@War: The Rise of the Military-Internet Complex (27 page)

Still, Alexander persisted. In 2011 he traveled to New York and met with executives from some of the country's biggest financial institutions. Sitting in a conference room in Manhattan, he'd have been forgiven for thinking he was back in that secure room at the Pentagon in 2007, about to tell titans of industry what a big problem they had on their hands.

The NSA had already been sharing some threat signatures with the banks through a nonprofit group the banks themselves had set up, called an information sharing and analysis center. It wasn't a real-time system, but it helped the banks stay abreast of security trends and in some cases get early warning about types of malware and intrusion techniques. Other industries had set up similar centers as a way of pooling their collective knowledge, but the banks were generally thought to be the best at it, because they had so much to lose (billions of dollars a year to cyber theft) and because their businesses ran on data networks.

Alexander told the executives that he wanted to expand the DIB information-sharing program to the banking sector, but this time with a twist. It would be much easier to protect the companies, Alexander explained, if they let the NSA install surveillance equipment on their networks. Cut out the middleman. Let the analysts at Fort Meade have a direct line into Wall Street.

A silence fell over the room. The executives looked at one another, incredulous.
Is this guy serious?

“They thought he was an idiot,” says a senior financial services executive who was at the meeting and who had met Alexander on previous occasions.
“These are all private networks he was talking about. The attacks we've seen in the industry have generally been on Internet interfaces with customers—websites for online banking, or the website for Nasdaq.” Those websites had been hit in recent years with so-called denial-of-service attacks, which flood servers with requests for information and cause them to crash but don't do any damage to the account data inside a bank's computers. And much of that information, the executive says, moves over networks that are air-gapped, or have very few connections to the public Internet. “Just to say that the banks are open to Internet attacks is not true. And the Federal Reserve, the Treasury Department, the securities brokers, the settlement systems—they all have a really good handle on the whole financial services infrastructure and how it works. Alexander didn't understand it at all.”

 

The financial services companies weren't indifferent to the cyber threat. Two-thirds of US banks reported that they'd been affected by denial-of-service attacks, according to one study. But Alexander was asking the companies to take on inordinate risk. He was trying to embed his spies in their computers. The political ramifications were enormous if the operations ever became known. Furthermore, the companies could be held liable for illegal surveillance if the agency installed equipment without a warrant or some legal order approved by a court.

Even if the banks had let the NSA in, it's debatable how much the spy agency could have told them that they didn't already know from their own sources. Many large US banks have set up their own security divisions to monitor credit card fraud and account theft. Estimates vary as to the amount of money financial institutions lose to cybercrime each year, but they range from hundreds of millions of dollars to billions depending on the type and scale of the crime. The FBI investigates hacker rings that try to infiltrate bank networks and steal funds or process fraudulent credit card transactions, and it has tried to share what it knows with financial institutions. But frequently the G-men find that their corporate security counterparts are already ahead of them.

In 2009 about thirty law enforcement and intelligence officials met with security personnel from the leading US banks at FBI headquarters in Washington. “Halfway through the meeting, we asked, ‘How is information sharing going between the financial services sector and the government?'” says Steve Chabinsky, who was the FBI's deputy assistant director for cyber issues and now works for the private security firm CrowdStrike.
“Everyone took a deep breath.”

“You want us to be honest?” asked a representative from the banks' information-sharing council, which they'd set up to communicate with one another and the authorities. “It's not going very well. We give you all our information voluntarily, and we get nothing back.”

The FBI countered that it had just given the banks a list of threat signatures, including suspicious Internet addresses linked to cybercriminals. The report had taken a lot of effort to produce. Some of the information was considered “law enforcement sensitive” and even classified.

“Well,” the bank representative replied, “if that's the best you can do, we're in trouble. Because we knew all that information already.”

The banks were sharing information with one other, and they were buying information from private intelligence firms. Government officials began to realize that they didn't have a monopoly on intelligence gathering. The FBI decided to share with the banks the rundown of cases it was tracking, so the banks could see for themselves the breadth of the bureau's knowledge, Chabinsky says. It turned out that the banks had been tracking every case on the list, except one. Hackers had targeted the automated clearinghouse network, an electronic system that processes bulk transactions, including direct deposits, credit and debit card purchases, and electronic funds transfers between accounts. After stealing username and password credentials of people using the network, the thieves were able to move money out of various accounts, to the tune of $400 million. The banks were aware that hackers had gone after the clearinghouse network before, but not on this scale, and not using the particular techniques the FBI had detected for stealing log-in credentials. The banks were grateful for the intelligence and were able to shore up a weakness in their security systems. But it was a rare instance in which the FBI knew something that the banks didn't.

Prosecuting cybercriminals is rarely an option, particularly when the crooks are based in countries with weak cybercrime laws and a policy of not extraditing suspects to the United States. “The Russians will alert hackers that we're tracking them and tell them to change their names, so they're harder for us to find,” says a senior law enforcement official who works on cybercrime cases.
That leaves banks in the unenviable position of having to mostly fend for themselves against a wave of criminal activity that is growing in size, scope, and ambition, and that law enforcement has proven generally powerless to hold back.

 

The financial executives resisted Alexander's plan to install surveillance equipment on their networks. But they didn't stop his bigger campaign. Back in Washington, he lobbied to put the NSA in charge of defending other critical industries. High on the list was the electric power sector, followed by water utilities. “He wanted to create a wall around other sensitive institutions in America . . . and to install equipment to monitor their networks,” says the former administration official. Tranche 2 was dead, and the DIB pilot had undermined NSA's preeminent standing, but Alexander pressed on. And largely with the administration's backing. The pilot program was not greeted as a total failure. Some administration officials—including at the Homeland Security Department—said it showed that a government-appointed third party could channel classified information to industry. That they could work in an alliance—however uneasy—to defend cyberspace. Even though the NSA data detected only two unique threats, that was better than nothing, they reasoned.

