The Perfect Weapon
The attack was designed to look like a national shakedown scheme. It wasn’t. The hackers weren’t after money, and they didn’t get much.
This was “NotPetya”—so nicknamed by Kaspersky Lab, which was itself suspected by the US government of providing back doors to the Russian government via its profitable security products. (The attack got its odd-sounding name because cyber-threat experts, trying to understand the inner dynamics of the attack, found elements in it that were similar to malware called “Petya” used in an attack the year before.) It didn’t seem coincidental that the malicious code detonated just before the holiday that marks the adoption, in 1996, of Ukraine’s first constitution after its break from the Soviet Union. But how had the hackers managed to freeze so many systems at once—upward of 30 percent of the nation’s computers, of many different types?
It turned out that Ukraine’s own backwardness—and an archaic remnant of its past—had played into the hands of the attackers. In true post-Soviet style, Ukraine required businesses to use a common piece of accounting software, M.E.Doc. It was clunky, it was old, but it was required by the state. Corrupting the software with malware was ridiculously easy: No one had invested in updating it in years. In fact, it used an outdated “platform” that had not even been supported by its manufacturer since 2013. No updates, no security patches.
By the time Shymkiv sped back to Kennedy Airport, his staff had discovered that the attack was no one-day event. “It turned out that bringing all those businesses down was the very end of a much bigger operation,” he told me later. For months, the forensics showed, the Russian hackers had been gathering intelligence on Ukraine’s top businesses, downloading emails and looking for everything from passwords to good blackmail material.
“Then, at the end, when they were done, they planted the bombs,” Shymkiv said. “It was like the old Soviet days: First you rob the village, then you burn it.”
* * *
It is tempting to think of cyberwar as something that takes place separate and apart from other conflicts, that what happens in the cloud is somehow divorced from what happens on the ground. When nations first built air forces, they thought something similar: dogfights in the air were one campaign, shooting in the trenches another. It was not until World War II that the concept of a “single battle space”—air, land, and sea—took hold. In some corners of the world that concept was already happening in cyber. It was just harder to see.
In the battle for Ukraine’s territory and its soul, conventional war and cyberwar did more than just complement each other. They became the Möbius strip of twenty-first-century conflict, one continuous band, with surfaces that seem to blend seamlessly into each other. Putin showed the world how effective this strategy, what the Pentagon terms “hybrid warfare,” can be.
The strategy was hardly a state secret. In fact, Valery Gerasimov, the chief of the general staff of the Russian Federation armed forces, described it in a much-quoted 2014 article in a Russian defense journal (the wonderfully named The Military-Industrial Courier) articulating what is now widely known as the Gerasimov doctrine.
Gerasimov described what any historian of Russian war fighting knows well: a battlefield war that merges conventional attacks, terror, economic coercion, propaganda, and, most recently, cyber. Each component enhanced the others. This blended approach had long helped Russia to project power around the globe, even when it was outgunned and outspent. Stalin was a master of information warfare, at home and abroad, and used it to increase his odds of victory in conventional war. If it confused and divided his enemies at home, all the better.
What is different now is the great amplifier of social media. Stalin would have loved Twitter. Skillful as he was as a propagandist, his transmission capability was primitive. “What’s new is not the basic model; it’s the speed with which such disinformation can spread and the low cost of spreading it,” American political scientist Joseph Nye, the man who invented the term “soft power,” wrote in describing how Russia was making use of “sharp power.” If soft power is the ability to win over other societies because of the attractiveness of your culture, economy, and civic discourse, sharp power is the ability to insert the knife, stealthily and surgically. As Nye says, “Electrons are cheaper, faster, safer, and more deniable than spies.”
There were many critiques of the Gerasimov doctrine, most arguing that far too much importance was given to a single article in a weekly journal. They contended that Gerasimov was simply observing an element of military strategy that both long pre-dated Putin and wasn’t specific to Russia.
Fair enough, but Gerasimov’s observations grew ever more relevant because cyber had forever altered the hybrid warfare game, and Russia had incorporated it more brilliantly than most other powers. When Gerasimov published his article in 2013, American war fighters looking at cyberpower were still focusing on its physical effects on power plants or equipment, as embodied by Operation Olympic Games. For them, cyberwar was one thing, information war another. To the Russians, it was all on a spectrum. At one end was pure propaganda. Then came fake news, manipulated election results, the publication of stolen emails. Physical attacks on infrastructure marked the far end.
Ukraine was where the techniques all came together, starting in early 2014. In the country’s east, Putin sent in the Little Green Men—his unofficial army of soldiers, so named for their unmarked green uniforms—to maintain a simmering, low-level insurrection that used assassinations and bombings to keep the Ukrainian government off balance. To Putin, his plainclothes fighters served the same role on the streets that his hackers served on the Internet: deniability. Accustomed to an era when battles were fought by soldiers, the international community was hesitant to act without ascertaining the same level of attribution that insignia once provided. His green men and hackers alike were cloaked in enough ambiguity that Putin could get away with attacks consequence-free—even when there was little doubt that he was the source.
