SPECIAL SERIES:Cybersecurity: The Next Great Battlefield
In this series of articles running from mid-March to July, RealClearPolitics and RealClearDefense take an in-depth look at the intersection of cybersecurity, technology, and warfare in the 21st century.
On the morning of September 11, 2001, Leon Panetta was testifying to a House committee about the health of Earth’s oceans when he was handed a note informing him about the attack on the World Trade Center. The session ended abruptly as people instinctively scrambled for safety, not knowing that passengers on United Airlines flight 93 were taking brave actions that may have saved the U.S. Capitol from becoming a second Ground Zero.
<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/423891426&color=%23ff5500&auto_play=false&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>
Panetta’s stints as CIA director and secretary of defense were in the future, but he was a prominent former California congressman who’d served as budget director in Bill Clinton’s administration and as White House chief of staff. Still, he was grounded, along with everyone else in the aftermath of 9/11. So he rented a car and headed to California. As he drove, Panetta gradually grew heartened. He marveled at the “God Bless America!” signs he saw in the Midwest and at how the country seemed to be pulling together. By the time he reached his seaside hometown of Monterey, Panetta — a naturally sunny person — had begun to feel hopeful again.
He’s less optimistic today. Partly, his concern is a function of his tenure at the Pentagon and the CIA. In those years, a fear took root, and subsequent events have only made it more acute. He is asked what keeps him awake at night:
“I’ve always worried about the battlefield of the future, which is cyberwar,” he replied. “Just as we used to worry about terrorists getting hold of a nuclear weapon, I worry about our enemies gaining access to a cyberweapon that does as much damage as was done on 9/11.”
Panetta was in charge at the Pentagon in August 2012 when word filtered out of Saudi Arabia that malware had halted operations at Aramco Oil Co. Before it was contained, 30,000 computers had been destroyed. Files disappeared, the stored data on them wiped out, replaced by the image of a burning U.S. flag. It became clear that this was Iran’s handiwork. The virus remained hidden, reappearing again in Saudi Arabia -- and again doing extensive damage --in 2016.
“It isn’t beyond possibility that a Pearl Harbor-type attack can be launched against us from a laptop.”
Neither blood nor oil was spilled in those attacks, but escalation seems the obvious next step. “We live in a world where you don’t need to send B-1 bombers or land troops on the soil of another country to attack them,” Panetta told me this week. “Using that same kind of virus, you can take down the computers that support our electric grid, government systems, transportation systems, financial institutions. It isn’t beyond possibility that a Pearl Harbor-type attack can be launched against us from a laptop.”
Much Worse Than You Think
The first computer hacker, as the term is presently understood, was a Seattle high school student named David Lightman. He started out with small stuff, such as changing the biology grade of a girl he was trying to impress, before graduating to bigger targets — much bigger: David hacked his way into the Department of Defense computer, accessing the nuclear launch codes at NORAD. He nearly started World War III.
Fortunately, David Lightman was a fictional person. He was the lead character, played by Matthew Broderick, in “WarGames,” a riveting 1983 Hollywood thriller with a bracing antiwar message. Among those who watched it was President Reagan, who screened it at Camp David in early June. Reagan liked the film very much and couldn’t get it out of his head. Four days later, he put the question to Gen. John Vessey Jr., chairman of the joint chiefs: “Could something like this really happen?”
Screenwriters Lawrence Lasker and Walter F. Parkes, had done their research and already knew the answer, even if neither the president nor his top military adviser did. Yes, it certainly could happen, they’d been assured by Rand Corp. computer scientist Willis Ware. As recounted in Fred Kaplan’s book “Dark Territory: The Secret History of Cyber War,” Ware told them that the only network computer that is truly secure is one no one could use. Soon, Jack Vessey was relaying similar sentiments to Ronald Reagan. “Mr. President,” he said, “the problem is much worse than you think.”
A succession of U.S. presidents have been told the same thing. So have members of Congress, the nation’s military brass, captains of industry, educators, bankers, and assorted thought leaders. Yet the list of huge hacks and other digital attacks grows, each breach seemingly more alarming than the last. It is a litany of failure.
The first deliberately planted computer malware was the Morris worm, unleashed by a hacker who said he wanted to gauge the size of the fledgling Internet (then called ARPANET). In 1994, Russian hackers -- some experts were still using the MIT-preferred term “crackers” -- siphoned $10 million from Citibank. In March 1997, a teenaged Croatian hacker younger than David Lightman penetrated the computer system of a U.S. Air Force Base on Guam. In 1999, a malware dubbed Melissa by its originator was transmitted through email. Dubbed a “virus,” it was more properly understood to be a “worm.” And the worm was only beginning to turn. It infected some 20 percent of the world’s computers.
