MUCH OF the material in this book comes from interviews, all conducted on background, with more than a hundred participants in the story, many of them followed up with email, phone calls, or repeated in-person interviews. (For more about these sources, see the Acknowledgments.) In the Notes that follow, I have not cited sources for material that comes strictly from interviews. For material that comes in part from written sources (books, articles, documents, and so forth) and in part from interviews, I have cited those sources, followed by “and interviews.”
CHAPTER 1: “COULD SOMETHING LIKE THIS REALLY HAPPEN?”
That night’s feature: During his eight years as president, at Camp David and in the White House screening room, Reagan watched 374 movies, an average of nearly one a week, though often more. (“Movies Watched at Camp David and White House,” Aug. 19, 1988, 1st Lady Staff Office Papers, Ronald Reagan Library.) WarGames was an unusual choice; he usually watched adventures, light comedies, or musicals. But one of the film’s screenwriters, Lawrence Lasker, was the son of the actress Jane Greer and the producer Edward Lasker, old friends of Reagan from his days as a Hollywood movie star. Lawrence used his family connections to get a print to the president. (Interviews.)
The following Wednesday morning: Office of the President, Presidential Briefing Papers, Box 31, 06/08/1983 (case file 150708) (1), Ronald Reagan Library; and interviews. This meeting is mentioned in Lou Cannon, President Reagan: The Role of a Lifetime (New York: Simon & Schuster, 1991), 38, but, in addition to getting the date wrong, Cannon depicts it as just another wacky case of Reagan taking movies too seriously; he doesn’t recount the president’s question to Gen. Vessey, nor does he seem aware that the viewing and this subsequent White House meeting had an impact on history. See also Michael Warner, “Cybersecurity: A Pre-history,” Intelligence and National Security, Oct. 2012.
“highly susceptible to interception”: NSDD-145 has since been declassified: http://fas.org/irp/offdocs/nsdd145.htm.
Established in 1952: As later codified in Executive Order 12333, signed by Ronald Reagan on Dec. 4, 1981, the NSA and FBI were barred from undertaking foreign intelligence collection “for the purpose of acquiring information concerning the domestic activities of United States persons,” this last phrase referring to American citizens, legal residents, and corporations (http://www.archives.gov/federal-register/codification/executive-order/12333.html).
In its first three years: Ellen Nakashima, “Pentagon to Boost Cybersecurity Force,” Washington Post, Jan. 27, 2013; and interviews.
In the American Civil War: Edward J. Glantz, “Guide to Civil War Intelligence,” The Intelligencer: Journal of U.S. Intelligence Studies (Winter/Spring 2011), 57; Jason Healey, ed., A Fierce Domain: Conflict in Cyberspace, 1986 to 2012 (Washington, D.C.: Atlantic Council, 2013), 27.
During World War II: See esp. David Kahn, The Codebreakers (New York: Scribner; rev. ed., 1996), Ch. 14.
a man named Donald Latham: Warner, “Cybersecurity: A Pre-history”; and interviews.
In April 1967: Willis H. Ware, Security and Privacy in Computer Systems (Santa Monica: RAND Corporation, P-3544, 1967). This led to a 1970 report by a Defense Science Board task force, known as “the Ware Panel,” Security Controls for Computer Systems (declassified by RAND Corporation as R-609-1, 1979); and interviews.
He well understood: Willis H. Ware, RAND and the Information Evolution: A History in Essays and Vignettes (Santa Monica: RAND Corporation, 2008).
Ware was particularly concerned: Ibid., 152ff.
In 1980, Lawrence Lasker and Walter Parkes: Extra features, WarGames: The 25th Anniversary Edition, Blu-ray disc; and interviews.
The National Security Agency had its roots: See Kahn, The Codebreakers, 352. The stories about the tenth floor of the embassy and Inman’s response to reports of a fire are from interviews. The fact that U.S. intelligence was listening in on Brezhnev’s limo conversations (though not its method) was revealed by Jack Anderson, “CIA Eavesdrops on Kremlin Chiefs,” Washington Post, Sept. 16, 1971. Anderson’s source was a right-wing Senate aide who argued that the transcripts proved the Russians were cheating on the latest nuclear arms control treaty. After Anderson’s story appeared, the Russians started encrypting their phone conversations. The NSA broke the codes. Then the Russians installed more advanced encryption, and that was the end of the operation. (All this backstory is from interviews.)
In his second term as president: Don Oberdorfer, From the Cold War to a New Era (Baltimore: Johns Hopkins University Press, 1998), 67.
When they found out about the microwaves: Associated Press, “Russia Admits Microwaves Shot at US Embassy,” July 26, 1976; “Science: Moscow Microwaves,” Time, Feb. 23, 1976. The news stories note that personnel on the tenth floor were experiencing health problems due to the microwave beams. The stories don’t reveal—probably the reporters didn’t know—the purpose of the beams (they quote embassy officials saying they’re baffled about them) or the activities on the tenth floor.
took to playing Muzak: As a defense reporter for The Boston Globe in the 1980s, I often heard Muzak when I interviewed senior Pentagon officials in their offices. I asked one of them why it was playing. He pointed to his window, which overlooked the Potomac, and said the Russians might be listening with microwave beams.
CHAPTER 2: “IT’S ALL ABOUT THE INFORMATION”
Its number-one mission: Most of this is from interviews, but see also Christopher Ford and David Rosenberg, The Admirals’ Advantage: U.S. Navy Operational Intelligence in World War II and the Cold War (Annapolis: Naval Institute Press, 2005), esp. Ch. 5. (All the material about Desert Storm is from interviews.)
McConnell sat up as he watched: Though Sneakers inspired McConnell to call the concept “information warfare,” the phrase had been used before, first by weapons scientist Thomas P. Rona in a Boeing Company monograph, “Weapon Systems and Information War” (Boeing Aerospace Company, July 1976). Rona was referring not to computers but to technology that theoretically enhanced the capability of certain weapons systems by linking them to intelligence sensors.
“decapitate the enemy’s command structure”: Warner, “Cybersecurity: A Pre-history.”
McConnell pushed hard for the Clipper Chip: Jeffrey R. Yost, “An Interview with Dorothy E. Denning,” OH 424, Computer Security History Project, April 11, 2013, Charles Babbage Institute, University of Minnesota, http://conservancy.umn.edu/bitstream/handle/11299/156519/oh424ded.pdf?sequence=1; and interviews.
CHAPTER 3: A CYBER PEARL HARBOR
“critical national infrastructure”: President Bill Clinton, PDD-39, “U.S. Policy on Counterterrorism,” June 21, 1995, http://fas.org/irp/offdocs/pdd/pdd-39.pdf.
Reno turned the task over: Most of the material on the Critical Infrastructure Working Group comes from interviews with several participants, though some is from Kathi Ann Brown, Critical Path: A Brief History of Critical Infrastructure Protection in the United States (Fairfax, VA: Spectrum Publishing Group, 2006), Chs. 5, 6. All details about briefings and private conversations within the group come from interviews.
“high-tech matters”: Memo, JoAnn Harris, through Deputy Attorney General [Jamie Gorelick] to Attorney General, “Computer Crime Initiative Action Plan,” May 6, 1994; Memo, Deputy Attorney General [Gorelick], “Formation of Information Infrastructure Task Force Coordinating Committee,” July 19, 1994 (provided to author); and interviews.
In recent times: Security in Cyberspace: Hearings Before the Permanent Subcommittee on Investigations of the Comm. on Government Affairs. 104th Cong. (1996). (statement of Jamie Gorelick, Deputy Attorney General of the United States.)
the interagency meetings with Bill Studeman: Studeman’s role on interagency panels comes from Douglas F. Garthoff, Directors of Central Intelligence as Leaders of the U.S. Intelligence Community, 1946–2005 (Washington, D.C.: CIA Center for the Study of Intelligence, 2005), 267. That he and Gorelick met every two weeks was noted in Security in Cyberspace: Hearings Before the Permanent Subcommittee on Investigations of the Comm. on Government Affairs. 104th Cong. (1996). (statement of Jamie Gorelick, Deputy Attorney General of the United States.)
One branch of J Department: “Critical nodes” theory has fallen short in real-life wars. The Air Force attack plan for the 1990–91 Gulf War focused on eighty-four targets as the key “nodes”: destroy those targets, and the regime would collapse like a house of cards. In fact, the war didn’t end until a half million U.S. and allied troops crushed Iraq’s army on the ground. See Michael Gordon and Bernard Trainor, The Generals’ War (New York: Little, Brown, 1995), Ch. 4; Fred Kaplan, Daydream Believers (Hoboken: John Wiley & Sons, 2008), 20–21.
Capping Greene’s briefing, the CIA: Brown, Critical Path, 78; and interviews.
“in light of the breadth”: This language was reproduced in a memorandum from Attorney General to the National Security Council, on March 16, http://fas.org/sgp/othergov/munromem.htm.
One word was floating around: The first use of “cyber war” was probably John Arquilla and David Ronfeldt, Cyberwar Is Coming! (Santa Monica: RAND Corporation, 1993), but their use of the phrase was more like what came to be called “netcentric warfare” or the “revolution in military affairs,” not “cyber war” as it later came to be understood.
“may have experienced as many as 250,000 attacks”: General Accounting Office, “Information Security: Computer Attacks at Department of Defense Pose Increasing Risks” (GAO/AIMD-96-84), May 22, 1996. The report attributes the estimate to a study by the Pentagon’s Defense Information Security Agency.
