@War: The Rise of the Military-Internet Complex


by Shane Harris


  Military personnel who’d investigated the F-35 breach described what they’d learned. A massive espionage campaign had targeted each of the companies’ computer networks. The spies weren’t looking just for information about the F-35; they stole as many military secrets as they could find. Spies had overrun the companies’ weak electronic defenses and relayed classified information back to their home servers. They had sent employees working on secret projects innocuous-looking e-mails that appeared to come from trusted sources inside the company. When the employee opened such an e-mail, it installed a digital backdoor and allowed the Chinese to monitor every keystroke the employee typed, every website visited, every file downloaded, created, or sent. Their networks had been infiltrated. Their computers compromised and monitored. America’s military-industrial complex had, in the language of hackers, been owned.

  And the spies were still inside these companies’ networks, mining for secrets and eavesdropping on employees’ communications. Maybe they were monitoring the executives’ private e-mails right now. “A lot of people went into that room with dark hair, and when they came out, it was white,” says James Lewis, a prominent cyber security expert and a fellow at the Center for Strategic and International Studies, a think tank in Washington, who knows the details of the meeting.

  These companies were the weak link in the security chain. Pentagon officials told the executives that responding to theft of military secrets was a matter of urgent national security. And for the companies, it was a matter of survival. Most of their businesses depended on the money they made selling airplanes, tanks, satellites, ships, submarines, computer systems, and all manner of technical and administrative services to the federal government. Officials were clear: if the contractors wished to continue in their present business arrangements, they would have to do a better job defending themselves.

  But they wouldn’t be doing it alone.

  After the meeting the Defense Department began giving the companies information about cyber spies and malicious hackers being monitored by US intelligence agencies. At the time, the Pentagon was tracking about a dozen espionage campaigns—distinct groups of hackers that could be categorized based on their interest in certain military technologies, aspects of military operations or organizations, or defense contractors. This information about foreign spies was the fruit of American espionage, gathered by monitoring and studying attempts to penetrate military networks, but also by breaking in to the computers and networks of America’s adversaries. US intelligence agencies were also monitoring huge flows of traffic over the global telecommunications networks for viruses, worms, and other malicious computer programs. Never before had the United States shared so much classified information with private individuals. The work of securing the nation had historically been the government’s exclusive domain. But now government and industry formed an alliance against a common threat. The Pentagon gave the companies Internet addresses that were tied to computers and servers where the foreign spies were believed to be sending stolen information, as well as the e-mail addresses that were known to have sent those innocuous-looking messages that actually contained a virus or a piece of spyware. Government analysts shared the latest tools and techniques that they’d seen foreign hackers use against their targets. And they alerted companies to the types of malicious software hackers were using to pry into computers and pilfer files. Armed with these data points, known as threat signatures, the companies were supposed to bolster their own defenses and focus their attention on repelling the intruders before they compromised their networks again. The threat signatures were compiled by the National Security Agency, the government’s largest intelligence organization. Its global network of surveillance plucks data out of tens of thousands of computers that the agency itself has penetrated and implanted with spyware—just like the Chinese spies who broke in to the defense companies’ computers. Information gathered by the National Security Agency (NSA) is some of the most revealing about the capabilities, plans, and intentions of America’s adversaries, and as such it is highly classified. Now the government was sharing it with companies under strict secrecy rules. The recipients were not to disclose that they’d received the threat signatures, and they were to keep the Pentagon apprised of any incursions into their own networks.

  The Defense Industrial Base Initiative, as the intelligence-sharing program is called, started small, with just the 20 companies whose executives had gathered in the SCIF at the Pentagon. But within a year there were 30 members. Today there are about 100. Pentagon officials want to add as many as 250 new members per year to the secretive club, known by its members as the DIB (pronounced “dib”).

  But officials don’t want only to protect military contractors. They see the DIB as a model for securing whole industries, from telecommunications to energy to health care to banking—any business, system, or function that uses a computer network. Which today means nearly everything. The DIB was the seed of a much larger and still evolving alliance between government and industry.

  The leaders of the intelligence agencies, top military officers, and the president himself say that the consequences of another major terrorist attack on American soil pale in comparison with the havoc and panic a determined and malicious group of hackers could cause. Instead of stealing information from a computer, they could destroy the computer itself, crashing communications networks or disabling systems that run air traffic control networks. They could hijack the Internet-connected devices that regulate the flow of electrical power and plunge cities into darkness. Or they could attack information itself, erasing or corrupting the data in financial accounts and igniting a national panic.

