Copyright © 2016 by Adam Segal
Published in the United States by PublicAffairs™, a Member of the Perseus Books Group
All rights reserved
Chapter 1: The Hacked World Order
Just as historians consider 1947 as the year that two clear sides in the Cold War emerged, we will look back at the year that stretches roughly from June 2012 to June 2013 as Year Zero in the battle over cyberspace. It was by no means the first year to witness an important cyberattack or massive data breach; those had arguably happened several times before. In the 1990s the United States used cyber weapons against Serbia, and in 2007 hackers stole credit and debit card information from at least 45 million shoppers at T.J. Maxx and Marshalls. In 2008 hackers, suspected to be working with the Russian intelligence services, breached the Pentagon's classified networks. But it was in 2012 that nation-states around the world visibly reasserted their control over the flow of data and information in search of power, wealth, and influence, finally laying to rest the already battered myth of cyberspace as a digital utopia, free of conventional geopolitics. The assault on this vision was comprehensive, global, and persistent.
The conflict in cyberspace will only become more belligerent, the stakes more consequential. An estimated 75 percent of the world's population now has access to a mobile phone, and the Internet connects 40 percent of the planet's population, roughly 2.7 billion people. Information and communications networks are embedded in our political, economic, and social lives. Individuals and civil society now participate in global politics in new ways, but sovereign states can do astonishing and terrifying things that no collection of citizens or subjects can carry out. We will all be caught in the fallout as the great powers, and many of the lesser ones, attack, surveil, influence, steal from, and trade with each other.
Year Zero: A Timeline
Year Zero began with a newspaper article. In June 2012, US officials leaked details of a computer attack on Iran's nuclear program, codenamed "Olympic Games," that had begun under President George W. Bush. For years, the United States had been trying to stop Iran from building a bomb through diplomatic pressure and financial sanctions. Someone, probably the Mossad, Israel's intelligence agency, had also been assassinating Iranian scientists: a remote-controlled bomb attached to a motorcycle killed Masoud Alimohammadi, a physics professor, just as he stepped outside his home in the north of Tehran. Cyberattacks formed a quieter, much less deadly component of this campaign.
The malware (malicious software) known as Stuxnet, allegedly developed by the United States in cooperation with Israel and first detected in 2010, surreptitiously slowed down and sped up the motors in Iranian centrifuges being used to enrich uranium and opened and closed valves that connected six cascades of centrifuges. Eventually the motors tore themselves apart, and Iran had to replace 1,000 damaged machines. As it was doing its damage, Stuxnet provided false feedback to operators so that they had no idea what was going on. The goal was to make the changes so imperceptible that the Iranians would think the destruction stemmed from bad parts, faulty engineering, incompetence, or all three. Ralph Langner, a German cybersecurity expert who was among the first to decode bits of Stuxnet, estimated that 50 percent of the malware's development costs went into efforts to hide the attack. One US government official told the New York Times that Stuxnet aimed "to mess with Iran's best scientific minds" and "make them feel they were stupid."
Although the Iranians admitted some infections of their computer systems, the ultimate strategic effect of the malware on their nuclear program remains unclear. Reza Taghipour, an official in Iran's Ministry of Communications and Information Technology, downplayed the new weapon: "The effect and damage of this spy worm in government systems is not serious." Some US government officials claimed that it set Iran's nuclear program back eighteen months to two years; other technical experts said the attack did little to slow down Iranian efforts and in fact may have sped them up. As the Iranian scientists worked to get the centrifuges running properly, they made improvements in their performance and design that resulted in greater output.
The time gained from the attacks may have been an important factor in bringing Iran back to the negotiating table and reaching a deal on its nuclear program in July 2015. The delay, even if only amounting to two years, gave the economic sanctions on the country more time to bite. The poisonous code was also useful in persuading Israel not to conduct airstrikes against Iranian facilities. In 2008, Israel reportedly asked the Bush administration for bunker-busting bombs it hoped to use against production and research sites hidden in mountainsides and buried underground. In rejecting the request, President Bush assuaged the Israelis by telling them that he had authorized the Olympic Games mission to sabotage Iran's nuclear infrastructure.
