Read Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon Online
Authors: Kim Zetter
By the time Bush’s advisers floated the idea of a precision digital weapon aimed at sabotaging Iran’s centrifuges to him, plans for developing such capabilities had already been in the works for a decade, born out of the realization that the military’s own networks were vulnerable to enemy attack.
Academics and military experts had been pondering the concept of cyberwarfare and the potential for digital weaponry even longer than that. As early as 1970, the Defense Science Board had examined the potential military advantages of subverting computer networks to render them unreliable or useless in what was then known as information warfare. Few operations were computerized at the time, however, and the internet didn’t exist, so the theoretical possibilities had to wait for reality to catch up.
It finally did in the ’90s, around the same time the term “cyberwar” was coined in a seminal 1993 RAND article titled “Cyberwar Is Coming!”: “We anticipate that cyberwar may be to the 21st century what blitzkrieg was to the 20th century,” John Arquilla and his coauthor wrote at the time.[1]
Arquilla, now a professor at the Naval Postgraduate School in California and a military consultant, recognized the potential for digital attacks during the first Gulf War when the United States used a special radar system to spot moving targets in Iraq and realized it could easily have been thwarted if the Iraqis found a way to disrupt it. It struck Arquilla that the computerized technologies that made a modern army strong also made it potentially very weak. “What made that thought even more chilling was the notion that this power existed in the hands of a few hackers,” he later said, not just in the hands of government armies. And the disruptive power of these peripheral groups was “growing by leaps and bounds.”[2]
The military already had its first taste of their capabilities in the 1980s, when a German named Markus Hess, who was reportedly recruited by the KGB, hacked into hundreds of military systems and research facilities, such as Lawrence Berkeley National Laboratory, in search of intelligence about satellites and the Star Wars defense system.[3]
Other scares followed. In 1990 in the run-up to the first Gulf War, Dutch teens broke into nearly three-dozen US military computers seeking information about Patriot missiles, nuclear weapons, and the operation against Iraq. Officials feared the teens planned to sell the intelligence to Iraq. Then in 1994, a sixteen-year-old British hacker, mentored by a twenty-one-year-old in Wales, breached US Air Force systems and used them to hack into a South Korean nuclear research institute, as well as attacking one hundred other victims. With the breach appearing to come from US military computers, it became clear that the potential consequences of such intrusions weren’t limited to intelligence theft. The United States was engaged in delicate nuclear negotiations with North Korea at the time, and the military feared that if the hackers had targeted a facility in North Korea instead, they could have brought the two nations to the brink of battle.[4]
But connectivity was a double-edged sword. If US systems were vulnerable to attack, so were the systems of adversaries. Although the United States didn’t have the capabilities to pull off such attacks yet, the wheels were being set in motion.
The Air Force was the first to take steps in this direction in 1993, when it transformed its Electronic Warfare Center into the Air Force Information Warfare Center and established, two years later, the 609 Information Warfare Squadron—the military’s first cybercombat unit.[5]
Located at Shaw Air Force Base in South Carolina, its job was to combine offensive and defensive cyber operations in support of combat commands.[6]
Offensive operations were largely still academic at this point, so the unit focused mostly on defensive tactics. But the military quickly learned that there were advantages to having defensive and offensive operations intertwined, because in defending its own networks against enemy attack it gained the intelligence and skills needed to hack back. In 1996, the squadron organized a red team/blue team exercise to test the unit’s offensive and defensive skills, and within two hours the red team had seized full control of the blue team’s Air Tasking Order System.
