@War: The Rise of the Military-Internet Complex by Shane Harris - A Book Review
Posted on May 12, 2024 • 20 minutes • 4091 words
The Book and the Author
The author, Shane Harris, is a reporter for The Washington Post who covers intelligence and national security issues. In his book, published in 2014, he explains the historical roots of current warfare in cyberspace, which has come to be recognised as the fifth domain of warfare alongside the conventional four: land, sea, air, and space. Because of the asymmetry of this domain, a relatively low-income country can invest in information technology infrastructure, develop its own malicious software, and launch cyber attacks against a high-income country that it could never confront in conventional military warfare.
The political shift in the allocation of resources from counter-terrorism to cyber threats is a crucial turning point for the US and the world. The author shows that shift from a political perspective and explains the background of the issues. Whether we accept it or not, nation-states are still the main actors in cyberspace, and there is a rising trend of seeking power in that domain for political purposes.
I want to quote some passages from the text that caught my attention.
Citations from the book
Now the government was sharing it with companies under strict secrecy rules. The recipients were not to disclose that they’d received the threat signatures, and they were to keep the Pentagon apprised of any incursions into their own networks. (p.14)
In October 2012 then defense secretary Leon Panetta warned that the United States was on the verge of a “cyber Pearl Harbor: an attack that would cause physical destruction and the loss of life, that would paralyze and shock the nation and create a profound new sense of vulnerability.” Five months earlier President Barack Obama wrote in a newspaper editorial that the wars of the future would be fought online, where “an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home.” (p.14)
The military now calls cyberspace the “fifth domain” of warfare, and it views supremacy there as essential to its mission, just as it is in the other four: land, sea, air, and space. (p.16)
Indeed, cyber warfare—the combination of spying and attack—was instrumental to the American military victory in Iraq in 2007, in ways that have never been fully explained or appreciated. The military, working with US intelligence agencies, used offensive cyber techniques (hacking) to track down people in the physical world and then capture or kill them. (p.16)
Government officials prefer to talk publicly about defense, which is a strategic and a cynical calculation: it’s easier to drum up funds and political support for repelling invaders than it is for building a cyber army to attack and spy on other countries. (p.18)
In the months leading up to the 2003 invasion, military leaders had called off a planned cyber strike on Iraq’s banking system for fear the malware might migrate from Iraqi computer networks to those used by banks in France. … The risk of collateral damage from cyber weapons was great. (p.25)
In exchange for the federal government granting the company a license to operate in the United States, they had to sign a contract that guaranteed US intelligence agencies uninterrupted access to the networks, so that phone calls could be logged and recorded. (p.29)
The stealthiest of all US hackers, they were also the rarest—only a few hundred worked for TAO, and many of them had undergone years of NSA-devised training, sometimes through colleges and universities where the spy agency had helped write the curriculum. (p.36)
Under current law, if the agency wanted to capture a foreign terrorist’s e-mail, it might have to get a warrant if that e-mail was stored on a server located in the United States. (p.40)
Also among the developers was one of the most enigmatic spies of the late twentieth century, a retired air force colonel named Pedro “Pete” Rustan. His storied and secretive career gave some insight into how important the RTRG was to intelligence and military leaders such as Alexander and Petraeus, who believed it would be pivotal to the war in Iraq. (p.47)
In the 1980s, Rustan designed technology to protect air force jets that were hit by lightning. …When Rustan died in 2012, Michael Hayden told the Washington Post, “This is the kind of guy the public never hears about but who is so responsible for keeping Americans safe.” (p.48)
Success may have many fathers, but if one person could claim credit for introducing the senior leaders of the United States government to the concept of cyber warfare, it would be Mike McConnell. (p.52)
That year the secretary of defense ordered all DOD components to start planning for an “information warfare attack” on the networks that the Pentagon used but didn’t actually run, particularly the public telephone network and the Internet, of which the Defense Department was not only an early adopter but the inventor. (p.52)
“Intelligence operatives wish to protect their sources and methods,” wrote one anonymous NSA author. (p.53)