But Putin also recognized early, long before the West caught on to his scheme, that Ukraine’s political divisions were ripe for exploitation. The divide between the Russian-speaking sections of the country and the rest would be particularly vulnerable to his cyber schemes, designed to hollow out a state, gradually degrade its institutions, and undermine confidence in everything from election boards to the courts and the embattled local governments. Not surprisingly, every technique Americans soon worried about began in the Ukraine: manipulated election results, fictional online personas who widen social divisions and stoke ethnic fears, and what was called “fake news” before the phrase was twisted into new meaning by an American president.
Putin’s goals in Ukraine were as much psychological as physical. He wanted to declare to Ukrainians that their country exists only because Russia allows it to exist. Putin’s message to the Ukrainians was simple: We own you.
It is no surprise that Putin picked the Soviet Union’s old breadbasket for this experiment. Ukraine has never qualified for NATO membership. And even if it ever does manage to qualify, it is unclear whether NATO will take the risk of accepting it into the fold. Putin could attack without fear that the Western alliance will do more than issue international condemnations and sanctions. And in 1994, when Ukraine voluntarily gave up the nuclear weapons based there since the Soviet days—destroying them in return for a vague commitment that all nations will “refrain from the threat or use of force against the territorial integrity or political independence of Ukraine”—it also gave up any credible threat that it could strike back.
That commitment to Ukraine’s independence—or what the West carefully termed an “assurance” because they actually committed to nothing—was shown to be empty when Putin seized Crimea in March 2014. The territory, he argued, had been part of Russia from 1783 to 1954, when Khrushchev handed it over to the Ukrainians. It was a blurry-enough history, and Putin rightly calculated that no American president or European leader would risk lives to defend a Russian-speaking corner of a faraway nation, especially outside the Western alliance.
In keeping with the Gerasimov doctrine, the violent seizure of the Ukrainian territory included political tactics, as Putin sought to boost the legitimacy of his actions through a “democratic” referendum over the status of the territory in March 2014. Media accounts suggested that the decision of the parliament to hold a referendum in the first place was achieved by fraud. One indicator of the dubious electoral practices, Forbes later reported, was that 123 percent of registered voters in Sevastopol cast ballots in the referendum.
There was enough confusion, plausible deniability, and disinterest in the region as a whole that Putin largely got away with it. At the time, he was doing the same in Syria, preparing the ground for what would become a full-scale military intervention in 2015. But the United States was oddly passive in both cases. Obama seemed fatalistic about Ukraine when he told Jeffrey Goldberg of The Atlantic that “the fact is that Ukraine, which is a non-NATO country, is going to be vulnerable to military domination by Russia no matter what we do.” He was similarly cautious about Syria. When the Pentagon and the National Security Agency came to him with a battle plan that featured a sophisticated cyberattack on the Syrian military and President Bashar al-Assad’s command structure, Obama said he saw no strategic value in pushing back in Syria.
In both cases, the United States and its allies deployed their standard tool for when military action seems too costly and doing nothing seems too feckless: economic sanctions. In the face of the Gerasimov doctrine and Putin’s asymmetrical warfare, the best the US could do was make it difficult for Putin to ship out his oil and gas or lure new investors to revitalize a languishing Russian economy. After oil prices collapsed in late 2014, the sanctions began to cause real pain—chasing away foreign investors and undercutting Putin’s support by undercutting growth. And one of the potential investors who was trying yet again to build a hotel in Moscow was Donald Trump.
During the first year of sanctions, one European diplomat who dealt often with Russia reported, “the Russians were telling the oligarchs, ‘Just wait it out. The sanctions cost Europe too much business. They will go away.’ ” But in fact, the sanctions held, and in the United States they received overwhelming bipartisan support. Overwhelming—but not unanimous, at least after Donald Trump came along. One of the most striking aspects of one of the interviews Maggie Haberman and I conducted with Trump during his presidential campaign—long before there were charges that Trump was somehow in Putin’s thrall—came when the new-to-foreign-affairs candidate told us he had doubts that the sanctions made sense at all. He did it in typical Trumpian style, assuring us of his deep interest in Ukraine and then asking why Americans should be paying the whole price for keeping Putin at bay:
Now I’m all for Ukraine, I have friends that live in Ukraine, but it didn’t seem to me, when the Ukrainian problem arose, you know, not so long ago, and we were, and Russia was getting very confrontational, it didn’t seem to me like anyone else cared other than us. And we are the least affected by what happens with Ukraine because we’re the farthest away. But even their neighbors didn’t seem to be talking about it.
And, you know, you look at Germany, you look at other countries, and they didn’t seem to be very much involved. It was all about us and Russia. And I wondered, why is it that countries that are bordering the Ukraine and near the Ukraine—why is it that they’re not more involved? Why is it that they are not more involved? Why is it always the United States that gets right in the middle of things, with something that—you know, it affects us, but not nearly as much as it affects other countries.
