by Fred Kaplan
“Who’s in charge?”: “Lessons from Our Cyber Past—The First Military Cyber Units,” symposium transcript, Atlantic Council, March 5, 2012, http://www.atlanticcouncil.org/news/transcripts/transcript-lessons-from-our-cyber-past-the-first-military-cyber-units.
“responsible for coordinating”: Maj. Gen. John H. Campbell, PowerPoint presentation, United States Attorneys’ National Conference, June 21, 2000.
Meanwhile, the FBI was probing all leads: See the many FBI memos, to and from various field offices, in the declassified documents obtained by the Cyber Conflict Studies Association.
5.5 gigabytes of data: The figure of 5.5 gigabytes comes from Maj. Gen. John H. Campbell, PowerPoint briefing on computer network defense, United States Attorneys’ National Conference, June 21, 2000.
Days later, the news leaked to the press: “Cyber War Underway on Pentagon Computers—Major Attack Through Russia,” CNN, March 5, 1999; Barbara Starr, “Pentagon Cyber-War Attack Mounted Through Russia,” ABC News, March 5, 1999, http://www.rense.com/politics2/cyberwar.htm.
They flew to Moscow on April 2: Declassified FBI memos, in the files of the Cyber Conflict Studies Association, mention the trip: for instance, FBI, Memo, from NatSec, “Moonlight Maze,” March 31, 1999; FBI, Memo (names redacted), Secret/NoForn, “Moonlight Maze Coordinating Group,” April 15, 1999. The rest of the material comes from interviews. (The April 15 memo also mentions that Justice and Defense Department officials, including Michael Vatis and Soup Campbell, briefed key members of House and Senate Intelligence Committees on Feb. 21, 1999, and that the first public mention of Moonlight Maze was made by John Hamre on March 5, 1999, one year after the first intrusions.)
CHAPTER 6: THE COORDINATOR MEETS MUDGE
The collective had started: The section on Mudge and the L0pht comes mainly from interviews, though also from Bruce Gottlieb, “HacK, CouNterHaCk,” New York Times, Oct. 3, 1999; Michael Fitzgerald, “L0pht in Transition,” CSO, April 17, 2007, http://www.csoonline.com/article/2121870/network-security/lopht-in-transition.html; “Legacy of the L0pht,” IT Security Guru, http://itsecurityguru.org/gurus/legacy-l0pht/#.VGE-CIvF_QU. Clarke later wrote a novel, Breakpoint (New York: G. P. Putnam’s Sons, 2007), in which one of the main characters, “Soxster,” is based on Mudge; and a hacker underground called “the Dugout” is modeled on the L0pht.
He’d been a hacker: His guitar playing at Berklee comes from Mark Small, “Other Paths: Some High-Achieving Alumni Have Chosen Career Paths That Have Led Them to Surprising Places,” Berklee, Fall 2007, http://www.berklee.edu/bt/192/other_paths.html.
He and the other L0pht denizens: The hearing can be seen on YouTube, http://www.youtube.com/watch?v=VVJldn_MmMY.
Three days after Mudge’s testimony: Bill Clinton, Presidential Decision Directive/NSC-63, “Critical Infrastructure Protection,” May 22, 1998, http://fas.org/irp/offdocs/pdd/pdd-63.htm.
FIDNET, as he called it: John Markoff, “U.S. Drawing Plan That Will Monitor Computer Systems,” New York Times, July 28, 1999; and interviews.
“Orwellian”: Tim Weiner, “Author of Computer Surveillance Plan Tries to Ease Fears,” New York Times, Aug. 16, 1999; and interviews.
“While the President and Congress can order”: Bill Clinton, National Plan for Information Systems Protection, Jan. 7, 2000, http://cryptome.org/cybersec-plan.htm.
Still, Clarke persuaded the president to hold a summit: Most of this comes from interviews, but see also Gene Spafford, “Infosecurity Summit at the White House,” Feb. 2000, http://spaf.cerias.purdue.edu/usgov/pres.html; CNN, Morning News, Feb. 15, 2000, http://transcripts.cnn.com/TRANSCRIPTS/0002/15/mn.10.html; Ricardo Alonso-Zaldivar and Eric Lichtblau, “High-Tech Industry Plans to Unite Against Hackers,” Los Angeles Times, Feb. 16, 2000.