But when the NSA tapped that equipment for foreign intelligence purposes, it shouldn’t need a warrant, he argued—it wasn’t spying on any Americans, after all. (p.55)
In August 2007, Democrats, who believed they’d been backed into a corner by McConnell and the White House, reluctantly signed on to the bill. Just over a month later the NSA ramped up a new collection system, called Prism, which obtained large numbers of e-mails and other Internet communications from US companies. (p.56)
Later, in a private meeting with Bush, Obama learned that the president had authorized a covert set of cyber attacks on an Iranian nuclear facility, using the computer worm that later came to be known as Stuxnet. (p.57)
Researchers generally credit Stuxnet with destroying one thousand centrifuges between 2009 and 2010. This was only about 20 percent of the total number operating at the plant, and the Iranians had more centrifuges in reserve to replace the damaged equipment. But Obama administration officials have said that Stuxnet set back Iran’s weapons program by up to two years. That’s precious and valuable time if, as appears to be the case, Stuxnet was designed to forestall a war, not to start one. (p.58)
Obama didn’t say that foreign hackers had actually turned off the lights in the United States. But privately, some intelligence officials claimed that Chinese hackers were responsible for two major blackouts, in 2003 and 2008. The first blackout was the largest in North American history, covering a 93,000-square-mile area including Michigan, Ohio, New York, and parts of Canada. An estimated 50 million people were affected. The ensuing panic was so severe that President Bush addressed the nation to assure people the lights would come back on. Within twenty-four hours, power was mostly restored. (p.63)
Alexander, who became the Cyber Command chief in 2010, called rampant Chinese industrial espionage “the greatest transfer of wealth in history.” (p.64)
A virus or worm designed to attack a power plant in Iran must not be allowed to destroy a plant in China. “We don’t want to start World War III,” says Ann Barron-DiCamillo, a senior official at the Homeland Security Department who works with the Defense Department to coordinate responses to cyber attacks in the United States. (p.67)
The military has three principal cyber war missions. The first mission, and the largest force, runs and defends the military’s networks around the world. (p.67) The second of the military’s cyber missions is supporting the armed forces in combat. (p.69) The third mission is protecting the United States itself, using what the military calls the Cyber National Mission Force. (p.70)
The protection forces would really earn their stripes in the event of a full-scale war, when a US adversary would bring out its most sophisticated cyber weapons and best warriors in order to disable the military’s command-and-control networks or corrupt information inside them. (p.68)
About 90 percent of the air force’s cyber force (which consisted of approximately 12,600 people in 2013) works on defense. (p.72)
First, offense is a lot harder than defense. The tools and principles to do both are essentially the same in many ways. But asking a defender to go out and break in to a highly protected. (p.72)
Joe Stewart, director of malware research at Dell SecureWorks, has tracked twenty-four thousand Internet domains that he believes Chinese cyber spies have either rented or hacked and use as bases of operations against the US government and American companies, he told Bloomberg Businessweek in 2013. (p.74)
Encrypted information is harder to read, but not impossible. Part of the NSA’s mission, after all, is code breaking, and it’s been the best in the business for more than sixty years. (p.80)
US intelligence officials and some lawmakers have suspected for years that Huawei is a proxy for the Chinese military and intelligence services. (p.80)
Intelligence agencies, under US law, are allowed to engage in covert operations that violate other countries’ laws and sovereignty and are designed to obscure the United States government’s involvement. (p.84)
NIST works through an open, transparent process, which allows experts to review the standard and submit comments. That’s one reason its endorsement carries such weight. (p.96)
Compromising the number generator, in a way that only the NSA knew, would undermine the entire encryption standard. (p.96)
When news of the NSA’s efforts broke in 2013, in documents released by Edward Snowden, RSA and NIST both distanced themselves from the spy agency—but neither claimed that the backdoor hadn’t been installed. (p.97)
Many observers have speculated that the existing technique was disfavored by NSA because it was, in fact, more secure than the NSA-proposed algorithm. (p.99)
Today the NSA is widely believed by security experts and government officials to be the single largest procurer of zero day exploits, many of which it buys in a shadowy online bazaar of freelance hackers and corporate middlemen. (p.101)
