NOTES

INTRODUCTION

1. The figure of $5 billion comes from the reported cost of developing quiet drive technology for the navy’s DD-21 destroyers. Harold Kennedy suggests an R&D figure of $3 billion to $5 billion, but my analysis of the budget suggests the higher figure. “Navy Propulsion System Approaches Critical Stage,” National Defense, March 2001, at www.nationaldefensemagazine.org/archive/2001/March/Pages/Navy_Propulsion4279.aspx, accessed February 12, 2011.

2. “Red Storm Rising,” Government Computer News, August 17, 2006, at http://gcn.com/Articles/2006/08/17Red-storm-rising.aspx?p=1, accessed August 22, 2009.

3. Brian Grow and Mark Hosenball, “Special Report: In Cyberspy vs. Cyberspy, China Has the Edge,” Reuters, April 14, 2011, at www.reuters.com/article/2011/04/14/ctech-us-china-usa-cyberespionage-idCATRE73D24220110414, accessed April 30, 2011.

4. Wikipedia, “Moore’s Law,” at http://en.wikipedia.org/wiki/Moore’s_law, accessed December 7, 2010.

5. “Global Mobile Statistics 2011,” MobiThinking, March 2011, at http://mobithinking.com/stats-corner/global-mobile-statistics-2011-all-quality-mobile-marketing-research-mobile-web-stats-su, accessed April 30, 2011.

6. Executive Office of the President, “National Security Strategy,” May 2010, at www.whitehouse.gov/sites/default/files/rss_viewer/national_security_strategy.pdf, accessed December 7, 2010.

CHAPTER 1: ELECTRONICALLY UNDRESSED

1. Justin Smith, “Fastest Growing Demographic on Facebook: Women over 55,” Inside Facebook, at www.insidefacebook.com/2009/02/02/fastest-growing-demographic-on-facebook-women-over-55/, accessed December 8, 2010.

2. This is a statement of Moore’s Law, named for Intel cofounder Gordon E. Moore. He initially postulated that the number of transistors that could cost-effectively be placed on an integrated circuit would double every year. Gordon E. Moore, “Cramming More Components onto Integrated Circuits,” Electronics, Vol. 38, No. 8, April 19, 1965, pp. 114–117. Later he revised his estimate to a doubling every two years. G. E. Moore, “Progress in Digital Integrated Electronics” (1975) at ftp://download.intel.com/museum/Moores_Law/Articles-Press_Releases/Gordon_Moore_1975_Speech.pdf, accessed March 30, 2011. According to Moore, a colleague, not Moore, rephrased Moore’s Law to say that performance (rather than the number of transistors) would double every eighteen months. “Excerpts from a Conversation with Gordon Moore: Moore’s Law” (Intel Corp., 2005), at ftp://download.intel.com/museum/Moores_Law/Video-Transcripts/Excerpts_A_Conversation_with_Gordon_Moore.pdf, accessed December 31, 2009.

3. Erik Brynjolfsson and Adam Saunders, Wired for Innovation: How Information Technology Is Reshaping the Economy (Cambridge, MA: MIT Press, 2010), p. 12, citing Intel Corp., “Moore’s Law in Perspective” (2005).

4. Joseph D. Szydlowski, “Federal Officers Use Video Game Console to Catch Child Pornographers,” December 8, 2010, at http://axcessnews.com/index.php/articles/show/id/19037, accessed December 8, 2010. If 10 numbers, 52 upper- and lowercase letters, and 8 “special characters” are usable, an 8-digit password would have possibilities of 70 to the eighth power, or 576,480,100,000,000. That’s more than 576 trillion. According to one official, PlayStation 3 can run through about 4 million possibilities per second. Ibid. The computing power in an earlier version of this toy, PlayStation 2, is adequate to guide a cruise missile to its target. John Robb, Brave New War: The Next Stage of Terrorism and the End of Globalization (Hoboken: John Wiley & Sons, Inc., 2007), p. 9, citing “Military Fears over PlayStation 2,” BBC News, April 17, 2007.

5. Scientific and Advanced-Technology Act, 42 U.S.C. §1862(g), Pub. L. 102–476 and Pub. L. 102–588, amended section identically, adding subsec. (g).

6. Unpublished figures provided to the author by the National Security Agency (NSA), Threat Operations Center (2009). Between 2006 and 2009 mobile data traffic increased fifty times. Morgan Stanley, “Economy + Internet Trends,” presented at the Web 2.0 Summit, San Francisco, October 20, 2009, citing unspecified AT&T data.

7. By 2012, U.S. online retail sales may grow to $335 billion. Forrester Research, at www.forrester.com/Research/Document/Excerpt/0,7211,41592,00.html?cm_mmc=Google-_-Recent%20Research-_-ecommerce%20growth-_-5593380&utm_source=google&utm_medium=cpc&utm_term=5593380&gclid=CP7Xtue0u5UCFSXNIgodwyq_QA, accessed September 1, 2008; Juan Carlos Perez, “Forrester Bullish on US E-commerce Market,” March 1, 2011; “U.S. Online Retail Sales, Which Rose 12.6 Percent to US$176.2 Billion in 2010, Are Expected to Grow at a Compound Annual Rate of 10 Percent Through 2015, After Dampening in 2008 and 2009 Due to the Economic Downturn,” PC World at www.pcworld.com/businesscenter/article/221055/forrester_bullish_on_us_ecommerce_market.html, accessed March 1, 2011; US Online Retail Forecast, 2010 to 2015, at www.forrester.com/rb/Research/us_online_retail_forecast,_2010_to_2015/q/id/58596/t/2. For numbers of current Internet users, see Miniwatts Marketing Group, “Internet World Stats,” updated March 26, 2011, at www.internetworldstats.com/stats.htm, accessed March 30, 2011.

8. Morgan Stanley, “Economy + Internet Trends,” October 20, 2009, as measured by market capitalization.

9. Unpublished figures provided to the author by the National Security Agency (NSA), Threat Operations Center (2009), citing W. D. Sincoskie, formerly of Telcordia Technologies.

10. Nick Saint, “The ‘Walk Past a Starbucks, Get a Coupon Sent to Your Phone’ Cliché Is About to Become a Reality,” Business Insider, June 28, 2010, at www.businessinsider.com/its-finally-here-a-mobile-app-that-texts-you-when-you-walk-near-a-discount-2010-6, accessed March 1, 2011.

11. Reed Elsevier PLC, at www.reed-elsevier.com/investorcentre/presentationsandwebcasts/Documents/Reed%20Elsevier%202008%20Interim%20Results%20Presentation%20with%20appendices.pdf, accessed September 1, 2008.

12. ChoicePoint also supports law enforcement, public safety, health care, and other government programs. See ChoicePoint, at www.choicepoint.com, accessed September 1, 2008.

13. “MasterCard Incorporated Reports Fourth-Quarter and Full-Year 2010 Financial Results, February 3, 2011,” at http://newsroom.mastercard.com/press-releases/mastercardincorporated-reports-fourth-quarter-and-full-year-2010-financial-results/, accessed March 1, 2011.

14. “Learning to Live with Big Brother,” The Economist, September 27, 2007.

15. For a summary of the data environment in the United States, see Jeff Jonas, “The Landscape of Available Data,” Appendix H to “Creating a Trusted Network for Homeland Security,” Second Report of the Markle Foundation Task Force (2003), at www.markle.org/sites/default/files/nstf_report2_full_report.pdf, accessed March 30, 2011.

16. Unless you’ve been the subject of a criminal investigation, served in the military, or held a security clearance, the police and FBI probably know nothing about you, but Walmart knows a lot. Walmart, by the way, is on both ends of the surveillance telescope. Wall Street analysts scrutinize satellite photography of Walmart’s parking lots. The imagery is a good proxy for sales data (which Walmart keeps confidential), which in turn helps Wall Street predict the company’s financial results. Raj Patel, “5 Things You Didn’t Know About Supermarkets,” Foreign Policy, November 2010, p. 104, also at www.foreignpolicy.com/articles/2010/10/11/supermarkets?page=0,2, accessed December 8, 2010.

17. Emily Steel and Julia Angwin, “On the Web’s Cutting Edge, Anonymity in Name Only,” Wall Street Journal, August 4, 2010, at http://online.wsj.com/article/SB10001424052748703294904575385532109190198.html?KEYWORDS=On+the+Web%27s+Cutting+Edge, accessed August 4, 2010.

18. Jeff Jonas, “Your Movements Speak for Themselves: Space-Time Travel Data Is Analytic Super-Food!” August 16, 2009, at http://jeffjonas.typepad.com/jeff_jonas/2009/08/your-movements-speak-for-themselves-spacetime-travel-data-is-analytic-superfood.html, accessed June 16, 2010.

19. Jeff Jonas, e-mail to the author, February 11, 2011.

20. Ibid.

21. Robert Lee Hotz, “The Really Smart Phone,” Wall Street Journal, April 23, 2011, at http://online.wsj.com/article/SB10001424052748704547604576263261679848814.html, accessed May 15, 2011.

22. The law on this point is in flux. See In the Matter of the Application of the United States of America for an Order Directing a Provider of Electronic Communication Service to Disclose Records to the Government, 3rd Cir., No. 08-4227, decided September 7, 2010, at www.ca3.uscourts.gov/opinarch/084227p.pdf, accessed March 6, 2011; U.S. v. Maynard, D.C. Cir., No. 08-3030, decided August 6, 2010, at www.cadc.uscourts.gov/internet/opinions.nsf/FF15EAE832958C138525780700715044/$file/08-3030-1259298.pdf, accessed March 15, 2011.

23. My thinking on this point has been enjoyably influenced by many conversations with Jeff Jonas.

24. A census was taken in New France (Quebec) in 1666, which at the time had a population of only 3,215. “Statistics Canada,” at www.statcan.gc.ca/kits-trousses/jt2-eng.htm, accessed December 9, 2010.

25. In this respect, Art. I, Sec. 2 of the U.S. Constitution as originally adopted is a record of shame as well as rationality in its provision for counting slaves: “Representatives and direct Taxes shall be apportioned among the several States which may be included within this Union, according to their respective Numbers, which shall be determined by adding to the whole Number of free Persons, including those bound to Service for a Term of Years, and excluding Indians not taxed, three fifths of all other Persons. The actual Enumeration shall be made within three Years after the first Meeting of the Congress of the United States, and within every subsequent Term of ten Years, in such Manner as they shall by Law direct.”

26. John Leyden, “Fingerprinting of UK School Kids Causes Outcry,” The Register, July 22, 2002, at www.theregister.co.uk/2002/07/22/fingerprinting_of_uk_school_kids/, accessed March 30, 2011. For a good history of fingerprinting, see Wikipedia, “Fingerprint,” at http://en.wikipedia.org/wiki/Fingerprint#Fingerprinting_of_children, accessed December 9, 2010.

27. Fingerprinting, “Fingerprinting Products,” at www.fingerprinting.com/fingerprinting-products.php, accessed December 9, 2010.

28. Niall Ferguson, The Ascent of Money: A Financial History of the World (New York: Penguin Press, 2008), chapter 1.

29. Amol Sharma, “India Launches Project to ID 1.2 Billion People,” Wall Street Journal, September 29, 2010, at http://online.wsj.com/article/SB10001424052748704652104575493490951809322.html, accessed September 29, 2010.

30. U.S. federal standards for information handling are set by the Office of Management and Budget, which defines PII as information that “can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.” OMB Circular M-07-16, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” May 22, 2007. Under California law, which is typical of many states, PII “means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver’s license number or California Identification Card number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. For purposes of this section, ‘personal information’ does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.” Under EU Directive 95/46/EC, Art. 2a, “‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”

31. “The Information That Is Needed to Identify You: 33 Bits,” Wall Street Journal, August 4, 2010, at http://blogs.wsj.com/digits/2010/08/04/the-information-that-is-needed-to-identify-you-33-bits/, accessed August 4, 2010. A mere 32 bits of information would yield a mere 4.3 billion possibilities, which is fewer than the world’s population of about 6.6 billion.

32. The patent application appears at www.faqs.org/patents/app/20100010993, accessed December 11, 2010.

CHAPTER 2: A PRIMER ON CYBERCRIME

1. Sharon Gaudin, “Federal Prosecutor: Cybercrime is Funding Organized Crime,” Information Week, July 20, 2007, at www.informationweek.com/news/security/government/showArticle.jhtml?articleID=201200167, accessed September 27, 2008; Paul Horn, “It’s Time to Arrest Cybercrime,” Bloomberg/BusinessWeek, February 2, 2006, at www.businessweek.com/technology/content/feb2006/tc20060202_832554.htm, accessed December 10, 2010, citing U.S. Treasury officials.

2. Brian Krebs, “Cyber Thieves Steal Nearly $1,000,000 from University of Virginia College,” KrebsOnSecurity.com, September 1, 2010, at http://krebsonsecurity.com/2010/09/cyber-thieves-steal-nearly-1000000-from-university-of-virginia-college/, accessed September 2, 2010; Brian Krebs, “Crooks Who Stole $600,000 From Catholic Diocese Said Money Was for Clergy Sex Abuse Victims,” KrebsOnSecurity.com, August 30, 2010, at http://krebsonsecurity.com/2010/08/crooks-who-stole-600000-from-catholic-diocese-said-money-was-for-clergy-sex-abuse-victims, accessed September 2, 2010. Owen Fletcher, “Report: Russian Gang Linked to Big Citibank Hack,” Computerworld, December 22, 2009, at www.computerworld.com/s/article/9142578/Report_Russian_gang_linked_to_big_Citibank_hack, accessed December 11, 2010. Christopher Williams, “Russian Hacker Avoids Jail for $10M Royal Bank of Scotland Raid,” The Telegraph, February 10, 2011, at www.telegraph.co.uk/technology/news/8316246/Russian-hacker-avoids-jail-for-10m-Royal-Bank-of-Scotland-raid.html, accessed March 1, 2011; Siobhan Gorman, August Cole, and Yochi Dreazen, “Computer Spies Breach Fighter-Jet Project,” Wall Street Journal, April 21, 2009, at http://online.wsj.com/article/SB124027491029837401.html, accessed March 1, 2011; Andy Greenberg, “For Pentagon Contractors, Cyberspying Escalates,” Forbes, February 17, 2010, at www.forbes.com/2010/02/17/pentagon-northrop-raytheon-technology-security-cyberspying.html, accessed March 1, 2011.

3. Verizon, 2010 Data Breach Investigations Report, p. 2, at www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf, accessed December 12, 2010. At about the same time, the Privacy Rights Clearinghouse reported that the number of sensitive data thefts in the United States had shot up to more than five hundred million—and they only started counting in 2005. Privacy Rights Clearinghouse, “500 Million Sensitive Records Breached Since 2005,” August 26, 2010, at www.privacyrights.org/500-million-records-breached, accessed December 12, 2010. This is a series of annual reports. Starting with 2010 (reporting 2009 data), Verizon began producing it in cooperation with the U.S. Secret Service. Meanwhile the Identity Theft Resource Center reported more than 222 million personal records were exposed—not necessarily stolen—in 2009 alone. “Affinion Security Center Updates BreachShield, Targets Medical Industry,” Security Week News, April 19, 2010, at http://s1.securityweek.com/content/affinion-security-center-updates-breachshield-targets-medical-industry, accessed December 12, 2010.

4. Verizon, 2010 Data Breach Investigations Report.

5. Kroll International, “Global Fraud Report 2009/2010,” at www.kroll.com/about/library/fraud/Oct2009/downturn_and_fraud.aspx, accessed December 12, 2010.

6. The report also noted that 285 million records were compromised in 2008 alone. Verizon, 2009 Data Breach Investigation Report, pp. 20, 22, at www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf, accessed April 8, 2010.

7. Jason Franklin and Adrian Perrig, “An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants” (Carnegie Mellon University, 2007), research paper, at www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf, accessed March 31, 2011.

8. “Revealed: 8 Million Victims in the World’s Biggest Cyber Heist,” Scotland Sunday Herald, August 25, 2008, at www.sundayherald.com/news/heraldnews/display.var.2432225.0.0.php, accessed September 27, 2008.

9. Hospitals may be even more careless than hotels. According to one report, “[P]rotecting patient data is not a priority” for hospitals. Perhaps that will change, because data breaches are costing hospitals serious money in damages and expenses under data breach laws—as much as $2 million annually per organization in the United States. Ponemon Institute, “Benchmark Study on Patient Privacy and Data Security,” November 2010, at www2.idexpertscorp.com/resources/healthcare/healthcare-articles-whitepapers/ponemon-benchmark-study-on-patient-privacy-and-data-security/, accessed December 12, 2010.

10. Zeljka Zorz, “Hotel Systems Breaches and Card Info Stolen All Over the U.S.,” Help Net Security, September 10, 2010, at www.net-security.org/secworld.php?id=9853, accessed September 10, 2010.

11. Verizon, 2009 Report, p. 5.

12. This description of Shadowcrew relies chiefly on the indictment, U.S. District Court, D.N.J., No. 2:04-CRr-0076-WJM-1, October 28, 2004, at www.justice.gov/usao/nj/press/files/pdffiles/firewallindct1028.pdf, accessed January 17, 2010. For more on the unraveling of the group, see Brad Stone, “Global Trail of an Online Crime Ring,” New York Times, August 12, 2008, at www.nytimes.com/2008/08/12/technology/12theft.html?pagewanted=print, accessed January 17, 2010. For a discussion of the number of members and amount of damage created by this group, see Wikipedia, “Shadowcrew,” at http://en.wikipedia.org/wiki/ShadowCrew, accessed January 18, 2010. Other details come from James Verini, “The Hacker Who Went Into the Cold,” New York Times Magazine, November 14, 2010, p. 44, at www.nytimes.com/2010/11/14/magazine/14Hacker-t.html?scp=1&sq=The+Hacker+Who+Went+Into+the+Cold&st=nyt, accessed November 14, 2010. One of the Shadowcrew founders, Andrew Mantovani, was sentenced to thirty-two months in prison. Charles Harman, “Online Identity Theft Ring Out of the ‘Shadows,’” ABC News, June 29, 2006, at http://abcnews.go.com/Technology/story?id=2136453&page=1, accessed March 22, 2011.

