Copyright 2014 by Shane Harris
All rights reserved
For information about permission to reproduce selections from this book, write to Permissions, Houghton Mifflin Harcourt Publishing Company, 215 Park Avenue South, New York, New York 10003.
www.hmhco.com
Library of Congress Cataloging-in-Publication data is available.
ISBN 978-0-544-25179-3
eISBN 978-0-544-25044-4
v1.1114
For my husband, Joe de Feo
A Note on Sources
I'VE COVERED cyber security and electronic surveillance as a journalist for more than a decade. This book is informed by the more than one thousand interviews I've conducted over the years with current and former government officials, military personnel, corporate executives and employees, subject matter experts, researchers, and activists. Over the past two years as I was working on this project, I conducted new rounds of interviews with many of these people, who are among my most credible and trusted sources. I also conducted interviews with some sources for the first time. For this book I relied especially on my interviews with current government officials and military personnel whose jobs deal directly with cyber security operations or policies. They are working in the trenches of this evolving terrain, not at its fringes. I'm grateful to them for taking the time to speak with me and for confiding in me on a subject that many in government still resist discussing publicly because too much of it touches on classified material and operations.
Many of the people I interviewed agreed to be quoted on the record, and in those cases I have listed their names either in the text or in the endnotes. Others requested that I not identify them by name and, in some cases, that I not identify the agency or company where they work. It's regrettable and frequently unavoidable when reporting on classified matters of national security that journalists cannot more fully identify their sources. I don't believe a single person I interviewed for this book has revealed information to me that would jeopardize national security or put lives at risk. But I granted these people's requests for two reasons.
First, the information they provided either was essential to the story and couldn't be obtained any other way or it amplified information from other on-the-record sources or documents in the public domain. (And a surprising amount of revealing information about cyber warfare and espionage has been made public or was never classified.) Second, these people spoke to me at significant risk to their professional livelihood and potentially their personal freedom. In discussing cyber warfare and espionage, it's often hard for sources to know if they're revealing classified information or getting close to the line. If the sources who discussed these matters were identified by name, they could lose their top-secret security clearances, which would make them effectively unemployable in their chosen profession of national security.
But these sources also risked criminal prosecution in talking to me. The Obama administration has been historically hostile to government employees who share information with journalists. The Justice Department has prosecuted more people for disclosing classified information than all previous administrations combined. Simply put, it is a dangerous time to talk to journalists. And this risk extends to former government employees and military personnel. Several former intelligence officials have told me that within the past year they were explicitly told by the intelligence agencies where they're still employed as contractors that they should stop talking to journalists if they want to continue doing business with the government. In cases where I refer to anonymous sources, I've done my best to explain why those people are credible and authoritative, while honoring my obligation not to reveal information that could identify them.
A significant portion of this book is based on documents in the public domain. These include government reports and presentations; congressional testimony; speeches by senior officials; and an ever-growing and highly detailed body of written analysis by private security researchers. When I began researching this book, a number of colleagues questioned how I'd be able to write about a subject as shrouded in official secrecy as cyber security. But I was surprised to learn that a very large amount of revealing and informative unclassified information exists in the public domain. There's a significant amount of knowledge out there, which tends to undermine the claims by many government officials that this subject is too sensitive to talk about publicly. I'm heartened that in the past few years more government officials and military leaders have decided to talk more openly about cyber warfare and espionage. The public cannot understand these issues, and governments can't make sound law and policy, without candid and frank discussion in the light of day.
Prologue
THE SPIES HAD come without warning. They plied their craft silently, stealing secrets from the world's most powerful military. They were at work for months before anyone noticed their presence. And when American officials finally detected the thieves, they saw that it was too late. The damage was done.
The intruders had made off with huge amounts of technical and design information about the United States' most important new weapon, a next-generation aircraft called the Joint Strike Fighter. It was supposed to be the fighter to end all fighters, which would be flown by every branch of the armed forces and ensure America's aerial dominance for decades to come. Dubbed the F-35, the jet was the most complex military weapons system ever devised and, with an estimated total price tag of $337 billion, the most expensive.
All signs pointed to China's military as the culprit in a series of audacious raids that began in late 2006. It had the motive and the opportunity to steal the F-35's secrets, particularly details about how the fighter evaded enemy radar systems. For decades China had waged an aggressive espionage campaign against the US Armed Forces, its most formidable adversary. Beginning in the late 1970s, Chinese agents working in or visiting American universities, government research labs, and defense contractors made off with design information about weapons systems, including nuclear warheads.
But there was something strange about the Joint Strike Fighter theft. The spies weren't taking paper documents out of offices or eavesdropping on engineers in the break room. They were stealing information remotely, via a computer connection. The Joint Strike Fighter program had been hacked.
Computer forensics investigators at the air force, which was in charge of the F-35 program, started looking for the culprits. To understand how the hackers had gotten in, they had to think like them. So they brought in a hacker. He was an ex-military officer and a veteran of the military's clandestine cyber campaigns. He'd cut his teeth in some of the army's earliest information-warfare operations in the mid-1990s, the kind designed to get inside an enemy's head more than his databases. These were computer-age variants of classic propaganda campaigns; they required military hackers to know how to penetrate an enemy's communications systems and transmit messages that looked as if they came from a trusted source. Later the former officer's work evolved into going after insurgents and terrorists on the battlefields of Iraq, tracking them down via their cell phones and Internet messages. He was only in his mid-forties, but by the standards of his profession he was an old hand.
This much the air force knew about the Joint Strike Fighter breach: the data hadn't been taken from a military computer. It seemed to have come from a company that was hired to help design and build the aircraft. The spies had made an end run, targeting Defense Department contractors whose computers were full of highly classified information, including some of the same plans for the F-35 that were likely to be found on a military system. It was a shrewd tactic. Contractors are an indispensable part of the American military; without them, planes don't fly, tanks don't roll, and ships aren't built and repaired. But their computer systems were generally less defended than the military's top-secret networks, the most sensitive of which weren't even connected to the Internet. The hackers simply found another way in, targeting the firms to which the military outsourced so many of its key operations.