By James Bamford, from the Wired website
Inside Fort Meade, Maryland, a top-secret city bustles. Tens of thousands of people move through more than 50 buildings - the city has its own post office, fire department, and police force.
But as if designed by Kafka, it sits among a forest of trees, surrounded by electrified fences and heavily armed guards, protected by antitank barriers, monitored by sensitive motion detectors, and watched by rotating cameras.
To block any telltale electromagnetic signals from escaping, the inner walls of the buildings are wrapped in protective copper shielding and the one-way windows are embedded with a fine copper mesh.
Never before has anyone in America’s intelligence sphere come close to his degree of power, the number of people under his command, the expanse of his rule, the length of his reign, or the depth of his secrecy.
A four-star Army general, his authority extends across three domains.
He is,
As such, he has his own secret military, presiding over the Navy’s 10th Fleet, the 24th Air Force, and the Second Army.
Alexander runs the nation’s cyberwar efforts, an empire he has built over the past eight years by insisting that the US’s inherent vulnerability to digital attacks requires him to amass more and more authority over the data zipping around the globe.
In his telling, the threat is so mind-bogglingly huge that the nation has little option but to eventually put the entire civilian Internet under his protection, requiring tweets and emails to pass through his filters, and putting the kill switch under the government’s forefinger.
In its tightly controlled public relations, the NSA has focused attention on the threat of cyberattack against the US:
Defense against these threats was the paramount mission trumpeted by NSA brass at congressional hearings and hashed over at security conferences.
Using so-called cyber-kinetic attacks, Alexander and his forces now have the capability to physically destroy an adversary’s equipment and infrastructure, and potentially even to kill.
Alexander - who declined to be interviewed for this article - has concluded that such cyberweapons are as crucial to 21st-century warfare as nuclear arms were in the 20th. And he and his cyberwarriors have already launched their first attack.
The cyberweapon that came to be known as Stuxnet was created and built by the NSA in partnership with the CIA and Israeli intelligence in the mid-2000s. The first known piece of malware designed to destroy physical equipment, Stuxnet was aimed at Iran’s nuclear facility in Natanz.
By surreptitiously taking control of an industrial control link known as a Scada (Supervisory Control and Data Acquisition) system, the sophisticated worm was able to damage about a thousand centrifuges used to enrich nuclear material.
It wasn’t until 2012 that anonymous sources within the Obama administration took credit for it in interviews with The New York Times.
The Pentagon has requested $4.7 billion for “cyberspace operations,” even as the budget of the CIA and other intelligence agencies could fall by $4.4 billion. It is pouring millions into cyberdefense contractors.
And more attacks may be planned.
Inside the government, the general is regarded with a mixture of respect and fear, not unlike J. Edgar Hoover, another security figure whose tenure spanned multiple presidencies.
Now 61, Alexander has said he plans to retire in 2014; when he does step down he will leave behind an enduring legacy - a position of far-reaching authority and potentially Strangelovian powers at a time when the distinction between cyberwarfare and conventional warfare is beginning to blur.
A recent Pentagon report made that point in dramatic terms.
It recommended possible deterrents to a cyberattack on the US. Among the options:
His face is anemic, his lips a neutral horizontal line. Bald halfway back, he has hair the color of strong tea that turns gray on the sides, where it is cut close to the skin, more schoolboy than boot camp. For a time he wore large rimless glasses that seemed to swallow his eyes.
Some combat types had a derisive nickname for him: Alexander the Geek.
It was 1970, Richard Nixon was president, and most of the country had by then begun to see the war in Vietnam as a disaster.
But Alexander had been accepted at West Point, joining a class that included two other future four-star generals, David Petraeus and Martin Dempsey. Alexander would never get the chance to serve in Vietnam.
Just as he stepped off the bus at West Point, the ground war finally began winding down.
He proved a competent administrator, carrying out assignments and adapting to the rapidly changing high-tech environment. Along the way he picked up master’s degrees in electronic warfare, physics, national security strategy, and business administration.
As a result, he quickly rose up the military intelligence ranks, where expertise in advanced technology was at a premium.
In March of that year he told his hometown Syracuse newspaper that his job was to discover threats to the country.
