@War: The Rise of the Military-Internet Complex

Page 9

by Shane Harris


  PDD-20 is seen by military commanders and civilians as the rules of the road for cyber war, a crucial document that spells out lines of authority and command, responsibilities, and broad principles. It says the United States will conduct cyber warfare consistent with the international law of armed conflict: strikes must be designed to cause minimal collateral damage and must be waged in proportion to the threat or the attack on the United States. The military must also be cautious not to disrupt or destroy networks that may be connected to the ones they’re targeting. A virus or worm designed to attack a power plant in Iran must not be allowed to destroy a plant in China. “We don’t want to start World War III,” says Ann Barron-DiCamillo, a senior official at the Homeland Security Department who works with the Defense Department to coordinate responses to cyber attacks in the United States.

  As important as these rules are, PDD-20 does something more fundamental to the way the United States will fight wars in the future: it elevates cyber operations to the status of traditional combat, and instructs the armed forces to integrate offensive cyber warfare “with other US offensive capabilities,” on land, in the air, at sea, and in space.

  The military has three principal cyber war missions, and three kinds of forces with which to conduct them.

  The first mission, and the largest force, runs and defends the military’s networks around the world—everywhere from the battlefields of Iraq and Afghanistan to the waters of the Pacific, where the combined forces of the army, navy, air force, and marines would be the first line of attack in any war with China. These “cyber protection forces,” as the military calls them, try to keep foreign adversaries and hackers out of those military networks. Attempted intrusions occur several thousand times a day, but these are mostly automated probes, not really attacks, and they can be fended off with automated software. The Defense Department also limits the number of points where its networks connect to the public Internet, which helps fortify the military’s defenses. Filters scan every piece of information that moves through those points, looking for worms, viruses, and other indicators of an attempted intrusion, such as traffic coming from Internet addresses suspected of being used by foreign militaries and intelligence services.

  This is everyday defense. The protection forces would really earn their stripes in the event of a full-scale war, when a US adversary would bring out its most sophisticated cyber weapons and best warriors in order to disable the military’s command-and-control networks or corrupt information inside them. These cyber strikes might happen before the first exchange of gunfire, as a prelude to more traditional combat, or as part of an active “kinetic” operation. For instance, during the war in the Balkans in the 1990s, US hackers penetrated Bosnian air defense systems and tricked controllers into thinking that invading aircraft were coming from one direction, when really they were coming from another.

  The military’s defense mission is constrained by the fact that it doesn’t actually own and operate most of its network infrastructure: 99 percent of the electricity and 90 percent of the voice-communications services the military uses come from privately owned cables, routers, and other infrastructure. Protecting the military’s networks “is not getting any easier because of our reliance on key networks and systems that are not directly under DOD’s control,” says Major General John Davis, the Pentagon’s military cyber security adviser.

  So, the cyber protection forces have created “hunt teams” that work with the cyber spies at the NSA and the Defense Intelligence Agency to find potential threats in military networks before they strike. As part of those efforts, the military has access to a database containing dossiers on every known hacker in China, according to an official with a Pentagon contractor that provides tracking services. The dossier notes which kinds of malware the hacker likes to use, what systems he has been known to target, and where he is believed to be operating. In some cases the dossier also includes a photograph, obtained by intelligence operatives in China or purchased through private intelligence companies whose employees follow hackers on the ground. By knowing who the hackers are, the military can raise defenses against their preferred targets. But it can also attempt to lure the hacker into a system with false or misleading information, known as a honeypot, and then track his movements in a controlled environment. The longer he stays inside, trying to steal what he believes to be important documents, the longer the US spies can study his craft and develop ways to counter it.

  An NSA unit known as the Transgression Branch specializes in this kind of track-the-hacker work and takes things one step further. The branch watches a hacker break into another country’s computer system, then follows him inside. In a 2010 operation called Ironavenger, the Transgression Branch saw e-mails containing malware being sent to a government office in a hostile country—one that the NSA wanted to know more about. Upon further inspection, the branch discovered that the malware was coming from a US ally, whose own intelligence service was trying to break in. The Americans let their allies do the hard work and watched silently as they scooped up passwords and sensitive documents from the adversary’s system. The Americans saw everything the allies saw and got some inside knowledge about how they spied.

  The second of the military’s cyber missions is supporting the armed forces in combat. These are the cyber warriors fighting alongside their traditionally armed compatriots. They comprise teams that conduct defense and offense, and they are spread out across the armed forces. Each one has a separate focus, depending on its branch of service. For instance, the air force is training its cyber warriors to hack into enemy air defense and traffic control systems, while the army is focused on land operations, penetrating command-and-control systems of artillery, for instance.