13. Stone, “Global Trail,” New York Times, August 12, 2008.

14. Ibid.

15. Joseph Menn and Francesco Guerrera, “Cyber-thieves Linked to Citibank ATM Breach,” Financial Times, August 24, 2009.

16. Kim Zetter, “TJX Hacker Gets 20 Years in Prison,” Wired, March 25, 2010, at www.wired.com/threatlevel/2010/03/tjx-sentencing/, accessed March 22, 2011.

17. Trend Micro, “2010 in Review: No Recession for Cybercrime,” December 23, 2010, at http://blog.trendmicro.com/2010-in-review-no-recession-for-cybercrime/, accessed December 31, 2010; Verizon, 2010 Data Breach Investigations Report, p. 2; “Norton Cybercrime Report: The Human Impact,” August 2010, at http://us.norton.com/content/en/us/home_homeoffice/media/pdf/cybercrime_report/Norton_USA-Human%20Impact-A4_Aug4-2.pdf, accessed December 31, 2010.

18. Kim Zetter, “Big-Box Breach: The Inside Story of Wal-Mart’s Hacker Attack,” Wired, October 13, 2009, at www.wired.com/threatlevel/2009/10/walmart-hack/, accessed October 30, 2009.

19. Brian Bergstein, “Wards Didn’t Tell Customers About Credit Card Hack,” USA Today, June 27, 2008, at www.usatoday.com/tech/news/computersecurity/infotheft/2008-06-27-wards-data-theft_N.htm, accessed December 16, 2010.

20. Help Net Security, “Every Week 57,000 Fake Web Addresses to Try to Infect Users,” September 6, 2010, at www.net-security.org/malware_news.php?id=1456, accessed September 6, 2010.

21. Fletcher, “Report: Big Citibank hack,” December 22, 2009.

22. Rhys Blakely et al., “Cybergang Raises Fear of New Crime Wave,” The Times (London), November 10, 2007, at http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article2844031.ece, accessed November 18, 2010.

23. Help Net Security, “Twitter Accounts Spreading Malicious Code,” December 3, 2010, at www.net-security.org/malware_news.php?id=1554, accessed December 3, 2010; “The Rise of Crimeware,” October 6, 2010, at www.net-security.org/malware_news.php?id=1488, accessed October 6, 2010. Al-Qaeda is also busy making friends on Facebook. Jane Winter, “Al Qaeda Looks to Make New ‘Friends’—on Facebook,” Fox News, December 9, 2010, at www.foxnews.com/scitech/2010/12/09/facebook-friends-terror/, accessed December 10, 2010.

24. Darren Waters, “Spam Overwhelms E-Mail Messages,” BBC News, April 8, 2009, at http://news.bbc.co.uk/2/hi/technology/7988579.stm, accessed December 12, 2010.

25. Help Net Security, “420,000 Scam E-Mails Sent Every Hour,” June 16, 2010, at www.net-security.org/secworld.php?id=9421, accessed August 24, 2010.

26. According to UK law enforcement officials I spoke with, some of these attacks were carried out by simply entering a shop and swapping out a “straight” device for one that had been doctored. See also Henry Samuel, “Chip and Pin Scam Has Netted Millions From British Shoppers,” Daily Telegraph, at www.telegraph.co.uk/news/newstopics/politics/lawandorder/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html, accessed October 12, 2008; Siobhan Gorman, “Fraud Ring Funnels Data from Cards to Pakistan,” Wall Street Journal, October 11, 2008, at http://online.wsj.com/article/SB122366999999723871.html, accessed October 12, 2008. Unlike the one-time big heist, which is usually discovered quickly, the long-term slow pilfering of relatively small amounts from many accounts can generate greater returns. One wealthy investor lost $300,000 this way from an account at JPMorgan Chase over a fifteen-month period. Dana B. Hernriques, “The Bank Account that Sprang a Leak,” New York Times, August 30, 2008, at www.nytimes.com/2008/08/30/business/yourmoney/30theft.html?ei=5070&emc=etal&p, accessed September 6, 2008.

27. For perhaps the best inside account of a criminal cyberoperation, see Kevin Poulsen, “One Hacker’s Audacious Plan to Rule the Black Market in Stolen Credit Cards,” Wired, December 22, 2008, at www.wired.com/print/techbiz/people/magazine/17-01/ff_max_butler, accessed January 17, 2010.

28. Internet Crime Complaint Center, 2010 Internet Crime Report, p. 7, at www.ic3.gov/media/annualreport/2010_ic3report.pdf, accessed March 1, 2011. The Internet Crime Complaint Center is a joint project of the Justice Department, the FBI, and the National Crime Complaint Center. Government statistics on Internet crime are difficult to fathom. It is not clear, for example, whether arrests or convictions reported in any year arise from investigations opened in that year, or from those opened in prior years. The mismatch between convictions and crimes is clear, however. The hundreds of thousands of complaints reviewed by the FBI and referred to law enforcement in 2010 appear to have resulted in only thirty-one arrests and six convictions. Internet Crime Complaint Center, 2010 Internet Crime Report, p. 5, at www.ic3.gov/media/annualreport/2010_ic3report.pdf, accessed March 1, 2011.

29. Byron Acohido, “Theft of Personal Data More Than Triples This Year,” USA Today, December 10, 2007, at www.usatoday.com/money/industries/technology/2007-12-09-data-theft_N.htm, accessed March 31, 2011.

30. Verizon, 2009 Report, p. 13.

31. In early 2011, for example, the NASDAQ Stock Market confirmed that its network had been breached—not its trading platform but an electronic service on which corporate leaders post confidential documents. Devlin Barrett, Jenny Strasburg, and Jacob Bunge, “Nasdaq Confirms Breach in Network,” Wall Street Journal, February 7, 2011, at http://online.wsj.com/article/SB10001424052748703989504576128632568802332.html, accessed February 7, 2011. As of March 2011, the investigation was ongoing, and the full extent and consequences of the breach were far from clear. Trial of this case has been delayed. Mark Ballard, “Zeus Fraud Gang Trial Hits Another Delay,” ZDNet UK, accessed March 21, 2011.

32. “[I]n 2009, there were 25 million new strains of malware. That equals a new strain of malware every 0.79 seconds.” Kevin Coleman, “Stronger Measures Necessary to Address More Frequent and Sophisticated Attacks,” Defense Systems, April 22, 2010, at www.defensesystems.com/Articles/2010/04/26/Digital-Conflict-Cyber-Defense.aspx, accessed May 15, 2011. As to the lack of trained cyberinvestigators, see Pete Yost, “Many FBI Agents Said Lack Ability in Cyber Cases,” Associated Press, April 28, 2011, at http://news.yahoo.com/s/ap/20110429/ap_on_go_ca_st_pe/us_fbi_cybersecruity, accessed May 15, 2011. For recent law enforcement successes, see Gregg Keizer, “Court Order Cripples Coreflood Botnet, Says FBI,” Computerworld, April 26, 2011, at www.computerworld.com/s/article/9216190/Court_order_cripples_Coreflood_botnet_says_FBI, accessed April 28, 2011; Nick Wingfield, “Spam Network Shut Down,” Wall Street Journal, March 18, 2011, at http://online.wsj.com/article/SB10001424052748703328404576207173861008758.html, accessed April 13, 2011; Internet Law Resource Center, “Jury Convicts Last of Defendants in Massive Bank Fraud Phishing Scheme,” Bureau of National Affairs, March 30, 2011, at www.alacrastore.com/storecontent/BNA_Banking_Daily-Jury_Convicts_Last_of_Defendants_In_Massive_Bank_Fraud_Phishing_Scheme-2101-3939, accessed March 30, 2011; Kim Zetter, “Carder Pleads Guilty to Fraud Involving $26 Million in Losses,” Wired, April 21, 2011, at www.wired.com/threatlever/2011/04/rogelio-hackett-guilty, accessed April 25, 2011.

33. Jaikumar Vijayan, “Poughkeepsie, N.Y., Slams Bank for $378,000 Online Theft,” Computerworld, February 8, 2010, at www.computerworld.com/s/article/9153598/Poughkeepsie_N.Y._slams_bank_for_378_000_online_theft, accessed February 10, 2010.

34. A Web address is called a URL, for “uniform resource locator.” This is the plain English tag for an Internet Protocol, or IP, address that tells your computer where to look for information, or how to find your correspondent. The Internet works because everyone on it uses this consistent method of addressing. An IP address looks like this: 100.148.0.11. A URL is a lot easier to remember than an IP address, which is why we use them.

35. Internet Crime Complaint Center, 2010 Internet Crime Report, p. 10, at www.ic3.gov/media/annualreport/2010_ic3report.pdf, accessed March 31, 2011.

36. Help Net Security, “Sensitive Information Retrieved from P2P Networks,” February 8, 2010, at www.net-security.org/secworld.php?id=8841, accessed February 8, 2010.

37. Bill Brubaker, “Online Records May Aid ID Theft,” Washington Post, January 2, 2008, A1, at http://pqasb.pqarchiver.com/washingtonpost/access/1406254921.html?FMT=ABS&FMTS=ABS:FT&date=Jan+2%2C+2008&author=Bill+Brubaker+-+Washington+Post+Staff+Writer&pub=The+Washington+Post&edition=&startpage=A.1&desc=Online+Records+May+Aid+ID+Theft%3B+Government+Sites+Post+Personal+Data, accessed January 4, 2008.

38. Brian Krebs, “Justice Breyer Is Among Victims in Data Breach Caused by File Sharing,” Washington Post, July 9, 2008, at www.washingtonpost.com/wp-dyn/content/article/2008/07/08/AR2008070802997.html, accessed September 26, 2008. As of this writing (mid-2011), LimeWire has effectively been shut down by a federal injunction after a finding that it was engaging in copyright infringement. Joseph Plambeck, “Court Rules That File-Sharing Service Infringed Copyrights,” New York Times, May 12, 2010, at www.nytimes.com/2010/05/13/technology/13lime.html, accessed December 13, 2010. According to LimeWire’s Web site, the injunction remained in effect as of this writing. See www.limewire.com, accessed March 22, 2011. For more on P2P, see “Classified U.S. Military Info, Corporate Data Available Over P2P,” Computerworld, July 25, 2007, at www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9027949, accessed September 25, 2008. See “P2P Increasingly Favored by Malware Attackers,” Help Net Security, July 27, 2010, at www.net-security.org/secworld.php?id=9641, accessed August 24, 2010, citing Cisco, 2010 Global Threat Report.

39. See, e.g., Zeljka Zorz, “A Lesson to Learn from the HBGary Breach,” Help Net Security, February 18, 2011, at www.net-security.org/article.php?id=1559, accessed February 19, 2011.

40. Mark Clayton, “How the FBI and Interpol Trapped the World’s Biggest Butterfly Botnet,” Christian Science Monitor, June 30, 2011, at http://news.yahoo.com/fbi-interpol-trapped-worlds-biggest-butterfly-botnet-221210285.html, accessed June 30, 2011; Help Net Security, “Large Zeus Botnet Used For Financial Fraud,” August 4, 2010, at www.net-security.org/malware_news.php?id=1418, accessed August 4, 2010; see also Roger Thompson, “Mumba Botnet Shows the Sophistication of Criminal Gangs,” AVG, August 2, 2010, at http://thompson.blog.avg.com/2010/08/todays-battle-with-cyber-criminals-is-a-bit-like-the-old-fashioned-cops-and-robbers-stories-of-years-ago-the-police-were-cons.html, accessed August 25, 2010.

41. Noam Cohen, “Web Attackers Find Cause in WikiLeaks,” The New York Times, December 9, 2010, at www.nytimes.com/2010/12/10/world/10wiki.html?_r=1, accessed January 6, 2011.

42. Elinor Mills, “Heartland Sued Over Data Breach,” CNET News, January 28, 2009, at http://news.cnet.com/8301-1009_3-10151961-83.html, accessed January 19, 2010.

43. In re Heartland Payment Systems, Inc. Securities Litigation, Civ. No. 09-1043 (D.N.J., December 7, 2009). Opinion at www.huntonfiles.com/files/webupload/PrivacyLaw_Heartland_Decision.pdf, accessed December 9, 2009. The attack used a “structured query language,” or SQL, attack, which injects code where it does not belong in order to take control of a system.

44. Heartland Payments Systems, Inc. Annual Report on SEC Form 10-K, March 10, 2011, at www.faqs.org/sec-filings/110310/HEARTLAND-PAYMENT-SYSTEMS-INC_10-K/, accessed March 30, 2011; see also Jaikumar Vijayan, “Heartland Breach Expenses pegged at $140M—so far,” Computerworld, May 10, 2010, at www.computerworld.com/s/article/9176507/Heartland_breach_expenses_pegged_at_140M_so_far, accessed March 31, 2011.

45. Oscar Wilde, “The Critic as Artist,” Part 2, in The Complete Works of Oscar Wilde (New York: Wm. H. Wise & Company, 1927), v. 5, p. 203.

46. One of the most ancient propositions of the common law is Sic utere tuo ut alienam non lædas, or: Use what is yours so you do not harm others. See Joel F. Brenner, “Nuisance Law and the Industrial Revolution,” J. Legal Studies (1974)3: 403.

47. Terry v. Ohio, 392 U.S. 1 (1968) decided that evidence from such an encounter was admissible in the federal courts.

CHAPTER 3: BLEEDING WEALTH

1. McAfee, the antivirus company, dubbed the attacks Operation Aurora, and the name stuck. George Kurtz, “Operation ‘Aurora’ Hit Google, Others,” McAfee Security Insights Blog, January 14, 2010, at http://siblog.mcafee.com/cto/operation-“aurora”-hit-google-others/, accessed January 27, 2010. McAfee chose that name—the attackers used it. This operation has nothing to do with another Aurora project, the simulated remote attack on electricity generating equipment described in chapter 5.

2. In its original release, the company stated that the attacks “resulted in the theft of intellectual property,” but it did not specify that source code had been stolen. “A New Approach to China,” January 12, 2010, at http://googleblog.blogspot.com/2010/01/new-approach-to-china.html, accessed February 22, 2010.

3. The notable exception was Ariana Eunjung Cha and Ellen Nakashima, “Google China Cyber-attack Part of Vast Espionage Campaign, Experts Say,” Washington Post, January 14, 2010, at www.washingtonpost.com/wp-dyn/content/article/2010/01/13/AR2010011300359.html, accessed February 21, 2010.

4. Google, “A New Approach to China,” January 12, 2010, at http://googleblog.blogspot.com/2010/01/new-approach-to-china.html, accessed April 4, 2011.

5. Based partly on private sources. McAfee concurs that the attacks targeted intellectual property. Kurtz, “Operation ‘Aurora,’” McAfee Blog, January 14, 2010; Kim Zetter, “Google Hackers Targeted Source Code of More than 30 Companies,” Wired, January 13, 2010, at www.wired.com/threatlevel/2010/01/google-hack-attack/, accessed December 14, 2010.

6. Kim Zetter, “Report Details Hacks Targeting Google, Others,” Wired, February 3, 2010, at www.wired.com/threatlevel/2010/02/apt-hacks/, accessed December 26, 2010.

7. See Cha and Nakashima, “Google China Cyberattack,” January 14, 2010. They name Yahoo, Symantec, Adobe, Northrop Grumman, and Dow Chemical. A day later the New York Times added Juniper to the list. Juniper is the second largest manufacturer of network routers in the United States. David E. Sanger and John Markoff, “After Google’s Stand on China, U.S. Treads Lightly,” New York Times, January 15, 2010, at www.nytimes.com/2010/01/15/world/asia/15diplo.html?scp=1&sq=After%20Google’s%20Stand%20on%20China,%20U.S.%20Treads%20Lightly&st=cse, accessed February 21, 2010. In its 2009 annual report filed with the SEC, Intel stated that it had been targeted by “sophisticated” attacks during the same time, but did not state what, if anything, had been stolen. Computerworld Security, “Intel Confirms ‘Sophisticated’ Attacks in January,” February 23, 2010, at www.computerworld.com/s/article/9160999/Intel_confirms_sophisticated_attacks_in_January, accessed February 23, 2010. For the attack on Morgan Stanley, see Zeljka Zorz, “Stolen E-Mails Reveal Morgan Stanley Was Hit by Aurora Attacks,” Help Net Security, March 1, 2011, at www.net-security.org/secworld.php?id=10679, accessed March 1, 2011. The attack on Morgan Stanley came to light when the bank’s security consultant, HBGary, was in turn penetrated by the group Anonymous.

8. Kurtz, “Operation ‘Aurora,’” McAfee Blog, January 14, 2010; McAfee, “Operation Aurora: How to Respond to the Recent Internet Explorer Vulnerability,” [n.d.], at www.mcafee.com/us/threat_center/operation_aurora.html, accessed January 26, 2010. The encryption is described in Kim Zetter, “Google Hack Attack Was Ultra Sophisticated, New Details Show,” Wired, January 14, 2010, at www.wired.com/threatlevel/2010/01/operation-aurora/, accessed January 27, 2010.

9. Google cofounder Sergey Brin confirmed the theft of Google’s code. Jessica E. Vascellaro, “Brin Drove Google to Pull Back in China,” New York Times, March 24, 2010.

10. Note to Mr. Li’s translator: In English, “top dog” means “big shot.” It’s not an insult.

11. See James Glanz and John Markoff, “Cables Discuss Vast Hacking by a China Fearful of the Web,” New York Times, December 4, 2010, at www.nytimes.com/2010/12/05/world/asia/05wikileaks-china.html, accessed December 4, 2010. Among other things, they cite a cable dated May 18, 2009.

12. Sanger and Markoff, “After Google’s Stand,” New York Times, January 15, 2010; Michael Richardson, “Details on Taiwan connection emerge in Operation Aurora hack of Google,” Examiner.com, January 27, 2010, at www.examiner.com/x-34331-Taiwan-Policy-Examiner~y2010m1d25-Details-on-Taiwan-connection-emerge-in-Operation-Aurora-hack-of-Google, accessed January 27, 2010.

13. Ellen Nakashima, “U.S. Plans to Issue Official Protest to China Over Attack on Google,” Washington Post, January 16, 2010, at www.washingtonpost.com/wp-dyn/content/article/2010/01/15/AR2010011503917.html, accessed February 21, 2010.

14. John Markoff, “Evidence Found for Chinese Attack on Google,” New York Times, January 20, 2010, at www.nytimes.com/2010/01/20/technology/20cyber.html?hp, accessed January 20, 2010.

