CHAPTER I
ORIGINAL SINS
This has a whiff of August 1945. Somebody just used a new weapon, and this weapon will not be put back in the box.
—Gen. Michael Hayden, former director, National Security Agency and Central Intelligence Agency
On an early spring day in 2012, I drove along the winding, wooded driveway of the Central Intelligence Agency and pulled up in front of what the agency quaintly calls its “Old Headquarters.”
I knew that the meeting I was headed to—with Michael Morell, the agency’s deputy director—was likely to be difficult. A few weeks before, the White House had asked me to see Morell and talk with him about an especially sensitive story the Times was preparing to publish. The two of us had met briefly in the West Wing basement office of Benjamin J. Rhodes, then the deputy national security advisor for strategic communications, as I explained what I had learned: how two presidents of strikingly different temperaments, George W. Bush and Barack Obama, had both come to the decision to use the most sophisticated cyberweapon in history against Iran as the last, best chance to forestall a new war in the Middle East.
Neither Rhodes nor Morell seemed surprised that I had pieced the story together; the weapon’s code, called “Stuxnet,” had accidentally spread around the world nearly two years before, making it evident that someone was using malware in an attempt to blow up Iran’s nuclear facilities. Stuxnet was filled with digital fingerprints and other clues about where and when it had been written. That someone eventually would follow those clues to discover the plan that had launched it seemed inevitable. The operation, which I learned through months of reporting had been code-named “Olympic Games,” was simply too big, and involved too many players, to stay secret forever. The Iranians themselves had long ago declared, with relatively little proof, that the United States and Israel were behind the attack. But neither government had ever uttered an admission, emblematic of the reflexive secrecy they wrapped around all cyber operations.
As is true with nuclear weapons, only the president could authorize the American use of a cyberweapon for destructive purposes. Yet because virtually all offensive cyber operations take place as covert actions, which by law must be designed to be deniable, no American president had ever been caught authorizing one. The Times piece would lay out the Situation Room debate over using a cyberweapon to mount the kind of attack that, previously, could have been executed only by bombing or sending in saboteurs.
But as I walked across the famous atrium of the CIA—its walls dotted with bronze-colored stars, one for each of the CIA officers who had died in defense of the country—and headed up the elevator to Morell’s office, there was no way for me to know how the story threatened to disrupt the web of secrecy the United States had built around its decade-long race to build up its cyber capabilities. Nor could I have known that I would touch off one of the larger federal leak investigations of modern times, or that it would lead to the unfair prosecution of a military officer who was highly valued by Obama and who was among the cohort who had brought the US military into the era of modern cyberwarfare.
It turned out that the US government was not yet ready to discuss the consequences of its decision to use cyberweapons against another state in peacetime. Nor was it eager to assess the degree to which America’s actions contributed to a cyber arms race that Iran, Russia, North Korea, and China had joined.
* * *
—
Beyond the oft-photographed lobby, the CIA’s well-worn executive offices resembled those of the declining computer firms—like the now-extinct Burroughs and Digital Equipment Corporation—that I had covered decades ago as a young technology reporter. The retro look prevailed especially on the seventh floor, in the suite that Allen Dulles, CIA director under Eisenhower and Kennedy, designed so that he could sit within feet of his deputy director as they oversaw the vast and complex Cold War effort to steal secrets and take down adversaries. Appropriately, the look of the world’s most famous spy agency was a bit deceiving: As the story of Olympic Games made clear, the agency was deeply into the digital age. But it had no interest in overtly displaying its prowess.
I had come to the Old Headquarters to hear about which details of the emerging story so concerned Morell and his colleagues that they were preparing to ask the Times to withhold them, lest we tip off other targets of ongoing operations. By their nature such conversations are fraught. News organizations must be willing to listen to government concerns, but insist, for obvious First Amendment reasons, that the decision to publish belongs to them, not the government. Morell, while always friendly and professional, had already indicated that, in his view, none of the Olympic Games story should be published. But he was a realist, and knew that the accidental revelation and dissemination of the Stuxnet worm meant the story was not going to disappear. For the CIA, that day’s meeting was an exercise in learning what I had learned, and in directing damage control.
Operation Olympic Games was largely the work of the NSA and Israel’s Unit 8200, its military cyber operation. But the CIA, I had learned over time, played a key part, executing a presidential authorization for covert action—known in Washington as a “finding”—to slow Iran’s nuclear program. Because “findings” are secret and intended to be denied publicly, I had no expectation that the agency officials I saw that day would acknowledge their role in deploying the weapon, much less the subsequent destruction of roughly one thousand centrifuges that had been spinning beneath the Iranian desert. And they did not.
But something about this story was different, and it added to the tension over its forthcoming publication. Cyberweapons, among the first strategic weapons created by the intelligence agencies rather than by the military, had been swaddled in more secrecy than that surrounding nuclear and biological weapons, or new generations of stealth fighters and drones. There was an assumption inside the government that anything published about the use of cyberweapons would impede their future use. While the government would describe in great detail its outrage about cyberattacks against the United States—or even trace evidence that other powers had entered the networks of our banks or electric systems—it considered the most basic conversations about US capabilities, intentions, or doctrines off-limits. Even some inside the US government deemed this level of secrecy ridiculous: How could you begin to discuss setting international rules about the use of weapons you won’t acknowledge owning, much less using?