  In a remarkable shift from the earlier days of cyber war, cyber attacks in battle no longer require the approval of the president in every instance. According to the Joint Chiefs of Staff’s official guidance on targeting, much of the decision making about who and what to attack is up to the head of US Cyber Command. “Targeting for cyberspace generally follows the processes and procedures used for traditional targeting,” the guidance states. In other words, the military now thinks cyber weapons are not so different from missiles, bombs, and bullets. Military commanders are cautioned to remember “the unique nature of cyberspace as compared to the traditional physical domains”—that is, the possibility that a cyber weapon could cause widespread collateral damage.

  The skills of these support teams are overlapping, which means that in future wars, an army hacker could hop over to an air force mission with little trouble. During the Iraq War, army operators cracked the cell phones of insurgents and sent them misleading messages, because the army was on the ground fighting the insurgents. But air force cyber warriors also have the skills to conduct that kind of deception operation, and there’s no reason they couldn’t step in if the army was tied up fighting other battles. Likewise, a navy cyber warrior, who is trained to hack the navigation systems of an enemy submarine or fry a ship’s radar, could wreak havoc on a commercial telecom network.

  The third mission is protecting the United States itself, using what the military calls the Cyber National Mission Force. This force only conducts offensive operations. It would get the call from the president or the secretary of defense if China were trying to disable an electrical power plant or Iran were attempting to alter the databases of major banks or financial transaction systems. The members of the National Mission Force are trained to reroute malicious traffic away from its target, breaking in to networks if necessary, or to strike back at the source and take it offline. It reports to US Cyber Command, which is linked to the National Security Agency and its crack Tailored Access Operations unit. The Cyber National Mission Force represents a tiny portion of the overall military cyber force—probably about 1 percent, though the precise number is classified.

  The Pentagon is “at full speed working our way through how the services will implement” the three-tiered structure of US cyber forces, Davis says. Beginning in 2011, the military began conducting regular cyber war games at Nellis Air Force Base, where the pivotal Schriever Wargame took place. Officials have set up joint cyber operations centers in each of the military’s combatant commands, which are organized according to regions of the world and are run by a four-star general or admiral. There is now an emergency conference-call system so that in the event of an imminent or ongoing cyber attack on the United States, military, Defense Department, intelligence, and law enforcement officials can be looped in with the president and the National Security Council—constituting a kind of cyber war cabinet—to decide how to respond. A command-and-control system for US cyber attacks is also in place. There is even an emergency communications line from Washington to Moscow, the cyber equivalent of the Cold War red phone.

  The core infrastructure for fighting a cyber war has been created. Now the United States is raising an army.

  To build a cyber force, the military first has to recruit the best warriors. Each branch of the armed forces has developed aptitude tests, molded on those used by corporations, to determine whether someone might be suited to network maintenance and defense or shows promise for the rarer, more sophisticated offensive missions. The service branches are beginning to introduce basic cyber security training for all new officers; in the air force it’s already mandatory. And the five military service academies now include cyber warfare as a field of study. Every year since 2000, the best hackers from each academy have competed against one another in a war game sponsored by the NSA. The simulation is meant to pit the schools against one another but also to test their mettle against the government’s best cyber warriors.

  “We build a network, all from scratch, then defend it against a team from NSA,” says Martin Carlisle, professor of computer science at the Air Force Academy and director of its Center for Cyberspace Research. The battle lasts for two and a half days. In 2013 the academy fielded a team of fifteen computer science and engineering majors who squared off against an NSA “red team”—war game code for the aggressor—of about thirty military officers, civilians, and contractors from the NSA. The agency’s team was not allowed to use any classified hacking techniques, but they ran operations against the cadets that they would likely see if the United States ever fought a cyber war with a foreign military. The NSA red team attempted to get inside the air force network and modify crucial data, so that the cadets could no longer trust its veracity. They launched known computer viruses against the cadets’ network and tried to install backdoors in their systems.

  The air force won the 2013 competition, its fourth victory since the game began in 2001, and its first consecutive win.

  Future air force cyber specialists take special training at Keesler Air Force Base, on the Gulf Coast of Mississippi. Just like pilots have to pass flight school, the would-be cyber warriors have to run a gauntlet before they can wear the cyberspace badge—a pair of silver wings crossed by a lightning bolt centered on a globe.

  The next and most important step in the education of cyber warriors is on-the-job training, “where you have your hands on the keyboard,” says Lieutenant General Michael Basla, chief of information dominance and the chief information officer, or CIO, of the air force. Basla’s dual titles reflect the air force’s approach to its cyber warfare mission. “Information dominance” encompasses propaganda, deception, and computer operations. And a CIO, generally, is the head techie in an organization, responsible for keeping the networks up to date and running. The air force lumps its network maintenance staff with its defenders, as well as those who conduct offense. It’s one big techie pool.

  About 90 percent of the air force’s cyber force (which consisted of approximately 12,600 people in 2013) works on defense. They are guarding networks, patching vulnerabilities, and trying to keep abreast of changes to hardware and software that might create more holes for an intruder to use. Less than 1 percent of all air force cyber warriors are engaged in what Basla calls the “exquisite” work of penetrating an enemy’s computer systems.