“Certain national infrastructures”: President Bill Clinton, Executive Order 13010, “Critical Infrastructure Protection,” July 15, 1996, http://fas.org/irp/offdocs/eo13010.htm.
“We have not yet had a terrorist”: Jamie Gorelick, Security in Cyberspace: Hearings Before the Permanent Subcommittee on Investigations of the Comm. on Government Affairs. 104th Cong. (1996) (Statement of Jamie Gorelick, Deputy Attorney General of the United States.)
America’s programs in this realm: There were only a few slipups in revealing the existence of a cyber offensive program, and they were little noticed. In May 1995, Emmett Paige, assistant secretary of defense for command, control, communications, and intelligence, said at a conference at the National Defense University, “We have an offensive [cyber] capability, but we can’t discuss it. . . . You’d feel good about it if you knew about it.” The next month, Navy Captain William Gravell, director of the Joint Staff’s information warfare group, said at a conference in Arlington, “We are at the first stage of a comprehensive effort [in information warfare]. . . . What we have been doing up to now is building some very powerful offensive systems.” As for now, he added, “there is no current policy in these matters.” That would remain true for many years after. Both remarks were quoted in Neil Munro, “Pentagon Developing Cyberspace Weapons,” Washington Technology, June 22, 1995—with no follow-up in any mass media, http://washingtontechnology.com/Articles/1995/06/22/Pentagon-Developing-Cyberspace-Weapons.aspx.
Marsh and the commissioners first convened: Brown, Critical Path, 93. The rest of the material on the commission comes from interviews.
“Just as the terrible long-range weapons”: White House, Critical Foundations: Protecting America’s Infrastructures: The Report of the President’s Commission on Critical Infrastructure Protection, Oct. 1997, http://fas.org/sgp/library/pccip.pdf.
“a serious threat to communications infrastructure”: Commission on Engineering and Technical Systems, National Research Council, Growing Vulnerability of the Public Switched Networks: Implications for National Security Emergency Preparedness (Washington, D.C.: National Academy Press, 1989), 9.
“The modern thief”: Commission on Engineering and Technical Systems, National Research Council, Computers at Risk: Safe Computing in the Information Age (Washington, D.C.: National Academy Press, 1991), 7.
“increasing dependency”: Report of the Defense Science Board Task Force on Information Warfare-Defense (Washington, D.C.: Office of the Undersecretary of Defense [Acquisition and Technology], 1996). Quotes are from Duane Andrews, cover letter to Craig Fields, Nov. 27, 1996.
“In our efforts to battle”: Transcript, President Bill Clinton, Address to Naval Academy, Annapolis, MD, May 22, 1998, http://www.cnn.com/ALLPOLITICS/1998/05/22/clinton.academy/transcript.html.
CHAPTER 4: ELIGIBLE RECEIVER
On June 9, 1997: Most of the material on Eligible Receiver comes from interviews with participants, but some also comes from these printed sources: Brig. Gen. Bruce Wright, “Eligible Receiver 97,” PowerPoint briefing, n.d. (declassified; obtained from the Cyber Conflict Studies Association); Dillon Zhou, “Findings on Past US Cyber Exercises for ‘Cyber Exercises: Yesterday, Today and Tomorrow’ ” (Washington, D.C.: Cyber Conflict Studies Association, March 2012); Warner, “Cybersecurity: A Pre-history.”
The first nightmare case: For more on the Morris Worm, see Cliff Stoll, The Cuckoo’s Egg (New York: Doubleday, 1989), 385ff; Mark W. Eichin and Jon A. Rochlis, “With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988” (MIT, Feb. 9, 1989), presented at the 1989 IEEE Symposium on Research in Security and Privacy, http://www.utdallas.edu/~edsha/UGsecurity/internet-worm-MIT.pdf.
Todd Heberlein’s innovation: Richard Bejtlich, The Practice of Network Security Monitoring (San Francisco: No Starch Press, 2013), esp. the foreword (by Todd Heberlein) and Ch. 1; Richard Bejtlich, TAO Security blog, “Network Security Monitoring History,” April 11, 2007, http://taosecurity.blogspot.com/2007/04/network-security-monitoring-history.html; and interviews. Bejtlich, who was an officer at the Air Force Information Warfare Center, later became chief security officer at Mandiant, one of the leading private cyber security firms. The founding president, Kevin Mandia, rose through Air Force ranks as a cyber crime specialist at the Office of Special Investigations; during that time, he frequently visited AFIWC, where he learned of—and was greatly influenced by—its network security monitoring system.
A junior officer: That was Bejtlich. See a version of his review at http://www.amazon.com/review/RLLSEQRTT5DIF.
“banner warning”: Letter, Robert S. Mueller III, Assistant Attorney General, Criminal Division, to James H. Burrows, Director, Computer Systems Laboratory, National Institute of Standards and Technology, Department of Commerce, Oct. 7, 1992, http://www.netsq.com/Documents_html/DOJ_1992_letter/.
by the time he left the Pentagon: Bejtlich, “Network Security Monitoring History.”
These systems had to clear a high bar: In the 1980s, the Information Assurance Directorate’s Computer Security Center wrote a series of manuals, setting the standards for “trusted computer systems.” The manuals were called the “Rainbow Series,” for the bright colors of their covers. The key book was the first one, the so-called Orange Book, “Trusted Computer Systems Evaluation Criteria,” published in 1983. Most of the work was done by the Center’s director, Roger Schell, who, a decade earlier, had helped the intelligence community penetrate adversary communications systems and thus knew that U.S. systems would soon be vulnerable too.
On February 16, 1997: CJCS Instruction No. 3510.01, “No-Notice Interoperability Exercise (NIEX) Program,” quoted in Zhou, “Findings on Past US Cyber Exercises for ‘Cyber Exercises: Yesterday, Today and Tomorrow.’ ”
The game laid out a three-phase scenario: Wright, “Eligible Receiver 97,” PowerPoint briefing. The rest of the section is based on interviews with participants.
The person answering the phone: Matt Devost of the Coalition Vulnerability Assessment Team had experienced similar problems when he tried to find the American commander’s computer password during one of the five eyes nations’ war games. First, he unleashed a widely available software program that, in roughly one second’s time, tried out every word in the dictionary with variations. Then he phoned the commander’s office, said he was with a group that wanted him to come speak, and asked for a biographical summary. He used the information on that sheet to generate new passwords, and broke through with “Rutgers” (where the commander’s son was going to college) followed by a two-digit number.
it only briefly alluded to: White House, Critical Foundations: Protecting America’s Infrastructures: The Report of the President’s Commission on Critical Infrastructure Protection, Oct. 1997, 8, http://fas.org/irp/offdocs/nsdd145.htm.
CHAPTER 5: SOLAR SUNRISE, MOONLIGHT MAZE
On February 3, 1998: The tale of Solar Sunrise comes mainly from interviews but also from Richard Power, “Joy Riders: Mischief That Leads to Mayhem,” InforMIT, Oct. 30, 2000, http://www.informit.com/articles/article.aspx?p=19603&seqNum=4; Solar Sunrise: Dawn of a New Threat, FBI training video, www.wired.com/2008/09/video-solar-sun/; Michael Warner, “Cybersecurity: A Pre-history”; and sources cited below.
“the first shots”: Bradley Graham, “US Studies a New Threat: Cyber Attack,” Washington Post, May 24, 1998.
“concern that the intrusions”: FBI, Memo, NID/CID to all field agents, Feb. 9, 1998 (declassified, obtained from the Cyber Conflict Studies Association).
“going to retire”: Power, “Joy Riders.”
“the most organized”: Rajiv Chandrasekaran and Elizabeth Corcoran, “Teens Suspected of Breaking into U.S. Computers,” Washington Post, Feb. 28, 1998.
Israeli police arrested Tenenbaum: Dan Reed and David L. Wilson, “Whiz-Kid Hacker Caught,” San Jose Mercury News, March 19, 1998, http://web.archive.org/web/20001007150311/http://www.mercurycenter.com/archives/reprints/hacker110698.htm; Ofri Ilany, “Israeli Hacker Said Behind Global Ring That Stole Millions,” Haaretz, Oct. 6, 2008, http://www.haaretz.com/print-edition/news/israeli-hacker-said-behind-global-ring-that-stole-millions-1.255053.
“not more than the typical hack”: FBI, Memo, [sender and recipient redacted], “Multiple Intrusions at DoD Facilities,” Feb. 12, 1998 (obtained from the Cyber Conflict Studies Association files).
“Who’s in charge?”: “Lessons from Our Cyber Past—The First Military Cyber Units,” symposium transcript, Atlantic Council, March 5, 2012, http://www.atlanticcouncil.org/news/transcripts/transcript-lessons-from-our-cyber-past-the-first-military-cyber-units.
“responsible for coordinating”: Maj. Gen. John H. Campbell, PowerPoint presentation, United States Attorneys’ National Conference, June 21, 2000.
Meanwhile, the FBI was probing all leads: See the many FBI memos, to and from various field offices, in the declassified documents obtained by the Cyber Conflict Studies Association.
5.5 gigabytes of data: The figure of 5.5 gigabytes comes from Maj. Gen. John H. Campbell, PowerPoint briefing on computer network defense, United States Attorneys’ National Conference, June 21, 2000.
Days later, the news leaked to the press: “Cyber War Underway on Pentagon Computers—Major Attack Through Russia,” CNN, March 5, 1999; Barbara Starr, “Pentagon Cyber-War Attack Mounted Through Russia,” ABC News, March 5, 1999, http://www.rense.com/politics2/cyberwar.htm.