Whatever the impact on Iran's nuclear program, Stuxnet was notable on two fronts. First, it was extremely sophisticated, "unprecedentedly masterful and malicious" in the words of one technical journal. The malware used five "zero days"—that is, unknown software vulnerabilities that allow an attacker to access a computer, router, or server; never having detected these flaws before, developers have zero days to fix or patch them. Zero days are valuable to both attackers and defenders. They can fetch six-figure prices on the black market, and so even an advanced attack deployed by a nation-state will usually use one, maybe two.
In addition, the computers that controlled the centrifuges were not connected to the Internet. Stuxnet had to jump this "air gap" and be delivered into the system, perhaps via a thumb drive or other portable device. In addition, Stuxnet was configured to work only on a specific system. Although the malware spread widely—the total number of infections surpassed 300,000 in more than one hundred countries, including Australia, Brazil, Brunei, China, India, Indonesia, the Netherlands, and even the United States—it would activate only when it saw a configuration of a specific line of Siemens programmable logic controllers, and it would destroy centrifuges only when it saw it was on a computer at Natanz, Iran's primary enrichment facility.
Stuxnet was only one of the sophisticated tools at the United States' and Israel's disposal. Two other programs, Flame and Duqu, appear to have been part of Operation Olympic Games, designed to gather intelligence on computer networks in Iran and other Middle Eastern countries. Flame, for example, searched a computer for keywords on top-secret PDF files, then made and transmitted a summary of the document, all without being detected.
Stuxnet's complexity put it out of the reach of individual hackers and pointed to the involvement of a nation-state intending to do physical damage to a target. This parentage is Stuxnet's second noteworthy characteristic, and it represented a strategic sea change. As Michael V. Hayden, former chief of the Central Intelligence Agency (CIA) put it, "Somebody crossed the Rubicon." Before Stuxnet, computer code had served primarily to steal or destroy data on other computers; now it was causing equipment to malfunction. It was creating physical outcomes. Yet, unlike with conventional or even nuclear weapons, the effects and rules of cyber weapons were largely unknown. There was no understanding of the consequences Stuxnet might unleash, though there was fear that the same type of weapons might eventually target the United States. "If you are in the glass house, you should not be the one initiating throwing rocks at each other," Gregory Rattray, now an information security specialist at JPMorgan Chase, said at a 2012 conference. "We will have rocks come back at us."
Stuxnet made it clear that the United States was committed to developing offensive capabilities. At a time when the rest of the defense budget faced severe cuts, Pentagon officials announced increased funding for the development of cyber capabilities, along with drones and special operations. Ashton Carter, then deputy secretary of defense, told a gathering of cybersecurity experts in San Francisco in February 2012, "No moment in all those [budget] deliberations was it even considered to make cuts in our cyber expenditures . . . ships, planes, ground forces, lots of other things on the cutting room floor; not cyber." The number of cyber warriors assigned to US Cyber Command, the command center for the Pentagon's cyber operations, was quintupled from 900 to 4,900 troops. And in late 2012, the Pentagon unveiled Plan X, an effort to build on programs like Stuxnet and develop the offensive capabilities needed to "dominate the cyber battlespace." Regina Dugan, head of the Defense Advanced Research Projects Agency, laid out a roadmap: "In the coming years we will focus an increasing portion of our cyber research on the investigation of offensive capabilities to address military-specific needs."
Iran did not simply sit back—it hit back with its own cyberattacks. Between September 2012 and June 2013, an activist group called Izz ad-Din al-Qassam Cyber Fighters took credit for roughly two hundred distributed denial-of-service (DDoS) attacks on almost fifty financial institutions, including SunTrust, JPMorgan Chase, CitiGroup, Wells Fargo, U.S. Bancorp, Capital One, PNC, and HSBC. Compared to Stuxnet, DDoS attacks are unsophisticated: they are like protestors blocking access to a government office. Stuxnet was analogous to a Tomahawk cruise missile launched from 1,000 miles away blowing that office up. In a DDoS attack, hackers use thousands of computers or servers to flood a website with so much data that it can no longer respond. Security researcher Graham Cluley put it more colorfully: "It's a bit like 15 fat men trying to get through a revolving door at the same time—nothing can move."
Over time the attacks grew more complex. The amount of data flooding websites grew massively. It cost one bank close to $10 million to get back online. Izz ad-Din alQassam claimed it was acting independently and in retaliation for "Innocence of Muslims," an antiIslam video made by a California resident and uploaded on YouTube, but behind the scenes US government officials and outside experts blamed Iran.
