Kingdom of Lies
Page 2
I didn’t know when I entered the field that I was going to write a book, I just knew I wanted to know more about these interesting people who were passing in and out of my life. Writing a book has been very different from being a journalist, in that I’m not objective about some of the individuals I write about here. I consider many of them personal friends; some I consider enemies. I have saved their stories for this book.
Ultimately, this book is about control. If there is one common theme in everything that happens to us when we interact with technology, it’s our desire to control our environment in a way that benefits us. This desire to come out on top drives nearly every technical decision we make.
Every catalyst to innovate, every curve in the trajectory forward is borne by someone who wants to control something or someone, or everything and everyone. Maybe with technology, maybe with authority, maybe with brilliance or whatever skill they bring to the table. To be the one who holds the reins high on this monstrous beast we’ve created—that’s the prize. At any given time, hundreds of thousands of people are scrambling and punching and grappling for their ins.
Of course, you already know the answer to the question of who is really in control. Because you know more about cybersecurity than you think you do.
1.
The Futurethreat
Carl knows that if bank systems are flooded with packets, they won’t be able to handle the traffic, web applications will overload, and the bank’s websites will go down. People won’t be able to bank or pay bills. Twitter will blow up. Call center phones will start ringing like a sadistic chorus. Bank executives will look bad.
That’s what happened in September. And that’s what the terrorists are trying to do now, for a second time.
But it had better not fucking work, Carl has been told over and over these past few weeks. This can’t happen again.
Carl doesn’t care why this is happening, but bankers always want to know why. So, in Joe’s report, he explains the reason that the terrorists have provided for their attack, a rationale that makes little sense but was apparently proposed by the Izz ad-Din themselves online: There’s an American preacher named Terry Jones who is threatening to burn Qurans and a YouTube video criticizing Islam, and the Izz ad-Din want both to stop. And also Israel. The group has lots to say about Israel.
The Izz ad-Din claim they have waited four months because they are merciful. They delayed their second action due to the U.S. presidential election and Hurricane Sandy.
But that is all B.S.
Because this kind of thing happens to banks all the time. DDoS (distributed denial-of-service) attacks come from aggrieved teenagers and foreign ne’er-do-wells and every class of hacker in between. They are a dime a dozen. Especially after the financial crisis, when a surge of hostility from Anonymous and activists against “the 1 percent” spiked.
Carl and Joe and the cybersecurity team have stopped DDoS attacks many, many times before. The Izz ad-Din are different. They have the skills and they have the hardware. And people. Lots and lots of people. They are not a loosely defined network of 20-something terrorists scattered across Eastern Europe. Not some kids in a basement somewhere. They are an entire nation-state.
Iran, to be specific.
* * *
Over the course of the next several days, Carl and a team of five other security professionals battle the bad guys.
Carl spends all his time in the room. They turn the heat down in the room until it is freezing so everyone can stay awake. Somebody keeps bringing up sandwiches from the cafeteria. Executives drift in and out of the room. Some stand next to him, look over his shoulder, and make significant gestures and solemn sighs before leaving again.
They code name the attack Deep Blue, have daily and nightly and sometimes hourly phone calls about it. More and more people get involved. Some of them Carl has never seen before. Some of them, he knows, are consultants not even affiliated with the bank. The longer the attacks go on, the more people get involved in the crisis. And it is a crisis. No one has ever seen anything like this before. From the outside looking in, from the inside looking out, one fact becomes obvious to all: The bank’s management needs to make cybersecurity a priority. Not tomorrow, not next week, but right now.
* * *
As the suits pile in, act interested, and watch Carl sit at the computer and fight the Iranian Army every fucking day, he becomes more detached and more alone. The attacks surpass the skills of his colleagues, relegating them to supporting roles on the sidelines. Carl is a real hacker, an extremely good one, and he’s seen it all, but never an attack this big.