Raytheon and Harris Corporation are two major players in the zero day market. They also design traditional weapons systems for the military and are two of the best-established and largest Pentagon contractors. (p.101)
The ingenious ability to suss out such an obscure, barely discernible flaw is what separates good hackers from great ones and leads to the discovery of zero days. (p.102)
And more complicated exploits, such as those that rely on flaws in the internal mechanics of a piece of hardware, can cost millions. Those exploits are so expensive because they target the engineering of the machine itself, which cannot be patched in the way software can, with new lines of code. (p.102)
The NSA has stored more than two thousand zero day exploits for potential use against Chinese systems alone, according to a former high-ranking government official who was told about the cache in a classified meeting with NSA officials. (p.102)
…computer worm, which the United States built in conjunction with Israel to disable the Iranian nuclear facility, contained four zero day exploits, which is itself a lot for one attack. A collection of two thousand zero day exploits is the cyber equivalent of a nuclear arsenal. (p.103)
Vupen admits that it has no way of ensuring that those who buy its zero day subscription plan or choose a weapon from its catalog won’t turn around and give it to people Vupen might never sell to directly. (p.104)
But if there is ever a cyber attack on the United States that results in significant physical damage, or causes widespread panic—or deaths—the agency will be called to account for its failure to prevent that disaster. (p.104)
“We don’t sell weapons, we sell information,” the founders of exploit seller ReVuln told a reporter for Reuters, when he asked whether the company would be troubled if some of their programs were used in attacks that destroyed systems or caused people to die. (p.105)
Charlie Miller, a former NSA employee famous for finding hard-to-detect bugs in Apple products, including the MacBook Air and the iPhone, went to work for Twitter. (p. 107)
Google employees say their biggest competition on the zero day gray market is the NSA. It’s buying up zero days faster than anyone else, and paying top dollar. (p.108)
For $1.5 million, customers have access to a database that shows the physical location and Internet addresses of hundreds of millions of vulnerable computers around the world. (p.109)
“Bonesaw is the ability to map basically every device connected to the Internet and what hardware and software it is,” an Endgame employee told a reporter. (p.109)
And to the extent that Chinese cyber spies are supported by the Chinese military, an American firm could end up launching a private cyber war against a sovereign government. (p.111)
Fick wrote a memoir of his combat experience and was profiled in another book, Generation Kill, which was made into a miniseries for HBO. (p.112)
Even Microsoft’s lawyers, who included a former US attorney, acknowledged that they’d never considered using alleged violations of common law to obtain permission for a cyber attack. (p.123)
A former NSA official says that in his estimation, the best private security firms today are run by former “siginters,” and are using not just electronic intelligence but also human sources. (p.125)
…all the things that Conlon was trained to do for the NSA, he can now do for corporations. (p.126)
In 2013 the network-equipment giant Cisco agreed to buy Sourcefire for $2.7 billion in cash, in a transaction that reflected what the New York Times called “the growing fervor” for companies that defend other companies from cyber attacks and espionage. After the acquisition was announced, a former military intelligence officer said he was astounded that Cisco had paid so much money for a company whose flagship product is built on an open-source intrusion detection system called Snort, which anyone can use. (p.126)
One in particular—the phrase or series of letters and numbers that the victim used to start an encryption program called Pretty Good Privacy. (p.127)
…Data Intercept Technology Unit, but insiders refer to it as the DITU (pronounced “DIH-too”). It’s the FBI’s equivalent of the NSA, a signals intelligence operation that has barely been covered in the press and mentioned in congressional testimony only a few times in the past fifteen years. (p.127)
For instance, on behalf of the NSA, it worked with Microsoft to ensure that a new feature in Outlook that allowed users to create e-mail aliases would not pose an obstacle to surveillance. The arrangement helped the government circumvent Microsoft’s encryption and ensure that Outlook messages could be read by government analysts. (p.129)
Normally, it’s the FBI’s job to collect evidence for use in criminal prosecutions. But when it comes to cyber security, the FBI has moved away from that law enforcement mission and is acting more like an intelligence agency. It’s less concerned with taking hackers to court than in forecasting and deterring future attacks. (p.130)
