It was an eerie moment for me, as I thought back to the dinner I’d had on Friday night, November 7—the wonderful food and the hostile company. General Kim, whom I had assumed was my host until I learned we’d actually paid for the meal, was the director of the RGB—the agency that ran foreign intelligence collection, special operations, and cyber operations. So, it was he who ultimately would have ordered the cyber assault against Sony. Reading the intelligence assessments, I realized the hacking operation had been well under way as we were “enjoying” each other’s company that night. I would say he kept a good poker face, except that I’ve never played poker with anyone who just yelled at me for hours on end.
All of the vitriol he spewed over that dinner was genuine. The DPRK really does believe it’s under siege from all directions, its people are deadly serious about affronts to the Supreme Leader, whom they consider to be a deity, and there’s no room for dissent—not when the favorite management technique of its leader is public executions. It’s “super effective.” That’s why The Interview upset them so much.
In Kim Jong-un’s mind, allowing this film to be released would mean showing weakness, which might cost him his rule and his status as a deity, not to mention his life. In response, in June 2014, North Korea threatened action against the US government. Sometime between then and November, the DPRK realized that the government doesn’t control the American film industry, so it went after the distributor, first hacking and leaking damaging information, and then threatening terrorist attacks on any theater that screened the film. A few independent movie chains, like Alamo Drafthouse, wanted to call the North Korean government’s bluff, but for larger theater chains the 2012 shooting at an Aurora, Colorado, movie theater was still too fresh and raw. So Sony Pictures canceled the theatrical release and instead, on December 24, released the film for online rental and purchase, where it still turned a profit. I did my patriotic duty and paid to stream the film, which confirmed two things I already knew: One, Franco and Rogen have a lot of fun making silly movies together. And two, the North Koreans don’t have a sense of humor.
In January 2015, I spoke at the International Conference on Cyber Security at Fordham University—the first government official to discuss North Korea as the perpetrator of the Sony Pictures hack. (I was first only because Jim Comey and Mike Rogers were scheduled to speak on the subject later in the day.) After telling them about my interactions with General Kim over dinner, I figured I should offer some insight from our IC cyber experts, since industry was under a constant barrage of cyber intrusions. First, I gave the conference the IC’s perspective:
Taken all together, cyber poses an incredibly complex set of threats, because criminals, and “hacktivist” collectives like Anonymous, are all thrown in together with aggressors like North Korea and Iran, and with the Russians and Chinese, who could do real damage if they are so inclined. Each of those actors has different capabilities and different objectives when they engage in Cyberspace, and all of them operate on the same Internet.
Back in the halcyon days of the Cold War, the world essentially had two large, mutually exclusive communications networks. One was dominated by the United States and our allies, and the other by the Soviets. We could therefore be reasonably sure that if we were listening to someone on the Soviet-dominated network, that person was not a US citizen. Today, it’s not so clean and easy.
I also offered the conference four pieces of advice from our cyber experts: One: “Patch IT software obsessively. Most Chinese cyber intrusions are through well-known vulnerabilities that can be fixed with patches already available.” Two: “Segment your data. A single breach shouldn’t give attackers access to an entire network infrastructure and a mother lode of proprietary data.” Three: “Pay attention to the threat bulletins that DHS and FBI put out.” And four: “Teach folks what spear phishing looks like. So many times, the Chinese and others get access to our systems just by pretending to be someone else and then asking for access, and someone gives it to them.” A few months later, I was surprised to find an online article with the headline: “What Law Firms Can Learn from James Clapper.” Since most of the time Bob Litt and the other attorneys on ODNI’s staff are educating me, I succumbed to the clickbait and read the article. A guy named Daniel Lewis, who specializes in firm security, had picked up my four points and applied them to law firm cyber practices. If that resulted in a single firm protecting its systems better, I’m glad he shared it.
Of course, my last piece of advice didn’t concern protecting systems from hacking. Spear phishing doesn’t require someone to have special coding skills to obtain unauthorized access or control of your computer or network. It’s social engineering—tricking people, not systems—and everyone’s vulnerable to it. About a year after my speech at Fordham, someone called the phone and internet service provider Sue and I used claiming to be someone he wasn’t, and our provider gave them access to Sue’s email account. From there, they got into an account assigned to me that I’d never used, and leveraged that access to play some jokes. It was less of a security issue and more like “griefing”—cyber vandalism—and by then it had become something of a status symbol among the Washington Beltway “elites” to be cool enough to get “hacked.” I got to join John Brennan as one of the new initiates in that club.
Later in 2015, our counterintelligence and security team determined that approximately 90 percent of all cyber intrusions start with phishing, because there are always unwitting victims who fall for the scheme. So, when I was giving my four pieces of advice to industry, I was careful not to sound too pious. In January 2015, we hadn’t had any massive government losses—at least not that we knew of—on the scale of what had happened to Sony, which was already costing them hundreds of millions of dollars. We did know, though, that the larger federal government wasn’t following the advice my security folks had armed me with, and we were just as vulnerable as everyone else.
