Dark Territory (37 page)

A month earlier, on March 19, at hearings before the Senate Armed Services Committee, Admiral Rogers expressed the point more directly still, saying that deterring a cyber attack required addressing the question:
“How do we increase our capacity on the offensive side?”

Senator John McCain, the committee's Republican chairman, asked if it was true that the “current level of deterrence is not deterring.”

Rogers replied, “That is true.” More cyber deterrence meant more cyber offensive tools and more officers trained to use them, which meant more money and power for Cyber Command.

But
was
this true? At an earlier hearing, Rogers had made headlines by testifying that China and
“probably one or two other countries” were definitely inside the networks that controlled America's power grids, waterworks, and other critical assets. He didn't say so, but America was also inside the networks that controlled such assets
in those other countries. Would burrowing more deeply deter an attack, or would it only tempt both sides, all sides, to attack the others' networks preemptively, in the event of a crisis, before the other sides attacked their networks first? And once the exchanges got under way, how would anyone keep them from escalating to more damaging cyber strikes or to all-out war?

These were questions that some tried to answer, but no one ever did, during the nuclear debates and gambits of the Cold War. But while nuclear weapons were incomparably more destructive, there were four differences about this new arms race that made it more likely to careen out of control. First, more than two players were involved, a few were unpredictable, and some weren't even nation-states. Second, an attack would be invisible and, at first, hard to trace, boosting the chances of mistakes and miscalculations on the part of the country first hit. Third, a bright, bold firewall separated using nuclear weapons from not using nuclear weapons; the countries that possessed the weapons were constrained from using them, in part, because no one knew how fast and furious the violence would spiral, once the wall came down. By contrast, cyber attacks of one sort or another were commonplace: they erupted more than two hundred times a day, and no one knew—no one had ever declared, no one could predict—where the line between mere nuisance and grave threat might be drawn; and so there was a higher chance that someone would cross the line, perhaps without intending or even knowing it.

Finally, there was the extreme secrecy that enveloped everything about cyber war. Some things about nuclear weapons were secret, too: details about their design, the launch codes, the targeting plans, the total stockpile of nuclear materials. But the basics were well known: their history, how they worked, how many there were, how much destruction they could wreak—enough to facilitate an intelligent conversation, even by people who didn't have Top Secret
security clearances. This was not true of cyber: when Admiral Rogers testified that he wanted to “increase our capacity on the offensive side,” few, if any, of the senators had the slightest idea what he was talking about.

In the five guys report on NSA reform, which President Obama commissioned in 2013 in the wake of the Snowden revelations, the authors acknowledged, even stressed, the need to keep certain sources, methods, and operations highly classified. But they also approvingly quoted a passage from the report by Senator Frank Church, written in the wake of another intelligence scandal—that one, clearly illegal—almost forty years earlier.
“The American public,” he declared, “should know enough about intelligence activities to be able to apply their good sense to the underlying issues of policy and morality.”

This knowledge, which Senator Church called “the key to control,” has been missing from discussions of policy, strategy, and morality in cyber war. We are all wandering in dark territory, most of us only recently, and even now dimly, aware of it.

I
. As a compromise, when Obama issued an executive order imposing new sanctions against North Korea, on January 2, 2015, White House spokesman Josh Earnest pointedly called it
“the first aspect of our response” to the Sony hacking. Listeners could infer from the word “first” that the United States had not shut down North Korea's Internet eleven days earlier. But no official spelled this out explicitly, at least not on the record.

II
. In 2013, two
security researchers—including Charlie Miller, a former employee at the Office of Tailored Access Operations, the NSA's elite hacking unit—hacked into the computer system of a Toyota Prius and a Ford Escape, then disabled the brakes and commandeered the steering wheel while the cars were driven around a parking lot. In that test, they'd wired their laptops to the cars' onboard diagnostic ports, which service centers could access online. Two years later, they took control of a Jeep Cherokee
wirelessly
, after discovering many vulnerabilities in its onboard computers—which they also hacked wirelessly, through the Internet, cellular channels, and satellite data-links—while a writer for
Wired
magazine drove the car down a highway. Fiat Chrysler, the Jeep's manufacturer, recalled 1.4 million vehicles, but Miller made clear that most, maybe all, modern cars were probably vulnerable in similar ways (though none of them were recalled). As with most other devices in life, their most basic functions had been computerized—and the computers hooked up to networks—for the sake of convenience, their manufacturers oblivious to the dangers they were opening up. The signs of a new dimension in the cyber arms race—involving sabotage, mayhem, terrorism, even assassination plots, carried out more invisibly than drone strikes—seemed ominous and almost inevitable.

I
CAME UP
with the idea for this book—the contract was drawn up, the research was begun, the first interviews with sources were conducted—before the world had heard of Edward Snowden; before
metadata
,
PRISM
, and
encryption
entered the banter of common conversation; before cyber attacks—launched by China, Russia, North Korea, Iran, organized crime groups and, yes, the United States government—became the stuff of headline news seemingly every day. My proposal was to write a
history
of what has broadly come to be called “cyber war,” and my interest in the idea grew as the stories piled up about Snowden and the thousands of documents he leaked, because it was clear that few people, even among those who studied the documents closely (I suspect, even among those who wrote about the documents, even Snowden himself) knew that there
was
a history or, if they did, that this history stretched back not a few years but five decades, to the beginnings of the Internet itself.

