@War: The Rise of the Military-Internet Complex (15 page)

The cyber warriors have also racked up victories against terrorist groups, which themselves recognize no borders. The ROC has infiltrated various websites and forums that al-Qaeda operatives use to communicate. One internal communication among ROC hackers claimed that they could infect “pretty much anyone” who visited a particular web forum with a piece of spyware or a virus.

US cyber warriors have scored impressive victories against the remnants of al-Qaeda and its affiliates. In August 2013 a senior airman—the equivalent of an army corporal—at the air force's Seventieth Intelligence, Surveillance and Reconnaissance Wing was sifting through troves of intercepted communications when he noticed what seemed like a suspicious communication. The wing, which reports up to US Cyber Command at Fort Meade, regularly breaks in to other countries' communications networks to steal information about weapons, monitor compliance with treaties, and scramble command-and-control information. But this communication wasn't about a nation-state. The airman, a linguist by training, had spotted information that alerted the military to a “conference call” of al-Qaeda leaders, who were planning an attack.
He alerted his senior officers, who ran the information all the way up the chain of command to President Obama.

The information prompted the State Department to temporarily close embassies in twenty-two countries across the Middle East. The terror alert was one of the biggest in recent memory, and it put the intelligence community, the military, and Americans abroad on heightened alert to the possibility of a major attack targeting US embassies and other government facilities abroad.

The conference call was conducted not via phone but on an encrypted Internet messaging system.
Based on reporting by
The
Daily Beast
, which first broke news of the meeting, as well as statements by a senior air force general, we can conclude that the airman discovered minutes of the meeting, uploaded as text documents to a series of encrypted accounts by an al-Qaeda courier. It now appears that the airman deciphered those documents and translated them, giving the United States the ability to intercept future documents and also locate the courier, who was later arrested by Yemeni authorities with help from the CIA. The courier was carrying a recording of another Internet-hosted meeting of more than twenty senior al-Qaeda leaders around the world.

 

Life on the frontlines of the cyber war has changed America's soldiers and opened their eyes to a world of threats they'd never appreciated. After he returned from Iraq, in 2007, Captain Bob Stasio found himself at lunch one day at the NSA's headquarters in Fort Meade, sitting next to a three-star general.
The room was filled with men and women in uniform, and Stasio listened as one of them read a citation extolling the work that Stasio and his fellow cyber warriors had done in Iraq. How a small, 35-member signals intelligence platoon had made possible the capture of 450 high-value targets—an astonishing number for any outfit, but particularly for one platoon. How the number of attacks dropped 90 percent in less than a year. For their efforts, Stasio and his colleagues were being given the prestigious Director's Award, the highest honor bestowed in signals intelligence. At the time, Stasio's was the smallest unit ever to win it.

As the speaker read Stasio's name and the audience applauded, the three-star general sitting next to him smiled and gave him a gentle nudge. “Good job,” said Keith Alexander, NSA director.

It was just the beginning of their new relationship. Alexander brought Stasio to work for the Commander's Action Group, Alexander's “A-team.” Stasio reported to a senior officer who reported directly to Alexander. Stasio did some of the early work helping to set up the new Cyber Command. In 2009 he took command of a company in charge of army cyber operations at the NSA. He was overseeing seventy soldiers and more advanced and expensive equipment than he'd ever seen in one place. He pulled double duty as a watch officer, in a computer network operations center that he thought resembled the Mission Control room at NASA's Johnson Space Center. Stasio eventually left the army, but he stayed at NSA as a civilian and became the chief of operations at the NSA's Cyber Center.

There Stasio worked in what he describes as “constant crisis mode.” He could see now how military networks were constantly being probed and scanned by hackers looking for a way in. But also how the whole Internet was filled with people trying to steal information, commandeer computers, or damage information networks and the infrastructure attached to them. The job opened Stasio's eyes to a world of threats that, he thought, few people truly appreciated or were prepared to address. Stasio knew the damage that hackers could do—because he'd done it. Sometimes, when he heard a story on the news about a train derailment, he'd wonder,
Did a hacker cause that?

Stasio spent the years to come waiting for a catastrophic cyber attack on the United States. After leaving the NSA he started his own cyber security company, Ronin Analytics, and listened to corporate executives praising their sophisticated cyber defense operations and the resilience of their networks. Swearing that they were well protected. That they were safe.

He'd shake his head and think,
You don't see what I see.

FIVE

T
HE INTERNET WAS
a battlefield. But the enemy was hiding in plain sight. Everywhere Keith Alexander looked in cyberspace, he saw threats. To banks. To the power grid. To military and intelligence computer networks. How would the NSA's cyber warriors ever find them all?

The year after Alexander arrived at the NSA, he warned his staff that “the fight on the network” was coming. The agency had to evolve from its counterterrorism mission, which had been running full steam since after the 9/11 attacks, toward finding and fighting hackers, whether they were working with terrorist organizations, criminal rings, or nations. Alexander sent a memo to NSA personnel assigned to a secret program known as Turbulence. It was an early attempt to monitor hackers and malware around the world using a network of sensors, and in some cases to launch cyber attacks to neutralize a threat. Alexander informed the Turbulence team that there was “nothing more important in this agency” than their work.

To accomplish the mission, the NSA had to become more aggressive about implanting surveillance and monitoring devices on computers around the world. American hackers who had sworn an oath to defend the nation from cyber threats would start to think like their adversaries; they must be cunning and devious. Many of the same tactics they were trying to defend against, they would adopt. The cyber warriors were about to enter a gray zone, where in their quest to secure the Internet they would undermine its very foundations.

