
@War: The Rise of the Military-Internet Complex

Page 8

by Shane Harris


  Cyber needed its own command, McConnell thought, so that the unique expertise and capabilities of each branch of the armed forces could be harnessed. Military leaders and administration officials were coming around to the idea that future wars would be fought on the Internet as well as in the physical domains. But a new command would make it clear that cyber warfare was not a passing fashion. McConnell thought there was no better way to establish cyber’s staying power than to enshrine it in the military’s command-and-control structure.

  As it happened, in late October, less than two weeks before the election, a computer worm had infected military networks, a major breach that persuaded the Pentagon brass that their cyber defenses were lacking. The NSA had quickly neutralized the intrusion and was leading the cleanup through the remainder of Bush’s term. McConnell conferred with his old friend Bob Gates, who had agreed to stay on as secretary of defense under the new administration. Gates agreed there should be a new cyber command. It wouldn’t happen while McConnell was in office. Official Washington would be consumed by the ritual of the presidential transition, as Bush administration officials handed off the keys to the incoming crew and explained in detail everything they’d been working on. But Gates took the baton. In June 2009 he ordered the commander of US Strategic Command to establish a new Cyber Command, or CyberCom. Strategic Command seemed like an obvious home—it had nominal responsibilities for coordinating information warfare across the military services. But by now the NSA was effectively in charge of that mission. Therefore, the NSA director should run CyberCom, Pentagon officials reasoned. The plan was to keep it as a subordinate command temporarily, let it grow, and then elevate CyberCom to full combatant command status.

  In ways that few could discern at the moment, the current NSA director, army general Keith Alexander, had been groomed for the role of cyber commander his entire military career. Over time he would be revealed as an erudite technologist, a cunning warrior, and one of the most politically skillful generals in recent memory. For now, though, as the new Cyber Command got on its feet, he was one of its strongest supporters on Capitol Hill, in the military ranks, and at the White House.

  At an “activation ceremony” on May 21, 2010, at Fort Meade, Alexander was sworn in as the first commander of US Cyber Command. Gates attended, along with David Petraeus, who was then in charge of Central Command. The only man missing from the bunch of founding fathers was McConnell. But his work was done. The United States had officially entered the age of cyber war.

  The military-intelligence alliance proved it was very good at attacking bands of insurgents and terrorists in Iraq. But what would happen when the United States met a large, organized national military on the battlefield of cyberspace—and it fought back?

  To find out, on May 7, 2010, around six hundred people showed up at Nellis Air Force Base, on the outskirts of Las Vegas, for the annual Schriever Wargame. Every year the game was premised on some hot-button issue of strategy currently vexing US forces. (In 2012, the participants fought pirates around the Horn of Africa.) The name Schriever, in addition to being attached to the base in Colorado that administered the game, was an important one in air force history: Bernard Adolph Schriever, or Bennie, was a German immigrant who became a US general in 1961 and was a pioneer in space and ballistic missile research.

  The participants for the 2010 game included senior military officers, representatives from all the combatant commands, and military and civilian cyber security experts from more than thirty US government agencies—including the NSA, the Homeland Security Department, and the National Reconnaissance Office, which runs a network of spy satellites and is arguably the most secretive of all the spy agencies. Executives from technology companies also showed up, along with policy wonks, official delegations from Australia, Canada, and Great Britain—the United States’ three closest allies—as well as one former member of Congress, Tom Davis, whose district included many of the biggest Defense Department and spy agency contractors. For the war game, Davis played the role of president of the United States.

  The year was 2022. A “regional adversary” in the Pacific—it was never named, but everyone seemed to pretend it was China or North Korea—perceived a military provocation from a US ally. In response, the adversary launched a crippling cyber attack on the ally’s computer networks. The ally invoked its mutual defense agreement with the United States. Washington had to respond.

  Before the US forces could decide on their first move, the adversary struck preemptively, attacking “aggressively, deliberately, and decisively” to block the US forces’ access to the computer networks they would need to communicate and send orders, according to a senior US general who participated.

  “Red blockades Blue,” the players were informed.

  Blue had trained for a blockade on water, not on the Internet. They knew how to signal to an adversary, “We see you—back off.” They could hail him over a radio frequency. Flash lights. Sound sirens. They could summon other ships to the area as a show of force. There were assertive but nonlethal steps a commander could take, short of actually firing on the enemy’s ship, to halt his advance.

  But in cyberspace, the only thing the players knew how to do was attack the enemy’s network and destroy it, skipping all the posturing and signals and heading straight to full-on combat. There was no cyber equivalent, that they knew of, for summoning all hands to battle stations. It was either attack or don’t. The traditional deterrence strategy was useless.

