
@War: The Rise of the Military-Internet Complex


by Shane Harris


  In 2013 the computer security research firm Mandiant released a groundbreaking report that identified and gave the location of one suspected APT group, known as Unit 61398—a Chinese military cover name—based in Shanghai. One of its main centers of operations is a twelve-story, 130,000-square-foot building capable of holding as many as two thousand people. The security company studied Unit 61398 going back to 2006 and discovered it had broken in to the systems of nearly 150 “victims.” Mandiant judged the unit to be one of the most prolific cyber spying outfits in China. And other computer security experts linked the group to an incursion in 2012 on the networks of the Canadian arm of Telvent, which designs industrial control software used to regulate valves and security systems for oil and gas pipeline companies in North America. Telvent has acknowledged that the intruders stole project files. Hackers could use those to map out the networks of oil and gas companies and find their weaknesses.

  Unit 61398 was formidable, and clearly interested in potential attacks on critical infrastructure. But it was just one of twenty hacker groups that Mandiant was tracking. Chinese hackers in general are mostly engaged in espionage. But it would be easy for its members to switch into cyber warfare mode and start taking down systems, corrupting data and information, or launching malware against critical infrastructure, such as power plants and communications facilities. If each of those twenty groups was just half as large as Unit 61398, the Chinese APT would consist of more than twenty thousand people.

  The United States has a long way to go to match the size of China’s cyber force. In 2013 there were only about three hundred people working for Tailored Access Operations, the NSA’s elite hacker corps. The US Cyber Command, which is responsible for coordinating all the cyber components of the military services, employed only about nine hundred people total in 2013, including administrators and officers who aren’t actively engaged in hacking. The Defense Department plans to grow the ranks to six thousand by the end of 2016. If the Chinese military stopped growing its cyber forces today, it would still be at least five times larger than the Americans’.

  To expand the US cyber force, commanders plan to retrain network defenders to be warriors. In the air force, for instance, the vast majority of the cyber staff are support staff and systems administrators—its version of the help desk.

  But they’re all the air force has got for now. There are no plans to add new cyber positions. Indeed, the overall active-duty air force is the smallest it has ever been, and it will shrink even more, owing to mandatory spending cuts that were enacted in 2013. US Cyber Command, which oversees all military cyber operations, also plans to pull from the ranks of support staff. Officials want to automate much of the military’s IT support functions, theoretically freeing those personnel for offensive operations.

  “There aren’t enough of the most critically skilled professionals to go around,” says Major General John Davis, senior military adviser for cyberspace policy at the Pentagon. The military can’t pay its personnel what they’d make in the private sector, where the most highly trained military hackers could easily double their salaries working for a government contractor. “The air force will never win a bidding war” with businesses, says Mark Maybury, the service’s chief scientist. The same goes for the other branches of the armed forces. And there’s no obvious solution to this labor problem. There’s not much money in the military to hire more cyber warriors. And there’s little appetite in Congress for raising the salaries of the existing force.

  The military has urged colleges and universities to teach cyber warfare, like the air force does. A few undergraduate institutions do. But most regard computer hacking as unsavory business. “Universities don’t want to touch [it], they don’t want to have the perception of teaching people how to subvert things,” Steven LaFountain, an NSA official who helps develop new academic programs, told a reporter. And by the time some students reach the agency, officials discover they haven’t always been trained to NSA standards. “We have to teach them the technical skills we thought they should have gotten in school, and then we have to teach them the specific skills related to their mission,” LaFountain said.

  The NSA has teamed up with a handful of universities to help write their curriculum. (Students who want to enroll have to pass a background check and obtain a top-secret security clearance. Part of the coursework includes classified seminars at the NSA.) The agency will also help pay for some students to get a bachelor’s degree in computer science and take courses in basic security—the agency even gives them a laptop and a monthly stipend. In exchange, they go to work for the agency when they graduate. Most of these schools—which range from Princeton University to small community colleges in nearly every state—don’t teach cyber offense. The NSA takes care of that part of the education when the student shows up for work.

  Even before students reach college, the military sponsors cyber defense clubs and competitions for school-aged children, such as the CyberPatriot program, a nationwide competition for middle and high schoolers. The program is cosponsored by defense contractors, including Northrop Grumman and SAIC, the company that built the prototype for the RTRG. The competition partners with Boy Scout troops and the Boys & Girls Clubs of America as well as Junior ROTC programs, Civil Air Patrol squadrons, and Naval Sea Cadet Corps units. Davis calls the program “a way [for young people] to contribute to the national and economic security of this nation.”