A few weeks earlier, Mudge had gone legit: Kevin Ferguson, “A Short, Strange Trip from Hackers to Entrepreneurs,” Businessweek Online Frontier, March 2, 2000, http://www.businessweek.com/smallbiz/0003/ep000302.htm?scriptframed.
CHAPTER 7: DENY, EXPLOIT, CORRUPT, DESTROY
“the first of its kind”: U.S. Air Force, 609 IWS: A Brief History, Oct 1995–Jun 1999, https://securitycritics.org/wp-content/uploads/2006/03/hist-609.pdf.
“any action to deny, exploit”: U.S. Air Force, Cornerstones of Information Warfare, April 4, 1997, www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA323807/.
J-39 got its first taste of action: On Operation Tango (though not J-39’s role), see Richard H. Curtiss, “As U.S. Shifts in Bosnia, NATO Gets Serious About War Criminals,” Christian Science Monitor, July 18, 1997; and interviews.
more than thirty thousand NATO troops: NATO, “History of the NATO-led Stabilisation Force (SFOR) in Bosnia and Herzegovina,” http://www.nato.int/sfor/docu/d981116a.htm.
“at once a great success”: Admiral James O. Ellis, “A View from the Top,” PowerPoint presentation, n.d., http://www.slideserve.com/nili/a-view-from-the-top-admiral-james-o-ellis-u-s-navy-commander-in-chief-u-s-naval-forces-europe-commander-allied.
CHAPTER 8: TAILORED ACCESS
In the summer of 1998: The Air Force tried to take ownership of Joint Task Force-Computer Network Defense, arguing that its Information Warfare Center had unique resources and experience for the job, but Art Money and John Hamre thought it needed to be an organization that either included all services or transcended them. (Interviews.)
So, on April 1, 2000: U.S. Space Command, “JTF-GNO History—The Early Years of Cyber Defense,” Sept. 2010; and interviews.
A systematic thinker who liked: GEDA is cited by Richard Bejtlich, “Thoughts on Military Service,” TAO Security blog, Aug. 3, 2006, http://taosecurity.blogspot.com/2006/08/thoughts-on-military-service.html; and interviews.
Suddenly, if just to stake a claim: William M. Arkin, “A Mouse That Roars?,” Washington Post, June 7, 1999; Andrew Marshall, “CIA Plan to Topple Milosevic ‘Absurd,’ ” The Independent, July 8, 1999; and interviews.
To keep NSA at the center of this universe: NSA/CSS, Transition 2001, Dec. 2000, http://www2.gwu.edu/~nsarchiv/NSAEBB/NSAEBB24/nsa25.pdf; George Tenet, CIA Director, testimony, Senate Select Committee on Government Affairs, June 24, 1998, https://www.cia.gov/news-information/speeches-testimony/1998/dci_testimony_062498.html; Arkin, “A Mouse That Roars?”; and interviews.
The report was written by the Technical Advisory Group: Much of the section on TAG comes from interviews; the TAG report is mentioned in Douglas F. Garthoff, Directors of Central Intelligence as Leaders of the U.S. Intelligence Community, 1946–2005 (Washington, D.C.: CIA Center for the Study of Intelligence, 2005), 273.
The Senate committee took his report very seriously: Senate Select Committee on Intelligence, Authorizing Appropriations for Fiscal Year 2001 for the Intelligence Activities of the United States Government, Senate Rept. 106-279, 106th Congress, May 4, 2000, https://www.congress.gov/congressional-report/106th-congress/senate-report/279/1; and interviews.
“poorly communicated mission”: NSA/CSS, External Team Report: A Management Review for the Director, NSA, Oct. 22, 1999, http://fas.org/irp/nsa/106handbk.pdf; and interviews.
“is a misaligned organization”: NSA/CSS, “New Enterprise Team (NETeam) Recommendations: The Director’s Work Plan for Change,” Oct. 1, 1999, http://cryptome.org/nsa-reorg-net.htm.
