CHAPTER 16
DARK ANGEL

It began with what seemed like a simple blackout. But something was odd: Cell phones didn't work because the cell towers were also dead—despite their battery backup systems. Then it suddenly became evident that ATMs were out of order not just in Chicago, where the blackout began, but across the nation. When people around the country tried to log in to their bank and brokerage accounts, their screens were frozen.

Then came the deluge—starting with the collapse of the 9-1-1 systems across the country. Emergency call centers were flooded with false alarms—almost all computer-generated, so that dispatchers could not tell real emergencies from the phantoms. Air traffic control systems mysteriously shut down; like the cell towers, they were supposed to have backup systems. There were rumors of oil and gas pipeline shutdowns, but operators were having trouble telling whether the flow had really stopped or their computer links had been severed. If there was any doubt that the country was under attack, it was resolved within the hour, as three-quarters of the American power grid crashed and transformers began to blow up. Though they said nothing publicly, plant operators knew that meant six months of national darkness, save for places with emergency generators.

The president scrambled fighter jets to patrol over American cities, just as Bush had done on 9/11—but there was nothing to see, much less shoot down. Markets around the world first plunged, then closed. If trades couldn't be cleared in the United States, they couldn't happen anywhere else.

Cyber experts had been warning the government for years that the daily barrage of attacks on computers from the Pentagon to Citigroup were likely “probes” looking for weaknesses and vulnerabilities in the nation's computer networks. Now, this seemed like the inevitable follow-on attack. Corporate America was largely unprepared: While virtually all companies had installed protective software against hackers, little had been invested against an attack of this scale, one so sophisticated that it probably required the help or financing of a state. But inside the government's new cyber-security centers in Virginia, analysts knew that it would be harder to trace where the attack had come from than it would be to trace the origins of a terrorist's nuclear bomb. In this attack the timing was exquisite. The crippling of emergency response systems, backup systems, and communications systems was a prelude to the attack on the primary targets: the banks, the markets, and the power plants.* By comparison, the Russian attacks on Estonia in April 2007 and on Georgia in August 2008 were sophomoric pranks.

When the National Security Council met that afternoon in the Situation Room—one of the few places in Washington that still had lights—the president was told he would soon face a choice. Once the National Security Agency narrowed down where the attack originated from, the president would have a few options, all unsatisfactory. He could decide to try to absorb the damage, appealing for swift action from his counterpart in the country where the attack originated, and focus on getting things switched back on as fast as possible. There was a more aggressive option: He could order an American-led cyberattack on the country that was responsible for the devastation, an eye for an eye, a byte for a byte. Or he could initiate a conventional military attack on the country that crippled America, if it appeared the cyber-aggression had state sponsorship.

“Will we ever know for certain who is responsible?” the president asked his national security adviser.

“Probably not, sir,” was the answer. “If it's like the few attacks we've seen before, we'll probably never know for sure.”

IF A MOMENT like this happens on the next president's watch, no one will be able to say the White House wasn't given ample warning. In February 2002, five months after the 9/11 attack, a group of about fifty scientists, engineers, and former intelligence and defense officials sent a letter to President Bush. It was patterned, deliberately and more than a little ostentatiously, after the two-page letter Albert Einstein wrote to “F. D. Roosevelt” on August 2, 1939, warning him for the first time that “it may become possible to set up a nuclear chain reaction in a large mass of uranium” that would lead to the construction of a new generation of bombs. He noted evidence that Hitler might be trying to get there first.

The 2002 letter to President Bush was equally stark. It warned that the next chain reaction he needed to worry about was not at the atomic level. It would start in cyberspace—and America was a wide-open target. “The consequences of successfully exploiting these vulnerabilities,” the letter read, “would be significant damage to the U.S. economy, degraded public trust with concomitant long-term retardation of economic growth, degradation in quality of life, and a severe erosion of the public's confidence that the government can adequately protect their security.” The authors asked for the same kind of response that the Einstein letter generated: a Manhattan Project-type undertaking that would recruit top scientists and require billions of dollars of federal money. The first task would be to sort through the complexities of how to defend against a cyberattack that was aimed primarily at such “soft” targets as banks, credit markets, power stations, and cell phone networks—networks the federal government did not own and could not control.

FDR had responded to Einstein right away, but Bush had more immediate threats to worry about. There had just been an anthrax attack. There were rumors of loose nukes. “As far as I can tell, I don't think it was read,” one of the lead authors, O. Sami Saydjari, the president of the Cyber Defense Agency, told me six years later. “I don't think it made his priority list.”