15. Michael Wines, “China Issues Sharp Rebuke to U.S. Calls for an Investigation on Google Attacks,” New York Times, January 26, 2010, at www.nytimes.com/2010/01/26/world/asia/26google.html?scp=1&sq=China%20Issues%20Sharp%20Rebuke%20to%20U.S.%20Calls%20for%20an%20Investigation%20on%20Google%20Attacks&st=cse, accessed January 26, 2010.

16. John Markoff and David Barboza, “Two Chinese Schools Said to Be Tied to Online Attacks,” New York Times, February 19, 2010, at www.nytimes.com/2010/02/19/technology/19china.html, accessed February 19, 2010.

17. McAfee, “Global Energy Cyberattacks: ‘Night Dragon,’” February 10, 2011, at www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf, accessed February 11, 2011. International organizations have suffered similar attacks. In 2008, cyberspies deeply penetrated the computer networks of the World Bank and for nearly a month had access to sensitive economic information from many nations.

18. Even if an intrusive caller from a phone bank blocks his caller ID, the telephone company can determine its location with certainty and shut it down. This may change as telephone and Internet communications converge.

19. According to officials, countries in Eastern Europe, Africa, and South America—including Nigeria, Brazil, Ukraine, and until recently Romania—have become burgeoning sanctuaries for hackers because of weak law enforcement. “U.S. Takes Fight Against Hackers Overseas,” December 9, 2009, at www.msnbc.msn.com/id/34351026/ns/technology_and_science-security/, accessed December 28, 2010; Saleh Sikandar, “FIA Says No Law Now to Check Cyber Crimes,” July 15, 2010, at http://propakistani.pk/2010/07/15/fia-says-no-law-now-to-check-cyber-crimes/, accessed March 1, 2011; see also www.i-policy.org/2011/02/the-international-convention-on-cybercrime-one-of-the-most-needed-treaties-of-this-century.html.

20. Major David Willson, U.S. Army, “When Does Electronic Espionage or a Cyber Attack Become an ‘Act of War’?” CyberPro, National Security Cyberspace Institute, May 2010, at www.nsci-va.org/WhitePapers/2010-05-06-David%20Willson-Electronic%20Espionage-Act%20of%20War.pdf, accessed December 29, 2010; Kim Zetter, “Former NSA Director: Countries Spewing Cyberattacks Should Be Held Responsible,” Wired, July 29, 2010, at www.wired.com/threatlevel/2010/07/hayden-at-blackhat/, accessed December 29, 2010.

21. “The United States was the top country for malicious activity.” See Symantec Intelligence Quarterly Reports for 2010 (up to September 2010), at www.symantec.com/business/theme.jsp?themeid=threatreport, accessed December 29, 2010.

22. Sharon LaFraniere and Jonathan Ansfield, “China Alarmed by Security Threat from Internet,” New York Times, February 12, 2010, at www.nytimes.com/2010/02/12/world/asia/12cyberchina.html?ref, accessed February 12, 2010.

23. Ellen Nakashima, “Diverse Group of Chinese Hackers Wrote Code in Attacks on Google, U.S. Companies,” Washington Post, February 20, 2010, at www.washingtonpost.com/wp-dyn/content/article/2010/02/19/AR2010021902643.html, accessed February 23, 2010.

24. Kelly Jackson Higgins, “Anatomy of a Targeted, Persistent Attack,” Dark Reading, January 27, 2010, at www.darkreading.com/shared/printableArticleSrc.jhtml?articleID=222600139, accessed February 5, 2010.

25. “CATIC is a professional state-owned enterprise with aviation products & technology import and export as its core business. With 1 billion’ register [sic] capital and hundreds of million’s [sic] property, CATIC has exported fighters, trainers, bombers, helicopters, transporters, general aviation aircraft and associated airborne equipment and ground support equipment as well as various components and spare parts. Through multinational cooperation, CATIC has invested and developed high-performance aircrafts such as K-8 trainer, JF-17 fighter and EC-120 helicopter. CATIC has provided to its customers from home and abroad and to the national key projects with professional value-added services including market surveys and analysis, project development, business planning, program management, investment and financing, technology introduction, international trade and cooperation.” See “About CATIC,” at www.catic.cn/indexPortal/home/index.do?cmd=goToChannel&cid=754&language=US, accessed December 29, 2010; see also “China National Aero-Technology Import and Export Corporation,” at http://en.wikipedia.org/wiki/China_National_Aero-Technology_Import_%26_Export_Corporation, accessed December 29, 2010.

26. Department of Commerce Bureau of Industry and Security, “McDonnell Douglas, China National Aero Technology Import and Export Corporation and Others Indicted on Federal Charges for Making False and Misleading Statements in Connection with Exporting Machinery to the People’s Republic of China,” October 19, 1999, at www.bis.doc.gov/news/archive99/dojindictmentmcdonneldouglas.html, accessed February 28, 2010; DoC BIS, “People’s Republic of China Corporate Entity Waives Soverign Immunity and Enters Plea to Felony Export Violation; Sentenced to Pay $1 Million Criminal Fine and Five Year Term of Corporate Probation,” May 11, 2001, at www.bis.doc.gov/news/archive2001/dojreleaseprccase.htm, accessed February 28, 2010.

27. Gerald Posner, “China’s Secret Cyberterrorism,” TheDailyBeast.com, January 13, 2010, at www.thedailybeast.com/blogs-and-stories/2010-01-13/chinas-secret-cyber-terrorism/p/, accessed February 1, 2010.

28. A 2008 Pew Research Center report found that 86 percent of Chinese citizens were satisfied with the direction of their country and that 65 percent thought the Chinese government was doing a good job addressing critical issues. This statistic inched higher among wealthy Chinese citizens, 72 percent of whom gave the government a positive review. The 2008 Pew Global Attitudes Survey in China: The Chinese Celebrate Their Roaring Economy, As They Struggle With its Costs, July 22, 2008, p. 17, at http://pewglobal.org/reports/pdf/261.pdf, accessed April 4, 2011.

29. Robert Lemos, “Law Firm Suing China Suffers Attack,” SecurityFocus, a Symantec-sponsored Web site, January 14, 2010, at www.securityfocus.com/print/brief/1062, accessed January 27, 2010.

30. For a discussion of current U.S. counterespionage strategy, see the National Counterintelligence Strategy of the United States of America (2008), at www.ncix.gov/publications/policy/2008_Strategy.pdf, accessed March 2, 2010.

31. The French have successfully created a widely accepted myth to the contrary, but it’s false. See Jacques Isnard, “L’Europe « piégée » par le réseau d’espionnage Echelon,” Le Monde, October 13, 2000, at www.lemonde.fr/cgi-bin/ACHATS/acheter.cgi?offre=ARCHIVES&type_item=ART_ARCH_30J&objet_id=105523, accessed April 4, 2011; Duncan Campbell and Paul Lashmar, “Revealed: 30 More Nations with Spy Stations,” The Independent, July 9, 2000, at www.independent.co.uk/news/uk/politics/revealed-30-more-nations-with-spy-stations-707320.html, accessed April 4, 2011.

32. Hedieh Nasheri, Economic Espionage and Industrial Spying (Cambridge, UK: Cambridge University Press, 2005), p. 197, n. 14, quoting the New York Daily News, September 5, 1994; see also Harvey Rishikof, “Economic and Industrial Espionage: Who Is Eating America’s Lunch, and How Do We Stop It?” in Jennifer E. Sims and Burton Gerber, eds., Vaults, Mirrors and Masks: Rediscovering U.S. Counterintelligence (Washington, DC: Georgetown University Press, 2009), p. 201.

33. Susan W. Brenner and Anthony C. Crescenzi, “State-Sponsored Crime: The Futility of the Economic Espionage Act,” v. 1, n. 28, Houston Journal of Int’l Law (January 2006): p. 389, at http://findarticles.com/p/articles/mi_hb3094/is_2_28/ai_n29266288/?tag=content;col1l, accessed December 15, 2010; United States v. Hsu, 155 F.3d 189, 194 (3d Cir. 1998). (“The end of the cold war sent government spies scurrying to the private sector to perform illicit work for businesses and corporations . . . and by 1996 . . . nearly $24 billion of corporate intellectual property was being stolen each year.”)

34. Economic Espionage Act of 1996, Pub. L. No. 104-294, 11, 110 Stat. 3488, 18 U.S.C. § 1831 (1996).

35. Brenner and Crescenzi, “State Sponsored Crime,” p. 390, citing S. Rep. No. 104-359, at 11 (1996): “Only by adopting a national scheme to protect U.S. proprietary economic information can we hope to maintain our industrial and economic edge and thus safeguard our national security. Foremost, we believe that the greatest benefit of the Federal statute will be as a powerful deterrent.”

36. “The development of the U.S. textile industry in the early 1800s is a direct result of Francis Cabot Lowell visiting England and memorizing the workings of their power looms. Upon returning to New England he recruited a master mechanic to recreate and develop what he had memorized. The Chinese were able to protect their proprietary interests in the silk trade for in excess of two thousand years, further illustrating that economic espionage is not a recent phenomena. The secret was ultimately lost, according to one account, when a Chinese princess married a foreign prince and smuggled silkworm eggs out of China by hiding them in her voluminous hair piece (circa AD 440). A second account credits two Nestorian monks (circa AD 550) with smuggling silkworm eggs in their hollow bamboo staves for delivery to the Byzantine Emperor Justinian.” Brenner and Crescenzi, “State Sponsored Crime,” p. 395.

37. The Independent, January 10, 1997, at http://www.independent.co.uk/news/business/vw-agrees-to-100m-settlement-with-gm-1282486.html, accessed March 21, 2011; “Inaki Lopez’s Last Stand,” Newsweek, August 2, 1993, at www.newsweek.com/1993/08/01/inaki-lopez-s-last-stand.html, accessed March 21, 2011. He was indicted in Germany but never convicted. By the time he was indicted in the United States, he had gone to Spain, which refused to extradite him. Emma Daly, “Spain Court Refuses to Extradite Man G.M. Says Took Its Secrets,” New York Times, June 20, 2001, at www.nytimes.com/2001/06/20/business/spain-court-refuses-to-extradite-man-gm-says-took-its-secrets.html, accessed March 21, 2001.

38. See Eamon Javers, Broker, Trader, Lawyer, Spy: The Secret World of Corporate Espionage (New York: HarperCollins, 2010).

39. The key allegations appear in Oracle’s “Fourth Amended Complaint for Damages and Injunctive Relief,” ¶¶ 16, 93, 96–100. SAP admitted liability. The judgment is reported in Cari Tuna, “Jury Rules SAP Owed Oracle $1.3 Billion,” Wall Street Journal, November 24, 2010, at http://online.wsj.com/article/SB10001424052748704369304575633150256505376.html, accessed November 24, 2010. As of this writing (early 2011), the judgment is under appeal.

40. Mike Lennon, “Former Bristol-Myers Squibb Employee Pleads Guilty to Theft of Trade Secrets,” Security Week News, November 8, 2010, at www.securityweek.com/former-bristol-myers-squibb-employee-pleads-guilty-theft-trade-secrets, accessed December 15, 2010.

41. Robert McMillan, “Former Goldman Sachs Coder Gets 8-year Sentence,” Computerworld, March 21, 2011, at www.computerworld.com/s/article/9214880/Former_Goldman_Sachs_coder_gets_8_year_sentence?source=CTWNLE_nlt_security_2011-03-22&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fs%2Ffeed%2Ftopic%2F144+%28Computerworld+DRM+and+Legal+Issues+News%29, accessed March 22, 2011.

42. CERT, “Spotlight on: Insider Theft of Intellectual Property Inside the U.S. Involving Foreign Governments or Information,” June 2009, available through www.cert.org. CERT is part of the Software Engineering Institute, a federally funded research and development center at Carnegie Mellon University.

43. The State Department’s Directorate of Defense Trade administers the International Traffic in Arms Regulations, but violations of these regulations, as well as of the Arms Export Control Act, are enforced by the Homeland Security Department’s Immigration and Customs Enforcement agency. For the list of military items prohibited from export, see 15 C.F.R. 774, supp. 1. Other export controls are administered by the Commerce Department. 15 C.F.R. § 736, 50 U.S.C. app §§2401-2420. For the list of dual-use items controlled by the Commerce Department, see 22 CFR 121.

44. Except as otherwise noted, this account is based on the criminal complaint in United States v. Yang, case no. MJ10-498 (W.D. Wash.), filed December 2, 2010.

45. See Web site of Xian Space Star Technology (Group) Corporation, at http://nippledrinker.en.alibaba.com/aboutus.html, accessed December 16, 2010.

46. As of late March 2011, this case had not gone to trial.

47. FBI press release, August 31, 2010, at http://indianapolis.fbi.gov/dojpressrel/pressrel10/ip083110a.htm, accessed December 16, 2010; Christopher Drew, “New Spy Game: Firms’ Secrets Sold Overseas,” New York Times, October 17, 2010, at www.nytimes.com/2010/10/18/business/global/18espionage.html, accessed December 16, 2010. As of early April 2011, this case had not gone to trial.

48. Rhys Blakely, Jonathan Richards, James Rossiter, and Richard Beeston, “MI5 Alert on China’s Cyberspace Spy Threat,” The Sunday Times, December 1, 2007, at http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article2980250.ece, accessed March 1, 2011; “Merkel Tells China to Respect International Rules,” Agence France-Presse, August 27, 2007, at http://services.inquirer.net/print/print.php?article_id=20070827-85028, accessed March 1, 2011.

49. David Leppard, “China Bugs and Burgles Britain,” The Sunday Times, January 31, 2010, at www.timesonline.co.uk/tol/news/uk/crime/article7009749.ece, accessed February 16, 2010.

50. Some examples would be documents that contain a client’s strategy and bottom line terms for prospective negotiations with a foreign company or government; discuss a client’s plans to invest in oil and gas leases, and bid data; contain client plans for investment options in hot areas such as “clean tech”; analyze a foreign firm’s likely merger and acquisition targets and their chances of passing muster with U.S. regulatory authorities; analyze investment options in the United States for a foreign client; relate to a client’s physical and electronic security; contain a .pdf file for the entry pass to a restricted conference on export controls or another sensitive topic; or contain a partner’s travel plans for a trip to China, including contacts in China and hotel reservations (very useful in making sure he gets a bugged room).

51. Chuck Hawks, “The Best Fighter Aircraft of World War II,” at www.chuckhawks.com/best_fighter_planes.htm, accessed February 14, 2010; Larry Dwyer, “Mitsubishi A6M Zero-Sen—Japan,” at www.aviation-history.com/mitsubishi/zero.html, accessed April 4, 2011, citing Heiner Emde and Carlo Demand, Conquerors of the Air (New York: Viking Press, 1969), and David Mondey, The Concise Guide to Axis Aircraft of World War II (New York: Smithmark Publishers, 1996), p. 194.

52. “Ex-espionage Chief Admits France Engaged in Economic Spying,” Agence France-Presse, January 10, 1996, quoted in Charles Lathrop, The Literary Spy: The Ultimate Source for Quotations on Espionage and Intelligence (New Haven: Yale University Press, 2004), p. 131.

53. “Yugoslavia: Serb Hackers Reportedly Disrupt US Military Computer,” Bosnian Serb News Agency SRNA, March 28, 1999 (BBC Monitoring Service, March 30, 1999), cited in Kenneth Geers, “Cyberspace and the Changing Nature of Warfare,” NATO [n.d.] note 10, at www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Geers/BlackHat-Japan-08-Geers-Cyber-Warfare-Whitepaper.pdf, accessed April 4, 2011; Michael Dobbs, “The War on the Airwaves,” Washington Post, April 19, 1999, reported that NATO controlled all four Internet access providers in Yugoslavia and intentionally kept them open to spread disinformation and propaganda.

54. Nathan Hodge, “Defense Mergers Opposed by U.S.,” Wall Street Journal, February 9, 2011, at http://online.wsj.com/article/SB10001424052748703313304576132522909188468.html, accessed February 9, 2011.

55. Office of the National Counterintelligence Executive, 2008 Annual Report to Congress on Foreign Economic Collection and Industrial Espionage (hereafter, “2008 Economic Espionage Report”), App. B., at www.ncix.gov/publications/reports/fecie_all/fecie_2008/2008_FECIE_Blue.pdf, accessed April 4, 2011.

56. The NetWitness press release is available at www.netwitness.com/resources/pressreleases/feb182010.aspx, accessed February 28, 2010. The companies were named by Siobhan Gorman, “Broad New Hacking Attack Detected,” Wall Street Journal, February 18, 2011, at http://online.wsj.com/article/SB10001424052748704398804575071103834150536.html, accessed February 18, 2011.

57. “The Globalist,” The Economist [n.d.], at www.theglobalist.com/countryoftheweek/sample.htm, accessed February 15, 2010.

58. “It seems likely that average incomes in Japan, China, and parts of southeast Asia were comparable to (or higher than) those in western Europe even in the late eighteenth century.” Kenneth Pomeranz, The Great Divergence: China, Europe, and the Making of the Modern World (Princeton: Princeton University Press, 2000), p. 49.

59. “The Globalist,” The Economist [n.d.], at www.theglobalist.com/countryoftheweek/sample.htm, accessed February 15, 2010, citing OECD statistics.

60. Paul Halsall, ed., Internet Modern History Sourcebook, a project of the Fordham University Department of History, “Table Illustrating the Spread of Industrialization,” Table 1, at www.fordham.edu/halsall/mod/indrevtabs.1.html, accessed February 10, 2010.

61. Adda B. Bozeman, Strategic Intelligence and Statecraft: Selected Essays (Washington, DC: Brassey’s, 1992), p. 12. These essays deserve to be widely read and studied.

62. Ibid., p. 50.

63. Ibid., pp. 15–16.

64. Cited in ibid.

65. Alan Murray, “Parting Words,” Wall Street Journal, November 22, 2010, at http://online.wsj.com/article/SB10001424052748703628204575619250079601996.html?KEYWORDS=parting+words, accessed December 15, 2010, quoting Lawrence Summers, outgoing director of the U.S. National Economic Council.

CHAPTER 4: DEGRADING DEFENSE

1. The Chi Mak chronology is stated in detail in Calland F. Carnes, Snake Fish: The Chi Mak Spy Ring (New York: Barraclough, 2008), which provides most of the facts given in this account.

2. 2009 Report to Congress of the U.S.-China Economic and Security Review Commission, November 2009, pp. 5, 155–56, at www.uscc.gov/annual_report/2009/annual_report_full_09.pdf, accessed March 4, 2009.