Homeland Security took over nominal control of an expanded DIB program and made membership available to non-defense companies that were deemed essential to US national and economic security. The government was picking and choosing which kinds of companies would get special protection. And the threat signatures and most of the technical analysis of malware and intrusions were still coming from the NSA, often working with teams at the FBI, which now had an even bigger stake in cyber security as it shifted its focus—and its budgets—from counterterrorism cases. As of 2013, the NSA employed more than one thousand mathematicians, the largest number working for a single organization in the United States; more than nine hundred PhDs; and more than four thousand computer scientists.
The brains and the muscle for government cyber defense continue to come from the NSA, and probably always will.

There'd been a bureaucratic brawl, but in the end the government was still taking control of protecting cyberspace and treating the Internet as a strategic national asset, just as Obama had promised he would in his White House speech in May 2009. Alexander knew that his agency couldn't follow every threat on the Internet; it still needed intelligence from the companies. So he ratcheted up the public pressure. In speeches and congressional testimony, he warned that the hackers were getting better, that cybercrime was on the rise, and that companies were ill equipped to defend themselves. He pressed for more regulation, to force companies to raise their security standards and to provide legal immunity for those that handed over information about their customers' communications without a warrant or a court order, so that the NSA could study it. Alexander called cybercrime and espionage “the greatest transfer of wealth in history” and warned that unless American businesses shored up their digital defenses, the nation faced the prospect of a “Cyber Pearl Harbor.”

“What we see is an increasing level of activity on the networks,” Alexander warned at a security conference in Canada in 2013, two years after his meeting with financial executives. “I am concerned that this is going to break a threshold where the private sector can no longer handle it and the government is going to have to step in.”

Some companies were getting the message. But not in the way Alexander thought. They knew that threats were lining up against them. They saw them rooting around in their networks and stealing data every day. But they'd concluded that despite the NSA's big talk, the government couldn't protect everyone. The companies had to defend themselves.

ELEVEN

I
N MID-DECEMBER
2009, engineers at Google's headquarters in Mountain View, California, began to suspect that hackers in China had obtained access to private Gmail accounts, including those used by Chinese human rights activists opposed to the government in Beijing. Like a lot of large, well-known Internet companies, Google and its users were frequently targeted by cyber spies and criminals. But when the engineers looked more closely, they discovered that this was no ordinary hacking campaign.

In what Google would later describe as “a highly sophisticated and targeted attack on our corporate infrastructure originating from China,” the thieves were able to get access to the password system that allowed Google's users to sign in to many Google applications at once.
This was some of the company's most important intellectual property, considered among the “crown jewels” of its source code by its engineers.
Google wanted concrete evidence of the break-in that it could share with US law enforcement and intelligence authorities. So they traced the intrusion back to what they believed was its source—a server in Taiwan where data was sent after it was siphoned off Google's systems, and that was presumably under the control of hackers in mainland China.

“Google broke in to the server,” says a former senior intelligence official who's familiar with the company's response.
The decision wasn't without legal risk, according to the official. Was this a case of hacking back? Just as there's no law against a homeowner following a robber back to where he lives, Google didn't violate any laws by tracing the source of the intrusion into its systems. It's still unclear how the company's investigators gained access to the server, but once inside, if they had removed or deleted data, that would cross a legal line. But Google didn't destroy what it found. In fact, the company did something unexpected and unprecedented—it shared the information.

Google uncovered evidence of one of the most extensive and far-reaching campaigns of cyber espionage in US history.
Evidence suggested that Chinese hackers had penetrated the systems of nearly three dozen other companies, including technology mainstays such as Symantec, Yahoo, and Adobe, the defense contractor Northrop Grumman, and the equipment maker Juniper Networks. The breadth of the campaign made it hard to discern a single motive. Was this industrial espionage? Spying on human rights activists? Was China trying to gain espionage footholds in key sectors of the US economy or, worse, implant malware in equipment used to regulate critical infrastructure? The only things Google seemed certain of was that the campaign was massive and persistent, and that China was behind it. And not just individual hackers, but the Chinese government, which had the means and the motive to launch such a broad assault.

Google shared what it found with the other targeted companies, as well as US law enforcement and intelligence agencies. For the past four years, corporate executives had been quietly pressing government officials to go public with information about Chinese spying, to shame the country into stopping its campaign. But for President Obama or Secretary of State Hillary Clinton to give a speech pointing the finger at China, they needed indisputable evidence that attributed the attacks to sources in China. And looking at what Google had provided it, government analysts were not sure they had it. American officials decided the relationship between the two economic superpowers was too fragile and the risk of conflict too high to go public with what Google knew.

Google disagreed.

 

Deputy Secretary of State James Steinberg was at a cocktail party in Washington when an aide delivered an urgent message: Google was going to issue a public statement about the Chinese spying campaign.
Steinberg, the second-highest-ranking official in US foreign policy, immediately grasped the significance of the company's decision. Up to that moment, American corporations had been unwilling to publicly accuse the Chinese of spying on their networks or stealing their intellectual property. The companies feared losing the confidence of investors and customers, inviting other hackers to target their obviously weak defenses, and igniting the fury of Chinese government officials, who could easily revoke access to one of the biggest and fastest-growing markets for US goods and services. For any company to come out against China would be momentous. But for Google, the most influential company of the Internet age, it was historic.