Authors: Fred Kaplan
“They exploited your system,” McConnell said. “What if they'd destroyed it?”
“That would have been problematic for me,” Obama replied.
“Imagine,” McConnell went on, warming up to his theme, “that they could destroy our critical infrastructure.”
Obama, seeing where the director was headed, said, as if completing his sentence, “That would be problematic for the nation.”
“That's the danger,” McConnell said, and then he stepped into his well-rehearsed summation of the nation's vulnerabilities and the ability of many powers, not just China, to exploit them.
At its conclusion, Obama told McConnell to come see him again in the first week of his presidency.
In fact, McConnell next saw Obama in his transition office, on December 8, midway between his election-night victory and inauguration day. He brought with him his aide, Melissa Hathaway, who briefly outlined the Comprehensive National Cybersecurity Initiative that she'd written for Bush but that hadn't yet been implemented. Obama told her to start thinking about a sixty-day review of U.S. cyber policy.
The review hit a slight delay. Cyber was hardly the most urgent issue on the new president's agenda. He first ordered another campaign aide, a former CIA analyst named Bruce Riedel, to write a sixty-day review of U.S. policy in Afghanistan. Then there was the matter of solving the banking crash, the collapse of the auto industry, and the worst economic crisis since the Great Depression.
Still, on February 9, just three weeks into his term, not too far behind schedule, Obama publicly announced the sixty-day cyber review and presented Hathaway as its chair.
It took longer than sixty days to complete—it took 109 days—but on May 29, she and her interagency group issued their seventy-two-page document, titled Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure.
It read uncannily like the reports, reviews, and directives that had come before it, and even referred to several of them by name, among them Bush's NSPD-54 and his National Strategy to Secure Cyberspace, the Marsh Report, a few Defense Science Board studies, and Senator Nunn's hearings. There was little new to say about the subject; but few of the old things had ever been officially adopted, so no one had heard of them—outside the coterie of experts who'd been following the cycles for years or decades—and it was, therefore, no redundancy for Hathaway to re-recite the same old problems and remedies.
Once again, then, there was the preface noting the ubiquity of cyberspace, its “strategic vulnerabilities,” the “great risks” posed to “critical infrastructure” and “sensitive military information.” There was the bit about the “overlapping authorities” among federal agencies, the need for a “national dialogue,” an “action plan” for “information sharing” with “public-private partnerships,” and, finally, the proposed appointment of a “cybersecurity policy official” in the White House—a position that Hathaway assumed she would hold, just as Dick Clarke designated himself the “national coordinator” in a similar document for Bill Clinton.
But from the outset, Hathaway ran into obstacles. White House staffers disdained her as “prickly” and “sharp-elbowed,” diatribes commonly hurled at women—Hathaway was blond, attractive, and barely forty—for behavior that would be tolerated as merely aggressive, or even normal, possibly admirable, in men. Hathaway's elbows were certainly less sharp than Clarke's, but Clarke was a master of office politics, cultivating protectors at the highest echelons and allies throughout the bureaucracy. Hathaway had only one protector, Mike McConnell, and when Obama replaced him in the first week of his presidency, she was left with no cover.
There was another problem, one that Clarke had also faced. Hathaway's review noted that private companies owned most of the pathways of cyberspace and thus must “share the responsibility” for its security—a line that triggered reflexive fears of government regulation, still the nastiest word in the book among the executives of Silicon Valley. Obama's brash economic adviser, Lawrence Summers, took industry's side in this dispute, insisting that, especially during what had come to be called the Great Recession, the engines of economic growth must not be constrained. (As Clinton's treasury secretary, Summers had been Clarke's bête noire when he tried to push for regulations, as well.)
Between the prominence of economic concerns and her own bureaucratic isolation, Hathaway and her portfolio took a tumble. She was gone by August and sidelined well before then.
