This Is How They Tell Me the World Ends: The Cyberweapons Arms Race
Kindle Notes & Highlights
48%
Years later, Daniel still winced at just how close American officials had come that night to retaliating. “It was a critical lesson that in cyber, the first assessment is almost always wrong.”
49%
In Washington the attack paralyzed U.S. officials, who had yet to formulate a clear strategy for containing the growing cyber threat from Iran, let alone how to respond when private American companies were caught in the crossfire. They were finding it hard enough to protect their own systems from attacks.
49%
The Sony attack, like the attack on Sands before it, was also a strike on free speech. If Americans were no longer at liberty to put out bad movies, make bad jokes, or share their darkest thoughts without the threat of a cyberattack that cost them millions of dollars or leaked their email for all to see, this would inevitably lead to an erosion in free speech, perhaps not all at once but little by little, bit by bit.
49%
“It was the old people-in-glass-houses problem,” a senior Obama official told me. The NSA’s bread and butter was hacking foreign agencies and officials. China’s breach of OPM was essentially a countermeasure. “There was an inherent tension between protecting the private sector, the personal data of our citizens, and the interests of our intelligence community, which was directing the same kind of campaigns. But the real killer was commercial espionage.”
49%
The Chinese cyberattacks on American businesses had to stop, Obama told Xi. If they didn’t, the United States had the next round of indictments ready to go and would move to sanctions. Xi agreed, but everyone in the room knew that by then, China had already collected enough U.S. intellectual property to last it well into the next decade. Chinese hackers had taken everything from the designs for the next F-35 fighter jet to the Google code, the U.S. smart grid, and the formulas for Coca-Cola and Benjamin Moore paint.
50%
But then came Trump, who turned the table over with tariffs and the trade war. If it weren’t for that, some officials told me, Chinese industrial cyberattacks might have slowed to a trickle. But the cynics saw it differently. The agreement had always been a con job, they said. Xi was just biding his time.
50%
The computer systems that powered the grid were designed long before cyberattacks became the norm; they were built for access, not security.
50%
For years the military and intelligence officials warned Congress that a foreign nation or rogue hacker could exploit software holes and access points to take down the substations that power Silicon Valley, the NASDAQ, or a swing county’s voting systems on Election Day.
51%
Intelligence officials had warned Congress, time and time again, that a carefully orchestrated cyberattack on the American grid could unleash outages for at least months, if not years.
51%
Fear, uncertainty, and doubt were so common a scourge in the cybersecurity industry that hackers had shortened it to a code—FUD.
51%
I didn’t know whether to regret that we had not listened more carefully or to be furious that the cybersecurity industry’s marketing tactics had made it all too easy for Americans to tune the real threats out.
51%
This variant of BlackEnergy was not designed to bring websites to a halt or steal bank credentials; it was an advanced nation-state espionage tool that could extract screenshots, record keystrokes, and pilfer files and encryption keys off victims’ computers. And it was no mystery who was behind it: BlackEnergy’s file commands were all written in Russian.
52%
It was an act of unprecedented digital cruelty, but the Russians stopped just short of taking lives.
52%
This was Putin’s way of signaling the United States. If Washington intervened further in Ukraine, if it pulled off a Stuxnet-like attack in Russia, they would take us down. Our grid was no less vulnerable than Ukraine’s; the only difference is we were far more connected, far more dependent, and in far greater denial.
53%
Printed in giant font on the office door were the following words: I GET TIRED OF COMING UP WITH LAST-MINUTE DESPERATE SOLUTIONS TO IMPOSSIBLE PROBLEMS CREATED BY OTHER #@% PEOPLE. I recognized the quote from the 1992 film Under Siege.
53%
I’d always imagined the White House would have some advanced, real-time map of cyberattacks, denoted in red blips, sailing toward the White House from decoy servers around the globe, and a team of responders waiting to zap them in real time. Nope. When it came to defense, the nation with the most advanced hacking capabilities in the world was reduced to a printout, like the rest of us.
54%
Russians put up Black Lives Matter pages and Instagram accounts with names like Woke Blacks that tried to convince African Americans, a crucial Clinton demographic, to stay home on Election Day. “Hatred for Trump is misleading the people and forcing Blacks to vote Killary,” their message read. “We cannot resort to the lesser of two devils. Then we’d surely be better off without voting AT ALL.”
