“We are dropping cyberbombs. We have never done that before,” or so said the US deputy secretary of defense Robert O. Work last month. He was describing in the most explosive terms yet the new combat operations in the Pentagon’s campaign against ISIS, following previous statements from Secretary of Defense Ash Carter and President Obama. But while the Pentagon may be breaking new ground by publicly discussing a cyber offensive operation, this isn’t the first time it has deployed one. As the journalist Fred Kaplan documents in his recent book, Dark Territory: The Secret History of Cyber War, covert cyber tools have played a part in wars around the world for decades.
Dark Territory traces the beginnings of cyber warfare to the US military’s creation of a digital communication network, ARPANET. This network was the first of its kind, and contained many unintentional but inherent vulnerabilities that would later be passed on to the Internet. As such networks expanded globally, the US pioneered electronic countermeasures designed to intercept, disrupt, or sever communications links. Among the US’ varied targets were the Soviet Union’s command and control networks, Haiti’s air defense system (by way of its commercial phone network) in 1994, and the computers of Iraqi insurgents in 2007, in order to lure them to their deaths. Shadowing each of these actions—and underpinning the whole book—is an early computer scientist’s prescient warning that anything the US does could also happen to the US, where technological networks are more prevalent than anywhere else. The consequences of cyber offensive activities may be difficult to predict or control, with vital infrastructure like power supplies and water treatment plants all possibly at stake.
No stranger to the halls of power, Fred Kaplan has written extensively about military strategy and foreign policy and won a Pulitzer Prize for a Boston Globe piece about nuclear war. But Dark Territory was a new foray into the world of cyber intelligence. In researching the book, he went about “building a pyramid” of insider sources, including six out of eight living NSA directors. He told me one source would vouch for him to another, who might in turn look to the tone of his national security column at Slate for reassurance. Most of these sources demanded anonymity, and their specific contributions are not directly cited. But they must have seen value in his argument that cyber war needs the same public examination as the advent of the atomic bomb, in which a wide range of academic disciplines tried to figure out the meaning of this new weapon.
The book is packed with stories, and when I met Kaplan at 9:30 one morning this spring in his publisher’s office on Sixth Avenue, he sipped a Diet Coke and responded to many of my questions with anecdotes. One of his favorites is the tale that opens the book, about how the 1983 movie WarGames (in which Matthew Broderick plays a teenage tech prodigy whose hacking exploits almost trigger World War III) captivated Ronald Reagan and led to the first White House policy statement on computer security. He revels in the moments in which films influence or even foretell national policy, finding that 1992’s Sneakers had a similarly outsize impact on the NSA. It remains to be seen whether Oliver Stone’s forthcoming biopic of Edward Snowden will have the same effect.
Henry Peck for Guernica Daily
Guernica: Where do you think cyberspace lies? Is it a civilian or military realm?
Fred Kaplan: It’s become hard to distinguish. You now have people in the defense department talking about cyberspace as a domain of battle, along with land, air, space and sea. Internet purists say, we are not a domain, this is a space for free exchange of ideas. But the World Wide Web is not a metaphor, it’s almost an impermeable hole, and they do rustle up against each other.
Guernica: If cyber can be considered a ‘domain of battle’, shouldn’t it also be subjected to the same controls we place on those domains, like the laws of war?
Fred Kaplan: Yes, you’d think. The title of the book, “Dark Territory”, comes from a story that former Secretary of Defense Robert Gates told me. When he first got to the Pentagon, he was getting briefings every day about cyber intrusions. He knew that we were doing the same to other countries, and he told some of his associates that the major cyber powers should get together and work out some rules of the road. Even at the height of the Cold War the Russians and the Americans had some rules, for example, we didn’t kill each other’s spies — which is something. There’s nothing like that in cyberspace. There should be rules that there shouldn’t be cyber-attacks on critical infrastructure: transportation, electric power plants, dams, except maybe in war, and maybe not even then. And then he said, “because we’re wandering in dark territory here.” It’s a term of art in North American railroads to signify stretches of track that are ungoverned by signals. That’s really what it is: there are no rules of the game, there is no ‘cyber convention’ which says here are targets that are not to be meddled with.
Guernica: To what extent did the US usher this era of cyber warfare into being?
Fred Kaplan: Well, we have. Would it have happened anyway? Probably, because everybody is engaging in this kind of espionage, and when digital technology comes along, you’re going to switch from radio signals to digital packets [the transition from transmitting signals over the airwaves to sending communications through digital links and networks]. When I was doing the very early stage of research on this [book], I was going over with a guy who was very high in the intelligence world some study that was done in the early 1990s about where we’re vulnerable, and laying out scenarios about what could happen. And he said, you have to realize that we were doing all these scenarios to other nations already, and at some point somebody said, oh—what we’re doing to them they might also do to us someday. So it all started with us. We do Stuxnet [a sophisticated computer virus targeting Iran’s nuclear program in 2009/2010] to the Iranians, where we hacked into the computer systems that controlled the speed at which their centrifuges were spinning, enriching uranium. They found out about it. About a year later, they unleash something that was called the “Shamoon” virus, against the Arab American Oil Company, ARAMCO, melting all 30,000 hard drives and putting up on everybody’s computer screen an image of a burning American flag, just to show us, “oh, we can do this too.”
