Dark Territory
Page 32
The day before, he’d given Clapper’s office: Senator Ron Wyden, press release, June 11, 2013, http://www.wyden.senate.gov/news/press-releases/wyden-statement-responding-to-director-clappers-statements-about-collection-on-americans.
“I thought, though, in retrospect”: Andrea Mitchell, interview with General James Clapper, NBC-TV, June 9, 2013.
“besmirching the reputation”: Steven Burke, “Cisco Senior VP: NSA Revelations Besmirched Reputation of US Companies,” CRN News, Jan. 17, 2014, http://www.crn.com/news/security/240165497/cisco-senior-vp-nsa-revelations-besmirched-reputation-of-us-companies.htm?cid=rssFeed.
Merkel was outraged: Philip Oltermann, “Germany Opens Inquiry into Claims NSA Tapped Angela Merkel’s Phone,” The Guardian, June 4, 2014.
There was more than a trace: Anthony Faiola, “Germans, Still Outraged by NSA Spying, Learn Their Country May Have Helped,” Washington Post, May 1, 2015; Reuters, “Germany Gives Huge Amount of Phone, Text Data to US: Report,” http://www.nytimes.com/reuters/2015/05/12/world/europe/12reuters-germany-spying.html.
CHAPTER 14: “THE FIVE GUYS REPORT”
“a high-level group”: President Obama, press conference, Aug. 9, 2013, https://www.whitehouse.gov/the-press-Noffice/2013/08/09/remarks-president-press-conference.
That same day: “Administration White Paper: Bulk Collection of Telephony Metadata Under Section 215 of the USA Patriot Act,” Aug. 9, 2013, http://www.publicrecordmedia.com/wp-content/uploads/2013/08/EOP2013_pd_001.pdf; “The National Security Agency: Missions, Authorities, Oversight and Partnerships,” Aug. 9, 2013, https://www.nsa.gov/public_info/_files/speeches_testimonies/2013_08_09_the_nsa_story.pdf.
Sunstein had written an academic paper in 2008: Cass R. Sunstein and Adrian Vermeule, “Conspiracy Theories” (Harvard Public Law Working Paper No. 08-03; University of Chicago Public Law Working Paper No. 199), Jan. 15, 2008, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1084585.
The other Chicagoan, Geoffrey Stone: See esp. Geoffrey R. Stone, Perilous Times: Free Speech in Wartime from the Sedition Act of 1798 to the War on Terrorism (New York: W. W. Norton, 2006); Geoffrey Stone, Top Secret: When Our Government Keeps Us in the Dark (New York: Rowman & Littlefield, 2007).
Peter Swire: peterswire.net; and interviews.
“To the loved ones”: Transcript, Richard A. Clarke, testimony, 9/11 Commission, March 24, 2004, http://www.cnn.com/TRANSCRIPTS/0403/28/le.00.html.
a segment on CBS TV’s 60 Minutes: “The CBS 60 Minutes Richard Clarke Interview,” http://able2know.org/topic/20967-1.
Published in April 2010: For examples of criticism, see Ryan Singel, “Richard Clarke’s Cyber War: File Under Fiction,” Wired, April 22, 2010.
“Cyber-war, cyber-this”: Jeff Stein, “Book Review: ‘Cyber War’ by Richard Clarke,” Washington Post, May 23, 2010.
On August 27: http://www.dni.gov/index.php/intelligence-community/review-group; the substance of the meeting comes from interviews.
The next morning: The date of the first meeting at Fort Meade comes from a highly entertaining video of Geoffrey Stone delivering the “Journeys” lecture at the University of Chicago, sometime in 2014, http://chicagohumanities.org/events/2014/journeys/geoffrey-stone-on-the-nsa; substance of the session comes from that video and interviews.
In Cyber War, he’d criticized: Richard A. Clarke and Robert K. Knake, Cyber War (New York: HarperCollins, 2010), passim, esp. 44ff.