They flew to Moscow on April 2: Declassified FBI memos, in the files of the Cyber Conflict Studies Association, mention the trip: for instance, FBI, Memo, from NatSec, “Moonlight Maze,” March 31, 1999; FBI, Memo (names redacted), Secret/NoForn, “Moonlight Maze Coordinating Group,” April 15, 1999. The rest of the material comes from interviews. (The April 15 memo also mentions that Justice and Defense Department officials, including Michael Vatis and Soup Campbell, briefed key members of House and Senate Intelligence Committees on Feb. 21, 1999, and that the first public mention of Moonlight Maze was made by John Hamre on March 5, 1999, one year after the first intrusions.)
CHAPTER 6: THE COORDINATOR MEETS MUDGE
The collective had started: The section on Mudge and the L0pht comes mainly from interviews, though also from Bruce Gottlieb, “HacK, CouNterHaCk,” New York Times, Oct. 3, 1999; Michael Fitzgerald, “L0pht in Transition,” CSO, April 17, 2007, http://www.csoonline.com/article/2121870/network-security/lopht-in-transition.html; “Legacy of the L0pht,” IT Security Guru, http://itsecurityguru.org/gurus/legacy-l0pht/#.VGE-CIvF_QU. Clarke later wrote a novel, Breakpoint (New York: G. P. Putnam’s Sons, 2007), in which one of the main characters, “Soxster,” is based on Mudge; and a hacker underground called “the Dugout” is modeled on the L0pht.
He’d been a hacker: His guitar playing at Berklee comes from Mark Small, “Other Paths: Some High-Achieving Alumni Have Chosen Career Paths That Have Led Them to Surprising Places,” Berklee, Fall 2007, http://www.berklee.edu/bt/192/other_paths.html.
He and the other L0pht denizens: The hearing can be seen on YouTube, http://www.youtube.com/watch?v=VVJldn_MmMY.
Three days after Mudge’s testimony: Bill Clinton, Presidential Decision Directive/NSC-63, “Critical Infrastructure Protection,” May 22, 1998, http://fas.org/irp/offdocs/pdd/pdd-63.htm.
FIDNET, as he called it: John Markoff, “U.S. Drawing Plan That Will Monitor Computer Systems,” New York Times, July 28, 1999; and interviews.
“Orwellian”: Tim Weiner, “Author of Computer Surveillance Plan Tries to Ease Fears,” New York Times, Aug. 16, 1999; and interviews.
“While the President and Congress can order”: Bill Clinton, National Plan for Information Systems Protection, Jan. 7, 2000, http://cryptome.org/cybersec-plan.htm.
Still, Clarke persuaded the president to hold a summit: Most of this comes from interviews, but see also Gene Spafford, “Infosecurity Summit at the White House,” Feb. 2000, http://spaf.cerias.purdue.edu/usgov/pres.html; CNN, Morning News, Feb. 15, 2000, http://transcripts.cnn.com/TRANSCRIPTS/0002/15/mn.10.html; Ricardo Alonso-Zaldivar and Eric Lichtblau, “High-Tech Industry Plans to Unite Against Hackers,” Los Angeles Times, Feb. 16, 2000.
A few weeks earlier, Mudge had gone legit: Kevin Ferguson, “A Short, Strange Trip from Hackers to Entrepreneurs,” Businessweek Online Frontier, March 2, 2000, http://www.businessweek.com/smallbiz/0003/ep000302.htm?scriptframed.
CHAPTER 7: DENY, EXPLOIT, CORRUPT, DESTROY
“the first of its kind”: U.S. Air Force, 609 IWS: A Brief History, Oct 1995–Jun 1999, https://securitycritics.org/wp-content/uploads/2006/03/hist-609.pdf.
“any action to deny, exploit”: U.S. Air Force, Cornerstones of Information Warfare, April 4, 1997, www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA323807/.
J-39 got its first taste of action: On Operation Tango (though not J-39’s role), see Richard H. Curtiss, “As U.S. Shifts in Bosnia, NATO Gets Serious About War Criminals,” Christian Science Monitor, July 18, 1997; and interviews.
more than thirty thousand NATO troops: NATO, “History of the NATO-led Stabilisation Force (SFOR) in Bosnia and Herzegovina,” http://www.nato.int/sfor/docu/d981116a.htm.
“at once a great success”: Admiral James O. Ellis, “A View from the Top,” PowerPoint presentation, n.d., http://www.slideserve.com/nili/a-view-from-the-top-admiral-james-o-ellis-u-s-navy-commander-in-chief-u-s-naval-forces-europe-commander-allied.
CHAPTER 8: TAILORED ACCESS
In the summer of 1998: The Air Force tried to take ownership of Joint Task Force-Computer Network Defense, arguing that its Information Warfare Center had unique resources and experience for the job, but Art Money and John Hamre thought it needed to be an organization that either included all services or transcended them. (Interviews.)
So, on April 1, 2000: U.S. Space Command, “JTF-GNO History—The Early Years of Cyber Defense,” Sept. 2010; and interviews.
A systematic thinker who liked: GEDA is cited by Richard Bejtlich, “Thoughts on Military Service,” TAO Security blog, Aug. 3, 2006, http://taosecurity.blogspot.com/2006/08/thoughts-on-military-service.html; and interviews.
Suddenly, if just to stake a claim: William M. Arkin, “A Mouse That Roars?,” Washington Post, June 7, 1999; Andrew Marshall, “CIA Plan to Topple Milosevic ‘Absurd,’ ” The Independent, July 8, 1999; and interviews.
To keep NSA at the center of this universe: NSA/CSS, Transition 2001, Dec. 2000, http://www2.gwu.edu/~nsarchiv/NSAEBB/NSAEBB24/nsa25.pdf; George Tenet, CIA Director, testimony, Senate Select Committee on Government Affairs, June 24, 1998, https://www.cia.gov/news-information/speeches-testimony/1998/dci_testimony_062498.html; Arkin, “A Mouse That Roars?”; and interviews.
The report was written by the Technical Advisory Group: Much of the section on TAG comes from interviews; the TAG report is mentioned in Douglas F. Garthoff, Directors of Central Intelligence as Leaders of the U.S. Intelligence Community, 1946–2005 (Washington, D.C.: CIA Center for the Study of Intelligence, 2005), 273.
The Senate committee took his report very seriously: Senate Select Committee on Intelligence, Authorizing Appropriations for Fiscal Year 2001 for the Intelligence Activities of the United States Government, Senate Rept. 106-279, 106th Congress, May 4, 2000, https://www.congress.gov/congressional-report/106th-congress/senate-report/279/1; and interviews.
“poorly communicated mission”: NSA/CSS, External Team Report: A Management Review for the Director, NSA, Oct. 22, 1999, http://fas.org/irp/nsa/106handbk.pdf; and interviews.
“is a misaligned organization”: NSA/CSS, “New Enterprise Team (NETeam) Recommendations: The Director’s Work Plan for Change,” Oct. 1, 1999, http://cryptome.org/nsa-reorg-net.htm.
On November 15, he inaugurated: Seymour M. Hersh, “The Intelligence Gap,” The New Yorker, Dec. 6, 1999; and interviews.
The NSA’s main computer system crashed: “US Intelligence Computer Crashes for Nearly 3 Days,” CNN.com, Jan. 29, 2000, http://edition.cnn.com/2000/US/01/29/nsa.computer/; and interviews.
He called the new program Trailblazer: NSA Press Release, “National Security Agency Awards Concept Studies for Trailblazer,” April 2, 2001, https://www.nsa.gov/public_info/press_room/2001/trailblazer.shtml; Alice Lipowicz, “Trailblazer Loses Its Way,” Washington Technology, Sept. 10, 2005, https://washingtontechnology.com/articles/2005/09/10/trailblazer-loses-its-way.aspx.
SAIC was particularly intertwined: Siobhan Gorman, “Little-Known Contractor Has Close Ties with Staff of NSA,” Baltimore Sun, Jan. 29, 2006, http://articles.baltimoresun.com/2006-01-29/news/0601290158_1_saic-information-technology-intelligence-experts; “Search Top Secret America’s Database of Private Spooks,” Wired, July 19, 2010, http://www.wired.com/2010/07/search-through-top-secret-americas-network-of-private-spooks/.
In the coming years, TAO’s ranks would swell: “Inside TAO: Documents Reveal Top NSA Hacking Unit,” Der Spiegel, Dec. 29, 2013, http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969.html.
These devices—their workings: Matthew M. Aid, “Inside the NSA’s Ultra-Secret China Hacking Group,” Foreign Policy, June 10, 2013.
One device, called LoudAuto: The names of these programs come from a fifty-eight-page TAO catalogue of tools and techniques, among the many documents leaked by former NSA contractor Edward Snowden. No U.S. newspaper or magazine reprinted the list (the reporters and editors working the story considered it genuinely damaging to national security), but Der Spiegel did, in its entirety (Jacob Appelbaum, Judith Horchert, and Christian Stöcker, “Shopping for Spy Gear: Catalog Advertises NSA Toolbox,” Dec. 29, 2013), and computer security analyst Bruce Schneier subsequently reprinted each item, one day at a time, on his blog.
As hackers and spies discovered vulnerabilities: “Inside TAO.”
In the ensuing decade, private companies: For more on zero-day exploits, see Neal Ungerleider, “How Spies, Hackers, and the Government Bolster a Booming Software Exploit Market,” Fast Company, May 1, 2013; Nicole Perlroth and David E. Sanger, “Nations Buying as Hackers Sell Flaws in Computer Code,” New York Times, July 13, 2013; Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (New York: Crown, 2014). Specific stories come from interviews.
