Dark Territory (41 page)

Authors: Fred Kaplan

The pivotal moment:
The section on Buckshot Yankee comes mainly from interviews, but also from Karl Grindal, “Operation Buckshot Yankee,” in Jason Healey, ed., A Fierce Domain: Conflict in Cyberspace 1986 to 2012 (Washington, D.C.: Atlantic Council, 2013); Harris, @War, Ch. 9; William J. Lynn III, “Defending a New Domain: The Pentagon's Cyberstrategy,” Foreign Affairs, Sept./Oct. 2010.

When he first took the job:
For more on Gates as defense secretary, see Kaplan, “The Professional”; and Kaplan, The Insurgents: David Petraeus and the Plot to Change the American Way of War (New York: Simon & Schuster, 2013), Ch. 18.

On June 23, 2009:
U.S. Dept. of Defense, “U.S. Cyber Command Fact Sheet,” May 25, 2010, http://www2.gwu.edu/~nsarchiv/NSAEBB/NSAEBB424/docs/Cyber-038.pdf.

On July 7, 2010, Gates had lunch:
This section comes mainly from interviews, though the plan is briefly mentioned, along with the dates of the two meetings, in Robert Gates, Duty: Memoirs of a Secretary at War (New York: Alfred A. Knopf, 2014), 450–51.

“war zone”:
This section is based mainly on interviews, though in a Reuters profile, upon her resignation in 2013, Lute said, “The national narrative on cyber has evolved. It's not a war zone, and we certainly cannot manage it as if it were a war zone. We're not going to manage it as if it were an intelligence program or one big law-enforcement operation.” (Joseph Menn, “Exclusive: Homeland Security Deputy Director to Quit; Defended Civilian Internet Role,” Reuters, April 9, 2013, http://www.reuters.com/article/2013/04/09/us-usa-homeland-lute-idUSBRE9380DL20130409.)

In the end, they approved Brown:
The watered-down version of the arrangement, “Memorandum of Agreement Between the Department of Homeland Security and the Department of Defense Regarding Cybersecurity,” signed by Gates on Sept. 24 and by Napolitano on Sept. 27, 2010, can be found at http://www.defense.gov/news/d20101013moa.pdf.

CHAPTER 11: “THE WHOLE HAYSTACK”

The hearings led to the passage:
The section of FISA dealing with electronic surveillance is 50 U.S.C. 1802(a).

After the attacks of September 11:
A good summary is Edward C. Liu, “Amendments to the Foreign Intelligence Surveillance Act (FISA) Extended Until June 1, 2015,” Congressional Research Service, June 16, 2011, https://www.fas.org/sgp/crs/intel/R40138.pdf.

“badly out of date”:
“The President's Radio Address,” July 28, 2007, Public Papers of the Presidents of the United States: George W. Bush, 2007, Book II (Washington, D.C.: US Government Printing Office, 2007), 1027–28, http://www.gpo.gov/fdsys/pkg/PPP-2007-book2/html/PPP-2007-book2-doc-pg1027.htm.

“electronic surveillance of” an American:
Text of the Protect America Act of 2007, https://www.govtrack.us/congress/bills/110/s1927/text.

“connect the dots”:
For instance, see The 9/11 Commission Report, 408 and passim, http://www.9-11commission.gov/report/911Report.pdf.

“the whole haystack”:
The metaphor was first used by a “former intelligence officer” quoted in Ellen Nakashima and Joby Warrick, “For NSA Chief, Terrorist Threat Drives Passion to ‘Collect It All,’ ” Washington Post, July 14, 2013. But Alexander was known to use the phrase, too. (Interviews.)

Still, on February 9:
White House press release, Feb. 9, 2009, http://www.whitehouse.gov/the_press_office/AdvisorsToConductImmediateCyberSecurityReview/.

It took longer than sixty days:
White House press release, May 29, 2009, http://www.whitehouse.gov/the-press-office/cybersecurity-event-fact-sheet-and-expected-attendees.

It read uncannily like:
White House, Cyberspace Policy Review, http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf; quotes come from i, iv, v, vi.

“share the responsibility”:
Ibid., 17.