Then just as suddenly as it began, it ends. Somebody has finally taken down the stupid anti-Islam YouTube video. The Izz declare the war is over. Carl can’t believe it. He sits at his desk, fingers poised over the keyboard, exhausted, overcaffeinated, buzzing just a little bit, wondering if it’s really over.
Everyone goes home. Carl stays behind, putting together one more security report for the bank’s board of directors. They have asked him to predict when the next strike will come. He considers the request and begins to type. “Futurethreat, a type of cyberthreat from a heavily weaponized nation-state…”
Carl reconsiders, hits delete. “Futurethreat” is a garbage term, he thinks. It was probably invented by some government lunkhead. It will make the bankers’ eyes glaze over. He can’t have that. He has their attention and he wants to keep it because Deep Blue has created a golden opportunity for Carl and his colleagues’ cybersecurity team.
And his boss. Joe Marcella, beloved by his employees, reviled by his superiors, bursts into the room. He has never, Carl has noticed, entered a room any other way. It is what earned him the nickname among some of his colleagues of Kool-Aid Man. Taller and with about 150 pounds on Carl, when Joe opens a door it has the same look and feel of a giant pitcher of punch smashing through a wall.
“Where the fuck have you been? The fucking suits want another fucking PowerPoint about this shit if you can believe it.”
Carl smiles. Joe’s his friend. Joe is unpolished—to say the least—but he has a way of earning a great deal of loyalty from his employees, which starts and ends with fighting with the higher-ups to pay them very well. Joe won’t make it long past the DDoS attacks. He’ll be replaced by executives who don’t fight hard for good pay, with predictable consequences.
But those days are more than a year away. Right now, Carl is dealing with the fact that the top-level executives at NOW Bank suddenly care about cybersecurity, and the way bankers show that they care is with money.
Carl writes, “Other hostile nations will have used DDoS attacks as cover for entering and persisting on our networks, with the goal of gathering information covertly over long periods of time.”
Carl rubs his eyes, closes his laptop. As he walks into the lobby, now dark, he blows on his knuckles like a gunslinger.
* * *
At around that same moment, Bob Raykoff, a former Air Force commander, reads some of the text he and a ghostwriter have cobbled together for the next edition of his textbook.
Futurethreats in cyberspace will require that we take some type of offensive action, heretofore under the characterization active defense. The only way to ensure the safety of these active defense measures is to design clear military protocols around them, and to the extent possible, engage other nations—even hostile nations—in creating a more robust international norm for cyberattacks, cyber-reconnaissance and other tactics.
Bob Raykoff was one of the first people to use the term “futurethreat.” He is working on his latest book and writing a chapter with that name. He is obsessed with futurethreat. He has been watching the DDoS attacks against the banks and wonders who will make use of the distraction caused by the Islamists. The Chinese? The Russians?
Definitely the Russians. Bob hates the Russians.
Military men and women who engage the enemy today may give little thought … to the damage they may cause digitally. As w
ith military actions from the air or by drone, military personnel may not be significantly or closely engaged with the people who are affected at the other end of their attack. The collateral damage in cyberwarfare, particularly in the private sector, where these battles will most likely be fought, could be catastrophic.
A little over a year from now, Bob will be Carl’s boss. Neither of them knows it; nor can they even fathom the possibility. There are a lot of things that Bob knows about cybersecurity, but there are even more things that he doesn’t know. But he’s right on the money when it comes to the fallout from the DDoS attack at NOW Bank. It will be catastrophic. There will be considerable collateral damage, and he will be right in the middle of it.
From his office in the Washington, D.C., suburbs, Bob considers the futurethreat again.
Definitely Russia, he thinks. Or China.
As it turns out, the futurethreat is neither Russia nor China, It is a 15-year-old girl living in the Romanian countryside, dancing to music so loud she can barely hear herself think.
