Putin, Rogers said, “has clearly come to the conclusion that there’s little price to pay here and that therefore ‘I can continue this activity.’ ” Russia was not alone in reaching this conclusion. Indeed, many adversaries used cyberweapons precisely because they believed them to be a way of undercutting the United States without triggering a direct military response. North Korea paid little price for attacking Sony or robbing central banks. China paid no price for stealing the most private personal details of about 21 million Americans.
The message to our adversaries around the world is clear: cyberweapons, in all their various forms, are uniquely designed to hit America’s softest targets. And because they rarely leave smoking ruins, Washington remains befuddled about how to answer all but the biggest and most blatant attacks.
Rogers told me as he began the job in 2014 that his number-one priority was to “establish some cost” for using cyberweapons against America. “If we don’t change the dynamic here,” he added, “this is going to continue.” He left office, in 2018, with the nation facing a far larger problem than when he began.
* * *
—
In late July 1909, Wilbur and Orville Wright arrived in Washington to show off their Military Flyer. In the grainy pictures that have survived, Washington’s swamp creatures streamed across the bridges spanning the Potomac to see the show; even President William Howard Taft got into the act, though the Wright brothers were not about to take the risk of giving him a ride.
Not surprisingly, the army was fascinated by the potential of this wild invention. Generals imagined flying the craft over enemy lines, outflanking an oncoming force, and then sending the cavalry off to dispense with them. It wasn’t until three years later, in 1912, that someone thought of arming one of the new “observation aircraft” with a machine gun. Things both ramped up and spiraled down from there. A technology first imagined as a revolutionary means of transportation revolutionized war overnight. In 1913 there were fourteen military airplanes manufactured in the United States; five years later, with World War I raging, there were fourteen thousand.
And they were being used in ways the Wrights never imagined. The Red Baron shot down his first French aircraft in April 1916, over Verdun. Dogfights became monthly, then weekly, then daily events. By World War II, Japanese Zeros were bombing Pearl Harbor and performing kamikaze raids on my father’s destroyer in the Pacific. (They missed, twice.) Thirty-six years after Orville’s first flights in front of President Taft, the Enola Gay banked over Hiroshima and changed the face of warfare forever, combining the reach of airpower and the destructive force of the world’s newest ultimate weapon.
In the cyber world today, we are somewhere around World War I. A decade ago there were three or four nations with effective cyber forces; now there are more than thirty. The production curve of weapons produced over the past ten years roughly follows the trajectory of military aircraft. The new weapon has been fired, many times, even if its effects are disputed. As of this writing, in early 2018, the best estimates suggest there have been upward of two hundred known state-on-state cyberattacks over the past decade or so—a figure that describes only those that have become public.
And, as in World War I, this glimpse into the future has led nations to arm up, fast. The United States was among the first, building “Cyber Mission Forces,” as they call them—133 teams, totaling more than 6,000 troops, were up and running by the end of 2017. While this book deals largely with the “Seven Sisters” of cyber conflict—the United States, Russia, China, Britain, Iran, Israel, and North Korea—nations from Vietnam to Mexico are emulating the effort. Many have started at home by testing their cyber capabilities against dissidents and political challengers. But no modern military can live without cyber capabilities, just as no nation could imagine, after 1918, living without airpower. And now, as then, it is impossible to imagine fully how dramatically this invention will alter the exercise of national power.
* * *
—
In 1957, with the world on the nuclear precipice, a young Harvard scholar named Henry Kissinger wrote Nuclear Weapons and Foreign Policy. The book was an effort to explain to an anxious American public how the first use, a dozen years before, of a powerful new weapon whose implications we barely understood was fundamentally reordering power around the world.
One doesn’t have to endorse Kissinger’s conclusions in that book—especially his suggestion that the United States could fight and survive a limited nuclear war—to admire his understanding that after the invention of the Bomb, nothing could ever be the same. “A revolution cannot be mastered until it is understood,” he wrote. “The temptation is always to seek to integrate it into familiar doctrine: to deny a revolution is taking place.” It was time, he said, “to attempt an assessment of the technological revolution which we have witnessed in the past decade” and to understand how it affected everything we once thought we understood. The Cuban Missile Crisis erupted only five years later, the closest the world came in the Cold War to annihilation by miscalculation. That crisis was followed by the first efforts to control the spread of nuclear weapons before they dictated our fate.
While most nuclear analogies do not translate well to the new world of cyber conflict, this one does: We all live in a state of fear of how our digital dependencies can be hijacked by nations that in the past decade have discovered a new way to pursue old struggles. We have learned that cyberweapons, like nuclear weapons, are a great leveler. And we worry, with good reason, that within just a few years these weapons, merged with artificial intelligence, will act with such hyperspeed that escalatory attacks will take place before humans have the time—or good sense—to intervene. We keep digging for new technological solutions—bigger firewalls, better passwords, better detection systems—to build the equivalent of France’s Maginot Line. Adversaries do what Germany did: they keep finding ways around the wall.