Guernica: Then does the responsibility lie with the US to set the precedent, establish the law and norms? Why haven’t we made more progress — or do we get the cyberspace we deserve?
Fred Kaplan: There have been some very preliminary discussions about maybe creating a forum to talk about this problem. And that’s just with the Chinese. I mean, are we going to be able to do that with the Russians? Now you’ve got Iran, the Syrian Electronic Army, North Korea — a serious dialogue about this with North Korea? There are about twenty countries whose militaries have explicit cyber units in them. A lot of people can do this. North Koreans, they don’t have a lot of people doing it, but they have contractors in Singapore and Thailand, the organization that’s been called “Dark Seoul”, that do it for them. It’s not rocket science. It’s not uranium enrichment. It’s something that the best people doing it didn’t go learn how to do in college. They invented it. And it’s out there now.
Guernica: Right, and it will only grow. Despite the difficulty of measuring physical damage, if cyber operations are considered to fall within the realm of armed conflict, can you apply existing international humanitarian law, such as the Geneva Conventions?
Fred Kaplan: Well, I don’t think anything has been done with cyber tools so far that violates the Geneva Convention. Even meddling with Iranian centrifuges.
Guernica: Then have any cyber wars technically happened?
Fred Kaplan: It depends how you define the term. Let me give you an example: during the Iraq war, in 2007, the tide of war started turning in the US and Iraqi government’s direction. And you know, it’s been thought that part of this was due to the troop surge, part of it was due to General Petraeus and his new counterinsurgency strategy, but it turns out that cyber also played a role. The NSA over a period of years sent 6,000 of their own analysts to the battlefield. Twenty-two NSA analysts were killed doing some of these operations, involving capturing insurgent computers, hacking into them, finding the passwords, finding email lists, figuring out their language, working with linguists to learn how to speak in their terms. And they would send out phony emails to the list of insurgents, saying, “let’s meet at such and such a place tomorrow at three o’clock.” When they all assembled there, there’d be special operations forces waiting for them and they killed them. In the year 2007, about 4,000 insurgents were killed in this manner. That’s cyberwar. Did cyber weapons kill people? Maybe. It certainly assisted in tracking them down and luring them to a place where they could be killed. It was part of the war, these were combatants fighting, it wasn’t luring innocent men, women and children.
Guernica: What is there to prevent this practice from inflicting civilian damage?
Fred Kaplan: It does interfere with the civilian economy. Russians recently shut down electricity in Western Ukraine. Why did they do that? Because the Ukrainian government was shutting off the power supply to the Crimea. What do you know, it turns out that a lot of the power from Crimea comes through Ukraine, because they are part of Ukraine. And that’s where the danger comes in. With nuclear weapons, there’s a very bold red line between using nukes and not using nukes. People have been tempted at times to use really small nukes for some momentary, military advantage, but they haven’t because they know where this could escalate. With cyber-attacks, there are cyber-attacks of one sort or another going on all the time. Where is this line between nuisance and severe danger to national security? No one has defined it. Different countries might define it in different ways. What was the first time that a president of the United States said, we are going to retaliate to this cyber-attack? It was when North Korea hacked into Sony Pictures. Now who would have predicted that! Each country doesn’t know how the other categorizes different kinds of attacks. A bank gets attacked — is that a danger to national security? No. What if five banks, what if six, what if ten banks get attacked all at once? What if power were shut down in New York City? Is that ConEd’s problem, or is that a national security problem to be responded to? Nobody knows. You kind of know that if I invade a country, they’re going to fight back. If I launch a nuclear weapon on a country, they’re going to retaliate. If I launch a major cyber attack on something, what happens? It’s going on all the time and we don’t know when we’re rubbing up against each other’s vital interests.
Guernica: But there have been efforts. The Tallinn Manual, the academic-led study on the international law applicable to cyber warfare, is noticeably absent from your book.
Fred Kaplan: Well, you’re right. I probably should have done something on that. It doesn’t have quite the same force as international law. There’s a story that’s not in my book, where somebody in the Clinton administration proposed a covert operation, and the White House counsel said, ‘well, this violates international law’. And Vice President Gore — this is early on in the Clinton administration, he was mainly the guy dealing with international stuff — said, well of course it violates international law, that’s why it’s a covert operation. That’s why all cyber offensive operations, of which there have been many from our side, are top secret special action projects — because, if anyone ever looked at what they did, they might violate international law. So the Tallinn agreement is there, and it’s a nice thing to have, but whether people pay attention to it in a crunch is another matter.