Conficker, a worm that infiltrated 15 million computers in 2008, turns computers into zombies, deactivates anti-virus programs, and siphons away credit card numbers and the like. It is still infecting an average of 1 million computers a year. Over time, cyber thieves seemingly embarked on a grim competition: The files of Ashley Madison, a website facilitating extramarital affairs, were taken, compromising the privacy of 37 million users; the credit card information of 50 million Home Depot customers was swiped; the medical records of nearly 79 million patients were accessed when the giant health-care insurer Anthem Inc. was hacked; at J.P. Morgan, hackers broke into 76 million personal accounts and 7 million business accounts; cyber thieves obtained the financial information of all 145 million eBay users in 2014; at LinkedIn, 164 million accounts were stolen.
This is only a partial list -- a tiny fraction of the U.S. companies that have been hacked. So, too, were many of the government’s most sensitive agencies, including the State Department, and Washington, D.C.’s Metropolitan Police Department.
Redwood City, Calif.-based cybersecurity expert Oren J. Falkowitz says that the personal information of nearly every American has been breached at some point, many of them more than once. Before launching his own cybersecurity firm, Area 1 Security, Falkowitz spent a decade at the National Security Agency. He gets impatient with those who warn that disaster is just around the corner. He says the crisis is already here.
“The question is: Will we take the necessary actions to get ahead of the next attacks?”
“How could it get much worse?” he asks. “The question is: Will we take the necessary actions to get ahead of the next attacks? Hundreds of billions of dollars have already been siphoned from the economy. The intellectual property of every big company has been accessed and shipped overseas, much of it to China. Our government agencies, including the Department of Defense, State Department, OPM have been breached. The outcomes of our elections have been influenced.”
Defending ourselves requires knowing who is doing these things and how they are doing them. Falkowitz estimates that 95 percent of cyberattacks begin through phishing -- sending innocent-looking emails, texts, or phone messages that induce users to give up personal information, including computer passwords that get the thieves not only into the innards of people’s lives, but their entire company as well.
Who is doing it is often harder to determine. Culprits like the kids in “WarGames” have given way to much more sophisticated and sinister players. This evolution can be viewed through a single name, “Guccifer.” That was the online handle of Romanian hacker Marcel Lazar. A digital enthusiast in his 40s with no formal computer science training, Lazar was frustrated by his inability to get a job. He began obsessively wading through the Internet -- his lawyer called his hacking activity “an addiction” -- but whatever it’s called, it landed him inside Hillary Clinton’s email exchanges – and, eventually, in federal prison.
“The extent of the harm caused by defendant’s conduct is incalculable,” federal prosecutors told the sentencing judge. In hindsight, those prosecutors were clueless. “Incalculable” is a better description of what “Guccifer 2.0” did. That’s the handle of a crew of hackers that breached the Democratic National Committee email system and gave it all to WikiLeaks. U.S. intelligence officials have fingered Guccifer 2.0 as a Russian government operation, something WikiLeaks founder Julian Assange has denied, but whoever stole them, the publication of those emails cost DNC Chairwoman Debbie Wasserman Schultz her job, infuriated supporters of Bernie Sanders, distracted Hillary Clinton, emboldened Donald Trump -- and may have played a role in the outcome of the 2016 election.
The theft of those documents coincided with an organized Russian effort to undermine Americans’ faith in their own elections. That initiative was executed by “Fancy Bear” and “Cozy Bear,” the St. Petersburg troll farms owned by an oligarch close to Russian President Vladimir Putin. Russia’s intelligence services are also considered active hackers, along with murky operators such as “Rasputin,” a Russian-speaking hacker who infiltrated the Federal Election Commission in the autumn of 2016 and subsequently broke into five dozen universities and U.S. government agencies.
When choosing their targets, foreign hackers make little distinction between government, private business, charities, or even individuals. Similarly, it’s hard to categorize the perpetrators. Organizations such as WikiLeaks and Anonymous have political motivations, even if their agenda isn’t clearly defined. Some criminals or gangs use various schemes, such as the notorious Nigerian Internet scam and its many permutations with the sole aim of stealing money. But the overlapping objectives of scammers who hail from regimes hostile to democracy make it difficult to draw fine lines between cybertheft and cyberwarfare.
The North Koreans hackers who busted into the personnel files of Sony Pictures and distributed them online called themselves “Guardians of Peace.” A more accurate description would have been Guardians of Kim Jong-un, who was clearly not amused by “The Interview,” the Seth Rogen spoof distributed by Sony depicting the assassination of the potentate of Pyongyang. Normally, North Korea’s army of hackers, many of whom are sent abroad to commit their crimes, are busy conducting digital scams that net North Korea hard-to-obtain currency. But they made an exception for Sony.
