@War: The Rise of the Military-Internet Complex (34 page)

 

In the wake of the Snowden revelations, Alexander remained defiant. The bad news about weak cyber defenses only bolstered his own argument that the NSA should take a more forceful role protecting the country. At an October 2013 security conference in Washington, DC, sponsored by the military and cyber security contractor Raytheon, Alexander asked for more powers to defend the financial sector, using some questionable technical arguments.
He imagined the NSA having real-time information from the banks so the agency could spot “a cyberpacket that's about to destroy Wall Street” and intercept it like an incoming missile. The term “cyberpacket” had no clear meaning in that context. Presumably Alexander wanted to imply that a sophisticated computer worm or a virus could disrupt financial institutions' computers or the data they house. But the notion that a single packet of data could wipe out Wall Street was absurd. That was like saying a paintball could take out a tank.

The degree to which Alexander was willing to exaggerate the cyber threat and dumb down his own agency's response was a measure of how desperately he wanted public support for his mission, and how threatened he felt. Snowden had helped undermine the case Alexander had been building for years.

FOURTEEN

O
N JANUARY
17, 2014, Barack Obama stood at a lectern in the Great Hall of the Justice Department in Washington to announce his decision on which NSA surveillance and cyber security programs he'd keep and which ones he'd scrap. If America's spies had feared the president would pull them back from the front, they could rest easy after they heard the first words out of his mouth.

Obama began by comparing the employees of the NSA to Paul Revere and the Sons of Liberty, who formed a “secret surveillance committee” to patrol the streets of colonial Boston, “reporting back any signs that the British were preparing raids against America's early patriots.” It was the most full-throated defense of the NSA and US signals intelligence that Obama had ever given. The president had just likened them to the heroes of the American Revolution.

Obama then recounted how spies in balloons had tracked the size of the Confederate army during the Civil War, how code breakers during World War II had provided insights into Japanese war plans, and how “when Patton marched across Europe, intercepted communications helped save the lives of his troops.” It was in that spirit, and in the early days of a new Cold War, that President Harry Truman had created the National Security Agency “to give us insights into the Soviet bloc, and provide our leaders with information they needed to confront aggression and avert catastrophe.”

By the time Obama took the stage, White House officials had already briefed journalists on his intended changes to NSA surveillance. They were minimal. Obama would make some alterations to the controversial program of collating Americans' phone records, namely, storing them somewhere other than in NSA's databases. But he punted to Congress and the attorney general the hard work of figuring out where that storage should be. Eventually, the administration and lawmakers settled on a plan that kept the records with the phone companies but still allowed the NSA access to them for investigative purposes. Obama also afforded some relatively minor privacy protections to foreigners who came under scrutiny from NSA's digital reconnaissance. But by and large, the agency's surveillance powers were left intact.

Obama either rejected or deferred on every substantive recommendation his advisers had given him for reining in the NSA. He had already overruled the proposal to split the leadership of NSA and Cyber Command. Now he dismissed a call by his appointed review panel to strip the agency of its information assurance mission, the work of defending computer systems from cyber attack and exploitation. Had Obama accepted the change, it would have fundamentally altered the NSA's mission, to the point that the organization would be unrecognizable from its previous form.

Obama also rejected the panel's suggestion that he take away the NSA's authority to conduct or assist in operations inside the United States. And the president further rejected calls to make the NSA director a civilian and to subject his nomination to Senate confirmation. NSA director Keith Alexander could rest easy; much of his empire would remain intact, despite the beating he'd taken personally in the press after the Snowden leaks. The general planned to step down in March. To replace him, Obama chose Vice Admiral Michael Rogers, who had been groomed for the job of NSA director and cyber commander. Rogers ran the navy's signals intelligence and its cyber warfare operations. Like Alexander, he was used to wearing two hats.

As for the panel's recommendation that the NSA stop hoarding zero day exploits and undermining encryption standards, Obama said nothing in his speech. A senior administration official later said the president had asked his aides to look into these recommendations and report back to him.
The administration eventually settled on a vague policy that was biased toward disclosing vulnerabilities but keeping secret any information that the government deemed vital to national security. That was a huge exception that could allow the NSA to classify all zero days as essential security tools and keep conducting business as usual. The new policy hardly ended the debate. Effectively, Obama had deferred on this issue as well, and it seemed unlikely that he or his advisers would propose any significant changes.

In practically every way, from operations to personnel, Obama had opted to maintain the status quo. Indeed, his embrace of the historic importance of intelligence to warfare underscored his desire to protect the NSA and keep its mission intact.

The timing of Obama's speech was fitting, if unintentionally so.
On January 17, 1961, exactly fifty-three years earlier, President Dwight Eisenhower had warned in his farewell address to the nation of a “military industrial complex,” whose “total influence—economic, political, even spiritual—is felt in every city, every state house, every office of the federal government.” Eisenhower said the military of the day bore little resemblance to the one in which he served during World War II or that his predecessors in the White House had commanded. “Until the latest of our world conflicts, the United States had no armaments industry,” Eisenhower said, admonishing his fellow citizens to “guard against the acquisition of unwarranted influence, whether sought or unsought,” by an alliance of government and industry, which he saw as a necessary bulwark against the forces of communist tyranny, and yet one that portended “grave implications” if “the potential for the disastrous rise of misplaced power” was not checked. “This conjunction of an immense military establishment and a large arms industry is new in the American experience,” Eisenhower said.