Clearly, there was no consensus within the Obama administration about how these weapons should be used. Even while Obama was approving new strikes on the Iranian nuclear plant, he harbored his own doubts. As our story explained, in meetings in the Situation Room in the first year of his presidency, Obama had repeatedly questioned whether the United States was setting a precedent—using a cyberweapon to cripple a nuclear facility—that the country would one day regret. This was, he and others noted, exactly the kind of precision-guided weapon that other nations would someday learn to turn on us. “It was the right question,” said one senior official who came into the administration after the Stuxnet attacks were over. “But no one understood how quickly that day would come.”
Curiously, Obama had already proven willing to engage in a public argument over similar questions about drones. Everything about drone warfare had been secret when he came to office, but over time Obama made elements of the program public and proved willing to explain the law and reasoning behind his decision to deploy these remote-controlled killing machines. In doing so, he gradually lifted the secrecy surrounding the use of drones so that the world could understand whether they were hitting terrorists, and when they went awry and killed children or wedding guests.
Cyberweapons were different. The government would barely admit to owning them, much less talk about the rules for when and why it used them. But the issues were very similar; just as investigative reporting about the unintended costs of drone strikes had forced
the debate about unmanned weapons, my editors and I felt a journalistic imperative to explain to readers how the government was embracing cyberweapons that could ultimately be turned against our homeland. Olympic Games had opened the door to a new dimension of warfare that no one fully understood.
The only thing that was clear was that there would be no backpedaling. When Michael Hayden, who had been central to the early days of America’s experimentation with cyberweapons, said that the Stuxnet code had “the whiff of August 1945” about it—a reference to the dropping of the atomic bomb on Hiroshima and Nagasaki—he was making clear that a new era had dawned. Hayden’s security clearances meant he couldn’t acknowledge American involvement in Stuxnet, but he left no doubt about the magnitude of its importance.
“I do know this,” Hayden concluded. “If we go out and do something, most of the rest of the world now feels that this is a new standard, and it’s something that they now feel legitimated to do as well.”
That is exactly what happened.
* * *
—
Hayden was well practiced at talking about Stuxnet as if he were an outsider looking in, a zoologist who had just observed the odd behavior of an animal and declared the discovery of a new species. But in fact, he likely knew exactly what he was looking at. Hayden served as director of the CIA during the early days of Olympic Games. By that time, he was already in the vanguard of those who, in the mid-1990s, came to believe that cyberweapons were not simply a new tool but also what war fighters call a “new domain”: the place where future power conflicts great and small would play out.
As Hayden rose through the ranks of the air force in the 1970s, everyone agreed on the four physical domains that had long defined warfare: People had fought on land and sea for millennia, and in the air since World War I. Space was added in the 1950s and ’60s, when satellites begat antisatellites, and intercontinental ballistic missiles led to antiballistic missile systems. But cyberspace? As one long-retired general once asked me with genuine mystification at the Air Force Academy in Colorado Springs, “How do you fight in a place you can’t see?”
Hayden’s insight into the game-changing nature of cyber conflict began to form more than twenty years earlier, when he was assigned to San Antonio, Texas, as the commander of the Air Intelligence Agency, an air force unit that gave him an early glimpse of the power of a new generation of electronic weapons. He remembered watching in wonder as members of the staff disabled remote workstations and used electronic-warfare techniques to fool a radarscope that was trying to track a fighter plane. But what struck him most, fresh back from the wars in the Balkans, was how relentlessly the US military was coming under regular attack in peacetime.
The year after Hayden got to Texas, in 1998, the FBI was called in to investigate seemingly bizarre intrusions that had begun popping up in strange places connected to military or intelligence networks, from the Los Alamos and Sandia National Laboratories—where nuclear weapons are designed—to universities, such as the Colorado School of Mines, which held a significant contract with the Navy. There was a particular concentration of intrusions around the networks of Wright-Patterson Air Force Base in Ohio, located on the site where the Wright brothers once tested many of their early planes.
It was a computer operator at the School of Mines who first discovered the hack, after he saw some nighttime computer activity he could not explain. The attack turned out to be a very large one, and persistent, seemingly coming from Russia. The hackers had lurked in some of these systems for two years and had stolen thousands of pages of unclassified material concerning sensitive technologies.
Shock soon gave way to the accompanying recognition of a new reality. The attack was given the name “Moonlight Maze.” The Russians were initially helpful in the investigation, until they realized that the FBI had evidence that it was the Russian government, not some teenage hackers, behind the intrusions. Moscow shut down its cooperation. John Hamre, the bookish, usually unflappable defense scholar who was serving as deputy secretary of defense, told Congressional intelligence committees, “We’re in the middle of a cyberwar.”