A few weeks later, when I again presented the IC’s annual report, I again opened with cyber. As I told Congress, “Attacks against us are increasing in frequency, scale, sophistication, and severity of impact. Although we must be prepared for a catastrophic, large-scale strike, a so-called ‘Cyber Armageddon,’ the reality is that we’ve been living with a constant and expanding barrage of cyberattacks for some time.” The first draft of my statement actually called for me to say that we didn’t consider a “Cyber Armageddon” to even be a real threat, but we decided that having me state that on camera would only be tempting fate, and if, for instance, Russia ever decided to attack our infrastructure, as they’d done on a limited scale to several of their neighbors, a clip of me giving assurances that “Cyber Armageddon isn’t a real threat,” would be played on loop on whatever media infrastructure was left. So I merely focused on the ongoing cyber onslaught.
Citing cyber first in my presentation didn’t mean the terrorist threat had diminished; in fact, the cancer of al-Qaida had made further incursions into the Western world. On January 7, 2015, terrorists who claimed to represent al-Qaida on the Arabian Peninsula had walked into the Paris offices of Charlie Hebdo, a French satirical magazine that had pointedly lampooned the Prophet Muhammad. Calling out names of cartoonists and targeting them with gunfire, they killed twelve and wounded another eleven. A massive manhunt and continued violence in Paris followed. On January 10, 2 million people, including forty world leaders, marched in defiance of the violence through the streets of Paris, along with another 1.5 to 2 million in other French cities. I appreciated the show of worldwide solidarity, but I had also seen the intelligence and media reports that Boko Haram had murdered two thousand people in Nigeria between January 4 and 7, and I wished those victims could also have such public attention.
Terrorist violence was, in fact, accelerating around the entire world. I told Congress that while we only had statistics for the first nine months of 2014, in that period some thirteen thousand terrorist attacks had resulted in thirty-one
thousand deaths—far more than the twelve-month totals for 2013—and we already knew that 2015 was off to a horrific start. Many of the threats we laid out in our report were getting worse because of one major global trend that I called “unpredictable instability.”
I explained that unpredictable instability was both the “new normal” and the driving force behind many of the world’s woes: “The year 2014 saw the highest rate of political instability since 1992, the most deaths as a result of state-sponsored mass killings since the early 1990s, and the highest number of refugees and internally displaced persons . . . since World War II. Roughly half of the world’s currently stable countries are at some risk of instability over the next two years.” What made this instability unpredictable was that so many nations across the globe showed signs of it, and there was no way to predict what sort of event, even something as localized as a fruit seller’s self-immolation, might trigger citizens to revolt, a military to seize power, or an aggressive neighbor to grab territory.
My discussion of unpredictable instability made some headlines. What would have truly made national news was the conversations we’d had behind closed doors, that—based on publicly available information, and not on any particular intelligence—the United States had begun to show many of the same characteristics of instability we used to assess other nation-states. First among these was increasing inequality of income and wealth. The Center for American Progress had published a report in the fall of 2014 with some astounding statistics. As it wrote in an analysis of the 2007–9 recession, “Ninety-five percent of all income gains since the start of the recovery have accrued to the top 1 percent of US households.” This was only part of a longer trend. From 1983 to 2010, the top fifth of US families by net worth had increased their wealth by 120 percent and the middle fifth by only 13 percent; the net worth of the bottom fifth had decreased in that period.
Looking at the theoretical household at the perfect center of American earnings—50 percent of American families earning more, and 50 percent earning less—they wrote, “The median family saw its income fall by 8 percent between 2000 and 2012.” At the same time, they noted that child-care costs grew by 37 percent and health-care costs by 85 percent. “In fact,” they added, “investing in the basic pillars of middle-class security—child care, housing, and health care, as well as setting aside modest savings for retirement and college—cost an alarming $10,600 more in 2012 than it did in 2000.”
The United States also had an increasingly restive population of young people who couldn’t find work, many of them with crushing college debt. Companies had laid off workers of all ages during the recession, and on recovery found that with automation and digital technology advances, they didn’t need to hire people back once money started flowing again. Making the situation worse, unemployment was often geographically focused, with some small towns and even larger regions finding the manufacturing jobs that had supported their economies completely dried up. In many ways, there was a growing overlap of the urban versus rural divide and the have versus have-not divide. Those segments of society increasingly looked at each other with resentment, and people who lived in the more rural, less-educated areas of the country no longer felt represented in a government they perceived as dominated by liberal elites.
