@War: The Rise of the Military-Internet Complex


by Shane Harris


  Most meetings have dealt with protecting industrial control systems, the Internet-connected devices that regulate electrical power equipment, nuclear reactors, banks, and other vital facilities. That’s the weakness in US cyberspace that most worries intelligence officials. It was the subject that so animated George W. Bush in 2007 and that Barack Obama addressed publicly two years later. The declassified agendas for these meetings offer a glimpse at what companies and the government are building for domestic cyber defense.

  On September 23, 2013, the Cross Sector Enduring Security Framework Operations Working Group discussed an update to an initiative described as “Connect Tier 1 and USG Operations Center.” “Tier 1” usually refers to a major Internet service provider or network operator. Some of the best-known Tier 1 companies in the United States are AT&T, Verizon, and CenturyLink. “USG” refers to the US government. The initiative likely refers to a physical connection running from an NSA facility to those companies, as part of an expansion of the DIB pilot program. The expansion was authorized by a presidential executive order in February 2013 aimed at increasing security of critical-infrastructure sites around the country. The government, mainly through the NSA, gives threat intelligence to two Internet service providers, AT&T and CenturyLink. They, in turn, can sell “enhanced cybersecurity services,” as the program is known, to companies that the government deems vital to national and economic security. The program is nominally run by the Homeland Security Department, but the NSA provides the intelligence and the technical expertise.

  Through this exchange of intelligence, the government has created a cyber security business. AT&T and CenturyLink are in effect its private sentries, selling protection to select corporations and industries. AT&T has one of the longest histories of any company participating in government surveillance. It was among the first firms that voluntarily handed over call records of its customers to the NSA following the 9/11 attacks, so the agency could mine them for potential connections to terrorists—a program that continues to this day. Most phone calls in the United States pass through AT&T equipment at some point, regardless of which carrier initiates them. The company’s infrastructure is one of the most important and frequently tapped repositories of electronic intelligence for the NSA and US law enforcement agencies.

  CenturyLink, which has its headquarters in Monroe, Louisiana, has been a less familiar name in intelligence circles over the years. But in 2011 the company acquired Qwest Communications, a telecommunications firm that is well known to the NSA. Before the 9/11 attacks, NSA officials approached Qwest executives and asked for access to its high-speed fiber-optic networks, in order to monitor them for potential cyber attacks. The company rebuffed the agency’s requests because officials hadn’t obtained a court order to get access to the company’s equipment. After the terrorist attacks, NSA officials again came calling, asking Qwest to hand over its customers’ phone records without a court-approved warrant, as AT&T had done. Again, the company refused. It took another ten years and the sale of the company, but Qwest’s networks are now a part of the NSA’s extended security apparatus.

  The potential customer base for government-supplied cyber intelligence, sold through corporations, is as diverse as the US economy itself. To obtain the information, a company must meet the government’s definition of a critical infrastructure: “assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” That may seem like a narrow definition, but the categories of critical infrastructure are numerous and vast, encompassing thousands of businesses. Officially, there are sixteen sectors: chemical; commercial facilities, to include shopping centers, sports venues, casinos, and theme parks; communications; critical manufacturing; dams; the defense industrial base; emergency services, such as first responders and search and rescue; energy; financial services; food and agriculture; government facilities; health care and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.

  It’s inconceivable that every company on such a list could be considered “so vital to the United States” that its damage or loss would harm national security and public safety. And yet, in the years since the 9/11 attacks, the government has cast such a wide protective net that practically any company could claim to be a critical infrastructure. The government doesn’t disclose which companies are receiving cyber threat intelligence. And as of now the program is voluntary. But lawmakers and some intelligence officials, including Keith Alexander and others at the NSA, have pressed Congress to regulate the cyber security standards of critical-infrastructure owners and operators. If that were to happen, then the government could require that any company, from Pacific Gas and Electric to Harrah’s Hotels and Casinos, take the government’s assistance, share information about its customers with the intelligence agencies, and build its cyber defenses according to government specifications.

  In a speech in 2013 the Pentagon’s chief cyber security adviser, Major General John Davis, announced that Homeland Security and the Defense Department were working together on a plan to expand the original DIB program to more sectors. They would start with energy, transportation, and oil and natural gas, “things that are critical to DOD’s mission and the nation’s economic and national security that we do not directly control,” Davis said. The general called foreign hackers’ mapping of these systems and potential attacks “an imminent threat.” The government will never be able to manage such an extensive security regime on its own. It can’t now, which is why it relies on AT&T and CenturyLink. More companies will flock to this new mission as the government expands the cyber perimeter. The potential market for cyber security services is practically limitless.

  TWELVE

  Spring Awakening

  THE UNITED STATES has never suffered a major cyber attack that disabled critical infrastructure. But in early 2012 some officials worried that the event they’d long feared might be in the offing.