  But to attract the best talent the NSA has to compete with private industry. It recruits from the best computer science schools, including Stanford University and Carnegie Mellon. And it sends representatives to the most important annual hacker conventions, Black Hat and Def Con, in Las Vegas. In July 2012, Keith Alexander, NSA director, gave a speech at Def Con, calling on the assembled hackers to join forces with his agency, either by coming to work there or by collaborating with his team. Many of the hackers worked for security companies, but some were freelance operators who made their living discovering holes in systems and then alerting the manufacturer or developer, so they could be patched. To appeal to his audience, Alexander shed his army uniform in favor of a pair of jeans and a black T-shirt. “This is the world’s best cybersecurity community. In this room right here is the talent our nation needs to secure cyberspace,” he told the hackers, any number of whom US law enforcement agencies might regard as criminals. “Sometimes you guys get a bad rap,” Alexander said. “From my perspective, what you’re doing to figure out vulnerabilities in our systems is great. We have to discover and fix those. You guys hold the line.”

  But Alexander wasn’t the only one in Las Vegas on a recruitment campaign. On the convention floor, executives and employees from cyber security firms were handing out brochures and T-shirts of their own. Among them were former NSA employees, whom the agency had trained to become top-tier hackers.

  Alexander’s recruitment challenge became harder the following summer, after documents leaked by a former NSA contractor—whom the agency had trained to be a hacker—revealed extraordinary amounts of detail about clandestine efforts to spy on systems around the world, including a program that allows the agency to collect every telephone record in the United States, and another one that gathers data from some of the world’s more important technology companies, including Google, Facebook, and Apple. It was hardly a secret that the NSA was in the espionage business, but the scale of the spying caught some hackers by surprise (as it did many in the public at large). Def Con rescinded an invitation for Alexander to give another keynote speech. He appeared instead at Black Hat, where he was heckled by audience members.

  FOUR

  The Internet Is a Battlefield

  BY THE TIME he was named commander of US Cyber Command, in 2010, Keith Alexander had had five years to master the signals intelligence domain as the director of the NSA. He was an adept technician. “When he would talk to our engineers, he would get down in the weeds as far as they were. And he’d understand what they were talking about,” says a former senior NSA official. Then, when surveillance laws were changed in 2007 and 2008 to allow broader access to communications networks, Alexander seized the political moment and turned the NSA into the undisputed spymaster of the Internet. The agency was given the authority and the money to build up a hacker force. Technically speaking, they were intelligence agency employees, instructed only to monitor networks. But when they linked up with Cyber Command, they became warriors. The hackers flowed freely from one mission to the other and blurred the lines between espionage and combat. And one group of hackers in particular became the NSA’s secret weapon.

  The agency’s best-trained and most skilled hackers work in its Tailored Access Operations office, or TAO. Estimates on the number of personnel assigned there vary, from three hundred on the low end to perhaps as many as six hundred, but this latter number may include analysts and support personnel as well.

  Within TAO, different groups carry out a range of espionage and attack operations. One conducts surveillance to map out the computer networks of its targets and find their vulnerabilities. Another unit researches the latest hacking tools and techniques for penetrating secure computer networks. Another builds penetration tools tailored just for telecommunications networks. Within that group are hackers who develop tools for commandeering video cameras, particularly on laptop computers, and industrial control systems, devices that control and regulate power grids, nuclear reactors, dams, and other infrastructure. And yet another unit carries out computer network attacks in conjunction with a CIA group called the Technology Management Office, which helps the NSA break in to hard-to-reach networks where a person might be required to manually insert a virus or piece of spyware with, say, a USB thumb drive.

  TAO’s offices are located in a secure building at Fort Meade, Maryland. To get inside, employees must pass a retinal scan and enter a six-digit code outside a large steel door manned by armed guards. The hacker unit is one of the most secretive organizations in the intelligence community. Few NSA employees have the high levels of security clearance necessary to know about what TAO does or set foot inside its fortified chamber at Fort Meade.

  The TAO hackers have only one job: to get inside adversaries’ networks, by hook or by crook. They steal or crack passwords, implant spyware, install backdoors, and work with CIA’s networks of human spies, all in a broad effort to obtain information. There are two purposes for this espionage. One is to obtain the secrets of the United States’ competitors—whether friend or foe. The other is to gather information on how to destroy those computer networks and the infrastructure attached to them should the president ever give that order. On the Internet battlefield, TAO is surveilling potential targets. Were an order to attack ever given, they would help lead the charge.

  US officials and intelligence experts estimate that TAO has implanted spying devices in at least 85,000 computer systems in 89 countries, according to classified documents that were released by former NSA contractor Edward Snowden. In 2010, TAO conducted 279 operations. The unit has cracked the encryption that underpins widely used e-mail systems, including BlackBerry, in order to spy on computer users around the world. It has even gone so far as to divert the shipments of its targets’ computers to an NSA facility and then implant spyware inside the computers. A TAO PowerPoint presentation detailing its exploits boasts a modified version of the familiar Intel logo. It reads, “TAO Inside.”

  In most cases the infected machine’s owner has no idea that TAO hackers are watching it. That’s because the unit relies on a stockpile of so-called zero day vulnerabilities, which are essentially flaws in a computer system known only to the hacker. The agency buys these vulnerabilities on a gray market from hackers who have discovered them, sometimes for several thousand dollars each. In other instances the NSA pays software and hardware companies not to disclose vulnerabilities or backdoors in their products, so that the spy agency and the TAO hackers can exploit them.