In 1997 the military conducted a more organized exercise to measure its defensive capabilities against enemy network attacks. The exercise, dubbed “Eligible Receiver,” pitted a red team of NSA hackers against the networks of the US Pacific Command in Hawaii. The team was prohibited from using inside knowledge to conduct the attack or anything but off-the-shelf tools that were available to ordinary hackers. When the attack began, they launched their offensive through a commercial dial-up internet account and barreled straight into the military’s networks with little resistance. The system administrators in Hawaii, who had no advance knowledge of the exercise, spotted only two of the multiple intrusions the attackers made over the course of ninety days, but even then they thought nothing of the breaches because they resembled the kind of ordinary traffic that administrators expected to see on the network. It wasn’t unlike the attack on Pearl Harbor in 1941, when an alert operator at the Opana Radar Site on the island of Oahu spotted inbound aircraft heading toward the island but didn’t raise an alarm because his superiors believed they were friendlies.
The red-team hackers dropped marker files onto the systems to plant a virtual flag, proving they were there, and also created a number of simulated attacks showing how they could have seized control of power and communications networks in Oahu, Los Angeles, Chicago, and Washington, DC. Had they wanted to, they could have seized control of a system used to command hundreds of thousands of troops or set up “rolling blackouts and other activities that would cause social unrest,” according to Lt. Gen. John H. Campbell, a now-retired Air Force general who headed the Pentagon’s information operations at one time. The exercise “scared the hell out of a lot of folks,” Campbell later said, “because the implications of what this team had been able to do were pretty far-reaching.”[7]
Afterward, when military leaders were briefed about the exercise, they assumed the red team had used classified tools and techniques for the attack and were surprised to learn that the NSA had used the same techniques any teenage hacker would use.
The next year, in fact, a group of teenagers broke into military networks using the same kinds of low-level techniques, in a case dubbed Operation Solar Sunrise. The intruders, who pilfered sensitive data across five hundred systems, turned out to be two California teens on a digital joyride, egged on by an Israeli hacker named Ehud Tenenbaum. At the time, the DoD was prosecuting two military campaigns, in Bosnia and Herzegovina and in Iraq. The intrusion, to military leaders, looked a lot like what enemy attackers would do if they were trying to gain a battlefield advantage. Deputy Defense Secretary John Hamre, in fact, thought the attacks “might be the first shots of a genuine cyber war, perhaps by Iraq.”[8]
It was a real-life War Games moment that underscored the difficulty of distinguishing a nation-state attack from teenagers testing their limits. “Everything we learned in Eligible Receiver, we relearned in Solar Sunrise,” Hamre later said of the intrusion. “There’s nothing like a real-world experience to bring the lessons home.”[9]
The real lesson, though, came afterward when Hamre called a meeting to discuss the intrusion and looked around a room filled with two-dozen people to ask, “Who’s in charge? Who’s responsible for protecting us?” and learned that when it came to cyberattacks, no one apparently was in charge. The shock of this realization led to the creation of the Joint Task Force–Computer Network Defense (JTF-CND) in December 1998, the first military group charged with figuring out how to defend the military’s networks.[10]
The task force, led by Campbell, was a motley group composed of a couple of Air Force and Navy fighter pilots, a Marine officer, some Airborne Rangers, a submarine pilot, intelligence staff, and a few contractors. One officer described them as “some guys in flight jackets …[and] a bunch of civilians with no ties.”[11]
Only a few of them were geeks who knew their way around a network. Initially they had no office and no support staff and had to work out of temporary trailers in a parking lot. But eventually the group grew to more than 150 people.
Their mission was to develop doctrines and methods for defending DoD networks against attack, but before they got started, they had two questions for the military brass: Should they develop a NORAD-type structure to defend civilian critical infrastructure as well? And what about offense? “All of us wanted to get into the attack mode,” recalls Marcus Sachs, an Army engineer and one of the task force’s initial members. “Everyone was thinking about the potential for launching digital bullets.… We wanted to go down that road and kind of flush out what would it mean for us to be offensive.”[12]
It was the era of hacker conferences like Def Con and HOPE, two confabs held in Las Vegas and New York that became popular forums for hackers and researchers to talk about security holes and hacking tools.[13]
The FBI and intelligence agencies were already lurking undercover at Def Con each year, so Sachs decided to attend as well and had his eyes opened to the possibilities of what the military might do. But the task force was told to slow down, that the military wasn’t ready for offensive operations yet. “The legal questions hadn’t been worked out,” Sachs explains.