“When information comes from FISA, it’s not being used in a criminal prosecution. So, why are we collecting it? I scratch my head at that,” the senior law enforcement official says. “At some point, we’re no longer driving an investigation. We’re just collecting intelligence.” Put another way, the FBI is spying. (p.132)
And the bureau infiltrated the computers of the hacker collective Anonymous, found its target lists, and warned the people on them. (p.133)
Does any of this intelligence actually stop attacks from happening? “I definitely saw prevention,” the former official says, in the form of software patches applied, particular IP addresses blocked from connecting to corporate computer networks, or improvements in basic security practices such as using longer or harder-to-guess passwords, which even sophisticated companies sometimes fail to do. (p.133)
In early December 2011, George Friedman, CEO of the private intelligence company Stratfor, got a call from Fred Burton, his senior vice president for intelligence and a former counterterrorism specialist with the State Department. Burton told Friedman that the company’s website had been hacked, and that credit card information for subscribers to its various reports about world affairs and international relations had been stolen. Those numbers had not been encrypted, a basic security measure the company had failed to take. The next morning, according to an account Friedman later wrote, he met with an agent from the FBI, “who made clear that there was an ongoing investigation and asked for our cooperation.” (p.134)
Stratfor employs former government personnel, but it’s a private company that generates reports and analysis not unlike many consulting firms or even news organizations. (p.135)
The bureau told Monsegur to persuade Hammond and his fellow hackers that they should transfer information from Stratfor to another computer, which was secretly under the FBI’s control. (p.135)
The Buckshot Yankee operation became the catalyst for establishing US Cyber Command, a single entity that oversaw all of the military’s efforts to defend against virtual attacks on their systems, and to initiate their own. (p.150)
That would be in keeping with Alexander’s pattern of trying to frighten government officials about the cyber threat, and then assure them he was the one who could keep the bogeymen at bay. (p.152)
A generation ago, spies had to rifle through people’s garbage and trail them on the street to get those details. (p.155)
At NSA the plan became known as Tranche 2. Operators of “critical infrastructure”—which could be broadly defined to include electrical companies, nuclear power plant operators, banks, software manufacturers, transportation and logistics companies, even hospitals and medical device suppliers, whose equipment could be hacked remotely—would be required by law or regulation to submit the traffic to and from their networks for scanning by an Internet service provider. The provider would use the signatures supplied by the NSA to look for malware or signs of a cyber campaign by a foreign government. (p.157)
In the summer of 2009, Pentagon officials drafted an “execute order” that would allow the military to launch a counterstrike on computers sending malicious traffic not just to a military system but also against privately owned critical-infrastructure facilities, such as electrical power stations. (p.158)
Alexander even invoked the Maginot Line, the long stretch of concrete fortifications France built along its border with Germany in the 1930s, suggesting that the United States risked being overrun if it focused its defense purely on strategy and underestimated the cunning of their enemies. (The Nazis overcame the line by going around it, a move the French hadn’t planned for, and ultimately conquered the country in six weeks.) (p.162)
After Google’s declaration, it was easier for other companies to admit they’d been infiltrated by hackers. After all, if it happened to Google, it could happen to anyone. (p.171)
Shortly after the China revelation, the government gave Sergey Brin, Google’s cofounder, a temporary security clearance that allowed him to attend a classified briefing about the campaign against his company. Government analysts had concluded that the intrusion was directed by a unit of the People’s Liberation Army. (p.174)
“I personally know of one CEO for whom [a private NSA threat briefing] was a life-changing experience,” Richard Bejtlich, Mandiant’s chief security officer, told NPR. “General Alexander sat him down and told him what was going on. This particular CEO, in my opinion, should have known about [threats to his company] but did not, and now it has colored everything about the way he thinks about this problem.” (p.177)