Stone was no admirer of Snowden: “Is Edward Snowden a Hero? A Debate with Journalist Chris Hedges and Law Scholar Geoffrey Stone,” Democracy Now, June 12, 2013, http://www.democracynow.org/2013/6/12/is_edward_snowden_a_hero_a.; and interviews.
Moreover, if the metadata revealed: The figure of twenty-two NSA officials comes from the White House, Liberty and Security in a Changing World: Report and Recommendations of the President’s Review Group on Intelligence and Communication Technologies, Dec. 12, 2013 (hereinafter cited as “President’s Review Group”), 98, https://www.nsa.gov/civil_liberties/_files/liberty_security_prgfinalreport.pdf; the rest of this section, unless otherwise noted, comes from interviews.
second hop: A clear discussion of hops can be found in ibid., 102–3.
For all of 2012: The numbers—288, 12, and 0—are cited in ibid., 104.
“Uh, hello?”: Geoffrey Stone, interview, NBC News, “Information Clearing House,” Dec. 20, 2013, http://www.informationclearinghouse.info/article37174.htm; and interviews.
It concerned the program known as PRISM: This was the first news leak from Snowden, who had not yet come out as the source. See Barton Gellman and Laura Poitras, “U.S., British Intelligence Mining Data from Nine U.S. Internet Companies in Broad Secret Program,” Washington Post, June 7, 2013; the discussion at Fort Meade comes from interviews.
“the most significant tool”: Quoted in Jack Bouboushian, “Feds Ponder Risk in Preserving Spying Data,” Courthouse News Service, June 6, 2014, http://www.courthousenews.com/2014/06/06/68528.htm. The same language was later used in the NSA’s Aug. 9 release on its missions and authorities (see above), as well as in a joint statement on Aug. 22, 2013 by the NSA and the Office of the Director of National Intelligence, http://www.dni.gov/index.php/newsroom/press-releases/191-press-releases-2013/917-joint-statement-nsa-and-office-of-the-director-of-national-intelligence.
General Alexander had publicly claimed: NBC News, June 27, 2013, http://usnews.nbcnews.com/_news/2013/06/27/19175466-nsa-chief-says-surveillance-programs-helped-foil-54-plots; and interviews.
“selectors”. . . “foreignness” . . . 52 percent: This was also cited in Gellman and Poitras, “U.S., British Intelligence Mining Data from Nine U.S. Internet Companies in Broad Secret Program.”
Each year the agency’s director: President’s Review Group, 138.
“tens of thousands of wholly domestic communications”: Cited in ibid., 141–42.
But to some of the panelists: This comes from interviews, but the thought is expressed throughout the report, for instance, 61, 76, 113–16, 125.
Morell and the staff . . . concluded: Ibid., 144–45.
However, in none of those fifty-three files: Ibid., 104; and interviews.
Alexander also revealed: Ibid., 97; and interviews.
“This is bullshit”: Stone, “Journeys” lecture, University of Chicago; and interviews.
“reduce the risk”: President’s Review Group, 118. For the other recommendations cited, see 34, 36, 86, 89.
“subvert, undermine, weaken”: Ibid., 36–37.
Finally, lest anyone interpret the report: These were Recommendations Nos. 37 through 46. Ibid., 39–42.
On December 13: White House press spokesman Jay Carney cited the date in his Dec. 16 briefing, https://www.whitehouse.gov/the-press-office/2013/12/16/daily-briefing-press-secretary-12162013.
“to promote public trust”: President’s Review Group, 49.
“Although recent disclosures”: Ibid., 75–76.
“no evidence of illegality”: Ibid, 76.
“the lurking danger”: Ibid., 113.
“We cannot discount”: Ibid., 114.
On December 18: White House, President’s Schedule, https://www.whitehouse.gov/schedule/president/2013-12-18.
