Dark Territory (21 page)
Authors: Fred Kaplan
As a result of his technical prowess and his ability to speak a common language with the technical personnel, he and his staff devised the conceptual outlines of a new system in a matter of months and launched the first stages of a new program within a year. They called it Turbulence.
Instead of a single, monolithic system that tried to do everything,
Turbulence consisted of nine smaller systems. In part, the various systems served as backups or alternative approaches, in case the others failed or the global technology shifted. More to the point, each of the systems sliced into the network from a different angle. Some pieces intercepted signals from satellites, microwave, and cable communications; others went after cell phones; still others tapped into the Internetâand they went after Internet traffic on the level of data
packets
, the basic unit of the Internet itself, either tracking the packets from their origins or sitting on the backbone of Internet traffic (often
with the cooperation of the major Internet service providers), detecting a target's packet, then alerting the hackers at TAO to take over.
It wasn't just Alexander's technical acumen that made Turbulence possible; it was also the huge advancesâin data processing, storage, and indexingâthat had taken place in just the previous few years. Alexander took over Fort Meade at just the moment when, in the world of computers, his desires converged with reality.
Over the ensuing decade, as Turbulence matured and splintered into specialized programs (with names like Turbine, Turmoil, QuantumTheory, QuantumInsert, and XKeyscore), it evolved into a thoroughly interconnected, truly global system that would make earlier generations of signals intelligence seem clunky by comparison.
Turbulence drew on the same massive databases as Trailblazer; what differed was the processing and sifting of the data, which were far more precise, more tailored to the search for specific information, and more closely shaped to the actual pathwaysâthe packets and streamsâof modern digital communications. And because the intercepts took place within the network, the target could be tracked on the spot, in real time.
In the early stages of Turbulence, a parallel program took off, derived from the same technical concepts, involving some of the same technical staff, but focused on a specific geographical region. It was called the RTRGâfor Real Time Regional Gatewayâand its first mission was to hunt down insurgents in Iraq.
RTRG got under way early in 2007, around the same time that General David Petraeus assumed command of U.S. forces in Iraq and President Bush ordered a “surge” in the number of those forces. Petraeus and Alexander had been friendly for more than thirty years: they'd been classmates at West Point, a source of bonding among Army officers, and they'd renewed their ties years later as brigade commanders at Fort Bragg. When they met again, as Petraeus led the fight in Baghdad, they made a natural team: Petraeus wanted to
win the war through a revival of counterinsurgency techniques, and Alexander was keen to plow NSA resources into helping him.
Roadside bombs were the biggest threat to American soldiers in Iraq. Intelligence on the bombers and their locations flooded into NSA computers, from cell phone intercepts, drone and satellite imagery, and myriad other sources. But it took
sixteen hours
for the data to flow to the Pentagon, then to Fort Meade, then to the tech teams for analysis, then back to the intel centers in Baghdad, then to the soldiers in the fieldâand that was too long: the insurgents had already moved elsewhere.
Alexander proposed cutting out the middlemen and putting NSA equipment and analysts inside Iraq. Petraeus agreed. They first set up shop, a mini-NSA, in a heavily guarded concrete hangar at Balad Air Base, north of Baghdad. After a while, some of the analysts went out on patrol with the troops, collecting and processing data as they moved. Over the next few years, six thousand NSA officials were deployed to Iraq and, later, Afghanistan; twenty-two of them were killed, many of them by roadside bombs while they were out with the troops.
But their efforts had an impact: in the first few months, the lag time between collecting and acting on intelligence was slashed from sixteen hours to
one minute
.
By April, Special Forces were using this cache of intelligence to capture not only insurgents but also their computers; and stored inside those computers were emails, phone numbers, usernames, passwords of other insurgents, including al Qaeda leadersâthe stuff of a modern spymaster's dreams.