“This was a real wake-up call for us,” Hamre told me. “Until then, we’d had incursions, but never a case of a foreign power that broke into our systems and simply wouldn’t leave—and was hard to evict.”
Some experts who have studied the intrusion argue that Moonlight Maze never really ended; it just morphed into new attacks that continued for the next two decades. Whatever the truth, the Russian attacks galvanized the first serious efforts by the United States to defend its networks and form its own offensive cyber forces.
The attack forced the United States to confront the implications of the digital age. As Hayden noted, in the 1980s, when he was based in Korea, a military communication would be typed, scanned, sent to Washington, and then printed for someone to deal with as if it were just another piece of classified paper. But suddenly emails and classified cables became the default mode of communication and gave skilled intelligence agencies worldwide a way to intercept a far wider range of information “in transit.”
The explosion of digital data gave the NSA a new mission. The agency responsible for encrypting and protecting sensitive information, mostly for the military and intelligence agencies, zeroed in on a vast new set of targets: computer data stored around the world that was vulnerable to the NSA’s fast-growing cadres of hackers. Much of this information was not the kind of “data in transit” the NSA had spent decades intercepting. Instead, it was locked away in computer complexes that foreign governments, in their naïveté, had viewed as largely invulnerable. That was a fantasy, of course. An agency that had spent decades intercepting electrons flying through phone lines and over satellites was suddenly focused on what they called “data at rest.” And getting that data meant breaking into computer networks around the world.
“This was all about going to the end point, the targeted network,” Hayden later wrote, rather than waiting in hopes a message could be plucked out of the sky. And that required figuring out how to break into systems. Soon the NSA, CIA, and Pentagon joined forces to create an organization, blandly called the Information Operations Technology Center, designed to do just that.
The center was regarded with enormous suspicion by old-timers at the CIA who thought it represented game playing by people who should be doing real spying. But these veterans were living in a lost world. In retrospect, by the early 2000s the United States was entering a new arms race, akin to the one in which it had invested billions for the first hydrogen bomb, then the first intercontinental ballistic missiles, and later still missiles with multiple warheads. But even the Pentagon didn’t know how to think about these new weapons or where to put them in its vast bureaucracy. Donald Rumsfeld, returning in 2001 to the post of secretary of defense, which he had held in the late 1970s, began searching for a place to house this strange new capability—offensive cyberweapons—in the vastness of the military’s combat commands.
From Rumsfeld’s recently declassified “snowflakes”—his brief messages to his staff ordering up studies—it is clear that he sensed that cyberweapons were enormously powerful tools. But he struggled to understand how the Pentagon would use them. Naturally, the military had already developed jargon for the variety of techniques, vulnerabilities, and weapons in the arsenal. There were “computer network exploitation” operations, a fancy way of describing the theft of an adversary’s data. And there were “computer network attacks,” which are cyberattacks with real-world effects of the kind that were later tested in Olympic Games.
“Everything at the Pentagon needs a home,” Hamre told me. “And Rumsfeld, rightly, saw this as a strategic weapon and gave it to Hoss Cartwright at Strategic Command.”
Gen. James Cartwright, a marine aviator whose nickname, “Hoss,” was taken from a character in the ’60s television show Bonanza, ranked among the best strategic minds in
a military consumed by the day-to-day battles in Iraq and Afghanistan. He walked around Strategic Command with a low-key demeanor and a crinkly smile, an everyman look from his days growing up in Rockford, Illinois. Cartwright had been pre-med and a competitive swimmer at the University of Iowa and, in the last days of the Vietnam War, signed up with the marines as a naval aviator. There’s no room for error when taking off from and landing on aircraft carriers, and those high stakes appealed to Cartwright’s sense of precision. But he also learned that naval aviators can never look like they are sweating the details, even when there is only one chance to catch the cable that keeps a plane from plunging into the sea during a deck landing.
By the time Bush took office in 2001, Cartwright had developed a fascination with the promise, and the danger, of cyberweapons. In his quiet but intense fashion, he began questioning whether the systems and strategies the Pentagon had built up in the decades after World War II were sufficient to meet the challenges of the next fifty years. The answer seemed obvious to him.
Yet inside the Pentagon one could make a lot of enemies questioning whether the conventional weapons that had gotten us through Vietnam and two wars in the Gulf remained critical in an age in which breaking into an industrial control network might be more important than fielding new tanks and bombers. “There were a lot of people in the Pentagon who found Hoss’s questioning refreshing,” one of the members of the Joint Chiefs who served with him said to me. “And there were a lot who found it threatening.”
That was especially true as Cartwright took on his first major job as a marine general in 2004: head of the US Strategic Command in Omaha, Nebraska. There was no job where precision and a strategic view of the world mattered more. Strategic Command, known as Stratcom, is in charge of the nation’s nuclear arsenal. During the Cold War, it was the first line of defense against a nuclear conflict with the Soviets and was responsible for maintaining and moving nuclear weapons, drilling its staff for every scenario under which they might be launched, and making sure that any order to use them was authentic and legal. The opportunities for error on a horrific scale were endless.
The Perfect Weapon Page 3