3. Ibid., p. 2, at www.uscc.gov/annual_report/2009/annual_report_full_09.pdf, accessed March 4, 2009.

4. U.S. v. Tai Shen Kuo, U.S.D.C., E.D. Va., indictment filed February 6, 2008; U.S. v. Chung, U.S.D.C., C.D. Cal., indictment filed February 6, 2008.

5. 18 U.S.C. § 793.

6. Chi Mak was convicted of “conspiracy to commit economic espionage, six counts of economic espionage to benefit a foreign country, one count of acting as an agent of the People’s Republic of China and one count of making false statements to the FBI.” U.S. Department of Justice Press Release, “Former Boeing Engineer Convicted of Economic Espionage in Theft of Space Shuttle Secrets for China,” July 16, 2009, at www.justice.gov/opa/pr/2009/July/09-nsd-688.html, accessed March 21, 2011. See U.S. v. Chi Mak, second superseding indictment, SA CR 05-293 (B)-CJC, filed October 26, 2006.

7. H.G. Reza, “10 Years for Man in China Spy Case,” Los Angeles Times, April 22, 2008, at http://articles.latimes.com/2008/apr/22/local/me-spies22, accessed March 27, 2011; H.G. Reza, “3-Years Sentence in China Spy Case,” Los Angeles Times, October 3, 2008, accessed March 27, 2011.

8. 2009 Report to Congress, pp. 5–6, at www.uscc.gov/annual_report/2009/annual_report_full_09.pdf, accessed March 4, 2009.

9. 2008 Economic Espionage Report, App. B.

10. Migration Information Source, May 2010, at www.migrationinformation.org/USfocus/display.cfm?id=781, accessed December 27, 2010.

11. Yu Ran, “Growing Number of Chinese Students Head to US,” China Daily, December 27, 2010, at www.chinadaily.com.cn/china/2010-02/27/content_9513253.htm, accessed December 27, 2010, quoting a U.S. consular official.

12. Ray Clancy, “US Sees Significant Rise in the Number of Chinese Students,” EXPATFORUM.com, November 24, 2010, at www.expatforum.com/america/us-sees-significant-rise-in-the-number-of-chinese-students.html, accessed December 27, 2010.

13. “1 million: The Number of Chinese Tourists that Visited the US in 2010,” China Economic Review, December 23, 2010, at www.chinaeconomicreview.com/today-in-china/2010_12_23/1_million:_The_number_of_Chinese_tourists_that_visited_the_US_in_2010.html, accessed December 27, 2010.

14. U.S. v. Chung, U.S.D.C., C.D. Cal., indictment filed February 6, 2008, ¶ 21.d. Chung was sentenced to nearly sixteen years in prison. U.S. Department of Justice press release, February 8, 2010, at http://losangeles.fbi.gov/dojpressrel/pressrel10/la020810.htm, accessed December 19, 2010.

15. Studies on this subject are appropriately inconclusive and generally lack psychological depth. See, e.g., Katherine L. Herbig and Martin F. Wiskoff, “Espionage Against the United States by American Citizens 1947–2001,” Technical Report 02-5, July 2002, based on research conducted by the Defense Personnel Security Research Center, at www.ncix.gov/docs/espionageAgainstUSbyCitizens.pdf, accessed December 19, 2010.

16. Ideologically motivated espionage was common during the 1950s but has reappeared several times in prominent cases in recent years. Apart from Chi Mak and related cases, the most striking example is the Cuban spy Ana Belem Montes. See Scott W. Carmichael, True Believer: Inside the Investigation and Capture of Ana Montes, Cuba’s Master Spy (Annapolis, MD: Naval Institute Press, 2007).

17. U.S. v. Tai Shen Kuo, case no. l:08mj-98, U.S.D.C., E.D. Va., Affidavit in Support of Criminal Complaint, Three Arrest Warrants, and Three Search Warrants, filed February 6, 2008, at www.justice.gov/opa/pr/2008/February/under-seal-bt-affidavit-edva.pdf, accessed April 18, 2010.

18. Alan Furst, Dark Star (New York: Random House, 2002), p. 102.

19. Based on an interview with a former intelligence official.

20. Ed Pilkington, “China Winning Cyber War, Congress Warned,” The Guardian, November 20, 2008, at www.guardian.co.uk/technology/2008/nov/20/china-us-military-hacking, accessed April 30, 2011; Congressional Research Service, “Terrorist Capabilities for Cyberattack: Overview and Policy Issues,” January 22, 2007, p. 17, at www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA463774&Location=U2&doc=GetTRDoc.pdf, accessed February 15, 2010.

21. U.S.-China Economic and Security Review Commission, 2010 Report to Congress (November 2010), p. 237. For public references to Byzantine Hades, see, e.g., James Glanz and John Markoff, “Vast Hacking by a China Fearful of the Web,” New York Times, December 4, 2010, at www.nytimes.com/2010/12/05/world/asia/05wikileaks-china.html?scp=1&sq=byzantine%20hades&st=cse, accessed December 4, 2010; “Bush Goes Looking for Cyber Battles,” The Inquirer, at www.theinquirer.net/inquirer/news/1001456/bush-wants-cyber-war, accessed April 4, 2011.

22. U.S.-China Economic and Security Review Commission, 2009 Report to Congress (November 2009), p. 168, at www.uscc.gov/annual_report/2009/annual_report_full_09.pdf, accessed April 18, 2010.

23. Ellen Nakashima, “Soldiers’ Data Still Being Downloaded Overseas, Firm Says,” Washington Post, October 2, 2009, at www.washingtonpost.com/wp-dyn/content/article/2009/10/01/AR2009100104947.html, accessed October 2, 2009.

24. The Canadian government is fighting off similar attacks. Clement Sabourin, “China Hackers Behind Cyber Attack on Canada,” AFP, The Ottawa Citizen, February 17, 2011, at www.ottawacitizen.com/technology/China+hackers+behind+cyber+attack+Canada/4301051/story.html, accessed February 20, 2011.

25. Ibid.

26. Siobhan Gorman, A. Cole, and Y. Dreazen, “Computer Spies Breach Fighter-Jet Project,” Wall Street Journal, April 21, 2009, at http://online.wsj.com/article/SB124027491029837401.html, accessed August 19, 2009; Jaikumar Vijayan, “Update: Strike Fighter Data Was Leaked on P2P Network in 2005, Security Expert Says,” Computerworld Security, May 5, 2009, at www.computerworld.com/s/article/9132571/Update_Strike_Fighter_data_was_leaked_on_P2P_network_in_2005_security_expert_says_, accessed May 28, 2009.

27. 2009 Report to Congress of the U.S.-China Economic and Security Review Commission, November 2009, p. 167, at www.uscc.gov/annual_report/2009/annual_report_full_09.pdf, accessed March 4, 2009.

28. Paul Watson, “Data Leaks Persist from Afghan Base,” Los Angeles Times, April 13, 2006, at http://articles.latimes.com/2006/apr/13/world/fg-disks13, accessed April 19, 2010.

29. “Computer Hard Drive Sold on Ebay ‘Had Details of Top Secret U.S. Missile Defence System,’” The Daily Mail, May 7, 2009, at www.dailymail.co.uk/news/article-1178239/Computer-hard-drive-sold-eBay-details-secret-U-S-missile-defence-system.html, accessed February 8, 2010.

30. www.nytimes.com/2010/04/20/technology/companies/20apple.html.

31. I’m making this up, but according to the U.S. military, this is how it may actually have happened. See, e.g., Julian Barnes, “Cyber-Attack on Defense Department Computers Raises Concerns,” Los Angeles Times, November 28, 2008, at www.latimes.com/news/nationworld/iraq/complete/la-na-cyberattack28-2008nov28,0,230046.story, accessed November 29, 2008.

32. Homeland Security Newswire, “Russian Hackers Attacked U.S. Central Command’s Networks,” December 2, 2008, at http://homelandsecuritynewswire.com/russian-hackers-attacked-us-central-commands-networks, accessed April 4, 2011.

33. “In 2008, the U.S. Department of Defense suffered a significant compromise of its classified military computer networks. It began when an infected flash drive was inserted into a U.S. military laptop at a base in the Middle East. The flash drive’s malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command. That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control. It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.” William J. Lynn III, “Defending a New Domain,” Foreign Affairs, September/October 2010, at www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain, accessed September 30, 2010.

34. Reuters, “U.S. Code-Cracking Agency Works as if Compromised,” December 16, 2010, at www.reuters.com/article/idUSTRE6BF6BZ20101217, accessed December 16, 2010.

35. Noah Shachtman, “Under Worm Assault, Military Bans Disks, USB Drives,” Wired, November 19, 2008, at www.wired.com/dangerroom/2008/11/army-bans-usb-d/comment-page-3/, accessed April 24, 2010.

36. Noah Shachtman, “Hackers, Troops Rejoice: Pentagon Lifts Thumb-Drive Ban (Updated),” Wired, February 8, 2010, at www.wired.com/dangerroom/2010/02/hackers-troops-rejoice-pentagon-lifts-thumb-drive-ban/, accessed April 19, 2010.

37. William Matthews, “Pentagon to Allow Thumb Drives with Strict Rules,” Federal Times, February 19, 2010, at www.federaltimes.com/article/20100219/IT03/2190306/1032/IT, accessed April 19, 2010.

38. Allan Holmes, “Malicious Thumb Drives in Justice,” Nextgov, August 20, 2008, at http://techinsider.nextgov.com/2008/08/malicious_thumb_drives_in_just.php, accessed April 24, 2009.

39. Gregg Keizer, “1-in-4 Worms Spread Through Infected USB Devices,” Computerworld, August 26, 2010, at www.computerworld.com/s/article/9182119/1_in_4_worms_spread_through_infected_USB_devices, accessed September 2, 2010.

40. Air Combat Command, U.S. Air Force, “CONCEPT OF OPERATIONS FOR ENDURANCE UNMANNED AERIAL VEHICLES 3 Dec 1996—Version 2,” Section 1, ¶ 1.6.4, at www.fas.org/irp/doddir/usaf/conops_uav/index.html, accessed April 26, 2010.

41. Mark Phillips, “Military Surveillance Hack Warning,” CBS News, December 17, 2009, at www.cbsnews.com/video/watch/?id=5990213n&tag=api, accessed April 26, 2010.

42. Declan McCullagh, “U.S. Was Warned of Predator Drone Hacking,” CBS News, December 17, 2009, at www.cbsnews.com/8301-504383_162-5988978-504383.html, accessed April 26, 2010.

43. Siobhan Gorman, Y. J. Dreazen, and A. Cole, “Insurgents Hack U.S. Drones,” Wall Street Journal, December 17, 2009, at http://online.wsj.com/article/SB126102247889095011.html, accessed April 26, 2010. For another example of consumer technology with military application, see Jason Lewis, “Phone App That Tracks Planes ‘Is Aid to Terrorists Armed with Missiles,’” The Daily Mail, October 4, 2010, at www.dailymail.co.uk/sciencetech/article-1317184/Phone-app-tracks-planes-aid-terrorists-armed-missiles.html, accessed October 4, 2010.

44. Barnaby J. Feder, “Peter F. Drucker, a Pioneer in Social and Management Theory, Is Dead at 95,” New York Times, November 12, 2005, at www.nytimes.com/2005/11/12/business/12drucker.html?pagewanted=1&_r=1&sq=peter%20drucker%20obituary&st=nyt&scp=1, accessed April 26, 2010.

CHAPTER 5: DANCING IN THE DARK

1. Joseph Weiss, Protecting Industrial Control Systems from Electronic Threats (New York: Momentum Press, 2010), pp. 101, 105–6; author interview with Michael Assante, formerly of Idaho National Laboratories and former vice president and chief security officer, North American Electric Reliability Corporation, December 23, 2010.

2. Steve Kroft, “Cyber War: Sabotaging the System,” 60 Minutes, updated June 10, 2010, at www.cbsnews.com/video/watch/?id=6578069n&tag=related;photovideo, accessed June 1, 2011; video also available on YouTube at www.youtube.com/watch?v=rTkXgqK1|9A, accessed June 1, 2011. The AURORA experiment with the generator had nothing to do with the series of intrusions into Google in late 2009–early 2010 that are known by the same name.

3. E.g., Booz Allen Hamilton, “Convergence of Enterprise Security Organizations,” November 8, 2005, at www.asisonline.org/newsroom/alliance.pdf, accessed March 28, 2011; Joseph Weiss, Protecting Industrial Control Systems from Electronic Threats (New York: Momentum Press, 2010), chapters 3–5.

4. John D. Moteff, “Critical Infrastructure: Background, Policy, and Implementation,” Congressional Research Service, March 13, 2007, p. 1, n. 1, at http://assets.opencrs.com/rpts/RL30153_20081010.pdf, accessed May 9, 2010.

5. Tony Smith, “Hacker Jailed for Revenge Sewage Attacks,” The Register, October 31, 2001, at www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/, accessed May 9, 2010.

6. Weiss, Protecting Industrial Control Systems, p. 8. By “electric grid,” I refer to the entire electricity infrastructure.

7. Ibid., p. 35.

8. Ibid., p. 26, describing Federal Energy Regulatory Commission Orders 888 and 889, April 24, 1996.

9. Ibid.

10. U.S.-Canada Power System Outage Task Force, “August 14th Blackout: Causes and Recommendations,” (“Blackout Report”), April 2004, p. 133, at https://reports.energy.gov/, accessed July 3, 2010.

11. Stuart Baker et al., “In the Crossfire: Critical Infrastructure in the Age of Cyber War,” Center for Strategic and International Studies and McAfee [January 28, 2010], p. 19, at http://img.en25.com/Web/McAfee/NA_CIP_RPT_REG_2840.pdf, accessed January 28, 2010.

12. Ibid. Also “Blackout Report,” p. 133; North American Electric Reliability Corporation and U.S. Department of Energy, “High-Impact, Low-Frequency Event Risk to the North American Bulk Power System” (hereafter “High-Impact, Low-Frequency Report”), June 2010, p. 30, at www.nerc.com/files/HILF.pdf, accessed June 22, 2010.

13. See, e.g., Bentek Systems, www.scadalink.com/support/technotesIP.html, accessed November 18, 2010, which says that Internet- and Web-based SCADA systems offer the advantage of “[i]ntegration of IT to Automation and Monitoring Networks,” notwithstanding “Security concerns”; Automation.com, at www.automation.com/content/arc-predicts-scada-market-in-water-wastewater-to-exceed-275-million, accessed November 18, 2010 (“Emerging technology is enabling SCADA to be tightly integrated to the domain of business processes, creating an improved value proposition for its usage”).

14. Juniper Networks, “Architecture for Secure Scada and Distributed Control System Networks” (2010), p. 1, at www.juniper.net/us/en/local/pdf/whitepapers/2000276-en.pdf, accessed November 18, 2010.

15. E-mail from Joseph Weiss to the author, December 27, 2010, stating, “Industrial control system field devices, whether in electric or any other industry, have minimal cyber security at best. These devices include programmable logic controllers (PLC) such as those targeted by Stuxnet, sensors, drives, chemical analyzers, breakers, etc. Moreover, these devices have minimal cyber forensic capabilities. Consequently, even if they are impacted, it may not be possible to know it was cyber.” See Weiss, Protecting Industrial Control Systems, Table 5.1, p. 34.

16. Eric Byres, David Leversage, and Nate Kube, “Security Incidents and Trends in SCADA and Process Industries,” The Industrial Ethernet Book (Symantec and Byres Security, May 2007), p. 16, at www.mtl-inst.com/images/uploads/datasheets/IEBook_May_07_SCADA_Security_Trends.pdf, accessed December 28, 2010. These authors note, “While commonly denied, both the ARC Study and a number of the incidents in the [Industrial Security Incident Database] show that control systems do get connected directly to the Internet. Reasons for this include a desire to download system patches or antivirus updates from vendor web sites, as well as a misguided desire to conduct typical office activities (such as e-mail) from the plant floor.”

17. Andy Greenberg, “Electric, Oil Companies Take Almost a Year to Fix Hackable Security Flaws,” Forbes, July 28, 2010, at http://blogs.forbes.com/firewall/2010/07/28/electric-oil-companies-take-almost-a-year-to-fix-known-security-flaws/, accessed July 29, 2010.

18. “Blackout Report,” p. 131.

19. Weiss, Protecting Industrial Control Systems, pp. 35–39.

20. Baker et al., “In the Crossfire,” p. 22. See Weiss, Protecting Industrial Control Systems, who says that patching industrial control systems is often “slow or impossible,” p. 34; that much off-the-shelf ICS software has been modified and thus patches are “not applicable,” p. 39.

21. Baker et al., “In the Crossfire,” p. 10.

22. Quotations from Michael Assante are from my interviews of him, June 25, 2010, and December 23 and 27, 2010, unless otherwise stated.

23. Federal Energy Regulatory Commission, “Mandatory Reliability Standards for the Bulk-Power System,” Docket no. RM06-16-000, order no. 693, March 16, 2007, at www.ferc.gov/whats-new/comm-meet/2007/031507/e-13.pdf, accessed November 27, 2010. This order became law when the industry failed to challenge it. In March 2010, after waiting three years for the industry to comply with Order 693, FERC issued a further order directing compliance and setting deadlines. FERC Docket no. RM06-16-009, “Order Setting Deadline for Compliance,” March 18, 2010, reported at 130 FERC ¶ 61,200; FERC Docket no. RM06-16-010, “Order Setting Deadline for Compliance,” March 18, 2010, reported at 130 FERC ¶ 61,218. With regard to FERC’s exercise of its limited power over critical infrastructure standards, see “Mandatory Reliability Standards for Critical Infrastructure Protection,” Docket no. RM06-22-000, Order no. 706, January 18, 2008.

24. FERC is powerless to set standards but wields substantial power to punish power generators for failing to comply with standards approved by NERC. In October 2009, for example, FERC fined Florida Power & Light $25 million for a February 2008 blackout during which millions of consumers in South Florida lost power for hours. FERC, “FERC Approves Settlement on FRCC’s Role in Florida Blackout,” Docket no. IN08-5-000, March 5, 2010, at www.ferc.gov/media/news-releases/2010/2010-1/03-05-10.pdf, accessed November 27, 2010.

25. NERC, “High-Impact, Low-Frequency Report,” at www.nerc.com/files/HILF.pdf, accessed June 22, 2010.

26. Ibid., p. 9.

27. NERC, “Glossary of Terms Used in Reliability Standards,” April 20, 2009, at www.nerc.com/files/Glossary_2009April20.pdf, accessed March 28, 2011.