As the NSA's cyber warriors scanned the horizon for threats, they realized that certain key attributes of cyberspace would become impediments to their mission. So they decided to remove those obstacles. Among the first they set their sights on was a popular routing system, called Tor, that allows people around the world to connect to the Internet anonymously. Tor isn't a criminal enterprise, nor is it run by enemies of the United States. It was actually developed by the US Naval Research Laboratory in 2002, and it's used today by democracy activists and dissidents to evade the surveillance of oppressive regimes. But it's also favored by malicious hackers, spies, and crooks who use it to shield their location when conducting operations. Tor also provides an avenue to darker corners of the Internet, where people anonymously buy and sell illicit goods and services, including drugs, weapons, computer viruses, and hacking services, even murder-for-hire.

Anonymity is the bane of NSA's cyber war operations. The hackers can't hit a target if they don't know where it is. So it was hardly surprising that the NSA began trying to undermine the anonymizing features of Tor as early as 2006.
And it has kept trying for years.

Users of Tor, which stands for “The Onion Router,” download a free piece of software to their computer. Say a user wants to anonymously connect to a website. The software automatically directs him through a network of thousands of relay points, run mostly by volunteers. Traffic inside Tor is encrypted as it passes through various layers of the network—hence the onion metaphor. Once the user connects to the site, his data has been encrypted so many times, and he's been bounced around so many different relay points, that it's nearly impossible to know where he's located. Anyone can use Tor—drug traffickers, child pornographers, hackers, terrorists, and spies, all of whom have found it a viable means for achieving anonymity online and evading detection by law enforcement and intelligence agencies.

For six days in February 2012, the NSA joined forces with its British counterpart, the Government Communications Headquarters, and set up eleven “relays” in the Tor system. A relay, also known as a router or node, receives and directs traffic in a system. The government-installed relays were dubbed Freedomnet.

Trying to set up a spying station in Tor seemed like a better alternative than attacking the Tor nodes outright and taking them offline—although the NSA hackers considered that, according to a top-secret briefing document. They decided against it, since they couldn't always be sure whether a node was in the United States or abroad, and attacking equipment inside the United States posed a host of legal problems. Removing the nodes was also a foolhardy endeavor, since there are thousands of relays in Tor, and they could be brought back up in different locations. So, the NSA attempted to identify users once they were inside the network by tricking them into using its relay points. The NSA hackers also sent potential Tor users spear-phishing e-mails, messages that were designed to look as if they came from a trusted source—a friend, or someone in the users' contacts list—but that actually contained a virus or a link that would take the victim to a website where spyware was implanted.

The hackers also considered trying to “disrupt” the Tor system, according the briefing document titled “Tor Stinks.”
Maybe slow it down, or “set up a lot of really slow Tor nodes (advertised as high bandwidth) to degrade the overall stability of the network.” They contemplated making it harder or “painful” for someone to connect to Tor. The NSA would be like a gremlin, mischievously futzing with the machine.

The agency also tried to attack Tor users from outside the network, infecting or “tagging” computers with a kind of electronic marker as they went in and out of Tor. The NSA's hackers looked for different avenues to break in to computers that might be using the network—or might not. Once, they discovered a particular weak spot in a version of the Internet browser Firefox, which made it easier to tag computers using that browser. Never mind that the same weakness, if left unprotected, could be used to harm people who'd never heard of Tor and had no desire to cover their online footprints.

 

The NSA's anti-Tor campaign was exposed in 2013, through top-secret documents leaked by Edward Snowden. Those documents also revealed that the campaign was largely a failure. The NSA identified or located only a few dozen people using Tor. That was a testament to how well Tor worked. But the NSA's attacks were still a measure of just how far the agency would go to get an advantage over its adversaries, regardless of the costs. Given that the NSA can't always know the location of computers using Tor, it was almost certainly infecting computers used by Americans. Tor estimates that about four hundred thousand users are connecting directly to the system in the United States.

The NSA's tactics also put it at odds with US foreign policy. Over the past few years the State Department has given millions of dollars to support Tor and has encouraged its use by activists and dissidents abroad, including rebels in Syria fighting a grueling civil war to overthrow the strongman Bashar al-Assad. The NSA knew that the State Department was promoting Tor, and it attacked Tor anyway. The United States now has two competing and directly opposed policies: trying to prop up Tor and at the same time tearing it down.

Former NSA director Michael Hayden put the dilemma in particularly blunt, NSA-centered terms. “The Secretary of State is laundering money through NGOs to populate software throughout the Arab world to prevent the people in the Arab street from being tracked by their government,” he said in 2012 at a Washington think tank, before NSA's operations against Tor were disclosed. “So on the one hand we're fighting anonymity, on the other hand we're chucking products out there to protect anonymity on the net.”

US efforts to promote democracy and free access to the Internet are set back as a result of NSA's actions. “The United States government is incredibly large with lots of diverse programs . . . and the employees shouldn't all get lumped together as aligned with the NSA's view of the world,” says Dan Meredith, director of Radio Free Asia's Open Technology Fund, a private nonprofit that has received an annual grant from the United States for Internet anticensorship projects, including work with Tor. “You'll try to explain that to activists in Sudan, but they don't always take it that way. Sometimes I'll spend fifteen minutes with people trying to convince them that I'm not [a spy].”

 

The NSA doesn't work alone to undermine the Internet's key security and privacy pillars. Under a secret program called the SIGINT Enabling Project, it strikes deals with technology companies to insert backdoors into their commercial products.
Congress allocated $250 million for the project in 2013. Working in conjunction with the FBI, the NSA got inside knowledge about a feature in Microsoft's e-mail product, Outlook, that could have created obstacles to surveillance if left unaddressed.
The agency also got access to Skype Internet phone calls and chats as well as Microsoft's cloud storage service, SkyDrive, so that NSA analysts could read people's messages before they were encrypted.