The NSA helps the companies find weaknesses in their products. But it also pays the companies not to fix some of them. Those weak spots give the agency an entry point for spying or attacking foreign governments that install the products in their intelligence agencies, their militaries, and their critical infrastructure. Microsoft, for instance, shares zero day vulnerabilities in its products with the NSA before releasing a public alert or a software patch, according to the company and US officials. Cisco, one of the world’s top network equipment makers, leaves backdoors in its routers so they can be monitored by US agencies, according to a cyber security professional who trains NSA employees in defensive techniques. (p.178)
Companies that promise to disclose holes in their products only to the spy agencies are paid for their silence, say experts and officials who are familiar with the arrangements. (p.178)
The department has made the schedule and agendas of some of these meetings public, but it doesn’t disclose the names of companies that participated or many details about what they discussed. (p.179)
Again, the company refused. It took another ten years and the sale of the company, but Qwest’s networks are now a part of the NSA’s extended security apparatus. (p.181)
But at the height of the Cold War, the CIA allegedly installed malicious software in equipment used on a Siberian pipeline that exploded in 1982. (p. 183)
Companies would be encouraged to adopt security standards and practices developed by the National Institute of Standards and Technology, which consulted with a broad range of industry experts and the intelligence agencies. (p.185)
Shell, Schlumberger, and other major companies have sent their employees fake spear-phishing e-mails with pictures of cute cats and other enticements. (p.186)
…in order to attack a facility, the intruder needs to map it out and understand its weak spots. (p.186)
In 2009, American oil companies were hit by a wave of cyber intrusions that stole information on oil deposits the companies had discovered around the world, according to the security firm McAfee. (p.188)
By one estimate, the flow was several times larger than what Russia had directed at computers in Estonia in 2007, an attack that ground the country’s electronic infrastructure to a halt and was generally regarded as among the most devastating on record. (p.189)
…the attackers, who called themselves the Izz ad-Din al-Qassam Brigades, kept coming at the banks and adding new targets. And they continued their work into the next year. In 2013 the NSA identified approximately two hundred additional bank website attacks emanating from the same group. (p.190)
The NSA officials told the executives they were stockpiling cyber weapons, primarily thousands of zero day exploits, to use during a national emergency or if the country ever went to war. “Once we use one of them, we can never use it again,” an official explained, according to a senior financial executive who participated in the meeting. “You really want us to waste these weapons just because your websites are down?” (p.192)
But many cyber security experts, including those who work for Lockheed’s competitors, say it marked a turning point in the evolution of cyber defense when the company unveiled the concept in 2011. (p.195)
All the data is stored for a year, and any information related to malicious activity is kept indefinitely. Lockheed has effectively built a library of hacker history from which it can draw when studying new intrusions. (p.196)
The details in the Mandiant report were of a kind one normally expects to find in a classified government intelligence document. That was another reason it was so significant. The report showed that private investigators could collect and analyze information as effectively as a government spy agency, if not more so. (p.200)
Whereas Mandiant specialized in investigating cyber intrusions, FireEye aimed to prevent them. Its technology pulls aside incoming traffic on a network into a virtual cage and examines it for any signs of malware before deciding whether to let it pass. (p.204)
…the NSA, which wanted to protect computers from Wall Street to the water company, couldn’t keep a twenty-nine-year-old contractor from making off with the blueprints to its global surveillance system. (p.206)
Security in cyberspace won’t be your right. It will be your privilege. (p.219)
When people talk about a right to privacy online, do they really mean a right to remain anonymous? To be unrecognizable to the surveillance state? From the government’s perspective, that immediately makes one suspect. (p.219)
It should be in charge of integrating cyber warfare into the armed forces’ doctrine—just as every modern military in the world undoubtedly will. A future president may elect to separate the leadership of the NSA and Cyber Command, which would go a long way toward maintaining a competent and accountable cyber force. (p.221)
Conclusion
Lastly, I’d like to thank Mr. Harris for his informative and insightful work. I think state actors are the main powers in this field, and their policies and approaches cannot be ignored. Whenever there is a risk to national security, nation-state actors show their response in every aspect of politics and warfare. This book should help the reader understand the evolution of the United States’ cyber warfare policy and strategy.
‘@War’ can be ordered on Amazon.