On November 15, he inaugurated: Seymour M. Hersh, “The Intelligence Gap,” The New Yorker, Dec. 6, 1999; and interviews.
The NSA’s main computer system crashed: “US Intelligence Computer Crashes for Nearly 3 Days,” CNN.com, Jan. 29, 2000, http://edition.cnn.com/2000/US/01/29/nsa.computer/; and interviews.
He called the new program Trailblazer: NSA Press Release, “National Security Agency Awards Concept Studies for Trailblazer,” April 2, 2001, https://www.nsa.gov/public_info/press_room/2001/trailblazer.shtml; Alice Lipowicz, “Trailblazer Loses Its Way,” Washington Technology, Sept. 10, 2005, https://washingtontechnology.com/articles/2005/09/10/trailblazer-loses-its-way.aspx.
SAIC was particularly intertwined: Siobhan Gorman, “Little-Known Contractor Has Close Ties with Staff of NSA,” Baltimore Sun, Jan. 29, 2006, http://articles.baltimoresun.com/2006-01-29/news/0601290158_1_saic-information-technology-intelligence-experts; “Search Top Secret America’s Database of Private Spooks,” Wired, July 19, 2010, http://www.wired.com/2010/07/search-through-top-secret-americas-network-of-private-spooks/.
In the coming years, TAO’s ranks would swell: “Inside TAO: Documents Reveal Top NSA Hacking Unit,” Der Spiegel, Dec. 29, 2013, http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969.html.
These devices—their workings: Matthew M. Aid, “Inside the NSA’s Ultra-Secret China Hacking Group,” Foreign Policy, June 10, 2013.
One device, called LoudAuto: The names of these programs come from a fifty-eight-page TAO catalogue of tools and techniques, among the many documents leaked by former NSA contractor Edward Snowden. No U.S. newspaper or magazine reprinted the list (the reporters and editors working the story considered it genuinely damaging to national security), but Der Spiegel did, in its entirety (Jacob Appelbaum, Judith Horchert, and Christian Stöcker, “Shopping for Spy Gear: Catalog Advertises NSA Toolbox,” Dec. 29, 2013), and computer security analyst Bruce Schneier subsequently reprinted each item, one day at a time, on his blog.
As hackers and spies discovered vulnerabilities: “Inside TAO.”
In the ensuing decade, private companies: For more on zero-day exploits, see Neal Ungerleider, “How Spies, Hackers, and the Government Bolster a Booming Software Exploit Market,” Fast Company, May 1, 2013; Nicole Perlroth and David E. Sanger, “Nations Buying as Hackers Sell Flaws in Computer Code,” New York Times, July 13, 2013; Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (New York: Crown, 2014). Specific stories come from interviews.
During the first few months of Bush’s term: Richard A. Clarke, Against All Enemies (New York: Free Press, 2004); Steve Coll, Ghost Wars: The Secret History of the CIA, Afghanistan, and Bin Laden, from the Soviet Invasion to September 10, 2001 (New York: Penguin, 2004), 435.
On the day of the 9/11 attacks: Robin Wright, “Top Focus Before 9/11 Wasn’t on Terrorism,” Washington Post, April 1, 2004.
Rice let him draft: Executive Order 13226—President’s Council of Advisors on Science and Technology, Sept. 30, 2001, http://www.gpo.gov/fdsys/pkg/WCPD-2001-10-08/pdf/WCPD-2001-10-08-Pg1399.pdf; background, town halls, etc. come from interviews.
As it turned out, the final draft: President George W. Bush, The National Strategy to Secure Cyberspace, Feb. 2003, https://www.us-cert.gov/sites/default/files/publications/cyberspace_strategy.pdf.
CHAPTER 9: CYBER WARS
When General John Abizaid: For more on Abizaid and the Iraq War, see Fred Kaplan, The Insurgents: David Petraeus and the Plot to Change the American Way of War (New York: Simon & Schuster, 2013), esp. 182; the rest of this section comes from interviews.
