by Fred Kaplan
Alexander put out the word: Alexander cited the “Maginot Line” analogy many times; see for instance, “Defenses Against Hackers Are Like the ‘Maginot Line,’ NSA Chief Says,” Blog, WSJ Tech, Jan. 13, 2012, http://blogs.wsj.com/digits/2012/01/13/u-s-business-defenses-against-hackers-are-like-the-maginot-line-nsa-chief-says/; and interviews.
The pivotal moment: The section on Buckshot Yankee comes mainly from interviews, but also from Karl Grindal, “Operation Buckshot Yankee,” in Jason Healey, ed., A Fierce Domain: Conflict in Cyberspace 1986 to 2012 (Washington, D.C.: Atlantic Council, 2013); Harris, @War, Ch. 9; William J. Lynn III, “Defending a New Domain: The Pentagon’s Cyberstrategy,” Foreign Affairs, Sept./Oct. 2010.
When he first took the job: For more on Gates as defense secretary, see Kaplan, “The Professional”; and Kaplan, The Insurgents: David Petraeus and the Plot to Change the American Way of War (New York: Simon & Schuster, 2013), Ch. 18.
On June 23, 2009: U.S. Dept. of Defense, “U.S. Cyber Command Fact Sheet,” May 25, 2010, http://www2.gwu.edu/~nsarchiv/NSAEBB/NSAEBB424/docs/Cyber-038.pdf.
On July 7, 2010, Gates had lunch: This section comes mainly from interviews, though the plan is briefly mentioned, along with the dates of the two meetings, in Robert Gates, Duty: Memoirs of a Secretary at War (New York: Alfred A. Knopf, 2014), 450–51.
“war zone”: This section is based mainly on interviews, though in a Reuters profile, upon her resignation in 2013, Lute said, “The national narrative on cyber has evolved. It’s not a war zone, and we certainly cannot manage it as if it were a war zone. We’re not going to manage it as if it were an intelligence program or one big law-enforcement operation.” (Joseph Menn, “Exclusive: Homeland Security Deputy Director to Quit; Defended Civilian Internet Role,” Reuters, April 9, 2013, http://www.reuters.com/article/2013/04/09/us-usa-homeland-lute-idUSBRE9380DL20130409.)
In the end, they approved Brown: The watered-down version of the arrangement, “Memorandum of Agreement Between the Department of Homeland Security and the Department of Defense Regarding Cybersecurity,” signed by Gates on Sept. 24 and by Napolitano on Sept. 27, 2010, can be found at http://www.defense.gov/news/d20101013moa.pdf.
CHAPTER 11: “THE WHOLE HAYSTACK”
The hearings led to the passage: The section of FISA dealing with electronic surveillance is 50 U.S.C. 1802(a).
After the attacks of September 11: A good summary is Edward C. Liu, “Amendments to the Foreign Intelligence Surveillance Act (FISA) Extended Until June 1, 2015,” Congressional Research Service, June 16, 2011, https://www.fas.org/sgp/crs/intel/R40138.pdf.
“badly out of date”: “The President’s Radio Address,” July 28, 2007, Public Papers of the Presidents of the United States: George W. Bush, 2007, Book II (Washington, D.C.: U.S. Government Printing Office, 2007), 1027–28, http://www.gpo.gov/fdsys/pkg/PPP-2007-book2/html/PPP-2007-book2-doc-pg1027.htm.
“electronic surveillance of” an American: Text of the Protect America Act of 2007, https://www.govtrack.us/congress/bills/110/s1927/text.
“connect the dots”: For instance, see The 9/11 Commission Report, 408 and passim, http://www.9-11commission.gov/report/911Report.pdf.
“the whole haystack”: The metaphor was first used by a “former intelligence officer” quoted in Ellen Nakashima and Joby Warrick, “For NSA Chief, Terrorist Threat Drives Passion to ‘Collect It All,’ ” Washington Post, July 14, 2013. But Alexander was known to use the phrase, too. (Interviews.)
Still, on February 9: White House press release, Feb. 9, 2009, http://www.whitehouse.gov/the_press_office/AdvisorsToConductImmediateCyberSecurityReview/.
It took longer than sixty days: White House press release, May 29, 2009, http://www.whitehouse.gov/the-press-office/cybersecurity-event-fact-sheet-and-expected-attendees.
It read uncannily like: White House, Cyberspace Policy Review, http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf; quotes come from i, iv, v, vi.
“share the responsibility”: Ibid., 17.
“this cyber threat”: White House, “Remarks by the President on Securing the Nation’s Cyber Infrastructure,” East Room, May 29, 2009.
CHAPTER 12: “SOMEBODY HAS CROSSED THE RUBICON”
George W. Bush personally briefed: David Sanger, Confront and Conceal (New York: Crown, 2012), xii, 190, 200–203.
