@War: The Rise of the Military-Internet Complex
No one was sure when, or if, the malware would attempt to execute its mission—whatever it might be. But the members of the NSA hunt team who discovered the worm thought they had a way to neutralize it. It was sending out a message for orders from a host server. So why not give the worm what it wanted? The hunt team wanted to build an impostor command-and-control server that would make contact with the worm and then tell it, in effect, to go to sleep and take no further actions. The plan wasn’t without risk. If the team disrupted or disabled legitimate programs running on the classified network, such as those that controlled communications among battlefield commanders, then they could harm military operations in Afghanistan and Iraq. The classified network still had to function.
The Pentagon told the NSA to move forward with its plan, which was given the code name Buckshot Yankee. The hunt team worked all Friday night to fine-tune the details, drinking soda to stay awake and bingeing on pizza. On Saturday they put a computer server onto a truck and drove to the nearby Defense Information Systems Agency, which runs the Defense Department’s global telecommunications systems. They allowed the server to become infected with the malware, then activated the impostor controller that told the worm to stand down. It worked.
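The impostor controller described above is what defenders today call a sinkhole: a server that answers the malware's check-in and hands it a harmless order. The following is an added example of that technique in working code; it is not code from the book or from the Buckshot Yankee team, and the beacon format (an HTTP GET to `/orders` with a fixed User-Agent and an `X-Host-Id` header) is an assumption made for illustration, since the book says nothing about how Agent.btz actually phoned home. It also shows the two things the text says the team cared about: the sinkhole must only talk to the worm, so that legitimate programs reaching the same host are not disrupted, and every check-in is recorded, because the next job was finding all the copies.

```python
"""
Added example, not from the book: a minimal impostor command-and-control
("sinkhole") server. The beacon format is assumed for illustration.
"""
import json
import logging
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Hypothetical beacon signature: the worm polls this path with this User-Agent.
BEACON_PATH = "/orders"
BEACON_UA = "agent-beacon/1.0"

# Every host that has checked in, keyed by the identifier the beacon reports.
# This is the inventory the hunt team needed to track down every copy.
infected_hosts: dict[str, str] = {}
_lock = threading.Lock()


def classify_request(path: str, user_agent: str) -> str:
    """Return 'beacon' for traffic matching the worm's signature, else 'other'.
    Only beacons get the stand-down order; anything else gets a 404, so a
    legitimate program that happens to reach the sinkhole is left alone."""
    if path == BEACON_PATH and user_agent == BEACON_UA:
        return "beacon"
    return "other"


def stand_down_order() -> dict:
    """The impostor controller's only command: go to sleep, do nothing more."""
    return {"cmd": "sleep", "interval": 0}


class SinkholeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        host_id = self.headers.get("X-Host-Id", self.client_address[0])
        if classify_request(self.path, ua) != "beacon":
            self.send_response(404)
            self.end_headers()
            return
        with _lock:
            infected_hosts[host_id] = self.client_address[0]
        body = json.dumps(stand_down_order()).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # route access log through logging
        logging.info("sinkhole: " + fmt, *args)


def start_sinkhole(port: int = 0) -> HTTPServer:
    """Bind the sinkhole on loopback (port 0 = any free port) in a thread."""
    srv = HTTPServer(("127.0.0.1", port), SinkholeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def simulated_beacon(port: int, host_id: str) -> dict:
    """Stand-in for the worm's check-in; returns the order it was given."""
    req = Request(f"http://127.0.0.1:{port}{BEACON_PATH}",
                  headers={"User-Agent": BEACON_UA, "X-Host-Id": host_id})
    with urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


def simulated_other_client(port: int) -> int:
    """A legitimate program hitting the same host; must get 404, not orders."""
    req = Request(f"http://127.0.0.1:{port}/status",
                  headers={"User-Agent": "legit-app/2.0"})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def run_demo() -> dict:
    """Two infected hosts beacon in, one legitimate client does not."""
    srv = start_sinkhole()
    port = srv.server_address[1]
    orders = {h: simulated_beacon(port, h) for h in ("host-a", "host-b")}
    other_status = simulated_other_client(port)
    srv.shutdown()
    srv.server_close()
    return {"orders": orders, "other_status": other_status,
            "infected": sorted(infected_hosts)}


if __name__ == "__main__":
    print(run_demo())
```

The classification step is the part that matters operationally: a sinkhole that answers everything becomes the disruption the team was trying to avoid, while one keyed to the beacon's exact signature both neutralizes the worm and, as a by-product, enumerates the hosts that still carry it.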
Now the NSA had a way to deactivate the worm. But first it had to find it—and all of the copies it had made of itself that had spread across Defense Department networks. The NSA called in its best hackers, the elite Tailored Access Operations group. They looked for worm infections on the military’s computers. But then they went farther out, looking for its traces on nonmilitary computers, including those on civilian US government networks and in other countries. They found that the worm had spread widely.
That was not surprising. As it turned out, the worm was not so new. It had been discovered by a Finnish security researcher and, in June 2008, had shown up on the military computers of a NATO member country. The researcher dubbed it Agent.btz, agent being a generic name for a newly discovered piece of malware, and the .btz an internal reference marker. There was no evidence that any infection of Agent.btz on a US computer had resulted in stolen or destroyed data. In fact, the worm didn’t appear to be that sophisticated, which raised the question of why a foreign intelligence service would go to the trouble of building a worm that burrowed into computers around the world and didn’t steal anything.
But military leaders still treated the breach as a dire threat to national security. The week after the NSA alerted the Pentagon, Mullen briefed President Bush and Secretary of Defense Gates. The NSA took on the mission of hunting down every infection of Agent.btz and using the impostor controller to turn it off. In November, US Strategic Command, which at that time had overall responsibility for cyber warfare, sent out a decree: the use of thumb drives was henceforth banned on all Defense Department and military computers worldwide. It was an overreaction, and underscored the degree to which senior military leaders felt threatened.
Alexander was not so alarmed. In the panic he saw the chance to make the NSA the military’s new leader in cyberspace. It was his hunt team that discovered the worm, he argued. His experts who devised a clever way to kill it. His elite hackers who used their spying skills to track the worm in its hiding places. Pentagon officials wondered if they should launch an offensive cyber strike to eradicate the worm, rather than just tricking it into talking to their impostor. (The process of getting rid of the infections ultimately took fourteen months.)
At the time, the responsibility for carrying out a coordinated military strike—a true cyber war—lay principally with the Joint Functional Component Command for Network Warfare, a subordinate to Strategic Command. But it was small in comparison with the NSA, and it didn’t have the NSA’s expertise in computer defense and espionage. Officials decided that an offensive strike, particularly on computers in other countries, was a step too far for countering Agent.btz—which after all hadn’t done any damage. But the Buckshot Yankee operation showed them that in the event of a real national crisis—a cyber attack on a power grid or a bank—the military needed all its sharpest shooters under one roof.
“It became clear that we needed to bring together the offense and defense capabilities,” Alexander told a congressional committee in 2010, after the Pentagon declassified certain details of the operation. It was what he had wanted all along.
The Buckshot Yankee operation became the catalyst for establishing US Cyber Command, a single entity that oversaw all of the military’s efforts to defend against virtual attacks on its systems, and to initiate its own. This was the idea that national intelligence director Mike McConnell had backed and that eventually won the support of Bob Gates. Senior military leaders realized that they’d been caught flatfooted, and that many of them had overestimated their ability to respond quickly to an incursion into the Pentagon’s computers. “It opened all our eyes,” Basla says.
The quick thinking of Alexander and his team of cyber warriors convinced the Pentagon brass, Gates, and the White House that the NSA was best positioned to marshal the military’s cyber forces, and therefore should take the lead. Alexander would run the new Cyber Command from Fort Meade. He would get more personnel and a budget. But the warriors and the infrastructure would come mostly from the NSA.
The NSA also still had to completely eradicate the Agent.btz infections. That process lasted more than a year, and the agency used it to expand its newfound power. Whenever a new infection was found, the NSA restricted all information to those with a “need to know” what had occurred. Each instance became a kind of classified sub-project of the larger operation. According to a former Defense Department intelligence analyst who was cleared to know about Buckshot Yankee, this made it more difficult for agencies other than the NSA to respond to the breach and to gather information about what had happened—which is apparently just what Alexander wanted. A veil of secrecy fell over nearly every aspect of the NSA’s new cyber mission. The former Defense Department analyst describes the NSA’s response to Buckshot Yankee as “a power grab.”
The need for secrecy would be understandable if the Agent.btz infection really was part of an intelligence campaign by Russia, China, or a hostile nation. But Pentagon officials never claimed that the breach caused a loss of secrets or any other vital information. And it was never settled whether the infected USB drive that analysts thought was the initial vector was deliberately planted near a military facility or if some careless soldier or contractor had just picked up the Agent.btz worm on the outside, maybe when connecting a laptop at an Internet café, and then brought the worm behind the air gap. It’s possible that patient zero simply happened upon the worm, and that it wasn’t the handiwork of a foreign government at all. In fact, Agent.btz turned out to be a variant of a three-year-old, mostly harmless worm. Some officials who worked on Buckshot Yankee doubted that foreign spies were to blame. If they were going to break in to the inner sanctum of military cyberspace, wouldn’t they be craftier? And wouldn’t they actually steal something? Then again, perhaps they were testing the Americans’ defenses, seeing how they’d respond to an incursion in order to learn how they’d designed their security.
Had lawmakers and Bush administration officials understood that the Agent.btz infection was relatively benign, they might have thought twice about giving the NSA so much authority to control cyber defense and offense. Perhaps Alexander and his lieutenants were eager to keep the details of the incursion a secret so as not to undercut their own case for putting NSA in charge of Cyber Command. That would be in keeping with Alexander’s pattern of trying to frighten government officials about the cyber threat, and then assure them he was the one who could keep the bogeymen at bay. “Alexander created this aura, like the Wizard of Oz, of this incredible capability behind the curtain at Fort Meade,” says a former Obama administration official who worked closely with the general on cyber security issues. “He used classification to ensure that no one could pull back that veil.”
Secrecy was—and still is—a great source of the NSA’s power. But the agency was also aided by a low-grade paranoia that took root among senior Defense Department officials after Buckshot Yankee. To ward off the risk of future infections, senior leaders banned the use of thumb drives across the entire department and in all branches of the armed forces, a decree met with outrage by service members in the field who relied on the portable storage devices to carry documents and maps between computers. The ban persisted for years after Buckshot Yankee. “If you pulled out a USB and put it in my computer, in a few minutes someone will knock on my door and confiscate the computer,” Mark Maybury, chief scientist of the air force, said during an interview in his Pentagon office in 2012.
Bush administration officials were swept up in a wave of cyber anxiety. It washed over them, and onto the next president.
TEN
The Secret Sauce
FROM THE MOMENT he took the oath of office, Barack Obama was bombarded with bad news about the state of America’s cyber defenses. He’d already had his classified national security briefing with Mike McConnell in Chicago, where the intelligence director told him a version of the dire story he’d laid out for Bush in 2007. During the campaign, Obama staffers’ e-mail accounts had been hacked by spies in China, as had those of his opponent, Senator John McCain. Now, as the forty-fourth president settled into the Oval Office, the Center for Strategic and International Studies, a respected Washington think tank, had just issued a comprehensive and discouraging analysis of US cyber security. The report’s authors, who had conducted at least sixteen closed-door sessions with senior government and military officials, listed a number of hair-raising intrusions that had been declassified. Among them were the hacking of Secretary of Defense Robert Gates’s e-mail; a spyware infection at the Commerce Department, which was attributed by several outside experts to a program that Chinese hackers had installed on the laptop computer of Secretary of Commerce Carlos Gutierrez during an official visit to Beijing; and computer break-ins at the State Department that caused the loss of “terabytes” of information. But these and other incursions enumerated in the final document were only about 10 percent of all the breaches the authors had identified, according to a staff member who worked on the report. The rest were too sensitive, and perhaps too alarming, to discuss publicly.
The panel members—which included senior officials from the National Security Agency, executives at some of the country’s biggest technology and defense companies, members of Congress, and cyber security experts who would go on to serve in the new administration—praised the Manhattan Project–style initiative that Bush had launched. But they said it didn’t go far enough. The Obama administration should build on those efforts and enact regulations requiring certain industries and critical infrastructure to fortify and maintain their cyber security. “This is a strategic issue on par with weapons of mass destruction and global jihad, where the federal government bears primary responsibility,” the panel members wrote. “America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration. . . . It is a battle we are losing.”
Foreign spies worked relentlessly to get access to the communications, speeches, and position papers of senior members of the new president’s administration. During Obama’s first year in office, Chinese hackers launched a campaign targeting State Department officials, including Secretary of State Hillary Clinton. In a particularly clever play, five State Department employees who were negotiating with Chinese officials on reducing greenhouse-gas emissions received spear-phishing e-mails bearing the name and contact information of a prominent Washington journalist, Bruce Stokes. Stokes was well known at the State Department because he covered global trade and climate change issues. He was also married to Ambassador Wendy Sherman, who’d been Bill Clinton’s top policy adviser on North Korea and would later go on to the number three position at State, leading US negotiations with Iran over its nuclear program in 2013. The US climate change envoy to China, Todd Stern, was also an old friend of Stokes’s. The subject line of the e-mail read, “China and Climate Change,” which seemed innocuous enough to pass for a reporter’s inquiry. And the body of the message included comments related to the recipients’ jobs and what they were working on at the time. Whoever sent the message had studied Stokes and knew his network of friends and sources well enough to pose as him in an e-mail. It’s still unclear whether any of the recipients ever opened the messages, which came loaded with a virus that could have siphoned documents off the officials’ computers and tracked their communications.
Also in 2009 a senior member of Hillary Clinton’s staff received an e-mail that appeared to come from a colleague in the office next door. The e-mail contained an attachment that the author claimed was related to a recent meeting. The recipient couldn’t recall the meeting and wasn’t sure it had ever occurred. He walked over to his colleague’s office and asked about the e-mail he’d just sent.
“What e-mail?” his colleague asked.
Thanks to a young staffer’s suspicions, the State Department blocked spies from potentially installing surveillance equipment on the computers in Clinton’s office. It was a reminder of how sophisticated the spies had become, and clear evidence that they were mapping out the relationships of administration employees, most of whose names rarely or never appeared in the press. Chinese spies honed this technique over the coming years, and they still use it today. Charlie Croom, a retired air force general who ran the Defense Information Systems Agency and is now vice president for cyber security at Lockheed Martin, says cyber spies will scour the company’s website looking for names of employees in press releases, lists of public appearances by executives, and other tiny nuggets of information that might help them refine their approach to a potential target. A generation ago, spies had to rifle through people’s garbage and trail them on the street to get those details.
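Both lures above rely on a trusted name: a journalist the recipients knew, or a colleague in the next office. The following is an added example of how a mail gateway or a recipient's own script can triage for that pattern; it is not code from the book or from any of the agencies named, and the messages, addresses, address book and the `Authentication-Results` header format are all constructed for illustration (the book does not say what address the Stokes lure was sent from). It goes slightly beyond the text in checking two more signals a practitioner would look at on the same message: a `Reply-To` that silently redirects answers, and a document attachment of the kind that carried the implant.

```python
"""
Added example, not from the book: triage checks for spear-phishing that
impersonates a known contact. All data below is constructed.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical address book: addresses the recipient has really corresponded
# with, keyed by the display name the sender shows.
KNOWN_CONTACTS = {
    "Bruce Stokes": {"bstokes@example-journal.org"},
    "Jane Doe": {"jdoe@state.example.gov"},
}
INTERNAL_DOMAINS = {"state.example.gov"}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".doc", ".xls", ".pdf", ".zip")


def attachment_names(msg: Message) -> list[str]:
    """Filenames of every attached part, if any."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def triage(raw: str) -> dict:
    """Return the sender address, the flags raised, and a verdict."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    flags = []

    # 1. A familiar name over an unfamiliar address: the Stokes pattern.
    known = KNOWN_CONTACTS.get(name)
    if known is not None and addr not in known:
        flags.append("known display name, unknown address")

    # 2. Replies quietly redirected to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        flags.append("reply-to differs from sender")

    # 3. Claims to be internal, but the gateway's SPF/DKIM/DMARC check failed.
    #    Assumes the gateway stamps an Authentication-Results header.
    auth = msg.get("Authentication-Results", "").lower()
    failed = any(tok in auth for tok in ("spf=fail", "dkim=fail", "dmarc=fail"))
    if domain in INTERNAL_DOMAINS and failed:
        flags.append("internal sender failed authentication")

    # 4. A document-style attachment, the usual carrier for the implant.
    for fn in attachment_names(msg):
        if fn.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment: {fn}")

    return {"from": addr, "flags": flags,
            "verdict": "suspicious" if flags else "ok"}


# Constructed sample 1: the journalist lure, sent from a free-mail address.
STOKES_LURE = """\
From: Bruce Stokes <bruce.stokes@freemail.example>
Reply-To: b.stokes.press@freemail.example
To: negotiator@state.example.gov
Subject: China and Climate Change
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Quick question on the emissions talks for a piece I'm writing.
--b1
Content-Type: application/msword; name="china-climate.doc"
Content-Disposition: attachment; filename="china-climate.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample 2: the next-door-colleague lure with a spoofed address.
COLLEAGUE_LURE = """\
From: Jane Doe <jdoe@state.example.gov>
To: aide@state.example.gov
Subject: Notes from yesterday's meeting
Authentication-Results: mx.state.example.gov; spf=fail; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Attached are the notes from the meeting we discussed.
--b2
Content-Type: application/pdf; name="meeting-notes.pdf"
Content-Disposition: attachment; filename="meeting-notes.pdf"
Content-Transfer-Encoding: base64

AAAA
--b2--
"""

# Constructed sample 3: a genuine internal message.
LEGIT = """\
From: Jane Doe <jdoe@state.example.gov>
To: aide@state.example.gov
Subject: Lunch?
Authentication-Results: mx.state.example.gov; spf=pass; dkim=pass

Noon works for me.
"""

if __name__ == "__main__":
    for sample in (STOKES_LURE, COLLEAGUE_LURE, LEGIT):
        print(triage(sample))
```

The caveat the story itself supplies: none of these checks help when the attacker has taken over the real colleague's account, because then the name, the address and the authentication results are all genuine. The staffer's walk to the next office is the control that still works in that case, and it is worth keeping even where the automated triage is in place.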
In the face of warnings about American defenses and a foreign intelligence campaign against his own staff, Obama signaled early on that he intended to make cyber security one of the top priorities. In a speech from the East Room of the White House in May 2009 he said, “We know that cyber intruders have probed our electrical grid and that in other countries cyber attacks have plunged entire cities into darkness.” Obama didn’t say where, but intelligence and military officials had concluded that two blackouts in Brazil, in 2005 and 2007, had been triggered by hackers who gained access to the SCADA systems that controlled electrical equipment there.
Until Obama’s speech, US officials had, for the most part, only hinted that electrical grids had been breached, and they rarely agreed to be quoted by name. Owners and operators of electrical facilities denounced rumors of hacker-caused outages, including some in the United States, as speculative nonsense, and cited official investigations that usually attributed the outages to natural phenomena, like fallen trees or soot on power lines. But now the president was acknowledging that the American electrical grid was vulnerable and that the nightmare of a cyber blackout had come true in another country.
“My administration will pursue a new comprehensive approach to securing America’s digital infrastructure,” Obama announced. “This new approach starts at the top, with this commitment from me: From now on, our digital infrastructure—the networks and computers we depend on every day—will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy and resilient. We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage.”
Protecting cyberspace, Obama declared, was the government’s job.
Keith Alexander agreed. For him, the only question was, who in the government should take on such a herculean task?
Not long after he became NSA director, in 2005, Alexander paid a visit to the headquarters of the Homeland Security Department, a complex of buildings in the prosperous Washington neighborhood of Cathedral Heights where navy cryptologists had helped to break the Nazi Enigma code in World War II. He was carrying a rolled-up sheet of paper to share with Michael Chertoff, a former federal prosecutor and judge who had been confirmed as the new secretary of homeland security earlier that year. By law, the department was supposed to coordinate cyber security policy across the government, protect civilian agencies’ computer networks, and work with companies to protect critical infrastructure. It was a huge and ill-defined portfolio of responsibilities, and one of myriad tasks delegated to the two-year-old department, including patrolling US borders, screening airline passengers and cargo, fixing the nation’s broken immigration system, and ensuring that terrorists didn’t launch another surprise attack in the United States.
In an eavesdropping-proof room, Alexander rolled the paper out over the length of a conference table. It was a huge diagram, showing all the malicious activity on the Internet that NSA knew of at that time. Alexander’s message could be interpreted two ways. He was there to help the fledgling department fulfill its cyber defense mission. Or he was not so subtly conveying that the department would be lost without the NSA’s help, and that Homeland Security should step aside and let the experts take over. The truth was, Homeland Security couldn’t produce a diagram like the one Alexander had just presented. It lacked the trained personnel, the huge budgets, the global architecture of surveillance, and the bureaucratic and political clout in Washington to perform at the NSA’s level.