But just six months later, Alexander and the rest of the American intelligence community suffered a devastating defeat when they were 'surprised' by the attacks on 9/11.
Following the assault, he ordered his Army intercept operators to begin illegally monitoring the phone calls and email of American citizens who had nothing to do with terrorism, including intimate calls between journalists and their spouses.
Congress later gave retroactive immunity to the telecoms that assisted the government.
Two years later, Rumsfeld appointed Alexander - now a three-star general - director of the NSA, where he oversaw the illegal, warrantless wiretapping program while deceiving members of the House Intelligence Committee.
In a publicly released letter to Alexander shortly after The New York Times exposed the program, US representative Rush Holt, a member of the committee, angrily took him to task for not being forthcoming about the wiretapping:
Alexander also proved to be militant about secrecy.
In 2005 a senior agency employee named Thomas Drake allegedly gave information to The Baltimore Sun showing that a publicly discussed program known as Trailblazer was millions of dollars over budget, behind schedule, possibly illegal, and a serious threat to privacy.
In response, federal prosecutors charged Drake with 10 felony counts, including retaining classified documents and making false statements.
He faced up to 35 years in prison - despite the fact that all of the information Drake was alleged to have leaked was not only unclassified and already in the public domain but in fact had been placed there by NSA and Pentagon officials themselves.
Note: As a longtime chronicler of the NSA, I served as a consultant for Drake’s defense team.
The investigation went on for four years, after which Drake received no jail time or fine. The judge, Richard D. Bennett, excoriated the prosecutor and NSA officials for dragging their feet.
But while the powers that be were pressing for Drake’s imprisonment, a much more serious challenge was emerging.
Stuxnet, the cyberweapon used to attack the Iranian facility in Natanz, was supposed to be untraceable, leaving no return address should the Iranians discover it. Citing anonymous Obama administration officials, The New York Times reported that the malware began replicating itself and migrating to computers in other countries. Cybersecurity detectives were thus able to detect and analyze it.
By the summer of 2010 some were pointing fingers at the US.
The Natanz nuclear enrichment plant is a vault of a different kind. Tucked in the shadows of the Karkas Mountains, most of it lies deep underground and is surrounded by concrete walls 8 feet thick, with another layer of concrete for added security. Its bulbous concrete roof rests beneath more than 70 feet of packed earth.
Contained within the bombproof structure are halls the size of soccer pitches, designed to hold thousands of tall, narrow centrifuges. The machines are linked in long cascades that look like tacky decorations from a ’70s discotheque.
The operation is so delicate that the computers controlling the rotors’ movement are isolated from the Internet by a so-called air gap that prevents exposure to viruses and other malware.
One of the first steps was to build a map of the Iranian nuclear facility’s computer networks. A group of hackers known as Tailored Access Operations - a highly secret organization within the NSA - took up the challenge.
Armed with that intelligence, so-called network exploitation specialists then developed software implants known as beacons, which worked like surveillance drones, mapping out a blueprint of the network and then secretly communicating the data back to the NSA. (Flame, the complex piece of surveillance malware discovered by Russian cybersecurity experts last year, was likely one such beacon.)
The surveillance drones worked brilliantly. The NSA was able to extract data about the Iranian networks, listen to and record conversations through computer microphones, even reach into the mobile phones of anyone within Bluetooth range of a compromised machine.
According to the senior CIA official, much of this work was outsourced to national labs, notably Sandia in Albuquerque, New Mexico. So by the mid-2000s, the government had developed all the fundamental technology it needed for an attack.
But there was still a major problem:
This is where things get murky.
One possible bread crumb trail leads to an Iranian electronics and computer wholesaler named Ali Ashtari, who later confessed that he was recruited as a spy by the Mossad, Israel’s intelligence service. (Israel denied the claim.)
Ashtari’s principal customers were the procurement officers for some of Iran’s most sensitive organizations, including the intelligence service and the nuclear enrichment plants.
If new computers were needed or routers or switches had to be replaced, Ashtari was the man to see, according to reports from semi-official Iranian news agencies and an account of Ashtari’s trial published by the nonprofit Iran Human Rights Voice.