And so is the conjunction of that military establishment with a large Internet technology industry. Until recently, there was no cyber arms industry in the United States. The armed forces didn't view the Internet as a battlefield. Corporations didn't sell protection from spies and hackers. Barack Obama presided over the rise and rapid expansion of an alliance between big military and big business. But unlike Dwight Eisenhower, he sees little cause for dread and foreboding.

 

Eisenhower died eight years after his prescient speech. He correctly predicted the emergence of the military-industrial complex, but even he might not have imagined a day when the market value of top defense contractors exceeds the gross domestic product of many countries and the US Armed Forces rely on contractors to build their weapons, transport soldiers to battle, and even feed them in the war zone. The military-Internet complex will also dramatically change the nature of war and more broadly of cyberspace itself. What will the next decade look like?

For starters, governments won't be the dominant actors, at least not from day to day. That's a fundamental shift in the balance of power since Eisenhower's time, and suggests that his warning has gone unheeded. National governments will set policies and enact laws and regulate security standards that banks, public utilities, and other critical infrastructure will honor (perhaps in the breach). And they will raise cyber armies that train to fight on networks and will eventually become integrated into the full arsenal of national military might. If China, Iran, or another hostile nation ever launches a major attack on a US electrical plant or a bank, the military will respond, both in cyberspace and offline. An attack that causes widespread panic, disruption, or loss of life will be met with resounding force.

But the day-to-day work of defending critical facilities will be the job of corporations, who will perform the task as well if not better than government. Lockheed Martin and its ilk will create a new business in scanning traffic and applying their proprietary methods for detecting malware and hacker activity—methods that will be based on the real-time intelligence they collect from their own, vast global information networks, as well as those of their customers. It will be a kind of crowdsourcing. Similarly, companies such as CrowdStrike and the newly merged Mandiant and FireEye will promise to protect their customers' networks from prospective threats, the same way we expect security guards to keep intruders out of our homes and office buildings, not just to investigate the invasion after it happens.

The military-Internet complex is like its industrial predecessor insofar as the government has always outsourced national security to some degree. The military doesn't build weapons and defenses, it pays companies to do that, and it has since the founding of the republic. But the government has always had a monopoly on the use of force. And that's where the military-Internet complex takes a screaming turn off the road of history. Corporations' intelligence-gathering capabilities are as good if not better than the government's. They are designing threat signatures and discovering zero days, and they employ them for their own purposes. For all the emerging, menacing power that Eisenhower saw in the military-industrial complex, he didn't predict that corporations would compete with government in the conduct of hostilities.

The market is ripe for sophisticated and reliable cyber security technologies and tactics. With every revelation of a high-profile data breach, particularly those like the Target credit and debit card theft in 2013 that affected nearly a third of the US population and captured headlines for weeks, more companies will become desperate to prevent losses. Federal authorities notified more than three thousand companies in 2013 that their networks had been hacked—a huge number, but likely only a small fraction of the real total. Those were just the intrusions that the government had noticed or been tipped to by security companies. The owners of critical infrastructure are in an especially precarious position. In December 2013, Ernest Moniz, the secretary of energy, said that the majority of “cyberattacks” in the United States that year had been directed at energy infrastructure, which includes the companies that own and operate the electrical grid and that control oil and natural gas production and distribution.
So far, those attacks have consisted of attempted intrusions into the networks that run energy facilities or the computers in their owners' corporate offices. But, Moniz said, “there's no question” that the United States will suffer a major attack that threatens to bring down part of the power grid. “There is certainly not an ‘if' when it comes to cyberattacks. I am not willing to concede on bringing the grid down. But that's the race we are in to try to shore up our defenses. . . . We have a lot of work to do.”

The government is certainly in that race, and there are things it can do to help companies keep up: share more specific, useful intelligence about where the threats are coming from; pressure Internet service providers to deny access to known hostile sources; and ultimately take offensive measures to repel an imminent attack, if it can be detected. Not all of these solutions would require new legislation. An administration could take them on as a matter of executive policy. But energy companies, just like companies that are less central to a functioning economy, would still be largely on their own when it comes to fending off the intruders who are at their gates every day, threatening to breach their defenses. There are simply too many networks spread out over too big a geographic area for the government to protect them all, even if Keith Alexander's master plan of installing a sensor in every bank's network came to pass.

The adversaries aren't relenting. From September 2013 to March 2014 there were more than three hundred denial-of-service attacks against banks, like the ones attributed to Iran that crashed websites and ignited so much panic in the financial sector. The government is well aware of the attacks—the three hundred figure came from the NSA, which tracks them.
If companies are going to protect themselves, they'll have to share some information with the government about what's happening on their networks. But they have a bigger incentive to take their security into their own hands and defend themselves.

Eventually, strong security will be a selling point, a feature that banks, Internet service providers, and other companies that handle personal information use to lure customers, the same way that automakers promote airbags and antilock brakes. In fact, it's already happening. American Express, which has long sold itself not so much as a credit card but as a members-only club whose annual fee affords particular benefits (status, higher spending limits), launched a series of television and web ads in 2013 touting its “intelligent security” system, which sends alerts to customers' mobile phones the moment Amex spots a suspicious charge that might indicate fraud. One ad shows a trim, well-dressed city dweller walking beneath surveillance cameras, past the security guards in his elegant apartment lobby, and next to speeding police cars as a narrator asks, “But who looks after us online, where we spend more than two hundred billion dollars a year?” Answer: American Express does, with an algorithm that learns your personal spending patterns and spots anomalies. (The narrator, incidentally, is actress Claire Danes, who plays a CIA agent obsessed with stopping another terrorist attack in the United States in the Showtime series
Homeland
.)