
Dark Territory


by Fred Kaplan


  But its third, new mission—defending civilian critical infrastructure—was another matter. The nation’s financial institutions, power grids, transportation systems, waterworks, and so forth had thousands of access points to the Internet—no one knew precisely how many. And even if the NSA could somehow sit on those points, it lacked the legal authority to do so. Hence Obama’s executive order, which relied on private industry to share information voluntarily—an unlikely prospect, but the only one available.

  It was a bitter irony. The growth of this entire field—cyber security, cyber espionage, cyber war—had been triggered by concerns, thirty years earlier, about the vulnerability of critical infrastructure. Yet, after all the commissions, analyses, and directives, the problem seemed intractable.

  Still, Keith Alexander not only accepted the new mission, he aggressively pushed for it; he’d helped Gates draft the directive that gave the mission to Cyber Command. To Alexander’s mind, not only did Homeland Security lack the resources to protect the nation, it had the wrong concept. It was trying to install intrusion-detection systems on all the networks, and there were just too many networks: they’d be impossible to monitor, and it would cost way too much to try. Besides, what could the DHS bureaucrats do if they detected a serious attack in motion?

  The better approach, to Alexander’s mind, was the one he knew best: to go on the offensive—to get inside the adversary’s networks in order to see him preparing an attack, then deflect it. This was the age-old concept of “active defense” or, in its cyber incarnation, CNE, Computer Network Exploitation, which, as NSA directors dating back to Ken Minihan and Mike Hayden knew well, was not much different from Computer Network Attack.

  But Alexander advocated another course, too, a necessary supplement: force the banks and the other sectors—or ply them with alluring incentives—to share information about their hackers with the government: and by “government,” he meant the FBI and, through it, the NSA and Cyber Command. He decidedly did not mean the Department of Homeland Security—though, in deference to the White House, which had designated DHS as the lead agency on protecting critical infrastructure, he would say the department could act as the “router” that sent alerts to the other, more active agencies.

  Alexander was insistent on this point. Most private companies refused to share information, not only because they lacked incentives but also because they feared lawsuits: some of that information would include personal data about employees and customers. In response, President Obama urged Congress to pass a bill exempting companies from liability if they shared data. But Alexander opposed the bill, because Obama’s version of the bill would require them to share data with the Department of Homeland Security. Without telling the White House, Alexander lobbied his allies on Capitol Hill to amend or kill his commander-in-chief’s initiative.

  It was an impolitic move from someone who was usually a bit more adroit. First, the White House staff soon heard about his lobbying, which didn’t endear him to the president, especially in the wake of the Snowden leaks, which were already cutting into the reserves of goodwill for Fort Meade. Second, it was self-defeating from a substantive angle: even with exemption from liability, companies were averse to giving private data to the government—all the more so if “government” was openly defined as the NSA.

  The information-sharing bill was endangered, then, by an unlikely coalition of civil liberties advocates, who opposed sharing data with the government on principle, and NSA boosters, who opposed sharing it with any entity but Fort Meade.

  So, the only coordinated defense left would be “active defense”—cyber offensive warfare.

  That was the situation inherited by Admiral Michael Rogers, who replaced Alexander in April 2014. A career cryptologist, Rogers had run the Navy’s Fleet Cyber Command, which was also based at Fort Meade, before taking over the NSA and U.S. Cyber Command. He was also the first naval officer to earn three stars (and now he had four stars) after rising through the ranks as a code-breaker. Shortly after taking the helm, he was asked, in an interview with the Pentagon’s news service, how he would protect critical infrastructure from a cyber attack—Cyber Command’s third mission. He replied that the “biggest focus” would be “to attempt to interdict the attack before it ever got to us”—in other words, to get inside the adversary’s network, in order to see him prepare an attack, then to deflect or preempt it.

  “Failing that,” Rogers went on, he would “probably” also “work directly with those critical infrastructure networks” that “could use stronger defensive capabilities.” But he knew this was backup, and flimsy backup at that, since neither Fort Meade nor the Pentagon could do much to bolster the private sector’s defenses on its own.

  In April 2015, the Obama administration endorsed the logic. In a thirty-three-page document titled The Department of Defense Cyber Strategy, signed by Ashton Carter, a former Harvard physicist, longtime Pentagon official, and now Obama’s fourth secretary of defense, the same three missions were laid out in some detail: assisting the U.S. combatant commands, protecting Defense Department networks, and protecting critical infrastructure. To carry out this last mission, the document stated that, “with other government agencies” (the standard euphemism for NSA), the Defense Department had developed “a range of options and methods for disrupting cyber attacks of significant consequence before they can have an impact.” And it added, in a passage more explicit than the usual allusions to the option of Computer Network Attack, “If directed, DoD should be able to use cyber operations to disrupt an adversary’s command-and-control networks, military-related critical infrastructure, and weapons capabilities.”

