16 March 2015

Drawing back the curtain on cyberwar

By Sean Lyngaas 
Mar 13, 2015 

Shane Harris' new book details the turning points and turf battles in federal cybersecurity policy.

Journalist Shane Harris has written a richly detailed, page-turning recent history of the militarization of cyberspace. The combination of thoroughness and accessibility makes "@War: The Rise of the Military-Internet Complex" an important contribution to the ever-changing, seemingly unfathomable field of cybersecurity.

Harris offers an inside account of how, over the course of more than a decade, U.S. military, intelligence and civilian agencies have ramped up their cyber capabilities to try to stay ahead of threats posed by criminal hackers and nation states. But the book does more than chronicle that transformation. It also picks up on the personalities and bureaucratic turf battles behind it and reflects on the broader implications for the security and openness of the Internet.

The book's subtitle is a variant of President Dwight Eisenhower's warning against the potentially outsize influence of industry on U.S. defense policy. The military-Internet complex treats the Web as a battlefield, writes Harris, a senior correspondent at The Daily Beast. That battlefield is full of government and corporate secrets, and it has spawned a lucrative market for protecting them.

FCW readers will appreciate the book's detailing of the interagency tensions that come with grappling with a new domain. The 2009 birth of U.S. Cyber Command under the leadership of the National Security Agency director gave NSA even more clout among agencies in cyberspace. But Jane Holl Lute, who became deputy secretary of the Department of Homeland Security that year, challenged the notion that NSA was uniquely suited to defend civilian cyberspace, Harris writes.

"Pretend the Manhattan phone book is the universe of malware," she is quoted as telling colleagues. "NSA only has about one page of the book."

That turf battle is likely far from settled, and DHS has continued to expand its own cyber-defense capabilities.

Cyberwarfare is not a new concept, but it is a fairly new practice. One of the pivotal moments came in 2007, during the surge of U.S. forces in Iraq, according to Harris. He profiles Bob Stasio, then an Army lieutenant whose signals-intelligence platoon is credited with tracking down hundreds of insurgents. He used cell phone signals to determine insurgents' locations and sent reports back to commanders to correlate the data with a wider view of the battlefield.

Stasio's handiwork was made possible by President George W. Bush's decision to unleash NSA's cyber capabilities, Harris writes. In a May 2007 meeting with then-Director of National Intelligence Mike McConnell, Bush signed off on NSA's use of computer viruses and spyware to penetrate the communication networks of Iraqi insurgents.

That cyber arsenal helped quell the Iraqi insurgency at the time, but it was not without hazards. Collateral damage is as real a possibility in cyberspace as in other types of warfare, and the malware risked infecting the devices of innocent Iraqis and spreading further.

The U.S. military's surge in Iraq allowed NSA to use cyber weapons it had been stockpiling for years, Harris writes, and he describes how NSA buys them from defense contractors that acquire them from third-party vendors. The hoarding of cyber weapons bolsters U.S. offensive capabilities but leaves Internet users in the dark about software and hardware flaws that then remain unpatched.

Harris also details other turning points in federal cybersecurity policy, including Operation Buckshot Yankee, the Pentagon's response to a 2008 breach of its classified systems. One of the most important lines in "@War," however, comes in its preface and is informed by the dogged reporting that gives the book such value. Pushing back against the tendency of government officials to decline to discuss cybersecurity because it pertains to "classified" information, Harris writes, "The public cannot understand these issues, and governments can't make sound law and policy, without candid and frank discussions in the light of day."

If every journalist covering cybersecurity had those words hanging above his or her desk, cyberspace would be less murky. "@War" does use extensive anonymous -- along with many on-the-record -- sources, but Harris explains his criteria for offering anonymity while noting the considerable risk that intelligence sources take in talking to journalists.

The refrain from government officials that classified information gives them a unique ability and privilege to combat cyberthreats needs to be evaluated against public evidence. Harris makes this point by recounting a 2009 meeting between federal officials and security personnel from some of the top U.S. banks. When an FBI official asked how a program to share cyberthreat information between the government and the financial industry was progressing, a bank representative expressed disappointment, Harris writes.

The report the FBI had shared with the banks had drawn on classified information and included threat-signature details, but the banks had already obtained that information by sharing it with one another or buying it from private security firms.

That meeting illustrates a theme that courses through Harris' book: There is no hegemon in cyberspace. The Tor network, a routing tool originally funded by the U.S. government, has thwarted NSA's efforts to identify Internet users. Chinese hackers have dealt costly blows to Internet leviathans such as Google. Cyberspace is as contested as ever. And that's what makes this account of its militarization so important.

About the Author

Sean Lyngaas is a staff writer covering defense, cybersecurity and intelligence issues. Connect with him on Twitter: @snlyngaas.