During the first few months of Bush’s term: Richard A. Clarke, Against All Enemies (New York: Free Press, 2004); Steve Coll, Ghost Wars: The Secret History of the CIA, Afghanistan, and Bin Laden, from the Soviet Invasion to September 10, 2001 (New York: Penguin, 2004), 435.
On the day of the 9/11 attacks: Robin Wright, “Top Focus Before 9/11 Wasn’t on Terrorism,” Washington Post, April 1, 2004.
Rice let him draft: Executive Order 13226—President’s Council of Advisors on Science and Technology, Sept. 30, 2001, http://www.gpo.gov/fdsys/pkg/WCPD-2001-10-08/pdf/WCPD-2001-10-08-Pg1399.pdf; background, town halls, etc. come from interviews.
As it turned out, the final draft: President George W. Bush, The National Strategy to Secure Cyberspace, Feb. 2003, https://www.us-cert.gov/sites/default/files/publications/cyberspace_strategy.pdf.
CHAPTER 9: CYBER WARS
When General John Abizaid: For more on Abizaid and the Iraq War, see Fred Kaplan, The Insurgents: David Petraeus and the Plot to Change the American Way of War (New York: Simon & Schuster, 2013), esp. 182; the rest of this section comes from interviews.
Meanwhile, Secretary of Defense Donald Rumsfeld: See ibid., Ch. 4.
Seventeen years had passed: https://www.nsa.gov/about/leadership/former_directors.shtml.
That same month, Rumsfeld signed: Dana Priest and William Arkin, Top Secret America: The Rise of the New American Security State (New York: Little, Brown, 2011), 236.
A few years earlier, when Alexander: The section on the Alexander-Hayden feud and James Heath’s experiment at Fort Belvoir comes from interviews. Some material on Heath also comes from Shane Harris, “The Cowboy of the NSA,” Foreign Policy, Sept. 2013; and Shane Harris, The Watchers: The Rise of America’s Surveillance State (New York: Penguin, 2010), 99, 135. Some have reported that Alexander designed the Information Dominance Center’s command post to look like the captain’s deck on Star Trek, but in fact it was set up not by Alexander or even by Noonan, but rather by Noonan’s predecessor, Major General John Thomas. (Ryan Gallagher, “Inside the U.S. Army’s Secretive Star Trek Surveillance Lair,” Slate, Sept. 18, 2013, http://www.slate.com/blogs/future_tense/2013/09/18/surveilliance_and_spying_does_the_army_have_a_star_trek_lair.html; and interviews.)
But Alexander won over Rumsfeld: Most of this comes from interviews, but the transfer of data in June 2001 is also noted in Keith Alexander, classified testimony before House Permanent Select Committee on Intelligence, Nov. 14, 2001, reprinted in U.S. Army Intelligence and Security Command, Annual Command History, Fiscal Year 2001, Sept. 30, 2002 (declassified through Freedom of Information Act).
Ironically, while complaining: For details on Stellar Wind, see Barton Gellman, “U.S. Surveillance Architecture Includes Collection of Revealing Internet, Phone Metadata,” Washington Post, June 15, 2013, and, attached on the Post website, the top secret draft of an inspector general’s report on the program, http://apps.washingtonpost.com/g/page/world/national-security-agency-inspector-general-draft-report/277/.
Trailblazer had consumed $1.2 billion: Siobhan Gorman, “System Error,” Baltimore Sun, Jan. 29, 2006, http://articles.baltimoresun.com/2006-01-29/news/0601280286_1_intelligence-experts-11-intelligence-trailblazer; Alice Lipowicz, “Trailblazer Loses Its Way,” Washington Technology, Sept. 10, 2005, http://washingtontechnology.com/articles/2005/09/10/trailblazer-loses-its-way.aspx; and interviews.
Turbulence consisted of nine smaller systems: Robert Sesek, “Unraveling NSA’s Turbulence Programs,” Sept. 15, 2014, https://robert.sesek.com/2014/9/unraveling_nsa_s_turbulence_programs.html; and interviews.
RTRG got under way: This comes mainly from interviews, but also from Bob Woodward, Obama’s Wars (New York: Simon & Schuster, 2010), 10; Ellen Nakashima and Joby Warrick, “For NSA Chief, Terrorist Threat Drives Passion to ‘Collect It All,’ ” Washington Post, July 14, 2013; Shane Harris, @War: The Rise of the Military-Internet Complex (New York: Houghton Mifflin Harcourt, 2014), Ch. 2.
In 2007 alone, these sorts of operations: “General Keith Alexander Reveals Cybersecurity Strategies and the Need to Secure the Infrastructure,” Gartner Security and Risk Management Summit, June 23–26, 2014, http://blogs.gartner.com/security-summit/announcements/general-keith-alexander-reveals-cybersecurity-strategies-and-the-need-to-secure-the-infrastructure/; and interviews.
The effect was not decisive: For more on this point, see Kaplan, The Insurgents, esp. Ch. 19.
On September 6: David A. Fulghum, “Why Syria’s Air Defenses Failed to Detect Israelis,” Aviation Week & Space Technology, Nov. 12, 2013; Erich Follath and Holger Stark, “The Story of ‘Operation Orchard’: How Israel Destroyed Syria’s Al Kibar Nuclear Reactor,” Der Spiegel, Nov. 2, 2009, http://www.spiegel.de/international/world/the-story-of-operation-orchard-how-israel-destroyed-syria-s-al-kibar-nuclear-reactor-a-658663.html; Richard A. Clarke and Robert K. Knake, Cyber War (New York: HarperCollins, 2010), 1–8; Robin Wright, “N. Koreans Taped at Syrian Reactor,” Washington Post, April 24, 2008; “CIA Footage in Full,” BBC News, April 24, 2008, http://news.bbc.co.uk/2/hi/7366235.stm; and interviews.
They did so with a computer program called Suter: Fulghum, “Why Syria’s Air Defenses Failed to Detect Israelis”; and interviews. There was some controversy over whether the target was really a nuclear reactor, but in retrospect the evidence seems indisputable. Among other things, the International Atomic Energy Agency found, in soil samples it collected around the bombed reactor, “a significant number of anthropogenic natural uranium particles (i.e., produced as a result of chemical processing).” (Follath and Stark, “The Story of ‘Operation Orchard.’ ”)
Four and a half months earlier: “War in the Fifth Domain,” The Economist, July 1, 2010, http://www.economist.com/node/16478792; Andreas Schmidt, “The Estonian Cyberattacks,” in Jason Healey, ed., A Fierce Domain, 174–93; Clarke and Knake, Cyber War, 12–16.
On August 1, 2008, Ossetian separatists: U.S. Cyber Consequences Unit, Overview by the US-CCU of the Cyber Campaign Against Georgia in August of 2008 (Aug. 2009), http://www.registan.net/wp-content/uploads/2009/08/US-CCU-Georgia-Cyber-Campaign-Overview.pdf; Andreas Hagen, “The Russo-Georgian War, 2008,” in Healey, ed., A Fierce Domain, 194–204; Government of Georgia, Ministry of Foreign Affairs, Russian Invasion of Georgia: Russian Cyberwar on Georgia (Nov. 10, 2008), http://www.mfa.gov.ge/files/556_10535_798405_Annex87_CyberAttacks.pdf.
On March 4, 2007, the Department of Energy: The background of the test comes from interviews. See also “Mouse Click Could Plunge City into Darkness, Experts Say,” CNN, Sept. 27, 2007, http://www.cnn.com/2007/US/09/27/power.at.risk/index.html; Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (New York: Crown, 2014), Ch. 9.
Almost instantly, the generator shook: For the video, see https://www.youtube.com/watch?v=fJyWngDco3g.
In 2000, a disgruntled former worker: Zetter, Countdown to Zero Day, 135ff.
CHAPTER 10: BUCKSHOT YANKEE
When the position was created: Fred Kaplan, “The Professional,” New York Times Magazine, Feb. 10, 2008.
So McConnell’s briefing: The date of the meeting comes from “NSC 05/16/2007-Cyber Terror” folder, NSC Meetings series, National Security Council-Records and Access Management Collection, George W. Bush Presidential Library (folder obtained through Freedom of Information Act). The substance of the meeting (which was not declassified) comes from interviews.
Bush quickly got the idea: This is based on interviews, though it’s also covered in Shane Harris, @War: The Rise of the Military-Internet Complex (New York: Houghton Mifflin Harcourt, 2014), Ch. 2.
But the task proved unwieldy: William Jackson, “DHS Coming Up Short on Einstein Deployment,” GCN, May 13, 2003, http://gcn.com/articles/2013/05/13/dhs-einstein-deployment.aspx; and interviews.
On January 9, 2008: President George W. Bush, National Security Presidential Directive (NSPD) 54, “Cyber Security Policy,” Jan. 8, 2008, http://www.fas.org/irp/offdocs/nspd/nspd-54.pdf. The background comes from interviews.
Meanwhile, Homeland Security upgraded Einstein: Steven M. Bellovin et al., “Can It Really Work? Problems with Extending Einstein 3 to Critical Infrastructure,” Harvard National Security Journal, Vol. 3, Jan. 2011, http://harvardnsj.org/wp-content/uploads/2012/01/Vol.-3_Bellovin_Bradner_Diffie_Landau_Rexford.pdf; and interviews.