Likewise, the Chinese are most responsible for stealing proprietary U.S. corporate secrets, an activity that simultaneously helps China’s economy while weakening the U.S. politically.
“This clinic didn’t do anything wrong except annoy us.”
One group that has not been successfully identified, let alone stopped, has perfected a kind of digital hostage-taking that feels to its victims more akin to Mexico-style kidnapping than computer hacking. Calling itself The Dark Overlord, this group specializes in stealing patient records from U.S. medical facilities while freezing the computer capabilities of the hospital or clinic. The data is sold on the black market, or just pushed out on the Internet, sometimes for spite. When they released more than 142,000 patient records of the Tampa Bay Surgery Center, the hackers explained via Twitter, “This clinic didn’t do anything wrong except annoy us.”
Likely, that wasn’t the whole story. Groups such as The Dark Overlord are responsible for a new word in the English language: “ransomware.” And no entity seems too small or too innocent to be caught in its clutches. On Jan. 11, 2017, the directors of Little Red Door, an Indiana nonprofit that provides hospice care and support services to impoverished cancer victims, met for a board meeting. Suddenly, the charity received a ransomware threat from The Dark Overlord. Its hackers had implanted software code that corrupted the hard drives of the facility’s eight computers. When the clinic responded to the threats by saying it ran on a meager budget and that paying ransom would impede its ability to do things like provide gas money for needy cancer patients to make doctors appointments, the hackers were unmoved. They demanded $43,000 in bitcoin, which the clinic couldn’t, and wouldn’t, pay.
Recent gambits by the group have been more threatening, and more sinister. They include freezing the computer systems of small-town U.S. school districts – and threatening to kill students. “The country is under siege right now,” Dr. Jay L. Rosen, CEO of the Tampa clinic, told the Miami Herald. “It’s a horrible situation.”
Counterterrorism expert Richard Clarke, who served in the administrations of both George W. Bush and Barack Obama, has a more succinct description. “This,” he has warned for years, “is war.”
From Bows and Arrows to Mushroom Clouds
John Arquilla is a political scientist, not a computer scientist – a self-described “bombs and bullets guy” -- who knew little about cyber until he was assigned by the Rand Corp. to be a consultant to Gen. Norman Schwarzkopf during Operation Desert Storm. “It became very apparent to me,” he said later, “that our biggest advantage came from what we knew and what our opponent didn’t.”
In 1993, Arquilla and fellow Rand analyst David Ronfeldt co-authored a prescient article with a new phrase: “Cyberwar Is Coming!”
Even 25 years ago, the insight that victory on the battlefield usually goes to the side with the best technology was not new. Although Shakespeare made Henry V famous -- and the young king’s “St. Crispin’s Day Speech” at Agincourt has inspired bands of brother warriors for centuries -- more tangible factors were at work in 1415 when a smaller invading British force annihilated a larger army of French defenders. These included the heavy armor that weighed down French horsemen, a muddy battlefield, and the tight formation of French cavalry. The invaders’ most important asset, however, probably was the English longbow, a lethal weapon employed by well-trained, battle-tested archers. The result was the wholesale slaughter of France’s nobility.
Five-and-a-half centuries later, Britain and France were on the same side -- along with the United States -- in a world war eventually decided by advanced weaponry. In some ways, with his stirring wartime oratory, Franklin D. Roosevelt was the King Henry of his time. Yet, in seven speeches during World War II, FDR singled out U.S. technical capabilities -- “American ingenuity,” he called it -- as the real key to winning the war.
"We cannot afford to fight the war of today or tomorrow with the weapons of yesterday.”
“We have constant need for new types of weapons, for we cannot afford to fight the war of today or tomorrow with the weapons of yesterday,” Roosevelt said on Jan. 6, 1945. “Almost every month finds some new development in electronics which must be put into production in order to maintain our technical superiority … and save lives.”
By then, FDR’s fellow Americans knew all about the P-51 Mustang, Lockheed’s P-38 Lightning (the first twin-engine fighter) and the Grumman F6F-Hellcat with its amazing 19-1 kill ratio. What American’s didn’t know was that in New Mexico, an array of scientists were developing a doomsday weapon that would not only end the war in the Pacific, but change the very calculations of armed conflict.
The successful detonation of the bomb took place at a remote test site that Robert J. Oppenheimer, the director of the Los Alamos laboratory, had named “Trinity.” Fittingly, it was located at the end of a road called Jornada del Muerto -- “Route of the Dead Man.” Later, Oppenheimer would write that what came to him as he saw the flash of light and the mushroom cloud he’d helped create were words from the Bhagavad Gita: "Now I am become Death, the destroyer of worlds.”