The operation had been set in motion: Ibid., 191–93.
In their probes: Ibid., 196ff; Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (New York: Crown, 2014), Ch. 1.
This would be a huge operation: Ellen Nakashima and Joby Warrick, “Stuxnet Was Work of U.S. and Israeli Experts, Officials Say,” Washington Post, June 2, 2012.
uninterruptible power supplies: Zetter, Countdown to Zero Day, 200–201.
A multipurpose piece of malware: Ibid., 276–79. Much of Zetter’s information comes from the computer virus specialists at Symantec and Kaspersky Lab who discovered Stuxnet. A typical malicious code took up, on average, about 175 lines. (Interviews.)
To get inside the controls: Ibid., 90, 279.
It took eight months: Sanger, Confront and Conceal, 193.
At the next meeting: Ibid., xii.
There was one more challenge: Ibid., 194–96; and interviews. It has not yet been revealed who installed the malware-loaded thumb drives on the Iranian computers. Some speculate that it was an Israeli agent working at Natanz, some that a foreign agent (possibly with the CIA’s Information Operations Center) infiltrated the facility, some say that contaminated thumb drives were spread around the area until someone unwittingly inserted one into a computer.
Not only would the malware: Zetter, Countdown to Zero Day, 61, 117, 123.
Once in the White House: Ibid., 202.
but this particular worm was programmed: Ibid., 28.
Obama phoned Bush to tell him: In his memoir, Duty (New York: Alfred A. Knopf, 2014), 303, Robert Gates writes that “about three weeks after” Obama’s inauguration, “I called Bush 43 to tell him that we had had a significant success in a covert program he cared about a lot.” Soon after, “Obama told me he was going to call Bush and tell him about the covert success.” Gates doesn’t say that the classified program was Stuxnet, but it’s clear from the context—and from other sections of the book where he mentions a classified program related to Iran (190–91) and denounces the leak (328)—that it is.
In March, the NSA shifted its approach: Zetter, Countdown to Zero Day, 303.
The normal speed: David Albright, Paul Brannan, and Christina Walrond, “ISIS Reports: Stuxnet Malware and Natanz” (Washington, D.C.: Institute for Science and International Security), Feb. 15, 2011, http://isis-online.org/uploads/isis-reports/documents/stuxnet_update_15Feb2011.pdf.
They’d experienced technical problems: An unclassified version of a 2007 National Intelligence Estimate noted that Iran was experiencing “significant technical problems operating” centrifuges (“Key Judgments from a National Intelligence Estimate on Iran’s Nuclear Activity,” reprinted in New York Times, Dec. 4, 2007); this was well before Stuxnet was activated.
By the start of 2010: Zetter, Countdown to Zero Day, 1–3. Similar estimates are in Albright et al., “ISIS Reports: Stuxnet Malware and Natanz.”
President Obama—who’d been briefed: During briefings on Olympic Games, large foldout maps of the Natanz reactor were spread across the Situation Room (Sanger, Confront and Conceal, 201).
Almost at once: Michael Joseph Gross, “A Declaration of Cyber-War,” Vanity Fair, February 28, 2011. For more details, see Nicolas Falliere, Liam O. Murchu, and Eric Chien, “Symantec Security Response: W32.Stuxnet Dossier,” https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf; David Kushner, “The Real Story of Stuxnet,” IEEE Spectrum, Feb. 26, 2013, http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet; Eugene Kaspersky, “The Man Who Found Stuxnet—Sergey Ulasen in the Spotlight,” Nota Bene, Nov. 2, 2011, http://eugene.kaspersky.com/2011/11/02/the-man-who-found-stuxnet-sergey-ulasen-in-the-spotlight/.
Microsoft issued an advisory: “Microsoft Security Bulletin MS10-046 - Critical: Vulnerability in Windows Shell Could Allow Remote Execution,” Aug. 2, 2010 (updated Aug. 24, 2010), https://technet.microsoft.com/en-us/library/security/ms10-046.aspx; Zetter, Countdown to Zero Day, 279.
By August, Symantec had uncovered: Nicolas Falliere, “Stuxnet Introduces the First Known Rootkit for Industrial Control Systems,” Symantec Security Response Blog, Aug. 6, 2010, http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices.
In September, a German security researcher: Sanger, Confront and Conceal, 205–6; Joseph Gross, “A Declaration of Cyber-War.”
At that point, some of the American software sleuths: Zetter, Countdown to Zero Day, 187–89; and interviews.
When Obama learned: Ibid., 357.
The postmortem indicated: David Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” New York Times, June 1, 2012.