28. The Federal Power Act, section 215 (a)(4), (8), 16 U.S.C. §8240 (a)(4) and (8), includes “cybersecurity incidents” as an element of electric reliability but does not define “critical.”

29. Letter from Michael Assante, vice president and chief security officer, North American Electric Reliability Corporation, to industry stakeholders, April 7, 2009.

30. John Markoff, “A Code for Chaos,” New York Times, October 2, 2010, at www.nytimes.com/2010/10/03/weekinreview/03markoff.html?scp=7&sq=stuxnet&st=nyt, accessed October 2, 2010.

31. VirusBlokAda, “Rootkit.TmpHider,” June 17, 2010, at www.anti-virus.by/en/tempo.shtml, accessed December 20, 2010.

32. For the Stuxnet timeline, see Symantec, “W32.Stuxnet Dossier,” version 1.3, November 2010, p. 4, at www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf, accessed November 30, 2010.

33. Kevin J. O’Brien, “Siemens Alerts Customers to Virus in Its Automation Software,” New York Times, July 22, 2010, at www.nytimes.com/2010/07/23/technology/23iht-siemens.html?scp=2&sq=stuxnet&st=nyt, accessed July 23, 2010.

34. Symantec, “W32.Stuxnet Dossier,” p. 2.

35. David E. Sanger, “Iran Fights Malware Attacking Computers,” New York Times, September 25, 2010, at www.nytimes.com/2010/09/26/world/middleeast/26iran.html?scp=13&sq=stuxnet&st=nyt, accessed September 25, 2010.

36. Symantec, “W32.Stuxnet Dossier,” p. 6.

37. George Kiezer, “Iran Admits Stuxnet Worm Infected PCs at Nuclear Reactor,” Computerworld, September 27, 2010, at www.computerworld.com/s/article/9188147/Iran_admits_Stuxnet_worm_infected_PCs_at_nuclear_reactor, accessed September 27, 2010.

38. William Yong, “Iran Says It Arrested Computer Worm Suspects,” New York Times, October 2, 2010, at www.nytimes.com/2010/10/03/world/middleeast/03iran.html?scp=14&sq=stuxnet&st=nyt, accessed December 20, 2010.

39. William J. Broad and David E. Sanger, “Worm Was Perfect for Sabotaging Centrifuges,” New York Times, November 18, 2010, at www.nytimes.com/2010/11/19/world/middleeast/19stuxnet.html?scp=2&sq=stuxnet&st=nyt, accessed November 18, 2010; John Markoff, “Worm Can Deal Double Blow to Nuclear Program,” New York Times, November 19, 2010, at www.nytimes.com/2010/11/20/world/middleeast/20stuxnet.html?scp=3&sq=stuxnet&st=nyt, accessed November 19, 2010.

40. William J. Broad, “Report Suggests Problems With Iran’s Nuclear Effort,” New York Times, November 23, 2010, at www.nytimes.com/2010/11/24/world/middleeast/24nuke.html?scp=4&sq=stuxnet&st=nyt, accessed November 23, 2010.

41. Symantec, “W32.Stuxnet Dossier,” description of “Attack Scenario,” p. 3.

42. John Markoff and David E. Sanger, “In a Computer Worm, a Possible Biblical Clue,” New York Times, September 29, 2010, at www.nytimes.com/2010/09/30/world/middleeast/30worm.html?scp=6&sq=stuxnet&st=nyt, accessed September 29, 2010.

43. Ibid. Ralph Langner, a German security consultant, originally asserted that Stuxnet had been “‘weaponized’ and designed to attack the Iranian centrifuge array,” and has argued that the malware could have been imported by a Russian engineer, as I speculate.

44. See William J. Broad, John Markoff, and David E. Sanger, “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” New York Times, January 15, 2011, at www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html, accessed January 18, 2011. For a technical report on Stuxnet, see Symantec, “W32.Stuxnet Dossier,” February 2011, at www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf, accessed March 1, 2011.

45. Brian Krebs, “‘Stuxnet’ Worm Far More Sophisticated than Previously Thought,” Krebs on Security, September 14, 2010, at http://krebsonsecurity.com/2010/09/stuxnet-worm-far-more-sophisticated-than-previously-thought/, accessed September 15, 2010.

46. “Remarks by the President on Securing Our Nation’s Cyber Infrastructure,” May 29, 2009, at www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure/, accessed July 3, 2010.

47. Siobhan Gorman, “Electricity Grid in U.S. Penetrated By Spies,” Wall Street Journal, April 8, 2009, at http://online.wsj.com/article/SB123914805204099085.html, accessed July 3, 2010.

48. Steve Kroft, “Cyber War: Sabotaging the System,” 60 Minutes, November 8, 2009, at www.cbsnews.com/stories/2009/11/06/60minutes/main5555565.shtml, accessed July 3, 2010. One of the Brazilian systems involved denied being attacked and attributed the blackout to dirty equipment. Marcelo Suares, “Brazilian Blackout Traced to Sooty Insulators,” Wired, November 9, 2009, at www.wired.com/threatlevel/2009/11/brazil_blackout/, accessed May 4, 2010. In an example of selective skepticism, some observers took the denial at face value. See, e.g., Ryan Singel, “Richard Clarke’s Cyberwar: File Under Fiction,” Wired, April 22, 2010, at www.wired.com/threatlevel/2010/04/cyberwar-richard-clarke/, accessed May 4, 2010.

49. Gorman, “Electricity Grid in U.S.,” April 8, 2009. For a Chinese academic discussion of the feasibility of attacking the U.S. power grid, see Jian-Wei Wang and Li-Li Rong, “Cascade-based Attack Vulnerability on the US Power Grid,” v. 47, Safety Science, (2009): 1332, at www.millennium-ark.net/NEWS/10_Sci_Tech/100323.CH.US.Power.Grid.pdf, accessed November 19, 2010.

50. John P. Avlon, “The Growing Cyber-Threat,” Forbes, October 20, 2009, at www.forbes.com/2009/10/20/digital-warfare-cyber-security-opinions-contributors-john-p-avlon.html, accessed October 20, 2009.

51. “These and other foreign and domestic terrorist groups continue to pursue plans to attack the U.S. directly, likely focusing on prominent government, economic, and infrastructure targets.” “High-Impact, Low-Frequency Report,” p. 29, citing director of National Intelligence, “Annual Threat Assessment,” February 2009.

52. “Blackout Report,” p. 132.

53. “High-Impact, Low-Frequency Report,” pp. 27–28.

54. Weiss, Protecting Industrial Control Systems, p. 107.

55. Ibid., p. 106.

56. Joseph Weiss, “Control Systems Cyber Security—The Current Status of Cyber Security of Critical Infrastructures.” Testimony before the U.S. Senate Committee on Commerce, Science, and Transportation, 111th Cong., 1st sess., March 19, 2009, p. 7, at www.controlglobal.com/articles/2009/CyberSecurity0903.html, accessed July 8, 2010.

57. Tim Greene, “Experts Hack Power Grid in No Time,” Network World, April 9, 2008, at www.networkworld.com/news/2008/040908-rsa-hack-power-grid.html, accessed April 30, 2009.

58. NERC, “High-Impact, Low-Frequency Report,” p. 30.

59. Ibid., p. 26.

60. Richard A. Clarke and Robert K. Knake, Cyber War: The Next Threat to National Security and What to Do About It (New York: HarperCollins, 2010), pp. 56–57.

61. Weiss, Protecting Industrial Control Systems, p. 88, discussing NERC’s Critical Infrastructure Protection standard 002 (NERC CIP-002).

62. “The Clinton Administration’s Policy on Critical Infrastructure Protection,” Presidential Decision Directive 63, May 22, 1998, at www.fas.org/irp/offdocs/pdd/pdd-63.htm, accessed July 8, 2010.

63. “The National Infrastructure Protection Plan,” approved June 30, 2006, at www.dhs.gov/xprevprot/programs/editorial_0827.shtm, accessed July 8, 2010. For a detailed discussion of public policy on critical infrastructure, see J. D. Moteff, “Critical Infrastructures: Background, Policy, and Implementation,” Congressional Research Service, March 13, 2007, at http://opencrs.com/document/RL30153/, accessed July 8, 2010.

64. U.S. Department of Energy, “DOE Issues National Energy Sector Cyber Organization Notice of Intent,” February 11, 2010, at www.oe.energy.gov/DOE_Issues_Energy_Sector_Cyber_Organization_NOI.pdf, accessed July 8, 2010; see “Control System Security,” at www.oe.energy.gov/controlsecurity.htm, accessed July 8, 2010.

65. “High-Impact, Low-Frequency Report,” p. 36.

66. Ibid., pp. 26, 30, where NERC asserts that the system can handle “low and intermediate” threats and ordinary “balancing and regulating.”

67. “High-Impact, Low-Frequency Report,” p. 10.

68. Ibid., pp. 30, 37. According to information supplied by the U.S. Cyber Consequences Unit (which is funded chiefly with federal money), courtesy of its director and chief economist, Scott Borg, most electric generators come from China (where several Western companies have moved production), India, France, Germany, Japan, and Mexico. The only manufacturer of generators with a U.S. plant is GE, which makes a small part of its output in Schenectady, New York, and Greenville, South Carolina. GE also manufactures generators in Germany and Mexico.

69. E-mail, Scott Borg to the author, December 27, 2010.

70. Baker, “In the Crossfire,” pp. 1, 4.

71. Ibid., p. 7. Another source, which is also dependent on publicly disclosed events, states that most incidents involve “power and utilities,” followed by petroleum and transportation. Zach Tudor and Mark Fabro, “What Went Wrong? A Study of Actual Industrial Cyber Security Incidents,” SRI International, slide 11, at www.us-cert.gov/control_systems/icsjwg/presentations/spring2010/02%20-%20Zach%20Tudor.pdf, accessed April 4, 2011.

72. David Hancock, “Worm-like Infection at CSX Corp. Also Caused Delays for Amtrak,” CBS News, August 21, 2003, at www.cbsnews.com/stories/2003/08/21/tech/main569418.shtml, accessed November 18, 2010.

73. The report by the inspector general of the Department of Transportation was reported on the Web site of Representative John L. Mica, then the ranking Republican on the U.S. House of Representatives Transportation and Infrastructure Committee, May 6, 2009, at http://republicans.transportation.house.gov/News/PRArticle.aspx?NewsID=596, accessed November 18, 2010.

74. Stewart Baker, Natalia Filipiak, and Katrina Timlin, “In the Dark,” Center for Strategic and International Studies and McAfee, April 18, 2011, at http://mcafee.com/US/resources/reports/rp-critical-infrastructure-protection.pdf, accessed May 17, 2011; Baker, “In the Crossfire,” p. 7.

75. Ibid., p. 9.

76. Jeanne Meserve, “Sources: Staged Cyber Attack Reveals Vulnerability in Power Grid,” CNN, September 26, 2007, at www.cnn.com/2007/US/09/26/power.at.risk/index.html, accessed July 7, 2007.

77. Gregg Keizer, “Jury Convicts Programmer of Planting Fannie Mae Server Bomb,” Computerworld, October 7, 2010, at www.computerworld.com/s/article/9189939/Jury_convicts_programmer_of_planting_Fannie_Mae_server_bomb, accessed December 16, 2010.

78. U.S. Secret Service and CERT Coordination Center, “Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” May 2005, p. 3, at www.secretservice.gov/ntac/its_report_050516.pdf, accessed February 15, 2010. The man who did it was found guilty of one count of denying computer services.

79. Robert McMillan, “Update: Terry Childs Found Guilty,” Infoworld, April 27, 2010, accessed April 29, 2010.

80. Jaikumar Vijayan, “IT Contractor Indicted for Sabotaging Offshore Rig Management System,” Computerworld, March 18, 2009, at www.computerworld.com/s/article/9129933/IT_contractor_indicted_for_sabotaging_offshore_rig_management_system_, accessed March 20, 2009.

81. “Total Gridlock,” Jane’s Intelligence Review, p. 26.

82. Baker, “In the Crossfire,” p. 22.

CHAPTER 6: BETWEEN WAR AND PEACE

1. John P. Sullivan, “Gangs, Hooligans, and Anarchists—The Vanguard of Netwar in the Streets,” in John Arquilla and David Ronfeldt, eds., Networks and Netwars: The Future of Terror, Crime, and Militancy (Arlington, VA: RAND, 2001), quoting Martin van Creveld, The Transformation of War (New York: Free Press, 1991).

2. Richard M. Nixon, The Real Peace (New York: Little, Brown & Co., 1984), p. 104.

3. Timothy L. Thomas, Dragon Bytes: Chinese Information-War Theory and Practice (Ft. Leavenworth, KS: Foreign Military Studies Office, 2004), pp. 44, 45.

4. Mao Tse-tung, “On Protracted War,” Selected Works, v. II (Peking: Foreign Languages Press, May 1938), pp. 156, 186, available at www.marxists.org/reference/archive/mao/selected-works/volume-2/index.htm, accessed April 4, 2011.

5. Qiao Liang and Wang Xiangsui, Unrestricted Warfare (Beijing: PLA Literature and Arts Publishing House, 1999), p. 61.

6. Ibid., p. 4.

7. Ibid., pp. 11–12.

8. Brian Krekel, “Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation,” prepared for the U.S.-China Economic and Security Review Commission, October 9, 2009, p. 12.

9. Qiao and Wang, Unrestricted Warfare, p. 64.

10. David Briscoe, “Kosovo-Propaganda War,” AP, May 17, 1999.

11. Dorothy E. Denning, “Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy,” in Arquilla and Ronfeldt, eds., Networks and Netwars, pp. 239–40.

12. Ibid., pp. 268–69, citing Rebecca Allison, “Belgrade Hackers Bombard MoD Web site in ‘First’ Internet War,” PA News, March 3, 1999; Dorothy E. Denning, “A View of Cyberterrorism Five Years Later,” chapter 7 in Internet Security: Hacking, Counterhacking, and Society, K. Himma ed. (Sudbury, MA: Jones and Bartlett Publishers, 2007), at www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA484928, p. 7, accessed April 4, 2011.

13. See, e.g., “NATO Bombs Serbian Decoys,” at www.youtube.com/watch?v=1lHyKv4IC3c&has_verified=1, accessed December 22, 2010.

14. The Chinese government was not an entirely disinterested party during the Kosovo conflict. On May 7, 1999, U.S. aircraft bombed the Chinese embassy in Belgrade, killing three PRC nationals and creating an international incident. In China there were mass anti-American demonstrations, followed by back-and-forth electronic attacks between American and Chinese hackers. The U.S. apologized and claimed the bombing was a mistake caused by an out-of-date map, though doubt has been cast on that explanation. The controversy is summarized in Wikipedia, “US bombing of the People’s Republic of China embassy in Belgrade,” at http://en.wikipedia.org/wiki/US_bombing_of_the_People’s_Republic_of_China_embassy_in_Belgrade, accessed July 20, 2010.

15. Timothy M. Thomas, Cyber Silhouettes: Shadows over Information Operations (Ft. Leavenworth, KS: Foreign Military Studies Office, 2005), pp. 133, 135.

16. Ibid., p. 145, quoting Elaine Grossman, “US Commander in Kosovo Sees Low-Tech Threats to High-Tech Warfare,” Inside the Pentagon, September 9, 1999, p. 1.

17. See, e.g., Krekel, “Capability of the PRC to Conduct Cyber Warfare,” p. 11.

18. The quotation is the title of chapter 2 of Qiao and Wang, Unrestricted Warfare.

19. See Qiao and Wang, Unrestricted Warfare, FBIS Editor’s Note, p. 2.

20. Ibid., p. 7.

21. As of this writing the cover can be seen on the Web site of Powell’s Books, at www.powells.com/biblio/0971680728?&PID=33157, accessed July 21, 2010. The original English translation, from which I have been quoting, was made by the Foreign Broadcast Information Service, the CIA’s former open-source organization, and is available through Cryptome, at www.cryptome.org/cuw.htm, accessed July 17, 2010. A summary is available through the Federation of American Scientists, at www.fas.org/nuke/guide/china/doctrine/unresw1.htm, accessed July 19, 2010.

22. Qiao and Wang, Unrestricted Warfare, p. 23.

23. Ibid., pp. 6, 136.

24. Ibid., p. 143.

25. Ibid., pp. 168–69. In this view, every action falls into three types: “a pure war action, a nonwar military action, or a nonmilitary war action.”

26. Ibid., p. 2.

27. Ibid., p. 8.

28. Martin Libicki, Cyber Deterrence and Cyber War (Santa Monica, CA: RAND, 2009), p. 1.

29. Ibid., p. 2.

30. As Adda Bozeman, a great scholar of statecraft, put it, “‘peace’ and ‘war’ are conceived as opposites in the West, and in law as well as in religion—quite in counterpoint to non-Western mind-sets in which these concepts interpenetrate.” Adda B. Bozeman, Strategic Intelligence and Statecraft (Washington, DC: Brassey’s, Inc., 1992), p. 12. When war is declared, important international and national legal results follow under American law. In wartime, for example, the president of the United States has vastly increased power over private resources, and insurance policies do not cover damage from acts of war. Since the Korean War, the United States has waged war several times without a formal war declaration (or its equivalent, a congressional authorization to use military force), but the legal consequences of a declaration are significant. Three of the six justices who rejected President Truman’s asserted authority to seize private steel mills in 1950 referred to the lack of a formal state of war. In Korea there was, however, a UN resolution authorizing combat, and it remains in effect. In Vietnam, President Johnson ramped up combat only after obtaining a joint resolution of Congress authorizing the use of conventional military force in Southeast Asia; Pub. Law 88-408, August 7, 1964 (the “Tonkin Bay Resolution”).

31. W. Hays Parks, “National Security Law in Practice: The Department of Defense Law of War Manual,” address to the American Bar Association Standing Committee on Law and National Security, November 18, 2010, available through www.abanet.org/natsecurity/.

32. See, e.g., Dan Kuehl, “From Cyberspace to Cyberpower: Defining the Problem,” paper for the Information Resources Management College/National Defense University [n.d.], p. 14, remarking that “the events in Estonia . . . contributed to the creation of several organizations to support this protection. These included NATO’s Computer Incident Response Capability (NCIRC), the Cyber Defence Management Authority (CDMA), and the NATO Cooperative Cyber Defence Centre of Excellence, to be located in Tallinn, the Estonian capital.”

