@War: The Rise of the Military-Internet Complex


by Shane Harris


  If companies needed any more reason to hire a private security company, it arrived in June 2013, when a twenty-nine-year-old NSA contractor named Edward Snowden revealed himself as the source of an enormous cache of stolen classified documents about the agency’s global surveillance apparatus. Snowden shared the documents with journalists working for the Guardian and the Washington Post, and a cascade of press coverage followed, unprecedented in its scope and specificity. Practically every conceivable aspect of how the agency spies was laid bare. The documents showed how the NSA collected vast stores of information from Google, Facebook, Yahoo, and other technology and telecommunications companies. The agency had also been scooping up the phone records of hundreds of millions of Americans and holding on to them for five years. Administration officials tried to reassure anxious citizens that most of the NSA’s spying was aimed at foreigners overseas. Technology executives were dumbfounded. As they explained to officials, publicly and in private meetings, many of their customers lived in foreign countries, and were hardly at ease with the NSA spying on them simply because they weren’t Americans.

  Before the Snowden leaks, the NSA had made a public effort to court support among hackers for its cyber defense mission. In 2012, Keith Alexander had famously appeared at the Def Con hacker conference in Las Vegas, dressed in blue jeans and a black T-shirt, shedding his army uniform for an outfit he deemed more palatable to his audience of hackers and security researchers. In July 2013, a month after the first NSA stories appeared, Def Con’s organizers rescinded their invitation to have Alexander give another speech. Def Con’s sister conference, Black Hat, was willing to host the spymaster. But about a half hour into his talk, members of the audience began heckling him. “Freedom!” shouted one of them, a private security consultant. “Exactly, we stand for freedom,” Alexander replied.

  “Bullshit!” the consultant retorted. The crowd applauded.

  Some “white hat hackers,” the ones who ply their trade to improve cyber defense and who had been cooperating with the NSA on technical discussions, are now questioning their decision, according to former agency officials who fear that the hackers may now take up arms against the government and try to expose more secrets or even attack government agencies and contractors’ systems. Snowden showed that just one person could expose vast swaths of the NSA’s surveillance architecture. What damage could an entire movement of highly motivated hackers do?

  Snowden himself was a trained hacker. While working as an NSA contractor, he took advanced courses in “ethical hacking” and malware analysis at a private school in India. He was in the country on a secret mission for the government, performing work at the US embassy in New Delhi, according to people familiar with his trip. The exact nature of the job is classified, but by the time he arrived, in September 2010, Snowden had already studied some advanced hacking techniques and was a quick learner in class, according to his instructor. He was taught how to break in to computers and steal information, ostensibly for the purpose of learning how to better fend off malicious hackers. He wouldn’t need those skills to steal most of the classified NSA documents, to which he had unfettered access by virtue of his top-secret security clearance. It turned out that the NSA, which wanted to protect computers from Wall Street to the water company, couldn’t keep a twenty-nine-year-old contractor from making off with the blueprints to its global surveillance system.

  The Snowden revelations were the most politically damaging in the NSA’s sixty-one-year history. In July the House of Representatives nearly passed a bill that would have declawed the agency’s collection of Americans’ phone records, which would have been the first significant rollback of the government’s surveillance powers since the 9/11 attacks. Republicans and Democrats found a rare bipartisan alliance in their desire to put the spy agency on a leash. President Obama appointed a panel of intelligence and legal experts to suggest changes to NSA surveillance. They came back with a three-hundred-plus-page report and forty-six recommendations, among them ending the NSA’s practice of acquiring zero day exploits, no longer inserting backdoors into encryption products, putting a civilian in charge of the spy agency, and splitting the leadership of NSA and Cyber Command so that they weren’t led by the same person. It was a blueprint for diminishing the agency’s leading role in cyber security.

  And yet the need to defend cyberspace was as urgent as ever. In September 2013 a senior air force official said the service still didn’t know how vulnerable to hackers its networks were, because it was only a quarter of the way through a comprehensive vulnerability review. And this more than four years after intruders were able to penetrate the air force’s air traffic control system, which could have allowed them to interfere with aircraft flight plans and radar systems. A month after the air force’s admission, a Defense Department inspector general issued a report that found that the Pentagon, the Homeland Security Department, and the NSA had no central system for sharing cyber alerts with one another and companies in real time. The government had a system for circulating alerts, and another for sending follow-up instructions on how to respond to cyber threats, but those two systems weren’t connected.

  News from the critical-infrastructure sectors that the government wanted to protect wasn’t any more encouraging. Earlier in the year a pair of engineers had discovered vulnerabilities in communications systems used by power and water utilities across the country that could allow an attacker to cause a widespread power outage or damage water supplies. Homeland Security officials issued alerts, but few utilities had applied a patch to the vulnerable software. And cyber espionage against US companies showed no signs of abating. “There isn’t a computer system in this country of consequence that isn’t penetrated right now with information going out at the terabyte level,” former NSA director McConnell said during a speech in Washington in October, a claim echoed publicly and privately by numerous intelligence, military, and law enforcement officials.