54%
Americans would only catch a shimmer of the Russians’ operation in June 2016, when they hacked the Democratic National Committee.
55%
In the back and forth, Americans had lost sight of where these leaks were coming from.
55%
Russian hackers would not necessarily even need to compromise the voting machines themselves; it would be far easier, and less visible, to simply digitally disenfranchise thousands of voters in traditionally blue urban counties in purple states.
55%
Mitch McConnell, the Senate majority leader, made it clear that he would not sign onto any bipartisan statement blaming the Russians; he dismissed the intelligence, admonished officials for playing into what he wrote off as Democrats’ spin, and refused to warn Americans about efforts to undermine the 2016 election.
56%
The numbers show that, in fact, Trump not only lost the popular vote by three million votes but received a smaller share of the vote than Al Gore, John Kerry, and Mitt Romney in their losing campaigns. It wasn’t so much that Trump won in 2016 as that Clinton lost.
56%
But we’ll likely never know how much Russia’s daily barrage of anti-Clinton memes, simulated rallies, and bots kept would-be Clinton voters at home or created such a dark cloud over her candidacy that it pushed them to vote third-party.
56%
And speaking of burning, when the Trump administration finally ordered Russia to close its San Francisco consulate nine months later, conspicuous plumes of black smoke started pouring out of the building’s chimney on moving day. Inside, the Russians were burning who-knows-what. Locals gathered on the sidewalk to gawk; the fire department was called to investigate; local environmental officials sent an inspector. A local news reporter approached a Russian man and woman exiting the building to inquire about the burning. With acrid black smoke billowing all around them, the woman replied: “There ...more
57%
For years U.S. officials agonized that the nation’s own cyber operations—the Stuxnet strikes—would inspire its enemies to develop their own. That one day, with enough money and training, they might catch up. Now America’s own hacking tools were hanging out there on the open web, free for anyone to pick up and fire back at us. Back at Fort Meade, the spies began to sweat.
58%
He always thought that if someone outed him like this, the agency would have his back. But since the Shadow Brokers post, he hadn’t gotten so much as a phone call. “That feels like a betrayal,” he said. “I was targeted by the Shadow Brokers because of that work. I do not feel my government has my back.”
58%
The NSA, meanwhile, had been shaken to its core. The agency regarded as the world’s leader in breaking into foreign computer networks had failed to protect its own. And just when it thought things couldn’t get any worse, it turned out that the Shadow Brokers had saved the best tools for last.
59%
The WannaCry attacks appeared to have been planned in such haste that some questioned whether North Korea’s hackers had accidentally let their attack code escape before it was ready. Or perhaps they had simply been testing their tools, clueless to the potency of their newfound NSA weapon. Whatever the explanation, they not only failed to generate income or cover their tracks but also managed to piss off their biggest backer and benefactor, China. China’s addiction to bootlegged software left its systems among the hardest hit.
60%
The Russian attack, insurers concluded, qualified as an act of war; while no lives were lost directly that June, it was a demonstration of how a stolen NSA weapon and some cleanly written code could do as much damage as a hostile military force.
60%
Two years later, Ukraine was still picking through the rubble. “The question we should all be asking ourselves,” he continued, “is what they will do next.”
60%
Smith pointed to the nonstop cyberattacks. Data breaches had become so commonplace that we now accepted them as our way of life. Hardly a news cycle went by when we did not hear of some new hack. We were all inured to what happened next: an offer of a year’s worth of free credit monitoring, a weak public apology from a CEO. If the breach was really terrible, he or she might get fired; but more often than not, after a temporary dip in stock price, we all moved on.
60%
“It’s clear where the world is going,” Smith told the crowd of diplomats. “We’re entering a world where every thermostat, every electrical heater, every air conditioner, every power plant, every medical device, every hospital, every traffic light, every automobile will be connected to the internet. Think about what it will mean for the world when those devices are the subject of attack.”