In August 2012, the Shamoon malware struck Saudi Aramco, Riyadh's state oil giant. This was a qualitatively different type of attack, involving the destruction of data. Shamoon corrupted tens of thousands of hard drives and shut down employee e-mail; the company had to replace 30,000 computers in order to rid its networks of the malware. Saudi Aramco supplies about a tenth of the world's oil, but the malware only damaged office computers and did not affect systems involved with technical operations. "All our core operations continued smoothly," CEO Khalid Al-Falih told Saudi government and business officials. The company managed to put its networks back online almost two weeks after the attack. A subsequent attack damaged Rasgas, a joint venture between Qatar Petroleum and ExxonMobil and the second-biggest producer of liquefied natural gas in the world. Again, data was destroyed, but production continued.
As with the attacks on the banks, a proxy was involved. A group calling itself the Cutting Sword of Justice claimed responsibility, but US officials believed Iran was behind the attacks. Not only was there motive, but Iran had a few years earlier announced its intent to develop cyber forces. Hossein Mousavian, a former Iranian diplomat, told an audience at Fordham Law School, "The U.S., or Israel, or the Europeans, or all of them together, started war against Iran. . . . Iran decided to have . . . to establish a cyberarmy, and today, after four or five years, Iran has one of the most powerful cyberarmies in the world."
The Shamoon attack on Saudi Arabia seriously spooked the US government. Secretary of Defense Leon Panetta called it "a significant escalation of the cyber threat." In a speech in October 2012 at the Intrepid Sea, Air, and Space Museum, Panetta warned a group of business executives of a potential "cyber Pearl Harbor." Computer hackers could gain control of "critical switches," he cautioned, and "derail passenger trains, or even more dangerous, derail trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country." President Barack Obama echoed this threat in his State of the Union address, stating, "Our enemies are . . . seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems."
Ironically, the Shamoon attack showed that Iran was learning from Israel and the United States. In April 2012, an aggressive piece of code, known as Wiper, had attacked the Iranian Oil Ministry and the National Iranian Oil Company and erased hard drives, removing any trace of itself. A year later, General Keith Alexander, director of the National Security Agency (NSA) and commander of US Cyber Command, left Fort Meade for a meeting with his counterpart in the United Kingdom's Government Communications Headquarters (GCHQ). Talking points, prepared for the meeting with Sir Iain Robert Lobban and leaked by former NSA employee Edward Snowden, claimed Iran had "demonstrated a clear ability to learn from the capabilities and actions of others." In other words, Shamoon had been possible in part because of Wiper.
Even as Iran and the United States were trading blows in cyberspace, China-based hackers were continuing a massive cyber theft campaign against technology firms in the United States, Japan, and Europe. For years, Chinese hackers had raided defense contractors and the Pentagon, stealing secrets from dozens of weapons programs, including the Patriot missile system, the F-35 Joint Strike Fighter, and the US Navy's new littoral combat ship. They gradually expanded their attention to technology companies, financial institutions, law firms, think tanks, and the media. In July 2012 General Alexander called these and other economic espionage cyberattacks on American companies the "greatest transfer of wealth in history" and estimated that American companies had lost $250 billion in stolen information and another $114 billion in related expenses.
During Year Zero, I probably received e-mails about twice a month that appeared to come from my boss, Richard Haass, president of the Council on Foreign Relations (CFR). The messages usually contained an attachment and a short message like, "I thought you might be interested in President Obama's schedule for his upcoming trip to Asia." I deleted them straightaway. Immediately erasing e-mails from your boss may not sound like the best way to get ahead professionally, but it was the safest thing to do. Glancing at the sender's e-mail address, I saw that it was something like [email protected] or President [email protected]. Neither of these is Richard's e-mail address.
These e-mails, probably from China-based hackers, are known as spear-phishing attacks. E-mails are made to look like they come from someone you know (hackers may study job titles on your company's website or your social networks on Facebook, LinkedIn, or Twitter) and craft a subject line designed to be of interest to you. The e-mails often arrive in the morning, before you have had your first cup of coffee. Attackers may send one just before a long weekend, knowing the recipient will want to get any work out of the way before leaving the office. Opening an attachment or clicking on a link downloads software that allows attackers to gain control of your computer. They then gradually expand their access and move into different computers and networks, sending files back to computers in China or elsewhere. In some instances, the hackers use the computer's microphone and camera to record entire meetings.
