Dark Territory
In fact, McConnell next saw Obama in his transition office, on December 8, midway between his election-night victory and inauguration day. He brought with him his aide, Melissa Hathaway, who briefly outlined the Comprehensive National Cybersecurity Initiative that she’d written for Bush but that hadn’t yet been implemented. Obama told her to start thinking about a sixty-day review of U.S. cyber policy.
The review hit a slight delay. Cyber was hardly the most urgent issue on the new president’s agenda. He first ordered another campaign aide, a former CIA analyst named Bruce Riedel, to write a sixty-day review of U.S. policy in Afghanistan. Then there was the matter of solving the banking crash, the collapse of the auto industry, and the worst economic crisis since the Great Depression.
Still, on February 9, just three weeks into his term, not too far behind schedule, Obama publicly announced the sixty-day cyber review and presented Hathaway as its chair. It took longer than sixty days to complete—it took 109 days—but on May 29, she and her interagency group issued their seventy-two-page document, titled Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure.
It read uncannily like the reports, reviews, and directives that had come before it, and even referred to several of them by name, among them Bush’s NSPD-54 and his National Strategy to Secure Cyberspace, the Marsh Report, a few Defense Science Board studies, and Senator Nunn’s hearings. There was little new to say about the subject; but few of the old things had ever been officially adopted, so no one had heard of them—outside the coterie of experts who’d been following the cycles for years or decades—and it was, therefore, no redundancy for Hathaway to re-recite the same old problems and remedies.
Once again, then, there was the preface noting the ubiquity of cyberspace, its “strategic vulnerabilities,” the “great risks” posed to “critical infrastructure” and “sensitive military information.” There was the bit about the “overlapping authorities” among federal agencies, the need for a “national dialogue,” an “action plan” for “information sharing” with “public-private partnerships,” and, finally, the proposed appointment of a “cybersecurity policy official” in the White House—a position that Hathaway assumed she would hold, just as Dick Clarke designated himself the “national coordinator” in a similar document for Bill Clinton.
But from the outset, Hathaway ran into obstacles. White House staffers disdained her as “prickly” and “sharp-elbowed,” diatribes commonly hurled at women—Hathaway was blond, attractive, and barely forty—for behavior that would be tolerated as merely aggressive, or even normal, possibly admirable, in men. Hathaway’s elbows were certainly less sharp than Clarke’s, but Clarke was a master of office politics, cultivating protectors at the highest echelons and allies throughout the bureaucracy. Hathaway had only one protector, Mike McConnell, and when Obama replaced him in the first week of his presidency, she was left with no cover.
There was another problem, one that Clarke had also faced. Hathaway’s review noted that private companies owned most of the pathways of cyberspace and thus must “share the responsibility” for its security—a line that triggered reflexive fears of government regulation, still the nastiest word in the book among the executives of Silicon Valley. Obama’s brash economic adviser, Lawrence Summers, took industry’s side in this dispute, insisting that, especially during what had come to be called the Great Recession, the engines of economic growth must not be constrained. (As Clinton’s treasury secretary, Summers had been Clarke’s bête noire when he tried to push for regulations, as well.)
Between the prominence of economic concerns and her own bureaucratic isolation, Hathaway and her portfolio took a tumble. She was gone by August and sidelined well before then.
Yet Obama didn’t ignore Hathaway’s concerns. On May 29, the same day that she released her review, he spoke for seventeen minutes in the East Room of the White House on cyberspace, its central place in modern life, and “this cyber threat” as “one of the most serious economic and national security challenges we face as a nation.”
He spoke not just from a script but also from personal experience. Born in 1961, near the end of the baby boom (unlike Bush and Clinton, who were born fifteen years earlier, at the boom’s onset), Obama was the first American president who surfed through cyberspace in his daily life. (When the Secret Service demanded that he give up his BlackBerry for security reasons, Obama resisted; as a compromise, the NSA Information Assurance Directorate built him a one-of-a-kind BlackBerry, equipped with state-of-the-art encryption, shielding, and a few other highly classified tricks.) And he was the first president whose campaign records had been hacked by a foreign power. Obama understood the stakes.
