@War: The Rise of the Military-Internet Complex

Authors: Shane Harris



Jeffrey Hammond alleges that Monsegur's work for the government went well beyond targeting groups such as Anonymous. “What many do not know is that Sabu was also used by his handlers to facilitate the hacking of targets of the government's choosing—including numerous websites belonging to foreign governments. What the United States could not accomplish legally, it used Sabu, and by extension, me and my co-defendants, to accomplish illegally.” Hammond, who was later sentenced to ten years in prison for the Stratfor hack, offered no evidence for his claims, and the FBI has never acknowledged enlisting hackers to penetrate foreign targets.

 

Sometimes the government and the companies they're ostensibly trying to protect seem to be working against each other. But as contentious as the relationship can be, there's an alliance forming between government and business in cyberspace. It's born of a mutual understanding that US national security and economic well-being are fundamentally threatened by rampant cyber espionage and potential attacks on vital infrastructure. The government views protecting whole industries as the best way to protect cyberspace writ large. But it can't do it alone. About 85 percent of the computer networks in the United States are owned and operated by private groups and individuals, and any one of them could be the weak link in the cyber security chain. They're the big telecom companies that run the Internet backbone. They're tech titans such as Google, which is responsible for a huge portion of Internet traffic and is beginning to lay its own cables in some American cities to provide Internet and television service. They're the financial institutions whose proprietary data networks reconcile trillions of dollars in transactions every day and move money seamlessly between accounts around the world. And they're the defense contractors, the traditional allies of government, whose networks are chock-full of top-secret weapons plans and classified intelligence. The government has decided that protecting cyberspace is a top national priority. But the companies have a voice in how that job gets done. That's the alliance at the heart of the military-Internet complex, and it will define the nature of cyberspace, and how we all work and live there, in the twenty-first century.

 

 

 

 

PART II

EIGHT

“Another Manhattan Project”

May 2007

The Oval Office

It had taken Mike McConnell just fifteen minutes to persuade George W. Bush to authorize a cyber war in Iraq. McConnell had asked for an hour with the president and his top national security advisers, figuring it'd take at least that long to convince them that such a risky undertaking was worth considering. What was he to do with the remaining forty-five minutes?

“Is there anything else?” Bush asked.

“Well, as a matter of fact, there is,” McConnell replied.

Ever since he'd returned to government service in February, McConnell had been looking for an opportunity to talk with Bush about one of his biggest unaddressed concerns for national security: that the United States was vulnerable to a devastating cyber attack on a national scale. McConnell feared that the country's communications systems, like those in Iraq, could be penetrated by outsiders and disrupted or destroyed. And he was especially worried that the financial sector hadn't taken sufficient precautions to guard account information and records of stock transactions and funds transfers, or to stop criminals from stealing billions of dollars from personal and corporate bank accounts.

But physical infrastructure was also at risk. Two months earlier, the Homeland Security Department had asked the Idaho National Laboratory, which conducts nuclear and energy research for the federal government, to test whether hackers could gain remote access to an electrical power plant and cause a generator to spin out of control. The results were startling. A videotape of the test, which was later leaked to the press, showed a hulking green generator shaking as if in an earthquake, until steam and black smoke billowed out. The effect was almost cartoonish, but it was real, and the test revealed a critical weakness at the heart of America's electrical grid. Officials feared that hackers could disable electrical power equipment and cause blackouts that might last for weeks or even months while the equipment was replaced.

The cyber threat was no longer theoretical. Defense Department officials had by now begun to notice intrusions into contractors' computer networks. Among the secret plans and designs for weapons systems that the spies either had stolen or would eventually steal were those for the Joint Strike Fighter; Black Hawk helicopters; the Global Hawk long-range surveillance drone, as well as information on drone video systems and the data links used to remotely fly the unmanned aircraft; the Patriot missile system; a line of General Electric jet engines; the Aegis missile defense system; mine reconnaissance technology; sonar used for undersea mapping; the navy's littoral combat ship; schematics for lightweight torpedoes; designs for Marine Corps combat vehicles; information on the army's plans to equip soldiers with advanced surveillance and reconnaissance equipment; designs for the behemoth cargo plane, the C-17 Globemaster, as well as information on the army's global automated freight-management system; and systems designs for the RC-135 reconnaissance aircraft, signals intercept technology, and antenna mechanisms used by the navy. Every branch of the US Armed Forces had been compromised, along with the technology and weapons that the United States used to fight in every domain—land, air, sea, and space.

But how to convey this urgency to Bush? McConnell knew the president was no technologist. This was the man who had once said he used “the Google” only occasionally, to look at satellite images of his ranch in Texas. It would be difficult to explain in technical terms how someone sitting at a keyboard could wreak havoc from thousands of miles away, using a machine with which the president was largely unfamiliar. So McConnell appealed to the idea that had most captivated Bush's attention during most of his presidency: terrorism.

McConnell asked Bush to consider a hypothetical scenario: if instead of hijacking commercial airliners and flying them into buildings on September 11, 2001, al-Qaeda terrorists had broken into the databases of a major financial institution and erased its contents, the gears of the global financial system could grind to a halt. Transactions couldn't be processed. Trades wouldn't clear. The trillions of dollars that sloshed around the world every day did so through computer networks. The “money” was really just data. It was balances in accounts. A distributed network of electronic ledgers that kept track of who bought and sold what, who moved money where, and to whom. Corrupt just a portion of that information, or destroy it, and mass panic would ensue, McConnell said. Whole economies could collapse just for lack of confidence, to say nothing of whether all banks and financial institutions would ever be able to recover the data they lost.