Alexander put out the word: Alexander cited the “Maginot Line” analogy many times; see for instance, “Defenses Against Hackers Are Like the ‘Maginot Line,’ NSA Chief Says,” Blog, WSJ Tech, Jan. 13, 2012, http://blogs.wsj.com/digits/2012/01/13/u-s-business-defenses-against-hackers-are-like-the-maginot-line-nsa-chief-says/; and interviews.
The pivotal moment: The section on Buckshot Yankee comes mainly from interviews, but also from Karl Grindal, “Operation Buckshot Yankee,” in Jason Healey, ed., A Fierce Domain: Conflict in Cyberspace 1986 to 2012 (Washington, D.C.: Atlantic Council, 2013); Harris, @War, Ch. 9; William J. Lynn III, “Defending a New Domain: The Pentagon’s Cyberstrategy,” Foreign Affairs, Sept./Oct. 2010.
When he first took the job: For more on Gates as defense secretary, see Kaplan, “The Professional”; and Kaplan, The Insurgents: David Petraeus and the Plot to Change the American Way of War (New York: Simon & Schuster, 2013), Ch. 18.
On June 23, 2009: U.S. Dept. of Defense, “U.S. Cyber Command Fact Sheet,” May 25, 2010, http://www2.gwu.edu/~nsarchiv/NSAEBB/NSAEBB424/docs/Cyber-038.pdf.
On July 7, 2010, Gates had lunch: This section comes mainly from interviews, though the plan is briefly mentioned, along with the dates of the two meetings, in Robert Gates, Duty: Memoirs of a Secretary at War (New York: Alfred A. Knopf, 2014), 450–51.
“war zone”: This section is based mainly on interviews, though in a Reuters profile, upon her resignation in 2013, Lute said, “The national narrative on cyber has evolved. It’s not a war zone, and we certainly cannot manage it as if it were a war zone. We’re not going to manage it as if it were an intelligence program or one big law-enforcement operation.” (Joseph Menn, “Exclusive: Homeland Security Deputy Director to Quit; Defended Civilian Internet Role,” Reuters, April 9, 2013, http://www.reuters.com/article/2013/04/09/us-usa-homeland-lute-idUSBRE9380DL20130409.)
In the end, they approved Brown: The watered-down version of the arrangement, “Memorandum of Agreement Between the Department of Homeland Security and the Department of Defense Regarding Cybersecurity,” signed by Gates on Sept. 24 and by Napolitano on Sept. 27, 2010, can be found at http://www.defense.gov/news/d20101013moa.pdf.
CHAPTER 11: “THE WHOLE HAYSTACK”
The hearings led to the passage: The section of FISA dealing with electronic surveillance is 50 U.S.C. 1802(a).
After the attacks of September 11: A good summary is Edward C. Liu, “Amendments to the Foreign Intelligence Surveillance Act (FISA) Extended Until June 1, 2015,” Congressional Research Service, June 16, 2011, https://www.fas.org/sgp/crs/intel/R40138.pdf.
“badly out of date”: “The President’s Radio Address,” July 28, 2007, Public Papers of the Presidents of the United States: George W. Bush, 2007, Book II (Washington, D.C.: US Government Printing Office, 2007), 1027–28, http://www.gpo.gov/fdsys/pkg/PPP-2007-book2/html/PPP-2007-book2-doc-pg1027.htm.
“electronic surveillance of” an American: Text of the Protect America Act of 2007, https://www.govtrack.us/congress/bills/110/s1927/text.
“connect the dots”: For instance, see The 9/11 Commission Report, 408 and passim, http://www.9-11commission.gov/report/911Report.pdf.
“the whole haystack”: The metaphor was first used by a “former intelligence officer” quoted in Ellen Nakashima and Joby Warrick, “For NSA Chief, Terrorist Threat Drives Passion to ‘Collect It All,’ ” Washington Post, July 14, 2013. But Alexander was known to use the phrase, too. (Interviews.)
Still, on February 9: White House press release, Feb. 9, 2009, http://www.whitehouse.gov/the_press_office/AdvisorsToConductImmediateCyberSecurityReview/.
It took longer than sixty days: White House press release, May 29, 2009, http://www.whitehouse.gov/the-press-office/cybersecurity-event-fact-sheet-and-expected-attendees.
It read uncannily like: White House, Cyberspace Policy Review, http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf; quotes come from i, iv, v, vi.
“share the responsibility”: Ibid., 17.
“this cyber threat”: White House, “Remarks by the President on Securing the Nation’s Cyber Infrastructure,” East Room, May 29, 2009.
CHAPTER 12: “SOMEBODY HAS CROSSED THE RUBICON”
George W. Bush personally briefed: David Sanger, Confront and Conceal (New York: Crown, 2012), xii, 190, 200–203.
The operation had been set in motion: Ibid., 191–93.
In their probes: Ibid., 196ff; Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (New York: Crown, 2014), Ch. 1.
This would be a huge operation: Ellen Nakashima and Joby Warrick, “Stuxnet Was Work of U.S. and Israeli Experts, Officials Say,” Washington Post, June 2, 2012.
uninterruptible power supplies: Zetter, Countdown to Zero Day, 200–201.
A multipurpose piece of malware: Ibid., 276–79. Much of Zetter’s information comes from the computer virus specialists at Symantec and Kaspersky Lab who discovered Stuxnet. A typical malicious code took up, on average, about 175 lines. (Interviews.)
To get inside the controls: Ibid., 90, 279.
It took eight months: Sanger, Confront and Conceal, 193.
At the next meeting: Ibid., xii.
There was one more challenge: Ibid., 194–96; and interviews. It has not yet been revealed who installed the malware-loaded thumb drives on the Iranian computers. Some speculate that it was an Israeli agent working at Natanz, some that a foreign agent (possibly with the CIA’s Information Operations Center) infiltrated the facility, some say that contaminated thumb drives were spread around the area until someone unwittingly inserted one into a computer.
Not only would the malware: Zetter, Countdown to Zero Day, 61, 117, 123.
Once in the White House: Ibid., 202.
but this particular worm was programmed: Ibid., 28.
Obama phoned Bush to tell him: In his memoir, Duty (New York: Alfred A. Knopf, 2014), 303, Robert Gates writes that “about three weeks after” Obama’s inauguration, “I called Bush 43 to tell him that we had had a significant success in a covert program he cared about a lot.” Soon after, “Obama told me he was going to call Bush and tell him about the covert success.” Gates doesn’t say that the classified program was Stuxnet, but it’s clear from the context—and from other sections of the book where he mentions a classified program related to Iran (190–91) and denounces the leak (328)—that it is.
In March, the NSA shifted its approach: Zetter, Countdown to Zero Day, 303.
The normal speed: David Albright, Paul Brannan, and Christina Walrond, “ISIS Reports: Stuxnet Malware and Natanz” (Washington, D.C.: Institute for Science and International Security), Feb. 15, 2011, http://isis-online.org/uploads/isis-reports/documents/stuxnet_update_15Feb2011.pdf.
They’d experienced technical problems: An unclassified version of a 2007 National Intelligence Estimate noted that Iran was experiencing “significant technical problems operating” centrifuges (“Key Judgments from a National Intelligence Estimate on Iran’s Nuclear Activity,” reprinted in New York Times, Dec. 4, 2007); this was well before Stuxnet was activated.
By the start of 2010: Zetter, Countdown to Zero Day, 1–3. Similar estimates are in Albright et al., “ISIS Reports: Stuxnet Malware and Natanz.”
President Obama—who’d been briefed: During briefings on Olympic Games, large foldout maps of the Natanz reactor were spread across the Situation Room (Sanger, Confront and Conceal, 201).
Almost at once: Michael Joseph Gross, “A Declaration of Cyber-War,” Vanity Fair, February 28, 2011. For more details, see Nicolas Falliere, Liam O. Murchu, and Eric Chien, “Symantec Security Response: W32.Stuxnet Dossier,” https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf; David Kushner, “The Real Story of Stuxnet,” IEEE Spectrum, Feb. 26, 2013, http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet; Eugene Kaspersky, “The Man Who Found Stuxnet—Sergey Ulasen in the Spotlight,” Nota Bene, Nov. 2, 2011, http://eugene.kaspersky.com/2011/11/02/the-man-who-found-stuxnet-sergey-ulasen-in-the-spotlight/.
Microsoft issued an advisory: “Microsoft Security Bulletin MS10-046—Critical: Vulnerability in Windows Shell Could Allow Remote Execution,” Aug. 2, 2010 (updated Aug. 24, 2010), https://technet.microsoft.com/en-us/library/security/ms10-046.aspx; Zetter, Countdown to Zero Day, 279.
By August, Symantec had uncovered: Nicolas Falliere, “Stuxnet Introduces the First Known Rootkit for Industrial Control Systems,” Symantec Security Response Blog, Aug. 6, 2010, http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices.
In September, a German security researcher: Sanger, Confront and Conceal, 205–6; Joseph Gross, “A Declaration of Cyber-War.”
At that point, some of the American software sleuths: Zetter, Countdown to Zero Day, 187–89; and interviews.
When Obama learned: Ibid., 357.
The postmortem indicated: David Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” New York Times, June 1, 2012.
“offensive capabilities in cyber space”: Quoted in Richard A. Clarke and Robert K. Knake, Cyber War (New York: HarperCollins, 2010), 44–47.
“cyber-offensive teams”: Zachary Fryer-Biggs, “U.S. Sharpens Tone on Cyber Attacks from China,” DefenseNews, March 18, 2013, http://mobile.defensenews.com/article/303180021; and interviews.
