by Fred Kaplan
However, Obama agreed with the group’s general point on “the risk of government overreach” and the “potential for abuse.” And so, he accepted many of its other recommendations. He rejected the proposal to require FISA Court orders for the FBI’s National Security Letters, but he did limit how long the letters could remain secret. (He eventually settled on a limit of 180 days, with a court order required for an extension.) There would be no more surveillance of “our close friends and allies” without some compelling reason (a reference to the monitoring of Angela Merkel’s cell phone, though Obama’s wording allowed a wide berth for exceptions). And his national security team would conduct annual reviews of the surveillance programs, weighing security needs against policies toward alliances, privacy rights, civil liberties, and the commercial interests of U.S. companies.
This last idea led, three months later, to a new White House policy barring the use of a zero-day exploit, unless the NSA made a compelling case that the pros outweighed the cons. And the final verdict on its case would be decided not by the NSA director but by the cabinet secretaries in the NSC and, ultimately, by the president. This was potentially a very big deal. Whether it would really limit the practice—whether it amounted to a political check or a rubber stamp—was another matter.[I]
Finally, Obama spoke of the most controversial program, the bulk collection of telephone metadata under Section 215 of the Patriot Act. First, as an immediate step, he ordered the NSA to restrict its data searches to two hops, down from its previously allowed limit of three. (Though potentially significant, this had little real impact, as the NSA almost never took three hops.) Second, and more significant, he endorsed the proposal to store the metadata with a private entity and to allow NSA access only after a FISA Court order.
These endorsements seemed doomed, though, because any changes in the storage of metadata or in the composition of the FISA Court would have to be voted on by Congress. Under ordinary conditions, Congress—especially this Republican-controlled Congress—wouldn’t schedule such a vote: its leaders had no desire to change the operations of the intelligence agencies or to do much of anything that President Obama wanted them to do.
But these weren’t ordinary conditions. The USA Patriot Act had been passed by Congress, under great pressure, in the immediate aftermath of the September 11 attacks: the bill came to the floor hot off the printing presses; almost no one had time to read it. In exchange for their haste in passing it, key Democratic legislators insisted, over intense opposition by the Bush White House, that a sunset clause—an expiration date—be written into certain parts of the law (including Section 215, which allowed the NSA to collect and store metadata), so that Congress could extend its provisions, or let them lapse, at a time allowing more deliberation.
In 2011, when those provisions had last been set to expire, Congress voted to extend them until June 2015. In the interim four years, three things happened. First, and pivotally, came Edward Snowden’s disclosures about the extent of NSA domestic surveillance. Second, the five guys report concluded that this metadata hadn’t nabbed a single terrorist and recommended several reforms to reduce the potential for abuse.
Third, on May 7, just weeks before the next expiration date, the U.S. 2nd Circuit Court of Appeals ruled that Section 215 of the Patriot Act did not in fact authorize anything so broad as the NSA’s bulk metadata collection program—that the program was, in fact, illegal. Section 215 permitted the government to intercept and store data that had “relevance” to an “investigation” of a terrorist plot or group. The NSA reasoned that, in tracing the links of a terrorist conspiracy, it was impossible to know what was relevant—who the actors were—ahead of time, so it was best to create an archive of calls that could be plowed through in retrospect; it was necessary, by this logic, to collect everything because anything might prove relevant; to find a needle in a haystack, you needed access to “the whole haystack.” The FISA Court had long ago accepted the NSA’s logic, but now the 2nd Circuit Court rejected it as “unprecedented and unwarranted.” In the court case that culminated in the ruling, the Justice Department (which was defending the NSA position) likened the metadata collection program to the broad subpoena powers of a grand jury. But the court jeered at the analogy: grand juries, it noted, are “bounded by the facts” of a particular investigation and “by a finite time limitation,” whereas the NSA metadata program required “that the phone companies turn over records on an ‘ongoing daily basis’—with no foreseeable end point, no requirement of relevance to any particular set of facts, and no limitations as to subject matter or individuals covered.”
The judges declined to rule on the program’s constitutionality; they even allowed that Congress could authorize the metadata program, if it chose to do so explicitly. And so it was up to Congress—and its members couldn’t evade the moment of truth. Owing to the sunset clause, the House and Senate had to take a vote on Section 215, one way or the other; if they didn’t, the metadata program would expire by default.
In this altered climate, the Republican leaders couldn’t muster majority support to sustain the status quo. Moderates in Congress drafted a bill called the USA Freedom Act, which would keep metadata stored with the telecom companies and allow the NSA access only to narrowly specified pieces of it, and only after obtaining a FISA Court order to do so. The new law would also require the FISA Court to appoint a civil-liberties advocate to argue, on occasion, against NSA requests; and it would require periodic reviews to declassify at least portions of FISA Court rulings. The House passed the reform bill by a wide majority; the Senate, after much resistance by the Republican leadership, had no choice but to pass it as well.
Against all odds, owing to the one bit of farsighted caution in a law passed in 2001 amid the panic of a national emergency, Congress approved the main reforms of NSA practices, as recommended by President Obama’s commission—and by President Obama himself.