Bush seemed incredulous. How could an intruder armed with only a computer penetrate the inner sanctums of the US financial system? Surely those companies would have taken precautions to protect such precious assets. What else was vulnerable? Bush wanted to know. Was the White House at risk? Bush pointed to the secure phone on his desk that he used to talk to cabinet officials and foreign leaders. “Could someone get into that?” he asked.

A silence fell over the Oval Office. Some of Bush's senior national security aides looked nervously at one another. McConnell realized that until this moment, the president had never been told just how weak the government's own electronic defenses were, or the country's.

“Mr. President,” McConnell said, “if the capability to exploit a communications device exists, we have to assume that our enemies either have it or are trying to develop it.”

And this after McConnell had been telling Bush about all the ways that the United States could exploit Iraq's communications systems. It was starting to dawn on the president: what he could do to others, they could do to him.

Returning to the hypothetical cyber attack on the financial system, McConnell drew another comparison to terrorism.

“The economic effects of this attack would be far worse than those of the physical attacks of 9/11,” McConnell told Bush, who knew that the strike on the Twin Towers and the Pentagon had plunged the United States even deeper into a recession.

Bush looked stunned. He turned to his Treasury secretary, Henry Paulson, whose last job was CEO of Goldman Sachs. “Hank, is what Mike is saying true?”

Paulson replied, “Not only is it true, Mr. President, but when I was in charge of Goldman, this is the scenario that kept me up at night.”

Bush stood up. “The Internet is our competitive advantage,” he told his aides and cabinet officials. “We have to do what's necessary to protect it. We'll do another Manhattan Project if we have to,” Bush said, alluding to the secret World War II program that built the first atom bomb.

McConnell had never imagined such a muscular response. For more than a decade he'd been hoping the president—any president—would hone in on the dangers that he believed were lurking right beneath the surface of daily life.

Bush turned to McConnell. “Mike, you brought this problem in here. You've got thirty days to fix it.”

 

No one could “fix” this problem in thirty days—if it could truly be solved at all. But President Bush had just asked for a comprehensive, national plan to shore up the nation's cyber defenses, invoking one of the greatest scientific challenges in American history. McConnell saw a rare opportunity, and he seized it. But he couldn't do the work alone. So, the spymaster turned to the source of technical wizardry that he knew best.

From the beginning, the government's cyber defense plan was run by the NSA. It was treated as a military and intelligence program and, as such, kept in strict secrecy. It was officially codified in a presidential directive that Bush signed in January 2008. The administration proposed to spend $40 billion on the effort in its first five years—a huge sum of money for a single initiative. Like McConnell, Keith Alexander had been waiting for a moment when a president put his full weight and influence behind a national effort to push back against the invisible enemies that Alexander believed posed a near-existential threat to the United States. Alexander also thought that malicious hackers, probably acting on behalf of enemy nations or terrorist groups, would eventually target Wall Street financial institutions, the power grid, and other vital infrastructure.

The first stage of the national counteroffensive was to give the enemy fewer targets to hit. The Defense Department pared down its own network connections to the public Internet to a mere eighteen points, called gateways. That in itself was an extraordinary feat, considering that Internet access had been distributed to every far-flung corner of the armed forces, down to most company headquarters in war zones. (That was what made the insurgent-hunting machine in Iraq work so smoothly.) The Defense Department did a better job than any other government agency fending off intrusions to its networks, but occasionally adversaries got through. In June 2007, hackers broke in to the unclassified e-mail system that Secretary of Defense Robert Gates and hundreds of other department officials used. It was an urgent reminder that the time had come to pull up the virtual drawbridges, tightly restricting access to the outside world.

Meanwhile, the NSA began to intensely monitor those gateways for signs of malicious activity. This was the active side of computer defense, what a senior Pentagon official would later describe as “part sensor, part sentry, part sharpshooter.” If the hackers or their botnets touched a Defense Department network, the military could block an Internet address to prevent the computer from sending malicious traffic, and then send out the alert to military and intelligence organizations that they should watch for dangerous traffic coming from that location. The idea was to better protect the Defense Department's own networks using the NSA's intelligence-gathering skills, but also to provide a kind of early-warning system to companies by watching for any passing malware that might indicate a campaign targeting critical industries, and then pass along the intelligence to them. Energy and financial services companies were at the top of the list to receive warnings.

But these were piecemeal measures that didn't amount to a broad plan for protecting the nation. Trying to spot malware across the Internet through a handful of access points was like trying to find a fly on a wall while looking through a soda straw. (There is no evidence that the NSA ever helped avert a major cyber attack as part of this strategy of monitoring its own networks.) Alexander said that to thoroughly defend the country, the NSA needed more pathways into the networks of US companies. It had some through a secret counterintelligence program called Operation Byzantine Foothold, in which NSA hackers traced Chinese and other foreign spies who had penetrated military contractors. The NSA followed the trail of spear-phishing e-mails loaded with malware back to their source, and the intelligence they gleaned about hacker tactics helped fortify the companies' defenses. But only a few dozen companies were cooperating with the Pentagon, sharing information from their own networks and letting the NSA get a glimpse inside. Alexander wanted the government to expand the plan to companies beyond the Defense Industrial Base. But that would take time and a level of political will that Bush might not have at this late point in his presidency. McConnell, for one, thought it'd be politically disastrous if the NSA's hands-on role in domestic cyber defense were revealed. It had been less than two years since a front-page article in the New York Times exposed the NSA's program of warrantless phone and e-mail surveillance inside the United States. The agency's role in cyber defense marked an expansion of those activities, and a blending of intelligence gathering and warfare—to the extent that the agency fought back against the hackers. Some members of Congress wanted to rein in the NSA's surveillance efforts, which were a requisite piece of its cyber defense mission. McConnell thought that for now the agency needed to keep a low profile and stay focused on the least controversial part of defense, scanning the department's networks and those of its contractors.
