@War: The Rise of the Military-Internet Complex
Authors: Shane Harris
Tags: #Computers, #Non-Fiction, #Military, #History
Copyright © 2014 by Shane Harris
All rights reserved
For information about permission to reproduce selections from this book, write to Permissions, Houghton Mifflin Harcourt Publishing Company, 215 Park Avenue South, New York, New York 10003.
Library of Congress Cataloging-in-Publication data is available.
ISBN 978-0-544-25179-3
eISBN 978-0-544-25044-4
v1.1114
For my husband, Joe de Feo
A Note on Sources
I've covered cyber security and electronic surveillance as a journalist for more than a decade. This book is informed by the more than one thousand interviews I've conducted over the years with current and former government officials, military personnel, corporate executives and employees, subject matter experts, researchers, and activists. Over the past two years as I was working on this project, I conducted new rounds of interviews with many of these people, who are among my most credible and trusted sources. I also conducted interviews with some sources for the first time. For this book I relied especially on my interviews with current government officials and military personnel whose jobs deal directly with cyber security operations or policies. They are working in the trenches of this evolving terrain, not at its fringes. I'm grateful to them for taking the time to speak with me and for confiding in me on a subject that many in government still resist discussing publicly because too much of it touches on classified material and operations.
Many of the people I interviewed agreed to be quoted on the record, and in those cases I have listed their names either in the text or in the endnotes. Others requested that I not identify them by name and, in some cases, that I not identify the agency or company where they work. It's regrettable and frequently unavoidable when reporting on classified matters of national security that journalists cannot more fully identify their sources. I don't believe a single person I interviewed for this book has revealed information to me that would jeopardize national security or put lives at risk. But I granted these people's requests for two reasons.
First, the information they provided either was essential to the story and couldn't be obtained any other way or it amplified information from other on-the-record sources or documents in the public domain. (And a surprising amount of revealing information about cyber warfare and espionage has been made public or was never classified.) Second, these people spoke to me at significant risk to their professional livelihood and potentially their personal freedom. In discussing cyber warfare and espionage, it's often hard for sources to know if they're revealing classified information or getting close to the line. If the sources who discussed these matters were identified by name, they could lose their top-secret security clearances, which would make them effectively unemployable in their chosen profession of national security.
But these sources also risked criminal prosecution in talking to me. The Obama administration has been historically hostile to government employees who share information with journalists. The Justice Department has prosecuted more people for disclosing classified information than all previous administrations combined. Simply put, it is a dangerous time to talk to journalists. And this risk extends to former government employees and military personnel. Several former intelligence officials have told me that within the past year they were explicitly told by the intelligence agencies where they're still employed as contractors that they should stop talking to journalists if they want to continue doing business with the government. In cases where I refer to anonymous sources, I've done my best to explain why those people are credible and authoritative, while honoring my obligation not to reveal information that could identify them.
A significant portion of this book is based on documents in the public domain. These include government reports and presentations; congressional testimony; speeches by senior officials; and an ever-growing and highly detailed body of written analysis by private security researchers. When I began researching this book, a number of colleagues questioned how I'd be able to write about a subject as shrouded in official secrecy as cyber security. But I was surprised to learn that a very large amount of revealing and informative unclassified information exists in the public domain. There's a significant amount of knowledge out there, which tends to undermine the claims by many government officials that this subject is too sensitive to talk about publicly. I'm heartened that in the past few years more government officials and military leaders have decided to talk more openly about cyber warfare and espionage. The public cannot understand these issues, and governments can't make sound law and policy, without candid and frank discussion in the light of day.
The spies had come without warning. They plied their craft silently, stealing secrets from the world's most powerful military. They were at work for months before anyone noticed their presence. And when American officials finally detected the thieves, they saw that it was too late. The damage was done.
The intruders had made off with huge amounts of technical and design information about the United States' most important new weapon, a next-generation aircraft called the Joint Strike Fighter. It was supposed to be the fighter to end all fighters, which would be flown by every branch of the armed forces and ensure America's aerial dominance for decades to come. Dubbed the F-35, the jet was the most complex military weapons system ever devised and, with an estimated total price tag of $337 billion, the most expensive.
All signs pointed to China's military as the culprit in a series of audacious raids that began in late 2006. It had the motive and the opportunity to steal the F-35's secrets, particularly details about how the fighter evaded enemy radar systems. For decades China had waged an aggressive espionage campaign against the US Armed Forces, its most formidable adversary. Beginning in the late 1970s, Chinese agents working in or visiting American universities, government research labs, and defense contractors made off with design information about weapons systems, including nuclear warheads.