  In March of that year at least twenty natural gas pipeline companies in the United States alerted the Homeland Security Department to suspicious e-mails sent to their employees. They appeared to come from someone the employees knew or were likely to know because of their jobs—standard spear phishing. Some of the employees—it’s still unclear how many—opened the messages and released spyware onto the corporate networks of the pipeline operators. The hackers didn’t have access to the control systems of the pipelines themselves, but they were potentially within striking distance. If the pipeline operator had air-gapped the facility’s control systems from the public Internet, they were probably safe. Of course, there was always the risk that an unsuspecting employee could carry the malware over the air gap via a USB drive.

  Officials at the highest levels of the FBI, Homeland Security, and the NSA were on alert. An intruder who could control the pipeline could conceivably disrupt the flow of natural gas, or perhaps cause internal controls to malfunction, leading to a breakdown or even an explosion. Approximately 200,000 miles of natural gas pipelines crisscross the United States, and natural gas accounts for nearly a third of the nation’s energy supply. There’d never been a confirmed cyber attack that destroyed a pipeline. But at the height of the Cold War, the CIA allegedly installed malicious software in equipment used on a Siberian pipeline that exploded in 1982. In theory, it was possible to remotely change the pressure inside the pipeline, a form of attack similar to the one the NSA used on the Iranian nuclear facility.

  Once the natural gas companies informed the government that they were being probed, officials sent “fly away” teams to the facilities and gathered information from computer hard drives and network logs. The source of the e-mails was traced to a single campaign that analysts said started as early as December 2011. The alerts from companies about spies on their networks were “never-ending,” says a former law enforcement official who worked on the case. But the true intent of the campaign still eluded analysts. Were the intruders trying to gather competitive information about the pipeline companies, such as where they planned to look next for gas or where they’d build their next facility? Or were they trying to disrupt energy flows, or plant malware that could be triggered at some later date to destroy the pipeline?

  In order to find out, government investigators decided not to issue a public warning and instead to watch the intruders and see what information they went after. It was a risky move. At any moment the intruders might have launched an aggressive attack on the corporate networks, stealing or erasing valuable information. And there was still the chance, however slim, of an attack on the pipelines themselves, which would have disastrous economic consequences and could kill anyone near an explosion. The authorities met with individual companies and held classified briefings about what they knew so far. They shared “mitigation strategies” with corporate security personnel, including the known e-mail addresses that had sent the spear phishes and certain IP addresses to which the pipeline operators could block outbound access. But the government didn’t purge the networks of the spies, nor did it instruct the companies to do so. On March 29 an emergency response team stationed at the Homeland Security Department that works in tandem with the NSA posted an alert to all pipeline companies on a classified government website instructing them to allow the spies to keep rooting around as long as they didn’t appear to threaten the operations of the pipelines themselves. In Washington, government officials alerted the trade associations representing oil and gas companies and told them to keep the operation under wraps.

  The response to the pipeline intrusions marked a new, heightened level of government influence over cyber defense in the energy sector. The natural gas companies and their lobbyists in Washington followed the government’s lead and instructions. Throughout most of the investigation, the government successfully enforced a press and public information blackout among the energy companies. A significant campaign against a vital US infrastructure had been under way for weeks, and barely anyone knew. News reports about the breach first appeared in May, two months after the government surveillance operation began.

  The government pushed into other energy sectors as well. That summer, Homeland Security and the Energy Department sponsored a classified cyber threat briefing for the CEOs of electric utilities, offering them temporary security clearances so they could learn more about threats against their sector. Energy companies were less cognizant of the dangers to their networks than companies in other sectors, particularly financial services, where companies shared information routinely and had set up systems for sharing details about intrusions and hacking trends in a classified setting. The energy companies, by contrast, feared looking weak to their competitors and possibly giving them insights about future strategy if they opened up about their inadequate cyber security.

  But government officials had grown impatient. In Congress, advocates of a new law to regulate cyber security standards for utility companies continued to press their case, pointing to the rash of intrusions against natural gas pipelines to bolster their argument. Their efforts would ultimately fail that autumn, paving the way for Obama to implement as many defenses as he could through an executive order. Companies would be encouraged to adopt security standards and practices developed by the National Institute of Standards and Technology, which consulted with a broad range of industry experts and the intelligence agencies. Companies were free to ignore the government’s advice. But if their infrastructure were damaged by a preventable cyber attack, they might be held civilly or even criminally liable and then have to explain to a judge why they chose to strike out on their own.