“We cannot prevent terrorist attacks”: “Remarks by the President on Review of Signals Intelligence,” Jan. 17, 2014, https://www.whitehouse.gov/the-press-office/2014/01/17/remarks-president-review-signals-intelligence.
“in the sense that there’s no clear line”: Liz Gannes, “How Cyber Security Is Like Basketball, According to Barack Obama,” re/code, Feb. 14, 2015, http://recode.net/2015/02/14/how-cyber-security-is-like-basketball-according-to-barack-obama/.
The questions to be asked: Michael Daniel, White House cybersecurity chief, revealed this decision, and outlined these criteria, in his blog of April 28, 2014, headlined “Heartbleed: Understanding When We Disclose Cyber Vulnerabilities,” https://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities.
“unprecedented and unwarranted”: The ruling came in the case of ACLU v. Clapper, http://pdfserver.amlaw.com/nlj/NSA_ca2_20150507.pdf. A lower court had ruled in favor of Clapper and thus upheld the FISA Court’s concept of “relevance” and the legality of NSA bulk collection; the U.S. Court of Appeals for the 2nd Circuit in New York overturned that ruling. I analyzed the ruling and its implications in Fred Kaplan, “Mend It, Don’t End It,” Slate, May 8, 2015, http://www.slate.com/articles/news_and_politics/war_stories/2015/05/congress_should_revise_the_patriot_act_s_section_215_the_national_security.html.
“To be clear”: Stone published a shortened version of his talk, on the same day, as Geoffrey R. Stone, “What I Told the NSA,” Huffington Post, March 31, 2014, http://www.huffingtonpost.com/geoffrey-r-stone/what-i-told-the-nsa_b_5065447.html; this account of his speech is based on that article and on interviews.
CHAPTER 15: “WE ARE WANDERING IN DARK TERRITORY”
In the wee hours: Most of the material on the Vegas hack is from Ben Elgin and Michael Riley, “Now at the Sands Casino: An Iranian Hack in Every Server,” Bloomberg Businessweek, Dec. 11, 2014, http://www.bloomberg.com/bw/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas; a bit is from interviews.
“Guardians of Peace”: James Cook, “Sony Hackers Have Over 100 Terabytes of Documents,” Business Insider, Dec. 16, 2014; Mark Seal, “An Exclusive Look at Sony’s Hacking Saga,” Vanity Fair, Feb. 2015; Kevin Mandia, quoted in “The Attack on Sony,” 60 Minutes, CBS TV, Apr. 12, 2015, http://www.cbsnews.com/news/north-korean-cyberattack-on-sony-60-minutes/.
Sony had been hacked before: Keith Stuart and Charles Arthur, “PlayStation Network Hack,” The Guardian, April 27, 2011; Jason Schreier, “Sony Hacked Again: 25 Million Entertainment Users’ Info at Risk,” Wired.com, May 2, 2011, http://www.wired.com/2011/05/sony-online-entertainment-hack/.
The cost, in business lost: Jason Schreier, “Sony Estimates $171 Million Loss from PSN Hack,” Wired.com, May 23, 2011, http://www.wired.com/2011/05/sony-psn-hack-losses/.
So the lessons learned in one realm: John Gaudiosi, “Why Sony Didn’t Learn from Its 2011 Hack,” Fortune.com, Dec. 24, 2014, http://fortune.com/2014/12/24/why-sony-didnt-learn-from-its-2011-hack/.
“DarkSeoul”: Brandon Bailey and Youkyung Lee, “Experts Cite Similarities Between Sony Hack and 2013 South Korean Hacks,” Associated Press, Dec. 4, 2014, http://globalnews.ca/news/1707716/experts-cite-similarities-between-sony-hack-and-2013-south-korean-hacks/.
“mercilessly destroy”: David Tweed, “North Korea to ‘Mercilessly’ Destroy Makers of Rogen Film,” BloombergBusiness, June 26, 2014, http://www.bloomberg.com/news/articles/2014-06-26/north-korea-to-mercilessly-destroy-makers-of-seth-rogan-film.
