Cyber-intruder sparks massive federal response — and debate over dealing with threats

The first sign of trouble was a mysterious signal emanating from deep within the U.S. military’s classified computer network. Like a human spy, a piece of covert software in the supposedly secure system was “beaconing” — trying to send coded messages back to its creator.

An elite team working in a windowless room at the National Security Agency soon determined that a rogue program had infected a classified network, kept separate from the public Internet, that harbored some of the military’s most important secrets, including battle plans used by commanders in Afghanistan and Iraq.
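The "beaconing" the NSA team noticed is, in detection terms, one host attempting the same outbound connection again and again at near-constant intervals. The following Python is an added example, not code from the article or from any agency it describes: it parses a constructed key=value connection log and flags flows whose inter-arrival times have low relative variance. The log format, the addresses and the thresholds are assumptions chosen for illustration.

```python
"""Flag flows whose outbound connection attempts recur at near-constant
intervals (the "beaconing" pattern) in a constructed boundary-device log."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (not from the article): a key=value export from a
# boundary device on a network with no route to the Internet, so every
# attempt is denied.  10.1.2.3 retries the same external address roughly
# every 300 s with small jitter; 10.1.2.9 is irregular, user-driven traffic;
# 10.1.2.5 has too few events to judge.  All addresses are documentation ranges.
SAMPLE_LOG = """\
2008-10-20T08:00:00Z src=10.1.2.3 dst=203.0.113.7 dport=80 action=deny
2008-10-20T08:00:15Z src=10.1.2.9 dst=198.51.100.20 dport=443 action=deny
2008-10-20T08:00:40Z src=10.1.2.9 dst=198.51.100.20 dport=443 action=deny
2008-10-20T08:03:00Z src=10.1.2.5 dst=203.0.113.7 dport=80 action=deny
2008-10-20T08:05:02Z src=10.1.2.3 dst=203.0.113.7 dport=80 action=deny
2008-10-20T08:08:00Z src=10.1.2.5 dst=203.0.113.7 dport=80 action=deny
2008-10-20T08:09:58Z src=10.1.2.3 dst=203.0.113.7 dport=80 action=deny
2008-10-20T08:11:40Z src=10.1.2.9 dst=198.51.100.20 dport=443 action=deny
2008-10-20T08:12:10Z src=10.1.2.9 dst=198.51.100.20 dport=443 action=deny
2008-10-20T08:15:01Z src=10.1.2.3 dst=203.0.113.7 dport=80 action=deny
2008-10-20T08:19:59Z src=10.1.2.3 dst=203.0.113.7 dport=80 action=deny
2008-10-20T08:25:02Z src=10.1.2.3 dst=203.0.113.7 dport=80 action=deny
2008-10-20T08:29:58Z src=10.1.2.3 dst=203.0.113.7 dport=80 action=deny
2008-10-20T08:33:20Z src=10.1.2.9 dst=198.51.100.20 dport=443 action=deny
2008-10-20T08:35:01Z src=10.1.2.3 dst=203.0.113.7 dport=80 action=deny
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict.

    The ISO-8601 timestamp is converted to epoch seconds under key "ts".
    """
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
    return rec


def find_beacons(log_text, min_events=5, max_cv=0.1):
    """Return {(src, dst, dport): (mean_interval_s, cv)} for flows whose
    inter-arrival times are regular enough to look machine-driven.

    cv is the coefficient of variation (population stdev / mean) of the gaps;
    a human clicking around produces cv near 1, a timer produces cv near 0.
    Flows with fewer than min_events records are skipped as unjudgeable.
    """
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        times[(rec["src"], rec["dst"], rec["dport"])].append(rec["ts"])

    hits = {}
    for flow, ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits[flow] = (avg, cv)
    return hits


if __name__ == "__main__":
    for (src, dst, dport), (avg, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dport} every ~{avg:.0f}s (cv={cv:.3f})")
```

On a network with no path to the outside, the beacon never gets an answer, so what the boundary device records is the repeated denied attempt itself; the same logic applies unchanged to proxy or DNS logs on a connected network, where the attempts succeed. The output is a triage list rather than a verdict: software updaters, NTP and monitoring agents beacon too, so each flagged flow still needs the destination and the originating process checked before anyone declares an intrusion.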

Video: Hayden, former director of the Central Intelligence Agency, describes cyber espionage and cyber attacks.

Video: The Secretary of Homeland Security says cyber security is a rapidly growing issue.

The government’s top cyberwarriors couldn’t immediately tell who created the program or why, although they would come to suspect the Russian intelligence service. Nor could they tell how long it had been there, but they soon deduced the ingeniously simple means of transmission, according to several current and former U.S. officials. The malicious software, or malware, caught a ride on an everyday thumb drive that allowed it to enter the secret system and begin looking for documents to steal. Then it spread by copying itself onto other thumb drives.

Pentagon officials consider the incident, discovered in October 2008, to be the most serious breach of the U.S. military’s classified computer systems. The response, over the past three years, transformed the government’s approach to cybersecurity, galvanizing the creation of a new military command charged with bolstering the military’s computer defenses and preparing for eventual offensive operations. The efforts to neutralize the malware, through an operation code-named Buckshot Yankee, also demonstrated the importance of computer espionage in devising effective responses to cyberthreats.

But the breach and its aftermath also have opened a rare window into the legal concerns and bureaucratic tensions that affect military operations in an arena where the United States faces increasingly sophisticated threats. Like the running debates over the use of drones and other evolving military technologies, rapid advances in computing capability are forcing complex deliberations over the appropriate use of new tools and weapons.

This article, which contains previously undisclosed information on the extent of the infection, the nature of the response and the fractious policy debate it inspired, is based on interviews with two dozen current and former U.S. officials and others with knowledge of the operation. Many of them assert that while the military has a growing technical capacity to operate in cyberspace, it lacks authority to defend civilian networks effectively.

“The danger is not so much that cyber capabilities will be used without warning by some crazy general,” said Stewart A. Baker, a former NSA general counsel. “The real worry is they won’t be used at all because the generals don’t know what the rules are.”

A furious investigation

The malware that provoked Buckshot Yankee had circulated on the Internet for months without causing alarm, as just one threat among many. Then it showed up on the military computers of a NATO government in June 2008, according to Mikko Hypponen, chief research officer of a Finnish firm that analyzed the intruder.
