Dark Territory
Now, four years after 9/11, following a brief term as the Army’s top intelligence officer in the Pentagon, Alexander was taking over the palace at Fort Meade, taking possession of the databases—and bringing along Heath as his scientific adviser.
* * *
In his opening months on the job, Alexander had no time to push ahead with his metadata agenda. The top priority was the war in Iraq, which, for him, meant loosening the traditional strictures on NSA assets, putting SIGINT teams in regular contact with commanders on the ground, and tasking TAO—the elite hackers in the Office of Tailored Access Operations—to address the specific, the tailored, needs of General McChrystal’s Special Forces in their fight against the insurgents.
He also had to repair some damage within NSA.
One week before Alexander arrived at Fort Meade, William Black, Hayden’s deputy for the previous five years, pulled the plug on Trailblazer, the agency’s gargantuan outsourced project to monitor, intercept, and sift communications from the digital global network.
Trailblazer had consumed $1.2 billion of the agency’s budget since the start of the decade, and it had proved to be a disaster: a fount of corporate mismanagement, cost overruns, and—more to the point, as Alexander saw it—conceptual wrongheadedness. It was a monolithic system, built around massive computers to capture and process the deluge of digital data. The problem was that the design was too simple. Mathematical brute force worked in the era of analog signals intelligence, when an entire conversation or fax transmission spilled through the same wire or radio burst; but digital data streamed through cyberspace in packets, breaking up into tiny pieces, each of which traveled the fastest possible route before reassembling at the intended destination. It was no longer enough to collect signals from sensors out in the field, then process the data at headquarters: there were too many signals, racing too quickly through too many servers and networks. Trailblazer could be “scaled up” only so far, before the oceans of data overwhelmed it. Sensors had to process the information, and integrate it with the feed from other sensors, in real time.
Alexander’s first task, then, was to replace Trailblazer—in other words, to devise a whole new approach to SIGINT for the digital age. His predecessors of the last decade had faced the same challenge, though less urgently. Ken Minihan possessed the vision, but lacked the managerial skills; Mike Hayden had the managerial acumen, but succumbed to the presumed expertise of outside contractors, who led him down a costly path to nowhere. Alexander was the first NSA director who understood the technology at the center of the enterprise, who could talk with the SIGINT operators, TAO hackers, and Information Assurance analysts on their own level. He was, at heart, one of them: more a computer geek than a policy maven. He would spend hours down on the floor with his fellow geeks, discussing the problems, the possible approaches, the solutions—so much so that his top aides installed more computers in his office on the building’s eighth deck, so he could work on his beloved technical puzzles without spending too much time away from the broader issues and agendas that he needed to address as director.
As a result of his technical prowess and his ability to speak a common language with the technical personnel, he and his staff devised the conceptual outlines of a new system in a matter of months and launched the first stages of a new program within a year. They called it Turbulence.
Instead of a single, monolithic system that tried to do everything, Turbulence consisted of nine smaller systems. In part, the various systems served as backups or alternative approaches, in case the others failed or the global technology shifted. More to the point, each of the systems sliced into the network from a different angle. Some pieces intercepted signals from satellites, microwave, and cable communications; others went after cell phones; still others tapped into the Internet—and they went after Internet traffic on the level of data packets, the basic unit of the Internet itself, either tracking the packets from their origins or sitting on the backbone of Internet traffic (often with the cooperation of the major Internet service providers), detecting a target’s packet, then alerting the hackers at TAO to take over.
It wasn’t just Alexander’s technical acumen that made Turbulence possible; it was also the huge advances—in data processing, storage, and indexing—that had taken place in just the previous few years. Alexander took over Fort Meade at just the moment when, in the world of computers, his desires converged with reality.
Over the ensuing decade, as Turbulence matured and splintered into specialized programs (with names like Turbine, Turmoil, QuantumTheory, QuantumInsert, and XKeyscore), it evolved into a thoroughly interconnected, truly global system that would make earlier generations of signals intelligence seem clunky by comparison.