In public, officials said: “The Attack on Sony,” 60 Minutes; “NSA Chief Says Sony Attack Traced to North Korea After Software Analysis,” Reuters, Feb. 19, 2015, http://www.nytimes.com/reuters/2015/02/19/technology/19reuters-nsa-northkorea-sony.html?_r=0.
But the real reason: David E. Sanger and Martin Fackler, “NSA Breached North Korean Network Before Sony Attack, Officials Say,” New York Times, Jan. 18, 2015; and interviews.
“made a mistake”: “Remarks by the President in Year-End Press Conference,” White House, Dec. 19, 2014, https://www.whitehouse.gov/the-press-office/2014/12/19/remarks-president-year-end-press-conference.
“not just an attack”: Statement by Secretary Johnson on Cyber Attack on Sony Pictures Entertainment, Department of Homeland Security, Dec. 19, 2014, http://www.dhs.gov/news/2014/12/19/statement-secretary-johnson-cyber-attack-sony-pictures-entertainment.
On December 22: Nicole Perlroth and David E. Sanger, “North Korea Loses Its Link to the Internet,” New York Times, Dec. 22, 2014. That the U.S. government did not launch the attack comes from interviews.
“the first aspect of our response”: Statement by the Press Secretary on the Executive Order “Imposing Additional Sanctions with Respect to North Korea,” White House, Jan. 2, 2015, https://www.whitehouse.gov/the-press-office/2015/01/02/statement-press-secretary-executive-order-entitled-imposing-additional-sanctions-respect-north-korea. The backstory on the pointed wording comes from interviews.
Those who heard Gates’s pitch: In President Obama’s PPD-20, “U.S. Cyber Operations Policy,” one of the directives, apparently inspired by Gates’s idea, reads as follows: “In coordination with the Secretaries of Defense and Homeland Security, the AG, the DNI, and others as appropriate, shall continue to lead efforts to establish an international consensus around norms of behavior in cyberspace to reduce the likelihood of and deter actions by other nations that would require the United States Government to resort to” cyber offensive operations. In a follow-on memo, summarizing actions that the designated departments had taken so far, the addendum to this one reads: “Action: [Department of] State; ongoing”—signifying, in other words, no progress (http://fas.org/irp/offdocs/ppd/ppd-20.pdf).
In 2014, there were almost: The precise numbers for 2014 were 79,790 breaches, with 2,122 confirmed data losses; for 2013, 63,437 breaches, with 1,367 losses. Espionage was the motive for 18 percent of the breaches; of those, 27.4 percent were directed at manufacturers, 20.2 percent at government agencies. Verizon, 2014 Data Breach Investigations Report, April 2015, esp. introduction, 32, 52, file:///Users/fred/Downloads/rp_Verizon-DBIR-2014_en_xg%20(3).pdf. For 2013 data: Verizon, 2013 Data Breach Investigations Report, April 2014, file:///Users/fred/Downloads/rp_data-breach-investigations-report-2013_en_xg.pdf.
On average, the hackers stayed inside: Cybersecurity: The Evolving Nature of Cyber Threats Facing the Private Sector, Before the Subcommittee on Information Technology, 114th Cong. (2015). (Statement of Richard Bejtlich, FireEye Inc.) http://oversight.house.gov/wp-content/uploads/2015/03/3-18-2015-IT-Hearing-on-Cybersecurity-Bejtlich-FireEye.pdf.
In 2013, two security researchers: Andy Greenberg, “Hackers Remotely Kill a Jeep on the Highway—With Me in It,” Wired, July 21, 2015, http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/. A team of university researchers spelled out this vulnerability still earlier, in Stephen Checkoway, et al., “Comprehensive Experimental Analyses of Automotive Attack Surfaces,” http://www.autosec.org/pubs/cars-usenixsec2011.pdf. The 2013 experiment by Charlie Miller and his colleague, Chris Velasek, was designed to test that paper’s proposition.
