The Hacked World Order

How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age

By Adam Segal


For more than three hundred years, the world wrestled with conflicts that arose between nation-states. Nation-states wielded military force, financial pressure, and diplomatic persuasion to create “world order.” Even after the end of the Cold War, the elements comprising world order remained essentially unchanged.

But 2012 marked a transformation in geopolitics and the tactics of both the established powers and smaller entities looking to challenge the international community. That year, the US government revealed its involvement in Operation “Olympic Games,” a mission aimed at disrupting the Iranian nuclear program through cyberattacks; Russia and China conducted massive cyber-espionage operations; and the world split over the governance of the Internet. Cyberspace became a battlefield.

Cyber conflict is hard to track, often delivered by proxies, and has outcomes that are hard to gauge. It demands that the rules of engagement be completely reworked and all the old niceties of diplomacy be recast. Many of the critical resources of statecraft are now in the hands of the private sector, giant technology companies in particular. In this new world order, cybersecurity expert Adam Segal reveals, power has been well and truly hacked.

Excerpt

Chapter 1

THE HACKED WORLD ORDER

Just as historians consider 1947 as the year that two clear sides in the Cold War emerged, we will look back at the year that stretches roughly from June 2012 to June 2013 as Year Zero in the battle over cyberspace. It was by no means the first year to witness an important cyberattack or massive data breach; those had arguably happened several times before. In the 1990s the United States used cyber weapons against Serbia, and in 2007 hackers stole credit and debit card information from at least 45 million shoppers at T.J.Maxx and Marshalls. In 2008 hackers, suspected to be working with the Russian intelligence services, breached the Pentagon’s classified networks. But it was in 2012 that nation-states around the world visibly reasserted their control over the flow of data and information in search of power, wealth, and influence, finally laying to rest the already battered myth of cyberspace as a digital utopia, free of conventional geopolitics. The assault on this vision was comprehensive, global, and persistent.

The conflict in cyberspace will only become more belligerent, the stakes more consequential. An estimated 75 percent of the world’s population now has access to a mobile phone, and the Internet connects 40 percent of the planet’s population, roughly 2.7 billion people. Information and communications networks are embedded in our political, economic, and social lives. Individuals and civil society now participate in global politics in new ways, but sovereign states can do astonishing and terrifying things that no collection of citizens or subjects can carry out. We will all be caught in the fallout as the great powers, and many of the lesser ones, attack, surveil, influence, steal from, and trade with each other.

YEAR ZERO: A TIMELINE

Year Zero began with a newspaper article. In June 2012, US officials leaked details of a computer attack on Iran’s nuclear program, code-named “Olympic Games,” that had begun under President George W. Bush. For years, the United States had been trying to stop Iran from building a bomb through diplomatic pressure and financial sanctions. Someone, probably the Mossad, Israel’s intelligence agency, had also been assassinating Iranian scientists: a remote-controlled bomb attached to a motorcycle killed Masoud Alimohammadi, a physics professor, just as he stepped outside his home in the north of Tehran. Cyberattacks formed a quieter, much less deadly component of this campaign.

The malware (malicious software) known as Stuxnet, allegedly developed by the United States in cooperation with Israel and first detected in 2010, surreptitiously slowed down and sped up the motors in Iranian centrifuges being used to enrich uranium and opened and closed valves that connected six cascades of centrifuges. Eventually the motors tore themselves apart, and Iran had to replace 1,000 damaged machines. As it was doing its damage, Stuxnet provided false feedback to operators so that they had no idea what was going on. The goal was to make the changes so imperceptible that the Iranians would think the destruction stemmed from bad parts, faulty engineering, incompetence, or all three. Ralph Langner, a German cybersecurity expert who was among the first to decode bits of Stuxnet, estimated that 50 percent of the malware’s development costs went into efforts to hide the attack. One US government official told the New York Times that Stuxnet aimed “to mess with Iran’s best scientific minds” and “make them feel they were stupid.”1

Although the Iranians admitted some infections of their computer systems, the ultimate strategic effect of the malware on their nuclear program remains unclear. Reza Taghipour, an official in Iran’s Ministry of Communications and Information Technology, downplayed the new weapon: “The effect and damage of this spy worm in government systems is not serious.” Some US government officials claimed that it set Iran’s nuclear program back eighteen months to two years; other technical experts said the attack did little to slow down Iranian efforts and in fact may have sped them up. As the Iranian scientists worked to get the centrifuges running properly, they made improvements in their performance and design that resulted in greater output.2

The time gained from the attacks may have been an important factor in bringing Iran back to the negotiating table and reaching a deal on its nuclear program in July 2015. The delay, even if only amounting to two years, gave the economic sanctions on the country more time to bite. The poisonous code was also useful in persuading Israel not to conduct airstrikes against Iranian facilities. In 2008, Israel reportedly asked the Bush administration for bunker-busting bombs it hoped to use against production and research sites hidden in mountainsides and buried underground. In rejecting the request, President Bush assuaged the Israelis by telling them that he had authorized the Olympic Games mission to sabotage Iran’s nuclear infrastructure.3

Whatever the impact on Iran’s nuclear program, Stuxnet was notable on two fronts. First, it was extremely sophisticated, “unprecedentedly masterful and malicious” in the words of one technical journal. The malware used five “zero days”—that is, unknown software vulnerabilities that allow an attacker to access a computer, router, or server; never having detected these flaws before, developers have zero days to fix or patch them. Zero days are valuable to both attackers and defenders. They can fetch six-figure prices on the black market, and so even an advanced attack deployed by a nation-state will usually use one, maybe two.

In addition, the computers that controlled the centrifuges were not connected to the Internet. Stuxnet had to jump this “air gap” and be delivered into the system, perhaps via a thumb drive or other portable device. Stuxnet was also configured to work only on a specific system. Although the malware spread widely—the total number of infections surpassed 300,000 in more than one hundred countries, including Australia, Brazil, Brunei, China, India, Indonesia, the Netherlands, and even the United States—it would activate only when it saw a configuration of a specific line of Siemens programmable logic controllers, and it would destroy centrifuges only when it saw it was on a computer at Natanz, Iran’s primary enrichment facility.4

Stuxnet was only one of the sophisticated tools at the United States’ and Israel’s disposal. Two other programs, Flame and Duqu, appear to have been part of Operation Olympic Games, designed to gather intelligence on computer networks in Iran and other Middle Eastern countries. Flame, for example, searched a computer for keywords on top-secret PDF files, then made and transmitted a summary of the document, all without being detected.

Stuxnet’s complexity put it out of the reach of individual hackers and pointed to the involvement of a nation-state intending to do physical damage to a target. This parentage is Stuxnet’s second noteworthy characteristic, and it represented a strategic sea change. As Michael V. Hayden, former chief of the Central Intelligence Agency (CIA), put it, “Somebody crossed the Rubicon.” Before Stuxnet, computer code had served primarily to steal or destroy data on other computers; now it was causing equipment to malfunction. It was creating physical outcomes. Yet, unlike with conventional or even nuclear weapons, the effects and rules of cyber weapons were largely unknown. There was no understanding of the consequences Stuxnet might unleash, though there was fear that the same type of weapons might eventually target the United States. “If you are in the glass house, you should not be the one initiating throwing rocks at each other,” Gregory Rattray, now an information security specialist at JPMorgan Chase, said at a 2012 conference. “We will have rocks come back at us.”5

Stuxnet made it clear that the United States was committed to developing offensive capabilities. At a time when the rest of the defense budget faced severe cuts, Pentagon officials announced increased funding for the development of cyber capabilities, along with drones and special operations. Ashton Carter, then deputy secretary of defense, told a gathering of cybersecurity experts in San Francisco in February 2012, “No moment in all those [budget] deliberations was it even considered to make cuts in our cyber expenditures . . . ships, planes, ground forces, lots of other things on the cutting room floor; not cyber.” The number of cyber warriors assigned to US Cyber Command, the command center for the Pentagon’s cyber operations, was quintupled from 900 to 4,900 troops. And in late 2012, the Pentagon unveiled Plan X, an effort to build on programs like Stuxnet and develop the offensive capabilities needed to “dominate the cyber battlespace.” Regina Dugan, head of the Defense Advanced Research Projects Agency, laid out a roadmap: “In the coming years we will focus an increasing portion of our cyber research on the investigation of offensive capabilities to address military-specific needs.”6

Iran did not simply sit back—it hit back with its own cyberattacks. Between September 2012 and June 2013, an activist group called Izz ad-Din al-Qassam Cyber Fighters took credit for roughly two hundred distributed denial-of-service (DDoS) attacks on almost fifty financial institutions, including SunTrust, JPMorgan Chase, CitiGroup, Wells Fargo, U.S. Bancorp, Capital One, PNC, and HSBC. Compared to Stuxnet, DDoS attacks are unsophisticated: they are like protestors blocking access to a government office. Stuxnet was analogous to a Tomahawk cruise missile launched from 1,000 miles away blowing that office up. In a DDoS attack, hackers use thousands of computers or servers to flood a website with so much data that it can no longer respond. Security researcher Graham Cluley put it more colorfully: “It’s a bit like 15 fat men trying to get through a revolving door at the same time—nothing can move.”7

Over time the attacks grew more complex. The amount of data flooding websites grew massively. It cost one bank close to $10 million to get back online. Izz ad-Din al-Qassam claimed it was acting independently and in retaliation for “Innocence of Muslims,” an anti-Islam video made by a California resident and uploaded on YouTube, but behind the scenes US government officials and outside experts blamed Iran.

In August 2012, the Shamoon malware struck Saudi Aramco, Riyadh’s state oil giant. This was a qualitatively different type of attack, involving the destruction of data. Shamoon corrupted tens of thousands of hard drives and shut down employee e-mail; the company had to replace 30,000 computers in order to rid its networks of the malware. Saudi Aramco supplies about a tenth of the world’s oil, but the malware only damaged office computers and did not affect systems involved with technical operations. “All our core operations continued smoothly,” CEO Khalid Al-Falih told Saudi government and business officials. The company managed to put its networks back online almost two weeks after the attack. A subsequent attack damaged Rasgas, a joint venture between Qatar Petroleum and ExxonMobil and the second-biggest producer of liquefied natural gas in the world. Again, data was destroyed, but production continued.8

As with the attacks on the banks, a proxy was involved. A group calling itself the Cutting Sword of Justice claimed responsibility, but US officials believed Iran was behind the attacks. Not only was there motive, but Iran had a few years earlier announced its intent to develop cyber forces. Hossein Mousavian, a former Iranian diplomat, told an audience at Fordham Law School, “The U.S., or Israel, or the Europeans, or all of them together, started war against Iran. . . . Iran decided to have . . . to establish a cyberarmy, and today, after four or five years, Iran has one of the most powerful cyberarmies in the world.”9

The Shamoon attack on Saudi Arabia seriously spooked the US government. Secretary of Defense Leon Panetta called it “a significant escalation of the cyber threat.” In a speech in October 2012 at the Intrepid Sea, Air, and Space Museum, Panetta warned a group of business executives of a potential “cyber Pearl Harbor.” Computer hackers could gain control of “critical switches,” he cautioned, and “derail passenger trains, or even more dangerous, derail trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.” President Barack Obama echoed this threat in his State of the Union address, stating, “Our enemies are . . . seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”10

Ironically, the Shamoon attack showed that Iran was learning from Israel and the United States. In April 2012, an aggressive piece of code, known as Wiper, had attacked the Iranian Oil Ministry and the National Iranian Oil Company and erased hard drives, removing any trace of itself. A year later, General Keith Alexander, director of the National Security Agency (NSA) and commander of US Cyber Command, left Fort Meade for a meeting with his counterpart in the United Kingdom’s Government Communications Headquarters (GCHQ). Talking points, prepared for the meeting with Sir Iain Robert Lobban and leaked by former NSA employee Edward Snowden, claimed Iran had “demonstrated a clear ability to learn from the capabilities and actions of others.” In other words, Shamoon had been possible in part because of Wiper.11

Even as Iran and the United States were trading blows in cyberspace, China-based hackers were continuing a massive cyber theft campaign against technology firms in the United States, Japan, and Europe. For years, Chinese hackers had raided defense contractors and the Pentagon, stealing secrets from dozens of weapons programs, including the Patriot missile system, the F-35 Joint Strike Fighter, and the US Navy’s new littoral combat ship. They gradually expanded their attention to technology companies, financial institutions, law firms, think tanks, and the media. In July 2012 General Alexander called these and other economic espionage cyberattacks on American companies the “greatest transfer of wealth in history” and estimated that American companies had lost $250 billion in stolen information and another $114 billion in related expenses.12

During Year Zero, I probably received e-mails about twice a month that appeared to come from my boss, Richard Haass, president of the Council on Foreign Relations (CFR). The messages usually contained an attachment and a short message like, “I thought you might be interested in President Obama’s schedule for his upcoming trip to Asia.” I deleted them straightaway. Immediately erasing e-mails from your boss may not sound like the best way to get ahead professionally, but it was the safest thing to do. Glancing at the sender’s e-mail address, I saw that it was something like Hass.Richard@yahoo.com or President CFR@gmail.com. Neither of these is Richard’s e-mail address.

These e-mails, probably from China-based hackers, are known as spear-phishing attacks. E-mails are made to look like they come from someone you know (hackers may study job titles on your company’s website or your social networks on Facebook, LinkedIn, or Twitter) and craft a subject line designed to be of interest to you. The e-mails often arrive in the morning, before you have had your first cup of coffee. Attackers may send one just before a long weekend, knowing the recipient will want to get any work out of the way before leaving the office. Opening an attachment or clicking on a link downloads software that allows attackers to gain control of your computer. They then gradually expand their access and move into different computers and networks, sending files back to computers in China or elsewhere. In some instances, the hackers use the computer’s microphone and camera to record entire meetings.
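A defender’s check for the lookalike-sender pattern described above (a colleague’s display name paired with a free-mail address, or a misspelled version of their name in the mailbox), as an added example that is not from the book: the contact directory, the domain example-cfr.org and the mailbox names are constructed placeholders, not CFR’s real addresses.

```python
"""
Flag From: headers that imitate a known colleague, such as the
"Hass.Richard@yahoo.com" and "President CFR@gmail.com" lookalikes
quoted in the excerpt.  Added example; not code from the book or CFR.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed contact directory: normalized display name -> expected address.
# The domain "example-cfr.org" and the mailbox are hypothetical placeholders.
KNOWN_CONTACTS = {"richard haass": "rhaass@example-cfr.org"}
TRUSTED_DOMAINS = {"example-cfr.org"}
# Tokens that name the organization; suspicious when they appear in a
# mailbox on a consumer provider (e.g. "President.CFR@gmail.com").
ORG_KEYWORDS = {"cfr"}
# Consumer mailbox providers a real executive would not send work mail from.
FREEMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}


@dataclass
class Verdict:
    sender: str
    suspicious: bool = False
    reasons: list = field(default_factory=list)


def _tokens(text: str) -> list:
    """Lower-case, split on dots, underscores and spaces, drop empties."""
    return [t for t in text.lower().replace(".", " ").replace("_", " ").split() if t]


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> Verdict:
    """Return a Verdict listing every reason a From: header looks like impersonation."""
    display_name, addr = parseaddr(from_header)
    verdict = Verdict(sender=from_header)
    if "@" not in addr:
        verdict.suspicious = True
        verdict.reasons.append("address could not be parsed")
        return verdict
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()

    # 1. Display name of a known colleague paired with a different address.
    expected = KNOWN_CONTACTS.get(" ".join(_tokens(display_name)))
    if expected and addr.lower() != expected.lower():
        verdict.reasons.append(
            f"display name matches a known contact but address is {addr}, expected {expected}")

    if domain not in TRUSTED_DOMAINS:
        local_tokens = _tokens(local)
        # 2. Mailbox name that is a near-miss of a known contact's name,
        #    tolerant of token reordering ("Hass.Richard" vs "Richard Haass").
        candidate = "".join(sorted(local_tokens))
        for contact in KNOWN_CONTACTS:
            target = "".join(sorted(contact.split()))
            if _edit_distance(candidate, target) <= max(1, len(target) // 5):
                verdict.reasons.append(
                    f"mailbox '{local}' is a near-miss of known contact '{contact}' on untrusted domain {domain}")
        # 3. Organization keyword in a free-mail mailbox name.
        if domain in FREEMAIL_DOMAINS and ORG_KEYWORDS & set(local_tokens):
            verdict.reasons.append(f"organization keyword in free-mail address {addr}")

    verdict.suspicious = bool(verdict.reasons)
    return verdict


if __name__ == "__main__":
    # Constructed headers modelled on the lookalikes quoted in the excerpt.
    for hdr in ("Richard Haass <Hass.Richard@yahoo.com>",
                "President CFR <President.CFR@gmail.com>",
                "Richard Haass <rhaass@example-cfr.org>"):
        v = check_sender(hdr)
        print("SUSPICIOUS" if v.suspicious else "ok        ", hdr, v.reasons)
```

The near-miss threshold (one edit per five characters of the contact’s name) is a tuning choice; a mail gateway would pair this with SPF/DKIM results rather than rely on the mailbox string alone.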

Chinese hackers used this type of attack against the New York Times sometime at the end of 2012 as the paper’s journalists were preparing a story on the massive wealth allegedly accumulated by the family of former prime minister Wen Jiabao. The hackers targeted reporters’ passwords and accounts. Soon after, Bloomberg, which published a similar story on the wealth of the family of Xi Jinping, China’s top leader, admitted that it also had been hacked. In February 2013, Mandiant, a private security company formed by former US Air Force officer Kevin Mandia, published a report naming Unit 61398 of the 3rd Department of the People’s Liberation Army as responsible for the attacks on the New York Times and others. In attributing the digital assault, a private company had acted like a national intelligence agency.13

The hacking became a major irritant for Washington and Beijing. Not wearing ties and taking a more relaxed attitude toward protocol, Presidents Obama and Xi met for a two-day “shirt sleeve” summit in California in June 2013 in the hope of building a personal relationship and stemming the growing distrust that seemed inevitable between the world’s superpower and a rising China. Despite all of the efforts at diplomatic bonhomie, President Obama told Charlie Rose that they had had “a very blunt conversation about cybersecurity” and that he had warned President Xi that hacking could “adversely affect the fundamentals of the US-China relationship.” And so, in the twelve months between June 2012 and June 2013—the period between the first publicly admitted cyberattack by a nation-state and the summit between Obama and Xi—cyberattacks had gone from a discreet and veiled activity to a public strategy with the capacity to upend what many consider the most important bilateral relationship of the twenty-first century. The hacked world order was in full public view.14

Year Zero culminated with the revelations of former NSA contractor Edward Snowden. Two days before Presidents Obama and Xi met in Sunnylands, California, the British newspaper the Guardian published the first report on what would be a massive, years-long leak about the National Security Agency and allied surveillance programs. Despite numerous public assurances from officials that the government did not gather information on US citizens, the leaks would expose the collection of American users’ cell phone metadata—what number is called, what time the call is made, and the duration of the call, but not the content. Through a program called PRISM, the NSA was able to demand access, under Section 702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008, to data of non-US citizens stored at most of the American technology giants, including Google, Apple, Facebook, and Microsoft. This gave the NSA the ability to collect and analyze the e-mails, texts, chats, phone calls, Facebook posts, tweets, and documents of people worldwide. Through a process the NSA calls upstream collection, it taps directly into the cables and networks passing through the United States. Huge amounts of data traveling across AT&T, Verizon, and other networks are copied, and then the data of non-US citizens are selected for analysis based on certain government criteria. But the process of targeting foreign communications results in the incidental collection of the data of ordinary users, which the NSA can store and analyze later.

NSA reportedly spied on adversaries and friends alike, tracking Somali terrorists and breaking into Chinese networks, but also hacking the European Union’s offices in New York, Washington, DC, and Brussels, bugging the computer hard drives of the Indian embassies in Washington and New York, and listening to the calls of Brazilian president Dilma Rousseff, German chancellor Angela Merkel, and at least thirty other world leaders.

These leaks unsettled foreign relations and impacted the geopolitics of cyberspace. Tensions between Washington and Moscow grew when Russia granted limited asylum to Snowden after he fled to Sheremetyevo International Airport. The revelations of a widespread American surveillance program vitiated Obama’s criticism of Chinese economic espionage. As the state-owned Xinhua news agency put it, the leaks “demonstrate that the United States, which has long been trying to play innocent as a victim of cyber-attacks, has turned out to be the biggest villain in our age.” Relations with Germany and Brazil, important partners, soured. President Dilma Rousseff canceled her planned summit with Obama and used her speech to the United Nations General Assembly in September 2013 to rebuke the United States, calling the activities a “grave violation of human rights and of civil liberties.”15

China, Russia, and a host of developing countries have used the US surveillance programs to buttress their argument that the Internet should be brought under the supervision of the United Nations. Typically, the United States has promoted itself as the champion and protector of a borderless, global Internet, one that guarantees the right of all people to express themselves freely wherever they are. Not only do the surveillance programs undercut Washington’s criticism of authoritarian states, but for Pratap Bhanu Mehta, one of India’s most respected commentators, they imply that Washington feels free to “violate the privacy rights of citizens of other countries without just cause.”16

In the long run, Snowden’s revelations may also make the Internet notably less American. There is no escaping demographics. More than 650 million Chinese and 350 million Indians use the Internet, and hundreds of millions will come online in both countries over the next two decades. But the spying revelations have accelerated the desire of others, including US allies, to reduce their dependence on American technology and Internet companies.

THE WORLD ORDER TODAY

Henry Kissinger, the clarion voice for great power politics, argues in World Order that “cyberspace challenges all historical experience.” He later continues, “When individuals of ambiguous affiliation are capable of undertaking actions of increasing ambitions and intrusiveness, the definition of state authority may turn ambiguous.” In addition, Kissinger is markedly pessimistic about the impact of the Internet on strategy and decision-making; information, in his view, has eclipsed knowledge and wisdom. Previously, leaders had time to reflect and the ability to distinguish between what they could and could not control. Kissinger fears that now all problems are something to research on the web rather than to deliberate over carefully and place within a historical context.17

The twenty-first-century hacked world order is markedly more complex than that of the burgeoning Cold War in 1947. Then, mountains, rivers, and walls divided friends from enemies. Physical space matters much less in the cyber age, when attackers can act from anywhere with access to a modem or a smartphone. Hackers in Russia can use the Internet to attack neighboring Estonia or the United States nearly 5,000 miles away. For policymakers and the public shortly after the end of World War II, conventional power was relatively easy to chart as a share of world gross domestic product (GDP) and military spending. Now there is an uncertainty about how to measure cyber power. Does economic power stem from producing software, hardware, and content, or can a country specialize in one high-value area? Unlike long-range bombers and missiles, cyber weapons cannot be counted, and it is unclear whether it is better to have a large corps of cyber troops or, given the importance of creativity and skill, a smaller number of elite hackers.

During the Cold War, only a few countries had the economic and technological capacity to build nuclear bombs. Even today, only nine countries possess them, and terrorist groups are likely to acquire them only through theft. The general contours and capabilities of each nuclear power’s arsenal are well known. Should these weapons ever be used, the attacker’s identity would be known before the missiles landed. And the development of so-called secure second-strike capabilities—that is, the ability to respond to a nuclear attack in kind—greatly diminished the incentive to attack first in a crisis. With nuclear parity, neither Washington nor Moscow could launch a nuclear strike without being destroyed in return, or, as the rule went, “whoever shoots first, dies second.”

But almost any country as well as skilled hacking groups can launch a digital assault. Admiral Michael Rogers, General Alexander’s successor as director of the NSA and head of US Cyber Command, told a House Armed Services subcommittee in March 2015, “We foresee increased tensions in cyberspace. The cyber strife that we see now in several regions will continue and deepen in sophistication and intensity.” Approximately twenty-nine countries have formal military or intelligence units dedicated to offensive operations, and forty-nine have purchased off-the-shelf malware; those numbers are increasing every year, though it is difficult to understand the balance of forces and the risk of conflict. As Andre McGregor, a former cyber special agent at the Federal Bureau of Investigation (FBI), says, “With some countries, we’re comfortable with knowing what their capabilities are, but with other countries we’re still lost.”18

There may be strong incentives to attack first in a crisis: cyber weapons are “one and done,” used once and then they are gone. Once your adversaries see what you can do, they will patch their defenses, or could attack you, making your cyber weapon obsolete before you ever use it. This pressure not to sit on a weapon heightens strategic instability.

The global and interconnected nature of the Internet also means that cyberattacks have the potential to produce unpredicted and inadvertent problems far beyond damage to the intended target. Once set loose, malware can be examined, repurposed, and used by the target or someone else; for instance, hacker websites now make Stuxnet available for download. And unlike nuclear technology, which remained the province of a very small group of scientists and engineers, information and communication technologies are ubiquitous and rapidly changing. Territorial boundaries, once clear and constant, are now relatively less useful markers. The United States and its North Atlantic Treaty Organization (NATO) allies prepared to meet a Soviet tank invasion at the Fulda Gap, a corridor at the border between East and West Germany, but today attackers can route computer attacks through several networks from bases on the other side of the world, inside friendly countries, or even inside the target country.

  • "[Adam Segal] gives us plenty of reasons to wonder how long global powers will keep from going 'nuclear' in cyberspace."--Wall Street Journal

  • "Segal examines numerous instances of cyberwar, some of which may come as news to readers... Netizens and white-hat programmers will be familiar with Segal's arguments, but most policymakers will not--and they deserve wide discussion."--Kirkus Reviews

On Sale: Sep 26, 2017
Page Count: 384 pages
Publisher: PublicAffairs
ISBN-13: 9781610398725

About the Author

Adam Segal is the Ira A Lipman Chair in Emerging Technologies and National Security and Director of the Digital and Cyberspace Policy Program. His work has appeared in the Financial Times, Economist, Foreign Policy, Wall Street Journal, and Foreign Affairs, among others.