Turbulence drew on the same massive databases as Trailblazer; what differed was the processing and sifting of the data, which were far more precise, more tailored to the search for specific information, and more closely shaped to the actual pathways—the packets and streams—of modern digital communications. And because the intercepts took place within the network, the target could be tracked on the spot, in real time.
In the early stages of Turbulence, a parallel program took off, derived from the same technical concepts, involving some of the same technical staff, but focused on a specific geographical region. It was called the RTRG—for Real Time Regional Gateway—and its first mission was to hunt down insurgents in Iraq.
RTRG got under way early in 2007, around the same time that General David Petraeus assumed command of U.S. forces in Iraq and President Bush ordered a “surge” in the number of those forces. Petraeus and Alexander had been friendly for more than thirty years: they’d been classmates at West Point, a source of bonding among Army officers, and they’d renewed their ties years later as brigade commanders at Fort Bragg. When they met again, as Petraeus led the fight in Baghdad, they made a natural team: Petraeus wanted to win the war through a revival of counterinsurgency techniques, and Alexander was keen to plow NSA resources into helping him.
Roadside bombs were the biggest threat to American soldiers in Iraq. Intelligence on the bombers and their locations flooded into NSA computers, from cell phone intercepts, drone and satellite imagery, and myriad other sources. But it took sixteen hours for the data to flow to the Pentagon, then to Fort Meade, then to the tech teams for analysis, then back to the intel centers in Baghdad, then to the soldiers in the field—and that was too long: the insurgents had already moved elsewhere.
Alexander proposed cutting out the middlemen and putting NSA equipment and analysts inside Iraq. Petraeus agreed. They first set up shop, a mini-NSA, in a heavily guarded concrete hangar at Balad Air Base, north of Baghdad. After a while, some of the analysts went out on patrol with the troops, collecting and processing data as they moved. Over the next few years, six thousand NSA officials were deployed to Iraq and, later, Afghanistan; twenty-two of them were killed, many of them by roadside bombs while they were out with the troops.
But their efforts had an impact: in the first few months, the lag time between collecting and acting on intelligence was slashed from sixteen hours to one minute.
By April, Special Forces were using this cache of intelligence to capture not only insurgents but also their computers; and stored inside those computers were emails, phone numbers, usernames, passwords of other insurgents, including al Qaeda leaders—the stuff of a modern spymaster’s dreams.
Finally, Alexander and McChrystal had the ingredients for the cyber offensive campaign that they’d discussed with John Abizaid four years earlier. The NSA teams at Balad Air Base hoisted their full retinue of tricks and tradecraft. They intercepted insurgents’ emails: in some cases, they merely monitored the exchanges to gain new intelligence; in other cases, they injected malware to shut down insurgents’ servers; and in other—many other—cases, they sent phony emails to insurgents, ordering them to meet at a certain time, at a certain location, where U.S. Special Forces would be hiding and waiting to kill them.
In 2007 alone, these sorts of operations, enabled and assisted by the NSA, killed nearly four thousand Iraqi insurgents.
The effect was not decisive, nor was it meant to be: the idea was to provide some breathing space, a zone of security, for Iraq’s political factions to settle their quarrels and form a unified state without having to worry about bombs blowing up every day. The problem was that the ruling faction, the Shiite government of Prime Minister Nouri al-Maliki, didn’t want to settle its quarrels with rival factions among the Sunnis or Kurds; and so, after the American troops left, the sectarian fighting resumed.
But that pivotal year of 2007 saw a dramatic quelling of violence and the taming, co-optation, or surrender of nearly all the active militias. Petraeus’s counterinsurgency strategy had something to do with this, as did Bush’s troop surge. But the tactical gains could not have been won without the Real Time Regional Gateway of the NSA.