33. See generally Scott J. Henderson, The Dark Visitor: Inside the World of Chinese Hackers (Fort Leavenworth, KS: Foreign Military Studies Office, 2007), especially p. xiii.

34. Alvin and Heidi Toffler, War and Anti-War: Survival at the Dawn of the 21st Century (Boston: Little, Brown and Co., 1993), quoted in Qiao and Wang, Unrestricted Warfare, p. 59, n. 6.

35. Qiao and Wang, Unrestricted Warfare, p. 41.

36. Ibid., p. 43.

37. Ibid., p. 114, quoting a version of Sun Tzu.

38. U.S.-China Economic and Security Review Commission, “2009 Report to Congress,” November 2009, p. 5, at www.uscc.gov/annual_report/2009/annual_report_full_09.pdf, accessed March 4, 2009.

39. Thomas, Dragon Bytes, p. 45, citing Dennis J. Blasko, “Chinese Strategic Thinking: People’s War in the 21st Century,” China Brief, March 18, 2010, at www.jamestown.org/programs/chinabrief/single/?tx_ttnews%5Btt_news%5D=36166&tx_ttnews%5BbackPid%5D=25&cHash=0fc6f0833f, accessed July 26, 2010.

40. Henderson, Dark Visitor, pp. 127–28, quoting Peng Guangqian and Yao Youzhi, The Science of Military Strategy (Beijing: Military Publishing House, Academy of Military Science of the Chinese People’s Liberation Army, 2005), p. 455.

41. Henderson, Dark Visitor, pp. xiii, 5.

42. Whether the bombing was a mistake, as the United States contends, or whether it was done deliberately because the Chinese embassy was transmitting Yugoslav army communications, is a matter of dispute. See Steven Lee Myers, “Chinese Embassy Bombing: A Wide Net of Blame,” New York Times, April 17, 2000, at http://query.nytimes.com/gst/fullpage.html?res=9801EED91431F934A25757C0A9669C8B63&pagewanted=1, accessed November 18, 2010; John Sweeney et al., “Nato Bombed Chinese Deliberately,” The Guardian, October 17, 1999, at www.guardian.co.uk/world/1999/oct/17/balkans, accessed November 18, 2010.

43. Henderson, Dark Visitor, p. 14.

44. Ibid., pp. 21, 22, 34.

45. Ibid., p. xii, citing Vivien Cui, “‘Godfather’ of Hackers Fights for Web Security,” Hong Kong Sunday Morning Post, May 29, 2005, as translated by FBIS, ref. CPP20050530000043.

46. Motivations for hacking may be changing as China prospers, as this story suggests: “One Beijing hacker says two Chinese officials approached him a couple of years ago requesting ‘help in obtaining classified information’ from foreign governments. He says he refused the ‘assignment,’ but admits he perused a top U.S. general’s personal documents once while scanning for weaknesses in Pentagon information systems ‘for fun.’ The hacker, who requested anonymity to avoid detection, acknowledges that Chinese companies now hire people like him to conduct industrial espionage. ‘It used to be that hackers wouldn’t do that because we all had a sense of social responsibility,’ says the well-groomed thirtysomething, ‘but now people do anything for money.’” Melinda Liu, “High-Tech Hunger,” Newsweek International, January 16, 2006, at www.msnbc.msn.com/id/10756796/site/newsweek, accessed July 22, 2010.

47. U.S.-China, “2009 Economic Report,” p. 175.

48. U.S.-China, “2009 Economic Report,” p. 173, citations omitted, at www.uscc.gov/annual_report/2009/annual_report_full_09.pdf, accessed March 4, 2009.

49. Krekel, “Capability of the PRC,” pp. 33 and 35, citing China’s National Defense in 2004 (Beijing: Information Office of China’s State Council, 2004), at http://english.peopledaily.com.cn/whitepaper/defense2004/defense2004.html; and China’s National Defense in 2006 (Beijing: Information Office of China’s State Council, 2006), at http://english.peopledaily.com.cn/whitepaper/defense2006/defense2006.html.

50. U.S.-China, “2009 Economic Report,” p. 174.

51. This account is based on Ellen Nakashima, “Diverse Group of Chinese Hackers Wrote Code in Attacks on Google, U.S. Companies,” Washington Post, February 20, 2010, at www.washingtonpost.com/wp-dyn/content/article/2010/02/19/AR2010021902643.html, accessed February 23, 2010; and Joseph Menn, “US Experts Close in on Google Hackers,” The Financial Times, February 21, 2010, at www.cnn.com/2010/BUSINESS/02/21/google.hackers/index.html, accessed July 27, 2010.

52. Thomas, Dragon Bytes, pp. 52, 81.

53. In examining Chinese doctrine, one must rely on the many publications in official journals, because the PRC does not publish a strategy for computer network operations, whereas the United States does. See, e.g., U.S. Department of Defense, “Information Operations,” Joint Publication 3–13 (Washington, DC: February 2006), at www.c4i.org/jp3_13.pdf, accessed July 28, 2010.

54. U.S. Department of Defense, Office of Force Transformation, “The Implementation of Network-Centric Warfare,” January 5, 2005, p. 3, at www.au.af.mil/au/awc/awcgate/transformation/oft_implementation_ncw.pdf, accessed November 18, 2010; U.S. Department of Defense, Office of the Secretary of Defense, “Military and Security Developments Involving the People’s Republic of China 2010 Annual Report to Congress,” pursuant to the National Defense Authorization Act for fiscal year 2010, p. 3, www.defense.gov/pubs/pdfs/2010_CMPR_Final.pdf, accessed November 18, 2010.

55. Thomas, Silhouettes, p. 63, quoting U.S. Army Field Manual 3.0.

56. Ibid., p. 24, quoting U.S. Air Force Joint Doctrinal Pub. 2-5, January 2005.

57. Timothy L. Thomas, “Human Network Attacks,” Military Review, September–October 1999, at www.au.af.mil/au/awc/awcgate/fmso/humannet.htm, accessed July 28, 2010.

58. Krekel, “Capability of the PRC,” p. 10.

59. Thomas, Dragon Bytes, pp. 32–33, citing Shen Weiguang, “Checking Information Warfare-Epoch Mission of Intellectual Military,” Liberation Army Daily, February 2, 1999, p. 6, as translated and downloaded from FBIS.

60. Thomas, Dragon Bytes, pp. 15, 39.

61. Ibid., pp. 36–37; see Krekel, “Capability of the PRC,” pp. 26–28.

62. Thomas, Dragon Bytes, p. 14, quoting Yuan Banggen, “On IW Battlefields,” Zhongguo Junshi Kexue, February 20, 1999, pp. 46–51, as translated and downloaded from the FBIS Web site.

63. Krekel, “Capability of the PRC,” p. 15.

64. Qiao and Wang, Unrestricted Warfare, pp. 145–46.

CHAPTER 7: JUNE 2017

1. John Pomfret, “U.S. Takes a Tougher Tone with China,” Washington Post, July 30, 2010, at www.washingtonpost.com/wp-dyn/content/article/2010/07/29/AR2010072906416.html, accessed July 30, 2010.

2. United Nations Office of Legal Affairs, Division for Ocean Affairs and the Law of the Sea, “Oceans and Law of the Sea,” updated November 15, 2010, at www.un.org/Depts/los/reference_files/chronological_lists_of_ratifications.htm#The%20United%20Nations%20Convention%20on%20the%20Law%20of%20the%20Sea, accessed April 5, 2011.

3. United Nations Convention on the Law of the Sea of 10 December 1982, Article 301, at www.un.org/Depts/los/convention_agreements/texts/unclos/closindx.htm, accessed April 6, 2011.

4. The phrase “lawfare,” meaning the use of law as a weapon in pursuit of political or military objectives, was coined by Col. Charles J. Dunlap, Jr., USAF, in “Law and Military Interventions: Preserving Humanitarian Values in 21st Century Conflicts,” prepared for the Humanitarian Challenges in Military Intervention Conference, Carr Center for Human Rights Policy, Kennedy School of Government, Harvard University, Washington, D.C., November 29, 2001, at www.duke.edu/~pfeaver/dunlap.pdf, accessed February 27, 2011.

5. Mike McConnell, “Mike McConnell on How to Win the Cyber-War We’re Losing,” Washington Post, February 28, 2010, at www.washingtonpost.com/wp-dyn/content/article/2010/02/25/AR2010022502493.html, accessed February 28, 2010.

6. Ryan Singel, “Cyberwar Hype Intended to Destroy the Open Internet,” Wired, March 1, 2010, at www.wired.com/threatlevel/2010/03/cyber-war-hype/, accessed July 14, 2010.

7. This account is based on Gus W. Weiss, “The Farewell Dossier: Duping the Soviets,” Central Intelligence Agency, updated June 27, 2008, at https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/96unclass/farewell.htm, accessed August 4, 2010; and William Safire, “The Farewell Dossier,” New York Times, February 2, 2004, at www.nytimes.com/2004/02/02/opinion/02SAFI.html, accessed August 4, 2010.

8. Weiss, “The Farewell Dossier.”

9. Safire, “Farewell Dossier.”

10. Sally Adee, “The Hunt for the Kill Switch,” IEEE Spectrum, Web site of the American Institute of Electrical Engineers, May 2008, at http://spectrum.ieee.org/semiconductors/design/the-hunt-for-the-kill-switch/1, accessed August 4, 2010. This is also an excellent account of the complexity of the challenge of policing the supply chain for computer chips.

11. Jack Goldsmith, “The New Vulnerability,” The New Republic, June 7, 2010, at www.tnr.com/article/books-and-arts/75262/the-new-vulnerability, accessed July 15, 2010.

12. Richard A. Clarke and Robert K. Knake, Cyber War: The Next Threat to National Security and What to Do About It (New York: HarperCollins, 2010), pp. 9–11.

13. Adee, “The Hunt,” May 2008; Clarke and Knake, Cyber War, pp. 1–8, have an interesting discussion of how the Israelis may have pulled off this feat.

14. Timothy L. Thomas, Dragon Bytes: Chinese Information-War Theory and Practice (Ft. Leavenworth, KS: Foreign Military Studies Office, 2004), p. 45, quoting a lecture to the Chinese National Defense University, “New Situation, New Challenges.”

15. Dorothy E. Denning, “Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy,” in John Arquilla and David Ronfeldt, eds., Networks and Netwars: The Future of Terror, Crime, and Militancy (Arlington, VA: RAND, 2001), p. 267. See also Denning’s “Hacktivism: An Emerging Threat to Diplomacy,” American Foreign Service Association, at www.afsa.org/fsj/sept00/Denning.cfm, accessed August 2, 2010.

16. Stefan Wray, “The Electronic Disturbance Theater and Electronic Civil Disobedience,” Web site under the rubric “Electronic Civil Disobedience,” dated June 17, 1998, at www.thing.net/~rdom/ecd/EDTECD.html, accessed August 2, 2010.

17. Denning, “Activism, Hacktivism,” in Arquilla and Ronfeldt, p. 264.

18. Qiao Liang and Wang Xiangsui, Unrestricted Warfare (Beijing: PLA Literature and Arts Publishing House, 1999), p. 47.

19. John Robb, Brave New War: The Next Stage of Terrorism and the End of Globalization (New York: Wiley, 2007), pp. 150–51, citing David Kaplan, “Paying for Terror,” U.S. News & World Report, December 5, 2005. A version of Kaplan’s article posted November 27, 2005, is available at www.usnews.com/usnews/news/articles/051205/5terror_2.htm, accessed April 5, 2011.

20. Phil Williams, “Transnational Criminal Networks,” in Arquilla and Ronfeldt, pp. 64–65.

21. National Intelligence Council, Global Trends 2015, December 2000, p. 41, at www.dni.gov/nic/PDF_GIF_global/globaltrend2015.pdf, accessed August 2, 2010. The NIC produces the U.S. intelligence community’s highest level analyses.

22. Global Trends 2025: A Transformed World, November 2008, p. 68, at www.dni.gov/nic/PDF_2025/2025_Global_Trends_Final_Report.pdf, accessed August 2, 2010.

23. The president did not authorize an attack on the Iraqi financial system, however, because of concern that it could not be contained and would spread throughout the world financial system. John Markoff and Thom Shanker, “Halted ’03 Iraq Plan Illustrates U.S. Fear of Cyberwar Risk,” New York Times, August 1, 2009, at www.nytimes.com/2009/08/02/us/politics/02cyber.html?_r=3&partner=rss&emc=rss, accessed November 18, 2010. Cyberweaponry is computer code. It is a form of information, and as we have seen in other contexts, information leaks.

CHAPTER 8

1. Quoted in Suzanne Spaulding, “No More Secrets: Then What?” HuffingtonPost.com, June 24, 2010, at www.huffingtonpost.com/suzanne-e-spaulding/no-more-secrets-then-what_b_623997.html, accessed June 25, 2010.

2. The primary source for this account of the murder of Mahmoud al-Mabhouh is the Dubai police, who released selected video footage of many of the events described here. I have constructed this account based on those videos and on the following secondary sources: Dana Harman, “Dubai Assassination Spotlights Top Cop Skills in a Modern-Day Casablanca,” Christian Science Monitor, March 19, 2010, at www.csmonitor.com/World/Middle-East/2010/0319/Dubai-assassination-spotlights-top-cop-skills-in-a-modern-day-Casablanca, accessed September 12, 2010; Duncan Gardham, “Dubai Hamas Assassination: How It Was Planned,” The Telegraph, February 17, 2010, at www.telegraph.co.uk/news/worldnews/middleeast/dubai/7251960/Dubai-Hamas-assassination-how-it-was-planned.html, accessed September 12, 2010; Nick McDermott and Kate Loveys, “‘Dubai Hit Squad Stole My Identity’: British Man’s Name Used by Assassins Who Executed Senior Hamas Leader,” The Daily Mail, February 16, 2010, at www.dailymail.co.uk/news/worldnews/article-1251260/Mahmoud-Al-Mabhouh-Dubai-assassination-Briton-named-hit-squad-speaks-out.html, accessed September 12, 2010; Robert F. Worth and Isabel Kershner, “Hamas Official Murdered in Dubai Hotel,” New York Times, January 29, 2010, at www.nytimes.com/2010/01/30/world/middleeast/30dubai.html, accessed September 22, 2010; for video footage, see, e.g., www.youtube.com/watch?v=l9xMkX98VVE, accessed September 11, 2010.

3. This account relies chiefly on: Harman, “Dubai Assassination,” March 19, 2010; Gardham, “Dubai Hamas Assassination,” February 17, 2010; McDermott and Loveys, “‘Dubai Hit Squad’”; Worth and Kershner, “Hamas Official,” January 29, 2010; for video footage, see www.youtube.com/watch?v=l9xMkX98VVE.

4. Harman, “Dubai Assassination,” March 19, 2010.

5. Paul Lewis, Julian Borger, and Rory McCarthy, “Dubai Murder: Fake Identities, Disguised Faces and a Clinical Assassination,” The Guardian, February 16, 2010, at www.guardian.co.uk/world/2010/feb/16/dubai-murder-fake-identities-hamas, accessed September 12, 2010.

6. “Al Mabhouh Was Sedated Before He Was Killed,” Dubai Police News, February 28, 2010, at www.dubaipolice.gov.ae/dp/english/news/news_show.jsp?Id=857382312&ArticalType=1, accessed September 12, 2010.

7. Harman, “Dubai Assassination,” March 19, 2010.

8. Harman, “Dubai Assassination,” March 19, 2010, citing an undated report in the London-based Arabic daily Al-Hayat.

9. A leaked State Department cable quoted Yuval Diskin, the head of Israel’s internal security service, Shin Bet, saying that Fatah shares with Israel “almost all the intelligence it collects.” Reuters, “Israel: Cable Cites Cooperation Against Hamas,” New York Times, December 21, 2010, at www.nytimes.com/2010/12/21/world/middleeast/21briefs-Israel.html?_r=1&scp=1&sq=Israel:%20Cable%20Cites%20Cooperation&st=cse, accessed December 21, 2010.

10. Al Bawaba News, “Dubai Police Chief Insists Al-Mabhouh Was Betrayed from Within Hamas,” March 4, 2010, at www1.albawaba.com/en/news/dubai-police-chief-insists-Al-Mabhouh-was-betrayed-within-hamas, accessed September 12, 2010.

11. In the plus ça change department, however, the level of hypocrisy in statecraft remains unchanged. Thus, Britain expelled an Israeli diplomat over the use of forged UK passports in the operation. Ben Quinn, “Israel Diplomat Expelled by Britain over Dubai Assassination Passport Forgery,” Christian Science Monitor, March 23, 2010, at www.csmonitor.com/world/Europe/2010/0323/Israel-diplomat-expelled-by-Britain-over-Dubai-assassination-passport-forgery, accessed April 30, 2011.

12. I owe this phrase to blogger Kevin Lovelace, “The Grim Facebook Future,” posted May 11, 2010, on the Web site Grinding, at http://grinding.be/category/post-privacy/, accessed April 5, 2011.

13. Central Intelligence Agency, “Part II: Selected Venona Messages,” at https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/venona-soviet-espionage-and-the-american-response-1939-1957/part2.htm, accessed September 25, 2010. Decrypted and now declassified, Venona traffic exposed this program. National Security Agency, “Venona Documents,” at www.nsa.gov/public_info/declass/venona/apr_1942.shtml, accessed September 25, 2010. The Soviet, and Russian, practice of using illegals has not ceased, however. Walter Pincus, “Fine Print: Despite Arrests, Russian ‘Illegals’ Won’t Go Away,” Washington Post, July 13, 2010, at www.washingtonpost.com/wp-dyn/content/article/2010/07/12/AR2010071205341.html, accessed September 25, 2010.

14. See Jeffrey Brown, “Justice Department: Russian Intelligence Officers Served as Illegal Agents,” PBS NewsHour, June 28, 2010, at www.pbs.org/newshour/bb/law/jan-june10/spies_06-28.html, accessed September 19, 2010.

15. Christopher Andrew, For the President’s Eyes Only: Secret Intelligence and the American Presidency from Washington to Bush (New York: HarperCollins, 1995), p. 38.

16. “Slim Chance of Finding an Arabic Speaker at the U.S. Embassy in Baghdad,” ABC News, June 20, 2007, at http://blogs.abcnews.com/theblotter/2007/06/slim_chance_of_.html, accessed September 20, 2010.