Great powers and once-great powers, like China and Russia, are already thinking forward to a new era in which such walls pose no obstacle and cyber is used to win conflicts before they appear to start. They look at quantum computers and see a technology that could break any form of encryption and perhaps get into the command-and-control systems of America’s nuclear arsenal. They look at bots that could not only replicate real people on Twitter but paralyze early-warning satellites. From the NSA headquarters at Fort Meade to the national laboratories that once created the atomic bomb, American scientists and engineers are struggling to maintain a lead. The challenge is to think about how to defend a civilian infrastructure that the United States government does not control, and private networks where companies and American citizens often don’t want their government lurking—even for the purpose of defending them.
What’s missing in these debates, at least so far, is any serious effort to design a geopolitical solution in addition to a technological one. In my national security reporting for the New York Times, I’ve often been struck by the absence of the kind of grand strategic debates surrounding cyber that dominated the first nuclear age. Partly that is because there are so many more players than there were during the Cold War. Partly it is because the United States is so politically divided. Partly it is because cyberweapons were created by the US intelligence apparatus, instinctively secretive institutions that always err on the side of overclassification and often argue that public discussion of how we might want to use or control these weapons imperils their utility.
Some of that secrecy is understandable. Vulnerabilities in computers and networks—the kind that allowed the United States to slow Iran’s nuclear progress, peer inside North Korea, and trace Russia’s role in the 2016 election—are fleeting. But there is a price for secrecy, and the United States has begun to pay that price. It is impossible to begin to negotiate norms of behavior in cyberspace until we too are willing to declare our capabilities and live within some limits. The United States, for examp
le, would never support rules that banned cyber espionage. But it has also resisted rules prohibiting the placement of “implants” in foreign computer networks, which we also use in case the United States needs a way to bring those networks down. Yet we are horrified when we find Russian or Chinese implants in our power grid or our cell-phone systems.
“The key issue, in my opinion,” says Jack Goldsmith, a Harvard law professor who served in George W. Bush’s Justice Department, “is the US government’s failure to look in the mirror.”
* * *
—
On a summer day in 2017, I went to Connecticut to see Kissinger, who was then ninety-four, and asked him how this new age compared to what he grappled with in the Cold War. “It is far more complex,” he said. “And over the long-term, it may be far more dangerous.”
This book tells the story of how that complexity and danger are already reshaping our world, and explores whether we can remain masters of our own invention.
PROLOGUE
FROM RUSSIA, WITH LOVE
As the lights went out in western Ukraine the day before Christmas Eve 2015, Andy Ozment had a queasy feeling.
The giant screens in the war room just down the hall from his office—in an unmarked Department of Homeland Security building a quick drive over the Potomac River from the White House—indicated that something more nefarious than a winter storm or a blown-up substation had triggered the sudden darkness across a remote corner of the embattled former Soviet republic. The event had all the markings of a sophisticated cyberattack, remote-controlled from someplace far from Ukraine.
It had been less than two years since Vladimir V. Putin had annexed Crimea and declared it would once again be part of Mother Russia. Putin’s tanks and troops—who traded in their uniforms for civilian clothing and became known as the “little green men”—were sowing chaos in the Russian-speaking southeast of Ukraine, and doing what they could to destabilize a new, pro-Western government in Kiev, the capital.
Ozment knew that a Russian cyberattack against Ukrainians, far from the active combat zones, would make sense now, in the middle of the holidays. The electric utility providers were operating with skeleton staffs. To Putin’s secret army of patriotic hackers, Ukraine was a playground and testing ground. What happened there, Ozment often told his staff, was a prelude to what might well happen in the United States. As he regularly reminded them, in the world of cyber conflict, attackers came in five distinct varieties: “vandals, burglars, thugs, spies, and saboteurs.”
“I’m not that worried about the thugs, the vandals, and the burglars,” he would quickly add. It was up to companies and government agencies to guard against the run-of-the-mill bad actors on the Internet. It was the spies—and particularly the saboteurs—who kept him up at night. And the saboteurs who hit Ukraine’s power grid in 2015 were not amateurs. “All the advantages go to the attacker,” Ozment warned. Putin appeared to be making that point in Ukraine.
A bearded computer scientist in his late thirties, Ozment seemed to deliberately cultivate a demeanor suggesting it hadn’t been that long since he graduated from Georgia Tech and that he’d rather be hiking than cracking malware. He lived with his Norwegian wife in a two-story redbrick townhouse in a funky section of Washington, north of the Capitol. He always managed to look like he just walked out of one of the weekend farmers markets in his neighborhood, rather than off the front lines of America’s daily cyberwars. It was an admirable feat, considering he was running the closest thing the US government had to a fire department for cyberattacks. His team in Arlington functioned as the first responders when banks or insurance companies were attacked, utility companies found viruses lurking in their networks and suspected foul play, or incompetent federal agencies—like the Office of Personnel Management—discovered that Chinese intelligence agents were walking off with millions of highly sensitive security-clearance files. In other words, Ozment’s team got called all the time, like an engine company in a neighborhood of arsonists.