He then argued, “we’re fighting for the Ukraine, but nobody else is fighting for the Ukraine.”
“It doesn’t seem fair,” Trump told us, never lingering on what Putin was doing to the Ukrainian people or the offenses to the country’s sovereignty. “It doesn’t seem logical.”
That was the part of the interview, we learned later, that the Russians noticed.
* * *
Before the United States was worried about Russian meddling in American elections, its fears were a lot more basic: the potential for a “Cyber Pearl Harbor.” That was the line Leon Panetta, by then Obama’s defense secretary, had used in 2012, in a speech aboard a World War II aircraft carrier moored in New York Harbor. Such a strike, he told an invited audience, could “paralyze and shock the nation and create a new, profound sense of vulnerability.”
He was hardly the first to use the evocative phrase; it had been employed for its rhetorical power for more than a quarter of a century. But Panetta, a savvy California politician, understood the power of the imagery. Congress, he once told me, “has a hard time funding defenses against a threat it can’t see.” So, even if it required bending reality a bit, he needed to liken cyberattacks to the most devastating surprise attack of the twentieth century. “We couldn’t get Congress to focus on the issue,” he told me later. “Somebody had to ring the bell, and the way to do that was to look at the potential for what a cyberattack could mean for our country.”
Yet Panetta, better than almost anyone, understood why the analogy was imperfect. The most devastating cyberattacks, his experience taught him, were the most subtle. As CIA director, the post he held before he moved over to the Pentagon, he was a key player in Operation Olympic Games—and he had come to appreciate that much of the power in that attack came from its corrosive psychological effects as much as its destructive effects.
Panetta had reported to Obama in 2009 and early 2010 that the Iranians were dismantling parts of their enrichment center because of their inability to comprehend what was happening, and their fear of more calamities. In fact, even after Panetta delivered the news to Obama that the Stuxnet worm had gotten loose and was replicating itself across the globe, they agreed to keep the attacks under way for a while. The Iranians probably still hadn’t grasped what was going on, Obama and Panetta bet, so the weapon had some lingering utility.
Panetta’s real worry after he gave the speech in 2012 was less about an attack that had the drama of Pearl Harbor and more about one with the subtlety of Olympic Games. His staff spent endless hours mapping out what it would look like if an attack hit American industrial control systems—either quietly paralyzing America’s ability to defend itself or causing damage akin to what the United States and Israel inflicted on the Natanz nuclear plant. When the electric grid began to fail, he thought, or communications were lost to submarines at sea, it might not look at first like a cyberattack. It might look more like a screw-up. Which of course is exactly how cyberattacks often unfolded in Ukraine, where screw-ups were a pretty common explanation for just about anything that went wrong.
* * *
Andy Ozment, of course, didn’t need a wake-up call in the days before Christmas 2015. When he stepped into the Department of Homeland Security’s giant war room—the National Cybersecurity & Communications Integration Center—it was clear that something was going wrong in Ukraine. The screens in the center mostly monitor events in the United States. But the command center also has linkages to the National Security Agency and Computer Emergency Readiness Teams, the organizations that keep each nation’s networks running around the world. And everyone on those channels was buzzing about the electric outage in Ukraine, because in the cyber world, what happens in Kiev almost never stays in Kiev.
For more than a year, secret briefings inside the US government suggested the Russians were already implanting similar software in the United States. In chilling detail, they revealed the degree to which a foreign power was poised to turn out the lights. Ozment knew that the Russians, among others, were littering American power plants, industrial systems, and communications networks with implants that could be used later on to alter data or shut those systems down. Since 2014, intelligence agencies had been warning that Russia was likely already inside the American electric grid. The malware took many forms, often called “BlackEnergy.”
The implants scared the hell out of American defense officials—but they were determined not to show it. In their most benign mode, the implants are useful for surveillance—broadcasting back to their home base news about what is happening inside a network. But what makes cyber threats different is that the same implant that is used for surveillance can be repurposed as a weapon. All it requires is the injection of new code. So on one day, the implant may be sending back blueprints of the electric grid. The next day it can be used to fry that grid. Or wipe out data. Or allow someone in a remote locale to take control of the equipment—and drive it off a cliff, so to speak.
The problem, as Ozment saw it, was that no one knew whether the Russians intended the hack to be a nuisance, an attack, a warning, or a rehearsal for something much larger. Perhaps they were just exploring how easy—or difficult—it was to get inside America’s electric utilities, each of which is configured differently. Imagine a bank robber with global ambitions, facing the question of how to break into a series of bank vaults in New York, London, and Hong Kong. No two would be exactly alike. Everything would have to be custom-designed: Disabling the alarms, busting in, and making it impossible for outsiders to figure out what you are doing. A good escape plan, with no fingerprints or DNA left behind, would help too.