For Victoria
INTRODUCTION
How did the Chinese manage to remotely download up to twenty terabytes of information from the Defense Department, equal to about 20 percent of all the data in the Library of Congress? And why don't we know exactly what they took? How did WikiLeaks get its hands on classified diplomatic cables, and why hasn't the U.S. government been able to shut it down? How did the specifications for the avionics and armor on the president's helicopter end up in Tehran, and what has that got to do with the theft of Supreme Court Justice Stephen Breyer's private data from his investment adviser? The answers to these questions reveal alarming threats to our personal, corporate, and national security that come from a new type of espionage and from the sudden transparency that electronic connectivity has brought to all aspects of our lives. Your difficulties with electronic privacy, the electronic theft of America's cutting-edge technology, and the government's loss of state secrets are a lot more alike than you know.
I spent most of the first decade of the twenty-first century working at the heart of the U.S. government's efforts to thwart spying and terrorism against us, first as inspector general of the National Security Agency, and then as chief of counterintelligence for the director of National Intelligence. As I carried out these assignments, I saw plenty of the old-fashioned kind of espionage, but I also witnessed the dramatic rise of a new kind of spying that exploits digital technology itself, and the fact that we have all come to rely so thoroughly on that technology.
During my tenure in government I came to understand how steeply new technology has tipped the balance in favor of those, from freelance hackers to Russian mobsters to terrorists to states like China and Iran, who want to learn the secrets we keep, whether for national, corporate, or personal security. Much of my understanding arose from classified work that I cannot discuss here or anywhere. But I can share the insights I gleaned about this new form of espionage: how it works; what the biggest and most vulnerable targets are; who does it best; as well as what it means for the future of warfare, intelligence, market competition, and society at large. I also came to understand what we can, and cannot, do to counter this flood of espionage.
The truth I saw was brutal and intense: Electronic thieves are stripping us blind. I'm not just talking about the pirating of DVDs and movies in Asia or somebody ripping off your Social Security number. That's bad enough, but it's worse than that. Technologies that cost millions or billions to develop are being bled out of our corporate laboratories via the Internet; or they're slipping out after hours on thumb drives, walking onto airplanes bound for foreign ports, and reentering the country as finished products developed by foreign entrepreneurs. In effect, we're buying back our own technology. Other Western firms, meanwhile, are bleeding trade secrets, engineering designs, know-how, and other intellectual property through electronic leakage. In the public sector, sensitive diplomatic cables are suddenly splashed across the headlines worldwide. The same organizations that broadcast those cables gleefully distribute lists of critical infrastructure (airports, bridges, chemical plants) that are the most vulnerable to attack. And as I describe in the pages that follow, we're losing strategically sensitive data about aircraft and ship design, radars, and other defense technology, as well as information about auto manufacturing, engineering designs, and other commercial innovations. This theft contributes to the tidal flow of capital from West to East that threatens our prosperity, and it could in wartime cost many American lives.
This kind of theft is targeted and systematic. The U.S. Navy spent about $5 billion to develop a quiet electric drive for its submarines and ships so they'd be silent and hard to track. Chinese spies stole it. The navy spent billions more to develop new radar for their top-of-the-line Aegis Cruiser. Chinese spies stole that, too. The electronic intelligence services of the Chinese and the Russians are working us over, taking advantage of our porous networks and indifference to security to steal billions of dollars' worth of military and commercial secrets. Some of our allies, like the French and the Israelis, have tried it too.
Pentagon information systems have been under attack since at least 1998. In August 2006, Major General William Lord of the air force let the public in on the secret when he mentioned that massive heist of up to twenty terabytes. To carry this volume of documents in paper form, you'd need a line of moving vans stretching from the Pentagon to the Chinese freighters docked in Baltimore harbor fifty miles away. If the Chinese tried to do that, we'd have the National Guard out in fifteen minutes. But when they did it electronically, hardly anyone noticed. As it happens, the data were stolen from the Pentagon's unclassified networks, but those networks hold lots of sensitive information, including the names and private identifying information of every man and woman in the U.S. armed forces.
It would be a serious mistake to think that the difference between classified and unclassified is the difference between important and unimportant, or sensitive and nonsensitive. Lots of information is sensitive but not classified, especially when it relates to technology and personnel. According to the air force's General Lord, when the Chinese pulled off this heist, they were looking for your identity so they can get into the network as you. General Lord did not reveal what is perhaps even more troubling: We don't know exactly what data were taken because the Defense Department doesn't bother to encrypt this kind of data. They thought it was too much trouble. But the Chinese, on their way out the electronic door, did encrypt it. Too much trouble? They didn't think so.
According to the Government Accountability Office, the number of unauthorized accesses or installations of malicious software on U.S. government computers increased by 650 percent since 2006. The trend is disquieting, and the official data almost certainly undercounts the problem.
And this trend is hardly limited to the public sector. To give just one example of the magnitude of threat aimed at private companies: A sophisticated team of hackers broke into a Royal Bank of Scotland payroll system in late 2008 and stole information that let them counterfeit credit balances on ATM cards. They then mounted a coordinated attack on 139 ATMs in the United States, Canada, Russia, and China that netted about $9 million in thirty minutes. If this were a traditional bank robbery, it would rank as one of the largest in history. Chinese and Russian cyberoperators have made advanced, persistent intrusions into the networks of other banks too, to what end, we don't yet know. This kind of intrusion infects a system with malicious code that's difficult, sometimes even impossible, to wipe out, because it continually changes to evade detection. It opens electronic trapdoors so that outsiders can bypass the system's security, and if one door is nailed shut, the code automatically opens another one. We don't even know who's doing this. This point will come up again and again throughout this book, because our inability to figure out who's responsible for illegal behavior on our electronic networks is a fundamental reason why we can't safeguard our personal data, corporate intellectual property, or national defense secrets.