As the lights went out in western Ukraine the day before Christmas Eve 2015, Andy Ozment had a queasy feeling.
The giant screens in the war room just down the hall from his office—in an unmarked Department of Homeland Security building a quick drive over the Potomac River from the White House—indicated that something more nefarious than a winter storm or a blown-up substation had triggered the sudden darkness across a remote corner of the embattled former Soviet republic. The event had all the markings of a sophisticated cyberattack, remote-controlled from someplace far from Ukraine.
It had been less than two years since Vladimir V. Putin had annexed Crimea and declared it would once again be part of Mother Russia. Putin’s tanks and troops—who traded in their uniforms for civilian clothing and became known as the “little green men”—were sowing chaos in the Russian-speaking southeast of Ukraine, and doing what they could to destabilize a new, pro-Western government in Kiev, the capital.
Ozment knew that a Russian cyberattack against Ukrainians, far from the active combat zones, would make sense now, in the middle of the holidays. The electric utility providers were operating with skeleton staffs. To Putin’s secret army of patriotic hackers, Ukraine was a playground and testing ground. What happened there, Ozment often told his staff, was a prelude to what might well happen in the United States. As he regularly reminded them, in the world of cyber conflict, attackers came in five distinct varieties: “vandals, burglars, thugs, spies, and saboteurs.”
“I’m not that worried about the thugs, the vandals, and the burglars,” he would quickly add. It was up to companies and government agencies to guard against the run-of-the-mill bad actors on the Internet. It was the spies—and particularly the saboteurs—who kept him up at night. And the saboteurs who hit Ukraine’s power grid in 2015 were not amateurs. “All the advantages go to the attacker,” Ozment warned. Putin appeared to be making that point in Ukraine.
A bearded computer scientist in his late thirties, Ozment seemed to deliberately cultivate a demeanor suggesting it hadn’t been that long since he graduated from Georgia Tech and that he’d rather be hiking than cracking malware. He lived with his Norwegian wife in a two-story redbrick townhouse in a funky section of Washington, north of the Capitol. He always managed to look like he just walked out of one of the weekend farmers markets in his neighborhood, rather than off the front lines of America’s daily cyberwars. It was an admirable feat, considering he was running the closest thing the US government had to a fire department for cyberattacks. His team in Arlington functioned as the first responders when banks or insurance companies were attacked, utility companies found viruses lurking in their networks and suspected foul play, or incompetent federal agencies—like the Office of Personnel Management—discovered that Chinese intelligence agents were walking off with millions of highly sensitive security-clearance files. In other words, Ozment’s team got called all the time, like an engine company in a neighborhood of arsonists.
Ozment’s cyberwar room—in bureaucratese, the “National Cybersecurity & Communications Integration Center”—looked like a Hollywood set. The screens ran for more than a hundred feet, showing everything from the state of Internet traffic to the operation of power plants. Tickers with news items sped by. The desks in front of the screens were manned by various three-letter agencies in the US government: the Federal Bureau of Investigation, the Central Intelligence Agency, the National Security Agency, the Department of Energy.
At first glance, the room resembled the kind of underground bunker that a previous generation of Americans had manned round the clock, in a mountain near Colorado Springs. But initial impressions were deceiving. The men and women who spent the Cold War glued to their giant screens in Colorado were looking for something that was hard to miss: evidence of nuclear missiles speeding into space, aimed at American cities and silos. If they saw a launch—and there were many false alarms—they knew they had only minutes to confirm the US was under attack and to provide warning to the president, who would have to decide whether to retaliate before the first blast. But there was a certain clarity: At least they could know who launched the missiles, where they came from, and how to retaliate. That clarity created a framework for deterrence.
Ozment’s screens, by contrast, provided proof that in the digital age, deterrence stops at the keyboard. The chaos of the modern Internet played out across screen after screen, often in an incomprehensible jumble. There were innocent service outages and outrageous attacks, yet it was almost impossible to see where any given attack came from. Spoofing the system came naturally to hackers, and masking their location was pretty simple. Even in the case of a big attack, it would take weeks, or months, before a formal intelligence “attribution” would emerge from American intelligence agencies, and even then there might be no certainty about who had instigated the attack. In short, it was nothing like the nuclear age. Analysts could warn the president about what was happening—and Ozment’s team often did—but they could not specify, in real time and with certainty, where an attack was coming from or against whom to retaliate.
The more data that flowed in about what was happening that winter day in Ukraine, the deeper Ozment’s stomach sank. “This was the kind of nightmare we’ve talked about and tried to head off for years,” he recalled later. It was a holiday week, a rare break from the daily string of crises, and Ozment had a few minutes to dwell on a chilling cell-phone video that his colleagues were passing around. Taken in the midst of the Ukraine attack by one of the operators at the beleaguered electricity provider, Kyivoblenergo, it captured the bewilderment and chaos among electric-grid operators as they frantically tried to regain control of their computer systems.
As the video showed, they were helpless. Nothing they clicked had any effect. It was as if their own keyboards and mice were disconnected, and paranormal powers had taken over their controls. Cursors began jumping across the screens at the master control center in Ukraine, driven by a hidden hand. By remote control, the attackers systematically disconnected circuits, deleted backup systems, and shut down substations. Neighborhood by neighborhood, the lights clicked off. “It was jaw-dropping for us,” said Ozment. “The exact scenario we were worried about wasn’t paranoia. It was playing out before our eyes.”
And the hackers had more in store. They had planted a cheap program—malware named “KillDisk”—to wipe out the systems that would otherwise allow the operators to regain control. Then the hackers delivered their finishing touch: they disconnected the backup electrical system in the control room, so that not only were the operators now helpless but they were sitting in darkness. All the Kyivoblenergo workers could do was sit there and curse.
For two decades—since before Ozment began his career in cyber defense—experts had warned that hackers might switch off a nation’s power grid, the first step in taking down an entire country. And for most of that time, everyone seemed certain that when the big strike came, it would take out the power from Boston to Washington, or San Francisco to Los Angeles. “For twenty years we were paranoid about it, but it had never happened,” Ozment recalled.
“Now,” he said, “it was happening.”
It was happening, but on a much broader scale, in ways that Ozment could not yet imagine.
While Ozment struggled to understand the implications of the cyberattack unfolding half a world away in Ukraine, the Russians were already deep into a three-pronged cyberattack on the very ground beneath his feet. The first phase had targeted American nuclear power plants as well as water and electric systems, with the insertion of malicious code that would give Russia the opportunity to sabotage the plants or shut them off at will. The second was focused on the Democratic National Committee, an early victim in a series of escalating attacks ordered, American intelligence agencies later concluded, by Vladimir V. Putin himself. And the third was aimed at the heart of American innovation, Silicon Valley. For a decade the executives of Facebook, Apple, and Google were convinced that the technology that made them billions of dollars would also hasten the spread of democracy around the world. Putin was out to disprove that thesis and show that he could use those same tools to break democracy and enhance his own power.
It added up to a multifaceted attack on America’s infrastructure and institutions, and was remarkable in its scope, startling in its brazenness. Americans were shocked, but Putin’s moves had hardly come out of the blue. They were merely the latest phase of a global battle fought over unseen networks for the better part of a decade—a battle in which America had fired some of the opening shots.