Chinese hackers used this type of attack against the New York Times sometime at the end of 2012 as the paper's journalists were preparing a story on the massive wealth allegedly accumulated by the family of former prime minister Wen Jiabao. The hackers targeted reporters' passwords and accounts. Soon after, Bloomberg, which published a similar story on the wealth of the family of Xi Jinping, China's top leader, admitted that it also had been hacked. In February 2013, Mandiant, a private security company formed by former US Air Force officer Kevin Mandia, published a report naming Unit 61398 of the 3rd Department of the People's Liberation Army as responsible for the attacks on the New York Times and others. In attributing the digital assault, a private company had acted like a national intelligence agency.
The hacking became a major irritant for Washington and Beijing. Not wearing ties and taking a more relaxed attitude toward protocol, Presidents Obama and Xi met for a two-day "shirt sleeve" summit in California in June 2013 in the hope of building a personal relationship and stemming the growing distrust that seemed inevitable between the world's superpower and a rising China. Despite all of the efforts at diplomatic bonhomie, President Obama told Charlie Rose that they had had "a very blunt conversation about cybersecurity" and that he had warned President Xi that hacking could "adversely affect the fundamentals of the US -China relationship." And so, in the twelve months between June 2012 and June 2013 —the period between the first publicly admitted cyberattack by a nation-state and the summit between Obama and Xi—cyberattacks had gone from a discreet and veiled activity to a public strategy with the capacity to upend what many consider the most important bilateral relationship of the twenty-first century. The hacked world order was in full public view.
Year Zero culminated with the revelations of former NSA contractor Edward Snowden. Two days before Presidents Obama and Xi met in Sunnylands, California, the British newspaper the Guardian published the first report on what would be a massive, years-long leak about the National Security Agency and allied surveillance programs. Despite numerous public assurances from officials that the government did not gather information on US citizens, the leaks would expose the collection of American users' cell phone metadata—what number is called, what time the call is made, and the duration of the call, but not the content. Through a program called PRISM, the NSA was able to demand access, under Section 702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008, to data of non-US citizens stored at most of the American technology giants, including Google, Apple, Facebook, and Microsoft. This gave the NSA the ability to collect and analyze the e-mails, texts, chats, phone calls, Facebook posts, tweets, and documents of people worldwide. Through a process the NSA calls upstream collection, it taps directly into the cables and networks passing through the United States. Huge amounts of data traveling across AT&T, Verizon, and other networks are copied, and then the data of non-US citizens are selected for analysis based on certain government criteria. But the process of targeting foreign communications results in the incidental collection of the data of ordinary users, which the NSA can store and analyze later.
NSA reportedly spied on adversaries and friends alike, tracking Somali terrorists and breaking into Chinese networks, but also hacking the European Union's offices in New York, Washington, DC, and Brussels, bugging the computer hard drives of the Indian embassies in Washington and New York, and listening to the calls of Brazilian president Dilma Rousseff, German chancellor Angela Merkel, and at least thirty other world leaders.
These leaks unsettled foreign relations and impacted the geopolitics of cyberspace. Tensions between Washington and Moscow grew when Russia granted limited asylum to Snowden after he fled to Sheremetyevo International Airport. The revelations of a widespread American surveillance program vitiated Obama's criticism of Chinese economic espionage. As the state-owned Xinhua news agency put it, the leaks "demonstrate that the United States, which has long been trying to play innocent as a victim of cyber-attacks, has turned out to be the biggest villain in our age." Relations with Germany and Brazil, important partners, soured. President Dilma Rousseff canceled her planned summit with Obama and used her speech to the United Nations General Assembly in September 2013 to rebuke the United States, calling the activities a "grave violation of human rights and of civil liberties."
China, Russia, and a host of developing countries have used the US surveillance programs to buttress their argument that the Internet should be brought under the supervision of the United Nations.
Typically, the United States has promoted itself as the champion and protector of a borderless, global Internet, one that guarantees the right of all people to express themselves freely wherever they are. Not only do the surveillance programs undercut Washington's criticism of authoritarian states, but for Pratap Bhanu Mehta, one of India's most respected commentators, they imply that Washington feels free to "violate the privacy rights of citizens of other countries without just cause."
