@War: The Rise of the Military-Internet Complex
“[C]yber secrets are hard to keep and easy to exploit, to the effect that ‘today’s secret NSA programs are tomorrow’s PhD dissertations and the next day’s hacker tools.’”
@War identifies a variety of cyber attacks on the U.S. up to March of 2014. Its strength is in providing context; its weakness is in a lack of critical judgment. Given the pedigree of the author as a journalist, @War was not everything this reviewer had hoped for. True, @War will hold readers’ interest; however, as investigative reporting, @War is disproportionately weighted toward acceptance of U.S. government spying on its own citizens.
@War comprises several narrative threads. One thread follows Bob Stasio, a second lieutenant in signals intelligence (SIGINT) in the U.S. Army in 2004. This thread addresses the modernization of the warfighter’s cyber capabilities in Iraq. SIGINT in the Iraq war included hacking Iraq’s cell phone network to find terrorist communication networks and funding sources, and passing that information to (presumably NSA) data analysts, who drew up new targets for attack; further intelligence came from captured sites. However, Harris also gives the mistaken impression that the U.S. won the most recent war in Iraq.
From this thread, however, one can step through the rationalizations that led from spying on Iraqi terrorists outside the U.S. to spying on Americans inside the U.S. The concern over possible terrorists inside the U.S. was so urgent that NSA spying on American citizens began prior to 2004, irrespective of legal niceties. After 2004, collecting metadata became legal once “collecting” was redefined as something different from “looking at.” There was significant controversy within the government over doing this, and high officials at the time threatened to resign but in the end did not. Harris states, “for all the high drama surrounding the Internet metadata collection program, it turned out to be only a momentary hiccup in NSA’s insatiable consumption of intelligence.” Harris also points out that the NSA is not a rogue agency but a tool of the Executive branch.
The FBI is the NSA’s interface to the U.S. telecommunications companies, making sure they are in compliance and can be easily tapped. Using the FBI provides a layer of cover between the telecoms and the NSA. In 2007, legal bulk collection of emails and Internet communications from U.S. companies started, and though government agents still needed a warrant to obtain the contents of an American’s communications, the rest of the world is “more or less fair game.” As the scope of spying widened, so did the technology needed to support it, along with consolidation under the NSA of independent data collection programs across government agencies. Before consolidation, over 18 separate government organizations were collecting vulnerability information about technology from manufacturers.
Another thread of @War follows cyber spying by foreign agents on U.S. computer networks. Harris provides an entire half-page list of U.S. military systems whose electronic documents are believed to have ended up in the hands of the Chinese government, including plans for the Joint Strike Fighter, the Blackhawk helicopter, the Global Hawk surveillance drone, the Patriot Missile system, and GE’s latest jet engines. The surprise to the U.S. military was not just that every branch of the U.S. armed forces was compromised but that the data came not from Defense Department computers but from military contractors’ computers.
President Bush used a presidential directive in January 2006 to authorize spending $40 billion over five years to enhance the U.S.’s cyber abilities, and support continued into the Obama administration. Today the Military-Internet Complex for cyber security spends $67 billion on protecting computers and networks. However, the Military-Internet Complex got off to a rocky start. When the military began investigating, in 2006, the computer security of one of the firms believed to be the source of the stolen F-35 fighter plane documents, it was met by corporate lawyers who tried to block the investigation.
When the Air Force was allowed into the defense contractor’s computer networks, it discovered that the contractor’s networks had been not just penetrated but penetrated thoroughly and repeatedly. The spies did leave a trail, though, and the Air Force’s study of it showed the spies’ breadth, persistence and sophistication. Later the Defense Department began to share information and form alliances with industry for better defense against hackers. Select corporations became members of the Department of Defense (DOD) cyber Defense Industrial Base (DIB) to safeguard DOD information.
Another thread in @War addresses guarding the security of non-military computers against foreign spies. Computers becoming infected with spyware is an everyday occurrence, not just for private citizens but also for government agencies. The U.S. military is constrained from protecting commercial industry’s computers because the military does not actually own or operate the major portion of this country’s network infrastructure. As much as 90% of the military’s voice and other communications services comes from commercially owned infrastructure. By default, the NSA plays a key role in protecting computer and communications infrastructure. The U.S. military Cyber Command was established in 2009, led by Keith Alexander, the Director of the NSA. Harris describes the recruiting and training for military offensive cyber operations.
For the NSA to properly protect critical commercial infrastructure, it would have to be placed in charge of that infrastructure, and to this end Alexander pushed Congress to require all designated companies to share their data with NSA-appointed data traffic scanners. Harris claims Alexander’s request was without support from the Obama administration, and though he couldn’t get what he wanted from Congress, Alexander did obtain signoff from President Obama on Presidential Policy Directive 20 (PPD-20) to allow NSA involvement in the “Nation’s critical infrastructure.” A description of PPD-20 can be found on Wikipedia, and the document itself, made public by Edward Snowden, can be found on the Federation of American Scientists (FAS) website.