Finally, Alexander and McChrystal had the ingredients for the cyber offensive campaign that they'd discussed with John Abizaid four years earlier. The NSA teams at Balad Air Base hoisted their full retinue of tricks and tradecraft. They intercepted insurgents' emails: in some cases, they merely monitored the exchanges to gain new
intelligence; in other cases, they injected malware to shut down insurgents' servers; and in otherâmany otherâcases, they sent phony emails to insurgents, ordering them to meet at a certain time, at a certain location, where U.S. Special Forces would be hiding and waiting to kill them.
In 2007 alone, these sorts of operations, enabled and assisted by the NSA, killed nearly four thousand Iraqi insurgents.
The effect was not decisive, nor was it meant to be: the idea was to provide some breathing space, a zone of security, for Iraq's political factions to settle their quarrels and form a unified state without having to worry about bombs blowing up every day. The problem was that the ruling faction, the Shiite government of Prime Minister Nouri al-Maliki, didn't want to settle its quarrels with rival factions among the Sunnis or Kurds; and so, after the American troops left, the sectarian fighting resumed.
But that pivotal year of 2007 saw a dramatic quelling of violence and the taming, co-optation, or surrender of nearly all the active militias. Petraeus's counterinsurgency strategy had something to do with this, as did Bush's troop surge. But the tactical gains could not have been won without the Real Time Regional Gateway of the NSA.
RTRG wasn't the only innovation that the year saw in cyber offensive warfare.
On September 6, just past midnight, four Israeli F-15 fighter jets flew over an unfinished nuclear reactor in eastern Syria, which was being built with the help of North Korean scientists, and demolished it with a barrage of laser-guided bombs and missiles. Syrian president Bashar al-Assad was so stunned that he issued no public protest: better to pretend nothing happened than to acknowledge such a successful incursion. The Israelis said nothing either.
Assad was baffled. The previous February, his generals had installed new Russian air-defense batteries; the crews had been training ever since, and, owing to tensions on the Golan Heights, they'd been on duty the night of the attack; yet they reported seeing no planes on their radar screens.
The Israelis managed to pull off the attackâcode-named Operation Orchardâbecause, ahead of time, Unit 8200, their secret cyber warfare bureau, had hacked the Syrian air-defense radar system.
They did so with a computer program called Suter, developed by a clandestine U.S. Air Force bureau called Big Safari. Suter didn't disable the radar; instead, it disrupted the data link connecting the radar with the screens of the radar operators. At the same time, Suter hacked into the screens' video signal, so that the Unit 8200 crew could see what the radar operators were seeing. If all was going well, they would see blank screensâand all went well.
It harked back to the campaign waged in the Balkans, ten years earlier, when the Pentagon's J-39 unit, the NSA, and the CIA's Information Operations Center spoofed the Serbian air-defense command by tapping into its communications lines and sending false data to its radar screens. And the Serbian campaign had its roots in the plan dreamed up, five years earlier, by Ken Minihan's demon-dialers at the Air Force Information Warfare Center in San Antonio, to achieve air surprise in the (ultimately aborted) invasion of Haiti by jamming all the island's telephones.
The Serbian and Haitian campaigns were classic cases of information warfare in the pre-digital age, when the armed forces of many nations ran communications through commercial phone lines. Operation Orchard, like the NSA-JSOC operation in Iraq, exploited the growing reliance on computer networks. Haiti and the Balkans were experiments in
proto
-cyber warfare; Operation Orchard and the roundup of jihadists in Iraq marked the start of the real thing.
Four and a half months earlier, on April 27, 2007, riots broke out in Tallinn, the capital of Estonia, the smallest and most Western-leaning of the three former Soviet republics on the Baltic Sea, just south of Finland. Estonians had chafed under Moscow's rule since the beginning of World War II, when the occupation began. When Mikhail Gorbachev took over the Kremlin and loosened his grip almost a half century later, Estonians led the region-wide rebellion for independence that helped usher in the collapse of the Soviet Union. When Vladimir Putin ascended to power at the turn of the twentyfirst century on a wave of resentment and nostalgia for the days of great power, tensions once again sharpened.