The measures wouldn’t change much about cyber espionage, cyber war, or the long reach of the NSA, to say nothing of its foreign counterparts. For all the political storms that it stirred, the bulk collection of domestic metadata comprised a tiny portion of the agency’s activities. But the reforms would block a tempting path to potential abuse, and they added an extra layer of control, albeit a thin one, on the agency’s power—and its technologies’ inclination—to intrude into everyday life.
* * *
On March 31, two and a half months after Obama’s speech at the Justice Department, in which he called for those reforms, Geoffrey Stone delivered a speech at Fort Meade. The NSA staff had asked him to recount his work on the Review Group and to reflect on the ideas and lessons he’d taken away.
Stone started off by noting that, as a civil libertarian, he’d approached the NSA with great skepticism, but was quickly impressed by its “high degree of integrity” and “deep commitment to the rule of law.” The agency made mistakes, of course, but they were just that—mistakes, not intentional acts of illegality. It wasn’t a rogue agency; it was doing what its political masters wanted and what the courts allowed, and, while reforms were necessary, its activities were generally lawful.
His speech lavished praise a little while longer on the agency and its employees, but then it took a sharp turn. “To be clear,” he emphasized, “I am not saying that citizens should trust the NSA.” The agency needed to be held up to “constant and rigorous review.” Its work was “important to the safety of the nation,” but, by nature, it posed “grave dangers” to American values.
“I found, to my surprise, that the NSA deserves the respect and appreciation of the American people,” he summed up. “But it should never, ever, be trusted.”
* * *
I. The questions to be asked, in considering whether to exploit a zero-day vulnerability, were these: To what extent is the vulnerable system used in the critical infrastructure; in other words, does the vulnerability, if left unpatched, pose significant risk to our own society? If an adversary or criminal group knew about the vulnerability, how much harm could it inflict? How likely is it that we would know if someone else exploited it? How badly do we need the intelligence we think we can get from exploiting it? Are there other ways to get the intelligence? Could we exploit the vulnerability for a short period of time before disclosing and patching it?
CHAPTER 15
* * *
“WE’RE WANDERING IN DARK TERRITORY”
In the wee hours of Monday, February 10, 2014, four weeks after President Obama’s speech at the Justice Department on NSA reform, hackers launched a massive cyber attack against the Las Vegas Sands Corporation, owner of the Venetian and Palazzo hotel-casinos on the Vegas Strip and a sister resort, the Sands, in Bethlehem, Pennsylvania.
The assault destroyed the hard drives in thousands of servers, PCs, and laptops, though not before stealing thousands of customers’ credit-card charges as well as the names and Social Security numbers of company employees.
Cyber specialists traced the attack to the Islamic Republic of Iran.
The previous October, Sheldon Adelson, the ardently pro-Israel, right-wing billionaire who owned 52 percent of Las Vegas Sands stock, had spoken on a panel at Yeshiva University in New York. At one point, he was asked about the Obama administration’s ongoing nuclear negotiations with Iran.
“What I would say,” he replied, “is, ‘Listen. You see that desert out there? I want to show you something.’ ” Then, Adelson said, he would drop a nuclear bomb on the spot. The blast “doesn’t hurt a soul,” he went on, “maybe a couple of rattlesnakes or a scorpion or whatever.” But it does lay down a warning: “You want to be wiped out?” he said he’d tell the mullahs. “Go ahead and take a tough position” at those talks.
Adelson’s monologue went viral on YouTube. Two weeks later, the Ayatollah Ali Khamenei, Iran’s supreme leader, fumed that America “should slap these prating people” and “crush their mouths.”
Soon after, the hackers went to work on Adelson’s company. On January 8, they tried to break into the Sands Bethlehem server, probing the perimeters for weak spots. On the twenty-first, and again on the twenty-sixth, they activated password-cracking software, trying out millions of letter-and-number combinations, almost instantaneously, to hack into the company’s Virtual Private Network, which employees used at home or on the road.
Finally, on February 1, they found a weakness in the server of a Bethlehem company that tested new pages for the casino’s website. Using a tool called Mimikatz, which extracted all of a server’s recent records, the hackers found the login and password of a Sands systems engineer who’d just been in Bethlehem on a business trip. Using his credentials, they strolled into the Vegas-based servers, probed their pathways, and inserted a malware program, consisting of just 150 lines of code, that wiped out the data stored on every computer and server, then filled the spaces with a random stream of zeroes and ones, to make restoring the data nearly impossible.
Then they started to download really sensitive data: the IT passwords and encryption keys, which could take them into the mainframe computer, and, potentially more damaging, the files on high-rolling customers—“the whales,” as casino owners called them. Just in time, Sands executives shut off the company’s link to the Internet.
Still, the next day, the hackers found another way back in and defaced the company’s website with a message: “Encouraging the Use of Weapons of Mass Destruction UNDER ANY CONDITION Is a Crime.” Then they shut down a few hundred more computers that hadn’t been disabled the first time around.
After the storm passed, the casino’s cyber security staff estimated that the Iranians had destroyed twenty thousand computers, which would cost at least $40 million to replace.