Saydjari received a standard letter of thanks for corresponding with the White House and an invitation for his panel of experts to review a draft version of the forthcoming 2003 National Strategy to Secure Cyberspace. The experts read the strategy, Saydjari recalled, and concluded, “Nice try.”

“It could probably stop a fourteen-year-old,” he said. “But it's not a national strategy that can be used against the nation's great adversaries.”

Saydjari began appealing to members of Congress, but the subject was too complex, the threat too distant. A smattering of hearings generated little news and did not result in any meaningful legislation. “I would characterize the reception as lukewarm,” Saydjari told me. “Cyber just did not have traction, at least in the administration.”

The few people inside the government who were interested told Saydjari to put up or shut up: to come up with a cyberattack scenario that would be realistic enough to convince the country's leaders that there was a threat out there as big as nuclear and as nasty as anthrax. Saydjari hesitated. “‘We don't think you want us to put this together on an unclassified level,’” he recalled telling administration officials.

“They said, ‘Yes, we do.’”

The result was Dark Angel, the code name for a sophisticated cyberattack scenario drawn up in thirty days by experts from the transportation, electrical, and financial industries, and vetted by others who vouched for its plausibility. Its details were similar to the events outlined at the opening of this chapter, only much worse. Dark Angel assumed three years of preparation by a state or a transnational terrorist group with $500 million to spend. That's serious money, but if the attack was launched with the help of a government, a good deal of the cash would be spent trying to cover their tracks so that it would be hard for the United States to retaliate.

In Dark Angel, the main goal of the attack was to trigger economic collapse. But most immediate damage would be psychological: When the lights go out, the e-mail goes down, and the power stations blow up, panic and fear and looting are sure to follow. Every community in the country is affected, and everyone feels vulnerable. That was the real lesson of the scenario, Saydjari told a congressional panel in April 2007, and it was the real lesson in Estonia and Georgia after they were hit by Russian cyberattacks.

“It would be hubris to think our adversaries don't already have a plan in place that's substantially better than our brief sketch, or that their capabilities to execute such an attack aren't improving,” Saydjari said.1

By then, one of the signatories of the 2002 letter had returned to government and was greeting President Bush in the Oval Office every morning to deliver the 8:00 a.m. intelligence briefing: J. Michael McConnell.

BUSH WAS AWARE of computer threats long before he asked McConnell, in late 2006, to leave his profitable consultancy at Booz Allen, and return to government as director of national intelligence. But Bush rarely thought much about computer technology: He told visitors to the White House residence that he decided to give up e-mailing as soon as he became president; there was no sense in having electronic copies of private presidential musings zipping through the blogosphere, or subpoenaed in a trial. The result was that his familiarity with modern computing was distant, at best. He once told an interviewer that “one of the things I've used on the Google is to pull up maps,” mostly of the Crawford ranch.2 (The use of the definite article “the” left many with the impression that he was not a frequent Googler.) His former aides tell me that his primary cyberspace obsession centered on the rise of jihadist websites, particularly those on which al Qaeda spread its propaganda, sought new recruits, and ran grainy, gruesome videos of American convoys in Iraq as they were blown up by roadside bombs.

“This would drive him up the wall,” one of Bush's Iraq strategists told me. “He'd ask: ‘Why are they using the Internet better than we are? Didn't we invent this thing?’”

Gradually, though, Bush began to discover the world of cyber espionage. The President's Daily Brief, a digest of the most critical intelligence that landed on Bush's desk every morning, often referred to information based on computer intercepts, from the communications of al Qaeda members to the cracking of Iran's nuclear plans to the possibilities of altering information flowing to terror groups. But when McConnell arrived back in Washington, after an absence of a decade, he was shocked by two discoveries. The first was how little had been done to consolidate the eighty or more intelligence databases that sixteen disparate agencies—from the CIA to the Defense Intelligence Agency to the Drug Enforcement Administration—had assembled. (That is beginning to be solved at the new National Counterterrorism Center in the building next to McConnell's own office, all part of a secure new office park built a few miles away from the CIA campus in northern Virginia.) The second was how little had been done to protect the country against cyberattacks, and how little thinking had gone into the strategic implications of engaging the United States in cyberwarfare.

The Pentagon and the CIA were tracking those jihadist websites, of course, building elaborate databases to show who was signing on—and trying to pinpoint where they were located. The NSA had broken new ground intercepting coded e-mails and conversations among young jihadis, even to the point of delving into the “chat” in online video games, where some of them met electronically to exchange messages that they thought would evade detection. But to McConnell, all this was just updating an old art form. “We've been doing this same thing since we were breaking German code” in World War II, McConnell told his colleagues and visitors to his office.

