But the government is, of course, expected to protect against—or at least respond to—armed attacks on American cities. So what was a cyberattack more like? A home burglary or a missile attack from abroad? Or was it something completely different? And when was the potential peril to the United States so great that the government could no longer rely on companies or individual citizens to defend themselves but had to respond?
In eight years in the White House—years in which cyber went from a nuisance to a mortal threat—neither Obama nor the bureaucracy ever formulated a satisfying answer to those questions. Clearly, the first line of defense had to be the companies themselves. It made sense that when banks came under denial-of-service attacks, or utilities saw malware being implanted in their systems, the United States should hold back. After all, if corporate America thought the government was going to deal with cyber threats, they wouldn’t invest in protecting themselves. And many companies didn’t want the government inside their systems, even to play defense.
But when, exactly, would the United States intervene? Run-of-the-mill DoS attacks are one thing; attacks that threaten to turn off the power or freeze the financial markets are another. In the Sony case, Obama’s answer seemed to be that the United States would get involved when a fundamental American value—in this case, freedom of speech and assembly—seemed threatened by a foreign power. But he never publicaly justified that conclusion—or explained which other attacks might rise to the level of a federal response. Understandably, the government did not want to draw bright lines, for fear that attackers would walk right up to them. But Americans need to know who is responsible for protecting us and our data—just as we need to know that it is the police who protect us against home invasions and the Pentagon that defends us against intercontinental ballistic missiles.
The closest the government came to drawing clear lines came when Ashton Carter, the secretary of defense in Obama’s last years in office, presented a new cyber strategy at Stanford in April 2015—a strategy in which the military would take a larger role in defending American networks. “The cyber threat against US interests is increasing in severity and sophistication,” he told a Silicon Valley audience that was clearly divided on the question of how much it wanted the Pentagon to be involved in policing US networks. “While the North Korean cyberattack on Sony was the most destructive on a US entity so far, this threat affects us all….Just as Russia and China have advanced cyber capabilities and strategies ranging from stealthy network penetration to intellectual property theft, criminal and terrorist networks are also increasing their cyber operations.”
He went on to describe the “Cyber Missions Forces” that were being built up at US Cyber Command: 6,200 American warriors, including defensive teams and combat teams. And he called on Silicon Valley to send some of its best and brightest for tours of a year in the Pentagon so that the United States would be on the cutting edge of defense. (Silicon Valley executives were cautious about this idea. The head of a major firm doing business with the Pentagon told Carter’s entourage that he doubted his talented group of coders would be able to obtain security clearances. “Because they smoked pot in college?” he was asked. No, the executive clarified, “because they smoke pot on the job, while programming.”)
The new Pentagon policy described by Carter left deliberately vague when those teams of cyberwarriors would be called into action. Some of Carter’s aides spoke about employing American government defenses to protect against the top 2 percent of attacks—those that threaten America’s vital national interests. That made sense, though that likely meant the government would step in to defend the country only for a much smaller fraction of cyberattacks, maybe the top .02 percent. And what of the other 99.98 percent? Could companies be expected to defend themselves? And what would that defense look like?
The policy revived a long-simmering debate about the advisability of letting companies go beyond building bigger defenses to actually striking back themselves at their attackers—something called “hacking back.” It’s illegal, just as it’s illegal to break into the house of someone who robbed your house in order to retrieve your own property. But the fact of its illegality didn’t stop more than a few companies from trying, often through offshore subsidiaries or through proxies. (Google engineers thought seriously in 2009 about doing harm to servers in China where attacks on the company had originated, before cooler heads prevailed.) Periodically there have been movements in Congress to make hacking back legal—often under the rubric of “active defense”—as a way of letting cyber victims create some deterrence. Regardless of whether it would work or not, hacking back would certainly be satisfying for companies. It could also start a war.
“It would be a total disaster,” one senior military strategist said to me when the issue came up anew around the JPMorgan and Sony attacks. “Imagine a company takes out a big server in Russia or North Korea,” the official went on. “The Russians or the Koreans see it as a state-sponsored attack. So they escalate…” Before the first meeting on the confrontation is held in the Situation Room, a full-scale conflict ensues, all for a retaliatory strike the president was never so much as consulted about.
That prospect—how a cyberwar could turn into a shooting war—leaves a lot of people very scared. “We need arms control,” Brad Smith, the general counsel of Microsoft, told me in the weeks after the Sony hack.
But just as America did not want to discuss limiting nuclear weapons when it thought it was leading the world in the 1950s, it does not seem interested in any agreement that would limit its ability to develop its cyber arsenal. Instead, it was trying to develop new tools, and repurpose old ones, to retaliate—deterrence by the threat of force. The possibility of arms control appeared to be off the table.
* * *
—
Almost as quickly as Obama stepped into Air Force One for his Christmas vacation, the blogs and Twitter feeds erupted with doubters. Wasn’t this just the cyber equivalent to the faulty case against Iraq in 2003—when America was also told that the evidence against the Iraqi regime was too sensitive to reveal? Since hacks are notoriously hard to trace, how come the president was so sure about North Korea? Responses such as these revealed how deeply entrenched distrust of America’s intelligence agencies had become in the post-Snowden era.