Guernica: Do you have a sense of the NSA’s ratio between offensive and defensive programs?
Fred Kaplan: The ratio will always favor the offense. Here’s why: the NSA is mainly brilliant mathematicians, coming up with algorithms and solutions to problems, and for many years, the assumption was we will find a formula for which we can create the ultimate black box, that nobody can get into. And they thought they had an answer when they figured out all you have to do when you have a computer is take it off the Internet so nobody can get in, an “air gap,” they called it. But then they figured out how to skip over the air gap, with things like thumb drives with malware on them. And it was about eight years ago that they realized: “you know, there is no ultimate solution to this problem. It doesn’t mean that you shouldn’t keep trying to build better locks, but if somebody really wants to get in, and knows how, and has the resources of a nation state, they’re going to get in.”
But then they figured, “well, how do we defend?” And that’s when things got kind of dangerous, because, what’s the best way to guard against an attack? Well, we need to get inside the other guys’ networks to see what they’re doing, to see whether they’re planning an attack. And so they came up with three acronyms for different kinds of activity. There was CND, Computer Network Defense; there was CNA, Computer Network Attack; but in the middle there was something called CNE, Computer Network Exploitation, and that is getting inside the other networks, it’s cyber espionage. But that is only one step away from Computer Network Attack. Everybody is crawling into everybody’s networks, and for good reason: we just want to see what you’re doing! In some ways it’s no different from having spies, and there’s nothing prohibitive about having spies, it’s an ancient tradition between states and in some ways it’s good — if you’re not planning an attack, maybe it’s good to have these guys crawling around to show that. But it’s different in this case because it would be as if each spy was armed with a small nuclear warhead. You don’t even need to bring in a new crew, it’s the same guys doing it, it’s the same technology, it’s the same skill set.
So when they created US Cyber Command, they decided to have the same four-star general as the Commander of Cyber Command and the Director of the NSA, and it’s all at Fort Meade, and it’s all involving the same people. They have links with all the combatant commands and they also have a centralized part of Cyber Command that protects the nation. Now how do they protect the nation? They can’t sit on everybody’s networks, so protecting the nation means getting inside other countries’ networks to see when they might be planning an attack. It’s offensive by nature. It’s all been done in great secrecy, and we have this enormous Cyber Command, we have these combatant plans, we have war plans for cyber war, but nobody has even figured out the definition of cyber deterrence. They’ve got this whole machinery for cyber war, and yet the foundations of policy, strategy, even tactics, are still very vague. So you have the technology driving where we’re going, not policy driving the technology.
Guernica: This has been a recurring theme in the past three years with regards to encryption, public data collection, and surveillance tools. Policy has been unable to keep up with technological advances.
Fred Kaplan: The problem is that people don’t know this stuff. When the bomb went off in Hiroshima in 1945, almost right away there were economists, social scientists, political scientists, physicists — not military people with high clearances — trying to figure out, how does this alter the nature of warfare, how does this alter the nature of international relations, what does nuclear war mean, what does nuclear deterrence mean? And there were some things that were secret about the bomb, but its effects, how it worked, how many weapons other countries could build given how much uranium stockpiles they had, that was all out there in the open. And so, a civilian economist at the RAND Corporation, for example, was maybe even more suited to figuring this out, and they had a big impact.
In cyber, it’s all been so secret, that people who might have a broader wisdom on these issues have been left out of the loop. Obama has actually made himself fairly conversant in these issues, but until recently presidents didn’t even know how to use computers. And so you have all of this [cyber war technology] developing at a very sophisticated level on a parallel track that people who are actually making policy, are just now barely beginning to be aware of.
Guernica: But there are also non-state actors who haven’t gone through years of schooling or professional training to participate in this realm. What are the implications of citizens being able to reach similar levels of technical understanding as government operators?
Fred Kaplan: There is this guy Richard Clarke, who did counter-terrorism under Clinton and has become fairly well known since. And he got into cyber because he was introduced to this gang of five computer geeks in Boston who called themselves the “L0pht.” Their leader was a guy named Peiter Zatko, who calls himself Mudge, and they had this vast array of computer equipment which they had refurbished on the second floor of a warehouse in Boston. They had figured out and designed programs for hacking into any password, any operating system, doing the kinds of things that up until then it had been thought that only a nation state could do. And this changed the whole threat profile. It was thought, “Jesus Christ, if these guys were terrorists, they would be cyber terrorists.” At least right now, with groups like ISIS and Al-Qaida, it’s believed that they don’t yet have the capability or the know-how, or the money to pay people with the capability and know-how to use cyber to do what they want to do. As you can imagine, if you’re a terrorist and want to wreak havoc, there’s a lot you can do in the cyber world. But it could happen in the future. There are movies about this, right…