  It also wasn’t clear that the other side had a deterrence strategy of its own, or even believed in the value of one. Military planners liked to compare cyber weapons to nuclear weapons, because they both could cause massive, strategic-level damage and required presidential authorization to use. But with nuclear hostilities there was a series of clear, mutually understood actions each side could take that stopped short of using the weapons. Throughout the Cold War, the United States and the Soviet Union helped keep a fragile peace in large part by making clear how they could—and would—destroy each other. The Soviets test a new missile, the Americans show off one of theirs. They talk of deploying missiles closer to targets in Europe, the US president talks openly about the possibility of using nuclear weapons, and says he hopes it never comes to that. In this back-and-forth, full of chest thumping and heated words, both sides implicitly agreed they were trying to avoid a nuclear war, not cause one. Signaling their hostile intent gave each side time to back down, cool off, and save face.

  But now, in the game, the regional adversary continued attacking in unpredictable ways. After hitting the US forces’ computer networks, it sent “grappler” satellites to latch on to US satellites, pushing them out of their orbit and disabling them.

  Over the next four days, military commanders struggled to come up with a response short of full-scale war, which they were convinced would result in enormous casualties on both sides. Senior leaders in the Defense Department and at the White House got involved. The US forces discovered they had no cyber war agreements with their foreign allies, so there was no road map for an international response. Military leaders turned to the corporate executives for help. What technology did the companies have to send some kind of signal to the enemy to change its tactics? Was there such a thing as a non-hostile cyber attack? No one was sure.

  The enemy had already made a decision that cyber and space attacks were the best way to counter the perceived aggression from its neighbor and fend off a US response. They had already set their red line. And they had already gamed out the US response, which got bogged down as more and more senior executives weighed in about what moves would be effective, or even legal. The mighty superpower was reduced to a bunch of confused and disorganized players. Worse, in the words of one participant, this appeared to be exactly what the enemy wanted. “We were unwittingly and obediently following a script that the adversary had already written for the campaign, and our military actions to deter would have no effect on their decision calculus.”
  All war games start with a set of premises; the risk for the players is that they presume those facts will hold true in real life and fail to consider alternatives. The Schriever Wargame was designed so that China or North Korea would preemptively launch a cyber attack. Of course, they might not. Maybe in a real standoff they would fear a cyber counterstrike by the United States—or worse, a nuclear one. Arguably, one lesson of the war game was that the military should reexamine its premises and assess how likely another country was to launch a first strike in cyberspace, given the mutually assured destruction that the military believed would follow.

  Instead, the game reinforced the military’s natural disposition toward war. And it convinced senior military and Pentagon leaders that if a cyber war ever did break out, it would happen “at the speed of light,” with practically no warning. From now on, whenever they testified before Congress or gave public speeches and press interviews, they warned about the instantly devastating nature of cyber warfare. It became an article of faith when it came to their planning. The United States, they said, had to prepare now for the inevitability of this conflict, and take extraordinary measures to strengthen its forces—for defense and offense.

  As unnerving as the war game proved to be, there were threats closer to home that had US officials worried. In May 2009, in a speech in the East Room of the White House, President Obama revealed that “cyber intruders have probed our electrical grid and that in other countries cyber attacks have plunged entire cities into darkness.” Obama didn’t say that foreign hackers had actually turned off the lights in the United States. But privately, some intelligence officials claimed that Chinese hackers were responsible for two major blackouts, in 2003 and 2008. The first blackout was the largest in North American history, covering a 93,000-square-mile area including Michigan, Ohio, New York, and parts of Canada. An estimated 50 million people were affected. The ensuing panic was so severe that President Bush addressed the nation to assure people the lights would come back on. Within twenty-four hours, power was mostly restored.

  One information security expert who was under contract to the government and large businesses, dissecting Chinese spyware and viruses found on their computers, claimed that in the second blackout, a Chinese hacker working for the People’s Liberation Army had attempted to case the network of a Florida utility and apparently made a mistake. “The hacker was probably supposed to be mapping the system for his bosses and just got carried away and had a ‘what happens if I pull on this’ moment.” This expert thought the hacker triggered a cascade effect, which shut down large portions of the power grid in Florida. “I suspect, as the system went down, the PLA hacker said something like, ‘Oops, my bad,’ in Chinese.”

  The companies that operated the networks and the power plants vehemently denied the accusations and pointed to public investigations that concluded the blackouts were triggered by natural causes, including overgrown trees that had shorted out strained power lines. No government official ever offered verifiable evidence that the Chinese were behind the blackouts. But the persistent rumors of the country’s involvement were a measure of Washington’s paranoia and dread about cyber attacks.