In the long run, Snowden's revelations may also make the Internet notably less American. There is no escaping demographics. More than 650 million Chinese and 350 million Indians use the Internet, and hundreds of millions will come online in both countries over the next two decades. But the spying revelations have accelerated the desire of others, including US allies, to reduce their dependence on American technology and Internet companies.
The World Order Today
Henry Kissinger, the clarion voice for great power politics, argues in World Order that "cyberspace challenges all historical experience." He later continues, "When individuals of ambiguous affiliation are capable of undertaking actions of increasing ambitions and intrusiveness, the definition of state authority may turn ambiguous." In addition, Kissinger is markedly pessimistic about the impact of the Internet on strategy and decisionmaking; information, in his view, has eclipsed knowledge and wisdom. Previously, leaders had time to reflect and the ability to distinguish between what they could and could not control. Kissinger fears that now all problems are something to research on the web rather than to deliberate over carefully and place within a historical context.
The twenty-firstcentury hacked world order is markedly more complex than that of the burgeoning Cold War in 1947. Then, mountains, rivers, and walls divided friends from enemies. Physical space matters much less in the cyber age, when attackers can act from anywhere with access to a modem or a smartphone. Hackers in Russia can use the Internet to attack neighboring Estonia or the United States nearly 5,000 miles away. For policymakers and the public shortly after the end of World War II, conventional power was relatively easy to chart as a share of world gross domestic product (GDP) and military spending. Now there is an uncertainty about how to measure cyber power. Does economic power stem from producing software, hardware, and content, or can a country specialize in one high-value area? Unlike long-range bombers and missiles, cyber weapons cannot be counted and it is unclear whether it is better to have a large corps of cyber troops or, given the importance of creativity and skill, a smaller number of elite hackers.
During the Cold War, only a few countries had the economic and technological capacity to build nuclear bombs. Even today, only nine countries possess them, and terrorists groups are likely to acquire them only through theft. The general contours and capabilities of each nuclear power's arsenal are well known. Should these weapons ever be used, the attacker's identity would be known before the missiles landed. And the development of so-called secure second-strike capabilities—that is, the ability to respond to a nuclear attack in kind—greatly diminished the incentive to attack first in a crisis. With nuclear parity, neither Washington nor Moscow could launch a nuclear strike without being destroyed in return, or, as the rule went, "whoever shoots first, dies second."
But almost any country as well as skilled hacking groups can launch a digital assault. Admiral Michael Rogers, General Alexander's successor as director of the NSA and head of US Cyber Command, told a House Armed Services subcommittee in March 2015, "We foresee increased tensions in cyberspace. The cyber strife that we see now in several regions will continue and deepen in sophistication and intensity." Approximately twenty-nine countries have formal military or intelligence units dedicated to offensive operations, and forty-nine have purchased off-the-shelf malware; those numbers are increasing every year, though it is difficult to understand the balance of forces and the risk of conflict. As Andre McGregor, a former cyber special agent at the Federal Bureau of Investigation (FBI), says, "With some countries, we're comfortable with knowing what their capabilities are, but with other countries we're still lost."
There may be strong incentives to attack first in a crisis: cyber weapons are "one and done," used once and then they are gone. Once your adversaries see what you can do, they will patch their defenses, or could attack you, making your cyber weapon obsolete before you ever use it. This pressure not to sit on a weapon heightens strategic instability.
The global and interconnected nature of the Internet also means that cyberattacks have the potential to produce unpredicted and inadvertent problems far beyond damage to the intended target. Once set loose, malware can be examined, repurposed, and used by the target or someone else; for instance, hacker websites now make Stuxnet available for download. And unlike nuclear technology, which remained the province of a very small group of scientists and engineers, information and communication technologies are ubiquitous and rapidly changing. Territorial boundaries, once clear and constant, are now relatively less useful markers. The United States and its North Atlantic Treaty Organization (NATO) allies prepared to meet a Soviet tank invasion at the Fulda Gap, a corridor at the border between East and West Germany, but today attackers can route computer attacks through several networks from bases on the other side of the world, inside friendly countries, or even inside the target country.
The most difficult problem is that you may not actually know who is attacking you or what the assailant is planning. Without attribution— without knowing who is behind an attack—it is difficult, if not impossible, to determine whom to punish, which in turn makes it harder to deter an attack in the first place. Cold War stability, however imperfect, expensive, and fragile, rested in part on nuclear deterrence between the superpowers. That stability is eroding. The already high and growing attack levels provide perhaps the clearest evidence that attackers feel like they can operate without consequences.
