Gordon M. Goldstein is a managing director at the global technology investment firm Silver Lake Partners and an adjunct senior fellow at the Council on Foreign Relations.
When the widely respected national security mandarin Robert Gates was appointed secretary of defense in late 2006, his daily intelligence reports on the cascade of cyberattacks directed against the United States left him incredulous. As author and Slate columnist Fred Kaplan recounts, Gates was “so stunned by the volume of attempted intrusions into American military networks — his briefings listed dozens, sometimes hundreds every day — that he wrote a memo to the Pentagon’s deputy general counsel. At what point, he asked, did a cyber attack constitute an act of war under international law?” When the defense secretary finally received a response — vague and evasive, in his estimation — almost two full years had passed.
The episode illustrates an enduring challenge for the United States in the digital age. While some bureaucratic actors within its government are not capable of operating at Internet speed, America’s adversaries — hostile sovereign powers, transnational criminal enterprises, hacker and terrorist collectives — continue to attack with all the relentless intensity and innovation afforded by a constantly evolving arsenal of modern cyberweapons, penetration technologies and tactics.
“Dark Territory” captures the troubling but engrossing narrative of America’s struggle to both exploit the opportunities and defend against the risks of a new era of global cyber-insecurity. Assiduously and industriously reported, Kaplan’s history underscores a double irony in American cyber-strategy. The severity and scope of cyberthreats against the United States have been consistently predicted and demonstrated for decades and have never meaningfully abated. The most extreme threats, such as “decapitation” strikes against U.S. military networks and critical infrastructure, have, however, been effectively countered for more than 20 years, while the most pervasive and common penetrations against American business and corporate interests have been growing exponentially, with no plausible strategy in sight to engineer effective deterrence or a reliable defense.
America’s vulnerabilities have been clear for decades. In 1997, a secret National Security Agency “Red Team” was instructed to test the defenses protecting the Pentagon’s computer networks. The National Military Command Center was hacked in a day. The Defense Department’s intelligence directorate was then penetrated with stunning simplicity: A member of the Red Team called, claiming to be from the Pentagon IT department, and explained that the directorate’s password would need to be changed. “The person answering the phone gave him the existing password without hesitation,” Kaplan discovered. “The Red Team broke in.”
The following year, the computers at Andrews Air Force Base outside Washington were penetrated, a hack that swiftly spread to a dozen military locations. The breach, code-named Solar Sunrise, was initially traced by investigators to an Internet service provider in the United Arab Emirates, triggering speculation that the operation had originated from Iraq. Yet within days, a less dramatic explanation emerged. The culprits were a pair of 16-year-old boys in the San Francisco suburbs operating under the aliases Makaveli and Stimpy.
Kaplan recapitulates one hack after another, building a portrait of bewildering systemic insecurity in the cyber domain. Appointed director of national intelligence in 2007, Mike McConnell was by then a self-appointed proselytizer on the burgeoning cyberthreat. He lobbied the government’s national security agencies — as well as the Treasury, Energy and Commerce departments — seeking to impart a greater sense of awareness and urgency. “He would bring the cabinet secretary a copy of a memo,” Kaplan writes. “‘Here,’ McConnell would say, handing it over. ‘You wrote this memo last week. The Chinese hacked it from your computer. We hacked it back from their computer.’”
The cyberthreat posed by China is among the most acute, Kaplan observes, because it is driven by a diverse spectrum of incentives. China executed the most spectacular breach ever of U.S. government data, hacking the Office of Personnel Management (an event that followed the completion of Kaplan’s manuscript). According to a Senate briefing provided by FBI Director James Comey, the personal information of up to 18 million Americans was stolen. In addition to conventional spying and penetration operations, Kaplan explains, China engages in highly organized commercial cyberespionage and intellectual property theft. In March 2013, national security adviser Tom Donilon confronted Beijing over its attacks against American corporations and the “sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale.”
The principal Chinese antagonist of American business, according to Kaplan, was well known across the senior ranks of the Obama administration. It was the Second Bureau of the Third Department of the People’s Liberation Army’s General Staff, also known as Unit 61398, headquartered in a 12-story building outside Shanghai. It is but one cadre of a cyber-force estimated to be in the tens of thousands.
Kaplan alludes to the scope of the cybersecurity crisis for American businesses and corporations, citing a report by telecommunications giant Verizon that there were 79,790 verified security breaches in the United States in 2014, with approximately 25 percent more penetrations and 55 percent more data losses than the year before. As arresting as this statistic may be, it does not convey the ultimate economic costs at stake. According to some cybersecurity industry estimates, more than $750 billion in economic value is stolen through global cybercrime and commercial cyberespionage operations annually.
One of the deep insights of “Dark Territory” is the historical understanding by both theorists and practitioners that cybersecurity is a dynamic game of offense and defense, each function oscillating in perpetual competition. The United States, Kaplan demonstrates, has excelled in offense.
Tailored Access Operations, an elite unit within the NSA, developed an arsenal of technologies enabling penetration across the communications network. “Obscure points of entry were discovered in servers, routers, workstations, handsets, phone switches, even firewalls (which, ironically, were supposed to keep hackers out), as well as in the software that programmed, and the networks that connected, this equipment,” Kaplan notes, ticking off now-ubiquitous hacking technologies. “LoudAuto activated a laptop’s microphone and monitored the conversation of anyone in its vicinity. HowlerMonkey extracted and transmitted files via radio signals,” even when a computer was not connected to the Internet. “MonkeyCalendar tracked a cell phone’s physical location and conveyed the information through a text message. NightStand was a portable wireless system that loaded a computer with malware from several miles away.”
During the Iraq War, NSA equipment and analysts were deployed on the ground in a heavily fortified concrete bunker north of Baghdad to assist with the “surge” in American operations to crush insurgent militias and terrorist groups. Captured laptops yielded e-mails, passwords, phone numbers, usernames and the identities of al-Qaeda leaders, all of which were used to launch entrapment and assassination operations that in 2007 alone resulted in the deaths of 4,000 Iraqi insurgents.
In 2009, Defense Secretary Gates created a dedicated Cyber Command. In the first three years the command’s budget tripled from $2.7 billion to $7 billion, and cyberattack teams grew from 900 specialists to 4,000, with 14,000 anticipated by the end of the decade. The most ingenious and resourceful operation that has spilled into the public domain is code-named Olympic Games, a joint initiative by the NSA, the CIA and Israel’s cyberwar bureau, Unit 8200, to inject the now-famous “Stuxnet” malware program into the industrial computer systems at Iran’s nuclear facility in Natanz, disabling thousands of uranium centrifuges.
Today the United States — its defense complex, intelligence community, government agencies, and broad array of economic and corporate interests — is utterly engulfed in what appears to be a ceaseless cycle of offensive incursions and breached defenses. As the Defense Science Board stated in 2013 in a now grimly familiar conclusion, “The network connectivity that the United States has used to tremendous advantage, economically and militarily, over the past twenty years has made the country more vulnerable than ever to cyber attacks.” It is an unsettling thesis that “Dark Territory” indisputably substantiates.
By Fred Kaplan
Simon & Schuster.
338 pp. $28