60%
For years the United States had failed to engage in these discussions, in large part because it was the world’s supreme cyber superpower, with offensive capabilities it assumed would take adversaries years, decades even, to develop. But the theft of its tools, and the WannaCry and NotPetya attacks, made clear that the gap was closing. Scores of new nation-states were moving into this invisible battlespace. The United States had, for two decades, been laying the groundwork for cyberwar, and it was now American businesses, infrastructure, and civilians who were bearing the brunt of its ...more
60%
Under Trump, things unraveled much more quickly, in a dimension few Americans could truly grasp. The agreement Obama had reached with Xi Jinping to cease industrial espionage ended the day Trump kicked off his trade war with China. Trump’s abandonment of the Iran nuclear deal—the only thing keeping Iran’s hackers on good behavior—unleashed more Iranian cyberattacks on American interests than ever before. The Kremlin—which had yet to feel much of any pain for its 2016 election interference or its hacks on the Ukraine and U.S. grids—never stopped hacking our election systems, our discourse or ...more
61%
Then I asked him point-blank what responsibility his agency bore for WannaCry, NotPetya, and the attacks now roiling American towns and cities, to which the admiral leaned back and crossed his arms. “If Toyota makes pickup trucks and someone takes a pickup truck, welds an explosive device onto the front, crashes it through a perimeter and into a crowd of people, is that Toyota’s responsibility?” I couldn’t tell if he was being pedantic or if he expected an answer. But then he’d answered it himself. “The NSA wrote an exploit that was never designed to do what was done.” It was the first time ...more
61%
“These exploits are developed and kept secret by governments for the express purpose of using them as weapons or espionage tools. They’re inherently dangerous. When someone takes that, they’re not strapping a bomb to it. It’s already a bomb.”
61%
Symantec’s discovery was clear evidence that even when the NSA used its tools in stealth, there were no guarantees that our adversaries wouldn’t detect them and—like a gunslinger who grabs an enemy’s rifle and starts firing away—turn them back on us. It was another sign that NOBUS—the presumption that “nobody but us” had the sophistication to find and exploit zero-days—was an arrogant one. Not only that, it was obsolete.
61%
but because we had grossly underestimated our enemies.
61%
siphoned cargo ships worth of American intellectual property back to China for Beijing’s state-owned enterprises to rip off.
62%
three years since Xi signed the deal, he had consolidated PLA hacking divisions under a new Strategic Support Force, similar to the Pentagon’s own Cyber Command, and moved much of the country’s hacking operations away from the PLA’s scattershot hacking units to the stealthier and more strategic Ministry of State Security.
62%
Many were not surprised that China would test these tools on its own people first. The question was: How long before Beijing aimed these capabilities at Americans directly?
62%
What the security community witnessed that summer was, in effect, mutually assured destruction in real time.
63%
In fact, Trump said he would welcome interference. Asked point-blank in June 2019 whether he would accept damaging information from a foreign government on an opponent in the future, Trump responded: “I think I’d take it.” And a few weeks later, there were Trump and Putin making light of it all. Asked whether he would tell Putin not to interfere in 2020, Trump had mock-scolded his buddy. “Don’t meddle in the election, President,” he told Putin, wagging his finger with a smile. As for the journalists doing the questioning that day, “Get rid of them,” Trump told Putin, whose tenure oversaw the ...more
65%
Our candidate is chaos.”
65%
With Americans more divided than at any time in recent history, Russia’s trolls and state news outlets found it far more efficient to amplify American-made disinformation than create their own.
65%
With each new campaign, it got harder to pinpoint where exactly American-made disinformation ended and Russia’s active measures began. We had become Putin’s “useful idiots.” And so long as Americans were tangled up in our own infighting, Putin could maneuver the world unchecked.
65%
“The mantra of Russian active measures is this: ‘Win through force of politics rather than the politics of force,’ ” is how Clint Watts, a former FBI agent who specializes in Russian disinformation, explained it to me. “What that means is go into your adversary and tie them up in politics to the point where they are in such disarray that you are free to do what you will.”
67%
For years the United States had been among the stealthiest players in the digital realm, but now we were making a show of our power, letting Russia know that if they dared flip the switch here, we would reciprocate.
67%
The truth is, I do not know if or when we will see the kind of cyber-enabled boom I have been warned about for years. But the analogy to Pearl Harbor is a deeply flawed one. America didn’t see that attack coming; we’ve seen the cyber equivalent coming for a decade. What we are experiencing instead is not one attack but a plague, invisible to the naked eye, that ripples across our country at an extraordinary rate, reaching ever deeper into our infrastructure, our democracy, our elections, our freedom, our privacy, and our psyche, with no end in sight.
67%
American computers are attacked every thirty-nine seconds. Only when there are highly visible mishaps do we pause for reflection.