@War: The Rise of the Military-Internet Complex (2 page)

The investigators discovered that this was no one-off break-in. Lockheed's networks had been breached repeatedly. They couldn't say precisely how many times, but they judged the damage as severe, given the amount of information stolen and the intruders' unfettered access to the networks. In the entire campaign, which also targeted other companies, the spies had made off with several terabytes of information on the jet's inner workings.
In absolute size, that was roughly equal to 2 percent of the collection of the Library of Congress.

In another era, running a human spy inside an American corporation and planting a listening device would have counted as a heroic feat of espionage. Now one just had to infect a computer with a malicious software program or intercept a communication over the Internet and listen in from the other side of the world.

The more investigators combed Internet logs and computer drives, the more victims they found. The spies had penetrated the networks of subcontractors in several countries.
Technicians traced the Internet protocol addresses and the techniques the spies had used. There was little doubt they were in China, and were probably the same group that has been linked to other break-ins aimed at the US military and large American companies, particularly in the technology and energy industries. The breadth, persistence, and sophistication of Chinese cyber espionage was just beginning to dawn on US military and intelligence leaders. Whether they feared embarrassment and ridicule or because they didn't want to tip off the Chinese that they were being watched, US officials didn't publicly reveal the extent of the espionage.

The spies were hunting for details about the fighter's mechanical design and how well it held up under the stresses of flight and aerial combat. This suggested that they wanted to learn the weaknesses of the aircraft—but also that they wanted to build one themselves. The implications were chilling. Presuming the spies were working for the Chinese military, American fighters might one day go into battle against their clones. American pilots might be flying against Chinese foes who already knew the F-35's vulnerabilities.

At the moment, the jet's sensors and flight controls, which allowed the aircraft to detect its adversaries or perform complicated maneuvers, appeared to be safe, because those plans were stored on computers that weren't connected to the Internet. But more than a year later, investigators were still discovering breaches that they'd missed earlier. One had to assume that the campaign might continue, and that even an offline computer was a target. The very fact that it wasn't connected to the public network suggested it contained the most sensitive information.

Investigators eventually concluded that the spies weren't initially looking for information about the F-35 at all but that they'd targeted another classified program. Perhaps they found it an easier target given how much information was lying unprotected on company networks. That they'd switched plans mid-heist hinted at the spies' audacity. Some officials marveled at how little care the intruders took to cover themselves. They didn't seem to care if they were exposed. It was like they were daring the Americans to come after them, believing they wouldn't.

The spies had made off with potentially useful intelligence, but they'd also set back the development of the F-35. US officials later said that rampant penetrations of subcontractors' computers had forced programmers to rewrite software code for the jet, contributing to a one-year delay in the program and a 50 percent increase in its cost. The Chinese might never have to fight the jet if it didn't get off the ground. But China also moved forward with its own design. In September 2012, during a visit by Defense Secretary Leon Panetta, Chinese officials leaked photographs of their newest fighter jet parked on an airfield. It bore a number of design similarities to the F-35, which was no coincidence, US officials acknowledged.
The Chinese jet's design was based partly on information the spies had stolen from American companies six years earlier.

 

The CEOs weren't sure why they'd been summoned to the Pentagon.
Or why they'd been granted temporary top-secret security clearances. Looking around the room, they saw plenty of familiar faces. The chief executives or their representatives worked for the twenty biggest US defense contractors: Lockheed Martin, Raytheon, General Dynamics, Boeing, and Northrop Grumman, among others. These were blue-chip companies in their own right, and collectively they had spent decades building the American war machine. Whatever had brought them all together at Defense Department headquarters that summer day in 2007, on such short notice, it couldn't be good news.

The executives gathered outside a “sensitive compartmented information facility,” or SCIF (pronounced “skiff”), a room built to be impervious to eavesdropping. Their hosts began what had been billed as a “threat briefing,” which didn't seem unusual, since military officers routinely talked to defense company chiefs about threats to national security. But this briefing was about threats to corporate security. Specifically, the corporations run by these executives.

Military personnel who'd investigated the F-35 breach described what they'd learned. A massive espionage campaign had targeted each of the companies' computer networks. The spies weren't looking just for information about the F-35; they stole as many military secrets as they could find. Spies had overrun the companies' weak electronic defenses and relayed classified information back to their home servers. They had sent employees working on secret projects innocuous-looking e-mails that appeared to come from trusted sources inside the company. When the employee opened such an e-mail, it installed a digital backdoor and allowed the Chinese to monitor every keystroke the employee typed, every website visited, every file downloaded, created, or sent. Their networks had been infiltrated. Their computers compromised and monitored. America's military-industrial complex had, in the language of hackers, been owned.

And the spies were still inside these companies' networks, mining for secrets and eavesdropping on employees' communications. Maybe they were monitoring the executives' private e-mails right now. “A lot of people went into that room with dark hair, and when they came out, it was white,” says James Lewis, a prominent cyber security expert and a fellow at the Center for Strategic and International Studies, a think tank in Washington, who knows the details of the meeting.

These companies were the weak link in the security chain. Pentagon officials told the executives that responding to theft of military secrets was a matter of urgent national security. And for the companies, it was a matter of survival. Most of their businesses depended on the money they made selling airplanes, tanks, satellites, ships, submarines, computer systems, and all manner of technical and administrative services to the federal government. Officials were clear: if the contractors wished to continue in their present business arrangements, they would have to do a better job defending themselves.