  Once inside those computers, a hacker can read and copy all unencrypted documents on the machine, including text files, e-mails, audiovisual files, presentations, contact lists—everything. Encrypted information is harder to read, but not impossible. Part of the NSA’s mission, after all, is code breaking, and it’s been the best in the business for more than sixty years.

  About the only thing that the TAO hackers can’t do is spy on a country with restricted access to the Internet. That’s why North Korea has generally been beyond the elite group’s reach. The country’s connections to the outside world are so limited, and so tightly defended and monitored, that TAO has very few points of easy entry.

  The same cannot be said for China.

  China is the most important target for NSA surveillance and cyber warfare planning. And although Chinese officials have gone to great lengths to control access to and activity on the Internet from inside the country, China is a large, technologically evolving nation, and that makes it vulnerable.

  The intelligence historian and journalist Matthew Aid learned that TAO “has successfully penetrated Chinese computer and telecommunications systems for almost 15 years, generating some of the best and most reliable intelligence information about what is going on inside the People’s Republic of China.” Indeed, it was TAO that gave US officials the evidence that China had penetrated the computer networks of defense contractors and other US companies. Classified NSA documents show that the agency has targeted the networks of Huawei, the world’s biggest telecommunications maker, which is based in China. US intelligence officials and some lawmakers have suspected for years that Huawei is a proxy for the Chinese military and intelligence services. US regulatory agencies have blocked the installation of Huawei telecom equipment, including switches and routers, in this country for fear they’ll be used as a conduit for cyber spying.

  Edward Snowden told Chinese journalists that the NSA broke in to computers at Beijing’s Tsinghua University, one of the country’s top education and research institutions. Snowden described the hacking as extensive. On one day in January 2013, the NSA had penetrated at least sixty-three university computers or servers, according to documents Snowden showed the journalists. Those documents proved the NSA had done as he claimed, Snowden said, because they showed Internet protocol addresses that could have been obtained only by someone with physical access to the computers.

  Why would the NSA be interested in hacking a Chinese university? The journalists Snowden talked to noted that Tsinghua is home to the China Education and Research Network, a government-run system from which “Internet data from millions of Chinese citizens could be mined.” That may be one reason the NSA wanted inside. But US analysts and investigators believe that Chinese universities are a major talent pool for the government. Unit 61398, the People’s Liberation Army cyber outfit based in Shanghai, “aggressively recruits new talent from the Science and Engineering departments of universities such as Harbin Institute of Technology and Zhejiang University School of Computer Science and Technology,” according to the computer security firm Mandiant. “The majority of ‘profession codes’ describing positions that Unit 61398 is seeking to fill require highly technical computer skills.”

  It’s also possible that by hacking into computers at Tsinghua, the NSA was trying to get the names of Chinese recruits or learn more about how they’re trained. Tsinghua’s own computer science and technology department offers undergraduate-, master’s-, and PhD-level classes. According to one international study, Tsinghua is the top computer science university in mainland China and ranks twenty-seventh in the world. The university publicly bills itself as a leading institution. The NSA and the military maintain a database of all known hackers working in China. If the NSA wanted to identify future Chinese hackers when they are just getting into the business, Tsinghua would be a logical place to look.

  China is the biggest target of late, but it’s not the only one on which TAO hackers have set their sights. They assisted in tracking down hundreds of al-Qaeda terrorists and insurgents during the 2007 surge in Iraq. That year they also were recognized with an award from NSA leadership for their work gathering intelligence about the capabilities of Iran’s nuclear weapons program. Matthew Aid writes that TAO “is the place to be right now,” according to a recently retired NSA official. Personnel who want to get promoted or win professional awards try to get transferred to TAO, where they have many opportunities to show off their electronic spying skills. One NSA official, Teresa Shea, got her job as the head of NSA’s Signals Intelligence Directorate—one of the most prestigious and senior posts in the agency—thanks to the work she did as the chief of TAO, gathering intelligence that most agencies in the government could not.

  Service in the crack unit also gives members an impressive credential and sophisticated training that they can parlay into a more lucrative job doing cyber security operations for businesses. Former members of TAO have gone on to work for government contractors, including the software maker SAP and Lockheed Martin, and for brand-name corporations, including Amazon; they have formed their own private cyber security companies, conducting hacker-for-hire operations against companies and foreign groups that are trying to steal information from the private firms’ clients.

  If TAO represents the elite of NSA hackers, a unit within it gathers together the elite of the elite. Its official name is the Remote Operations Center, but insiders call it simply the ROC—pronounced “rock.”

  The ROC is home to the most highly skilled and experienced hackers in the government, working at Fort Meade or at outposts in Colorado, Georgia, Texas, and Hawaii, beyond the reach of senior policymakers in Washington. In fiscal year 2013, the ROC was authorized to spend $651.7 million to break in to computer systems around the world, according to the NSA’s classified budget. That was twice as much as the entire intelligence community spent defending US military and classified computer networks from attack.