Meanwhile, Secretary of Defense Donald Rumsfeld: See ibid., Ch. 4.
Seventeen years had passed: https://www.nsa.gov/about/leadership/former_directors.shtml.
That same month, Rumsfeld signed: Dana Priest and William Arkin, Top Secret America: The Rise of the New American Security State (New York: Little, Brown, 2011), 236.
A few years earlier, when Alexander: The section on the Alexander-Hayden feud and James Heath’s experiment at Fort Belvoir comes from interviews. Some material on Heath also comes from Shane Harris, “The Cowboy of the NSA,” Foreign Policy, Sept. 2013; and Shane Harris, The Watchers: The Rise of America’s Surveillance State (New York: Penguin, 2010), 99, 135. Some have reported that Alexander designed the Information Dominance Center’s command post to look like the captain’s deck on Star Trek, but in fact it was set up not by Alexander or even by Noonan, but rather by Noonan’s predecessor, Major General John Thomas. (Ryan Gallagher, “Inside the U.S. Army’s Secretive Star Trek Surveillance Lair,” Slate, Sept. 18, 2013, http://www.slate.com/blogs/future_tense/2013/09/18/surveilliance_and_spying_does_the_army_have_a_star_trek_lair.html; and interviews.)
But Alexander won over Rumsfeld: Most of this comes from interviews, but the transfer of data in June 2001 is also noted in Keith Alexander, classified testimony before House Permanent Select Committee on Intelligence, Nov. 14, 2001, reprinted in U.S. Army Intelligence and Security Command, Annual Command History, Fiscal Year 2001, Sept. 30, 2002 (declassified through Freedom of Information Act).
Ironically, while complaining: For details on Stellar Wind, see Barton Gellman, “U.S. Surveillance Architecture Includes Collection of Revealing Internet, Phone Metadata,” Washington Post, June 15, 2013, and, attached on the Post website, the top secret draft of an inspector general’s report on the program, http://apps.washingtonpost.com/g/page/world/national-security-agency-inspector-general-draft-report/277/.
Trailblazer had consumed $1.2 billion: Siobhan Gorman, “System Error,” Baltimore Sun, Jan. 29, 2006, http://articles.baltimoresun.com/2006-01-29/news/0601280286_1_intelligence-experts-11-intelligence-trailblazer; Alice Lipowicz, “Trailblazer Loses Its Way,” Washington Technology, Sept. 10, 2005, http://washingtontechnology.com/articles/2005/09/10/trailblazer-loses-its-way.aspx; and interviews.
Turbulence consisted of nine smaller systems: Robert Sesek, “Unraveling NSA’s Turbulence Programs,” Sept. 15, 2014, https://robert.sesek.com/2014/9/unraveling_nsa_s_turbulence_programs.html; and interviews.
RTRG got under way: This comes mainly from interviews, but also from Bob Woodward, Obama’s Wars (New York: Simon & Schuster, 2010), 10; Ellen Nakashima and Joby Warrick, “For NSA Chief, Terrorist Threat Drives Passion to ‘Collect It All,’ ” Washington Post, July 14, 2013; Shane Harris, @War: The Rise of the Military-Internet Complex (New York: Houghton Mifflin Harcourt, 2014), Ch. 2.
In 2007 alone, these sorts of operations: “General Keith Alexander Reveals Cybersecurity Strategies and the Need to Secure the Infrastructure,” Gartner Security and Risk Management Summit, June 23–26, 2014, http://blogs.gartner.com/security-summit/announcements/general-keith-alexander-reveals-cybersecurity-strategies-and-the-need-to-secure-the-infrastructure/; and interviews.
The effect was not decisive: For more on this point, see Kaplan, The Insurgents, esp. Ch. 19.
