AMERICA THE VULNERABLE: INSIDE THE NEW THREAT MATRIX OF DIGITAL ESPIONAGE, CRIME, AND WARFARE. Joel Brenner. City: Publisher. 2011. 308 pp. $27.95 hard cover.
How well do you keep a secret? Or rather, how well can you keep a secret in the modern-day “glass house” of social technologies and over-sharing? Further, how well does the US protect our collective secrets?
Joel Brenner’s “America the Vulnerable” describes a world in which secrets are sought and found continuously, and the pirating of intellectual property from both the public and private sectors has become a national security risk.
Beginning some months after 9/11, Brenner worked for ten years as inspector general at the National Security Agency (NSA), which deals with signals intelligence, and as chief of counterintelligence for the Director of National Intelligence. His secret work involved internal investigations and auditing the agency for “fraud, abuse, and just plain inefficiency.”
The work of intelligence agencies has become more difficult than ever with the cultural focus on transparency. The core function of intelligence agencies is the so-called “prevention of surprise”: assessing and testing the capabilities of competitor nations, evaluating their future capabilities, and delving into the thinking of the warfighters (particularly the leadership) of these nations.
After all, intentions “can change on a dime.” The more aggressive end of this preparedness continuum involves war-gaming and the pre-placement of weaponry for tactical advantage in case a hot war breaks out.
The proliferation of vast technologies (satellite, GPS, the WWW and the Internet) has enabled people to share information in real time. The foundational insecurity of the Internet (built by DARPA as a back-up communications tool in case of a nuclear attack) has enabled the outright theft of billions of dollars’ worth of intellectual property from the US by hostile nation-states, particularly Russia and China. Iran has been developing capabilities in this area as well. Allies like the French and Israelis have also probed various US systems for sensitive information.
For counter-intelligence, the fact that so much is knowable and findable about others is good. For placing deep-cover agents, the over-sharing is bad, because it makes creating convincing back-stories much more complex.
With the advent of Wikileaks have come wholesale leaks of massive amounts of classified data. Dubai security broke the assassination plot against a Hamas commander in early 2010 by using its extensive closed-circuit camera networks and electronic analysis systems, leaving the members of this elite hit team burned. CIA “black site” operations were compromised by amateur observations at various airports of the tail numbers of planes known to be used by that agency.
In the same way people need some privacy to maneuver in their lives, nation-states require some secrecy in order to function effectively. On the personal front, much can be known about people through their Internet profiles.
Data that is anonymized can be reconstructed to individual identification with data aggregators, with only a few pieces of innocuous data needed to track back to an identifiable individual.
“The amount of information available about you is startling: your date of birth, driving record, medical history, credit rating, shopping patterns (including where you shop and what you buy), mortgage and property records, political contributions, vacation patterns (including the route you drive), whether you drive, telephone numbers (even if unlisted), the names of your spouse and children and business partners, your grades in school, your criminal record (if you have one), and much else besides,” he writes.
The “air gap” that separates sensitive networks from the Internet was breached with a simple technology: thumb drives and memory devices carrying hidden malware.
At the top of the tasking list for these intruders is information about defense technologies and critical infrastructure (electrical grids, bridges, airports, chemical plants, air traffic control, and others).
Senior intelligence officials believe that Russian and Chinese operators are already inside the US electrical grid and have planted code that could be triggered to shut down parts of the system if hostilities ramp up between these nations.
The creation and deployment of the Stuxnet worm to sabotage centrifuges enriching uranium in Iran was the first time a remote attack was launched through a “supervisory control and data acquisition” (SCADA) system for sabotage. This worm went undiscovered for at least a year. It used four previously unknown (and rare) zero-day exploits. “It spread in several ways and copied and executed itself automatically.
And it hid its own code, so it was invisible. If programmers tried to view all the code on an infected computer, they’d see everything except Stuxnet. It exploited Siemens’ default passwords and reprogrammed the computers. It knew what system the virus was running on, and adjusted accordingly. Peer-to-peer connections enabled it to update itself,” writes Brenner.
