@War: The Rise of the Military-Internet Complex (32 page)

About the only thing that Lockheed can't do—legally—is to break in to other computer systems to gather intelligence. That's still the NSA's domain. But the company has its eyes on the same foreign adversaries as the government. In the NexGen Center's primary command center, clocks on the wall show the time in all the countries where Lockheed has a cyber monitoring station—and also the time in Beijing. The company has collected seven years' worth of information on advanced persistence threat campaigns, and analysts have access to all of it. A huge monitor on the forward wall shows all the campaigns Lockheed is tracking around the world, mostly gleaned from attempted intrusions into its own networks, which include three million Internet addresses at nearly six hundred locations in sixty countries. The bigger a target a company is, the bigger a source for information it becomes. Selling to the government is still the company's primary business, accounting for more than 80 percent of its $47.2 billion in sales in 2012. But in 2011, Lockheed expanded into the commercial sector, Croom says, focusing on technology services for the top 200 of the Fortune 500, with an emphasis on critical-infrastructure operators. And the company wants to open another cyber center in the Middle East to take advantage of a growing regional appetite for network surveillance and security.

 

Lockheed is hardly the only company taking cyber defense into its own hands. Since the attacks on bank websites in 2012, US financial institutions have been setting up their own cyber intelligence units. (Some of them are undoubtedly Lockheed's customers.) Their efforts were under way before the terrifying traffic floods caused so much disruption, and they have accelerated. Today most large banks in the United States employ cyber security personnel trained to detect vulnerabilities in software and network configurations, analyze malware to understand how they work and what they're designed to do, and respond to intrusions. Among the main pools of talent for the banks are the US military and intelligence agencies.

The former chief information security officer for Bank of America was previously a senior technology official in the Office of the Director of National Intelligence who began his career as a cryptologic linguist in the air force. The chief information security officer at Wells Fargo served for twenty years in the navy, including stints as an information warfare officer, and later worked for the FBI. The chief information risk officer for JPMorgan Chase never worked in government, but he worked for a year at SAIC, which is largely supported by intelligence agency contracts and is often called “NSA West.” And he worked for a year at Booz Allen Hamilton, which is one of the top cyber security contractors for the federal government and where former NSA director Mike McConnell hangs his hat.

“Within a couple of years, all the guys in cyber who've got game will be working for the banks. They'll lock down their networks and only share information among themselves,” says a former military intelligence officer who was part of the 2007 cyber offensive in Iraq and later went to work for a large defense contractor.

According to experts, the banks have aggressively hired military and intelligence employees who've been trained in government to the highest standards but who can double or even triple their salaries working in the private sector. Banks are also becoming bigger buyers of zero day vulnerabilities and exploits from private security researchers, which have usually counted the NSA as their biggest customer. A security expert with close ties to sellers of zero day exploits says the banks are amassing cyber weapons in the event that they feel compelled to retaliate against the attackers.
If a “private” cyber war ever breaks out, it will probably be launched by a bank.

But financial services companies aren't the only ones setting up their own defense operations. The list of companies that employ a senior-level information security officer, with an executive title such as vice president or chief, includes Johnson & Johnson, T-Mobile USA, Automated Data Processing (the payroll services company), Coca-Cola, Intel, AstraZeneca, eBay, FedEx, and hundreds more. When companies can't provide adequately for their own defense, they hire outside help, and that segment of the security market is growing. In its 2012 annual report to shareholders, Lockheed Martin said it was “facing increased competition, particularly in information technology and cyber security . . . from non-traditional competitors outside of the aerospace and defense industry.” It was a veiled reference to upstart security companies such as CrowdStrike, Mandiant, and Endgame, which are building their own sources and methods of intelligence collection and analysis.

Companies find themselves at the dawn of a new era in private cyber security. “We've already got the cyber equivalent of the Pinkerton Guards,” says Mark Weatherford, the former top cyber security official at the Homeland Security Department.
Like many security experts, Weatherford worries that some firms aren't solely devoted to defense, and that they'll cross the line into hacking back in order to repel spies and attackers. He draws a distinction between hacking back and making it more difficult for an intruder to steal data from a target's network. Planting honeypots, or even tricking intruders into bringing malware-laden documents back onto their own systems, is arguably still on the defensive side of the line. “But actually reaching into that network, attacking it, that's a bridge I don't want to cross,” he says.

Within a few years Weatherford expects to see more companies develop the capability to filter traffic on behalf of their customers, effectively becoming cyber sentries. That model is already taking shape through the government's program of passing classified threat signatures to Internet service providers. Part of Obama's 2013 executive order to beef up critical-infrastructure security calls on the government to “provide guidance” to companies on what commercially available products and services they could buy that meet approved standards for defense. It's another example of the government fueling the growth of private cyber security, a trend that's probably unavoidable and maybe even preferable to the government monopolizing this realm.

“The government will never be as responsive as the private sector,” Weatherford says. Businesses may be better off fending for themselves.

 

As companies take up the mantle of national cyber defense, they're influencing the course of US government policy. On February 18, 2013, the computer security firm Mandiant released an unprecedented report about Chinese cyber spying that publicly named the People's Liberation Army as the source of pervasive and relentless espionage against the United States.
That was a direct accusation that no government official had been willing to make on record. Mandiant's report was extraordinarily detailed. It gave the physical address where the hackers were located. It even included a photo of their office, a beige twelve-story building in the Pudong New Area of Shanghai. Based on the size of the building—more than 130,000 square feet—as well as public statements from Chinese officials, Mandiant estimated that hundreds and perhaps thousands of people worked there.

