredth anniversary of Mao’s revolution. To accomplish this goal, Beijing developed a new strategy—one in which Chinese investors, rather than the venture capitalists of Sand Hill Road, were quietly becoming a critical source of cash for a range of new start-ups.
Suddenly, the valley’s billionaires discovered they needed something that they had never really thought about before: a foreign policy.
* * *
—
In the spring of 2016, under pressure to reverse the Islamic State’s expansion in Syria and Iraq, the Pentagon announced for the first time that it was declaring cyberwar on a foreign entity.
“We are dropping cyber bombs,” Robert Work, the usually staid deputy secretary of defense, told reporters in a bit of hyperbole that raised the eyebrows of his Pentagon colleagues. “We have never done that before.”
They had, of course, but without announcing it publicly. The job had been handed to Gen. Paul Nakasone, who after Nitro Zeus had moved on to run the army’s cyber operations and was already rumored to be in line as the next head of the NSA and Cyber Command. Soon, “Joint Task Force Ares”—a combination of forces designed to go after ISIS networks—was created in Florida at Central Command, which directs American military operations in the Middle East. Cyber Command mission teams poured into MacDill Air Force Base and other Central Command posts, joining up with the more traditional military units that were operating against ISIS.
The goal of the new campaign, I was told in a series of briefings, was to disrupt the Islamic State’s ability to spread its message, attract new adherents, circulate orders from commanders, and carry out day-to-day functions, including paying its fighters. Even Obama entered the fray, emerging from a lengthy meeting at the CIA about operations against the Islamic State and declaring, as part of a description of the strategy, that “our cyber operations are disrupting their command-and-control and communications.” Clearly the administration went public for only one reason: to rattle ISIS commanders and increase their paranoia that someone was inside their communications and perhaps manipulating their data. The theory was that potential recruits would be deterred if they began to worry about the security of their communications.
But while these pronouncements sounded impressive, the results were not. Obama’s top aides were growing increasingly impatient about how slowly Cyber Command was finding all the dark corners of the Internet where ISIS was hiding its digital caches of recruiting and training material, and how quickly it all resurfaced when knocked out. “The Internet is a big place,” James Clapper told me, “and ISIS is very astute and sophisticated about how they used it,” often stashing their materials in the cloud via servers located in Germany and elsewhere.
No one was more impatient with the pace of progress than Ashton B. Carter, the tech-savvy defense secretary, who was pouring his all into an ISIS strategy. Carter was a physicist and had been a major force in pushing the Pentagon to develop far greater cyber capabilities and the doctrine to match. But he had diminishing patience for Rogers, who he thought was not putting enough resources or creativity into the problem of knocking the terror group offline—and keeping them offline.
“Ash was holding meetings every few weeks, even traveling out to Fort Meade, pounding on them to do more,” one senior official involved in the tense standoff told me. By the summer of 2016, the tension between Carter and Rogers had grown so intense that the defense secretary was looking to replace him—chiefly because of the continued leaks of cyberweapons from inside the NSA’s Tailored Access Operations Unit, but also because of the lack of progress in the digital war against ISIS. Clapper concurred, Pentagon and intelligence officials say, but lacked Carter’s enthusiasm.
“It was debated,” a top White House official told me later about the movement to replace Rogers. “But we concluded time was so short we probably couldn’t even get his replacement through.”
Carter kept pressing to take ISIS offline, and after many delays the last big cyber operation of the Obama years began three months behind schedule—in November 2016, just as questions about Russia and its election influence were dominating the post-election headlines. “Operation Glowing Symphony,” as it was code-named, would be the largest cyber effort against ISIS and one of the last big cyber operations that Obama approved in the Situation Room.
The idea was to combine the best skills of the NSA and US Cyber Command, steal the passwords of several Islamic State administrator accounts, and then use them to trigger chaos in the networks—blocking out some fighters, deleting some content, altering data to send convoys to the wrong place. It didn’t sound especially high-tech. And at first it looked successful because some battlefield videos disappeared. Clearly ISIS fighters were distracted, and disturbed.
But the effects were fleeting; the videos started reappearing elsewhere. And the ISIS commanders had backup systems, and quickly switched networks, using servers spread out over three dozen or so countries. One senior official recalled that Cyber Command would show up “with PowerPoints about all the setbacks they had caused, but they couldn’t answer the simple question: ‘How much lasting effect did you have?’ ”
That prompted the outbreak of another debate: Could Cyber Command go after the servers in three dozen nations—including in Germany—without telling allies that they were about to conduct offensive cyber operations against ISIS inside their national networks? “They wanted to use another country’s infrastructure, and the question was whether we had to tell the countries first—and if we did, whether the whole thing might leak out,” the official said. The debate dragged on for weeks; Obama ultimately decided that the intelligence agencies should seek permission from allied countries because the United States would be outraged if we discovered the British or the French or the South Koreans were using American networks to conduct military activity.
Ultimately, time ran out and the program was handed over to the Trump team. In 2017 ISIS was largely driven from Syria and Iraq, and Carter and his team deserved much of the credit; it was their plan. But once he left the Pentagon, Carter wrote a blistering assessment of how the cyber operations had played out.
“I was largely disappointed in Cyber Command’s effectiveness against ISIS,” he wrote in late 2017, in a remarkably candid account. “It never really produced any effective cyberweapons or techniques. When Cybercom did produce something useful, the intelligence community tended to delay or try to prevent its use, claiming cyber operations would hinder intelligence collection. This would be understandable if we had been getting a steady stream of actionable intel, but we weren’t.”
“In short,” he added, “none of our agencies showed very well in the cyber fight.”
Carter’s critique was about more than just how Cyber Command did against ISIS: many in the Pentagon, and certainly at the NSA, questioned the overall performance of America’s newest fighting unit. “There is just not much capacity there,” one senior Pentagon official said to me in 2017, trying to answer the question of why the attacks on ISIS had gone so slowly.
In fact, eight years after its creation, Cyber Comma
nd was still overly dependent on the technology and tools of the NSA; as one member of a key Cyber Mission Team told me, “Most of the time, we were just using their stuff.” Partly that was to be expected of a start-up venture, but partly it was because the rest of the military didn’t know exactly how to arm and train soldiers who worked at keyboards all day.
That was evident in how Cyber Command was staffed. Hundreds, then thousands, of enlisted women and men and their officers rotated through the Cyber Mission Forces for two-year stints, learning how to defend Pentagon assets in cyberspace, or how to provide specialty support to Pacific Command or Central Command as they took on the Chinese or the Iranians. But it turned out that two years was barely enough time to learn the intricacies of breaking into foreign computer networks and executing operations. That process could take years of patient work, and frequently the members of the 133 Cyber Mission Forces had moved on before their operations came to fruition. Worse yet, when they returned to the air force or the army or the marines, they were frequently assigned to jobs in which their newly acquired cyber skills played little or no role.
In contrast, the civilians working next door at the NSA spent years developing tools, learning the insides of Russian or North Korean or Iranian networks, and implanting their malware. Often they treated these “implants” like prized bonsais, to be watered, nurtured, and cared for. The culture of the NSA was far more risk-averse, and to them, Cyber Command offensive units were mostly interested in blowing things up, which exposed and rendered useless the implants the NSA had so carefully hidden.
The Perfect Weapon Page 28