
America Hacks the Planet

Major Pwnage: Marine specialists receiving the 2006 NSACSS Director’s Trophy

Somewhere between the breathless reporting on China’s state-sponsored hacking offensive, the perceived threat of hackers from former Soviet republics, and the “hacktivist” activities of amorphous bodies like Anonymous and Wikileaks, we seem to have forgotten something about the U.S.: Washington has long been a leader, if not the undisputed master, in espionage and counter-intelligence. That prowess doesn’t end at the door of cyberspace.

Remember: the U.S. isn’t just the birthplace of Silicon Valley, the NSA and the movie Hackers. It’s the country with a nearly $60 billion black ops budget – a number that, even amidst a spending crisis, rose 3% from 2011 and will hold steady in 2012.


Of course, the accepted message that the U.S. isn’t prepared for cyber-attack despite regarding online attacks as acts of war, true and important though it may be, serves the interests of a wide American cyber offensive that stretches from public and diplomatic relations to highly secret infiltration missions. While the media and punditocracy have been fretting over the sad state of the U.S. cyber defenses, look closer and you can find signs that suggest its cyber offense has been quietly growing.

What do we actually know? That we can’t know just how much the government knows. But while U.S. cyber operations remain a closely guarded secret, a few recent indicators have offered a slightly crisper picture. Government-paid hackers – eagerly plucked from “the underground” by the military and the NSA – are currently breaking into, stealing information from, and even sabotaging foreign computer systems, much like legions of U.S. spies did in meatspace during the Cold War.

Outside of Chinese state media, it’s hard to find much mainstream concern about the threat of U.S. hack attacks. An early 2010 survey (pdf) of cybersecurity experts and information executives found the United States to be the biggest perceived threat. When 600 experts were asked which country causes “most concern” as a source of attacks on their country or business sector, the United States won out, with 36 percent. China followed closely at 33 percent, and Russia was the third bogeyman, with 12 percent.


But today, Russia and China are the major culprits, the domain of “hacker armies” that, at any given moment, are ransacking thousands of foreign computer systems, capable of perpetrating “our next Pearl Harbor” (if they haven’t already). A similar (but not perfectly comparable) survey (pdf) conducted in 2011 showed a shift. China led by far at 30 percent, compared to Russia at 16 and the United States at 12 percent.

Why the reversal in a year when many widely suspect the United States successfully used a piece of malicious code to severely, and potentially catastrophically, damage an Iranian nuclear facility? Speaking in Aspen, former CIA Director Michael Hayden said the Iran attack, called Stuxnet after the name of the malware that did the deed, was a legion crossing the Rubicon: “Someone just conducted a cyberattack [on] another nation’s critical infrastructure.”

In Pentagon-speak, an attack creating physical damage in another state’s critical infrastructure is a big freaking deal. This is the stuff of “cyber war,” and it’s what keeps Cold War, counterterrorism, and national security veterans like Richard Clarke on high alert, sounding the alarm in private and in public for years.

Clarke’s flag-raising book — Cyber War — is designed to make us worried that the United States is desperately vulnerable to state- and industry-sponsored cyber intrusions designed to steal information, create damage, and prepare for a wider conflict. At a few moments, however, Clarke admits the United States is no innocent, offering rare frank insights into ongoing U.S. cyber offensives.


“The ways in which the U.S. and Russia now engage in cyber espionage are usually undetectable,” he writes (p. 235). Indeed, someone like Clarke who has been a national security official and enjoys high clearance can get interviewees to speak directly: “Hell, the U.S. government does [number withheld] penetrations of foreign networks every month,” an unidentified intelligence official says on page 123. “We never get caught. If we are not getting caught, what aren’t we catching when we’re guarding our own?”

The United States, this official suggests, is actively exploiting vulnerable computer networks and “critical infrastructure” in other countries. (In the United States itself, disturbingly perhaps, government systems are subject to preemptive intrusions by hackers from the NSA’s “Red Team”—in addition of course to distant intruders.) If Clarke is to be believed in raising the alarm in the United States, pretty much every computer network is vulnerable. “[number withheld]” is probably a large number.

The Air Force is online.

So why has the United States lost out to China and Russia in the perceived cyber threat? Is it that the experts and executives surveyed by the security firm McAfee and the Center for Strategic and International Studies are biased? Do they know something the rest of us don’t about a particular American sense of propriety and responsibility? Or are they simply influenced by the all-too-easy “China threat” narrative, one that revives a sense of Cold War vulnerability?

Some commentators have been hard on Clarke’s book. Wired writes that it should be “filed under fiction.” Claims of exaggeration are well taken, and the text can read a bit like a wonky version of Live Free or Die Hard, but the message that states are putting serious effort into messing with each other’s computers is inescapable. The trouble is that real scenarios (instead of Clarke’s thought experiments) are generally classified.


“You have to be very careful about what you say in this area,” a “top cyberwarrior” told Time in 2010. “But you can tell there’s something going on because the services are putting their money there and contractors are going after it in a big way.”

THE WAR THAT DARE NOT SPEAK ITS NAME

Now if only we could have an informed discussion about all of this hacker havoc outside the classified realm. It doesn’t help much that it’s particularly easy, and dangerous, to confuse cyber espionage and cyberwar, as Seymour Hersh pointed out last year. Meanwhile, “cyberwar” brings to mind the old military paradigms of secret warfare and territorial domination, which isn’t very helpful for clarifying a new kind of threat. Combat by computer isn’t simply a matter of destroying the other side’s computers until they’ve got none left or they turn off their Internet. The stakes are different, and more complicated.

Plus, absent clear legal parameters or review, cyber fights could lead to physical casualties (Stuxnet threatened Iran’s nuclear infrastructure) and rapid, dangerous escalations, the sort of which are still creepily hard to imagine. That might explain why the Air Force recently instituted a legal review process for “any device or software payload intended to disrupt, deny, degrade, negate, impair or destroy adversarial computer systems, data, activities or capabilities.”

Then again, this is a form of “war” built on secrecy, and knowing too much could put us at risk. The prospect of losing their cover is so spooky to the spooks, their silence speaks volumes. In January, senators on the Armed Services Committee complained they had been kept in the dark about the Pentagon’s black cyber ops. The Pentagon, for instance, only rarely even acknowledges the existence of offensive cyber capabilities. Check the Department of Defense Strategy for Operating in Cyberspace (pdf), released in unclassified form last month, for any mention of offensive cyber warfare. You won’t find one.

—Graham Webster and Alex Pasternack