  US officials were still reeling over an attack the previous year against the Saudi Arabian state-owned oil company Aramco, which by some measures was the most valuable company in the world, supplying 10 percent of the world’s oil. Hackers used a powerful virus to completely erase information on about 75 percent of its computers, thirty thousand machines in all. The virus deleted e-mails, spreadsheets, and documents in an attack that company officials said was aimed at stopping its oil and gas production. The hackers didn’t succeed in disrupting Aramco’s production facilities, but the attack was a reminder that hackers could severely wound a company by obliterating its stores of corporate information. Some US officials suspected that Iran mounted the attack in retaliation for the Stuxnet worm. If that was so, it marked an escalation in intentional cyber warfare and showed that the United States couldn’t expect to launch cyber attacks without reprisals.

  Cybercrime was also rampant in the United States. In mid-December 2013, the retail giant Target discovered that hackers had forced their way into the company’s systems and stolen debit and credit card information. The crooks installed malware directly onto cash registers in Target stores and siphoned financial data. The company initially estimated that thieves took 40 million customers’ financial information. But a month later, it revised that number to between 70 and 110 million. It was a staggering number, making the Target breach one of the biggest cyber thefts in history. Investigators concluded that the hackers were probably based in Eastern Europe or Russia, and that they first penetrated Target’s network using stolen network credentials from a Pennsylvania company that maintains refrigeration systems in supermarkets. Target also discovered that the thieves swiped customers’ names, phone numbers, and e-mail and mailing addresses. The company faced potentially steep fines for not complying with industry standards to protect credit and debit card information.

  Government agencies didn’t fare much better in protecting their own networks. In February 2014 a Senate committee report found that with few exceptions, federal civilian agencies hadn’t installed available software patches or kept antivirus software up to date. Unlike their military and intelligence agency counterparts, the civilian agencies lacked some of the most fundamental training and awareness about common sense security. Government employees were using flimsy passwords. One popular choice the investigators found: “password.” Even the Homeland Security Department hadn’t installed software security updates on all of its systems, “the basic security measure just about any American with a computer has performed,” the report found.

  In the wake of the Snowden revelations, Alexander remained defiant. The bad news about weak cyber defenses only bolstered his own argument that the NSA should take a more forceful role protecting the country. At an October 2013 security conference in Washington, DC, sponsored by the military and cyber security contractor Raytheon, Alexander asked for more powers to defend the financial sector, using some questionable technical arguments. He imagined the NSA having real-time information from the banks so the agency could spot “a cyberpacket that’s about to destroy Wall Street” and intercept it like an incoming missile. The term “cyberpacket” had no clear meaning in that context. Presumably Alexander wanted to imply that a sophisticated computer worm or a virus could disrupt financial institutions’ computers or the data they house. But the notion that a single packet of data could wipe out Wall Street was absurd. That was like saying a paintball could take out a tank.

  The degree to which Alexander was willing to exaggerate the cyber threat and dumb down his own agency’s response was a measure of how desperately he wanted public support for his mission, and how threatened he felt. Snowden had helped undermine the case Alexander had been building for years.

  FOURTEEN

  At the Dawn

  ON JANUARY 17, 2014, Barack Obama stood at a lectern in the Great Hall of the Justice Department in Washington to announce his decision on which NSA surveillance and cyber security programs he’d keep and which ones he’d scrap. If America’s spies had feared the president would pull them back from the front, they could rest easy after they heard the first words out of his mouth.

  Obama began by comparing the employees of the NSA to Paul Revere and the Sons of Liberty, who formed a “secret surveillance committee” to patrol the streets of colonial Boston, “reporting back any signs that the British were preparing raids against America’s early patriots.” It was the most full-throated defense of the NSA and US signals intelligence that Obama had ever given. The president had just likened them to the heroes of the American Revolution.

  Obama then recounted how spies in balloons had tracked the size of the Confederate army during the Civil War, how code breakers during World War II had provided insights into Japanese war plans, and how “when Patton marched across Europe, intercepted communications helped save the lives of his troops.” It was in that spirit, and in the early days of a new Cold War, that President Harry Truman had created the National Security Agency “to give us insights into the Soviet bloc, and provide our leaders with information they needed to confront aggression and avert catastrophe.”

  By the time Obama took the stage, White House officials had already briefed journalists on his intended changes to NSA surveillance. They were minimal. Obama would make some alterations to the controversial program of collating Americans’ phone records, namely, storing them somewhere other than in NSA’s databases. But he punted to Congress and the attorney general the hard work of figuring out where that storage should be. Eventually, the administration and lawmakers settled on a plan that kept the records with the phone companies but still allowed the NSA access to them for investigative purposes. Obama also afforded some relatively minor privacy protections to foreigners who came under scrutiny from NSA’s digital reconnaissance. But by and large, the agency’s surveillance powers were left intact.

