@War: The Rise of the Military-Internet Complex (11 page)

The companies that operated the networks and the power plants vehemently denied the accusations and pointed to public investigations that concluded the blackouts were triggered by natural causes, including overgrown trees that had shorted out strained power lines. No government official ever offered verifiable evidence that the Chinese were behind the blackouts. But the persistent rumors of the country's involvement were a measure of Washington's paranoia and dread about cyber attacks.

After a possible attack on US power grids, officials' next greatest concern is relentless theft of intellectual property and trade secrets from US companies, particularly by hackers in China. Alexander, who became the Cyber Command chief in 2010, called rampant Chinese industrial espionage “the greatest transfer of wealth in history.” By 2012, Congress finally felt compelled to act. It was six years after lawmakers' own computers were found to have been infected with spyware that was probably implanted by Chinese hackers.
Computers in several committee offices in the House of Representatives also were infected, including those overseeing commerce, transportation and infrastructure, homeland security, and the powerful Ways and Means Committee. The Congressional-Executive Commission on China, which monitors human rights and laws in China, was also hit. Most committee offices were found to have one or two infected computers. The International Relations Committee (now called the Foreign Affairs Committee), which oversees US foreign policy, including negotiations with China, had twenty-five infected computers and one infected server.

In 2012, proposals wound their way through Congress that, among other things, would give the government more authority to gather information about cyber intrusions and reconnaissance of networks from affected companies. The idea was to share information about potential threats but also to force companies to step up their own security. But some companies balked, fearful that the legislation marked a new wave of expensive and intrusive regulation. Companies were also worried that they might get sued by their customers for working with the government. Internet service providers wanted legal assurances that if they transmitted information about attacks in real time to the Defense or Homeland Security Departments, they wouldn't be held liable for any personal data those warnings might contain, such as the identities or Internet addresses of people whose packets had been intercepted or whose computers had been compromised.

The US Chamber of Commerce, a powerful trade association with deep pockets and a history of supporting Republican candidates for office, said legislation would give the government “too much control over what actions the business community could take to protect its computers and networks.”
At a moment when conservative officeholders in particular had been denouncing President Obama's health care law as government intrusion into citizens' private lives, the Chamber became the most vocal opponent of cyber legislation as another example of government excess. GOP lawmakers closed ranks behind them, and any chance for a comprehensive cyber law died.

In lieu of Congress acting, President Obama signed an executive order in February 2013 that made it US policy “to enhance the security and resilience of the Nation's critical infrastructure.” That term,
critical infrastructure
, was intentionally broad, in order to encompass a multitude of businesses and industries. The president defined it as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” By that definition, a power plant was certainly critical. But so was a bank. And a hospital. So were trains, buses, and trucking companies. Was UPS a critical infrastructure? To the extent that businesses depended on shipping and timely delivery of goods and services, maybe it was.

With the executive order, the Obama administration told Congress and businesses that it wasn't going to wait for a new law to extend government influence over the Internet. The order instructed federal agencies to start sharing more cyber threat information with companies; authorized the Commerce Department and the National Institute of Standards and Technology to come up with a “framework” of security standards that companies would be encouraged to adopt; and told the secretary of Homeland Security to draw up a list of critical infrastructures “where a cybersecurity incident could reasonably result in catastrophic regional or national effects.”

The White House was still prepared to fight for a new cyber law. But in the meantime, Obama's order did something profound: it gave the military the green light to prepare for cyber war.

 

Obama's executive order, along with a classified presidential directive signed five months earlier and not released publicly, made it clear that the military had the lead in defending the nation during a cyber attack. Just as the armed forces would swing into action if the United States were invaded by a foreign army, or if missiles were flying toward US cities, the country's cyber forces would get the call to defend against a digital attack—and to retaliate.

The executive order made it easier for the Defense Department to expand its classified threat intelligence sharing program beyond the defense industrial base to more of those “critical infrastructure” sectors that the government would define. And the separate directive, known as PDD-20, spelled out how the military would go to cyber war, under what circumstances, and who may give the orders.

Any cyber strike has to be ordered by the president. But during an emergency the president can designate that authority to the secretary of defense. If a power plant, for instance, were under imminent attack, and there was no time to get the president's approval for defensive actions—which could involve a counterstrike on the source of attack—then the secretary could give the order.

But PDD-20 isn't really about cyber defense. It instructs the military to draw up a list of overseas targets “of national importance,” where it would be easier or more effective for the United States to attack with a cyber weapon than a conventional one. These are the equivalent of Cold War–era, high-priority targets in the Soviet Union, where bombers would drop their payload in the event of a war. PDD-20 does not name individual targets, but those of national importance would naturally be communications systems; command-and-control networks used by military forces; financial networks; air defense and traffic control systems; and critical infrastructures, such as electrical grids. These are the same kinds of targets that a foreign army would draw up on the United States for a cyber war.

The directive also instructs other government departments and agencies, including the State Department, the FBI, the NSA, the Treasury Department, and the Energy Department, to make plans for retaliating against “persistent malicious cyber activity against US Interests” when “network defense or law enforcement measures are insufficient or cannot be put in place in time.” The military would carry out those attacks as well, at the president's instruction.