To push the issue to the next level, McConnell quickly hired some of the staff at Booz Allen who had put together studies of the vulnerabilities of major financial institutions, the first step in getting hundreds of millions of dollars in contracts to plug those gaps. Soon they were developing similar studies of the federal government's vulnerabilities, trying to cut down on the number of “portals” through which invaders could enter federal computer systems. Melissa Hathaway, one of McConnell's hires, came up with some scary examples of actual attacks, including the moment in 2006 when “a disgruntled Navy contractor inserted malicious code into five computers at the Navy's European Planning and Operations Command” in Naples, Italy, and knocked two computers out of action. Had the other three been disabled, she reported, the networks that track U.S. and NATO ships in the Mediterranean would have been blinded. She raised the question of whether an adversary could “insert erroneous data that would cause weapons, early warning systems, and other elements of national security to fail” at a critical moment. And, with an eye on Chinese firms—especially companies like Huawei, which makes network control equipment to compete with American firms like Cisco—she asked, “What if malicious code were secretly installed during the manufacture or shipping of computer equipment, to be activated at some future date? How would we even know what threats we face?”3

What Hathaway was saying in public was a much watered-down version of what her boss was saying in private. “The Chinese are just having us for lunch right now,” McConnell would tell visitors to the sprawling new intelligence campus in Virginia. “We're going to have to rethink this partnership thing,” he would argue, because “they're also leaving little telltale capabilities back in our systems. So if we ever do have a little dustup, they can remotely turn them on.” The Chinese, of course, are convinced we are doing the same to them.

IN HIS PRESENTATIONS to the administration about cyber threats, McConnell usually started by reaching for a poster-size map of the flow of Internet traffic around the world. (He kept the map leaned up against the wall by the conference table in his office.) It showed a huge bulge in the middle, where the United States was. The message was clear: For good and ill, America is the world's biggest switching center for Internet traffic.

A few years ago, Michael Hayden, the director of the CIA, liked to say that the fact that the United States was the giant stationmaster of the Internet was “our home-field advantage.” When a terrorist in Iraq wanted to e-mail his buddy in Waziristan, or an Iranian nuclear engineer had a question for a physicist in Stuttgart, there was a good chance the communication was passing—unbeknownst to the sender and receiver—through a server in the American Midwest. Time and again, that fact gave America's spies access to all kinds of vital data, and McConnell and Hayden often used this map in presentations on Capitol Hill to make their argument in favor of the need for greater latitude as they rewrote the 1978 Foreign Intelligence Surveillance Act, or FISA, which governs the tapping of any “wired” communications—voice or computer—by citizens or foreigners inside the United States. A version of the same map had been part of the administration's effort to convince the Times not to reveal that the president had ordered Hayden and other top intelligence officials, in the weeks after 9/11, to ignore the law, circumvent the FISA court, and tap in to communications that flowed through the United States or involved American citizens. The paper, and soon the rest of the world, called that order the administration's “warrantless wiretapping” program. The president, arguing that he was acting within his powers as commander in chief, quickly came up with a different name to sell the effort: the “Terrorist Surveillance Program.”

Eventually, the law was rewritten, in a compromise that many Democrats—including Barack Obama—signed on to. Warrants would no longer be required for purely foreign communications passing through the United States. But Americans—no matter where they were in the world, at home or abroad—would be protected. If an American was a participant in the intercepted conversation, there would have to be a warrant. The rewritten law took domestic wiretapping off the table as a political issue before the 2008 elections.

But even before the law was changed, McConnell was using his map for a different purpose: to demonstrate America's growing vulnerability to cyberattacks. The same technology that gave us home-field advantage, he argued, made us far more vulnerable to having our field destroyed—or at least put out of action for months.

In a meeting with many members of the Cabinet in May 2007, McConnell finally raised the issue with Bush. With Henry Paulson, the new Treasury secretary, and Michael Chertoff, the secretary of Homeland Security, at his side, he described how a country or a sophisticated terror group could attack many government agencies and shut down much of the private sector—the markets, the banks, the power stations. Then he got to his punch line. “If the 9/11 perpetrators had attacked one single bank in the United States and damaged it to the point that it couldn't recover data, that they didn't know what they had, it would have had an order of magnitude greater impact on the global economy” than the attacks on the Pentagon and World Trade Center.

That got Bush's attention. McConnell later told visitors that the president looked at him like he “had two heads.”