“offensive capabilities in cyber space”: Quoted in Richard A. Clarke and Robert K. Knake, Cyber War (New York: HarperCollins, 2010), 44–47.
“cyber-offensive teams”: Zachary Fryer-Biggs, “U.S. Sharpens Tone on Cyber Attacks from China,” DefenseNews, March 18, 2013, http://mobile.defensenews.com/article/303180021; and interviews.
In Obama’s first year as president: Choe Sang-Hun and John Markoff, “Cyberattacks Jam Government and Commercial Web Sites in U.S. and South Korea,” New York Times, July 18, 2009; Clarke and Knake, Cyber War, 23–30.
A year and a half later: Zetter, Countdown to Zero Day, 276–79.
Four months after that: Nicole Perlroth, “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back,” New York Times, Oct. 23, 2013.
“demonstrated a clear ability”: “Iran—Current Topics, Interaction with GCHQ: Director’s Talking Points,” April 2013, quoted and linked in Glenn Greenwald, “NSA Claims Iran Learned from Western Cyberattacks,” The Intercept, Feb. 10, 2015, https://firstlook.org/theintercept/2015/02/10/nsa-iran-developing-sophisticated-cyber-attacks-learning-attacks/. The document comes from the cache leaked by Edward Snowden. The essential point is confirmed by interviews.
At what point, he asked: Gates, Duty, 451; and interviews.
“Previous cyber-attacks had effects”: Sanger, Confront and Conceal, 200.
“Trilateral Memorandum of Agreement”: The memorandum of agreement is mentioned in a footnote in Barack Obama, Presidential Policy Directive, PPD-20, “U.S. Cyber Operations Policy,” Oct. 2012, https://www.fas.org/irp/offdocs/ppd/ppd-20.pdf. PPD-20 is among the documents leaked by Edward Snowden.
An action report on the directive: This is noted in boldfaced brackets in the copy of the document that Snowden leaked.
“You can’t have something that’s a secret”: Andrea Shalal-Esa, “Ex-U.S. General Urges Frank Talk on Cyber Weapons,” Reuters, Nov. 6, 2011, http://www.reuters.com/article/2011/11/06/us-cyber-cartwright-idUSTRE7A514C20111106.
“the authority to develop”: William B. Black Jr., “Thinking Out Loud About Cyberspace,” Cryptolog, Spring 1997 (declassified Oct. 2012), http://cryptome.org/2013/03/cryptolog_135.pdf. Black’s precise title at the NSA was special assistant to the director for information warfare.
CHAPTER 13: SHADY RATS
“rebalancing its global posture”: Thomas Donilon, speech, Asia Society, New York City, March 11, 2013, http://asiasociety.org/new-york/complete-transcript-thomas-donilon-asia-society-new-york.
Then on February 18, Mandiant: Mandiant, APT1: Exposing One of China’s Cyber Espionage Units, Feb. 18, 2013, http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf.
The Times ran a long front-page story: David Sanger, David Barboza, and Nicole Perlroth, “Chinese Army Unit Is Seen as Tied to Hacking Against U.S.,” New York Times, Feb. 18, 2013. The Chinese response (“irresponsible,” “unprofessional,” etc.) is quoted in the same article.
As early as 2001: Nathan Thornburgh, “The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them),” Time, Sept. 5, 2005; Adam Segal, “From Titan Rain to Byzantine Hades: Chinese Cyber Espionage,” in Jason Healey, ed., A Fierce Domain: Conflict in Cyberspace, 1986–2012 (Washington, D.C.: Atlantic Council/Cyber Conflict Studies Association, 2013), 165–93; and interviews.
“information confrontation”: Bryan Krekel, Patton Adams, and George Bakos, Occupying the Information High Ground, Prepared for the U.S.-China Economic and Security Review Commission (Northrop Grumman Corporation, March 7, 2012), 9–11, http://www2.gwu.edu/~nsarchiv/NSAEBB/NSAEBB424/docs/Cyber-066.pdf.
By the end of the decade: Ibid., 24–28, 40, 45–46; and interviews.
he had written his doctoral dissertation: It was published as Gregory J. Rattray, Strategic Warfare in Cyberspace (Cambridge: MIT Press, 2001); the rest of this section is from interviews.
The typical Chinese hack started off: Dmitri Alperovitch, McAfee White Paper, “Revealed: Operation Shady RAT,” n.d., http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf; Ellen Nakashima, “Report on ‘Operation Shady RAT’ Identifies Widespread Cyber-Spying,” Washington Post, Aug. 3, 2011; Michael Joseph Gross, “Exclusive: Operation Shady RAT—Unprecedented Cyber-espionage Campaign and Intellectual-Property Bonanza,” Vanity Fair, Sept. 2011; Segal, “From Titan Rain to Byzantine Hades: Chinese Cyber Espionage,” 168.