There was another reason for caution, however. A cyberweapon was the “type of weapon that you fire and it doesn’t die. Somebody can pick it up and fire it right back at you,” Sachs says. “That was a very strong motivator to not do this.”
What Sachs didn’t know at the time was that the previous year, the secretary of defense had already given the NSA authority to begin developing computer network attack (CNA) techniques, a task the spy agency embraced as an extension of its existing electronic warfare duties, which included jamming enemy radar systems and taking out communication channels.[14]
The NSA believed its technical geniuses could play a critical role on the emerging digital battlefield as well.
The advantages of digital combat over kinetic warfare were clear, the NSA wrote in an internal newsletter in 1997.[15]
In an age of televised warfare, when images of body bags brought the stark realities of war back to the homefront, cyberwarfare offered an antiseptic alternative that the public could more easily embrace. But there were other advantages too, the report noted: the low cost of entry to conduct such campaigns; a “flexible base of deployment,” where being “in range” of a target wasn’t a necessity; and a diverse and ever-expanding set of targets as more and more critical systems became computerized.
The spy agency, in fact, was already contemplating, a decade before Stuxnet, the offensive opportunities presented by the world’s growing reliance on computerized control systems in critical infrastructure. Another article in the same newsletter proposed building a road map to track the technologies that were already on the shelves, as well as those that were still “a twinkle in some engineer’s eye,” in order to develop attack capabilities against them.[16]
The newsletter also suggested compiling a list of public hacking tools already available for use—viruses, worms, logic bombs, Trojan horses, and back doors. These powerful tools “if effectively executed,” the author noted, “[could be] extremely destructive to any society’s information infrastructure.”[17]
That included, however, US infrastructure. “So … before you get too excited about this ‘target-rich environment,’ ” the newsletter cautioned the agency’s would-be cyberwarriors, “remember, General Custer was in a target-rich environment too!”[18]
Despite obvious interest in pursuing digital attacks, however, the legal issues continued to confound. In the spring of 1999, as NATO forces were raining bombs onto Yugoslavia, the Air Force Association convened a closed-door symposium in Texas to ponder the capabilities of what was still referred to as “information warfare.” Gen. John Jumper, commander of US Air Forces in Europe, told the gathering that while information warfare conjured images of seizing an enemy’s “sacred infrastructure,” the military was not there yet. Cyberweapons were still largely laboratory fare, and the only information warfare being waged at that point was between the lawyers, policymakers, and military leaders in Washington who were still arguing over the value and legality of network attacks.[19]
Jumper told the gathering, “I picture myself around that same targeting table where you have the fighter pilot, the bomber pilot, the special operations people and the information warriors. As you go down the target list, each one takes a turn raising his or her hand saying, ‘I can take that target.’ When you get to the info warrior, the info warrior says, ‘I can take the target, but first I have to go back to Washington and get a [presidential] finding.’”[20]
Something began to change in 2000, however, when the Pentagon’s network defense task force was suddenly told to add offensive operations to its mission and to develop a doctrine for their use. The change in focus also led to a name change. Instead of Joint Task Force–Computer Network Defense, they were now to be called Joint Task Force–Computer Network Operations. The change was subtle to avoid attracting attention, Sachs says, but internally it signaled the military’s readiness to begin seriously planning offensive operations.
The questions the task force now had to ponder were many. Was an offensive network attack a military action or a covert operation? What were the parameters for conducting such attacks? Taking out computerized communication systems seemed like an obvious mission for an offensive operation, but what about sabotaging the computer controls of a weapons system to misdirect its aim or cause it to misfire?[21]
And who should be responsible for conducting such operations? Until then, if the Air Force needed an enemy’s radar system taken out, it worked jointly with the NSA’s electronic warfare team. But the NSA was an intelligence outfit whose primary job was intercepting communications. Taking out the computers that controlled an artillery system seemed more the territory of combat units.