  After a possible attack on US power grids, officials’ next greatest concern is relentless theft of intellectual property and trade secrets from US companies, particularly by hackers in China. Alexander, who became the Cyber Command chief in 2010, called rampant Chinese industrial espionage “the greatest transfer of wealth in history.” By 2012, Congress finally felt compelled to act. It was six years after lawmakers’ own computers were found to have been infected with spyware that was probably implanted by Chinese hackers. Computers in several committee offices in the House of Representatives also were infected, including those overseeing commerce, transportation and infrastructure, homeland security, and the powerful Ways and Means Committee. The Congressional-Executive Commission on China, which monitors human rights and laws in China, was also hit. Most committee offices were found to have one or two infected computers. The International Relations Committee (now called the Foreign Affairs Committee), which oversees US foreign policy, including negotiations with China, had twenty-five infected computers and one infected server.

  In 2012, proposals wound their way through Congress that, among other things, would give the government more authority to gather information about cyber intrusions and reconnaissance of networks from affected companies. The idea was to share information about potential threats but also to force companies to step up their own security. But some companies balked, fearful that the legislation marked a new wave of expensive and intrusive regulation. Companies were also worried that they might get sued by their customers for working with the government. Internet service providers wanted legal assurances that if they transmitted information about attacks in real time to the Defense or Homeland Security Departments, they wouldn’t be held liable for any personal data those warnings might contain, such as the identities or Internet addresses of people whose packets had been intercepted or whose computers had been compromised.

  The US Chamber of Commerce, a powerful trade association with deep pockets and a history of supporting Republican candidates for office, said legislation would give the government “too much control over what actions the business community could take to protect its computers and networks.” At a moment when conservative officeholders in particular had been denouncing President Obama’s health care law as government intrusion into citizens’ private lives, the Chamber became the most vocal opponent of cyber legislation as another example of government excess. GOP lawmakers closed ranks behind it, and any chance for a comprehensive cyber law died.

  In lieu of Congress acting, President Obama signed an executive order in February 2013 that made it US policy “to enhance the security and resilience of the Nation’s critical infrastructure.” That term, critical infrastructure, was intentionally broad, in order to encompass a multitude of businesses and industries. The president defined it as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” By that definition, a power plant was certainly critical. But so was a bank. And a hospital. So were trains, buses, and trucking companies. Was UPS a critical infrastructure? To the extent that businesses depended on shipping and timely delivery of goods and services, maybe it was.

  With the executive order, the Obama administration told Congress and businesses that it wasn’t going to wait for a new law to extend government influence over the Internet. The order instructed federal agencies to start sharing more cyber threat information with companies; authorized the Commerce Department and the National Institute of Standards and Technology to come up with a “framework” of security standards that companies would be encouraged to adopt; and told the secretary of Homeland Security to draw up a list of critical infrastructures “where a cybersecurity incident could reasonably result in catastrophic regional or national effects.”

  The White House was still prepared to fight for a new cyber law. But in the meantime, Obama’s order did something profound: it gave the military the green light to prepare for cyber war.

  Obama’s executive order, along with a classified presidential directive signed five months earlier and not released publicly, made it clear that the military had the lead in defending the nation during a cyber attack. Just as the armed forces would swing into action if the United States were invaded by a foreign army, or if missiles were flying toward US cities, the country’s cyber forces would get the call to defend against a digital attack—and to retaliate.

  The executive order made it easier for the Defense Department to expand its classified threat intelligence sharing program beyond the defense industrial base to more of those “critical infrastructure” sectors that the government would define. And the separate directive, known as PPD-20, spelled out how the military would go to cyber war, under what circumstances, and who may give the orders.

  Any cyber strike has to be ordered by the president. But during an emergency the president can delegate that authority to the secretary of defense. If a power plant, for instance, were under imminent attack, and there was no time to get the president’s approval for defensive actions—which could involve a counterstrike on the source of the attack—then the secretary could give the order.

  But PPD-20 isn’t really about cyber defense. It instructs the military to draw up a list of overseas targets “of national importance,” where it would be easier or more effective for the United States to attack with a cyber weapon than a conventional one. These are the equivalent of Cold War–era, high-priority targets in the Soviet Union, where bombers would drop their payload in the event of a war. PPD-20 does not name individual targets, but those of national importance would naturally be communications systems; command-and-control networks used by military forces; financial networks; air defense and air traffic control systems; and critical infrastructures, such as electrical grids. These are the same kinds of targets that a foreign army would draw up on the United States for a cyber war.

  The directive also instructs other government departments and agencies, including the State Department, the FBI, the NSA, the Treasury Department, and the Energy Department, to make plans for retaliating against “persistent malicious cyber activity against US Interests” when “network defense or law enforcement measures are insufficient or cannot be put in place in time.” The military would carry out those attacks as well, at the president’s instruction.