“this cyber threat”:
White House, “Remarks by the President on Securing the Nation's Cyber Infrastructure,” East Room, May 29, 2009.

CHAPTER 12: “SOMEBODY HAS CROSSED THE RUBICON”

George W. Bush personally briefed:
David Sanger, Confront and Conceal (New York: Crown, 2012), xii, 190, 200–203.

The operation had been set in motion:
Ibid., 191–93.

In their probes:
Ibid., 196ff; Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (New York: Crown, 2014), Ch. 1.

This would be a huge operation:
Ellen Nakashima and Joby Warrick, “Stuxnet Was Work of U.S. and Israeli Experts, Officials Say,” Washington Post, June 2, 2012.

uninterruptible power supplies:
Zetter, Countdown to Zero Day, 200–201.

A multipurpose piece of malware:
Ibid., 276–79. Much of Zetter's information comes from the computer virus specialists at Symantec and Kaspersky Lab who discovered Stuxnet. A typical malicious code took up, on average, about 175 lines. (Interviews.)

To get inside the controls:
Ibid., 90, 279.

It took eight months:
Sanger, Confront and Conceal, 193.

At the next meeting:
Ibid., xii.

There was one more challenge:
Ibid., 194–96; and interviews. It has not yet been revealed who installed the malware-loaded thumb drives on the Iranian computers. Some speculate that it was an Israeli agent working at Natanz, some that a foreign agent (possibly with the CIA's Information Operations Center) infiltrated the facility, some say that contaminated thumb drives were spread around the area until someone unwittingly inserted one into a computer.

Not only would the malware:
Zetter, Countdown to Zero Day, 61, 117, 123.

Once in the White House:
Ibid., 202.

but this particular worm was programmed:
Ibid., 28.

Obama phoned Bush to tell him:
In his memoir, Duty (New York: Alfred A. Knopf, 2014), 303, Robert Gates writes that “about three weeks after” Obama's inauguration, “I called Bush 43 to tell him that we had had a significant success in a covert program he cared about a lot.” Soon after, “Obama told me he was going to call Bush and tell him about the covert success.” Gates doesn't say that the classified program was Stuxnet, but it's clear from the context—and from other sections of the book where he mentions a classified program related to Iran (190–91) and denounces the leak (328)—that it is.

In March, the NSA shifted its approach:
Zetter, Countdown to Zero Day, 303.

The normal speed:
David Albright, Paul Brannan, and Christina Walrond, “ISIS Reports: Stuxnet Malware and Natanz” (Washington, D.C.: Institute for Science and International Security), Feb. 15, 2011, http://isis-online.org/uploads/isis-reports/documents/stuxnet_update_15Feb2011.pdf.

They'd experienced technical problems:
An unclassified version of a 2007 National Intelligence Estimate noted that Iran was experiencing “significant technical problems operating” centrifuges (“Key Judgments from a National Intelligence Estimate on Iran's Nuclear Activity,” reprinted in New York Times, Dec. 4, 2007); this was well before Stuxnet was activated.

By the start of 2010:
Zetter, Countdown to Zero Day, 1–3. Similar estimates are in Albright et al., “ISIS Reports: Stuxnet Malware and Natanz.”

President Obama—who'd been briefed:
During briefings on Olympic Games, large foldout maps of the Natanz reactor were spread across the Situation Room (Sanger, Confront and Conceal, 201).

Almost at once:
Michael Joseph Gross, “A Declaration of Cyber-War,” Vanity Fair, February 28, 2011. For more details, see Nicolas Falliere, Liam O. Murchu, and Eric Chien, “Symantec Security Response: W32.Stuxnet Dossier,” https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf; David Kushner, “The Real Story of Stuxnet,” IEEE Spectrum, Feb. 26, 2013, http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet; Eugene Kaspersky, “The Man Who Found Stuxnet—Sergey Ulasen in the Spotlight,” Nota Bene, Nov. 2, 2011, http://eugene.kaspersky.com/2011/11/02/the-man-who-found-stuxnet-sergey-ulasen-in-the-spotlight/.

