Dark Territory (43 page)

“tens of thousands of wholly domestic communications”:
Cited in ibid., 141–42.

But to some of the panelists:
This comes from interviews, but the thought is expressed throughout the report, for instance, 61, 76, 113–16, 125.

Morell and the staff . . . concluded:
Ibid., 144–45.

However, in
none
of those fifty-three files:
Ibid., 104; and interviews.

Alexander also revealed:
Ibid., 97; and interviews.

“This is bullshit”:
Stone, “Journeys” lecture, University of Chicago; and interviews.

“reduce the risk”:
President's Review Group, 118. For the other recommendations cited, see 34, 36, 86, 89.

“subvert, undermine, weaken”:
Ibid., 36–37.

Finally, lest anyone interpret the report:
These were Recommendations Nos. 37 through 46. Ibid., 39–42.

On December 13:
White House press spokesman Jay Carney cited the date in his Dec. 16 briefing,
https://www.whitehouse.gov/the-press-office/2013/12/16/daily-briefing-press-secretary-12162013
.

“to promote public trust”:
President's Review Group, 49.

“Although recent disclosures”:
Ibid., 75–76.

“no evidence of illegality”:
Ibid, 76.

“the lurking danger”:
Ibid., 113.

“We cannot discount”:
Ibid., 114.

On December 18:
White House, President's Schedule,
https://www.whitehouse.gov/schedule/president/2013-12-18
.

“We cannot prevent terrorist attacks”:
“Remarks by the President on Review of Signals Intelligence,” Jan. 17, 2014,
https://www.whitehouse.gov/the-press-office/2014/01/17/remarks-president-review-signals-intelligence
.

“in the sense that there's no clear line”:
Liz Gannes, “How Cyber Security Is Like Basketball, According to Barack Obama,”
re/code
, Feb. 14, 2015,
http://recode.net/2015/02/14/how-cyber-security-is-like-basketball-according-to-barack-obama/
.

The questions to be asked:
Michael Daniel, White House cybersecurity chief,
revealed this decision, and outlined these criteria, in his blog of April 28, 2014, headlined “Heartbleed: Understanding When We Disclose Cyber Vulnerabilities,”
https://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities
.

“unprecedented and unwarranted”:
The ruling came in the case of
ACLU v. Clapper
,
http://pdfserver.amlaw.com/nlj/NSA_ca2_20150507.pdf
. A lower court had ruled in favor of Clapper and thus upheld the FISA Court's concept of “relevance” and the legality of NSA bulk collection; the U.S. Court of Appeals for the 2nd Circuit in New York overturned that ruling. I analyzed the ruling and its implications in Fred Kaplan, “Mend It, Don't End It,”
Slate
, May 8, 2015,
http://www.slate.com/articles/news_and_politics/war_stories/2015/05/congress_should_revise_the_patriot_act_s_section_215_the_national_security.html
.

“To be clear”:
Stone published a shortened version of his talk, on the same day, as Geoffrey R. Stone, “What I Told the NSA,”
Huffington Post
, March 31, 2014,
http://www.huffingtonpost.com/geoffrey-r-stone/what-i-told-the-nsa_b_5065447.html
; this account of his speech is based on that article and on interviews.

CHAPTER 15: “WE ARE WANDERING IN DARK TERRITORY”

In the wee hours:
Most of the material on the Vegas hack is from Ben Elgin and Michael Riley, “Now at the Sands Casino: An Iranian Hack in Every Server,”
Bloomberg Businessweek
, Dec. 11, 2014,
http://www.bloomberg.com/bw/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas
; a bit is from interviews.

“Guardians of Peace”:
James Cook, “Sony Hackers Have Over 100 Terabytes of Documents,”
Business Insider
, Dec. 16, 2014; Mark Seal, “An Exclusive Look at Sony's Hacking Saga,”
Vanity Fair
, Feb. 2015; Kevin Mandia, quoted in “The Attack on Sony,”
60 Minutes
, CBS TV, Apr. 12, 2015,
http://www.cbsnews.com/news/north-korean-cyberattack-on-sony-60-minutes/
.