This book can be seen as the third in a series of books that I've written about the interplay of politics, ideas, and personalities in modern war. The first,
The Wizards of Armageddon
(1983), was about the think-tank intellectuals who invented nuclear strategy and wove its tenets into official policy. The second,
The Insurgents
(2013), was about the intellectual Army officers who revived counterinsurgency doctrine and tried to apply it to the wars in Iraq and Afghanistan. Now,
Dark Territory
traces the players, ideas, and technology of the looming cyber wars.

On all three books, I've had the great fortune of working with Alice Mayhew, the legendary editor at Simon & Schuster, and it's to her that I owe their existence. The seeds of this book were planted during a conversation in her office either in December 2012 or January 2013 (just before
or just after publication of
The Insurgents
), when, trying to nudge me into writing another book, Alice asked what the next big topic in military matters was likely to be. I vaguely replied that this “cyber” business might get serious. She asked me more questions; I answered them as fully as I could (I didn't really know a lot about the subject at the time). By the time the meeting ended, I was committed to looking into a book about cyber war—first, to see if there was a story there, a story with characters and a narrative pulse. It turned out, there was.

I thank Alice for prodding me in this direction and for asking other pointed questions at every step along the way. I thank the entire S&S team on the project: Stuart Roberts, Jackie Seow, Jonathan Evans, Maureen Cole, Larry Hughes, Ellen Sasahara, Devan Norman, and, especially, the publisher, Jonathan Karp. I thank Fred Chase for scrupulous copyediting. I thank Alex Carp and Julie Tate for diligent fact-checking (though I bear total responsibility for any errors that remain).

Additional support came from the Council on Foreign Relations, where I was the Edward R. Murrow press fellow during the year when I did much of the book's research. I thank, in particular, the fellowship's leaders, Janine Hill, Victoria Alekhine, and, my energetic assistant during the year, Aliya Medetbekova, as well as the Council's many fellows, staff specialists, and visiting speakers with whom I had spirited conversations. (I should stress that neither the Council nor anyone at the Council had any role whatsoever in the book itself, beyond providing me a nice office, stipend, and administrative assistance.)

In the course of my research, I interviewed more than one hundred people who played a role in this story, many of them several times, with follow-ups in email and phone calls. They ranged from cabinet secretaries, generals, and admirals (including six directors of the National Security Agency) to technical specialists in the hidden corridors of the security bureaucracy (not just the NSA), as well as officers, officials, aides, and analysts at every echelon in between. All of these interviews were conducted in confidence; most of the sources agreed to talk with me only under those conditions, though I should note that almost all of the book's facts (and, when it comes to historically new disclosures,
all
the facts) come from at least two sources in positions to know. I thank all of these people: this book would not exist without you.

I also thank Michael Warner, the official historian of U.S. Cyber Command, and Jason Healey and Karl Grindal of the Cyber Conflict Studies Association, whose symposiums and collections of declassified documents were instrumental in persuading me, at an early phase of the project, that there
was
a story, a history, to be told here.

This is my fifth book in thirty-three years, and they've all been guided into daylight by Rafe Sagalyn, my literary agent, who has stood by throughout as taskmaster, counselor, and friend. I thank him once again, as well as his patient assistants, Brandon Coward and Jake DeBache.

Finally, I am grateful to my friends and family for their encouragement in so many ways. I especially thank my mother Ruth Kaplan Pollack, who has always been there with support of various kinds; my wife, Brooke Gladstone, who has loomed as my best friend, life's love, and moral compass since we were both barely out of our teens; and our daughters, Sophie and Maxine, whose integrity and passion continue to astonish me.

© CAROL DRONSFIELD

Fred Kaplan
writes the “War Stories” column for
Slate
. A former Pulitzer Prize-winning reporter for the
Boston Globe
, he is the author of four previous books,
The Insurgents: David Petraeus and the Plot to Change the American Way of War
(which was a Pulitzer Prize finalist),
1959: The Year Everything Changed
,
Daydream Believers: How a Few Grand Ideas Wrecked American Power
, and
The Wizards of Armageddon
(which won the Washington Monthly Political Book of the Year Award). He has a PhD in political science from MIT. He lives in Brooklyn with his wife, Brooke Gladstone.

MEET THE AUTHORS, WATCH VIDEOS AND MORE AT

SimonandSchuster.com

authors.simonandschuster.com/Fred-Kaplan

ALSO BY FRED KAPLAN

The Insurgents: David Petraeus and the Plot to Change the American Way of War

1959: The Year Everything Changed

Daydream Believers: How a Few Grand Ideas Wrecked American Power

The Wizards of Armageddon

M
UCH OF
the material in this book comes from interviews, all conducted on background, with more than a hundred participants in the story, many of them followed up with email, phone calls, or repeated in-person interviews. (For more about these sources, see the Acknowledgments.) In the Notes that follow, I have not cited sources for material that comes strictly from interviews. For material that comes in part from written sources (books, articles, documents, and so forth) and in part from interviews, I have cited those sources, followed by “and interviews.”