But there was something strange about the Joint Strike Fighter theft. The spies weren't taking paper documents out of offices or eavesdropping on engineers in the break room. They were stealing information remotely, via a computer connection. The Joint Strike Fighter program had been hacked.
Computer forensics investigators at the air force, which was in charge of the F-35 program, started looking for the culprits. To understand how the hackers had gotten in, they had to think like them. So they brought in a hacker. He was an ex-military officer and a veteran of the military's clandestine cyber campaigns.
He'd cut his teeth in some of the army's earliest information-warfare operations in the mid-1990s, the kind designed to get inside an enemy's head more than his databases. These were computer-age variants of classic propaganda campaigns; they required military hackers to know how to penetrate an enemy's communications systems and transmit messages that looked as if they came from a trusted source. Later the former officer's work evolved into going after insurgents and terrorists on the battlefields of Iraq, tracking them down via their cell phones and Internet messages. He was only in his mid-forties, but by the standards of his profession he was an old hand.
This much the air force knew about the Joint Strike Fighter breach: the data hadn't been taken from a military computer. It seemed to have come from a company that was hired to help design and build the aircraft. The spies had made an end run, targeting Defense Department contractors whose computers were full of highly classified information, including some of the same plans for the F-35 that were likely to be found on a military system. It was a shrewd tactic. Contractors are an indispensable part of the American military; without them, planes don't fly, tanks don't roll, and ships aren't built and repaired. But their computer systems were generally less defended than the military's top-secret networks, the most sensitive of which weren't even connected to the Internet. The hackers simply found another way in, targeting the firms to which the military outsourced so many of its key operations.
The air force investigators weren't sure which company was the source of the breach. It could be Lockheed Martin, the lead contractor on the F-35 program, or its two main subcontractors, Northrop Grumman and BAE Systems, or any one of the more than one thousand other firms and suppliers hired to work on the jet's many mechanical systems or its elaborate electronics. About 7.5 million lines of software code helped run the aircraft itself, more than three times the number in the service's current top-of-the-line fighter.
Another 15 million lines of code ran the jet's logistics, training, and other support systems. For a spy, this was what the military would call a “target-rich environment.” Anywhere he looked he might find secrets about the aircraft's navigation systems, its onboard sensors and surveillance equipment, and its weaponry.
The logical place to start the investigation was with Lockheed Martin, the primary contractor. Its own computers held vital information about the aircraft, but perhaps more important, it was in charge of the many subcontractors to whom various aspects of the F-35's development had been farmed out. But when the air force's hacker showed up at a Lockheed office to start his investigation, he was met not by fellow techies or military officers overseeing the F-35's construction. He was greeted by the company's lawyers.
The hacker requested a laptop. “Why do you need that?” the lawyers asked. He explained that he had to look at Lockheed's internal computer networks, for starters. Also, he wanted to know what software and applications a typical Lockheed employee's laptop was running. They might have flaws in software code or “backdoors,” which allow a user (including a legitimate one, such as a systems administrator) to bypass normal security controls, like a user log-in and password screen, and gain access to the machine. An intruder could have used these access points to gain a foothold inside the company's electronic infrastructure. All the spy needed was a way in, a place to set up a digital beachhead and conduct operations.
The lawyers gave the hacker a laptop fresh out of the box; it had never been connected to a Lockheed network. It had never been touched by a Lockheed employee, other than an attorney. The hacker protested. This was like being asked to figure out how a house was burgled without being allowed to inspect the crime scene.
Why would Lockheed, which stood to make billions building the Joint Strike Fighter, not do everything it could to help find the spies? Maybe because a thorough investigation might reveal how poorly defended the company's networks were. Investigators might even find evidence of other breaches, on other military programs. Word that it had been infiltrated by spies who'd never set foot on company property could hardly help its business. Lockheed was the single-largest provider of goods and services to the US government. In 2006 it held at least $33.5 billion in contracts, more than 80 percent of which were with the Defense Department.
And those figures don't include secret work for intelligence agencies, which surely totaled billions more. Lockheed couldn't afford to be seen as a poor steward of the government's most precious secrets; indeed, no defense contractor could. Lockheed was also a publicly traded company. Presumably, shareholders would react negatively to news that it couldn't protect the information at the core of its multibillion-dollar business.
Unsurprisingly, the hacker found nothing useful on the laptop. The top air force generals charged with seeing the Joint Strike Fighter to completion were furious about the breach, and they demanded that Lockheed, and all the other contractors involved, cooperate fully with the investigation. As they saw it, these companies didn't just work for the government. They were effectively part of the government, sustained by taxpayer dollars and entrusted with top-secret work. The air force expanded its investigation, and over the next several months the hacker and his colleagues scrutinized Lockheed's networks and those of other contractors working on the program.