Sony had been hacked before:
Keith Stuart and Charles Arthur, “PlayStation Network Hack,”
The Guardian
, April 27, 2011; Jason Schreier, “Sony Hacked Again: 25 Million Entertainment Users' Info at Risk,”
Wired.com
, May 2, 2011,
http://www.wired.com/2011/05/sony-online-entertainment-hack/
.

The cost, in business lost:
Jason Schreier, “Sony Estimates $171 Million Loss
from PSN Hack,”
Wired.com
, May 23, 2011,
http://www.wired.com/2011/05/sony-psn-hack-losses/
.

So the lessons learned in one realm:
John Gaudiosi, “Why Sony Didn't Learn from Its 2011 Hack,”
Fortune.com
, Dec. 24, 2014,
http://fortune.com/2014/12/24/why-sony-didnt-learn-from-its-2011-hack/
.

“DarkSeoul”:
Brandon Bailey and Youkyung Lee, “Experts Cite Similarities Between Sony Hack and 2013 South Korean Hacks,” Associated Press, Dec. 4, 2014,
http://globalnews.ca/news/1707716/experts-cite-similarities-between-sony-hack-and-2013-south-korean-hacks/
.

“mercilessly destroy”:
David Tweed, “North Korea to ‘Mercilessly' Destroy Makers of Rogen Film,”
BloombergBusiness
, June 26, 2014,
http://www.bloomberg.com/news/articles/2014-06-26/north-korea-to-mercilessly-destroy-makers-of-seth-rogan-film
.

In public, officials said:
“The Attack on Sony,”
60 Minutes
; “NSA Chief Says Sony Attack Traced to North Korea After Software Analysis,” Reuters, Feb. 19, 2015, http://www.nytimes.com/reuters/2015/02/19/technology/19reuters-nsa-northkorea-sony.html?_r=0.

But the real reason:
David E. Sanger and Martin Fackler, “NSA Breached North Korean Network Before Sony Attack, Officials Say,”
New York Times
, Jan. 18, 2015; and interviews.

“made a mistake”:
“Remarks by the President in Year-End Press Conference,” White House, Dec. 19, 2014,
https://www.whitehouse.gov/the-press-office/2014/12/19/remarks-president-year-end-press-conference
.

“not just an attack”:
Statement by Secretary Johnson on Cyber Attack on Sony Pictures Entertainment, Department of Homeland Security, Dec. 19, 2014,
http://www.dhs.gov/news/2014/12/19/statement-secretary-johnson-cyber-attack-sony-pictures-entertainment
.

On December 22:
Nicole Perlroth and David E. Sanger, “North Korea Loses Its Link to the Internet,”
New York Times
, Dec. 22, 2014. That the U.S. government did not launch the attack comes from interviews.

“the first aspect of our response”:
Statement by the Press Secretary on the Executive Order “Imposing Additional Sanctions with Respect to North Korea,” White House, Jan. 2, 2015,
https://www.whitehouse.gov/the-press-office/2015/01/02/statement-press-secretary-executive-order-entitled-imposing-additional-sanctions-respect-north-korea
. The backstory on the pointed wording comes from interviews.

Those who heard Gates's pitch:
In President Obama's PPD-20, “U.S. Cyber Operations Policy,” one of the directives, apparently inspired by Gates's idea, reads as follows: “In coordination with the Secretaries of Defense and
Homeland Security, the AG, the DNI, and others as appropriate, shall continue to lead efforts to establish an international consensus around norms of behavior in cyberspace to reduce the likelihood of and deter actions by other nations that would require the United States Government to resort to” cyber offensive operations. In a follow-on memo, summarizing actions that the designated departments had taken so far, the addendum to this one reads: “Action: [Department of] State; ongoing”—signifying, in other words, no progress (
http://fas.org/irp/offdocs/ppd/ppd-20.pdf
).

In 2014, there were almost:
The precise numbers for 2014 were 79,790 breaches, with 2,122 confirmed data losses; for 2013, 63,437 breaches, with 1,367 losses. Espionage was the motive for 18 percent of the breaches; of those, 27.4 percent were directed at manufacturers, 20.2 percent at government agencies. Verizon,
2014 Data Breach Investigations Report
, April 2015, esp. introduction, 32, 52, file:///Users/fred/Downloads/rp_Verizon-DBIR-2014_en_xg%20(3).pdf. For 2013 data: Verizon,
2013 Data Breach Investigations Report
, April 2014, file:///Users/fred/Downloads/rp_data-breach-investigations-report-2013_en_xg.pdf.