It’s possible those lines did occur to him: One of the subjects he studied at Harvard was Hindu thought. But that day, according to others who were there (including his own brother), what Oppenheimer said was: “It works.”
The (Cyber) Shots Heard ’Round the World
If Ronald Reagan worried that technology could help accidentally start a nuclear war, succeeding presidents and U.S. allies -- one in particular -- have employed cyber measures as a way of preventing such a conflagration.
In 2006 and 2007, Israeli and American cyberwarriors began developing malware designed to damage Iran’s nuclear program. Approved by the Bush administration, the worm dubbed Stuxnet was somehow introduced by the CIA and Israeli intelligence into the computer systems at Iran’s Natanz nuclear facility. Two iterations of Stuxnet -- the second approved by the Obama administration -- took years to do their work, which was to make centrifuges spin too fast until they destroyed themselves.
But was Stuxnet really the first example of cyberwar?
A few minutes before midnight on Sept. 5, 2007, eight Israeli fighter jets -- four F-15s and four F-16s -- took off from Israeli Air Force bases. Their target was a secret complex called Al Kibar in the Syrian desert. There, North Korean workers were helping the Assad regime build a plutonium nuclear reactor, for which the only practical use was to produce an atomic bomb.
This project put both countries, Syria and North Korea, in violation of various treaties and agreements. It also scared the hell out of officials in Washington and Tel Aviv. But as Defense Secretary Robert Gates quipped to George W. Bush, only half in jest, “Every administration gets one preemptive war against a Muslim country.” If Assad’s attempts to acquire an atomic weapon were to be thwarted, Israel was going to have to do it alone.
The Israeli mission that night went off perfectly. But a strange thing happened that night: Syria’s vaunted air defense system, purchased from Russia, never alerted anyone to the presence of those noisy F-15s and F-16s. Syria didn’t know what had happened until Al Kibar was destroyed. Richard Clarke, the former White House National Security Adviser, begins his 2010 book, “Cyber War: The Next Threat to National Security and What to Do About,” with a riveting account of this event.
If the Syrians were caught by surprise -- and Kremlin officials who received angry phone calls from Damascus the next day were nonplused -- cyber experts around the world were not. “This was how war would be fought in the Information Age,” Clarke wrote.
But not the only way. Four months earlier, Russia had launched its own cyberattack, using a different method, against neighboring Estonia. The small Baltic nation hadn’t done anything as brazen as start a nuclear program. It had merely moved a statue of a World War II Red Army soldier to a less conspicuous location. Yet the Russian response was a major cyberattack that lasted weeks. Email systems and online services of Estonian media outlets, banks, and government offices were overwhelmed by massive waves of spam and other Internet traffic. Newspapers and television stations were essentially disabled, banks couldn’t make financial transactions, and government officials couldn’t communicate.
The Kremlin would use similar tactics the following year in neighboring Georgia, which it invaded, and later in Ukraine. By the time Fancy Bear and Cozy Bear were unleashed against the United States in 2015 and 2016, the Russians had benefited from nearly a decade of practice.
"This is the new battle space, and the U.S. is losing. We are way behind.”
Those who have examined these tactics believe it’s too myopic to frame the Russian cyberattacks as solely -- or even primarily -- an effort to help Donald Trump and hurt Hillary Clinton. To Arizona State University professor Joel Garreau, the cyber crimes and online propaganda fed to the world by Russia and other nefarious actors, including ISIS, constitute not only an attack on democracy but an attack on the foundations that make democracy possible: namely, reasoned debate, even reason itself. It’s an attack, Garreau believes, on the Enlightenment. “This is the new battle space, and the U.S. is losing,” he said. “We are way behind.”
To try and alter that equation, Garreau and ASU engineering professor Braden Allenby launched ASU’s Weaponized Narrative Initiative, a project that tries to show Americans the gravity of the threat and figure out what we can do about it.
“America, like most great empires, was born of the storms, mountains, and challenges of its frontiers,” Allenby told me this week. “Today, however, cyber is our frontier: It teems with its own dragons, and whether they will incinerate us, or whether we can slay them and continue to prosper, has yet to become clear.”
How do we combat the array of cyberthreats? Leon Panetta repeats the question I ask him, and pauses for a moment before answering. “The Russians have given us a wake-up call,” he says. “Whether we listen to that call will determine whether we have a future in the 21st century.”
Carl M. Cannon is the Washington Bureau Chief for RealClearPolitics. Reach him on Twitter @CarlCannon.