@War: The Rise of the Military-Internet Complex (10 page)

But those aggressive programming features also increased the chances that Stuxnet would be discovered, which eventually it was, in June 2010, when an obscure security company in Belarus discovered the first evidence of a computer virus that would later be dubbed Stuxnet. Researchers initially speculated that a flaw in the worm's code (which of course was now more complex, and thus more prone to error) had allowed it to “escape” beyond the confines of its initial target's networks, perhaps after an engineer at Natanz connected a laptop to an infected machine, then took it home or to the office and connected to the Internet. But what's not generally known is that this leaping aspect was perhaps not a bug but a feature. In addition to breaking centrifuges, Stuxnet was also designed for reconnaissance. It sent the Internet address and host names of infected computers back to its command center. Why would any of these features be necessary for a weapon that was built to attack machines behind an air gap, where they were separated from the Internet? The obvious answer is that Stuxnet's designers knew it wouldn't stay behind the air gap for long. And perhaps they didn't want it to. Stuxnet was also designed to scout out networks and computers inside Natanz as it looked for the right target to attack. The contractors inside the plant worked for other clients as well. If their laptops became infected with Stuxnet, and they carried those computers to their other work sites, the worm might perform this reconnaissance function at other nuclear facilities in Iran. Stuxnet could tell the United States who those nuclear contractors were working for, where other nuclear facilities in Iran were located, and perhaps how far along those plants might be on their respective enrichment paths. It could potentially give the Americans more insight into Iran's nuclear program than any human spies ever had. Obama's decision to escalate the Stuxnet attack wasn't without risk, but the potential upside to US intelligence-gathering efforts was too tempting to ignore. No wonder McConnell and Bush took so much time to explain cyber warfare and its benefits to the new commander in chief.

As McConnell was nearing the end of his time in office and preparing to return to Booz Allen Hamilton, he felt he had one task left to do. The NSA had made great strides in cyber warfare. The military was developing its own capabilities. But there was no commander in charge of all their work. The military runs on a rigid hierarchy, the core philosophy of which is that in war the armed forces fight jointly. The army and the air force don't head into battle with separate missions and agendas. They make plans and then fight together. So should it be in cyber war, McConnell thought.

He wanted to establish a new cyber command, designed along the lines of the military's combatant command structure, which divided the world up into geographic regions—Pacific Command, European Command, Central Command for the Middle East, and so on—and also around specific missions. The special operations forces, JSOC, which had worked so closely with the NSA in Iraq, fell under the direction of US Special Operations Command. And the Strategic Command conducted operations in outer space and managed the United States' nuclear weapons.

Cyber needed its own command, McConnell thought, so that the unique expertise and capabilities of each branch of the armed forces could be harnessed. Military leaders and administration officials were coming around to the idea that future wars would be fought on the Internet as well as in the physical domains. But a new command would make it clear that cyber warfare was not a passing fashion. McConnell thought there was no better way to establish cyber's staying power than to enshrine it in the military's command-and-control structure.

As it happened, in late October, less than two weeks before the election, a computer worm had infected military networks, a major breach that persuaded the Pentagon brass that their cyber defenses were lacking. The NSA had quickly neutralized the intrusion and was leading the cleanup through the remainder of Bush's term. McConnell conferred with his old friend Bob Gates, who had agreed to stay on as secretary of defense under the new administration. Gates agreed there should be a new cyber command. It wouldn't happen while McConnell was in office. Official Washington would be consumed by the ritual of the presidential transition, as Bush administration officials handed off the keys to the incoming crew and explained in detail everything they'd been working on. But Gates took the baton. In June 2009 he ordered the commander of US Strategic Command to establish a new Cyber Command, or CyberCom. Strategic Command seemed like an obvious home—it had nominal responsibilities for coordinating information warfare across the military services. But by now the NSA was effectively in charge of that mission. Therefore, the NSA director should run CyberCom, Pentagon officials reasoned. The plan was to keep it as a subordinate command temporarily, let it grow, and then elevate CyberCom to full combatant command status.

In ways that few could discern at the moment, the current NSA director, army general Keith Alexander, had been groomed for the role of cyber commander his entire military career. Over time he would be revealed as an erudite technologist, a cunning warrior, and one of the most politically skillful generals in recent memory. For now, though, as the new Cyber Command got on its feet, he was one of its strongest supporters on Capitol Hill, in the military ranks, and at the White House.

At an “activation ceremony” on May 21, 2010, at Fort Meade, Alexander was sworn in as the first commander of US Cyber Command. Gates attended, along with David Petraeus, who was then in charge of Central Command. The only man missing from the bunch of founding fathers was McConnell. But his work was done. The United States had officially entered the age of cyber war.

 

The military-intelligence alliance proved it was very good at attacking bands of insurgents and terrorists in Iraq. But what would happen when the United States met a large, organized national military on the battlefield of cyberspace—and it fought back?

To find out, on May 7, 2010, around six hundred people showed up at Nellis Air Force Base, on the outskirts of Las Vegas, for the annual Schriever Wargame.
Every year the game was premised on some hot-button issue of strategy currently vexing US forces. (In 2012, the participants fought pirates around the Horn of Africa.) The name Schriever, in addition to being attached to the base in Colorado that administered the game, was an important one in air force history: Bernard Adolph Schriever, or Bennie, was a German immigrant who became a US general in 1961 and was a pioneer in space and ballistic missile research.

