@War: The Rise of the Military-Internet Complex (25 page)

Bush administration officials were swept up in a wave of cyber anxiety. It washed over them, and onto the next president.

TEN

F
ROM THE MOMENT
he took the oath of office, Barack Obama was bombarded with bad news about the state of America's cyber defenses. He'd already had his classified national security briefing with Mike McConnell in Chicago, where the intelligence director told him a version of the dire story he'd laid out for Bush in 2007. During the campaign, Obama staffers' e-mail accounts had been hacked by spies in China, as had those of his opponent, Senator John McCain.
Now, as the forty-fourth president settled into the Oval Office, the Center for Strategic and International Studies, a respected Washington think tank, had just issued a comprehensive and discouraging analysis of US cyber security.
The report's authors, who had conducted at least sixteen closed-door sessions with senior government and military officials, listed a number of hair-raising intrusions that had been declassified. Among them were the hacking of Secretary of Defense Robert Gates's e-mail; a spyware infection at the Commerce Department, which was attributed by several outside experts to a program that Chinese hackers had installed on the laptop computer of Secretary of Commerce Carlos Gutierrez during an official visit to Beijing; and computer break-ins at the State Department that caused the loss of “terabytes” of information.
But these and other incursions enumerated in the final document were only about 10 percent of all the breaches the authors had identified, according to a staff member who worked on the report.
The rest were too sensitive, and perhaps too alarming, to discuss publicly.

The panel members—which included senior officials from the National Security Agency, executives at some of the country's biggest technology and defense companies, members of Congress, and cyber security experts who would go on to serve in the new administration—praised the Manhattan Project–style initiative that Bush had launched. But they said it didn't go far enough. The Obama administration should build on those efforts and enact regulations requiring certain industries and critical infrastructure to fortify and maintain their cyber security. “This is a strategic issue on par with weapons of mass destruction and global jihad, where the federal government bears primary responsibility,” the panel members wrote. “America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration. . . . It is a battle we are losing.”

Foreign spies worked relentlessly to get access to the communications, speeches, and position papers of senior members of the new president's administration. During Obama's first year in office, Chinese hackers launched a campaign targeting State Department officials, including Secretary of State Hillary Clinton. In a particularly clever play, five State Department employees who were negotiating with Chinese officials on reducing greenhouse-gas emissions received spear-phishing e-mails bearing the name and contact information of a prominent Washington journalist, Bruce Stokes.
Stokes was well known at the State Department because he covered global trade and climate change issues. He was also married to Ambassador Wendy Sherman, who'd been Bill Clinton's top policy adviser on North Korea and would later go on to the number three position at State, leading US negotiations with Iran over its nuclear program in 2013. The US climate change envoy to China, Todd Stern, was also an old friend of Stokes's. The subject line of the e-mail read, “China and Climate Change,” which seemed innocuous enough to pass for a reporter's inquiry. And the body of the message included comments related to the recipients' jobs and what they were working on at the time. Whoever sent the message had studied Stokes and knew his network of friends and sources well enough to pose as him in an e-mail. It's still unclear whether any of the recipients ever opened the messages, which came loaded with a virus that could have siphoned documents off the officials' computers and tracked their communications.

Also in 2009 a senior member of Hillary Clinton's staff received an e-mail that appeared to come from a colleague in the office next door.
The e-mail contained an attachment that the author claimed was related to a recent meeting. The recipient couldn't recall the meeting and wasn't sure it had ever occurred. He walked over to his colleague's office and asked about the e-mail he'd just sent.

“What e-mail?” his colleague asked.

Thanks to a young staffer's suspicions, the State Department blocked spies from potentially installing surveillance equipment on the computers in Clinton's office. It was a reminder of how sophisticated the spies had become, and clear evidence that they were mapping out the relationships of administration employees, most of whose names rarely or never appeared in the press. Chinese spies honed this technique over the coming years, and they still use it today. Charlie Croom, a retired air force general who ran the Defense Information Systems Agency and is now vice president for cyber security at Lockheed Martin, says cyber spies will scour the company's website looking for names of employees in press releases, lists of public appearances by executives, and other tiny nuggets of information that might help them refine their approach to a potential target.
A generation ago, spies had to rifle through people's garbage and trail them on the street to get those details.

In the face of warnings about American defenses and a foreign intelligence campaign against his own staff, Obama signaled early on that he intended to make cyber security one of the top priorities. In a speech from the East Room of the White House in May 2009 he said, “We know that cyber intruders have probed our electrical grid and that in other countries cyber attacks have plunged entire cities into darkness.” Obama didn't say where, but intelligence and military officials had concluded that two blackouts in Brazil, in 2005 and 2007, had been triggered by hackers who gained access to the SCADA systems that controlled electrical equipment there.

Until Obama's speech, US officials had, for the most part, only hinted that electrical grids had been breached, and they rarely agreed to be quoted by name. Owners and operators of electrical facilities denounced rumors of hacker-caused outages, including some in the United States, as speculative nonsense, and cited official investigations that usually attributed the outages to natural phenomena, like fallen trees or soot on power lines.
But now the president was acknowledging that the American electrical grid was vulnerable and that the nightmare of a cyber blackout had come true in another country.

“My administration will pursue a new comprehensive approach to securing America's digital infrastructure,” Obama announced. “This new approach starts at the top, with this commitment from me: From now on, our digital infrastructure—the networks and computers we depend on every day—will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy and resilient. We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage.”

Protecting cyberspace, Obama declared, was the government's job.