René Kreutz shouts in ecstasy as another wave of her high school friends makes it through the door of a pop-up nightclub in a small Transylvanian town called Arnica Valka. It’s a town hardly anyone has ever heard of. It is known mostly as an acceptable place to stop for lunch between Bucharest and Budapest.
René is a little bit drunk. The club is the center of the world, as far as she’s concerned. Everywhere else is orbiting around this spot. Around her.
She dances, the eye of a sweaty storm of teenagers, and screams the lyrics to a Bucharest rapper’s hit song, spoken in half English, half Romanian, called “Americandrim.” It references every pop-culture trope, one after the other: Coca-Cola, MTV, George W. Bush, McDonald’s.
I can be what I want to be
Losing my identity
René’s friends scream the last line into the sooty air above them. Everything around her smells like cheap liquor and cherry-flavored lip gloss. In fact, René’s drink tastes like cherry-flavored lip gloss.
Is there anything more to life than this? she wonders, happily, drunkenly.
There is. A great deal more, in fact. In three years, René, who is no good at computers but who is utterly charming, will become one of the world’s most influential hackers practically overnight.
René squeezes next to her friends and flashes a peace sign for a selfie on an old Motorola cell phone.
* * *
At around this same moment in Moscow, one of the world’s most influential hackers, Valery Romanov, is taking a selfie, too. It’s his favorite pose: Valery Romanov, hacker extraordinaire, with stacks and stacks of cash.
Valery is dressed like an extra in an American office-based situation comedy. A short-sleeved, button-down shirt, wrinkled khakis. Blond and pudgy, he isn’t really focusing on his own bland countenance. He centers the photograph on the cash instead, the real star of this portrait. He flashes a peace sign.
Romanov has just finished watching the DDoS attack against NOW Bank from inside the bank’s networks. He’s in there, too. But not for silly Islamist reasons. He enjoys live-action fighting. Like pay-per-view only without the pay. He smiles and contemplates the bottle of vodka beside him.
The DDoS attack presents a big opportunity for somebody, he thinks as he looks at the open ports at the bank, the unguarded sections of a huge, vast enterprise. The data has been left unguarded because the bank is pouring all its resources into fighting the DDoS attack.
Valery notices that all of the credit cards issued by the bank are now expired. Somebody has slipped in while the bank was fighting off the Iranians and made the change. But it wasn’t him. Not this time.
Valery is a little preoccupied these days. The FBI is after him. And Interpol. And now the surprisingly fast and frightening Direction Générale de la Sécurité Extérieure in France. He’s drinking too much. His new fiancée is pregnant. The selfies with the cash make him feel better.
Two years earlier, he got caught up in stupid Islamist bullshit when the cafe in Marrakesh he happened to be eating at was blown up in a terrorist attack. Now part of his head is missing. Before that, and for a little while afterward, he was one of the greatest, most prolific, and most influential hackers in the world.
Now it’s 2012, and his number is just about up.
2.
The Charlatan
Caroline Chan is a killer.
Her new boss doesn’t know this. And he won’t realize it when he meets her today. In fact, he never will.
Caroline works at NOW Bank, one of the world’s biggest banks. She doesn’t wear a suit. She’s not in Manhattan. She’s in a back office in New Jersey and doesn’t dress to impress.
Caroline is what is known in the staid language of corporate finance as a business manager, and she manages the business of the bank’s cybersecurity. She manages the shit out of it. She does the budget; builds teams of engineers, technicians, security executives; and keeps the factions from fighting with one another.
She also hires the hackers. She’s been doing this for nearly 20 years, since she was an intern fresh out of college. She’s been hiring hackers since before the bank knew it needed to hire them. She’s the hacker whisperer, and they are her dragons.
Caroline is a 4-foot, 11-inch Chinese woman with a New Jersey accent and an Irish Catholic husband. She doesn’t crush nuts in board meetings. Her ambition extends to doing good for the people who have become her friends and carving out a comfortable existence in the New Jersey suburbs.