The riots began when Estonia's president, under pressure from Putin, overruled a law that would have removed all the monuments that had gone up during the years of Soviet occupation, including a giant bronze statue of a Red Army soldier. Thousands of Estonians took to the streets in protest, rushing the bronze statue, trying to topple it themselves, only to be met by the town's ethnic Russians, who fought back, seeing the protest as an insult to the motherland's wartime sacrifices. Police intervened and moved the statue elsewhere, but street fights continued, at which point Putin intervenedânot with troops, as his predecessors might have done, but with an onslaught of ones and zeros.
The 1.3 million citizens of Estonia were among the most digitally advanced on earth, a larger percentage of them hooked up to the Internet and were more reliant on broadband services than those of any other country. The day after the Bronze Night riot, as it was called, they were hit with a massive cyber attack, their networks and servers flooded with so much data that they shut down. And unlike most denial-of-service attacks, which tended to be one-off bits of mischief, this attack persisted and was followed upâin three separate wavesâ
with infections of malware that spread from one computer to another, across the tiny nation, in all spheres of life. For three weeks, sporadically for a whole month, many Estonians were unable to use not just their computers but their telephones, bank accounts, credit cards: everything was hooked up to one network or anotherâthe parliament, the government ministries, mass media, shops, public records, military communicationsâand it all broke down.
As a member of NATO, Estonia requested aid under Article 5 of the North Atlantic Treaty, which pledged each member-state to treat an attack on one as an attack on all. But the allies were skeptical. Was this an
attack
, in that sense? Was it an act of war? The question was left open. No troops were sent.
Nonetheless, Western computer specialists rushed to Estonia's defense at their own initiative, joining and aiding the considerable, skilled white-hat hacker movement inside Estonia. Using a variety of time-honored techniques, they tracked and expelled many of the intruders, softening the effects that would have erupted had the Tallinn government been the only source of resistance and defense.
Kremlin officials denied involvement in the attack, and the Westerners could find no
conclusive
evidence pointing to a single culpritâone reason, among several, for their reluctance to regard the cyber attacks as cause to invoke Article 5. Attributing the source of a cyber attack was an inherently difficult matter, and whoever launched this one had covered his tracks expertly. Still, forensic analysts did trace the malware code to a Cyrillic keyboard; in response, Kremlin authorities arrested a single member of the nationalist youth organization Nashi (the Russian word for “ours”), fined him the equivalent of a thousand dollars, and pronounced the crime solved. But no one believed that a single lowly citizen, or a small private group, could have found, much less hacked, some of the sensitive Estonian sites that had been taken down all at once and for such a long time.
The cyber strikes in Estonia proved to be the dress rehearsal for a coordinated military campaign, a little over a year later, in which Russia launched simultaneous air, ground, naval, and cyber operations against the former Soviet republic of Georgia.
Since the end of the Cold War, tensions had been rife between Moscow and the newly independent Georgian government over the tiny oblasts of South Ossetia and Abkhazia, formally a part of Georgia but dense with ethnic Russians.
On August 1, 2008, Ossetian separatists shelled the Georgian village of Tskhinvali. The night of August 7â8, Georgian soldiers mobilized, suppressing the separatists and recapturing the town in a few hours. The next day, under the pretense of “peace enforcement,” Russian troops and tanks rolled into the village, supported by air strikes and a naval blockade along the coast.
At the precise moment when the tanks and planes crossed the South Ossetian line, fifty-four Georgian websitesârelated to mass media, finance, government ministries, police, and armed forcesâwere hacked and, along with the nation's entire Internet service, rerouted to Russian servers, which shut them down. Georgian citizens couldn't gain access to information about what was happening; Georgian officers had trouble sending orders to their troops; Georgian politicians met long delays when trying to communicate with the rest of the world. As a result, Russian propaganda channels were first to beam Moscow's version of events to the world. It was a classic case of what was once called information warfare or counter command-control warfareâa campaign to confuse, bewilder, or disorient the enemy and thus weaken, delay, or destroy his ability to respond to a military attack.