 

Keith Alexander agreed. For him, the only question was, who in the government should take on such a herculean task?

Not long after he became NSA director, in 2005, Alexander paid a visit to the headquarters of the Homeland Security Department, a complex of buildings in the prosperous Washington neighborhood of Cathedral Heights where navy cryptologists had helped to break the Nazi Enigma code in World War II. He was carrying a rolled-up sheet of paper to share with Michael Chertoff, a former federal prosecutor and judge who had been confirmed as the new secretary of homeland security earlier that year.
By law, the department was supposed to coordinate cyber security policy across the government, protect civilian agencies' computer networks, and work with companies to protect critical infrastructure. It was a huge and ill-defined portfolio of responsibilities, and one of myriad tasks delegated to the two-year-old department, including patrolling US borders, screening airline passengers and cargo, fixing the nation's broken immigration system, and ensuring that terrorists didn't launch another surprise attack in the United States.

In an eavesdropping-proof room, Alexander rolled the paper out over the length of a conference table. It was a huge diagram, showing all the malicious activity on the Internet that NSA knew of at that time. Alexander's message could be interpreted two ways. He was there to help the fledgling department fulfill its cyber defense mission. Or he was not so subtly conveying that the department would be lost without the NSA's help, and that Homeland Security should step aside and let the experts take over. The truth was, Homeland Security couldn't produce a diagram like the one Alexander had just presented. It lacked the trained personnel, the huge budgets, the global architecture of surveillance, and the bureaucratic and political clout in Washington to perform at the NSA's level.

As Alexander and his lieutenants saw things, it would be irresponsible bordering on negligent not to assist the department however they could. But that didn't mean surrendering NSA's role as the center of gravity in cyber security. The agency was part of the Department of Defense, and its writ extended to protecting the nation from foreign attacks, whether on land, in the air, at sea, or on a computer network.

Chertoff and Alexander got along well, according to former officials who worked with both of them, and the secretary seemed happy to let the cyber warriors at Fort Meade take the lead. Alexander spent the next four years building up NSA's cyber forces, culminating in the successful Buckshot Yankee operation and the establishment of Cyber Command. In 2009, Obama named former Arizona governor Janet Napolitano as his homeland security secretary. Alexander told his staff to give Napolitano and her team whatever help and advice they needed. But he had no intention of ceding the battlefield. Not when he was about to launch his biggest campaign yet.

 

Alexander had seen how the Defense Industrial Base Initiative was able to give the government access to information from corporate computer networks. The companies had become digital scouts in cyberspace, and the information they reported back helped to feed NSA's catalog of threat signatures—the lists of known malware, hacker techniques, and suspect Internet addresses that could be used to fortify defenses. Alexander liked to call it “the secret sauce.” The DIB had started with just twenty companies. Now he wanted to use the DIB model in new industries, including the energy and financial sector, and to bring as many as five hundred companies into the fold.

At NSA the plan became known as Tranche 2.
Operators of “critical infrastructure”—which could be broadly defined to include electrical companies, nuclear power plant operators, banks, software manufacturers, transportation and logistics companies, even hospitals and medical device suppliers, whose equipment could be hacked remotely—would be required by law or regulation to submit the traffic to and from their networks for scanning by an Internet service provider. The provider would use the signatures supplied by the NSA to look for malware or signs of a cyber campaign by a foreign government. It was a version of Alexander's original plan to make the NSA the central clearinghouse for cyber threat intelligence. The NSA wouldn't do the scanning, but it would give all the requisite threat signatures to the scanner. That helped the NSA avoid the impression that it was horning its way into private computer networks, even though it was actually in control of the whole operation. Once the scanners detected a threat, NSA analysts would move in and assess it. They would decide whether to let the traffic pass or to block it, or, if need be, to strike back at the source.

The agency had already developed a scanning system called Tutelage that could isolate e-mails containing viruses and put them in a kind of digital petri dish, so that analysts could examine them without infecting any computers. This was the “sensor, sentry, and sharpshooter” that the NSA had used to monitor its Internet gateways back in 2009. Now Alexander wanted to bring that capability to bear as part of Tranche 2, effectively turning hundreds of companies and critical- infrastructure operators into a new front in the cyber wars.

This made some Obama administration officials nervous. The president had clearly stated his intentions to protect cyberspace as a critical national asset. But he had always been conflicted about how long a leash to give the NSA. Obama had never warmed to the agency or Alexander. And although he appreciated and embraced the powerful capabilities that the NSA had to offer, the culture of espionage seemed alien to him.

In the summer 2009, Pentagon officials drafted an “execute order” that would allow the military to launch a counterstrike on computers sending malicious traffic not just to a military system but also against privately owned critical-infrastructure facilities, such as electrical power stations. That was an extraordinary step. Heretofore, the government had only given assistance to companies in the form of intelligence about hackers and malware, which they could use to bolster their own defenses. Now the NSA wanted authority to launch a defensive strike against anyone attacking key American businesses in such a way that loss of life might occur—a blackout, say, or an attack on the air traffic control system—or if the US economy or national security would be jeopardized. That latter set of criteria was arguably broad and open to interpretation. Would a massive denial of service attack against American banks, for instance, which didn't shut them down or steal funds but disrupted their operations, count as a hostile act that jeopardized the US economy?

Obama administration officials pared back the order—but only slightly. Obama didn't push the NSA out of the business of retaliatory strikes. He just required it to get authorization from him or his secretary of defense.