But something else stirred his concerns. A few days before inauguration day, President Bush had briefed him on two covert operations that he hoped Obama would continue. One concerned secret drone strikes against al Qaeda militants in Pakistan. The other involved a very tightly held, astonishingly bold cyber offensive campaign—code-named Operation Olympic Games, later known as Stuxnet—to delay and disable what seemed to be a nuclear weapons program in Iran.
Coming so soon after Mike McConnell’s briefing on America’s vulnerability to cyber attacks, this disclosure switched on a different light bulb from the one that had flashed in the heads of presidents, senior officials, and advisers who’d been exposed to the subject in the decades before. It was the obverse of the usual lesson: what the enemy might someday do to us, we can now do to the enemy.
* * *
I. In the late 1990s, when he started researching the vulnerability of infrastructure, Richard Clarke learned that 80 percent of global Internet traffic passed through just two buildings in the United States: one, called MAE West (MAE standing for Metropolitan Area Exchange), in San Jose, California; the other, MAE East, above a steakhouse in Tysons Corner, Virginia. One night, Clarke took a Secret Service agent to dinner at the steakhouse, after which they took a look at the room upstairs. (He brought the agent along to avoid getting arrested.) They were both shocked at how easily a saboteur could wreak devastating damage.
CHAPTER 12
* * *
“SOMEBODY HAS CROSSED THE RUBICON”
GEORGE W. BUSH personally briefed Barack Obama on Olympic Games, rather than leave the task to an intelligence official, because, like all cyber operations, it required presidential authorization. After his swearing-in, Obama would have to renew the program explicitly or let it die; so Bush made a forceful plea to let it roll forward. The program, he told his successor, could mean the difference between a war with Iran and a chance for peace.
The operation had been set in motion a few years earlier, in 2006, midway through Bush’s second term as president, when Iranian scientists were detected installing centrifuges—the long, silvery paddles that churn uranium gas at supersonic speeds—at a reactor in Natanz. The avowed purpose was to generate electrical power, but if the centrifuges cascaded in large enough quantities for a long enough time, the same process could make the stuff of nuclear weapons.
Vice President Cheney advocated launching air strikes on the Natanz reactor, as did certain Israelis, who viewed the prospect of a nuclear-armed Iran as an existential threat. Bush might have gone for the idea a few years earlier, but he was tiring of Cheney’s relentless hawkishness. Bob Gates, the new defense secretary, had persuaded Bush that going to war against a third Muslim country, while the two in Afghanistan and Iraq were still raging, would be bad for national security. And so Bush was looking for a “third option”—something in between air strikes and doing nothing.
The answer came from Fort Meade—or, more precisely, from the decades-long history of studies, simulations, war games, and clandestine real-life excursions in counter-C2 warfare, information warfare, and cyber warfare, whose innovations and operators were now all centered at Fort Meade.
Like most reactors, Natanz operated with remote computer controls, and it was by now widely known—in a few months, it would be demonstrated with the Aurora Generator Test at the Idaho National Laboratory—that these controls could be hacked and manipulated in a cyber attack.
With this in mind, Keith Alexander, the NSA director, proposed launching a cyber attack on the controls of the Natanz reactor.
Already, his SIGINT teams had discovered vulnerabilities in the computers controlling the reactor and had prowled through their network, scoping out its dimensions, functions, and features, and finding still more vulnerabilities. This was digital age espionage, CNE—Computer Network Exploitation—so it didn’t require the president’s approval. For the next step, CNA, Computer Network Attack, the commander-in-chief’s formal go-ahead would be needed. In preparation for the green light, Alexander laid out the rudiments of a plan.
In their probes, the NSA SIGINT teams had discovered that the software controlling the Natanz centrifuges was designed by Siemens, a large German company that manufactured PLCs—programmable logic controllers—for industrial systems worldwide. The challenge was to devise a worm that would infect the Natanz system but no other Siemens systems elsewhere, in case the worm spread, as worms sometimes did.
