@War: The Rise of the Military-Internet Complex (33 page)

Mandiant executives decided that a short paper on Chinese spying wouldn't suffice. The company believed that it had plenty of evidence of a broad, persistent campaign going back to 2006, targeting different sectors of the US economy, including defense contractors. Chinese officials' denials had become “comical,” McWhorter says. In January 2013 the
Times
wrote about its own experience getting hacked. Chinese officials publicly questioned Mandiant's credibility—the company had assisted in the investigation and was quoted in the
Times
article, which could have been read as an endorsement of Mandiant's investigative work. The company decided it was time to name names. China's attempts to discredit the firm and what it knew “definitely cemented our resolve to make this a very public document,” McWhorter says.

Obama administration officials were generally pleased with Mandiant's decision. It wasn't as though the president and his national security team didn't already know what China was up to; but now a credible document, filled with evidence that could be tested and debated by experts, had changed the nature of the conversation about Chinese spying. No more off-the-record accusations. No more using “advanced persistent threat” as a euphemism for China. And the United States wouldn't have to reveal any secret intelligence sources and methods to talk openly about Chinese spying. (At the same time Mandiant was crafting its report, the Justice Department was secretly building a legal case against members of the 61398 hacker group. In May 2014, prosecutors announced indictments against five Chinese military officials, whom they claimed were connected to the group, marking the first time the United States had ever filed criminal hacking charges against nation-state actors.)

On the same day Mandiant released its report, the Homeland Security Department issued a bulletin to a select group of critical infrastructure owners and operators and other information security professionals authorized to see government information. It contained some of the same Internet addresses and websites that appeared in the Mandiant report. But notably the Homeland Security document never mentioned China and didn't tie the cyber spies to any particular location. Nor did the report mention Mandiant. Sharing of the report was restricted to “peers and partner organizations,” and it was not to be distributed via publicly accessible channels, the department advised. Mandiant's report was more useful, because it was more detailed and accessible to anyone. But the government report supported its findings. Its timing was also telling. Homeland Security could have released its version first, but it waited for Mandiant to lift the veil on APT1. Mandiant was doing the government a favor. Sources close to the drafting of the report say that the government also gave Mandiant some intelligence it used in the report, but the vast majority of the findings came from its own investigative work, going back seven years.

Practically overnight, Mandiant went from a relatively obscure forensics company known mostly to security experts and other tech startups to a sought-after name in computer security. Mandiant executives became go-to sources for journalists and sat on panels with former intelligence officials and think tank members, opining on how best to defend cyberspace from spies and attackers. Business ticked up. In 2013 the company made more than $100 million in sales, more than half of which came from a proprietary software Mandiant developed to help companies guard against APT hackers. Reportedly, more than a third of Fortune 100 companies have hired Mandiant after their computers were breached.
In January 2014, less than a year after Mandiant released the APT1 report, it was bought by another computer security firm, FireEye, for $1 billion. It was the biggest acquisition in the cyber security business in recent years and one of ten in 2013, a twofold increase from 2012.

FireEye was already a darling of Silicon Valley. The company began publicly offering shares on the Nasdaq in September 2013, and by January, the per share price had more than doubled. FireEye's was the most successful IPO for a cyber security company in 2013. Teaming up with Mandiant would make a formidable security operation. Whereas Mandiant specialized in investigating cyber intrusions, FireEye aimed to prevent them. Its technology pulls aside incoming traffic on a network into a virtual cage and examines it for any signs of malware before deciding whether to let it pass. The process was similar to one used by the Homeland Security Department to screen traffic on government networks, yet another sign that officials had no monopoly on cyber defense.

For Mandiant and FireEye, widespread Chinese spying coupled with revelations about the NSA's global intelligence operations helped to create new business and directly led to the merger. “A lot of companies, organizations, and governments said, ‘Look how pervasive these superpowers are in monitoring and stealing from these companies,'” said David DeWalt, FireEye's chairman and CEO.
His customers decided they needed to protect themselves. “There is an accelerating awareness that just wasn't there a year ago.”

 

If companies needed any more reason to hire a private security company, it arrived in June 2013, when a twenty-nine-year-old NSA contractor named Edward Snowden revealed himself as the source of an enormous cache of stolen classified documents about the agency's global surveillance apparatus. Snowden shared the documents with journalists working for the
Guardian
and the
Washington Post
, and a cascade of press coverage followed, unprecedented in its scope and specificity. Practically every conceivable aspect of how the agency spies was laid bare. The documents showed how the NSA collected vast stores of information from Google, Facebook, Yahoo, and other technology and telecommunications companies. The agency had also been scooping up the phone records of hundreds of millions of Americans and holding on to them for five years. Administration officials tried to reassure anxious citizens that most of the NSA's spying was aimed at foreigners overseas. Technology executives were dumbfounded. As they explained to officials, publicly and in private meetings, many of their customers lived in foreign countries, and were hardly at ease with the NSA spying on them simply because they weren't Americans.

 

Before the Snowden leaks, the NSA had made a public effort to court support among hackers for its cyber defense mission. In 2012, Keith Alexander had famously appeared at that Def Con, hacker conference in Las Vegas, dressed in blue jeans and a black T-shirt, shedding his army uniform for an outfit he deemed more palatable to his audience of hackers and security researchers. In July 2013, a month after the first NSA stories appeared, Def Con's organizers rescinded their invitation to have Alexander give another speech. Def Con's sister conference, Black Hat, was willing to host the spymaster. But about a half hour into his talk, members of the audience began heckling him. “Freedom!” shouted one of them, a private security consultant. “Exactly, we stand for freedom,” Alexander replied.