  A month earlier, on March 19, at hearings before the Senate Armed Services Committee, Admiral Rogers expressed the point more directly still, saying that deterring a cyber attack required addressing the question: “How do we increase our capacity on the offensive side?”

  Senator John McCain, the committee’s Republican chairman, asked if it was true that the “current level of deterrence is not deterring.”

  Rogers replied, “That is true.” More cyber deterrence meant more cyber offensive tools and more officers trained to use them, which meant more money and power for Cyber Command.

  But was this true? At an earlier hearing, Rogers had made headlines by testifying that China and “probably one or two other countries” were definitely inside the networks that controlled America’s power grids, waterworks, and other critical assets. He didn’t say so, but America was also inside the networks that controlled such assets in those other countries. Would burrowing more deeply deter an attack, or would it only tempt both sides, all sides, to attack the others’ networks preemptively, in the event of a crisis, before the other sides attacked their networks first? And once the exchanges got under way, how would anyone keep them from escalating to more damaging cyber strikes or to all-out war?

  These were questions that some tried to answer, but no one ever did, during the nuclear debates and gambits of the Cold War. But while nuclear weapons were incomparably more destructive, there were four differences about this new arms race that made it more likely to careen out of control. First, more than two players were involved, a few were unpredictable, and some weren’t even nation-states. Second, an attack would be invisible and, at first, hard to trace, boosting the chances of mistakes and miscalculations on the part of the country first hit. Third, a bright, bold firewall separated using nuclear weapons from not using nuclear weapons; the countries that possessed the weapons were constrained from using them, in part, because no one knew how fast and furious the violence would spiral, once the wall came down. By contrast, cyber attacks of one sort or another were commonplace: they erupted more than two hundred times a day, and no one knew—no one had ever declared, no one could predict—where the line between mere nuisance and grave threat might be drawn; and so there was a higher chance that someone would cross the line, perhaps without intending or even knowing it.

  Finally, there was the extreme secrecy that enveloped everything about cyber war. Some things about nuclear weapons were secret, too: details about their design, the launch codes, the targeting plans, the total stockpile of nuclear materials. But the basics were well known: their history, how they worked, how many there were, how much destruction they could wreak—enough to facilitate an intelligent conversation, even by people who didn’t have Top Secret security clearances. This was not true of cyber: when Admiral Rogers testified that he wanted to “increase our capacity on the offensive side,” few, if any, of the senators had the slightest idea what he was talking about.

  In the five guys report on NSA reform, which President Obama commissioned in 2013 in the wake of the Snowden revelations, the authors acknowledged, even stressed, the need to keep certain sources, methods, and operations highly classified. But they also approvingly quoted a passage from the report by Senator Frank Church, written in the wake of another intelligence scandal—that one, clearly illegal—almost forty years earlier. “The American public,” he declared, “should know enough about intelligence activities to be able to apply their good sense to the underlying issues of policy and morality.”

  This knowledge, which Senator Church called “the key to control,” has been missing from discussions of policy, strategy, and morality in cyber war. We are all wandering in dark territory, most of us only recently, and even now dimly, aware of it.

  * * *

  I. As a compromise, when Obama issued an executive order imposing new sanctions against North Korea, on January 2, 2015, White House spokesman Josh Earnest pointedly called it “the first aspect of our response” to the Sony hacking. Listeners could infer from the word “first” that the United States had not shut down North Korea’s Internet eleven days earlier. But no official spelled this out explicitly, at least not on the record.

  II. In 2013, two security researchers—including Charlie Miller, a former employee at the Office of Tailored Access Operations, the NSA’s elite hacking unit—hacked into the computer system of a Toyota Prius and a Ford Escape, then disabled the brakes and commandeered the steering wheel while the cars were driven around a parking lot. In that test, they’d wired their laptops to the cars’ onboard diagnostic ports, which service centers could access online. Two years later, they took control of a Jeep Cherokee wirelessly, after discovering many vulnerabilities in its onboard computers—which they also hacked wirelessly, through the Internet, cellular channels, and satellite data-links—while a writer for Wired magazine drove the car down a highway. Fiat Chrysler, the Jeep’s manufacturer, recalled 1.4 million vehicles, but Miller made clear that most, maybe all, modern cars were probably vulnerable in similar ways (though none of them were recalled). As with most other devices in life, their most basic functions had been computerized—and the computers hooked up to networks—for the sake of convenience, their manufacturers oblivious to the dangers they were opening up. The signs of a new dimension in the cyber arms race—involving sabotage, mayhem, terrorism, even assassination plots, carried out more invisibly than drone strikes—seemed ominous and almost inevitable.