The state of political discourse in the media and among politicians, meanwhile, had descended to a winner-take-all, scorched-earth mentality. It was a trend that had been developing for decades, but one that Republican strategist Karl Rove turned into a science for the 2000 election, the Tea Party into an art form for the 2010 election, and social media into an epidemic since then. Social networks had siloed people into echo chambers with those who shared similar viewpoints, amplifying their anger. All of this concerned many of us who had watched the Arab Spring lead to uprisings throughout the Middle East and North Africa. We didn’t see the United States turning into the next Syria, but what these symptoms would eventually lead to was, again, unpredictable instability. Regardless, as always, our personal concerns remained private, because our professional attention as intelligence officers was always turned outward to understanding the world and helping policy makers work to make it safer.
March presented us with a great opportunity to advance global safety and security. At the end of the month, representatives from the permanent members of the UN Security Council—the United States, the United Kingdom, Russia, France, and China—met in Lausanne, Switzerland, with representatives from Germany, the European Union, and Iran to discuss creating the framework for a deal to stop Iran’s nuclear weapons program. Many people, including many politicians and recognizable media figures, misunderstood how narrow and limited this goal was. No deal we could achieve was going to be able to compel Iran to stop sponsoring terrorism, interfering with operations in Iraq and Syria, or menacing its neighbors—particularly Israel. As I said publicly, to me this all boiled down to the question of whether we would rather have a state sponsor of terrorism with a nuclear weapons capability or a state sponsor of terrorism without a nuclear weapons capability.
Between March 26 and April 2, Secretary of State John Kerry and his team became demanding consumers of intelligence. Their questions came in rapid-fire bursts, and we tasked the intelligence production cycle with responding to them quickly—sometimes within hours—all while meeting similar demands from the president and the National Security Council. It was a stressful eight days, but at the end, the group of foreign ministers announced they had reached “solutions on key parameters of a Joint Comprehensive Plan of Action”—namely, that Iran would give up nuclear materials that could be weaponized, and that it would allow international inspectors access to its nuclear power facilities at a level no other nation on earth had ever permitted. In return, it would regain access to perhaps $100 billion of its assets that had been frozen by sanctions specific to its nuclear weapons program. The April 2 agreement was just a framework for a future deal, a point stressed by Iranian foreign affairs minister Mohammad Javad Zarif, who announced: “No agreement has been reached, so we do not have any obligation yet.” That was true, but we knew that the mere fact of arriving at a framework for an agreement validated the work the Intelligence Community had been doing for decades and the power of political and economic pressures we’d worked so hard to support. It also illustrated the value of persistent intelligence over time—often a long time.
The announcement of the Iran nuclear deal framework was a terrific high note leading into ODNI’s tenth-anniversary celebration. On Friday, April 24, President Obama spoke at our headquarters, opening, as I mentioned earlier, by poking fun at my briefing proclivities and presenting me with a jar of paper clips he said I’d left strewn around the Oval Office. To further laughter and applause, he noted for the crowd, “Today is also special to him because it happens to be his fiftieth wedding anniversary to his wonderful wife, Sue. So we want to congratulate the two of them. And fear not, this is not all he’s doing for their fiftieth wedding anniversary.” Sue smiled in appreciation.
The president used most of his speech to recognize the effort and impact the IC has had on national security, repeatedly telling the workforce, “You can take great pride in your service.” He concluded with specific accomplishments he was grateful for:
I don’t want you or folks across the intelligence community to ever forget the difference that you make every day. Because of you, we’ve had the intelligence to take out al-Qaida leaders, including Osama bin Laden. Because of you, we’ve had the intelligence, quickly, that showed Syria had used chemical weapons, and then had the ability to monitor its removal. Because of you, we had the intelligence, despite Russia’s obfuscations, to tell the world the truth about the downing of Malaysia Airlines Flight 17 over Ukraine. Because of you, we had the intelligence support that helped enable our recent nuclear framework with Iran. And you’re going to be critical to our efforts to forge a comprehensive deal to prevent Iran from ever getting a nuclear weapon.
So you help keep us safe, but you also help protect our freedoms by doing it the right way. And the American people and people around the world may never know the full extent of your success. There may be those outside who question or challenge what we do, and we welcome those questions and those challenges because that makes us better. It can be frustrating sometimes, but that’s part of the function of our democracy.
But I know what you do. We’re more secure because of your service. We’re more secure because of your patriotism and your professionalism. And I’m grateful for that. And the American people are grateful as well: to you and your families who sacrifice alongside you.
Life has a strange way of keeping my ego in check whenever I’m starting to feel too puffed up about my role in community accomplishments. In April, one of those checks came in the form of a Fairfax County, Virginia, jury duty summons. My assistant, Stephanie Sherline, called the County Courthouse, got in touch with an actual person—a very sweet lady in the County Clerk’s Office—and explained who I was, what I did, and that my security detail would have to accompany me into court. The lady considered for a moment and then replied that none of that sounded like a legitimate reason for getting out of jury duty. However, she did note that I was seventy-four years old and that because many “older people” have a hard time sitting through the process, Fairfax County has an automatic exemption for anyone over the age of seventy. I’d like to think Stephanie paused at least a moment before saying, “Yes, we’ll take the geezer exemption.”
Facts and Fears Page 37