He not only had access to some of Iran’s most sensitive locations, his company had become an electronics purchasing agent for the intelligence, defense, and nuclear development departments.
This would have given Mossad enormous opportunities to place worms, back doors, and other malware into the equipment in a wide variety of facilities. Although the Iranians have never explicitly acknowledged it, it stands to reason that this could have been one of the ways Stuxnet got across the air gap.
He may have let down his guard.
In 2006, according to Iran Human Rights Voice, Ashtari was quietly arrested at a travel agency after returning from another trip out of the country.
But he was not Israel’s only alleged spy in Iran, and others may also have helped enable malware transfer.
Less than two weeks after Ashtari’s execution, the Iranian government arrested three more men, charging them with spying for Israel.
And on December 13, 2008, Ali-Akbar Siadat, another importer of electronic goods, was arrested as a spy for the Mossad, according to Iran’s official Islamic Republic News Agency.
Unlike Ashtari, who said he had operated alone, Siadat was accused of heading a nationwide spy network employing numerous Iranian agents. But despite their energetic counterintelligence work, the Iranians would not realize for another year and a half that a cyberweapon was targeting their nuclear centrifuges.
Once they did, it was only a matter of time until they responded.
Just days later, another large cyberattack hit RasGas, the giant Qatari natural gas company. Then a series of denial-of-service attacks took America’s largest financial institutions offline.
Experts blamed all of this activity on Iran, which had created its own cyber command in the wake of the US-led attacks.
James Clapper, US director of national intelligence, for the first time declared cyberthreats the greatest danger facing the nation, bumping terrorism down to second place. In May, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team issued a vague warning that US energy and infrastructure companies should be on the alert for cyberattacks.
It was widely reported that this warning came in response to Iranian cyberprobes of industrial control systems.
An Iranian diplomat denied any involvement.
Under international law, Iran may have the right to self-defense when hit with destructive cyberattacks.
William Lynn, deputy secretary of defense, laid claim to the prerogative of self-defense when he outlined the Pentagon’s cyber operations strategy.
Leon Panetta, the former CIA chief who had helped launch the Stuxnet offensive, would later point to Iran’s retaliation as a troubling harbinger.
If Stuxnet was the proof of concept, it also proved that one successful cyberattack begets another. For Alexander, this offered the perfect justification for expanding his empire.
In May 2010, a little more than a year after President Obama took office and only weeks before Stuxnet became public, a new organization to exercise American rule over the increasingly militarized Internet became operational: the US Cyber Command.
Keith Alexander, newly promoted to four-star general, was put in charge of it.
The forces under his command were now truly formidable - his untold thousands of NSA spies, as well as 14,000 incoming Cyber Command personnel, including Navy, Army, and Air Force troops.
Helping Alexander organize and dominate this new arena would be his fellow plebes from West Point’s class of 1974:
Indeed, dominance has long been their watchword.
Alexander’s Navy calls itself the Information Dominance Corps. In 2007, the then secretary of the Air Force pledged to “dominate cyberspace” just as “today, we dominate air and space.”
And Alexander’s Army warned,
The Army is reportedly treating digital weapons as another form of offensive capability, providing frontline troops with the option of requesting “cyber fire support” from Cyber Command in the same way they request air and artillery support.
Thousands of hard-hatted construction workers will soon begin erecting cranes, driving backhoes, and emptying cement trucks as they expand the boundaries of NSA’s secret city eastward, increasing its already enormous size by a third.
In May, work began on a $3.2 billion facility housed at Fort Meade in Maryland.
Known as Site M, the 227-acre complex includes its own 150-megawatt power substation, 14 administrative buildings, 10 parking garages, and chiller and boiler plants. The server building will have 90,000 square feet of raised floor - handy for supercomputers - yet hold only 50 people.
Meanwhile, the 531,000-square-foot operations center will house more than 1,300 people. In all, the buildings will have a footprint of 1.8 million square feet. Even more ambitious plans, known as Phase II and III, are on the drawing board.
Stretching over the next 16 years, they would quadruple the footprint to 5.8 million square feet, enough for nearly 60 buildings and 40 parking garages, costing $5.2 billion and accommodating 11,000 more cyberwarriors.