On September 6: David A. Fulghum, “Why Syria’s Air Defenses Failed to Detect Israelis,” Aviation Week & Space Technology, Nov. 12, 2013; Erich Follath and Holger Stark, “The Story of ‘Operation Orchard’: How Israel Destroyed Syria’s Al Kibar Nuclear Reactor,” Der Spiegel, Nov. 2, 2009, http://www.spiegel.de/international/world/the-story-of-operation-orchard-how-israel-destroyed-syria-s-al-kibar-nuclear-reactor-a-658663.html; Richard A. Clarke and Robert A. Knake, Cyber War (New York: HarperCollins, 2010), 1–8; Robin Wright, “N. Koreans Taped at Syrian Reactor,” Washington Post, April 24, 2008; “CIA Footage in Full,” BBC News, April 24, 2008, http://news.bbc.co.uk/2/hi/7366235.stm; and interviews.
They did so with a computer program called Suter: Fulghum, “Why Syria’s Air Defenses Failed to Detect Israelis”; and interviews. There was some controversy over whether the target was really a nuclear reactor, but in retrospect the evidence seems indisputable. Among other things, the International Atomic Energy Agency found, in soil samples it collected around the bombed reactor, “a significant number of anthropogenic natural uranium particles (i.e., produced as a result of chemical processing).” (Follath and Stark, “The Story of ‘Operation Orchard.’ ”)
Four and a half months earlier: “War in the Fifth Domain,” The Economist, July 1, 2010, http://www.economist.com/node/16478792; Andreas Schmidt, “The Estonian Cyberattacks,” in Jason Healey, ed., A Fierce Domain, 174–93; Clarke and Knake, Cyber War, 12–16.
On August 1, 2008, Ossetian separatists: U.S. Cyber Consequences Unit, Overview by the US-CCU of the Cyber Campaign Against Georgia in August of 2008 (Aug. 2009), http://www.registan.net/wp-content/uploads/2009/08/US-CCU-Georgia-Cyber-Campaign-Overview.pdf; Andreas Hagen, “The Russo-Georgian War, 2008,” in Healey, ed., A Fierce Domain, 194–204; Government of Georgia, Ministry of Foreign Affairs, Russian Invasion of Georgia: Russian Cyberwar on Georgia (Nov. 10, 2008), http://www.mfa.gov.ge/files/556_10535_798405_Annex87_CyberAttacks.pdf.
On March 4, 2007, the Department of Energy: The background of the test comes from interviews. See also “Mouse Click Could Plunge City into Darkness, Experts Say,” CNN, Sept. 27, 2007, http://www.cnn.com/2007/US/09/27/power.at.risk/index.html; Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (New York: Crown, 2014), Ch. 9.
Almost instantly, the generator shook: For the video, see https://www.youtube.com/watch?v=fJyWngDco3g.
In 2000, a disgruntled former worker: Zetter, Countdown to Zero Day, 135ff.
CHAPTER 10: BUCKSHOT YANKEE
When the position was created: Fred Kaplan, “The Professional,” New York Times Magazine, Feb. 10, 2008.
So McConnell’s briefing: The date of the meeting comes from “NSC 05/16/2007-Cyber Terror” folder, NSC Meetings series, National Security Council-Records and Access Management Collection, George W. Bush Presidential Library (folder obtained through Freedom of Information Act). The substance of the meeting (which was not declassified) comes from interviews.
Bush quickly got the idea: This is based on interviews, though it’s also covered in Shane Harris, @War: The Rise of the Military-Internet Complex (New York: Houghton Mifflin Harcourt, 2014), Ch. 2.
But the task proved unwieldy: William Jackson, “DHS Coming Up Short on Einstein Deployment,” GCN, May 13, 2003, http://gcn.com/articles/2013/05/13/dhs-einstein-deployment.aspx; and interviews.
On January 9, 2008: President George W. Bush, National Security Presidential Directive (NSPD) 54, “Cyber Security Policy,” Jan. 8, 2008, http://www.fas.org/irp/offdocs/nspd/nspd-54.pdf. The background comes from interviews.
Meanwhile, Homeland Security upgraded Einstein: Steven M. Bellovin et al., “Can It Really Work? Problems with Extending Einstein 3 to Critical Infrastructure,” Harvard National Security Journal, Vol. 3, Jan. 2011, http://harvardnsj.org/wp-content/uploads/2012/01/Vol.-3_Bellovin_Bradner_Diffie_Landau_Rexford.pdf; and interviews.