  There are two big reasons for this mismatch. First, offense is a lot harder than defense. The tools and principles to do both are essentially the same in many ways. But asking a defender to go out and break in to a highly protected enemy computer would be like asking an auto mechanic, however talented, to fix the engine on a jet fighter. He may understand the principles of the task, but the application is an order of magnitude more difficult.

  The second reason the offense side is so much smaller is that the military has only recently begun to make cyber warfare a priority. Protecting military networks and computers, which have proliferated in the past fifteen years, has long been part of its mission. That emphasis is changing now, as cyber warfare becomes integrated into military doctrine.

  But if they ever go to war, US cyber forces will face an adversary just as skilled as, and many times larger than, they are.

  Groups of hackers have been operating in China for more than a decade. Some of their first handiwork was on display in 1999, after US forces inadvertently bombed the Chinese embassy in Yugoslavia during the Kosovo War. Outraged “patriotic hackers” hijacked the websites of the US Departments of Energy and the Interior and the National Park Service. The hackers took down the sites’ usual content and replaced it with anti-American messages: “Protest the USA’s Nazi action! Protest NATO’s brutal action!” The White House also came under a heavy denial-of-service attack, in which an aggressor floods a server with traffic in an attempt to knock it offline. The White House took down its website for three days as a precaution.

  Today these Chinese hacker groups, who were once motivated by their sense of national pride and opposition to foreign military action, are taking their orders from China’s military and intelligence leaders. They weren’t conscripted so much as brought under the banner of the People’s Liberation Army, which has both clandestinely supported their work and officially ignored their existence. Lately that work consists mostly of stealing information. Chinese hackers have penetrated or tried to compromise classified computer systems of every department and agency of the federal government. They have broken in to countless corporate databases to steal trade secrets. Just like the hackers who broke in to US defense contractors in 2007, they are looking for any piece of information—however big or small—that will give China a military or economic edge and advance the country’s global strategy.

  The Chinese hackers are skilled and relentless. They are also shameless. They’ve taken far fewer precautions than their American adversaries to cover their tracks. In part this is because they know the US government has been loath to call out one of its most important trading partners and lenders as the source of a global espionage campaign. But the Chinese also view cyber espionage and warfare as a set of tactics that helps them compete against more advanced economies, militaries, and intelligence organizations. They have little compunction about breaking in to competitors’ systems because they know it’s one of the few capabilities they have to gain some advantage over their adversaries. China has no blue-water navy capable of doing battle on the world’s oceans. But it does have a cyber force that can wreak havoc on US targets from the other side of the planet.

  Chinese cyber forces, along with their counterparts in Russia, have designed technologies to hack into US military aircraft. The Chinese in particular have developed a method for inserting computer viruses through the air into three models of planes that the air force uses for reconnaissance and surveillance. The attack is launched via the electromagnetic spectrum and targets the onboard surveillance systems that emit a signal. It’s an ingenious tactic, and a potentially devastating one: such a strike could disrupt the aircraft’s controls and cause them to crash.

  But these advances were predictable. For centuries the Chinese have employed a strategy of asymmetry, overwhelming a larger enemy by attacking his weaknesses with basic weapons. Cyber espionage and warfare are just the latest examples in a long and, for the Chinese, proud tradition.

  To speak of the Chinese hackers as a group is a bit of a misnomer. They don’t operate entirely as a collective, and how they’re organized is still a mystery—unlike the Americans, the Chinese don’t publicize their cyber warfare hierarchy and command structure. But for the purposes of developing countermeasures, US security officials often view the hackers as one entity, because they are united by a set of characteristics—national pride, the belief in economic espionage as a tool for national advancement, and a strategy of asymmetric force. American security experts have given the Chinese cyber horde a name—the advanced persistent threat, or APT. It is responsible for a global spread of malware that has infected or attempted to infect every computer system of consequence in the United States, US officials say. Any American company operating abroad doing business with or in China or with any of its competitors can safely assume that it has been a target. Many of them don’t even know that. On average, at least a month passes before most companies ever learn they have an intruder on their networks.

  The precise number of Chinese cyber warriors is not known, but experts uniformly agree on two things: it is very large, likely in the tens of thousands, and unlike those in the United States, the Chinese cyber warriors are mostly focused on offense.

  Joe Stewart, director of malware research at Dell SecureWorks, has tracked twenty-four thousand Internet domains that he believes Chinese cyber spies have either rented or hacked and use as bases of operations against the US government and American companies, he told Bloomberg Businessweek in 2013. The precise number of hackers is hard to gauge, but Stewart identified three hundred types of malware and hacking techniques that the Chinese used, double the number he saw in 2012. “There is a tremendous amount of manpower being thrown at this from their side.”