Microsoft issued an advisory:
“Microsoft Security Bulletin MS10-046 - Critical: Vulnerability in Windows Shell Could Allow Remote Execution,” Aug. 2, 2010 (updated Aug. 24, 2010), https://technet.microsoft.com/en-us/library/security/ms10-046.aspx; Zetter, Countdown to Zero Day, 279.

By August, Symantec had uncovered:
Nicolas Falliere, “Stuxnet Introduces the First Known Rootkit for Industrial Control Systems,” Symantec Security Response Blog, Aug. 6, 2010, http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices.

In September, a German security researcher:
Sanger, Confront and Conceal, 205–6; Joseph Gross, “A Declaration of Cyber-War.”

At that point, some of the American software sleuths:
Zetter, Countdown to Zero Day, 187–89; and interviews.

When Obama learned:
Ibid., 357.

The postmortem indicated:
David Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” New York Times, June 1, 2012.

“offensive capabilities in cyber space”:
Quoted in Richard A. Clarke and Robert K. Knake, Cyber War (New York: HarperCollins, 2010), 44–47.

“cyber-offensive teams”:
Zachary Fryer-Biggs, “U.S. Sharpens Tone on Cyber Attacks from China,” DefenseNews, March 18, 2013, http://mobile.defensenews.com/article/303180021; and interviews.

In Obama's first year as president:
Choe Sang-Hun and John Markoff, “Cyberattacks Jam Government and Commercial Web Sites in U.S. and South Korea,” New York Times, July 18, 2009; Clarke and Knake, Cyber War, 23–30.

A year and a half later:
Zetter, Countdown to Zero Day, 276–79.

Four months after that:
Nicole Perlroth, “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back,” New York Times, Oct. 23, 2013.

“demonstrated a clear ability”:
“Iran—Current Topics, Interaction with GCHQ: Director's Talking Points,” April 2013, quoted and linked in Glenn Greenwald, “NSA Claims Iran Learned from Western Cyberattacks,” The Intercept, Feb. 10, 2015, https://firstlook.org/theintercept/2015/02/10/nsa-iran-developing-sophisticated-cyber-attacks-learning-attacks/. The document comes from the cache leaked by Edward Snowden. The essential point is confirmed by interviews.

At what point, he asked:
Gates, Duty, 451; and interviews.

“Previous cyber-attacks had effects”:
Sanger, Confront and Conceal, 200.

“Trilateral Memorandum of Agreement”:
The memorandum of agreement is mentioned in a footnote in Barack Obama, Presidential Policy Directive, PPD-20, “U.S. Cyber Operations Policy,” Oct. 2012, https://www.fas.org/irp/offdocs/ppd/ppd-20.pdf. PPD-20 is among the documents leaked by Edward Snowden.

An action report on the directive:
This is noted in boldfaced brackets in the copy of the document that Snowden leaked.

“You can't have something that's a secret”:
Andrea Shalal-Esa, “Ex-U.S. General Urges Frank Talk on Cyber Weapons,” Reuters, Nov. 6, 2011, http://www.reuters.com/article/2011/11/06/us-cyber-cartwright-idUSTRE7A514C20111106.

“the authority to develop”:
William B. Black Jr., “Thinking Out Loud About Cyberspace,” Cryptolog, Spring 1997 (declassified Oct. 2012), http://cryptome.org/2013/03/cryptolog_135.pdf. Black's precise title at the NSA was special assistant to the director for information warfare.

CHAPTER 13: SHADY RATS

“rebalancing its global posture”:
Thomas Donilon, speech, Asia Society, New York City, March 11, 2013, http://asiasociety.org/new-york/complete-transcript-thomas-donilon-asia-society-new-york.

Then on February 18, Mandiant:
Mandiant, APT1: Exposing One of China's Cyber Espionage Units, Feb. 18, 2013, http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf.

The Times ran a long front-page story:
David Sanger, David Barboza, and Nicole Perlroth, “Chinese Army Unit Is Seen as Tied to Hacking Against U.S.,” New York Times, Feb. 18, 2013. The Chinese response (“irresponsible,” “unprofessional,” etc.) is quoted in the same article.