Yet Obama didn't ignore Hathaway's concerns. On May 29, the same day that she released her review, he spoke for seventeen minutes in the East Room of the White House on cyberspace, its central place in modern life, and “this cyber threat” as “one of the most serious economic and national security challenges we face as a nation.”
He spoke not just from a script but also from personal experience. Born in 1961, near the end of the baby boom (unlike Bush and Clinton, who were born fifteen years earlier, at the boom's onset), Obama was the first American president who surfed through cyberspace in his daily life. (When the Secret Service demanded that he give up his BlackBerry for security reasons, Obama resisted; as a compromise, the NSA Information Assurance Directorate built him a one-of-a-kind BlackBerry, equipped with state-of-the-art encryption, shielding, and a few other highly classified tricks.) And he was the first president whose campaign records had been hacked by a foreign power. Obama understood the stakes.
But something else stirred his concerns. A few days before inauguration day, President Bush had briefed him on two covert operations that he hoped Obama would continue. One concerned secret drone strikes against al Qaeda militants in Pakistan. The other involved a very tightly held, astonishingly bold cyber offensive campaign—code-named Operation Olympic Games, later known as Stuxnet—to delay and disable what seemed to be a nuclear weapons program in Iran.
Coming so soon after Mike McConnell's briefing on America's vulnerability to cyber attacks, this disclosure switched on a different light bulb from the one that had flashed in the heads of presidents, senior officials, and advisers who'd been exposed to the subject in the decades before. It was the obverse of the usual lesson: what the enemy might someday do to us, we can now do to the enemy.
I. In the late 1990s, when he started researching the vulnerability of infrastructure, Richard Clarke learned that 80 percent of global Internet traffic passed through just two buildings in the United States: one, called MAE West (MAE standing for Metropolitan Area Exchange), in San Jose, California; the other, MAE East, above a steakhouse in Tysons Corner, Virginia. One night, Clarke took a Secret Service agent to dinner at the steakhouse, after which they took a look at the room upstairs. (He brought the agent along to avoid getting arrested.) They were both shocked at how easily a saboteur could wreak devastating damage.
GEORGE W. BUSH personally briefed Barack Obama on Olympic Games, rather than leave the task to an intelligence official, because, like all cyber operations, it required presidential authorization. After his swearing-in, Obama would have to renew the program explicitly or let it die; so Bush made a forceful plea to let it roll forward. The program, he told his successor, could mean the difference between a war with Iran and a chance for peace.
The operation had been set in motion a few years earlier, in 2006, midway through Bush's second term as president, when Iranian scientists were detected installing centrifuges—the long, silvery paddles that churn uranium gas at supersonic speeds—at a reactor in Natanz. The avowed purpose was to generate electrical power, but if the centrifuges cascaded in large enough quantities for a long enough time, the same process could make the stuff of nuclear weapons.
Vice President Cheney advocated launching air strikes on the Natanz reactor, as did certain Israelis, who viewed the prospect of a nuclear-armed Iran as an existential threat. Bush might have gone for the idea a few years earlier, but he was tiring of Cheney's relentless hawkishness. Bob Gates, the new defense secretary, had persuaded Bush that going to war against a third Muslim country, while the two in Afghanistan and Iraq were still raging, would be bad for national security. And so Bush was looking for a “third option”—something in between air strikes and doing nothing.
The answer came from Fort Meade—or, more precisely, from the decades-long history of studies, simulations, war games, and clandestine real-life excursions in counter-C2 warfare, information warfare, and cyber warfare, whose innovations and operators were now all centered at Fort Meade.
Like most reactors, Natanz operated with remote computer controls, and it was by now widely known—in a few months, it would be demonstrated with the Aurora Generator Test at the Idaho National Laboratory—that these controls could be hacked and manipulated in a cyber attack.
With this in mind, Keith Alexander, the NSA director, proposed launching a cyber attack on the controls of the Natanz reactor.