  In the wake of the 2012 intrusions into gas pipeline companies, the government has held classified briefings for nearly seven hundred utility company personnel. Homeland Security, the FBI, the Energy Department, and the Transportation Security Administration launched what officials called an “action campaign” to give companies “further context of the threat and to highlight mitigation strategies,” according to a Homeland Security bulletin. The campaign began in June 2013 and has featured classified meetings in at least ten American cities, including Washington, New York, Chicago, Dallas, Denver, San Francisco, San Diego, Seattle, Boston, and New Orleans, as well as “numerous others via secure video teleconferences.” Energy companies have also begun to train their employees in the basics of cyber defense. Shell, Schlumberger, and other major companies have sent their employees fake spear-phishing e-mails with pictures of cute cats and other enticements. Experts who’ve trained the companies say that nearly all employees initially fall for the e-mails, but after training, as many as 90 percent learn to avoid clicking on embedded links and attachments, which are the usual triggers to unleash malware.

  Inside the NSA, officials have continued to press for greater authority to expand their defense writ. In a rare public appearance in Washington in May 2013, Charles Berlin, director of the NSA’s National Security Operations Center, reflected a widely held view among America’s spies that it would be “almost immoral” for the agency to focus solely on protecting government computer networks and information. “The mission of the Department of Defense . . . [is] to protect America,” said Berlin, who ran the agency’s nerve center for signals intelligence and defense of computer networks. “I’ve been on the ramparts pouring boiling oil on the attackers for years,” he said. “At the present time, we’re unable to defend America.”

  Throughout the anxious spring of 2012, there was little doubt among law enforcement, intelligence, and private security officials where the attackers were coming from. But the question remained: what was their goal?

  The former law enforcement official who worked the case says the hackers were based in China and that their campaign was part of a broader Chinese strategy of mapping critical infrastructure in the United States. Whether their precise purpose was espionage or laying the grounds for cyber warfare remains unclear. But the two activities are connected along a spectrum: in order to attack a facility, the intruder needs to map it out and understand its weak spots. And there are warning signs that the Chinese are looking for such vulnerabilities. A few months after the intrusions into the natural gas pipelines were revealed, the Canadian technology company Telvent, which makes industrial control or SCADA systems used in Canada and the United States, said its networks had been infiltrated by hackers the company believes were in China.

  But cyber warfare with the United States isn’t in China’s long-term interest. Economic competition is, however. The country has a pressing need to learn more about where US companies have found sources of energy, and how they plan to extract it. In part, that’s to support China’s ambitions in the energy sphere. But the country also needs to fuel a rapidly expanding economy, which, though it has slowed in recent years, still saw GDP growth of 7.8 percent from 2009 to 2013.

  China is seeking to replace its traditional sources of fossil fuels. The country depends mostly on coal for its energy, and the toxic air quality in many Chinese cities shows it. China is the world’s second-largest consumer of coal and accounts for nearly half of all coal consumption. Oil production in China has peaked, forcing the country to look more for deposits offshore and to turn toward cleaner and more abundant sources of fuel.

  To secure China’s future sources of energy, state-run companies have been looking to extract natural gas, which so far accounts for a tiny fraction of the country’s energy consumption—just 4 percent in 2009. But to get that gas, the Chinese need fracking technology and insights into horizontal drilling techniques, which American companies pioneered and have continued to develop. A report in 2013 by the security research firm Critical Intelligence concluded that “Chinese adversaries” have infiltrated the networks of US energy companies in order to steal information about fracking and gas extraction. They noted that Chinese hackers had also targeted companies that make petrochemicals, such as plastics, for which natural gas is a precursor ingredient. The intrusions into the gas pipeline companies in 2011 and 2012 may have been related to this campaign, the research company determined.

  Not that China is giving up on its traditional sources of energy. In 2009, American oil companies were hit by a wave of cyber intrusions that stole information on oil deposits the companies had discovered around the world, according to the security firm McAfee. China is the world’s second-largest consumer of oil, behind the United States, and since 2009 the second-largest net importer of oil. At least one US energy company that planned to drill in disputed waters that China claims as its territory was infiltrated by Chinese hackers.

  China is competing for natural resources at the same time that it tries to build a national energy industry. To that end, Chinese targeting of US energy companies and facilities is rampant. In 2012 the Homeland Security Department publicly reported 198 “attacks” against critical infrastructure, a 52 percent increase from the previous year. Forty percent of the attacks specifically targeted energy companies. If the United States ever went to war with China, its military would undoubtedly attempt to use footholds inside those companies’ computer networks to damage or disable vital infrastructures. But for the foreseeable future, China has little interest in wounding the US economy or turning out the lights. China is one of the United States’ biggest foreign lenders and its most important trading partner. It has a direct interest in America’s overall economic health and the purchasing power of US consumers. And the country has pursued legitimate paths toward finding sources of energy in the United States and learning about American technology, placing more than $17 billion in oil and natural gas deals in the United States and Canada since 2010.