  In October 2012 then defense secretary Leon Panetta warned that the United States was on the verge of a “cyber Pearl Harbor: an attack that would cause physical destruction and the loss of life, that would paralyze and shock the nation and create a profound new sense of vulnerability.” Five months earlier President Barack Obama wrote in a newspaper editorial that the wars of the future would be fought online, where “an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home.” Obama painted a dire and arguably hyperbolic picture. But his choice of imagery reflected the anxiety gripping senior leaders in government and business that cyberspace, which seems to hold boundless promise for the nation, is also its greatest unaddressed weakness. “Taking down vital banking systems could trigger a financial crisis,” Obama wrote. “The lack of clean water or functioning hospitals could spark a public health emergency. And as we’ve seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill.” FBI director James Comey has said the risk of cyber attacks and a rise in cyber-related crime—to include espionage and financial fraud—will be the most significant national security threat over the next decade. For the past two years the possibility of a crippling cyber attack has topped the list of “global threats” compiled by all seventeen US intelligence agencies in a report to Congress. Protecting cyberspace has become the US government’s top national security priority, because attacks online could have devastating effects offline.

  And yet the government is not telling us the whole story. Officials are quick to portray the nation as a victim, suffering ceaseless barrages from an unseen enemy. But the US military and intelligence agencies, often with the cooperation of American corporations, are some of the most aggressive actors in cyberspace. The United States is one of a handful of countries whose stated policy is to dominate cyberspace as a battlefield and that has the means to do it. For more than a decade, cyber espionage has been the single most productive means of gathering information about the country’s adversaries—abroad and at home. The aggressive actions the United States is taking in cyberspace are changing the Internet in fundamental ways, and not always for the better. In its zeal to protect cyberspace, the government, in partnership with corporations, is making it more vulnerable.

  The story of how securing cyberspace became so important for the United States starts with its efforts to control it, to use it as both a weapon and a tool for spying. The military now calls cyberspace the “fifth domain” of warfare, and it views supremacy there as essential to its mission, just as it is in the other four: land, sea, air, and space. The United States has already incorporated cyber attacks into conventional warfare, and it has used them to disable infrastructure in other countries—precisely the same kinds of malicious acts that US officials say they fear domestically and must take extraordinary measures to prevent. On the spectrum of cyber hostilities, the United States sits at the aggressive end.

  The US military and intelligence agencies are fielding a new generation of cyber warriors, trained to monitor the computer systems of foreign adversaries, break in to them, and when necessary disable and destroy them. Cyber warfare, like cyberspace, is an amorphous term. But it applies to a spectrum of offensive activities. Just as espionage is an inextricable part of traditional warfare, so too is spying on a computer a prerequisite to attacking it. To be sure, the United States has spent far more time and money spying on computers and stealing information than it has taking down critical infrastructures and destroying physical facilities through a computer connection. But it has done that, too. And it will do it more often, and more effectively. Indeed, cyber warfare—the combination of spying and attack—was instrumental to the American military victory in Iraq in 2007, in ways that have never been fully explained or appreciated. The military, working with US intelligence agencies, used offensive cyber techniques (hacking) to track down people in the physical world and then capture or kill them.

  But just as protecting cyberspace is not the exclusive domain of government, waging war in cyberspace is becoming a private affair. A burgeoning industry of cyber arms merchants and private security forces is selling its goods and services both to the government and to corporations that will no longer endure relentless espionage or the risk of cyber attack. The armies of nations will inevitably meet one another on the cyber battlefield. But the armies of corporations will meet there, too.

  Governments don’t operate in cyberspace alone. Defending computer networks, and launching attacks on them, requires the participation, willing or otherwise, of the private sector. The vast majority of computer networks in the United States are privately owned. The government cannot possibly protect or patrol all of them. But most of the world’s communications travel through equipment located in the United States. The government has a privileged position to exploit those networks, and an urgent need to protect them. To those ends, a military-Internet complex has emerged.

  Like the military-industrial complex before it, this new cooperative includes the makers of tanks and airplanes, missiles and satellites. But it includes tech giants, financial institutions, and communications companies as well. The United States has enlisted, persuaded, cajoled, and in some cases compelled companies into helping it fend off foreign and domestic foes who have probed the American electrical grid and looked for other weaknesses in critical infrastructures. The NSA has formed secret arrangements with marquee technology companies, including Google, to monitor private networks for threats. It has shared intelligence with major banks and financial institutions in order to prevent a catastrophic cyber attack on Wall Street.

  But the government also has attempted to force some companies into letting the NSA place monitoring equipment on its networks. And it has paid technology companies to install backdoors in their products that it can use to spy on foreign intelligence services and monitor military movements. Those clandestine access points also allow the military to launch cyber attacks in foreign countries. Without the cooperation of the companies, the United States couldn’t fight cyber wars. In that respect, the new military-Internet complex is the same as the industrial one before it. The government doesn’t fight wars alone. It relies on companies to design weapons, move and feed troops, build and maintain aircraft, ships, and satellites. The United States became the most formidable military in world history through a mutually beneficial alliance with corporations. It aims to do so again in cyberspace.