It was a typical, if somewhat sophisticated, cyber attack for the second decade of the twenty-first century. Yet there was one thing odd about these hackers: anyone breaking into the servers of a Las Vegas resort hotel casino could have made off with deep pools of cash—but these hackers didn’t take a dime. Their sole aim was to punish Sheldon Adelson for his crude comments about nuking Iran: they launched a cyber attack not to steal money or state secrets, but to influence a powerful man’s political speech.
It was a new dimension, a new era, of cyber warfare.
Another notable feature, which the Sands executives picked up on after the fact: the Iranians were able to unleash such a destructive attack, after making such extensive preparations, without arousing notice, because the company’s cyber security staff consisted of just five people.
Las Vegas Sands—one of the largest resort conglomerates in the world, with forty thousand employees and assets exceeding $20 billion—wasn’t ready to deal with the old era of cyber war, much less the new one.
At first, not wanting to scare off customers, the executives tried to cover up just how badly the hack had hurt them, issuing a press release commenting only on their website’s defacement. The hackers struck back, posting a video on YouTube showing a computer screen with what seemed like thousands of the Sands’ files and folders, including passwords and casino credit records, underscored with a text box reading, “Do you really think that only your mail server has been taken down?!! Like hell it has!!”
The FBI took down the video within a few hours, and the company managed to quash much further exposure, until close to the end of the year, when Bloomberg Businessweek published a long story detailing the full scope of the attack and its damage. But the piece drew little notice because, two weeks earlier, a similar, though far more devastating attack hit the publicity-drenched world of Hollywood, specifically one of its major studios—Sony Pictures Entertainment.
On Monday morning, November 24, a gang of hackers calling themselves “Guardians of Peace” hacked into Sony Pictures’ network, destroying three thousand computers and eight hundred servers, carting off more than one hundred terabytes of data—much of which was soon sent to, and gleefully reprinted by, the tabloid, then the mainstream, press—including executives’ salaries, emails, digital copies of unreleased films, and the Social Security numbers of 47,000 actors, contractors, and employees.
Sony had been hacked before, twice in 2011 alone: one of the attacks shut down its PlayStation network for twenty-three days after purloining data from 77 million accounts; the other stole data from 25 million viewers of Sony Online Entertainment, including twelve thousand credit card numbers. The cost, in business lost and damages repaired, came to about $170 million.
But, like many conglomerates, Sony ran its various branches in stovepipe fashion: the executives at PlayStation had no contact with those at Online Entertainment, who had no contact with those at Sony Pictures. So the lessons learned in one realm were not shared with the others.
Now, the executives realized, they had to get serious. To help track down the hacker and fix the damage, they contacted not only the FBI but also FireEye, which had recently purchased Mandiant, the company—headed by the former Air Force cyber crime investigator Kevin Mandia—that had, most famously, uncovered the massive array of cyber attacks launched by Unit 61398 of the Chinese army. Soon enough, both FireEye and the FBI, the latter working with NSA, identified the attackers as a group called “DarkSeoul,” which often did cyber jobs for the North Korean government from outposts scattered across Asia.
Sony Pictures had planned to release on Christmas Day a comedy called The Interview, starring James Franco and Seth Rogen as a frothy TV talk show host and his producer who get mixed up in a CIA plot to assassinate North Korea’s ruler, Kim Jong-un. The previous June, when the project was announced, the North Korean government released a statement warning that it would “mercilessly destroy anyone who dares hurt or attack the supreme leadership of the country, even a bit.” The hack, it seemed, was the follow-up to the threat.
Some independent cyber specialists doubted that North Korea was behind the attack, but those deep inside the U.S. intelligence community were unusually confident. In public, officials said that the hackers used many of the same “signatures” that DarkSeoul had used in the past, including an attack two years earlier that wiped out forty thousand computers in South Korea—the same lines of code, encryption algorithms, data-deletion methods, and IP addresses. But the real reason for the government’s certainty was that the NSA had long ago penetrated North Korea’s networks: anything that its hackers did, the NSA could follow; when the hackers monitored what they were doing, the NSA could intercept the signal from their monitors—not in real time (unless there was a reason to be watching the North Koreans in real time), but the agency’s analysts could retrieve the files, watch the images, and compile the evidence retroactively.
It was another case of a cyber attack launched not for money, trade secrets, or traditional espionage, but to influence a private company’s behavior.
This time, the blackmail worked. One week before opening day, Sony received an email threatening violence against theaters showing the film. Sony canceled its release; and, suddenly the flow of embarrassing emails and data to the tabloids and the blogosphere ceased.
The studio’s cave-in only deepened its problems. At his year-end press conference, traditionally held just before flying off to his Hawaii home for the holidays, President Obama told the world that Sony “made a mistake” when it canceled the movie. “I wish they had spoken to me first,” he went on. “I would have told them, ‘Do not get into a pattern in which you’re intimidated by these kinds of criminal acts.’ ” He also announced that the United States government would “respond proportionally” to the North Korean attack, “in a place and time and manner that we choose.”