But they wouldn't be doing it alone.

 

After the meeting the Defense Department began giving the companies information about cyber spies and malicious hackers being monitored by US intelligence agencies.
At the time, the Pentagon was tracking about a dozen espionage campaigns—distinct groups of hackers that could be categorized based on their interest in certain military technologies, aspects of military operations or organizations, or defense contractors. This information about foreign spies was the fruit of American espionage, gathered by monitoring and studying attempts to penetrate military networks, but also by breaking in to the computers and networks of America's adversaries. US intelligence agencies were also monitoring huge flows of traffic over the global telecommunications networks for viruses, worms, and other malicious computer programs. Never before had the United States shared so much classified information with private individuals. The work of securing the nation had historically been the government's exclusive domain. But now government and industry formed an alliance against a common threat. The Pentagon gave the companies Internet addresses that were tied to computers and servers where the foreign spies were believed to be sending stolen information, as well as the e-mail addresses that were known to have sent those innocuous-looking messages that actually contained a virus or a piece of spyware. Government analysts shared the latest tools and techniques that they'd seen foreign hackers use against their targets. And they alerted companies to the types of malicious software hackers were using to pry into computers and pilfer files. Armed with these data points, known as threat signatures, the companies were supposed to bolster their own defenses and focus their attention on repelling the intruders before they compromised their networks again. The threat signatures were compiled by the National Security Agency, the government's largest intelligence organization. Its global network of surveillance plucks data out of tens of thousands of computers that the agency itself has penetrated and implanted with spyware—just like the Chinese spies who broke in to the defense companies' computers. Information gathered by the National Security Agency (NSA) is some of the most revealing about the capabilities, plans, and intentions of America's adversaries, and as such it is highly classified. Now the government was sharing it with companies under strict secrecy rules. The recipients were not to disclose that they'd received the threat signatures, and they were to keep the Pentagon apprised of any incursions into their own networks.

The Defense Industrial Base Initiative, as the intelligence-sharing program is called, started small, with just the 20 companies whose executives had gathered in the SCIF at the Pentagon. But within a year there were 30 members. Today there are about 100. Pentagon officials want to add as many as 250 new members per year to the secretive club, known by its members as the DIB (pronounced “dib”).

But officials don't want only to protect military contractors. They see the DIB as a model for securing whole industries, from telecommunications to energy to health care to banking—any business, system, or function that uses a computer network. Which today means nearly everything. The DIB was the seed of a much larger and still evolving alliance between government and industry.

 

The leaders of the intelligence agencies, top military officers, and the president himself say that the consequences of another major terrorist attack on American soil pale in comparison with the havoc and panic a determined and malicious group of hackers could cause. Instead of stealing information from a computer, they could destroy the computer itself, crashing communications networks or disabling systems that run air traffic control networks. They could hijack the Internet-connected devices that regulate the flow of electrical power and plunge cities into darkness. Or they could attack information itself, erasing or corrupting the data in financial accounts and igniting a national panic.

In October 2012 then defense secretary Leon Panetta warned that the United States was on the verge of a “cyber Pearl Harbor: an attack that would cause physical destruction and the loss of life, that would paralyze and shock the nation and create a profound new sense of vulnerability.”
Five months earlier President Barack Obama wrote in a newspaper editorial that the wars of the future would be fought online, where “an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home.”
Obama painted a dire and arguably hyperbolic picture. But his choice of imagery reflected the anxiety gripping senior leaders in government and business that cyberspace, which seems to hold boundless promise for the nation, is also its greatest unaddressed weakness. “Taking down vital banking systems could trigger a financial crisis,” Obama wrote. “The lack of clean water or functioning hospitals could spark a public health emergency. And as we've seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill.” FBI director James Comey has said the risk of cyber attacks and a rise in cyber-related crime—to include espionage and financial fraud—will be the most significant national security threat over the next decade.
For the past two years the possibility of a crippling cyber attack has topped the list of “global threats” compiled by all seventeen US intelligence agencies in a report to Congress. Protecting cyberspace has become the US government's top national security priority, because attacks online could have devastating effects offline.

And yet the government is not telling us the whole story. Officials are quick to portray the nation as a victim, suffering ceaseless barrages from an unseen enemy. But the US military and intelligence agencies, often with the cooperation of American corporations, are some of the most aggressive actors in cyberspace. The United States is one of a handful of countries whose stated policy is to dominate cyberspace as a battlefield and that has the means to do it. For more than a decade, cyber espionage has been the single most productive means of gathering information about the country's adversaries—abroad and at home. The aggressive actions the United States is taking in cyberspace are changing the Internet in fundamental ways, and not always for the better. In its zeal to protect cyberspace, the government, in partnership with corporations, is making it more vulnerable.

 

The story of how securing cyberspace became so important for the United States starts with its efforts to control it, to use it as both a weapon and a tool for spying. The military now calls cyberspace the “fifth domain” of warfare, and it views supremacy there as essential to its mission, just as it is in the other four: land, sea, air, and space. The United States has already incorporated cyber attacks into conventional warfare, and it has used them to disable infrastructure in other countries—precisely the same kinds of malicious acts that US officials say they fear domestically and must take extraordinary measures to prevent. On the spectrum of cyber hostilities, the United States sits at the aggressive end.