  The United States is rapidly building its capacity to dominate cyberspace. In 2014 the government planned to spend more than $13 billion on cyber defense programs, mostly to protect government computers and networks, and to share threat intelligence with private industry. To put that in some perspective, in the same year the government planned to spend $11.6 billion on direct efforts to combat climate change, which Obama has called “the global threat of our time.” Over the next five years, the Defense Department alone plans to spend $26 billion on technology for cyber defense and offense. Precisely how much the United States intends to spend on the offensive component is classified. But in cyberspace, the line between offense and defense is blurry and constantly shifting. The same infrastructure that is being put in place to defend networks is the one that is used to launch attacks. Government officials prefer to talk publicly about defense, which is a strategic and a cynical calculation: it’s easier to drum up funds and political support for repelling invaders than it is for building a cyber army to attack and spy on other countries. And yet, that is precisely what the United States is doing, and using some of the billions of dollars nominally appropriated for “defensive” purposes to do so.

  The business of cyber security is booming. Companies and individuals around the world spend $67 billion a year protecting their computers and networks. Many of the experts they hire learned their trade in the military or an intelligence agency. Indeed, the Pentagon has become a training ground for private cyber sentries, who can double or even triple their salaries when they jump to a private security firm. The same defense contractors that were once the target of cyber spies now sell the expertise to protect networks and wage war on them to their customers, including utilities and banks—the very companies that the government had set out to protect in the first place.

  The struggle to control cyberspace is defining American national security in the twenty-first century. But the response to cyber threats promises to change the shape of cyberspace more than the threats themselves do. The decisions that government and business leaders make today will have profound implications not just for Americans but for people around the world, who are increasingly united in their reliance on a broad, distributed, and often hard-to-define space that is neither entirely a commons nor the property of one corporation or government. That threats exist in cyberspace is undeniable. Answering them is a befuddling and often perilous exercise, but one in which we all have a stake.

  PART I

  ONE

  The First Cyber War

  BOB STASIO NEVER planned to become a cyber warrior. After he graduated high school, Stasio enrolled at the University at Buffalo and entered the ROTC program. He majored in mathematical physics, studying mind-bending theories of quantum mechanics and partial differential equations. The university, eager to graduate students steeped in the hard sciences, waived the major components of his core curriculum requirements, including English. Stasio never wrote a paper in his entire college career.

  Stasio arrived at Fort Lewis, Washington, in 2004, when he was twenty-two years old. His new brigade intelligence officer took one look at the second lieutenant’s résumé, saw the background in math and physics, and told Stasio, “You’re going to the SIGINT platoon.”

  SIGINT, or signals intelligence, is the capture and analysis of electronic communications. Like all branches of intelligence, it’s a blend of science and art, but it’s heavy on the science. The brigade intelligence officer had worked at the National Security Agency and recognized that Stasio’s physics training would come in handy, because so much of SIGINT involves the technical collection of radio signals, fiber-optic transmissions, and Internet packets.

  Stasio’s military training in college focused on how to use a rifle and lead a squad. But he had spent six months learning the basics of intelligence gathering and analysis at the army’s intelligence school at Fort Huachuca, Arizona. When he came to Fort Lewis, Stasio was assigned to a Stryker brigade, a mechanized force designed to be light on its feet, capable of deploying into combat in just a few days. It was Stasio’s job to locate the enemy on the battlefield by tracking his communications signals. And he was also supposed to divine his adversary’s intentions by eavesdropping on the orders a commander gave to troops, or listening for the air strike that a platoon leader was calling in from behind the lines. Stasio would join the Fourth Brigade, Second Infantry Division, “the Raiders,” and deploy to Iraq. He’d be working with a team of linguists, who would be essential, since Stasio didn’t speak Arabic. But when it came time to meet them, Stasio started to worry: nearly all of the linguists spoke only English and Korean.

  The army had designed its signals intelligence system for the Cold War. Thousands of troops still served on the Korean Peninsula. They were still trained in how to fight a land battle with North Korean forces, in which the physics of SIGINT—locating tanks and troops—would be central to the mission. But the Raiders were going off to fight a network of Iraqi insurgents, volunteer jihadists, and terrorists. These guys didn’t drive tanks. They didn’t organize themselves according to a military hierarchy. And of course, they didn’t speak Korean.

  Stasio decided that his intelligence training would be mostly useless in Iraq, where the US occupation was coming unglued. Army casualties were mounting, the result of a well-orchestrated campaign of roadside bombings by insurgents. The soldiers who didn’t die in these attacks were coming home with limbs missing, or with severe brain injuries that would impair them physically and emotionally for the rest of their lives. SIGINT wasn’t preventing these attacks. Indeed, it was hardly being used at all. In October 2004 the military’s top signals intelligence officer estimated that as much as 90 percent of all information in Iraq was being supplied by a network of human spies and informants—and they weren’t helping the Americans reduce the bombing attacks and insurgent strikes.

 