“Bullshit!” the consultant retorted. The crowd applauded.

Some “white hat hackers,” the ones who ply their trade to improve cyber defense and who had been cooperating with the NSA on technical discussions, are now questioning their decision, according to former agency officials who fear that the hackers may now take up arms against the government and try to expose more secrets or even attack government agencies and contractors' systems. Snowden showed that just one person could expose vast swaths of the NSA's surveillance architecture. What damage could an entire movement of highly motivated hackers do?

Snowden himself was a trained hacker. While working as an NSA contractor, he took advanced courses in “ethical hacking” and malware analysis at a private school in India.
He was in the country on a secret mission for the government, performing work at the US embassy in New Delhi, according to people familiar with his trip. The exact nature of the job is classified, but by the time he arrived, in September 2010, Snowden had already studied some advanced hacking techniques and was a quick learner in class, according to his instructor. He was taught how to break in to computers and steal information, ostensibly for the purpose of learning how to better fend off malicious hackers. He wouldn't need those skills to steal most of the classified NSA documents, to which he had unfettered access by virtue of his top-secret security clearance. It turned out that the NSA, which wanted to protect computers from Wall Street to the water company, couldn't keep a twenty-nine-year-old contractor from making off with the blueprints to its global surveillance system.

 

The Snowden revelations were the most politically damaging in the NSA's sixty-one-year history. In July the House of Representatives nearly passed a bill that would have declawed the agency's collection of Americas' phone records, which would have been the first significant rollback of the government's surveillance powers since the 9/11 attacks. Republicans and Democrats found a rare bipartisan alliance in their desire to put the spy agency on a leash. President Obama appointed a panel of intelligence and legal experts to suggest changes to NSA surveillance. They came back with a three-hundred-plus-page report and forty-six recommendations, among them ending the NSA's practice of acquiring zero day exploits, no longer inserting backdoors into encryption products, putting a civilian in charge of the spy agency, and splitting the leadership of NSA and Cyber Command so that they weren't led by the same person.
It was a blueprint for diminishing the agency's leading role in cyber security.

And yet the need to defend cyberspace was as urgent as ever. In September 2013 a senior air force official said the service still didn't know how vulnerable to hackers its networks were, because it was only a quarter of the way through a comprehensive vulnerability review.
And this more than four years after intruders were able to penetrate the air force's air traffic control system, which could have allowed them to interfere with aircraft flight plans and radar systems.
A month after the air force's admission, a Defense Department inspector general issued a report that found that the Pentagon, the Homeland Security Department, and the NSA had no central system for sharing cyber alerts with one another and companies in real time.
The government had a system for circulating alerts, and another for sending follow-up instructions on how to respond to cyber threats, but those two systems weren't connected.

News from the critical-infrastructure sectors that the government wanted to protect wasn't any more encouraging. Earlier in the year a pair of engineers had discovered vulnerabilities in communications systems used by power and water utilities across the country that could allow an attacker to cause a widespread power outage or damage water supplies.
Homeland Security officials issued alerts, but few utilities had applied a patch to the vulnerable software. And cyber espionage against US companies showed no signs of abating. “There isn't a computer system in this country of consequence that isn't penetrated right now with information going out at the terabyte level,” former NSA director McConnell said during a speech in Washington in October, a claim echoed publicly and privately by numerous intelligence, military, and law enforcement officials.

US officials were still reeling over an attack the previous year against the Saudi Arabian state-owned oil company Aramco, which by some measures was the most valuable company in the world, supplying 10 percent of the world's oil. Hackers used a powerful virus to completely erase information on about 75 percent of its computers, thirty thousand machines in all. The virus deleted e-mails, spreadsheets, and documents in an attack that company officials said was aimed at stopping its oil and gas production. The hackers didn't succeed in disrupting Aramco's production facilities, but the attack was a reminder that hackers could severely wound a company by obliterating its stores of corporate information. Some US officials suspected that Iran mounted the attack in retaliation for the Stuxnet worm. If that was so, it marked an escalation in intentional cyber warfare and showed that the United States couldn't expect to launch cyber attacks without reprisals.

Cybercrime was also rampant in the United States. In mid-December 2013, the retail giant Target discovered that hackers had forced their way into the company's systems and stolen debit and credit card information. The crooks installed malware directly onto cash registers in Target stores and siphoned financial data. The company initially estimated that thieves took 40 million customers' financial information. But a month later, it revised that number to between 70 and 110 million. It was a staggering number, making the Target breach one of the biggest cyber thefts in history. Investigators concluded that the hackers were probably based in Eastern Europe or Russia, and that they first penetrated Target's network using stolen network credentials from a Pennsylvania company that maintains refrigeration systems in supermarkets.
Target also discovered that the thieves swiped customers' names, phone numbers, and e-mail and mailing addresses. The company faced potentially steep fines for not complying with industry standards to protect credit and debit card information.

Government agencies didn't fare much better in protecting their own networks. In February 2014 a Senate committee report found that with few exceptions, federal civilian agencies hadn't installed available software patches or kept antivirus software up to date.
Unlike their military and intelligence agency counterparts, the civilian agencies lacked some of the most fundamental training and awareness about common sense security. Government employees were using flimsy passwords. One popular choice the investigators found: “password.” Even the Homeland Security Department hadn't installed software security updates on all of its systems, “the basic security measure just about any American with a computer has performed,” the report found.