The NSA pays phone and Internet companies to build their networks so that the NSA can spy on them. Access to networks that the NSA cannot purchase outright, it subverts, and Harris provides data from the U.S. “classified” budget that identifies the amount the NSA has dedicated to hacking.
For example, in 2012 the NSA set up its own Tor anonymizing routers to attack the Tor service from the inside. Though the attack was exposed in 2013, the repercussions of the NSA’s hacking of Tor have not fully shaken out.
The NSA has also co-opted the National Institute of Standards and Technology (NIST), the government organization that issues standards, by getting an inferior random number generation algorithm adopted as the standard. Since standards would be useless if no one followed them, the NSA also structured a deal with RSA, a leading security vendor, to make the inferior standard its default, paying RSA $10 million to do so.
In the U.S., the federal government reserves the right to offensive cyber attack, and the NSA runs schools that teach cyber offense. To prepare students for advanced classes in cyber warfare, the NSA has teamed with colleges to write curricula for new academic programs offering beginning courses on cyber warfare.
The NSA also buys zero-day vulnerabilities for use in cyber attack. Zero-day vulnerabilities are flaws that have not yet been exploited in the open and are known only to the hackers who found them. By purchasing zero-day exploits and not warning industry, the NSA appears to be withholding information that could be used to defend U.S. commercial infrastructure, and so contributing to the insecurity of the Internet.
Harris goes on to describe the market lifecycle for zero-day exploits, identifying commercial companies that sell them and conducting interviews at businesses that supply them. The first cyber spying corporation in Harris’ list is an American firm, EndGame. EndGame is one of the leading players in the global arms business. Focusing on selling to spies and hackers that operate on behalf of foreign governments, EndGame offers 25 exploits for $2.5 million, though for a measly $1.5 million EndGame will provide the Internet addresses of hundreds of millions of vulnerable computers around the world. Only well-funded hackers such as government agencies can afford this, and unsurprisingly EndGame’s biggest customer is the NSA; EndGame’s chairman is a former director of the NSA and also the CEO of In-Q-Tel, the venture capital arm of the CIA.
Firms in the cyber spy market are global. International companies include Vupen, a French firm; Gamma, which is based in the UK and sells spyware called FinFisher; Palantir Technologies, Berico Technologies, and Tiversa, which provides data analytics for cyber intelligence. Tiversa found blueprints for the presidential helicopter Marine One on a computer in Iran.
The problem with offering cyber technologies for sale is that these technologies can end up in the hands of repressive governments or be used in politically motivated attacks in less repressive (i.e., more democratic) countries.
Sometimes, rather than act directly, the U.S. government will outsource its cyber offensive activities to non-government organizations, and sometimes these cyber cutouts get caught being too enthusiastic in promoting their services. In one incident, LabMD accused Tiversa of stealing patient medical records, though its lawsuit appears to be related to LabMD itself being under investigation by the FTC for data breaches. LabMD’s lawsuit implies that Tiversa was extorting LabMD into buying its cyber security services. In a different incident, Anonymous hackers released HB Gary Federal’s internal emails, showing HB Gary’s unethical aggressiveness. A member of Anonymous was subsequently co-opted by the FBI, becoming a double agent against Anonymous. (Those who live in glass houses . . .)
The day-to-day defense of non-military and non-government-owned Internet infrastructure has been left to the corporations that own that infrastructure. The U.S. government offers at best voluntary cyber guidelines and “best practices,” though there has been much greater sharing of information between the U.S. government and corporations regarding attacks from foreign hackers. As corporations are forced to fend for themselves, they have been hiring ex-military and intelligence employees and setting up their own cyber intelligence units.
In 2013, Mandiant, a cyber data analytics company recently purchased by FireEye, published a lengthy, detailed report on cyber-spying done by China on the U.S. This report was different from earlier reports because it was published by a private non-government organization and made an open, direct accusation backed by specific evidence. Recently Google traced an attack back to a server in China and publicly released information that Chinese hackers had penetrated not just Google but also the computer systems of three dozen other companies. Google subsequently teamed with the NSA to “do something about it,” though what that means is unclear.
The next-to-last chapter provides a look at the defense contractors who are increasing their involvement in cyber warfare, and the last chapter addresses the impact of Edward Snowden. Harris claims the damage done by Snowden is more political than anything else: Snowden’s revelations have not led to a reining in of the NSA nor altered its mission. Harris repeats his claim that the NSA is not the enemy but the tool of the Executive branch, and that Congress and the federal courts know this.
As author, Shane Harris steers a difficult course over a controversial topic. One can imagine Harris’ desire to stay on friendly terms with his sources, though at times the balancing act makes @War frustrating to read; for example, Harris glibly compares academic security researchers to unethical hackers. Security researcher Bruce Schneier offers a more nuanced view: cyber secrets are hard to keep and easy to exploit, to the effect that “today’s secret NSA programs are tomorrow’s PhD dissertations and the next day’s hacker tools.”