17. See Kelly Jackson Higgins, “‘Robin Sage’ Profile Duped Military Intelligence, IT Security Pros,” Dark Reading, July 6, 2010, at www.darkreading.com/insider-threat/167801100/security/privacy/225702468/index.html, accessed July 14, 2010.

18. Zeljka Zorz, “Russian Hacker Offers 1.5m Facebook Credentials for Sale,” Help Net Security, April 23, 2010, at www.net-security.org/secworld.php?id=9186, accessed April 23, 2010.

19. See, e.g., “Real Time Satellite Tracking,” N2YO.com, at www.n2yo.com/?s=31140, accessed September 20, 2010.

20. See, e.g., the Web site Airliners.Net, at www.airliners.net/search/photo.search?cnsearch=33010/1037&distinct_entry=true, accessed September 16, 2010.

21. See, e.g., “Aircraft Registration Database Lookup,” Airframes.org, at www.airframes.org/reg/n126ch, accessed September 16, 2010. The database includes past as well as current registration information.

22. Paul T. Colgan, “No Landing Permission Needed for US Military Jet,” Sunday Business Post (Dublin), October 17, 2004, at http://archives.tcm.ie/businesspost/2004/10/17/story265175049.asp, accessed September 16, 2010.

23. Intellectual Capital Group, “Gulfstream N379P becomes N8068V: The Price of Carelessness with Flight Logs, or Notoriety, or Just Business Practice,” November 4, 2004, at http://spaces.icgpartners.com/index2.asp?nguid=53D0DFB7D3B64B39BE2316DFCB79707E, accessed September 16, 2010.

24. Stephen Grey, “US Accused of ‘Torture Flights,’” The Sunday Times (London), November 14, 2004, at www.timesonline.co.uk/tol/news/world/article390989.ece, accessed September 16, 2010.

25. Tom Hundley, “Remote Polish Airstrip Holds Clues to Secret CIA Flights,” Chicago Tribune, February 6, 2007, pp. 1, 14, at http://articles.chicagotribune.com/2007-02-06/news/0702060187_1_cia-flights-poland-and-romania-detention-centers, accessed September 16, 2010.

26. WikiLeaks, “WikiLeaks Submission,” at http://wikileaks.org/wiki/WikiLeaks:Submissions, accessed September 23, 2010.

27. Joby Warrick, “WikiLeaks Works to Expose Government Secrets, But Web Site’s Sources Are a Mystery,” Washington Post, May 19, 2010, at www.washingtonpost.com/wp-dyn/content/article/2010/05/19/AR2010051905333.html, accessed September 21, 2010.

28. This last epithet was thrown at WikiLeaks’s founder by Tunku Varadarajan, “Blogs & Stories: What Does Julian Assange Want?” TheDailyBeast, July 28, 2010, at www.thedailybeast.com/blogs-and-stories/2010-07-28/wikileaks-founder-julian-assange-is-a-criminal/, accessed September 23, 2010.

29. “For an organization dedicated to exposing secrets, WikiLeaks keeps a close hold on its own affairs. Its Web site doesn’t list a street address or phone number, or the names of key officers. Officially, it has no employees, headquarters or even a post office box.” Warrick, “WikiLeaks Works,” May 19, 2010.

30. Ellen Nakashima and Joby Warrick, “Wikileaks Takes New Approach in Latest Release of Documents,” Washington Post, July 26, 2010, at www.washingtonpost.com/wp-dyn/content/article/2010/07/25/AR2010072503356.html, accessed September 21, 2010.

31. For interesting commentary by an experienced military video analyst on the video and WikiLeaks’s presentation of it, see the blog A Look Inside, at http://blog.ajmartinez.com/2010/04/05/wikileaks-collateral-murder/, accessed September 21, 2010.

32. Raffi Khatchadourian, “No Secrets,” The New Yorker, June 7, 2010, at www.newyorker.com/reporting/2010/06/07/100607fa_fact_khatchadourian, accessed September 20, 2010.

33. WikiLeaks, http://wikileaks.org/wiki/Afghan_War_Diary_2004-2010, July 5, 2010, accessed September 22, 2010.

34. Nakashima and Warrick, “Wikileaks Takes New Approach,” July 26, 2010.

35. Khatchadourian, “No Secrets,” June 7, 2010.

36. John F. Burns and Ravi Somaiya, “WikiLeaks Founder on the Run, Trailed by Notoriety,” New York Times, October 23, 2010, at www.nytimes.com/2010/10/24/world/24assange.html, accessed October 23, 2010.

37. Quoted in “WikiLeaks ‘Bastards,’” Wall Street Journal, July 29, 2010, at http://online.wsj.com/article/SB10001424052748703940904575395500694117006.html, accessed September 20, 2010.

38. Burns and Somaiya, “WikiLeaks Founder on the Run,” October 23, 2010.

39. “Reporters Without Borders, an international press freedom organisation, regrets the incredible irresponsibility you showed when posting your article ‘Afghan War Diary 2004–2010’ on the Wikileaks Web site on 25 July together with 92,000 leaked documents disclosing the names of Afghans who have provided information to the international military coalition that has been in Afghanistan since 2001.” Open Letter to Assange, August 12, 2010, at http://en.rsf.org/united-states-open-letter-to-wikileaks-founder-12-08-2010,38130.html, accessed September 22, 2010.

40. “WikiLeaks ‘Bastards,’” July 29, 2010.

41. Khatchadourian, “No Secrets,” June 7, 2010.

42. “WikiLeaks ‘Bastards,’” July 29, 2010.

43. Varadarajan in “What Does Julian Assange Want?” July 28, 2010.

44. Khatchadourian, “No Secrets,” June 7, 2010.

45. John F. Burns and Ravi Somaiya, “WikiLeaks Founder on the Run, Trailed by Notoriety,” New York Times, October 23, 2010, at www.nytimes.com/2010/10/24/world/24assange.html, accessed October 23, 2010.

46. The evidence was sufficient for a British court to order his extradition to Sweden to face the charges. As of this writing, that order is on appeal. Michael Holden, “WikiLeaks’ Assange Appeals against UK Extradition,” Reuters, March 3, 2011, at www.reuters.com/article/2011/03/03/us-britain-assange-appeal-idUSTRE7222LH20110303, accessed March 22, 2011.

47. Kim Zetter, “WikiLeaks Releases Secret List of Critical Infrastructure Sites,” Wired, December 6, 2010, at www.wired.com/threatlevel/2010/12/critical-infrastructures-cable/, accessed December 7, 2010.

48. Raw Story, “WikiLeaks Accuses US of ‘Financial Warfare,’” October 14, 2010, at www.rawstory.com/rs/2010/10/wikileaks-us-financial-warfare/, accessed December 23, 2010; Robert Mackey, “PayPal Suspends WikiLeaks Account,” New York Times, December 3, 2010, at http://thelede.blogs.nytimes.com/2010/12/04/paypal-suspends-wikileaks-account/?scp=1&sq=wikileaks%20paypal&st=cse, accessed December 3, 2010; Robert Mackey, “WikiLeaks Founder’s Statement from Prison,” New York Times, December 14, 2010, at http://thelede.blogs.nytimes.com/2010/12/14/wikileaks-founders-statement-from-prison/?scp=3&sq=wikileaks%20paypal&st=cse, accessed December 23, 2010.

49. Miguel Helft, “Why Apple Removed a WikiLeaks App From Its Store,” New York Times, December 21, 2010, at http://bits.blogs.nytimes.com/2010/12/21/why-apple-removed-wikileaks-app-from-its-store/?scp=9&sq=wikileaks%20paypal&st=cse, accessed December 23, 2010.

50. For an image of the Anonymous threat against PayPal, see the undated posting at https://uloadr.com/u/4.png, accessed March 29, 2011. For accounts of Anonymous’s activities in December 2010, see Cassell Bryan-Low and Sven Grundberg, “Hackers Rise for WikiLeaks,” Wall Street Journal, December 8, 2010, at http://online.wsj.com/article/SB10001424052748703493504576007182352309942.html, accessed March 29, 2011; Daniel Tencer, “Hackers Take Down Website of Bank that Froze WikiLeaks Funds,” Raw Story, December 6, 2010, at www.rawstory.com/rs/2010/12/06/hackers-website-bank-froze-wikileaks-funds/, accessed March 29, 2011.

51. WikiLeaks, “About WikiLeaks,” at www.wikileaks.org/wiki/Wikileaks:About#What_is_WikiLeaks.3F_How_does_WikiLeaks_operate.3F, accessed September 21, 2010.

52. Ibid. “WikiLeaks believes that the best way to truly determine if a story is authentic, is not just our expertise, but to provide the full source document to the broader community—and particularly the community of interest around the document.”

53. Ibid.

54. WikiLeaks criticizes corporations on many grounds. Here are the first two: “1. The right to vote does not exist except for share holders (analogous to land owners) and even there voting power is in proportion to ownership. 2. All power issues from a central committee.” This sounds like a New Left manifesto of 1968.

55. Khatchadourian, “No Secrets,” June 7, 2010.

56. Jack Goldsmith and Tim Wu, Who Controls the Internet: Illusions of a Borderless World (New York: Oxford University Press, 2006).

57. The orders in Bank Julius Baer & Co., Ltd. v. WikiLeaks, case no. CV08-0824 JSW (N.D. Cal., issued February 15, 2008), are available through Citizen Media Law Project, at www.citmedialaw.org/threats/julius-baer-bank-and-trust-v-wikileaks, accessed September 23, 2010.

58. Jaikumar Vijayan, “Rights Groups Seek Court OK to Intervene in Wikileaks Case,” New York Times, February 28, 2008, at www.nytimes.com/idg/IDG_002570DE00740E18002573FD005AB476.html?ref=technology, accessed September 23, 2010.

59. See, e.g., Dan Goodin, “Wikileaks Judge Gets Pirate Bay Treatment,” The Register, February 21, 2008, at www.theregister.co.uk/2008/02/21/wikileaks_bulletproof_hosting/page2.html, accessed September 23, 2010, who noted that the judge’s “lack of internet savvy was in further evidence when he directed that a copy of his order be e-mailed to Wikileaks within 24 hours of the issuance of his order. The only problem there was that the suspending of Wikileaks.org prevented the organization’s e-mail system from working.”

60. David F. Gallagher, “WikiLeaks Has a Friend in Sweden,” New York Times, February 20, 2008, at http://bits.blogs.nytimes.com/2008/02/20/wikileaks-site-has-a-friend-in-sweden/, accessed September 23, 2010.

61. “Welcome to PRQ!” at http://prq.se/?intl=1, accessed September 22, 2010.

62. See also Khatchadourian, “No Secrets,” June 7, 2010.

63. WikiLeaks, “WikiLeaks Mirrors,” at http://213.251.145.96/mirrors.html, accessed December 6, 2010. Later that month a Google search indicated the site was “not found, overloaded or other issues.”

64. Goodin, “Wikileaks Judge Gets Pirate Bay Treatment,” February 21, 2008.

65. The documents are posted on WikiLeaks, “Bank Julius Baer: Grand Larceny via Grand Cayman,” at http://wikileaks.org/wiki/Bank_Julius_Baer:_Grand_Larceny_via_Grand_Cayman, accessed September 23, 2010.

66. Eight charges have been brought in military court against Private Manning alleging espionage and computer fraud under 18 U.S.C. §§793(e) and 1030(a)(1) and (a)(2). The charge sheet is available at http://boingboing.net/images/xeni/100705-Manning-Charge-Sheet.pdf, accessed December 24, 2010.

67. Khatchadourian, “No Secrets,” June 7, 2010.

68. The cable in question appears to be available at http://history-political.blogspot.com/2010/02/classified-cable-from-us-embassy.html, dated January 13, 2010, accessed November 19, 2010, dealing with Iceland’s economic and financial crisis.

CHAPTER 9: THINKING ABOUT INTELLIGENCE

1. CIA Web site at https://www.cia.gov/offices-of-cia/index.html, accessed October 3, 2010. The NSA’s principal directorates are Information Assurance (network defense), Signals Intelligence (collecting “communications, radars, and weapons systems used by our adversaries,” which is to say, electronic theft), and Research. NSA Web site at www.nsa.gov/, and www.nsa.gov/sigint/index.shtml, both accessed October 3, 2010.

2. “Counterintelligence means information gathered and activities conducted to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations, or persons, or their agents, or international terrorist organizations or activities.” Executive Order 12,333, as amended most recently in 2008, §3.5(a).

3. In contrast to a covert operation, a clandestine operation is one whose existence is intended to remain secret.

4. For two valuable and wide-ranging views of the challenges facing the intelligence agencies—but which do not deal broadly with the transparency issue—see Jennifer E. Sims and Burton Gerber, eds., Transforming U.S. Intelligence (Washington, DC: Georgetown University Press, 2005); and by the same editors, Vaults, Mirrors and Masks: Rediscovering U.S. Counterintelligence (Washington, DC: Georgetown University Press, 2009).

5. In some such cases, classification may still be warranted to protect sources or methods, but in the case posited—where others can obtain the information as easily as the government—the source or method may have become superfluous.

6. Richard K. Betts, Enemies of Intelligence: Knowledge and Power in American National Security (New York: Columbia University Press, 2007), p. 157.

7. According to legend, on the basis of this information Rothschild bought huge quantities of long-depressed British consols (government bonds), making a fortune on information he alone possessed, while his bearish colleagues in the exchange still feared defeat at Napoleon’s hands. In fact Rothschild did not begin buying consols until July 20, more than a month after the battle. Niall Ferguson, The Ascent of Money: A Financial History of the World (London: Penguin Press, 2008), pp. 78–85.

8. OMB Circular A-76, Attachment D, ¶ B.4.b.6.

9. According to its Web site, the Secret Service was created in 1865 and did not begin to provide security for the president until after the assassination of President McKinley in 1901: www.secretservice.gov/history.shtml, accessed December 26, 2010.

10. James Mackay, Allan Pinkerton: The First Private Eye (New York: John Wiley & Sons, 1996), pp. 80, 108–10, 155.

11. Ward Churchill, “The Trajectory of Political Policing in the United States, 1870 to the Present,” [n.d.], notes 13–14, citing Max Lowenthal, The Federal Bureau of Investigation (New York: William Sloan Assoc., 1950), pp. 6–10.

12. Theodore M. Becker, “The Place of Private Police in Society: An Area of Research for the Social Sciences,” v. 21, 3 Social Problems (1974): 438.

13. See, e.g., ibid., p. 441.

14. Kline v. 1500 Massachusetts Avenue Apartment Corporation, 439 F.2d 477 (D.C. Cir. 1970). See 43 A.L.R. 5th 207 (landlord’s liability for failure to protect tenant from criminal acts of third person).

15. Becker, “Private Police,” pp. 443, 444, n. 5. Becker notes that Pinkerton began with ten employees in Chicago in 1850 to protect railroad property.

16. The regulations recognize that an activity may be already carried on privately yet may classify that activity as inherently governmental anyway. One of the nondeterminative factors is “Whether the activity in question is already being performed by the private sector.” Federal Acquisition Regulations, subpart 7.3, § 7.302; Office of Management and Budget, circular A-76, attachment D. Either this is illogical or it implies a judgment about the power of government rather than the nature of the activity.

17. “IBM Commercial: The Road: Intelligent Data Management and Analysis for a Smarter Planet,” YouTube.com, at www.youtube.com/watch?v=F8EjUYpqCvw, accessed September 15, 2010.

18. U.S. Air Force, College of Aerospace Doctrine, Research and Education, Air and Space Power Course, at www.iwar.org.uk/military/resources/aspc/text/pow/s_p.htm, accessed October 22, 2010.

19. Leaking is often the product of widespread dissent, or a response to dissent, as occurred when the invasion of Iraq in 2004 produced no evidence of weapons of mass destruction. See, e.g., David E. Sanger and David Johnston, “Bush Ordered Declassification, Official Says,” New York Times, April 10, 2006, at www.nytimes.com/2006/04/10/washington/10leak.html?ex=1302321600&en=a822dffc46e8662d&ei=5090&partner=rssuserland&emc=rss, accessed October 21, 2010. Daniel Ellsberg’s leaking in 1971 of United States–Vietnam Relations, 1945–1967: A Study Prepared by the Department of Defense, better known as The Pentagon Papers, remains the most stunning and consequential example of large-scale leaking—including the WikiLeaks disclosures in 2010—but it involved a special study rather than a National Intelligence Estimate.

20. Bob Woodward, Obama’s Wars (New York: Simon & Schuster, 2010), p. 53.

21. Jane Perlez, “Pakistan Aims Offensive at a Militant Stronghold,” New York Times, October 17, 2009, at www.nytimes.com/2009/10/18/world/asia/18pstan.html?hp, last visited October 18, 2009.

22. “Scenarios: Alternative Futures the IC Could Face,” Quadrennial Intelligence Community Review, January 2009, at www.fas.org/irp/dni/qicr.pdf, accessed October 5, 2010, pp. 3, 9. This most recent effort looks forward to 2025 and explores four different strategic developments, each of which involves a disruptive sea change in global relations. What’s missing from this review, however, is an examination of how these or any other futuristic scenarios are likely to affect the intelligence business itself. One of the few comments on that topic in the entire Quadrennial Review is the assumption that in 2025 “[c]lassified working environments will remain the norm.” Is this right? Or more to the point, which part of this complex business did the authors of the review have in mind when they made that assumption?

23. The objection to using foreign contractors will be that they may be influenced by their nation’s intelligence services—but so what? Long-term projections don’t deal in facts; they propose imaginative future possibilities.

24. The Intelligence Authorization Act for Fiscal Year 1993 included the Intelligence Organization Act and was based on the Senate version of the National Security Act of 1992, S. 2198. The House version (H.R. 4165) provided for an open source office. That office was not included in the final bill.

25. National Commission on Terrorist Attacks Upon the United States, Final Report (New York: W.W. Norton, [2004]), p. 413.

26. Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction, Report (Washington: USGPO, 2005), pp. 395–96.

27. ODNI, “ODNI Announces Establishment of Open Source Center,” News Release No. 6-05, November 8, 2005. One of the Open Source Center’s valuable services is World News Connection. It carries translated news from 1,750 news sources in 130 countries. Barry Newman, “Today’s News, Brought to You by Your Friends at the CIA,” Wall Street Journal, February 28, 2011, at http://online.wsj.com/article/SB10001424052748704629004576136381178584352.html, accessed February 28, 2011.