In Obama’s first year as president: Choe Sang-Hun and John Markoff, “Cyberattacks Jam Government and Commercial Web Sites in U.S. and South Korea,” New York Times, July 18, 2009; Clarke and Knake, Cyber War, 23–30.
A year and a half later: Zetter, Countdown to Zero Day, 276–79.
Four months after that: Nicole Perlroth, “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back,” New York Times, Oct. 23, 2013.
“demonstrated a clear ability”: “Iran—Current Topics, Interaction with GCHQ: Director’s Talking Points,” April 2013, quoted and linked in Glenn Greenwald, “NSA Claims Iran Learned from Western Cyberattacks,” The Intercept, Feb. 10, 2015, https://firstlook.org/theintercept/2015/02/10/nsa-iran-developing-sophisticated-cyber-attacks-learning-attacks/. The document comes from the cache leaked by Edward Snowden. The essential point is confirmed by interviews.
At what point, he asked: Gates, Duty, 451; and interviews.
“Previous cyber-attacks had effects”: Sanger, Confront and Conceal, 200.
“Trilateral Memorandum of Agreement”: The memorandum of agreement is mentioned in a footnote in Barack Obama, Presidential Policy Directive, PPD-20, “U.S. Cyber Operations Policy,” Oct. 2012, https://www.fas.org/irp/offdocs/ppd/ppd-20.pdf. PPD-20 is among the documents leaked by Edward Snowden.
An action report on the directive: This is noted in boldfaced brackets in the copy of the document that Snowden leaked.
“You can’t have something that’s a secret”: Andrea Shalal-Esa, “Ex-U.S. General Urges Frank Talk on Cyber Weapons,” Reuters, Nov. 6, 2011, http://www.reuters.com/article/2011/11/06/us-cyber-cartwright-idUSTRE7A514C20111106.
“the authority to develop”: William B. Black Jr., “Thinking Out Loud About Cyberspace,” Cryptolog, Spring 1997 (declassified Oct. 2012), http://cryptome.org/2013/03/cryptolog_135.pdf. Black’s precise title at the NSA was special assistant to the director for information warfare.
CHAPTER 13: SHADY RATS
“rebalancing its global posture”: Thomas Donilon, speech, Asia Society, New York City, March 11, 2013, http://asiasociety.org/new-york/complete-transcript-thomas-donilon-asia-society-new-york.
Then on February 18, Mandiant: Mandiant, APT1: Exposing One of China’s Cyber Espionage Units, Feb. 18, 2013, http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf.
The Times ran a long front-page story: David Sanger, David Barboza, and Nicole Perlroth, “Chinese Army Unit Is Seen as Tied to Hacking Against U.S.,” New York Times, Feb. 18, 2013. The Chinese response (“irresponsible,” “unprofessional,” etc.) is quoted in the same article.
As early as 2001: Nathan Thornburgh, “The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them),” Time, Sept. 5, 2005; Adam Segal, “From Titan Rain to Byzantine Hades: Chinese Cyber Espionage,” in Jason Healey, ed., A Fierce Domain: Conflict in Cyberspace, 1986–2012 (Washington, D.C.: Atlantic Council/Cyber Conflict Studies Association, 2013), 165–93; and interviews.
“information confrontation”: Bryan Krekel, Patton Adams, and George Bakos, Occupying the Information High Ground, Prepared for the U.S.-China Economic and Security Review Commission (Northrop Grumman Corporation, March 7, 2012), 9–11, http://www2.gwu.edu/~nsarchiv/NSAEBB/NSAEBB424/docs/Cyber-066.pdf.
By the end of the decade: Ibid., 24–28, 40, 45–46; and interviews.
he had written his doctoral dissertation: It was published as Gregory J. Rattray, Strategic Warfare in Cyberspace (Cambridge: MIT Press, 2001); the rest of this section is from interviews.
The typical Chinese hack started off: Dmitri Alperovitch, McAfee White Paper, “Revealed: Operation Shady RAT,” n.d., http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf; Ellen Nakashima, “Report on ‘Operation Shady RAT’ Identifies Widespread Cyber-Spying,” Washington Post, Aug. 3, 2011; Michael Joseph Gross, “Exclusive: Operation Shady RAT—Unprecedented Cyber-espionage Campaign and Intellectual-Property Bonanza,” Vanity Fair, Sept. 2011; Segal, “From Titan Rain to Byzantine Hades: Chinese Cyber Espionage,” 168.
On June 6, The Washington Post and The Guardian: “Verizon Forced to Hand Over Telephone Data—Full Court Ruling,” The Guardian, June 5, 2013, accompanying Glenn Greenwald, “NSA Collecting Phone Records of Millions of Verizon Customers Daily,” The Guardian, June 6, 2013; “NSA Slides Explain the Prism Data-Collection Program,” Washington Post, June 6, 2013, which accompanied Barton Gellman and Laura Poitras, “U.S., British Intelligence Mining Data from Nine U.S. Internet Companies in Broad Secret Program,” Washington Post, June 7, 2013; Glenn Greenwald and Ewen MacAskill, “NSA Prism Program Taps in to User Data of Apple, Google, and others,” The Guardian, June 7, 2013. The Guardian and the Post, which both had Snowden documents, were locked in a fierce competition over who could publish first. The Guardian’s Verizon story went online June 5, then appeared in its print edition June 6. The first Post story went online June 6, then in print June 7. For a list of all the Post’s Snowden-based stories, see http://dewitt.sanford.duke.edu/gellmanarticles/.
These were the first of many stories: For the journalists’ accounts of their encounters with Snowden, see “Live Chat: NSA Surveillance: Q&A with Reporter Barton Gellman,” July 15, 2014, http://live.washingtonpost.com/nsa-surveillance-bart-gellman.html; and Laura Poitras’s documentary film, CitizenFour, 2014. For critical views of Snowden, see Fred Kaplan, “Why Snowden Won’t (and Shouldn’t) Get Clemency,” Slate, Jan. 3, 2014, http://www.slate.com/articles/news_and_politics/war_stories/2014/01/edward_snowden_doesn_t_deserve_clemency_the_nsa_leaker_hasn_t_proved_he.html; Mark Hosenball, “NSA Memo Confirms Snowden Scammed Passwords from Colleagues,” Reuters, Feb. 13, 2014, http://www.reuters.com/article/2014/02/13/us-usa-security-idUSBREA1C1MR20140213; George Packer, “The Errors of Edward Snowden and Glenn Greenwald,” Prospect, May 22, 2014, http://www.prospectmagazine.co.uk/features/the-errors-of-edward-snowden-and-glenn-greenwald.
From that point on, the Chinese retort: At a later summit, in September 2015, Obama and Xi agreed not to “conduct or knowingly support” cyber theft of “intellectual property” with the “intent of providing competitive advantage to companies or commercial sectors.” The language was loose: “knowingly support” would still allow “tolerate,” and an action’s “intent” can be briskly denied. In any case, the U.S. doesn’t conduct this type of cyber theft (it doesn’t need Chinese trade secrets), and Xi still (absurdly) denies government involvement. And the agreement doesn’t cover other forms of cyber attacks or cyber espionage, not least because the U.S. engages in them, too. Still, the deal did set up a hotline and a process for investigating malicious cyber activities. It could enable deeper cooperation down the road. White House, “Fact Sheet: President Xi Jinping’s State Visit to the United States,” Sept. 25, 2015, https://www.whitehouse.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states.
One week after the failed summit: Lana Lam and Stephen Chen, “Exclusive: Snowden Reveals More US Cyberspying Details,” South China Morning Post, June 22, 2013, http://www.scmp.com/news/hong-kong/article/1266777/exclusive-snowden-safe-hong-kong-more-us-cyberspying-details-revealed?page=all.
Soon came newspaper stories: For summary, see Kaplan, “Why Snowden Won’t (and Shouldn’t) Get Clemency.”
Fort Meade’s crown jewels: Jacob Appelbaum, Judith Horchert, and Christian Stocker, “Shopping for Spy Gear: Catalog Advertises NSA Toolbox,” Der Spiegel, Dec. 29, 2013, http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969.html.
Under the surveillance system described: The potential extent of surveillance, covered by three hops, is most clearly explained in Liberty and Security in a Changing World: Report and Recommendations of the President’s Review Group on Intelligence and Communication Technologies (White House, Dec. 12, 2013), 103, https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=%22liberty%20and%20security%22%20clarke.
Following this disclosure: For instance, General Keith Alexander, testimony, House Permanent Select Committee on Intelligence, June 18, 2013, http://icontherecord.tumblr.com/post/57812486681/hearing-of-the-house-permanent-select-committee-on.
“Does the NSA collect”: Transcribed in Glenn Kessler, “James Clapper’s ‘Least Untruthful’ Statement to the Senate,” http://www.washingtonpost.com/blogs/fact-checker/post/james-clappers-least-untruthful-statement-to-thesenate/2013/06/11/e50677a8-d2d8-11e2-a73e-826d299ff459_blog.html.
The day before, he’d given Clapper’s office: Senator Ron Wyden, press release, June 11, 2013, http://www.wyden.senate.gov/news/press-releases/wyden-statement-responding-to-director-clappers-statements-about-collection-on-americans.
“I thought, though, in retrospect”: Andrea Mitchell, interview with General James Clapper, NBC-TV, June 9, 2013.
“besmirching the reputation”: Steven Burke, “Cisco Senior VP: NSA Revelations Besmirched Reputation of US Companies,” CRN News, Jan. 17, 2014, http://www.crn.com/news/security/240165497/cisco-senior-vp-nsa-revelations-besmirched-reputation-of-us-companies.htm?cid=rssFeed.