  ACKNOWLEDGMENTS

  I CAME UP with the idea for this book—the contract was drawn up, the research was begun, the first interviews with sources were conducted—before the world had heard of Edward Snowden; before metadata, PRISM, and encryption entered the banter of common conversation; before cyber attacks—launched by China, Russia, North Korea, Iran, organized crime groups and, yes, the United States government—became the stuff of headline news seemingly every day. My proposal was to write a history of what has broadly come to be called “cyber war,” and my interest in the idea grew as the stories piled up about Snowden and the thousands of documents he leaked, because it was clear that few people, even among those who studied the documents closely (I suspect, even among those who wrote about the documents, even Snowden himself) knew that there was a history or, if they did, that this history stretched back not a few years but five decades, to the beginnings of the Internet itself.

  This book can be seen as the third in a series of books that I’ve written about the interplay of politics, ideas, and personalities in modern war. The first, The Wizards of Armageddon (1983), was about the think-tank intellectuals who invented nuclear strategy and wove its tenets into official policy. The second, The Insurgents (2013), was about the intellectual Army officers who revived counterinsurgency doctrine and tried to apply it to the wars in Iraq and Afghanistan. Now, Dark Territory traces the players, ideas, and technology of the looming cyber wars.

  On all three books, I’ve had the great fortune of working with Alice Mayhew, the legendary editor at Simon & Schuster, and it’s to her that I owe their existence. The seeds of this book were planted during a conversation in her office either in December 2012 or January 2013 (just before or just after publication of The Insurgents), when, trying to nudge me into writing another book, Alice asked what the next big topic in military matters was likely to be. I vaguely replied that this “cyber” business might get serious. She asked me more questions; I answered them as fully as I could (I didn’t really know a lot about the subject at the time). By the time the meeting ended, I was committed to looking into a book about cyber war—first, to see if there was a story there, a story with characters and a narrative pulse. It turned out, there was.

  I thank Alice for prodding me in this direction and for asking other pointed questions at every step along the way. I thank the entire S&S team on the project: Stuart Roberts, Jackie Seow, Jonathan Evans, Maureen Cole, Larry Hughes, Ellen Sasahara, Devan Norman, and, especially, the publisher, Jonathan Karp. I thank Fred Chase for scrupulous copyediting. I thank Alex Carp and Julie Tate for diligent fact-checking (though I bear total responsibility for any errors that remain).

  Additional support came from the Council on Foreign Relations, where I was the Edward R. Murrow press fellow during the year when I did much of the book’s research. I thank, in particular, the fellowship’s leaders, Janine Hill, Victoria Alekhine, and, my energetic assistant during the year, Aliya Medetbekova, as well as the Council’s many fellows, staff specialists, and visiting speakers with whom I had spirited conversations. (I should stress that neither the Council nor anyone at the Council had any role whatsoever in the book itself, beyond providing me a nice office, stipend, and administrative assistance.)

  In the course of my research, I interviewed more than one hundred people who played a role in this story, many of them several times, with follow-ups in email and phone calls. They ranged from cabinet secretaries, generals, and admirals (including six directors of the National Security Agency) to technical specialists in the hidden corridors of the security bureaucracy (not just the NSA), as well as officers, officials, aides, and analysts at every echelon in between. All of these interviews were conducted in confidence; most of the sources agreed to talk with me only under those conditions, though I should note that almost all of the book’s facts (and, when it comes to historically new disclosures, all the facts) come from at least two sources in positions to know. I thank all of these people: this book would not exist without you.

  I also thank Michael Warner, the official historian of U.S. Cyber Command, and Jason Healey and Karl Grindal of the Cyber Conflict Studies Association, whose symposiums and collections of declassified documents were instrumental in persuading me, at an early phase of the project, that there was a story, a history, to be told here.

  This is my fifth book in thirty-three years, and they’ve all been guided into daylight by Rafe Sagalyn, my literary agent, who has stood by throughout as taskmaster, counselor, and friend. I thank him once again, as well as his patient assistants, Brandon Coward and Jake DeBache.

  Finally, I am grateful to my friends and family for their encouragement in so many ways. I especially thank my mother Ruth Kaplan Pollack, who has always been there with support of various kinds; my wife, Brooke Gladstone, who has loomed as my best friend, life’s love, and moral compass since we were both barely out of our teens; and our daughters, Sophie and Maxine, whose integrity and passion continue to astonish me.

  ABOUT THE AUTHOR

  © CAROL DRONSFIELD

  Fred Kaplan writes the “War Stories” column for Slate. A former Pulitzer Prize-winning reporter for the Boston Globe, he is the author of four previous books, The Insurgents: David Petraeus and the Plot to Change the American Way of War (which was a Pulitzer Prize finalist), 1959: The Year Everything Changed, Daydream Believers: How a Few Grand Ideas Wrecked American Power, and The Wizards of Armageddon (which won the Washington Monthly Political Book of the Year Award). He has a PhD in political science from MIT. He lives in Brooklyn with his wife, Brooke Gladstone.


  ALSO BY FRED KAPLAN

  The Insurgents: David Petraeus and the Plot to Change the American Way of War

  1959: The Year Everything Changed

  Daydream Believers: How a Few Grand Ideas Wrecked American Power

  The Wizards of Armageddon