“Nothing in this order”: President Barack Obama, Executive Order—Improving Critical Infrastructure Cybersecurity, Feb. 12, 2013, https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.
“disrupting or completely beating”: Department of Defense, Defense Science Board, Task Force Report, Resilient Military Systems and the Advanced Cyber Threat, Jan. 13, 2013, cover memo and executive summary, 1, http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf.
Some of the task force members: Ibid., Appendix 2; “time machine” comes from interviews.
“The network connectivity”: Ibid., Executive Summary, 15.
“built on inherently insecure architectures”: Ibid., cover memo, 1, 31.
“With present capabilities”: Ibid.
“Thus far the chief purpose”: Bernard Brodie, The Absolute Weapon (New York: Harcourt Brace, 1946), 73–74, 76. For more on Brodie, and the subject generally, see Fred Kaplan, The Wizards of Armageddon (New York: Simon & Schuster, 1983).
“Define and develop enduring”: Barack Obama, White House, “The Comprehensive National Cybersecurity Initiative,” https://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative.
“It took decades”: Department of Defense, Defense Science Board, Task Force Report, Resilient Military Systems and the Advanced Cyber Threat, 51. Actually, in the mid-1990s, the RAND Corporation did conduct a series of war games that simulated threats and responses in cyber warfare; several included upper-midlevel Pentagon officials and White House aides as players, but no insiders took them seriously; the ga
mes came just a little bit too early to have impact. The games were summarized in Roger C. Molander, Andrew S. Riddile, Peter A. Wilson, Strategic Information Warfare: A New Face of War (Washington, D.C.: RAND Corporation, 1996). The dearth of impact comes from interviews.The presented a ninety-page paper, explaining how they did the hack (and spelling out disturbing implications), at the August 2015 Black Hat conference in Las Vegas (Remote Exploitation of an Unaltered Passenger Vehicle,” illmatics.com//remote7.20Car7.20Hacking.pdf).
“to consider the requirements”: Undersecretary of Defense (Acquisition, Technology, and Logistics), Memorandum for Chairman, Defense Science Board, “Terms of Reference—Defense Science Board Task Force on Cyber Deterrence,” Oct. 9, 2014, http://www.acq.osd.mil/dsb/tors/TOR-2014-10-09-Cyber_Deterrence.pdf. The date of the first session and the names of the task force members come from interviews.
In 2011, when Robert Gates realized: The directive is summarized, though obliquely, in Department of Defense, Department of Defense Strategy for Operating in Cyberspace, July 2011, http://www.defense.gov/news/d20110714cyber.pdf; see also Aliya Sternstein, “Military Cyber Strike Teams Will Soon Guard Private Networks,” NextGov.com, March 21, 2013, http://www.nextgov.com/cybersecurity/cybersecurity-report/2013/03/military-cyber-strike-teams-will-soon-guard-private-networks/62010/; and interviews.
“biggest focus”: Quoted in Cheryl Pellerin, “Rogers: Cybercom Defending Networks, Nation,” DoD News, Aug. 18, 2014, http://www.defense.gov/news/newsarticle.aspx?id=122949.
“with other government agencies”: Department of Defense, The Department of Defense Cyber Strategy, April 2015; quotes on 5, 14, emphasis added; see also 6, http://www.defense.gov/home/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf. The document clarified that the government would be responsible for deterring and possibly responding only to cyber attacks “of significant consequence,” which, it added, “may include loss of life, significant damage to property, serious adverse U.S. foreign policy consequences, or serious economic impact on the United States.” The terms “significant” and “serious” remained undefined—Robert Gates’s question, nine years earlier, of what kind of cyber attack constitutes an act of war remained unanswered—but the finesse reflected an understanding that all such questions are ultimately political, to be decided by political leaders. It also reflected the inescapable fact that this was not just dark but untrod territory.