Then Bush looked at Paulson. “Is this right, Hank?” he asked. Paulson did not hesitate. “It was what kept me up at night when I was chairman at Goldman Sachs. It was my greatest single worry, because everything's based on confidence.”

A year later, of course, Paulson confronted such a crisis of confidence in the markets and stepped in to save Bear Stearns from collapse, the first of a series of bailouts. Inside the government, McConnell kept citing the Bear Stearns example. Here was a company whose own mistakes brought it down, he said. But look at the ripple effect—and think about what would happen if a cyberattack created twenty Bear Stearns-like crises, or two hundred, at once.

WHEN MCCONNELL explained the threats he was worried about to Bush or other members of the national security team, he often grabbed a piece of paper and drew a little chart—to show what the intelligence community already does and what it needs to learn to do.

On the far left, he created a category called COMMS for “communications.” This was the old-fashioned stuff—tapping in to calls, e-mails, ATM transactions, online video games. The intelligence community spends billions of dollars a year on these tactics, and they've gotten better and better: If you sit in a “forward operating post” in Afghanistan, on the screens in front of the commanders there are often transcripts running—translated into English—of nearly real-time cell-phone conversations happening in the outskirts of Kandahar. It would look great in a James Bond movie, but it's essentially old-style wiretapping, improved and sped up to deal with the world of al Qaeda.

McConnell's next category was labeled EXPLOIT. By the time of the first Persian Gulf War, he would explain to Bush and others, the exploitation of intercepted messages had turned into a fine art. “‘Wow, look what we can do,’” McConnell would tell them. “‘We can attack. We can turn off their air defense system remotely!’”

The Persian Gulf War was before the Internet explosion, before an American president could turn to “the Google,” and before America's challengers had the sophistication to launch cyberattacks on the United States. So the last two boxes on McConnell's chart for Bush read ATTACK and DEFEND. This was his pitch about the future of cyberwarfare—and it was jammed with thorny decisions that President Obama will likely have to confront.

Naturally, the U.S. government doesn't talk much about the scenarios in which we attack other countries in cyberspace, especially because we are still more vulnerable than our adversaries. Yet inside the intelligence agencies and the Pentagon, offensive capabilities are a subject of regular, impassioned debate.

Unfortunately, most of that debate during the Bush administration—at least at senior levels—focused on the turf war, not the strategy. Everyone agreed that America has to be able to wage cyberwar. But who gets to command the fight? The military or the computer geeks at the National Security Agency?

McConnell quickly found himself enmeshed in this internecine battle. The Pentagon insisted that since cyberwar was still war by other means, it must be within its territory. The Department of Homeland Security said that it didn't want to play offense. But when it came to protecting domestic banks, financial institutions, 9-1-1 systems, and power grids—where 95 percent of the targets exist—well, that's where Congress put DHS in charge. The National Security Agency, McConnell's old shop, said cyberwar is all about code-breaking and code-making and electronic surveillance and penetrating other nations’ computer systems. Since the NSA is the repository of that particular expertise, everyone else should stand aside and leave this to the professionals. Everyone was spending their days arguing about who was in charge. “You could never get a holistic approach,” McConnell complained.

In typical Bush administration fashion, no one was openly debating the big questions. The first was obvious: If a cyberwar breaks out, is offense the best defense? And if so, should part of that strategy be preemptive war—the theory Bush promulgated in the 2002 National Security Strategy and that he later discredited in Iraq in 2003?

The argument for preemption in cyberwarfare is simple: By the time a sophisticated cyberattack happens, it's probably too late to defend against it effectively. We can build better network filters and early warning devices and add new firewalls around the computers that keep America humming. But in cyberwar, attackers have almost all of the advantages. They get to pick from thousands of possible attacks. Defenders have to protect against everything, including attacks they can't imagine.

In March 2007, just before McConnell's meeting with Bush, researchers at the Idaho National Laboratory launched an experimental cyberattack on a power station—just to see what damage they could do. It turned out they could do a lot, and in September 2007, a previously classified video made its way to CNN. It showed what happened when the power station's big diesel generator was deliberately driven out of kilter. It started shaking and smoking, and then it stopped. Permanently.