In April, as part of its 2014 budget request, the Pentagon asked Congress for $4.7 billion for increased “cyberspace operations,” nearly $1 billion more than the 2013 allocation. At the same time, budgets for the CIA and other intelligence agencies were cut by almost the same amount, $4.4 billion. A portion of the money going to Alexander will be used to create 13 cyberattack teams.
With those conflicts now mostly in the rearview mirror, they are looking to Alexander as a kind of savior. After all, the US spends about $30 billion annually on cybersecurity goods and services.
And at consulting firm Booz Allen Hamilton, where former NSA director Mike McConnell was hired to lead the cyber effort, the company announced a “cyber-solutions network” that linked together nine cyber-focused facilities. Not to be outdone, Boeing built a new Cyber Engagement Center.
Leaving nothing to chance, it also hired retired Army major general Barbara Fast, an old friend of Alexander’s, to run the operation. (She has since moved on.)
Consulting and engineering firms such as Invertix and Parsons are among dozens posting online want ads for “computer network exploitation specialists.”
And many other companies, some unidentified, are seeking computer and network attackers.
Another, from Sunera, a Tampa, Florida, company, said it was hunting for “attack and penetration consultants.”
Established in Atlanta in 2008, Endgame is transparently antitransparent.
True to form, the company declined Wired’s interview requests.
Like safecrackers listening to the click of tumblers through a stethoscope, the “vulnerability researchers” use an extensive array of digital tools to search for hidden weaknesses in commonly used programs and systems, such as Windows and Internet Explorer.
And since no one else has ever discovered these unseen cracks, the manufacturers have never developed patches for them. Thus, in the parlance of the trade, these vulnerabilities are known as “zero-day exploits,” because the vendor has had zero days’ warning to develop a fix. They are the Achilles’ heel of the security business, says a former senior intelligence official involved with cyberwarfare.
Those seeking to break into networks and computers are willing to pay millions of dollars to obtain them.
Dubbed Bonesaw, the map displays the geolocation and digital address of basically every device connected to the Internet around the world, providing what’s called network situational awareness.
The client locates a region on the password-protected web-based map, then picks a country and city - say, Beijing, China. Next the client types in the name of the target organization, such as the Ministry of Public Security’s No. 3 Research Institute, which is responsible for computer security - or simply enters its address, 6 Zhengyi Road.
The map will then display what software is running on the computers inside the facility, what types of malware some may contain, and a menu of custom-designed exploits that can be used to secretly gain entry.
It can also pinpoint those devices infected with malware, such as the Conficker worm, as well as networks turned into botnets and zombies - the equivalent of a back door left open.
But such access doesn’t come cheap. One leaked report indicated that annual subscriptions could run as high as $2.5 million for 25 zero-day exploits.
The question is, who else is on the secretive company’s client list?
Because there is as yet no oversight or regulation of the cyberweapons trade, companies in the cyber-industrial complex are free to sell to whomever they wish.
Thus, in their willingness to pay top dollar for more and better zero-day exploits, the spy agencies are helping drive a lucrative, dangerous, and unregulated cyber arms race, one that has developed its own gray and black markets.
The companies trading in this arena can sell their wares to the highest bidder - be they frontmen for criminal hacking groups or terrorist organizations or countries that bankroll terrorists, such as Iran.
Ironically, having helped create the market in zero-day exploits and then having launched the world into the era of cyberwar, Alexander now says the possibility of zero-day exploits falling into the wrong hands is his “greatest worry.”
In May, Alexander discovered that four months earlier someone, or some group or nation, had secretly hacked into a restricted US government database known as the National Inventory of Dams. Maintained by the Army Corps of Engineers, it lists the vulnerabilities for the nation’s dams, including an estimate of the number of people who might be killed should one of them fail.
Meanwhile, the 2013 “Report Card for America’s Infrastructure” gave the US a 'D' on its maintenance of dams. There are 13,991 dams in the US that are classified as high-hazard, the report said.
A high-hazard dam is defined as one whose failure would cause loss of life.
He made his comments in September 2011.