She is always handing the microphone to somebody else. She scoops the ice cream at retirement parties. She drops achievement certificates on her colleagues’ desks on their work anniversaries. She’s the one who hugs the interns when they are done for the summer. She does all of the dirty work.
But, by God, if you cross her …
Caroline incubates and raises hackers. She gets them when they’re young, watches them hatch, and turns them into dragons. Many of them grow into productive bank employees, testing the bank’s networks, rising through the executive ranks. The bank has 300,000 employees, and they’re spread out in all corners of the globe. There’s one guy in Greece, three people in Beirut, and a receptionist in Uzbekistan. Her dragons have grown up and spread their wings across the bank’s vast expanse. She protects them from the suits. She is the Daenerys Targaryen of cybersecurity.
Take Carl, for instance. He’s one of her dragons. Now he’s a high-level manager in Singapore. She made sure he was taken care of after the DDoS attacks. She takes care of her dragons when they deliver, and they always deliver.
Nobody has more dirt than Caroline. All those executives who try to score hookers on Craigslist? She knows them on a first-name basis. The traders who create their own applications so they can insider trade? She’s onto them. The derivative swappers who lose it from the pressure and send abusive emails to the CIA? She has some stories.
The executive who propositions his employees on one of those “disappearing” chat services? She’s got more than a few files saved.
The C-suiter who registered his corporate email with backpage.com—not to procure a hooker, but to be one? Oh, she’s keeping that one to herself for now.
Everyone at NOW Bank who has ever done anything at all related to cybersecurity has worked for Caroline. The senior guys, the junior guys, even some of the big shots who go on CNBC, they all sat in a room across from Caroline once. They slid a copy of their resume across the desk, answered her probing questions, and negotiated their salaries. She dealt with them all with the tenderness of a mother.
After the first round of DDoS attacks from Iran, it was Caroline who polished up the basement dwellers, freaks, and weirdos who saved the day. She made them presentable for the company’s board of directors, especially on paper. She made sense of what hackers do with neat charts and tidy graphs, workforce shortfalls and budget projections. Lingo the suits could understand.
She was the one who scored them a brand-spanki
ng-new budget and hundreds of new open positions. It was she who consoled them when the board then made a left turn and hired some new guy to be the top cybersecurity executive, some military guy who spewed a lot of manly stuff about battles and cyberwar that sounded impressive. Someone from outside.
This morning Caroline dusted off her best suit to go to Manhattan and meet the new guy. He has a litany of very impressive titles, but word from her sources is that he appears to know little about the nuts and bolts of the field of cybersecurity, nor, according to them, does he seem to know how a bank operates or what its workers do. Although she herself doesn’t trust him, she tells her colleagues to give Bob Raykoff a chance.
But she remains skeptical. She taps into her vast network of corporate hackers for all the intel on him they can muster. He’s a glad-hander they say, at best. Stories are already trickling in about how he needs an excessive amount of handholding. For instance, when he travels he insists on having someone accompany him to point out which service car is his. Not once or twice, but every single time. He suggests bringing in an ex-military general at an exorbitant salary to read a weekly report about cybersecurity to bank executives. Presumably with gravitas.
Bob Raykoff. A former military big shot. Then a consultant. Author of extremely boring academic textbooks, discussing untested theories on the nature of hacking, geopolitics, and cyberespionage.
Give him a chance, Caroline thinks as she smiles, shakes his hand. He seems to be nearly two feet taller than her. His height is not, she knows in her heart, why he looks right past the top of her head as if she isn’t even in the room. She gets out her four-color pen and a fresh notebook.
They talk. Well, Raykoff talks. Caroline will be his chief of staff. He doesn’t like the title “business manager.” Caroline knows the bank calls this function a business manager and not a chief of staff to confer a sort of corporate neutrality to the title. Something more sober and removed than charged and aligned, politically, with the senior-most leader.