The participants for the 2010 game included senior military officers, representatives from all the combatant commands, and military and civilian cyber security experts from more than thirty US government agencies—including the NSA, the Homeland Security Department, and the National Reconnaissance Office, which runs a network of spy satellites and is arguably the most secretive of all the spy agencies. Executives from technology companies also showed up, along with policy wonks, official delegations from Australia, Canada, and Great Britain—the United States' three closest allies—as well as one former member of Congress, Tom Davis, whose district included many of the biggest Defense Department and spy agency contractors. For the war game, Davis played the role of president of the United States.

The year was 2022. A “regional adversary” in the Pacific—it was never named, but everyone seemed to pretend it was China or North Korea—perceived a military provocation from a US ally. In response, the adversary launched a crippling cyber attack on the ally's computer networks. The ally invoked its mutual defense agreement with the United States. Washington had to respond.

Before the US forces could decide on their first move, the adversary struck preemptively, attacking “aggressively, deliberately, and decisively” to block the US forces' access to the computer networks they would need to communicate and send orders, according to a senior US general who participated.

“Red blockades Blue,” the players were informed.

Blue had trained for a blockade on water, not on the Internet. They knew how to signal to an adversary, “We see you—back off.” They could hail him over a radio frequency. Flash lights. Sound sirens. They could summon other ships to the area as a show of force. There were assertive but nonlethal steps a commander could take, short of actually firing on the enemy's ship, to halt his advance.

But in cyberspace, the only thing the players knew how to do was attack the enemy's network and destroy it, skipping all the posturing and signals and heading straight to full-on combat. There was no cyber equivalent, that they knew of, for summoning all hands to battle stations. It was either attack or don't. The traditional deterrence strategy was useless.

It also wasn't clear that the other side had a deterrence strategy of its own, or even believed in the value of one. Military planners liked to compare cyber weapons to nuclear weapons, because they both could cause massive, strategic-level damage and required presidential authorization to use. But with nuclear hostilities there was a series of clear, mutually understood actions each side could take that stopped short of using the weapons. Throughout the Cold War, the United States and the Soviet Union helped keep a fragile peace in large part by making clear how they could—and would—destroy each other. The Soviets test a new missile, the Americans show off one of theirs. They talk of deploying missiles closer to targets in Europe, the US president talks openly about the possibility of using nuclear weapons, and says he hopes it never comes to that. In this back-and-forth, full of chest thumping and heated words, both sides implicitly agreed they were trying to avoid a nuclear war, not cause one. Signaling their hostile intent gave each side time to back down, cool off, and save face.

But now, in the game, the regional adversary continued attacking in unpredictable ways. After hitting the US forces' computer networks, it sent “grappler” satellites to latch on to US satellites, pushing them out of their orbit and disabling them.

Over the next four days, military commanders struggled to come up with a response short of full-scale war, which they were convinced would result in enormous casualties on both sides. Senior leaders in the Defense Department and at the White House got involved. The US forces discovered they had no cyber war agreements with their foreign allies, so there was no road map for an international response. Military leaders turned to the corporate executives for help. What technology did the companies have to send some kind of signal to the enemy to change its tactics? Was there such a thing as a non-hostile cyber attack? No one was sure.

The enemy had already made a decision that cyber and space attacks were the best way to counter the perceived aggression from its neighbor and fend off a US response. They had already set their red line. And they had already gamed out the US response, which got bogged down as more and more senior executives weighed in about what moves would be effective, or even legal. The mighty superpower was reduced to a bunch of confused and disorganized players. Worse, in the words of one participant, this appeared to be exactly what the enemy wanted. “We were unwittingly and obediently following a script that the adversary had already written for the campaign, and our military actions to deter would have no effect on their decision calculus.”

All war games start with a set of premises; the risk for the players is that they presume those facts will hold true in real life and fail to consider alternatives. The Schriever Wargame was designed so that China or North Korea would preemptively launch a cyber attack. Of course, they might not. Maybe in a real standoff they would fear a cyber counterstrike by the United States—or worse, a nuclear one. Arguably, one lesson of the war game was that the military should reexamine its premises and assess how likely another country was to launch a first strike in cyberspace, given the mutually assured destruction that the military believed would follow.

Instead, the game reinforced the military's natural disposition toward war. And it convinced senior military and Pentagon leaders that if a cyber war ever did break out, it would happen “at the speed of light,” with practically no warning. From now on, whenever they testified before Congress or gave public speeches and press interviews, they warned about the instantly devastating nature of cyber warfare. It became an article of faith when it came to their planning. The United States, they said, had to prepare now for the inevitability of this conflict, and take extraordinary measures to strengthen its forces—for defense and offense.

 

As unnerving as the war game proved to be, there were threats closer to home that had US officials worried. In May 2009, in a speech in the East Room of the White House, President Obama revealed that “cyber intruders have probed our electrical grid and that in other countries cyber attacks have plunged entire cities into darkness.” Obama didn't say that foreign hackers had actually turned off the lights in the United States. But privately, some intelligence officials claimed that Chinese hackers were responsible for two major blackouts, in 2003 and 2008.
The first blackout was the largest in North American history, covering a 93,000-square-mile area including Michigan, Ohio, New York, and parts of Canada. An estimated 50 million people were affected. The ensuing panic was so severe that President Bush addressed the nation to assure people the lights would come back on. Within twenty-four hours, power was mostly restored.

One information security expert who was under contract to the government and large businesses, dissecting Chinese spyware and viruses found on their computers, claimed that in the second blackout, a Chinese hacker working for the People's Liberation Army had attempted to case the network of a Florida utility and apparently made a mistake. “The hacker was probably supposed to be mapping the system for his bosses and just got carried away and had a ‘what happens if I pull on this' moment.” This expert thought the hacker triggered a cascade effect, which shut down large portions of the power grid in Florida.
“I suspect, as the system went down, the PLA hacker said something like, ‘Oops, my bad,' in Chinese.”