* * *
RTRG wasn’t the only innovation that the year saw in cyber offensive warfare.
On September 6, just past midnight, four Israeli F-15 fighter jets flew over an unfinished nuclear reactor in eastern Syria, which was being built with the help of North Korean scientists, and demolished it with a barrage of laser-guided bombs and missiles. Syrian president Bashar al-Assad was so stunned that he issued no public protest: better to pretend nothing happened than to acknowledge such a successful incursion. The Israelis said nothing either.
Assad was baffled. The previous February, his generals had installed new Russian air-defense batteries; the crews had been training ever since, and, owing to tensions on the Golan Heights, they’d been on duty the night of the attack; yet they reported seeing no planes on their radar screens.
The Israelis managed to pull off the attack—code-named Operation Orchard—because, ahead of time, Unit 8200, their secret cyber warfare bureau, had hacked the Syrian air-defense radar system. They did so with a computer program called Suter, developed by a clandestine U.S. Air Force bureau called Big Safari. Suter didn’t disable the radar; instead, it disrupted the data link connecting the radar with the screens of the radar operators. At the same time, Suter hacked into the screens’ video signal, so that the Unit 8200 crew could see what the radar operators were seeing. If all was going well, they would see blank screens—and all went well.
It harked back to the campaign waged in the Balkans, ten years earlier, when the Pentagon’s J-39 unit, the NSA, and the CIA’s Information Operations Center spoofed the Serbian air-defense command by tapping into its communications lines and sending false data to its radar screens. And the Serbian campaign had its roots in the plan dreamed up, five years earlier, by Ken Minihan’s demon-dialers at the Air Force Information Warfare Center in San Antonio, to achieve air surprise in the (ultimately aborted) invasion of Haiti by jamming all the island’s telephones.
The Serbian and Haitian campaigns were classic cases of information warfare in the pre-digital age, when the armed forces of many nations ran communications through commercial phone lines. Operation Orchard, like the NSA-JSOC operation in Iraq, exploited the growing reliance on computer networks. Haiti and the Balkans were experiments in proto-cyber warfare; Operation Orchard and the roundup of jihadists in Iraq marked the start of the real thing.
* * *
Four and a half months earlier, on April 27, 2007, riots broke out in Tallinn, the capital of Estonia, the smallest and most Western-leaning of the three former Soviet republics on the Baltic Sea, just south of Finland. Estonians had chafed under Moscow’s rule since the beginning of World War II, when the occupation began. When Mikhail Gorbachev took over the Kremlin and loosened his grip almost a half century later, Estonians led the region-wide rebellion for independence that helped usher in the collapse of the Soviet Union. When Vladimir Putin ascended to power at the turn of the twenty-first century on a wave of resentment and nostalgia for the days of great power, tensions once again sharpened.
The riots began when Estonia’s president, under pressure from Putin, overruled a law that would have removed all the monuments that had gone up during the years of Soviet occupation, including a giant bronze statue of a Red Army soldier. Thousands of Estonians took to the streets in protest, rushing the bronze statue, trying to topple it themselves, only to be met by the town’s ethnic Russians, who fought back, seeing the protest as an insult to the motherland’s wartime sacrifices. Police intervened and moved the statue elsewhere, but street fights continued, at which point Putin intervened—not with troops, as his predecessors might have done, but with an onslaught of ones and zeros.
The 1.3 million citizens of Estonia were among the most digitally advanced on earth: a larger percentage of them were hooked up to the Internet, and more reliant on broadband services, than the citizens of any other country. The day after the Bronze Night riot, as it was called, they were hit with a massive cyber attack, their networks and servers flooded with so much data that they shut down. And unlike most denial-of-service attacks, which tended to be one-off bits of mischief, this attack persisted and was followed up—in three separate waves—with infections of malware that spread from one computer to another, across the tiny nation, in all spheres of life. For three weeks, sporadically for a whole month, many Estonians were unable to use not just their computers but their telephones, bank accounts, credit cards: everything was hooked up to one network or another—the parliament, the government ministries, mass media, shops, public records, military communications—and it all broke down.