“It was done by a bunch of kids in the critical infrastructure section of DHS,” an intelligence official said to me. “Whatever next set of players come in here have to understand that.” People started crunching the numbers. By one estimate, if one third of the country lost power for three months, the economic price tag would be about $700 billion—the size of your ordinary, once-in-a-century Wall Street bailout.4

McConnell persuaded Bush to start up a five-year program, rumored to cost more than $15 billion, called the Comprehensive National Cyber-Security Initiative. Like its price tag, the details are classified, so no one can assess whether it matches the challenge or is largely a boon for a new generation of defense contractors. It's not the only classified part of the great new cyberwar games. On January 8, 2008, Bush approved a presidential directive designed to be the guiding document in cyber defense and offense for the United States. Unfortunately, because it was never published in open literature, the private sector—where 95 percent of the targets are located and defended—has little idea what it says; only at the end of the administration did McConnell and Hathaway and others begin to hold private briefings for American businesses. But it's all reminiscent of Bush's “declaratory policy” for nuclear terrorism: At home, no one is quite certain what the defensive plan is; abroad, adversaries are not warned about the devastating response if they get caught launching an attack.

Congress passed Bush's request for the $15 billion cyber-security initiative in September 2008, just as Wall Street was melting down. It would have gone through even without the freezing of credit markets, but the crisis didn't hurt, especially after McConnell told members of Congress that “the ability to threaten the U.S. money supply is the equivalent of today's nuclear weapon.” A few months before, he might have been viewed as hyping the threat. No more. Congress had seen its first financial mushroom cloud.

But the question that Bush never discussed with Congress, at least in the open, centered on preemption—a word he could not utter in public after Iraq. Secretly, he had already authorized at least two preemptive cyberattacks. In the months leading up to the March 2003 invasion of Iraq, cyberwarfare experts waged an e-mail assault against Iraq's leadership, urging them to break away from Saddam Hussein's government.5 The move was a relatively benign form of information warfare. But to reach the right audience, the United States infiltrated Iraqi networks, not only siphoning off information but also manipulating the flow of information to key Iraqi officials.

Then, a few years later, came a more devastating cyberattack—against al Qaeda in Mesopotamia, the al Qaeda affiliate that had moved into Iraq to take on the Americans.

The officials I interviewed were reluctant to discuss the attack in detail, for fear of revealing their capabilities. But this one seemed to involve the alteration of data and databases on a computer used by al Qaeda operatives and its associates. That manipulation, in turn, helped lure them into a trap. It worked, and those militants won't be building any new databases.

Of course, making the decision to launch a cyberstrike against al Qaeda is easy—it would have a hard time striking back from the unwired corners of Pakistan. Making the decision to do the same against China or Russia is a whole different matter. There, a preemptive strike—even against a rogue programmer or terror group or business—would carry many risks, including the likelihood that the confrontation could escalate, quickly, into a traditional war.

Bush administration officials say that his January 8, 2008, cyberwar strategy did not deal with “first use” or attack capabilities. But at the end of their time in office, some inside the Bush administration began to consider some preemptive-strike scenarios, just to think through the possibilities. The most common concerned China. Suppose the National Security Agency, poking around in China's computer systems, detected a cyberattack in the making. If they got inside the Chinese computer systems, they could watch, silently, as Chinese computer hackers—maybe members of the People's Liberation Army, maybe just talented twenty-year-olds—put together an ingenious attack to bring down American financial networks. Then commanders would have to make the same decision that George Washington had to make when scouts reported that they had seen Redcoats massing, or that Eisenhower had to make after U-2s saw the Soviet Union's missiles being deployed. Do you attack first? Do you prepare yourself but let the other side fire the first shot?

The less aggressive answer, already kicked around inside the NSA and the Pentagon, would be to exploit the intelligence to design “inoculations” that would protect both private and public computers in the United States—a sort of anticipatory form of virus protection. Sounds like a great idea, if it works. That strategy, of course, depends on perfect intelligence gathering. And, as with flu shots, there's no guarantee it will work against the next strain of the virus.

McConnell and his aides began to debate whether the United States should be ready to do far more. If authorized by the president, should the U.S. government be ready to disable another nation's computer networks before they disable ours? How would you prepare for “escalation,” cyber-style? If we take out Gazprom's networks, do they take out Citigroup's? And is it possible to deter some countries with the knowledge that to take out our financial system is to gravely harm their own? As one senior intelligence official said to me, if the cash registers at Wal-Mart flip off, it's only a matter of time before China's exports take a hit. If the markets freeze up, it's going to be hard for the Chinese finance ministry to sell off their American treasury bills. “They're deterred,” one top official insisted when I asked about Chinese cyberattacks. “It's the rest of the world I worry about.”

* Like the nuclear scenario, this one is based on an exercise in September 2002, by a panel of experts that attempted to outline a cyberattack that would trigger panic, disorder, and economic collapse. The scenario was called Dark Angel and was widely circulated, in unclassified form, around the government.