Obama had made a critical mistake: he had accused an adversary of attacking the United States, but he omitted the evidence.
The White House was caught flat-footed. It hadn’t imagined, even in a post-Iraq age, that there would be serious doubts about the president’s accusation. But, of course, there were many doubts. A smattering of cybersecurity firms and private investigators came out with alternative theories. Some said it was the Chinese. Or the Russians. Or a disgruntled insider. Even Wired magazine, usually pretty careful about such topics, characterized the case as “flimsy.”
The truth was that the Obama administration had done a poor job of making its case against North Korea. There was no “Cuban Missile Crisis moment,” in which Obama, like Kennedy fifty-two years before, presented his evidence. And what would he have shown? Everyone could recognize the Soviet missiles in Kennedy’s spy-satellite photographs. But computer code was not made for vivid visuals.
“The best you can say is that there isn’t a shred of evidence that anyone else was behind the hack,” Kevin Mandia said to me at the time, after being called in to Sony to help.
In early January the White House announced some weak economic sanctions against North Korea—sanctions Kim may never even have noticed, given how many others had already been imposed. But afterward, the officials who designed that “proportional response” acknowledged that it was ridiculously weak, given the gravity of the attack on Sony and the president’s vow that the United States would not tolerate intimidation. Part of the problem, some of them admitted, was that many Americans simply didn’t believe the accusation against North Korea, or di
d not want to believe it. And the White House was still not ready to turn over evidence in public.
“If this had been a missile attack, we could have proved it,” one frustrated senior official told me. “No one would doubt us. But cyber is a different thing.”
In truth, even if he had been able to make the evidence public, Obama’s options were limited. Economic sanctions, the first tool of presidents who want to show they are doing something without risking conflict, might have been satisfying on the day they were announced. But there was no evidence that sixty years of sanctions had slowed, much less stopped, the North Koreans’ assembly of a good-sized nuclear stockpile. Why would sanctions do any better against a cyberattack?
In a series of Situation Room meetings in December, as aides tried to prepare options for Obama, more aggressive action was considered and rejected. The NSA and Cyber Command presented a list of responses Obama could order to disrupt North Korea’s ability to connect to the outside world—one reason so many suspected America’s fine hand when the North’s Internet links through China went dead for a while. (It now looks likely that switch was pulled by the Chinese themselves.) But in a hint of things to come in dealing with Russia, Obama’s aides feared that a counterstrike could start a cycle of escalation they could not stop. Clapper himself made the argument that the only deterrent that will work is a good defense, one that convinces would-be attackers that they will fail.
In short, in the Sony case, the government and the country got a glimpse of the disturbing, ambiguous nature of cyber conflict. It does not look like war as we know it, nor does it resemble Hollywood’s depictions of a devastating cyberattack. The Sony attack demonstrated how profoundly a new generation of weapons has changed the geography of conflict between states. The new targets will likely be all civilian: even a movie studio, hardly critical infrastructure, makes for a ripe target.
“In the end,” one of Obama’s advisers told me with resignation in his voice, “we’re a lot more vulnerable than they are.”
*1 It is almost impossible to verify what Kim actually said, unless his comments are made in statements broadcast by KCNA, the North Korean news agency.
*2 So far there has been no evidence of such help, but the hacker community is a pretty fluid one. It is just as likely the North Koreans got help from the Chinese, Russians, and Eastern Europeans.
*3 He was right: In late 2017—after blaming North Korea for a global cyberattack called “WannaCry”—Thomas Bossert, the Trump administration’s homeland security adviser, justified the United States’ failure to retaliate by admitting there was little way to strike back. “President Trump has used just about every lever you can use, short of starving the people of North Korea to death, to change their behavior.”
CHAPTER VII
PUTIN’S PETRI DISH
In the twenty-first century we have seen a tendency toward blurring the lines between the states of war and peace. Wars are no longer declared and, having begun, proceed according to an unfamiliar template.
—Valery Gerasimov, chief of the general staff of the Russian Federation Armed Forces, on Russia’s hybrid warfare strategy, 2013
In the last days of June 2017, Dmytro Shymkiv was 4,600 miles from Ukraine, dropping off his kids for summer camp in upstate New York. It was the family’s annual summer break from life in Kiev, a capital that still lives uncomfortably between the tug of old Soviet culture and the lure of new Europe.
At camp, the kids could practice their English and learn what it’s like to be American teenagers. But for Shymkiv, a broad-faced entrepreneur with spiky hair, then forty-one, who became one of Ukraine’s most recognizable techies long before he was lured into government service to help complete a revolution, the daily cyber battle with Moscow was never far away. Even in the mountains of New York.
“I had just gone out for a run,” Shymkiv recalled later that summer as we sat in his office in the presidential palace in Kiev, down the hall from President Petro Poroshenko. “When I came back, I caught my breath, and I looked at my phone and there was no real news. But then, on social media, there were indications of a problem. And not a little problem.”
Then the texts started pouring into his phone. Something—his staff could not tell exactly what—was freezing computers around Ukraine, simultaneously and seemingly permanently.