Merkel was outraged: Philip Oltermann, “Germany Opens Inquiry into Claims NSA Tapped Angela Merkel’s Phone,” The Guardian, June 4, 2014.
There was more than a trace: Anthony Faiola, “Germans, Still Outraged by NSA Spying, Learn Their Country May Have Helped,” Washington Post, May 1, 2015; Reuters, “Germany Gives Huge Amount of Phone, Text Data to US: Report,” http://www.nytimes.com/reuters/2015/05/12/world/europe/12reuters-germany-spying.html.
CHAPTER 14: “THE FIVE GUYS REPORT”
“a high-level group”: President Obama, press conference, Aug. 9, 2013, https://www.whitehouse.gov/the-press-office/2013/08/09/remarks-president-press-conference.
That same day: “Administration White Paper: Bulk Collection of Telephony Metadata Under Section 215 of the USA Patriot Act,” Aug. 9, 2013, http://www.publicrecordmedia.com/wp-content/uploads/2013/08/EOP2013_pd_001.pdf; “The National Security Agency: Missions, Authorities, Oversight and Partnerships,” Aug. 9, 2013, https://www.nsa.gov/public_info/_files/speeches_testimonies/2013_08_09_the_nsa_story.pdf.
Sunstein had written an academic paper in 2008: Cass R. Sunstein and Adrian Vermeule, “Conspiracy Theories” (Harvard Public Law Working Paper No. 08-03; University of Chicago Public Law Working Paper No. 199), Jan. 15, 2008, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1084585.
The other Chicagoan, Geoffrey Stone: See esp. Geoffrey R. Stone, Perilous Times: Free Speech in Wartime from the Sedition Act of 1798 to the War on Terrorism (New York: W. W. Norton, 2006); Geoffrey Stone, Top Secret: When Our Government Keeps Us in the Dark (New York: Rowman & Littlefield, 2007).
Peter Swire: peterswire.net; and interviews.
“To the loved ones”: Transcript, Richard A. Clarke, testimony, 9/11 Commission, March 24, 2004, http://www.cnn.com/TRANSCRIPTS/0403/28/le.00.html.
a segment on CBS TV’s 60 Minutes: “The CBS 60 Minutes Richard Clarke Interview,” http://able2know.org/topic/20967-1.
Published in April 2010: For examples of criticism, see Ryan Singel, “Richard Clarke’s Cyber War: File Under Fiction,” Wired, April 22, 2010.
“Cyber-war, cyber-this”: Jeff Stein, “Book Review: ‘Cyber War’ by Richard Clarke,” Washington Post, May 23, 2010.
On August 27: http://www.dni.gov/index.php/intelligence-community/review-group; the substance of the meeting comes from interviews.
The next morning: The date of the first meeting at Fort Meade comes from a highly entertaining video of Geoffrey Stone delivering the “Journeys” lecture at the University of Chicago, sometime in 2014, http://chicagohumanities.org/events/2014/journeys/geoffrey-stone-on-the-nsa; substance of the session comes from that video and interviews.
In Cyber War, he’d criticized: Richard A. Clarke and Robert K. Knake, Cyber War (New York: HarperCollins, 2010), passim, esp. 44ff.
Stone was no admirer of Snowden: “Is Edward Snowden a Hero? A Debate with Journalist Chris Hedges and Law Scholar Geoffrey Stone,” Democracy Now, June 12, 2013, http://www.democracynow.org/2013/6/12/is_edward_snowden_a_hero_a; and interviews.
Moreover, if the metadata revealed: The figure of twenty-two NSA officials comes from the White House, Liberty and Security in a Changing World: Report and Recommendations of the President’s Review Group on Intelligence and Communication Technologies, Dec. 12, 2013 (hereinafter cited as “President’s Review Group”), 98, https://www.nsa.gov/civil_liberties/_files/liberty_security_prgfinalreport.pdf; the rest of this section, unless otherwise noted, comes from interviews.
second hop: A clear discussion of hops can be found in ibid., 102–3.
For all of 2012: The numbers—288, 12, and 0—are cited in ibid., 104.
“Uh, hello?”: Geoffrey Stone, interview, NBC News, “Information Clearing House,” Dec. 20, 2013, http://www.informationclearinghouse.info/article37174.htm; and interviews.
It concerned the program known as PRISM: This was the first news leak from Snowden, who had not yet come out as the source. See Barton Gellman and Laura Poitras, “U.S., British Intelligence Mining Data from Nine U.S. Internet Companies in Broad Secret Program,” Washington Post, June 7, 2013; the discussion at Fort Meade comes from interviews.
“the most significant tool”: Quoted in Jack Bouboushian, “Feds Ponder Risk in Preserving Spying Data,” Courthouse News Service, June 6, 2014, http://www.courthousenews.com/2014/06/06/68528.htm. The same language was later used in the NSA’s Aug. 9 release on its missions and authorities (see above), as well as in a joint statement on Aug. 22, 2013 by the NSA and the Office of the Director of National Intelligence, http://www.dni.gov/index.php/newsroom/press-releases/191-press-releases-2013/917-joint-statement-nsa-and-office-of-the-director-of-national-intelligence.
General Alexander had publicly claimed: NBC News, June 27, 2013, http://usnews.nbcnews.com/_news/2013/06/27/19175466-nsa-chief-says-surveillance-programs-helped-foil-54-plots; and interviews.
“selectors” . . . “foreignness” . . . 52 percent: This was also cited in Gellman and Poitras, “U.S., British Intelligence Mining Data from Nine U.S. Internet Companies in Broad Secret Program.”
Each year the agency’s director: President’s Review Group, 138.
“tens of thousands of wholly domestic communications”: Cited in ibid., 141–42.
But to some of the panelists: This comes from interviews, but the thought is expressed throughout the report, for instance, 61, 76, 113–16, 125.
Morell and the staff . . . concluded: Ibid., 144–45.
However, in none of those fifty-three files: Ibid., 104; and interviews.
Alexander also revealed: Ibid., 97; and interviews.
“This is bullshit”: Stone, “Journeys” lecture, University of Chicago; and interviews.
“reduce the risk”: President’s Review Group, 118. For the other recommendations cited, see 34, 36, 86, 89.
“subvert, undermine, weaken”: Ibid., 36–37.
Finally, lest anyone interpret the report: These were Recommendations Nos. 37 through 46. Ibid., 39–42.
On December 13: White House press spokesman Jay Carney cited the date in his Dec. 16 briefing, https://www.whitehouse.gov/the-press-office/2013/12/16/daily-briefing-press-secretary-12162013.
“to promote public trust”: President’s Review Group, 49.
“Although recent disclosures”: Ibid., 75–76.
“no evidence of illegality”: Ibid., 76.
“the lurking danger”: Ibid., 113.
“We cannot discount”: Ibid., 114.
On December 18: White House, President’s Schedule, https://www.whitehouse.gov/schedule/president/2013-12-18.
“We cannot prevent terrorist attacks”: “Remarks by the President on Review of Signals Intelligence,” Jan. 17, 2014, https://www.whitehouse.gov/the-press-office/2014/01/17/remarks-president-review-signals-intelligence.
“in the sense that there’s no clear line”: Liz Gannes, “How Cyber Security Is Like Basketball, According to Barack Obama,” re/code, Feb. 14, 2015, http://recode.net/2015/02/14/how-cyber-security-is-like-basketball-according-to-barack-obama/.
The questions to be asked: Michael Daniel, White House cybersecurity chief, revealed this decision, and outlined these criteria, in his blog of April 28, 2014, headlined “Heartbleed: Understanding When We Disclose Cyber Vulnerabilities,” https://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities.
“unprecedented and unwarranted”: The ruling came in the case of ACLU v. Clapper, http://pdfserver.amlaw.com/nlj/NSA_ca2_20150507.pdf. A lower court had ruled in favor of Clapper and thus upheld the FISA Court’s concept of “relevance” and the legality of NSA bulk collection; the U.S. Court of Appeals for the 2nd Circuit in New York overturned that ruling. I analyzed the ruling and its implications in Fred Kaplan, “Mend It, Don’t End It,” Slate, May 8, 2015, http://www.slate.com/articles/news_and_politics/war_stories/2015/05/congress_should_revise_the_patriot_act_s_section_215_the_national_security.html.
“To be clear”: Stone published a shortened version of his talk, on the same day, as Geoffrey R. Stone, “What I Told the NSA,” Huffington Post, March 31, 2014, http://www.huffingtonpost.com/geoffrey-r-stone/what-i-told-the-nsa_b_5065447.html; this account of his speech is based on that article and on interviews.
CHAPTER 15: “WE ARE WANDERING IN DARK TERRITORY”
In the wee hours: Most of the material on the Vegas hack is from Ben Elgin and Michael Riley, “Now at the Sands Casino: An Iranian Hack in Every Server,” Bloomberg Businessweek, Dec. 11, 2014, http://www.bloomberg.com/bw/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas; a bit is from interviews.
“Guardians of Peace”: James Cook, “Sony Hackers Have Over 100 Terabytes of Documents,” Business Insider, Dec. 16, 2014; Mark Seal, “An Exclusive Look at Sony’s Hacking Saga,” Vanity Fair, Feb. 2015; Kevin Mandia, quoted in “The Attack on Sony,” 60 Minutes, CBS TV, Apr. 12, 2015, http://www.cbsnews.com/news/north-korean-cyberattack-on-sony-60-minutes/.