Mandiant focused on just one group out of the approximately twenty it had been following for years. The hackers were housed within China's equivalent of the National Security Agency. Dubbed APT1 by Mandiant, the hackers worked in the Second Bureau of the People's Liberation Army General Staff Department's Third Department, more commonly known by a numerical designation, 61398. The General Staff Department is analogous to the US Joint Chiefs of Staff, and the Third Department handles signals intelligence and computer attack and exploitation. Mandiant called APT1 “one of the most persistent of China's cyber threat actors.”

Mandiant, a company that had been founded less than ten years earlier by an ex–air force computer-forensics expert, had just set off a bomb in one of the most delicate and thorny areas of US foreign policy. The report was greeted as a revelation. Not just because it named Chinese hackers so specifically—something no investigators, private or governmental, had been willing to do—but also because the information was so precise. The report ran seventy-four pages. It illuminated a vast infrastructure of spying, comprising 937 servers, or “listening applications,” hosted on 849 distinct Internet addresses, the majority of them registered to organizations in China but more than 100 in the United States. The investigators found websites that the hackers had set up to look like legitimate news sites, such as
CNN.com
, but that were actually used in coordination with APT's intrusions. Mandiant named individual hackers, including one who went by the handle Ugly Gorilla, and who had years earlier identified himself in an online chat about Chinese cyber warfare with a leading computer science professor who wrote a seminal book on China's “network warfare.” Mandiant used forensic evidence to link certain hackers to one another and was confident that some of them not only knew one another personally but probably worked in the same office. The report even gave lessons in Chinese hacker slang, such as “meat chicken,” which meant an infected computer.

Mandiant also concluded that the Chinese cyber force was “directly supported by linguists, open source researchers, malware authors,” and “industry experts.” There was likely a staff that purchased and maintained computer equipment, as well as people to handle finances, facility management, and logistics and shipping. In other words, it was a highly organized bureaucracy, not unlike a US government agency.

The details in the Mandiant report were of a kind one normally expects to find in a classified government intelligence document. That was another reason it was so significant. The report showed that private investigators could collect and analyze information as effectively as a government spy agency, if not more so. That was partly a testament to Mandiant's technical prowess. But it also revealed something about the nature of cyberspace. In an uncontrolled environment, in which hackers can move about on a collective, networked infrastructure, there really are no secrets. With enough training and the right tools, a private sleuth can track a hacker as well as a government spy or a military operative can. Mandiant's report not only blew the lid off China's cyber spying, it belied the notion that only the government was prepared to do battle in cyberspace.

The effects of Mandiant's report were swift and far-reaching. Chinese officials issued their usual denials, calling allegations of government-directed espionage unfounded. Less than a month later, the US national security adviser, Tom Donilon, put Beijing on notice in a major speech, in which he called Chinese cyber espionage “a growing challenge to our economic relationship with China” and a “key point of concern and discussion with China at all levels of government.”
There'd been closed-door talks between both sides, in which US officials demanded that China stop its aggressive operations. Now those discussions were out in the open. Donilon's remarks were the first public statement by a White House official directed at Chinese cyber spying. The problem had “moved to the forefront of [the administration's] agenda,” Donilon said, calling for action by the Chinese government to address “the urgency and scope of this problem and the risk it poses—to international trade, to the reputation of Chinese industry, and to our overall relations.” That was the first time the Americans had demanded China to address cyber espionage. “Beijing should take serious steps to investigate and put a stop to these activities,” Donilon said, and “engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace.”

The Obama administration had finally thrown down the gauntlet. And Mandiant helped them do it. As with Google's revelation about Chinese spying after the Aurora operation, senior US officials had an opening to talk about a problem that had been quietly vexing them for years. Mandiant's report provided them with a detailed and, most important, an unclassified document from which to draw specific allegations. The government would never have been so bold as to come out with such a report.

 

Mandiant's findings landed with a shock. But the report's publication was a carefully crafted event, played for maximum media attention and coordinated with the government. As early as October 2012, after years of collecting information on Chinese spies, Mandiant executives considered writing a public report about its findings. “We decided it was an interesting idea, and we should go forward,” says Dan McWhorter, Mandiant's managing director in charge of threat intelligence.
But the company initially figured it would write a short brief, nothing like the seventy-four-page indictment it eventually issued. That plan began to change in November, after Mandiant got a call from the
New York Times.
Not from a reporter asking for an expert comment on a story. This was a call for help. The
Times
believed it had been hacked, and it wanted Mandiant to investigate.

Mandiant's forensic analysts found that Chinese spies had overrun the newspaper's networks and were spying on more than sixty employees, including a reporter in China working on an exposé of political corruption and influence at the highest levels of the government.
The spies tried to mask their identities by routing traffic through hijacked computers at US universities in North Carolina, New Mexico, Arizona, and Wisconsin, a technique Mandiant had seen in other espionage campaigns it traced to China. The spies gained access to a computer on the
Times
's network, and they were eventually able to steal passwords and get access to fifty-three employees' personal computers, most of them outside the newsroom. The hackers were part of a group that Mandiant had already been tracking, which the company dubbed APT Number 12. From the
Times
, they apparently wanted more details about a lengthy article the paper was planning to run on Chinese prime minister Wen Jiabao's relatives, and how they used their political connections to make billions of dollars in shadowy business deals. Mandiant had also found evidence that Chinese spies stole information from more than thirty journalists and executives at other Western news outlets, including their e-mails, contact information for sources, and files. What's more, the spies had gone after specific journalists again and again. At the
Times
, it was later revealed, the spies built custom malware to break in to the e-mail account of Jim Yardley, then the paper's South Asia bureau chief, who worked in India and had previously run the Beijing bureau. They also targeted David Barboza, the Shanghai bureau chief, who wrote the article on Prime Minister Wen, for which he later won the Pulitzer Prize. The
Washington Post
and the
Wall Street Journal
had also been penetrated by Chinese cyber spies, subsequent investigations showed.