His first thought was that the Russians were back.
* * *
—
Before Shymkiv unexpectedly found himself playing the role of four-star general in the world’s most active cyberwar, he was a computer-obsessed kid growing up in a distant corner of the Soviet Union, and thinking constantly about how to get to the West. By the time he was a teenager, the Soviet Empire was no more, and by his twenties he had become one of the country’s first tech entrepreneurs, before pivoting to lead Microsoft’s small Ukraine operation. There he discovered just how vulnerable the country’s backward technological foundation—full of old machinery and pirated, unpatched software—was to a massive cyberattack. He knew how simple it was for Russia to exploit Ukraine’s weaknesses in the two wars simultaneously under way in Ukraine.
“There’s a shooting war in the Donbass, since Crimea,” he told me, referring to the eastern corner of the country where Russia’s military forces were conducting a guerilla war against Ukraine, after Vladimir Putin ordered the seizure of the Crimean territory in early 2014. “And there is a digital war, every day, in Kiev.” Shymkiv lived five hundred miles and a world away from that grim shooting war. But he had a front-row seat to the digital war, and it helped galvanize him to political action.
In February 2014, Shymkiv had taken vacation days from Microsoft to join the protests in Maidan Square at the center of Kiev—ground zero in the revolution that ousted Viktor Yanukovych, the corrupt former president and Russia-puppet. He camped with the protesters for two weeks, clearing snow and, ultimately, giving lectures on digital technology in the freezing cold in what came to be known, half in jest, as the “Open University of Maidan.” He kept his Microsoft affiliation quiet; the company didn’t know how the revolution was going to turn out and didn’t want to be associated with the uprising. But Shymkiv broke his cover one night when Poroshenko—the opposition politician who would ultimately prevail and emerge as the country’s president—came through. The two men chatted, a move that shocked some of Shymkiv’s fellow protorevolutionaries. Yanukovych, of course, was spending millions of dollars to stay in power, relying on the advice and services of Paul Manafort, his friend and chief political strategist. Ultimately, though, he fled to exile in Russia. The election to replace him, in May 2014, amounted to a stark choice between a Ukraine that would surrender to Putin and one that Shymkiv and a generation of young Ukrainians imagined—a country that would turn to Europe. That election was a major target for Putin, who sought to defeat Poroshenko or, if that failed, cast doubt on his legitimacy and the integrity of the Ukrainian democratic process.
Thirteen more months would pass before Donald Trump glided down the golden escalator at Trump Tower to announce his candidacy for president of the United States. But for anyone looking for a preview of coming attractions, this was it.
Putin’s cyber army went to work. Teams of hackers had scoped the Ukrainian election system, and planned their intrusions. On Election Day, they were ready. At the critical moment, they wiped out data in the system that tallied votes. But that was just the beginning. The hackers also managed to get into the reporting system that announced the results, altering the vote counts received by television networks. For a brief while, as news of the tally unfolded, it appeared to the Ukrainian media that Dmytro Yarosh, the leader of the nationalist and pro-Russia Right Sector Party, had emerged as the unlikely winner.
It was, of course, all a digital mind game. The Russian hackers didn’t think the television declaration would stick. Rather, they simply sought to create chaos, and fuel an argume
nt that Poroshenko manipulated the results to win. The plot failed: Ukrainian officials detected the attack, and corrected the results a nail-biting forty minutes before the networks aired them. Poroshenko had won, though not overwhelmingly—he had about 56 percent of the vote. Russia’s own television networks, apparently unaware that the cyberattack had been detected, announced the phony results, with Yarosh as the victor.
Within weeks Poroshenko had contacted Shymkiv, whom he knew only vaguely beyond that encounter in the square. “He didn’t give me much of a choice,” Shymkiv later said with a laugh. Soon the guy who had started in computing by playing with the portable Sinclair computers of the ’80s had been handed two tasks, both impossible: reforming Ukraine’s corrupt institutions and securing the country against the daily cyber onslaught from Russia.
Now, three years later, in the woods of New York state near his kids’ summer camp, Shymkiv fixated on his phone screen as texts from his Ukrainian colleagues pinged him in staccato. They reported that at around eleven-thirty in the morning computers across the country abruptly stopped working. ATMs were failing. Later the news got worse. There were reports that the automatic radiation monitors at the old Chernobyl nuclear plant couldn’t operate because the computers that controlled them went offline. Some Ukrainian broadcasters briefly went off the air; when they came back, they still could not report the news because their computer systems were frozen by what appeared to be a ransomware notice.
Ukraine had suffered cyberattacks before. But not like this one. The unfolding offensive seemed targeted at virtually every business in the country, both large and small—from the television stations to the software houses to any mom-and-pop shops that used credit cards. Computer users throughout the country all saw the same broken-English message pop onto their screens. It announced that everything on the hard drives of their computers had been encrypted: “Oops, your important files have been encrypted…Perhaps you are busy looking to recover your files, but don’t waste your time.” It went on to make the dubious claim that if they paid $300 in Bitcoin, the hard-to-trace cryptocurrency, their data would be unlocked.
The Perfect Weapon Page 18