PDD-20 is seen by military commanders and civilians as the rules of the road for cyber war, a crucial document that spells out lines of authority and command, responsibilities, and broad principles. It says the United States will conduct cyber warfare consistent with the international law of armed conflict: strikes must be designed to cause minimal collateral damage and must be waged in proportion to the threat or the attack on the United States. The military must also be cautious not to disrupt or destroy networks that may be connected to the ones they're targeting. A virus or worm designed to attack a power plant in Iran must not be allowed to destroy a plant in China. “We don't want to start World War III,” says Ann Barron-DiCamillo, a senior official at the Homeland Security Department who works with the Defense Department to coordinate responses to cyber attacks in the United States.

As important as these rules are, PDD-20 does something more fundamental to the way the United States will fight wars in the future: it elevates cyber operations to the status of traditional combat, and instructs the armed forces to integrate offensive cyber warfare “with other US offensive capabilities,” on land, in the air, at sea, and in space.

 

The military has three principal cyber war missions, and three kinds of forces with which to conduct them.

The first mission, and the largest force, runs and defends the military's networks around the world—everywhere from the battlefields of Iraq and Afghanistan to the waters of the Pacific, where the combined forces of the army, navy, air force, and marines would be the first line of attack in any war with China. These “cyber protection forces,” as the military calls them, try to keep foreign adversaries and hackers out of those military networks. Attempted intrusions occur several thousands of times a day, but these are mostly automated probes, not really attacks, and they can be fended off with automated software. The Defense Department also limits the number of points where its networks connect to the public Internet, which helps fortify the military's defenses. Filters scan every piece of information that moves through those points, looking for worms, viruses, and other indicators of an attempted intrusion, such as traffic coming from Internet addresses suspected of being used by foreign militaries and intelligence services.

This is everyday defense. The protection forces would really earn their stripes in the event of a full-scale war, when a US adversary would bring out its most sophisticated cyber weapons and best warriors in order to disable the military's command-and-control networks or corrupt information inside them. These cyber strikes might happen before the first exchange of gunfire, as a prelude to more traditional combat, or as part of an active “kinetic” operation. For instance, during the war in the Balkans in the 1990s, US hackers penetrated Bosnian air defense systems and tricked controllers into thinking that invading aircraft were coming from one direction, when really they were coming from another.

The military's defense mission is constrained by the fact that it doesn't actually own and operate most of its network infrastructure: 99 percent of the electricity and 90 percent of the voice-communications services the military uses come from privately owned cables, routers, and other infrastructure. Protecting the military's networks “is not getting any easier because of our reliance on key networks and systems that are not directly under DOD's control,” says Major General John Davis, the Pentagon's military cyber security adviser.

So, the cyber protection forces have created “hunt teams” that work with the cyber spies at the NSA and the Defense Intelligence Agency to find potential threats in military networks before they strike. As part of those efforts, the military has access to a database containing dossiers on every known hacker in China, according to an official with a Pentagon contractor that provides tracking services. The dossier notes which kinds of malware the hacker likes to use, what systems he has been known to target, and where he is believed to be operating. In some cases the dossier also includes a photograph, obtained by intelligence operatives in China or purchased through private intelligence companies whose employees follow hackers on the ground. By knowing who the hackers are, the military can raise defenses against their preferred targets. But it can also attempt to lure the hacker into a system with false or misleading information, known as a honeypot, and then track his movements in a controlled environment. The longer he stays inside, trying to steal what he believes to be important documents, the longer the US spies can study his craft and develop ways to counter it.

An NSA unit known as the Transgression Branch specializes in this kind of track-the-hacker work and takes things one step further.
The branch watches a hacker break into another country's computer system, then follows him inside. In a 2010 operation called Ironavenger, the Transgression Branch saw e-mails containing malware being sent to a government office in a hostile country—one that the NSA wanted to know more about. Upon further inspection, the branch discovered that the malware was coming from a US ally, whose own intelligence service was trying to break in. The Americans let their allies do the hard work and watched silently as they scooped up passwords and sensitive documents from the adversary's system. The Americans saw everything the allies saw and got some inside knowledge about how they spied.

The second of the military's cyber missions is supporting the armed forces in combat. These are the cyber warriors fighting alongside their traditionally armed compatriots. They comprise teams that conduct defense and offense, and they are spread out across the armed forces. Each one has a separate focus, depending on its branch of service. For instance, the air force is training its cyber warriors to hack into enemy air defense and traffic control systems, while the army is focused on land operations, penetrating command-and-control systems of artillery, for instance.

In a remarkable shift from the earlier days of cyber war, cyber attacks in battle no longer require the approval of the president in every instance.
According to the Joint Chiefs of Staff's official guidance on targeting, much of the decision making about who and what to attack is up to the head of US Cyber Command. “Targeting for cyberspace generally follows the processes and procedures used for traditional targeting,” the guidance states. In other words, the military now thinks cyber weapons are not so different from missiles, bombs, and bullets. Military commanders are cautioned to remember “the unique nature of cyberspace as compared to the traditional physical domains”—that is, the possibility that a cyber weapon could cause widespread collateral damage.

The skills of these support teams are overlapping, which means that in future wars, an army hacker could hop over to an air force mission with little trouble. During the Iraq War, army operators cracked the cell phones of insurgents and sent them misleading messages, because the army was on the ground fighting the insurgents. But air force cyber warriors also have the skills to conduct that kind of deception operation, and there's no reason they couldn't step in if the army was tied up fighting other battles. Likewise, a navy cyber warrior, who is trained to hack the navigation systems of an enemy submarine or fry a ship's radar, could wreak havoc on a commercial telecom network.