Ozment’s cyberwar room—in bureaucratese, the “National Cybersecurity & Communications Integration Center”—looked like a Hollywood set. The screens ran for more than a hundred feet, showing everything from the state of Internet traffic to the operation of power plants. Tickers with news items sped by. The desks in front of the screens were manned by various three-letter agencies in the US government: the Federal Bureau of Investigation, the Central Intelligence Agency, the National Security Agency, the Department of Energy.
At first glance, the room resembled the kind of underground bunker that a previous generation of Americans had manned round the clock, in a mountain near Colorado Springs. But initial impressions were deceiving. The men and women who spent the Cold War glued to their giant screens in Colorado were looking for something that was hard to miss: evidence of nuclear missiles speeding into space, aimed at American cities and silos. If they saw a launch—and there were many false alarms—they knew they had only minutes to confirm the US was under attack and to provide warning to the president, who would have to decide whether to retaliate before the first blast. But there was a certain clarity: At least they could know who launched the missiles, where they came from, and how to retaliate. That clarity created a framework for deterrence.
Ozment’s screens, by contrast, provided proof that in the digital age, deterrence stops at the keyboard. The chaos of the modern Internet played out across screen after screen, often in an incomprehensible jumble. There were innocent service outages and outrageous attacks, yet it was almost impossible to see where any given attack came from. Spoofing the system came naturally to hackers, and masking their location was pretty simple. Even in the case of a big attack, it would take weeks, or months, before a formal intelligence “attribution” would emerge from American intelligence agencies, and even then there might be no certainty about who had instigated the attack. In short, it was nothing like the nuclear age. Analysts could warn the president about what was happening—and Ozment’s team often did—but they could not specify, in real time and with certainty, where an attack was coming from or against whom to retaliate.
The more data that flowed in about what was happening that winter day in Ukraine, the deeper Ozment’s stomach sank. “This was the kind of nightmare we’ve talked about and tried to head off for years,” he recalled later. It was a holiday week, a rare break from the daily string of crises, and Ozment had a few minutes to dwell on a chilling cell-phone video that his colleagues were passing around. Taken in the midst of the Ukraine attack by one of the operators at the beleaguered electricity provider, Kyivoblenergo, it captured the bewilderment and chaos among electric-grid operators as they frantically tried to regain control of their computer systems.
As the video showed, they were helpless. Nothing they clicked had any effect. It was as if their own keyboards and mice were disconnected, and paranormal powers had taken over their controls. Cursors began jumping across the screens at the master control center in Ukraine, driven by a hidden hand. By remote control, the attackers systematically disconnected circuits, deleted backup systems, and shut down substations. Neighborhood by neighborhood, the lights clicked off. “It was jaw-dropping for us,” said Ozment. “The exact scenario we were worried about wasn’t paranoia. It was playing out before our eyes.”
And the hackers had more in store. They had planted a cheap program—malware named “KillDisk”—to wipe out the systems that would otherwise allow the operators to regain control. Then the hackers delivered their finishing touch: they disconnected the backup electrical system in the control room, so that not only were the operators now helpless but they were sitting in darkness. All the Kyivoblenergo workers could do was sit there and curse.
For two decades—since before Ozment began his career in cyber defense—experts had warned that hackers might switch off a nation’s power grid, the first step in taking down an entire country. And for most of that time, eve
ryone seemed certain that when the big strike came, it would take out the power from Boston to Washington, or San Francisco to Los Angeles. “For twenty years we were paranoid about it, but it had never happened,” Ozment recalled.
“Now,” he said, “it was happening.”
* * *
—
It was happening, but on a much broader scale, in ways that Ozment could not yet imagine.
While Ozment struggled to understand the implications of the cyberattack unfolding half a world away in Ukraine, the Russians were already deep into a three-pronged cyberattack on the very ground beneath his feet. The first phase had targeted American nuclear power plants as well as water and electric systems, with the insertion of malicious code that would give Russia the opportunity to sabotage the plants or shut them off at will. The second was focused on the Democratic National Committee, an early victim in a series of escalating attacks ordered, American intelligence agencies later concluded, by Vladimir V. Putin himself. And the third was aimed at the heart of American innovation, Silicon Valley. For a decade the executives of Facebook, Apple, and Google were convinced that the technology that made them billions of dollars would also hasten the spread of democracy around the world. Putin was out to disprove that thesis and show that he could use those same tools to break democracy and enhance his own power.
It added up to a multifaceted attack on America’s infrastructure and institutions, and was remarkable in its scope, startling in its brazenness. Americans were shocked, but Putin’s moves had hardly come out of the blue. They were merely the latest phase of a global battle fought over unseen networks for the better part of a decade—a battle in which America had fired some of the opening shots.
The Perfect Weapon Page 2