Bush was desperate for some way out; this might be it; there was no harm in trying. So he told Alexander to proceed.
This would be a huge operation, a joint effort by the NSA, CIA, and Israel’s cyber war bureau, Unit 8200. Meanwhile, Alexander got the operation going with a simpler trick. The Iranians had installed devices called uninterruptible power supplies on the generators that pumped electricity into Natanz, to prevent the sorts of spikes or dips in voltage that could damage the spinning centrifuges. It was easy to hack into these supplies. One day, the voltage spiked, and fifty centrifuges exploded. The power supplies had been ordered from Turkey; the Iranians suspected sabotage and turned to another supplier, thinking that would fix the problem. They were right about the sabotage, but not about its source.
Shutting down the reactor by messing with its power supplies was a one-time move. While the Iranians made the fix, the NSA prepared the more durable, devastating potion.
Most of this work was done by the elite hackers in TAO, the Office of Tailored Access Operations, whose technical skills and resources had swelled in the decade since Ken Minihan set aside a corner of the SIGINT Directorate to let a new cadre of computer geeks find their footing. For Olympic Games, they took some of their boldest inventions—which astounded even the most jaded SIGINT veterans who were let in on the secret—and combined them into a single super-worm called Flame.
A multipurpose piece of malware that took up 650,000 lines of code (nearly 4,000 times larger than a typical hacker tool), Flame—once it infected a computer—could swipe files, monitor keystrokes and screens, turn on the machine’s microphone to record conversations nearby, turn on its Bluetooth function to steal data from most smart phones within twenty meters, among other tricks, all from NSA command centers across the globe.
To get inside the controls at Natanz, TAO hackers developed malware to exploit five separate vulnerabilities that no one had previously discovered—five zero-day exploits—in the Windows operating system of the Siemens controllers. Exploiting one of these vulnerabilities, in the keyboard file, gave TAO special user privileges throughout a computer’s functions. Another allowed access to all the computers that shared an infected printer.
The idea was to hack into the Siemens machines controlling the valves that pumped uranium gas into the centrifuges. Once this was accomplished, TAO would manipulate the valves, turning them way up, overloading the centrifuges, causing them to burst.
It took eight months for the NSA to devise this plan and design the worm to carry it out. Now the worm had to be tested. Keith Alexander and Robert Gates cooked up an experiment, in which the technical side of the intelligence community would construct a cascade of centrifuges, identical to those used at Natanz, and set them up in a large chamber at one of the Department of Energy’s weapons labs. The exercise was similar to the Aurora test, which took place around the same time, proving that an electrical generator could be destroyed through strictly cyber means. The Natanz simulation yielded similar results: the centrifuges were sent spinning at five times their normal speed, until they broke apart.
At the next meeting on the subject in the White House Situation Room, the rubble from one of those centrifuges was placed on the table in front of President Bush. He gave the go-ahead to try it out on the real thing.
There was one more challenge: after the Iranians replaced the sabotaged power supplies from Turkey, they took the additional precaution of taking the reactor’s computers offline. They knew about the vulnerability of digital controls, and they’d read that surrounding computers with an air gap—cutting them off from the Internet, making their operations autonomous—was one way to eliminate the risks: if the system worked on a closed network, if hackers couldn’t get into it, they couldn’t corrupt, degrade, or destroy it, either.
What the Iranians didn’t know was that the hackers of TAO had long ago figured out how to leap across air gaps. First, they’d penetrated a network near the air-gapped target; while navigating its pathways, they would usually find some link or portal that the security programmers had overlooked. If that path led nowhere, they would turn to their partners in the CIA’s Information Operations Center. A decade earlier, during the campaign against Serbian President Slobodan Milosevic, IOC spies gained entry to Belgrade’s telephone exchange and planted devices, which the NSA’s SIGINT teams then hacked, giving them full access to the nation’s phone system. These sorts of joint operations had blossomed with the growth of TAO.