On average, the hackers stayed inside:
Cybersecurity: The Evolving Nature of Cyber Threats Facing the Private Sector,
Before the Subcommittee on Information Technology, 114th Cong. (2015). (Statement of Richard Bejtlich, FireEye Inc.)
http://oversight.house.gov/wp-content/uploads/2015/03/3-18-2015-IT-Hearing-on-Cybersecurity-Bejtlich-FireEye.pdf
.

In 2013, two security researchers:
Andy Greenberg, “Hackers Remotely Kill a Jeep on the Highway—With Me in It,”
Wired
, July 21, 2015,
http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
. A team of university researchers spelled out this vulnerability still earlier, in Stephen Checkoway, et al., “Comprehensive Experimental Analyses of Automotive Attack Surfaces,”
http://www.autosec.org/pubs/cars-usenixsec2011.pdf
. The 2013 experiment by Charlie Miller and his colleague, Chris Velasek, was designed to test that paper's proposition.

“Nothing in this order”:
President Barack Obama, Executive Order—Improving Critical Infrastructure Cybersecurity, Feb. 12, 2013,
https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
.

“disrupting or completely beating”:
Department of Defense, Defense Science Board, Task Force Report,
Resilient Military Systems and the Advanced Cyber Threat
, Jan. 13, 2013, cover memo and executive summary, 1,
http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf
.

Some of the task force members:
Ibid., Appendix 2; “time machine” comes from interviews.

“The network connectivity”:
Ibid., Executive Summary, 15.

“built on inherently insecure architectures”:
Ibid., cover memo, 1, 31.

“With present capabilities”:
Ibid.

“Thus far the chief purpose”:
Bernard Brodie,
The Absolute Weapon
(New York: Harcourt Brace, 1946), 73–74, 76. For more on Brodie, and the subject generally, see Fred Kaplan,
The Wizards of Armageddon
(New York: Simon & Schuster, 1983).

“Define and develop enduring”:
Barack Obama, White House, “The Comprehensive National Cybersecurity Initiative,”
https://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative
.

“It took decades”:
Department of Defense, Defense Science Board, Task Force Report,
Resilient Military Systems and the Advanced Cyber Threat
, 51. Actually, in the mid-1990s, the RAND Corporation did conduct a series of war games that simulated threats and responses in cyber warfare; several included upper-midlevel Pentagon officials and White House aides as players, but no insiders took them seriously; the games came just a little bit too early to have impact. The games were summarized in Roger C. Molander, Andrew S. Riddile, Peter A. Wilson,
Strategic Information Warfare: A New Face of War
(Washington, D.C.: RAND Corporation, 1996). The dearth of impact comes from interviews.The presented a ninety-page paper, explaining how they did the hack (and spelling out disturbing implications), at the August 2015 Black Hat conference in Las Vegas (Remote Exploitation of an Unaltered Passenger Vehicle,” illmatics.com//remote7.20Car7.20Hacking.pdf).

“to consider the requirements”:
Undersecretary of Defense (Acquisition, Technology, and Logistics), Memorandum for Chairman, Defense Science Board, “Terms of Reference—Defense Science Board Task Force on Cyber Deterrence,” Oct. 9, 2014,
http://www.acq.osd.mil/dsb/tors/TOR-2014-10-09-Cyber_Deterrence.pdf
. The date of the first session and the names of the task force members come from interviews.

In 2011, when Robert Gates realized:
The directive is summarized, though obliquely, in Department of Defense,
Department of Defense Strategy for Operating in Cyberspace
, July 2011,
http://www.defense.gov/news/d20110714cyber.pdf
; see also Aliya Sternstein, “Military Cyber Strike Teams Will Soon Guard Private Networks,”
NextGov.com
, March 21, 2013,
http://www.nextgov.com/cybersecurity/cybersecurity-report/2013/03/military-cyber-strike-teams-will-soon-guard-private-networks/62010/
; and interviews.

“biggest focus”:
Quoted in Cheryl Pellerin, “Rogers: Cybercom Defending
Networks, Nation,”
DoD News
, Aug. 18, 2014,
http://www.defense.gov/news/newsarticle.aspx?id=122949
.