Sony had been hacked before: Keith Stuart and Charles Arthur, “PlayStation Network Hack,” The Guardian, April 27, 2011; Jason Schreier, “Sony Hacked Again: 25 Million Entertainment Users’ Info at Risk,” Wired.com, May 2, 2011, http://www.wired.com/2011/05/sony-online-entertainment-hack/.
The cost, in business lost: Jason Schreier, “Sony Estimates $171 Million Loss from PSN Hack,” Wired.com, May 23, 2011, http://www.wired.com/2011/05/sony-psn-hack-losses/.
So the lessons learned in one realm: John Gaudiosi, “Why Sony Didn’t Learn from Its 2011 Hack,” Fortune.com, Dec. 24, 2014, http://fortune.com/2014/12/24/why-sony-didnt-learn-from-its-2011-hack/.
“DarkSeoul”: Brandon Bailey and Youkyung Lee, “Experts Cite Similarities Between Sony Hack and 2013 South Korean Hacks,” Associated Press, Dec. 4, 2014, http://globalnews.ca/news/1707716/experts-cite-similarities-between-sony-hack-and-2013-south-korean-hacks/.
“mercilessly destroy”: David Tweed, “North Korea to ‘Mercilessly’ Destroy Makers of Rogen Film,” BloombergBusiness, June 26, 2014, http://www.bloomberg.com/news/articles/2014-06-26/north-korea-to-mercilessly-destroy-makers-of-seth-rogan-film.
In public, officials said: “The Attack on Sony,” 60 Minutes; “NSA Chief Says Sony Attack Traced to North Korea After Software Analysis,” Reuters, Feb. 19, 2015, http://www.nytimes.com/reuters/2015/02/19/technology/19reuters-nsa-northkorea-sony.html?_r=0.
But the real reason: David E. Sanger and Martin Fackler, “NSA Breached North Korean Network Before Sony Attack, Officials Say,” New York Times, Jan. 18, 2015; and interviews.
“made a mistake”: “Remarks by the President in Year-End Press Conference,” White House, Dec. 19, 2014, https://www.whitehouse.gov/the-press-office/2014/12/19/remarks-president-year-end-press-conference.
“not just an attack”: Statement by Secretary Johnson on Cyber Attack on Sony Pictures Entertainment, Department of Homeland Security, Dec. 19, 2014, http://www.dhs.gov/news/2014/12/19/statement-secretary-johnson-cyber-attack-sony-pictures-entertainment.
On December 22: Nicole Perlroth and David E. Sanger, “North Korea Loses Its Link to the Internet,” New York Times, Dec. 22, 2014. That the U.S. government did not launch the attack comes from interviews.
“the first aspect of our response”: Statement by the Press Secretary on the Executive Order “Imposing Additional Sanctions with Respect to North Korea,” White House, Jan. 2, 2015, https://www.whitehouse.gov/the-press-office/2015/01/02/statement-press-secretary-executive-order-entitled-imposing-additional-sanctions-respect-north-korea. The backstory on the pointed wording comes from interviews.
Those who heard Gates’s pitch: In President Obama’s PPD-20, “U.S. Cyber Operations Policy,” one of the directives, apparently inspired by Gates’s idea, reads as follows: “In coordination with the Secretaries of Defense and Homeland Security, the AG, the DNI, and others as appropriate, shall continue to lead efforts to establish an international consensus around norms of behavior in cyberspace to reduce the likelihood of and deter actions by other nations that would require the United States Government to resort to” cyber offensive operations. In a follow-on memo, summarizing actions that the designated departments had taken so far, the addendum to this one reads: “Action: [Department of] State; ongoing”—signifying, in other words, no progress (http://fas.org/irp/offdocs/ppd/ppd-20.pdf).
In 2014, there were almost: The precise numbers for 2014 were 79,790 breaches, with 2,122 confirmed data losses; for 2013, 63,437 breaches, with 1,367 losses. Espionage was the motive for 18 percent of the breaches; of those, 27.4 percent were directed at manufacturers, 20.2 percent at government agencies. Verizon, 2014 Data Breach Investigations Report, April 2015, esp. introduction, 32, 52, file:///Users/fred/Downloads/rp_Verizon-DBIR-2014_en_xg%20(3).pdf. For 2013 data: Verizon, 2013 Data Breach Investigations Report, April 2014, file:///Users/fred/Downloads/rp_data-breach-investigations-report-2013_en_xg.pdf.
On average, the hackers stayed inside: Cybersecurity: The Evolving Nature of Cyber Threats Facing the Private Sector, Before the Subcommittee on Information Technology, 114th Cong. (2015). (Statement of Richard Bejtlich, FireEye Inc.) http://oversight.house.gov/wp-content/uploads/2015/03/3-18-2015-IT-Hearing-on-Cybersecurity-Bejtlich-FireEye.pdf.
In 2013, two security researchers: Andy Greenberg, “Hackers Remotely Kill a Jeep on the Highway—With Me in It,” Wired, July 21, 2015, http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/. A team of university researchers spelled out this vulnerability still earlier, in Stephen Checkoway, et al., “Comprehensive Experimental Analyses of Automotive Attack Surfaces,” http://www.autosec.org/pubs/cars-usenixsec2011.pdf. The 2013 experiment by Charlie Miller and his colleague, Chris Valasek, was designed to test that paper’s proposition.
“Nothing in this order”: President Barack Obama, Executive Order—Improving Critical Infrastructure Cybersecurity, Feb. 12, 2013, https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.
“disrupting or completely beating”: Department of Defense, Defense Science Board, Task Force Report, Resilient Military Systems and the Advanced Cyber Threat, Jan. 13, 2013, cover memo and executive summary, 1, http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf.
Some of the task force members: Ibid., Appendix 2; “time machine” comes from interviews.
“The network connectivity”: Ibid., Executive Summary, 15.
“built on inherently insecure architectures”: Ibid., cover memo, 1, 31.
“With present capabilities”: Ibid.
“Thus far the chief purpose”: Bernard Brodie, The Absolute Weapon (New York: Harcourt Brace, 1946), 73–74, 76. For more on Brodie, and the subject generally, see Fred Kaplan, The Wizards of Armageddon (New York: Simon & Schuster, 1983).
“Define and develop enduring”: Barack Obama, White House, “The Comprehensive National Cybersecurity Initiative,” https://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative.
“It took decades”: Department of Defense, Defense Science Board, Task Force Report, Resilient Military Systems and the Advanced Cyber Threat, 51. Actually, in the mid-1990s, the RAND Corporation did conduct a series of war games that simulated threats and responses in cyber warfare; several included upper-midlevel Pentagon officials and White House aides as players, but no insiders took them seriously; the games came just a little bit too early to have impact. The games were summarized in Roger C. Molander, Andrew S. Riddile, Peter A. Wilson, Strategic Information Warfare: A New Face of War (Washington, D.C.: RAND Corporation, 1996). The dearth of impact comes from interviews. They presented a ninety-page paper, explaining how they did the hack (and spelling out disturbing implications), at the August 2015 Black Hat conference in Las Vegas (“Remote Exploitation of an Unaltered Passenger Vehicle,” illmatics.com/remote%20Car%20Hacking.pdf).
“to consider the requirements”: Undersecretary of Defense (Acquisition, Technology, and Logistics), Memorandum for Chairman, Defense Science Board, “Terms of Reference—Defense Science Board Task Force on Cyber Deterrence,” Oct. 9, 2014, http://www.acq.osd.mil/dsb/tors/TOR-2014-10-09-Cyber_Deterrence.pdf. The date of the first session and the names of the task force members come from interviews.
In 2011, when Robert Gates realized: The directive is summarized, though obliquely, in Department of Defense, Department of Defense Strategy for Operating in Cyberspace, July 2011, http://www.defense.gov/news/d20110714cyber.pdf; see also Aliya Sternstein, “Military Cyber Strike Teams Will Soon Guard Private Networks,” NextGov.com, March 21, 2013, http://www.nextgov.com/cybersecurity/cybersecurity-report/2013/03/military-cyber-strike-teams-will-soon-guard-private-networks/62010/; and interviews.
“biggest focus”: Quoted in Cheryl Pellerin, “Rogers: Cybercom Defending Networks, Nation,” DoD News, Aug. 18, 2014, http://www.defense.gov/news/newsarticle.aspx?id=122949.
“with other government agencies”: Department of Defense, The Department of Defense Cyber Strategy, April 2015; quotes on 5, 14, emphasis added; see also 6, http://www.defense.gov/home/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf. The document clarified that the government would be responsible for deterring and possibly responding only to cyber attacks “of significant consequence,” which, it added, “may include loss of life, significant damage to property, serious adverse U.S. foreign policy consequences, or serious economic impact on the United States.” The terms “significant” and “serious” remained undefined—Robert Gates’s question, nine years earlier, of what kind of cyber attack constitutes an act of war remained unanswered—but the finesse reflected an understanding that all such questions are ultimately political, to be decided by political leaders. It also reflected the inescapable fact that this was not just dark but untrod territory.
“How do we increase”: Ellen Nakashima, “Cyber Chief: Efforts to Deter Attacks Against the US Are Not Working,” Washington Post, March 19, 2015.
“probably one or two”: Patricia Zengerle, “NSA Chief Warns Chinese Cyber Attack Could Shut U.S. Infrastructure,” Reuters, Nov. 21, 2014, http://www.reuters.com/article/2014/11/21/usa-security-nsa-idUSL2N0TB0IX20141121.
“The American public”: Liberty and Security in a Changing World: President’s Review Group, 62.