On June 6, The Washington Post and The Guardian: “Verizon Forced to Hand Over Telephone Data—Full Court Ruling,” The Guardian, June 5, 2013, accompanying Glenn Greenwald, “NSA Collecting Phone Records of Millions of Verizon Customers Daily,” The Guardian, June 6, 2013; “NSA Slides Explain the Prism Data-Collection Program,” Washington Post, June 6, 2013, which accompanied Barton Gellman and Laura Poitras, “U.S., British Intelligence Mining Data from Nine U.S. Internet Companies in Broad Secret Program,” Washington Post, June 7, 2013; Glenn Greenwald and Ewen MacAskill, “NSA Prism Program Taps in to User Data of Apple, Google, and others,” The Guardian, June 7, 2013. The Guardian and the Post, which both had Snowden documents, were locked in a fierce competition over who could publish first. The Guardian’s Verizon story went online June 5, then appeared in its print edition June 6. The first Post story went online June 6, then in print June 7. For a list of all the Post’s Snowden-based stories, see http://dewitt.sanford.duke.edu/gellmanarticles/.
These were the first of many stories: For the journalists’ accounts of their encounters with Snowden, see “Live Chat: NSA Surveillance: Q&A with Reporter Barton Gellman,” July 15, 2014, http://live.washingtonpost.com/nsa-surveillance-bart-gellman.html; and Laura Poitras’s documentary film, CitizenFour, 2014. For critical views of Snowden, see Fred Kaplan, “Why Snowden Won’t (and Shouldn’t) Get Clemency,” Slate, Jan. 3, 2014, http://www.slate.com/articles/news_and_politics/war_stories/2014/01/edward_snowden_doesn_t_deserve_clemency_the_nsa_leaker_hasn_t_proved_he.html; Mark Hosenball, “NSA Memo Confirms Snowden Scammed Passwords from Colleagues,” Reuters, Feb. 13, 2014, http://www.reuters.com/article/2014/02/13/us-usa-security-idUSBREA1C1MR20140213; George Packer, “The Errors of Edward Snowden and Glenn Greenwald,” Prospect, May 22, 2014, http://www.prospectmagazine.co.uk/features/the-errors-of-edward-snowden-and-glenn-greenwald.
From that point on, the Chinese retort: At a later summit, in September 2015, Obama and Xi agreed not to “conduct or knowingly support” cyber theft of “intellectual property” with the “intent of providing competitive advantage to companies or commercial sectors.” The language was loose: “knowingly support” would still allow “tolerate,” and an action’s “intent” can be briskly denied. In any case, the U.S. doesn’t conduct this type of cyber theft (it doesn’t need Chinese trade secrets), and Xi still (absurdly) denies government involvement. And the agreement doesn’t cover other forms of cyber attacks or cyber espionage, not least because the U.S. engages in them, too. Still, the deal did set up a hotline and a process for investigating malicious cyber activities. It could enable deeper cooperation down the road. White House, “Fact Sheet: President Xi Jinping’s State Visit to the United States,” Sept. 25, 2015, https://www.whitehouse.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states.
One week after the failed summit: Lana Lam and Stephen Chen, “Exclusive: Snowden Reveals More US Cyberspying Details,” South China Morning Post, June 22, 2013, http://www.scmp.com/news/hong-kong/article/1266777/exclusive-snowden-safe-hong-kong-more-us-cyberspying-details-revealed?page=all.
Soon came newspaper stories: For summary, see Kaplan, “Why Snowden Won’t (and Shouldn’t) Get Clemency.”
Fort Meade’s crown jewels: Jacob Appelbaum, Judith Horchert, and Christian Stocker, “Shopping for Spy Gear: Catalog Advertises NSA Toolbox,” Der Spiegel, Dec. 29, 2013, http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969.html.
Under the surveillance system described: The potential extent of surveillance, covered by three hops, is most clearly explained in Liberty and Security in a Changing World: Report and Recommendations of the President’s Review Group on Intelligence and Communication Technologies (White House, Dec. 12, 2013), 103, https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=%22liberty%20and%20security%22%20clarke.
Following this disclosure: For instance, General Keith Alexander, testimony, House Permanent Select Committee on Intelligence, June 18, 2013, http://icontherecord.tumblr.com/post/57812486681/hearing-of-the-house-permanent-select-committee-on.
“Does the NSA collect”: Transcribed in Glenn Kessler, “James Clapper’s ‘Least Untruthful’ Statement to the Senate,” http://www.washingtonpost.com/blogs/fact-checker/post/james-clappers-least-untruthful-statement-to-thesenate/2013/06/11/e50677a8-d2d8-11e2-a73e-826d299ff459_blog.html.