As a member of NATO, Estonia requested aid under Article 5 of the North Atlantic Treaty, which pledged each member-state to treat an attack on one as an attack on all. But the allies were skeptical. Was this an attack, in that sense? Was it an act of war? The question was left open. No troops were sent.
Nonetheless, Western computer specialists rushed to Estonia’s defense at their own initiative, joining and aiding the considerable, skilled white-hat hacker movement inside Estonia. Using a variety of time-honored techniques, they tracked and expelled many of the intruders, softening the effects that would have erupted had the Tallinn government been the only source of resistance and defense.
Kremlin officials denied involvement in the attack, and the Westerners could find no conclusive evidence pointing to a single culprit—one reason, among several, for their reluctance to regard the cyber attacks as cause to invoke Article 5. Attributing the source of a cyber attack was an inherently difficult matter, and whoever launched this one had covered his tracks expertly. Still, forensic analysts did trace the malware code to a Cyrillic keyboard; in response, Kremlin authorities arrested a single member of the nationalist youth organization Nashi (the Russian word for “ours”), fined him the equivalent of a thousand dollars, and pronounced the crime solved. But no one believed that a single lowly citizen, or a small private group, could have found, much less hacked, some of the sensitive Estonian sites that had been taken down all at once and for such a long time.
* * *
The cyber strikes in Estonia proved to be the dress rehearsal for a coordinated military campaign, a little over a year later, in which Russia launched simultaneous air, ground, naval, and cyber operations against the former Soviet republic of Georgia.
Since the end of the Cold War, tensions had been rife between Moscow and the newly independent Georgian government over the tiny oblasts of South Ossetia and Abkhazia, formally a part of Georgia but dense with ethnic Russians. On August 1, 2008, Ossetian separatists shelled the Georgian village of Tskhinvali. The night of August 7–8, Georgian soldiers mobilized, suppressing the separatists and recapturing the town in a few hours. The next day, under the pretense of “peace enforcement,” Russian troops and tanks rolled into the village, supported by air strikes and a naval blockade along the coast.
At the precise moment when the tanks and planes crossed the South Ossetian line, fifty-four Georgian websites—related to mass media, finance, government ministries, police, and armed forces—were hacked and, along with the nation’s entire Internet service, rerouted to Russian servers, which shut them down. Georgian citizens couldn’t gain access to information about what was happening; Georgian officers had trouble sending orders to their troops; Georgian politicians met long delays when trying to communicate with the rest of the world. As a result, Russian propaganda channels were first to beam Moscow’s version of events to the world. It was a classic case of what was once called information warfare or counter command-control warfare—a campaign to confuse, bewilder, or disorient the enemy and thus weaken, delay, or destroy his ability to respond to a military attack.
The hackers also stole material from some sites that gave them valuable intelligence on the Georgian military—its operations, movements, and communiqués—so the Russian troops could roll over them all the more swiftly.
Just as with Estonia, Kremlin spokesmen denied launching the cyber attacks, though the timing—coordinated so precisely with the other forms of attack—splashed extreme doubt on their claims of innocence.
After four days of fighting, the Georgian army retreated. Soon after, Russia’s parliament formally recognized South Ossetia and Abkhazia as independent states. Georgia and much of the rest of the world disputed the status, seeing the enclaves as occupied Georgian territory, but there wasn’t much they could do about it.
* * *
In the sixteen months from April 2007 to August 2008, when America hacked Iraqi insurgents’ email, Israel spoofed Syrian air defenses, and Russia flooded the servers of Estonia and Georgia, the world witnessed the dawn of a new era in cyber warfare—the fulfillment of a decade’s worth of studies, simulations, and, at the start of the decade in Serbia, a tentative tryout.