28. I have omitted from this list of regrettable characteristics the many constraints on communications that are typical of intelligence agencies. They are difficult to adjust to, but in a secret environment most of these constraints are necessary.

29. I believe the CIA official whose epigraph begins chapter 8, Don Burke, is well aware of this and that he was exaggerating to make a point. For more on this issue, see “No More Secrets: National Security Strategies for a Transparent World,” report on a workshop convened by Suzanne Spaulding and sponsored by the American Bar Association Standing Committee on Law and National Security, the Office of the National Counterintelligence Executive, and the National Strategy Forum, Washington, D.C., January 10, 2010, at http://nationalstrategy.com/Portals/0/Conference%20Reports/No%20More%20Secrets%20Conference%20Report.pdf, accessed April 6, 2011.

30. I have heard this proverb attributed to Cardinal Richelieu, who combined the functions of prime minister and intelligence chief for Louis XIV of France, but can find no basis for that or any other attribution.

31. U.S. Senate Subcommittee on Reorganization of the Committee on Government Operations Commission on Government Security. Hearings on S.J. Res. 21, a Joint Resolution to Establish a Commission on Government Security, 84th Cong., 1st sess., March 15, 1955, p. 467. Bundy, who was then the dean of the Harvard University Faculty of Arts and Sciences, was quoting a colleague, Dan Van Vleck.

CHAPTER 10: MANAGING THE MESS

1. President George H. W. Bush, National Security Directive 42, July 5, 1990, redacted for public release, April 1, 1992, at www.fas.org/irp/offdocs/nsd/nsd_42.htm, accessed June 1, 2010. The following year the National Research Council warned that the nation “depends on computers [for] power delivery, communications, aviation, and financial services” and said plainly that these systems were “vulnerable . . . to deliberate attack.” It added, “The modern thief can steal more with a computer than with a gun” and that “tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.” National Research Council, Computers at Risk: Safe Computing in the Information Age (Washington, D.C.: National Academy Press, 1991).

2. Preface to “Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure,” May 2009, at www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf, accessed January 6, 2010.

3. Presidential Decision Directive 63, May 22, 1998, at www.fas.org/irp/offdocs/pdd/pdd-63.htm.

4. The White House, “The National Strategy to Secure Cyberspace,” February 2003, at www.us-cert.gov/reading_room/cyberspace_strategy.pdf, accessed April 5, 2011.

5. National Security Telecommunications Advisory Committee, “An Assessment of the Risk to the Cybersecurity of the Public Network,” August 2009, p. ES-1. This document is not classified but it is not disseminated electronically.

6. Bill Gertz, “2008 Intrusion of Networks Spurred Combined Units,” Washington Times, June 3, 2010, at www.washingtontimes.com/news/2010/jun/3/2008-intrusion-of-networks-spurred-combined-units/. Debora Plunkett, head of the NSA’s Information Assurance Directorate, said that even the NSA works on the assumption that its systems have been penetrated by sophisticated adversaries. Jim Wolf, “U.S. Code-Cracking Agency Works as if Compromised,” Reuters, December 16, 2010, at www.reuters.com/article/idUSTRE6BF6BZ20101217, accessed December 17, 2010.

7. The White House, “Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure,” May 29, 2009. The principal author of this review was Melissa Hathaway, who served ably under President George W. Bush as well as President Obama.

8. For the full text of the proposal and a section-by-section analysis, see the White House Web site at www.whitehouse.gov/omb/legislative_letters, accessed May 22, 2011. The proposal would strengthen the Federal Information Security Management Act, known as FISMA, which federal agencies must comply with, but FISMA represents the lowest common denominator of cybersecurity.

9. USCYBERCOM is technically a subcommand under U.S. Strategic Command, but it enjoys considerable independence.

10. For a remarkably candid assessment of cybervulnerabilities and proposals for dealing with them, see William J. Lynn III, “Defending a New Domain,” Foreign Affairs, September/October 2010, p. 97, at www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain, accessed February 20, 2011.

11. Whether this capability will extend to preemptive cyberoperations is legally as well as operationally complex. See Ellen Nakashima, “U.S. Eyes Preemptive Cyber-Defense Strategy,” Washington Post, August 29, 2010, at www.washingtonpost.com/wp-dyn/content/article/2010/08/28/AR2010082803312.html, accessed August 31, 2010.

12. The rationale for this strategy is elaborated in Herbert Lin, “Offensive Aspects of Cyber-security and Related Concerns,” a paper from TTI Vanguard’s Cybersecurity Conference, Washington, D.C., May 6–7, 2010.

13. At the Battle of Vicksburg in 1863, for example, Lieutenant General Ulysses Grant was able to secure the cooperation of the navy for operations on the Mississippi only through his personal relations with Acting Rear Adm. David Dixon Porter. “I had no more authority to command Porter than he had to command me.” Ulysses S. Grant, Memoirs and Selected Letters: Personal Memoirs of U.S. Grant, Selected Letters 1839–1865 (New York: Library of America, 1990), p. 306.

14. James R. Locher III, Victory on the Potomac: The Goldwater-Nichols Act Unifies the Pentagon (College Station, TX: Texas A&M University Press, 2002), p. 16.

15. Ibid., p. 17.

16. Ibid., p. 18.

17. Ibid., pp. 20–21. President Roosevelt tried to achieve better cooperation by creating the Joint Chiefs of Staff in 1942, but the chiefs were dominated by their separate services and could take no position without unanimity.

18. See, e.g., John Barry, “Deplaned,” Newsweek, June 6, 2008, discussing the firing of the air force secretary, at www.newsweek.com/2008/06/05/deplaned.html, accessed January 9, 2010.

19. Locher, Victory on the Potomac, chapter 7 and pp. 45–48.

20. For the well-told story of this profoundly significant reform by the man with a ringside seat, see Locher, Victory on the Potomac. Goldwater-Nichols also turned the Joint Chiefs into a purely advisory body and took them out of the chain of command.

21. Locher, Victory on the Potomac, p. 450, quoting General John Wickham, USA.

22. For an account of how the federal emergency and disaster system (created two years before Katrina) is intended to work, see The Federal Response to Hurricane Katrina: Lessons Learned (February 23, 2006), pp. 11–19, prepared under the direction of former assistant to the president for homeland security and counterterrorism, Frances Fragos Townsend.

23. Government Accountability Office, “Opportunities to Reduce Potential Duplication in Government Programs, Save Tax Dollars, and Enhance Revenue,” GAO Report GAO-11-318SP, March 2011, at www.gao.gov/new.items/d11318sp.pdf, accessed March 1, 2011.

24. The American fondness for the czar analogy is curious. As former CIA director James Woolsey likes to say, five hundred years of rigidity and stupidity followed by seventy-plus years of Bolshevism is not a governance model worth emulating.

25. In 1944, President Roosevelt established the State-War-Navy Coordinating Committee. It worked poorly because action required unanimity.

26. National Security Act of 1947, Pub. L. no. 80-253, § 101(a), 61 Stat. 496 (1947) (my italics). For a concise and valuable study of the NSC, see Cody M. Brown, The National Security Council: A Legal History of the President’s Most Powerful Advisors (Washington, D.C.: Project on National Security Reform, 2008). When the NSC was originally proposed, constitutional objections were raised against any suggestion that it have directive power, on the ground that it would diminish the president’s constitutional powers. Ibid., p. 3. It is difficult to understand how creating a more powerful presidential staff would diminish the president’s power. The real objection to such a step is that it would diminish the power of the cabinet secretaries. Art. II, Sec. 2 of the Constitution assumes the existence of executive departments but does not specify their respective powers.

27. Executive Order 13,228, October 8, 2001, at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2001_register&docid=fr10oc01-144.pdf, accessed March 30, 2011.

28. “[C]ompromise is the soul of interagency discussion. The process is designed to force agencies to make more and more compromises as disputes move up the ladder from assistant to deputy to secretary.” Stewart Baker, Skating on Stilts: Why We Aren’t Stopping Tomorrow’s Terrorism (Stanford: Hoover Institution Press, 2010), p. 128. This volume is the inside story of how that process really works. See also Roger Z. George and Harvey Rishikof, The National Security Enterprise: Navigating the Labyrinth (Washington, D.C.: Georgetown University Press, 2011), Part I: “The Interagency Process.”

29. National Commission on Terrorist Attacks Upon the United States, Final Report (New York: W. W. Norton, [2004]), p. 419, stating: “So long as oversight is governed by current congressional rules and resolutions, we believe the American people will not get the security they want and need. . . . Few things are more difficult to change in Washington than congressional committee jurisdiction and prerogatives. The American people may have to insist that these changes occur, or they may well not happen.” NOTE: see ch. 9, n. 25 for previous cite to this document.

30. The NSA is not the only home of world-class cyberexperts in the federal government, but it has by far the largest group of them. Its red teams use only open-source tools when testing systems and not their own specially engineered, classified tools.

31. The mismatch also has a budgetary aspect, and I’m not speaking only of the fact that the resources devoted to network security have been inadequate. As it stands, the NSA’s budget for red teaming is in the Defense ISSP, or Information Systems Security Program. Not surprisingly, DoD wants the defense red-teaming budget applied to DoD systems. Whether NSA red teams test nondefense systems (they may do so now only with permission) or whether that function moves to the Department of Homeland Security is not important. But the budget must be aligned with the scope of the problem, and the function must be exercised without permission from the officials responsible for the system.

32. Tom Gjelten, “Cyberwarrior Shortage Threatens U.S. Security,” NPR, July 19, 2010, at www.npr.org/templates/story/story.php?storyId=128574055, accessed July 19, 2010.

33. Bureau of National Affairs, “New Defense Authorization Bill Excludes Key Cyber Provisions,” Electronic Commerce & Law Report, December 21, 2010, at www.npr.org/templates/story/story.php?storyId=128574055, accessed January 3, 2011.

34. The Supreme Court understands the risk of creating rigid legal standards in this fast-moving field—but only by a vote of 5–4. City of Ontario v. Quon, 130 S.Ct. 2619, 2629 (2010) (opinion by Justice Kennedy), at www.texascityattorneys.org/2010speakerpapers/fall-OntariovQuon-case-SGladsone.pdf, accessed April 5, 2011.

The judiciary risks error by elaborating too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear. . . . Prudence counsels caution before the facts in the instant case are used to establish far-reaching premises that define the existence, and extent, of privacy expectations enjoyed by employees when using employer-provided communication devices.

35. J. Alex Halderman, “To Strengthen Security, Change Developers’ Incentives,” IEEE Security and Privacy, March/April 2010, p. 79.

36. For a succinct description of how the OMB works, see Gordon Adams, “The Office of Management and Budget: The President’s Policy Tool,” in Roger Z. George and Harvey Rishikof, The National Security Enterprise: Navigating the Labyrinth (Washington, D.C.: Georgetown University Press, 2011).

37. J. Livingood, N. Mody, and M. O’Reirdan, “Recommendations for the Remediation of Bots in ISP Networks,” draft no. 10, December 2, 2010, p. 7, available on the Web site of the Internet Engineering Task Force (IETF) at http://tools.ietf.org/html/draft-oreirdan-mody-bot-remediation-10, accessed January 9, 2010. The IETF is an activity of the International Society, a nonprofit organization founded in 1992 to provide leadership in Internet-related standards, education, and policy.

38. Jack Rosenberger, “How Top ISPs Could Reduce Spam,” Communications of the ACM, August 2010, p. 13, at http://mags.acm.org/communications/201008/?CFID=4949264&CFTOKEN=36226451#pg15, accessed January 9, 2010.

39. Robert McMillan, “Court Order Helps Microsoft Tear Down Waledac Botnet,” Computerworld, February 25, 2010, at www.computerworld.com/s/article/9162158/Court_order_helps_Microsoft_tear_down_Waledac_botnet, accessed December 13, 2010.

40. 18 U.S.C. §2511.

41. The two ISPs I know of that offer “walled garden” services are Comcast and Cox Communications. See Lolita C. Baldor, “Internet Security Plan Under Review Would Alert Users to Hacker Takeover,” Washington Post, October 18, 2010, at www.washingtonpost.com/wp-dyn/content/article/2010/10/18/AR2010101800243.html, accessed October 26, 2010.

42. The technical issues involved in disclosure and notice to customers are discussed in Livingood et al., “Recommendations for the Remediation of Bots in ISP Networks.”

43. For a discussion of such a project at Microsoft, see James Larus and Galen Hunt, “The Singularity System,” Communications of the ACM, August 2010, p. 72, at http://mags.acm.org/communications/201008/?CFID=4949264&CFTOKEN=36226451#pg74, accessed January 9, 2010.

44. See “A Virtual Counter-Revolution,” The Economist, September 2, 2010, at www.economist.com/node/16941635, accessed April 30, 2011.

45. For a learned and engaging statement of another point of view, as well as a superb account of the fundamental technological issues in the development of the Internet, see Jonathan Zittrain, The Future of the Internet and How to Stop It (New Haven: Yale University Press, 2008).

46. U.S. Department of Energy, Office of Inspector General, “Federal Energy Regulatory Commission’s Monitoring of Power Grid Cyber Security,” report no. DOE/IG-0846, January 2011, p. 2.

47. Improving attribution alone will not solve our cyberinsecurity, however. See David D. Clark and Susan Landau, “The Problem Isn’t Attribution; It’s Multi-Stage Attacks,” [2011], research paper available at http://conferences.sigcomm.org/co-next/2010/Workshops/REARCH/ReArch_papers/11-Clark.pdf, accessed January 10, 2011.

48. James R. Gosler, “The Digital Dimension,” in J. E. Sims and B. Gerber, eds., Transforming U.S. Intelligence (Washington, D.C.: Georgetown University Press, 2005), pp. 96, 104.

49. Ibid., p. 105, text at n. 24, quoting Michael Wynne, acting undersecretary of defense for acquisition, technology, and logistics, “Memorandum for the Chairman, Defense Science Board, Terms of Reference,” Defense Science Board Task Force on High Performance Microchip Supply, December 18, 2003.

50. The reverse is also true. For example, the iPhone is assembled in China. Its components and labor have a value of about $179. Our trade statistics assume that the entire device is made in China, even though its components come from Japan, Germany, South Korea, the United States, and various other countries. The Chinese contribution to the value of the device is about $6.50. Andrew Batson, “Not Really ‘Made in China,’” Wall Street Journal, December 16, 2010, at http://online.wsj.com/article/SB10001424052748704828104576021142902413796.html?mod=WSJ_Tech_LEADTop, accessed December 16, 2010.

51. Joseph Markowitz, “The Enemy Is Us,” in papers from the TTI Vanguard Cybersecurity Conference, Washington, DC, May 6–7, 2010.

52. Stewart Baker et al., “In the Crossfire: Critical Infrastructure in the Age of Cyber War,” Center for Strategic and International Studies and McAfee, [January 28, 2010], p. 19, at http://img.en25.com/Web/McAfee/NA_CIP_RPT_REG_2840.pdf. See also Paul Kurtz et al., “Virtual Criminology Report 2009: Virtually Here: The Age of Cyber Warfare,” McAfee and Good Harbor Consulting, 2009, p. 17, at http://iom.invensys.com/EN/pdfLibrary/McAfee/WP_McAfee_Virtual_Criminology_Report_2009_03-10.pdf.

53. My pessimistic view about the ability of authoritarian regimes to exert some degree of control over networks is shared by Eric Schmidt and Jared Cohen of Google. See their “The Digital Disruption: Connectivity and the Diffusion of Power,” Foreign Affairs, November/December 2010, p. 81, at www.foreignaffairs.com/articles/66781/eric-schmidt-and-jared-cohen/the-digital-disruption, accessed January 9, 2010.

54. James Glanz and John Markoff, “Egypt Leaders Found ‘Off’ Switch for Internet,” New York Times, February 15, 2011, at www.nytimes.com/2011/02/16/technology/16internet.html, accessed February 15, 2011.

55. Help Net Security, “73% of Organizations Hacked in the Last 2 Years,” February 8, 2011, at www.net-security.org/secworld.php?id=10550, accessed February 10, 2011.

56. Help Net Security, “Half of IT Professionals Leave Mobile Security to Chance,” June 22, 2010, at www.net-security.org/secworld.php?id=9453, accessed June 22, 2010.

57. Mobile voice security, or rather insecurity, is another growing problem. When I joined the NSA in 2002 there were very few organizations in the world capable of systematically intercepting this kind of communication. That capability is now available for a few thousand dollars. But most people don’t know that and continue to believe incorrectly that they can communicate securely on mobile phones.

58. This technology is commercially available. See, e.g., the Web site of Mobile Armor, Inc., a division of Trend Micro Incorporated, at www.mobilearmor.com/solutions/usb-encryption.html, accessed April 5, 2011.

59. “Imperva: Survey Finds Most Employees Will Leave with Company Data,” Global Security Mag, November 2010, at www.globalsecuritymag.com/Imperva-Survey-finds-most,20101122,20732.html, accessed December 16, 2010. See also “Industrial Espionage Escalates as 60 Per Cent of Redundant Workers Take Data,” PublicTechnology.net (UK), December 29, 2008, at www.publictechnology.net/content/18397, accessed February 15, 2010.

60. Op. cit., chapter 9, note 31.

61. Between 2002 and 2006, for instance, 478 laptops were lost or stolen from the IRS, 112 of them containing sensitive taxpayer information. Privacy Rights Clearinghouse, at www.privacyrights.org, accessed September 24, 2008.

62. Verizon, “2008 Data Breach Investigations Report,” p. 15, fig. 12, at www.verizonbusiness.com/resources/security/databreachreport.pdf, accessed April 5, 2011, analyzing more than five hundred cases.

63. Robert McMillan, “How to Steal Corporate Secrets in 20 Minutes: Ask,” Computerworld, July 30, 2010, at www.networkworld.com/news/2010/073110-how-to-steal-corporate-secrets.html, accessed August 2, 2010. Under the contest’s ground rules, the identity of the companies was not reported.

64. See Joel F. Brenner, “Information Oversight: Practical Lessons from Foreign Intelligence,” Lecture no. 851, Heritage Foundation, September 39, 2004, at www.heritage.org/Research/Lecture/Information-Oversight-Practical-Lessons-from-Foreign-Intelligence, accessed November 29, 2010.

65. Web site of the national counterintelligence executive, at www.ncix.gov/publications/reports/traveltips.pdf, accessed February 20, 2011.