That attack required world-class expertise across several disciplines and technological systems. “Whoever did this had to conduct tests in a closed environment that mirrored the Iranian systems, complete with the same expensive hardware the Iranians were using. In short, this operation cost millions of dollars to pull off, and possibly a year of planning, and it very likely required the collaboration of human and electronic intelligence services,” he writes. This 2010 attack ultimately disabled about a fifth of Iran’s centrifuges.
Yet, even in the face of this recent attack, many firms running SCADA systems “took 331 days on average to implement patches” to update their software. A research survey indicated that many felt that the government, insurance, or taxpayers would cover losses in case of a catastrophic attack on their systems. Industry regulators are reluctant to take on reliability standards that would add costs.
If major parts of the US electrical grid are taken out, the US could face a long wait for replacements, because the generators are generally manufactured in India and China. The experts the author cites suggest that the Stuxnet attack will not be a one-off; it is now part of the attack methodology. Indeed, media reports suggest that other versions of Stuxnet have been deployed (such as the Duqu worm).
Worse yet, the military and sensitive offices of government rely on commercial technologies for much of their work. Some of the research that ends up in military applications begins in universities and private companies’ R&D shops, and much of this sensitive information may be unclassified. Brenner suggests that the US classification process must become better at recognizing when a technology might be weaponized, so that the research can be classified in time to protect it. Organizations also need to be cautious about whom they hire for that work.
In information technology, there are numerous potential points of failure and compromise. Information sent over Wi-Fi may be intercepted and used, even if it is encrypted. Any device or digital file may carry malware that installs programs which lurk in a system, encrypt files, and exfiltrate them.
Given the global supply chains of goods, any hardware or software may be compromised along the way. Approximately 108 foreign intelligence services target the US. He writes: “Collection by Russia and Cuba is back up to cold war levels. Against economic targets, however, the heaviest foreign human spying comes from Iran and China.”
When Google discovered its source code had been compromised in 2010, it asked the US to help protect it against a nation-state (China), an unprecedented situation. Google now has to assume that “Chinese authorities are permanently inside its systems,” he writes.
The People’s Liberation Army (PLA) is said to have 30,000 cyberspies who are supported by “more than 150,000 ‘private sector’ cyberexperts ‘whose mission is to steal American military and technological secrets and cause mischief in government and financial services’ according to a press account of a classified FBI account.”
To combat the “artless trust” that the US seems to bring to the world, Brenner pushes for a nuanced understanding of the relationship with the PRC, which he terms “difficult, rewarding, profitable, and full of real and potential conflict.” There are mutual economic dependencies on both sides. “Disengagement from China, let alone war, would be a worldwide disaster. Yet conflict is the reality, even in the midst of a mutually advantageous relationship,” he notes.
Brenner cites a work written in 1999 by two PLA colonels that describes modern warfare between a lesser power and a unipolar power as “unrestricted warfare,” with all powers of the state drawn into the fight. Here, informational, financial, psychological, and other tools are employed to break the other side’s will to make war and to win its acquiescence to policy stances. During a hot war, the strategy is to disrupt the other side’s communications by compromising its information assurance.
The author uses language cautiously in this book; he does not say more or less than what he means. He uses broadly available public information to make his case for greater vigilance and more professional management of information technology systems. He uses a few cleanly etched and plausible scenarios (often knit together from documented individual incidents) to show how information compromises might work and be used in a military confrontation with the US.
At the conclusion of “America the Vulnerable,” Joel Brenner has suggestions for how to shore up cyber security standards through a mix of policies, actions, research, and engineering approaches, for both the public and private sectors. Americans tend to think of war and peace as discrete states, but peace and struggle coexist. The current age is a time of “conflict and symbiosis, struggle and trade…neither war nor peace, and which is both promising and dangerous.”
Threats are materializing at network speed, and the battlespace is everywhere. While many secrets are leaking, the value of the secrets being held is higher than ever, with American predominance and Pax Americana at risk. Brenner observes: “Our adversaries are numerous, and they are deft, swift, and technologically skillful.”
Shalin Hai-Jew works for Kansas State University. She lives in Manhattan.