  Obama either rejected or deferred on every substantive recommendation his advisers had given him for reining in the NSA. He had already overruled the proposal to split the leadership of NSA and Cyber Command. Now he dismissed a call by his appointed review panel to strip the agency of its information assurance mission, the work of defending computer systems from cyber attack and exploitation. Had Obama accepted the change, it would have fundamentally altered the NSA’s mission, to the point that the organization would be unrecognizable from its previous form.

  Obama also rejected the panel’s suggestion that he take away the NSA’s authority to conduct or assist in operations inside the United States. And the president further rejected calls to make the NSA director a civilian and to subject his nomination to Senate confirmation. NSA director Keith Alexander could rest easy; much of his empire would remain intact, despite the beating he’d taken personally in the press after the Snowden leaks. The general planned to step down in March. To replace him, Obama chose Vice Admiral Michael Rogers, who had been groomed for the job of NSA director and cyber commander. Rogers ran the navy’s signals intelligence and its cyber warfare operations. Like Alexander, he was used to wearing two hats.

  As for the panel’s recommendation that the NSA stop hoarding zero day exploits and undermining encryption standards, Obama said nothing in his speech. A senior administration official later said the president had asked his aides to look into these recommendations and report back to him. The administration eventually settled on a vague policy that was biased toward disclosing vulnerabilities but keeping secret any information that the government deemed vital to national security. That was a huge exception that could allow the NSA to classify all zero days as essential security tools and keep conducting business as usual. The new policy hardly ended the debate. Effectively, Obama had deferred on this issue as well, and it seemed unlikely that he or his advisers would propose any significant changes.

  In practically every way, from operations to personnel, Obama had opted to maintain the status quo. Indeed, his embrace of the historic importance of intelligence to warfare underscored his desire to protect the NSA and keep its mission intact.

  The timing of Obama’s speech was fitting, if unintentionally so. On January 17, 1961, exactly fifty-three years earlier, President Dwight Eisenhower had warned in his farewell address to the nation of a “military industrial complex,” whose “total influence—economic, political, even spiritual—is felt in every city, every state house, every office of the federal government.” Eisenhower said the military of the day bore little resemblance to the one in which he served during World War II or that his predecessors in the White House had commanded. “Until the latest of our world conflicts, the United States had no armaments industry,” Eisenhower said, admonishing his fellow citizens to “guard against the acquisition of unwarranted influence, whether sought or unsought,” by an alliance of government and industry, which he saw as a necessary bulwark against the forces of communist tyranny, and yet one that portended “grave implications” if “the potential for the disastrous rise of misplaced power” was not checked. “This conjunction of an immense military establishment and a large arms industry is new in the American experience,” Eisenhower said.

  And so is the conjunction of that military establishment with a large Internet technology industry. Until recently, there was no cyber arms industry in the United States. The armed forces didn’t view the Internet as a battlefield. Corporations didn’t sell protection from spies and hackers. Barack Obama presided over the rise and rapid expansion of an alliance between big military and big business. But unlike Dwight Eisenhower, he sees little cause for dread and foreboding.

  Eisenhower died eight years after his prescient speech. He correctly predicted the emergence of the military-industrial complex, but even he might not have imagined a day when the market value of top defense contractors exceeds the gross domestic product of many countries and the US Armed Forces rely on contractors to build their weapons, transport soldiers to battle, and even feed them in the war zone. The military-Internet complex will also dramatically change the nature of war and more broadly of cyberspace itself. What will the next decade look like?

  For starters, governments won’t be the dominant actors, at least not from day to day. That’s a fundamental shift in the balance of power since Eisenhower’s time, and suggests that his warning has gone unheeded. National governments will set policies and enact laws and regulate security standards that banks, public utilities, and other critical infrastructure will honor (perhaps in the breach). And they will raise cyber armies that train to fight on networks and will eventually become integrated into the full arsenal of national military might. If China, Iran, or another hostile nation ever launches a major attack on a US electrical plant or a bank, the military will respond, both in cyberspace and offline. An attack that causes widespread panic, disruption, or loss of life will be met with resounding force.

  But the day-to-day work of defending critical facilities will be the job of corporations, who will perform the task as well if not better than government. Lockheed Martin and its ilk will create a new business in scanning traffic and applying their proprietary methods for detecting malware and hacker activity—methods that will be based on the real-time intelligence they collect from their own, vast global information networks, as well as those of their customers. It will be a kind of crowdsourcing. Similarly, companies such as CrowdStrike and the newly merged Mandiant and FireEye will promise to protect their customers’ networks from prospective threats, the same way we expect security guards to keep intruders out of our homes and office buildings, not just to investigate the invasion after it happens.

 