The NSA also enjoyed close relations with Israel’s Unit 8200, which was tight with the human spies of Mossad. If it needed access to a machine or a self-contained network that wasn’t hooked up to the Internet, it could call on any of several collaborators—IOC, Unit 8200, the local spy services, or certain defense contractors in a number of allied nations—to plant a transmitter or beacon that TAO could home in on.
In Olympic Games, someone would install the malware by physically inserting a thumb drive into a computer (or a printer that several computers were using) on the premises—in much the same way that, around this same time, Russian cyber warriors hacked into U.S. Central Command’s classified networks in Afghanistan, the intrusion that the NSA detected and repelled in Operation Buckshot Yankee.
Not only would the malware take over the Natanz reactor’s valve pumps, it would also conceal the intrusion from the reactor’s overseers. Ordinarily, the valve controls would send out an alert when the flow of uranium rapidly accelerated. But the malware allowed TAO to intercept the alert and to replace it with a false signal, indicating that everything was fine.
The worm could have been designed to destroy every centrifuge, but that would arouse suspicions of sabotage. A better course, its architects figured, would be to damage just enough centrifuges to make the Iranians blame the failures on human error or poor design. They would then fire perfectly good scientists and replace perfectly good equipment, setting back their nuclear program still further.
In this sense, Operation Olympic Games was a classic campaign of information warfare: the target wasn’t just the Iranians’ nuclear program but also the Iranians’ confidence—in their sensors, their equipment, and themselves.
The plan was ready to go, but George Bush’s time in office was running out. It was up to Barack Obama.
To Bush, the plan, just like the one to send fake email to Iraqi insurgents, was a no-brainer. It made sense to Obama, too. From the outset of his presidency, Obama articulated, and usually followed, a philosophy on the use of force: he was willing to take military action, if national interests demanded it and if the risks were fairly low; but unless vital interests were at stake, he was averse to sending in thousands of American troops, especially given the waste and drain of the two wars he inherited in Afghanistan and Iraq. The two secret programs that Bush pressed him to continue—drone strikes against jihadists and cyber sabotage of a uranium-enrichment plant in Iran—fit Obama’s comfort zone: both served a national interest, and neither risked American lives.
Once in the White House, Obama expressed a few qualms about the plan: he wanted assurances that, when the worm infected the Natanz reactor, it wouldn’t also put out the lights in nearby power plants, hospitals, or other civilian facilities.
His briefers conceded that worms could spread, but this particular worm was programmed to look for the specific Siemens software; if it drifted far afield, and the unintended targets didn’t have the software, it wouldn’t inflict any damage.
Gates, who’d been kept on by Obama and was already a major influence on his thinking, encouraged the new president to renew the go-ahead. Obama saw no reason not to.
Not quite one month after he took office, the worm had its first success: a cascade of centrifuges at Natanz sped out of control, and several of them shattered. Obama phoned Bush to tell him the covert program they’d discussed was working out.
In March, the NSA shifted its approach. In the first phase, the operation hacked into the valves controlling the rate at which uranium gas flowed into the centrifuges. In the second phase, the attack went after the devices—known as frequency converters—that controlled how quickly the centrifuges rotated. The normal speed ranged from about 800 to 1,200 cycles per second; the worm gradually sped them up to 1,410 cycles, at which point several of the centrifuges flew apart. Or, sometimes, it slowed down the converters, over a period of several weeks, to as few as 2 cycles per second: as a result, the uranium gas couldn’t exit the centrifuge quickly enough; the imbalance would cause vibrations, which severely damaged the centrifuge in a different way.
Regardless of the technique, the worm also fed false data to the system’s monitors, so that, to the Iranian scientists watching them, everything seemed normal—and, when disaster struck, they couldn’t figure out what had happened. They’d experienced technical problems with centrifuges from the program’s outset; this seemed—and the NSA designed the worm to make it seem—like more of the same, but with more intense and frequent disruptions.