Already, his SIGINT teams had discovered vulnerabilities in the computers controlling the reactor and had prowled through their network, scoping out its dimensions, functions, and features, and finding still more vulnerabilities. This was digital age espionage, CNE—Computer Network Exploitation—so it didn't require the president's approval. For the next step, CNA, Computer Network Attack, the commander-in-chief's formal go-ahead would be needed. In preparation for the green light, Alexander laid out the rudiments of a plan.
In their probes, the NSA SIGINT teams had discovered that the software controlling the Natanz centrifuges was designed by Siemens, a large German company that manufactured PLCs—programmable logic controllers—for industrial systems worldwide.
The challenge was to devise a worm that would infect the Natanz system but no other Siemens systems elsewhere, in case the worm spread, as worms sometimes did.
Bush was desperate for some way out; this might be it; there was no harm in trying. So he told Alexander to proceed.
This would be a huge operation, a joint effort by the NSA, CIA, and Israel's cyber war bureau, Unit 8200. Meanwhile, Alexander got the operation going with a simpler trick. The Iranians had installed devices called uninterruptible power supplies on the generators that pumped electricity into Natanz, to prevent the sorts of spikes or dips in voltage that could damage the spinning centrifuges. It was easy to hack into these supplies. One day, the voltage spiked, and fifty centrifuges exploded. The power supplies had been ordered from Turkey; the Iranians suspected sabotage and turned to another supplier, thinking that would fix the problem. They were right about the sabotage, but not about its source.
Shutting down the reactor by messing with its power supplies was a one-time move. While the Iranians made the fix, the NSA prepared the more durable, devastating potion.
Most of this work was done by the elite hackers in TAO, the Office of Tailored Access Operations, whose technical skills and resources had swelled in the decade since Ken Minihan set aside a corner of the SIGINT Directorate to let a new cadre of computer geeks find their footing. For Olympic Games, they took some of their boldest inventions—which astounded even the most jaded SIGINT veterans who were let in on the secret—and combined them into a single super-worm called Flame.
A multipurpose piece of malware that took up 650,000 lines of code (nearly 4,000 times larger than a typical hacker tool), Flame—once it infected a computer—could swipe files, monitor keystrokes and screens, turn on the machine's microphone to record conversations nearby, turn on its Bluetooth function to steal data from most smart phones within twenty meters, among other tricks, all from NSA command centers across the globe.
To get inside the controls at Natanz, TAO hackers developed malware to exploit five separate vulnerabilities that no one had previously discovered—five zero-day exploits—in the Windows operating system of the Siemens controllers. Exploiting one of these vulnerabilities, in the keyboard file, gave TAO special user privileges throughout a computer's functions. Another allowed access to all the computers that shared an infected printer.
The idea was to hack into the Siemens machines controlling the valves that pumped uranium gas into the centrifuges. Once this was accomplished, TAO would manipulate the valves, turning them way up, overloading the centrifuges, causing them to burst.
It took eight months for the NSA to devise this plan and design the worm to carry it out. Now the worm had to be tested. Keith Alexander and Robert Gates cooked up an experiment, in which the technical side of the intelligence community would construct a cascade of centrifuges, identical to those used at Natanz, and set them up in a large chamber at one of the Department of Energy's weapons labs. The exercise was similar to the Aurora test, which took place around the same time, proving that an electrical generator could be destroyed through strictly cyber means. The Natanz simulation yielded similar results: the centrifuges were sent spinning at five times their normal speed, until they broke apart.
At the next meeting on the subject in the White House Situation Room, the rubble from one of those centrifuges was placed on the table in front of President Bush. He gave the go-ahead to try it out on the real thing.
There was one more challenge: after the Iranians replaced the sabotaged power supplies from Turkey, they took the additional precaution of taking the reactor's computers offline. They knew about the vulnerability of digital controls, and they'd read that surrounding computers with an air gap—cutting them off from the Internet, making their operations autonomous—was one way to eliminate the risks: if the system worked on a closed network, if hackers couldn't get into it, they couldn't corrupt, degrade, or destroy it, either.