During the course of an intrusion, attackers can use various tools to hide their identity; they can jump from different computers and route attacks through networks in different countries. They can use widely known and available techniques and malware. Hackers can conduct "false flag" operations, attacks designed to look like they are coming from another group or nation-state. In April 2015, for example, attackers claiming to be from the Islamic State's Cyber Caliphate shut down transmissions from France's TV5 Monde television channel and posted jihadist propaganda on websites. Two months later, French investigators and cybersecurity experts reported that Internet addresses linked to the Cyber Caliphate website and techniques used in the attack pointed to a Russian group as responsible for the attack, though the motive remained elusive.
Moreover, when in a system an attacker's intentions can be opaque. Hackers may be there to steal data, prepare for a destructive assault, or both. Someone defending an oil company may not be able to tell if a hacker is looking for industrial secrets or mapping networks to "prepare the battlefield"—that is, to look for weaknesses that an attacker can later exploit in the event that a conflict breaks out.
Hackers can also turn espionage malware into an attack tool. The malware known as BlackEnergy, for example, has a long history. First designed and used for DDoS attacks by criminals and sold on Russian black markets, it then began downloading plug-ins that would steal passwords and IDs for bank websites. A group of Russian hackers used the malware for espionage directed at NATO, the European Union, Poland, Ukraine, private energy organizations, and European telecommunications companies. Yet they could also reprogram it as an attack tool capable of crippling energy supplies, water-distribution and water-filtration systems, or financial transactions.
Even when an attack can be traced back to a country, there is usually uncertainty about its ultimate origin: Was it launched by individuals at the instigation and support of their home government, entirely on their own, or for other criminal third parties? A senior intelligence officer told me, "There is lots of overlap between state and criminal hackers, and what hackers do at home when the work day is done is often the same as what they did for their day job." The fog of digital conflict is thick, and political leaders, in the heat of the moment, could finger the wrong perpetrators, respond disproportionately, and exacerbate a crisis.
Mistaken attribution can inflame already tense geopolitical standoffs. During the summer of 2014, sophisticated hackers broke into the networks of JPMorgan Chase and a dozen other financial institutions. They stole name, address, and e-mail data—but not credit card numbers—for about 83 million US households and small businesses. The scale of the breach was shocking enough, but the attacks further heightened the sense of vulnerability since the financial sector was widely assumed to be the most prepared for cyberattacks. Financial institutions already spend hundreds of millions of dollars on defense and have the most developed mechanism for cooperation and sharing threat information, the Financial Services—Information Sharing and Analysis Center.
The difficulty of attribution was of heightened political importance given the timing of the attacks. The United States and its partners had recently tightened sanctions aimed at crippling Russian companies following Moscow's seizure of Crimea and support for rebels in the eastern part of Ukraine. When asked by President Obama about the attacks, senior government officials reportedly could not answer the question "Is this plain old theft, or is Putin retaliating?"
Although he claimed to have no knowledge of the attack, former NSA head Keith Alexander publicly speculated that the Kremlin had ordered the attacks: "How would you shake the United States back? Attack a bank in cyberspace. If it was them, they just sent a real message: 'You're vulnerable.'" In contrast, Joseph M. Demarest, assistant director of the FBI Cyber Division, while still uncertain about whether the hackers were agents of a government, criminals, or some combination of the two, said, "There's no indication that [the attacks came] as a result of the sanctions." In the end, despite all the speculation, the hacks do not seem to be government sponsored. Law enforcement announced in March 2015 that it would soon indict the people behind the JPMorgan Chase hack and that they were "gettable," meaning that they were in a country with which the United States has an extradition treaty. Russia is not one of those countries, and in July 2015 authorities arrested four people in Israel and Florida for a complex securities-fraud scheme.
While the hacked world order is a break from the past, nation-states have not shaken off all the constraints of historical experience. Elements of the old statecraft remain. Technological sophistication, wealth, and size still matter. New technologies and techniques are, for example, making attack attribution more possible. The White House was adamant that North Korea was behind the December 2014 computer attack on Sony because of the forensic work of US cybersecurity companies and data collected by the intelligence agencies through "technical means." Documents released by Snowden show that the NSA has successfully placed code and monitoring devices in chips, routers, servers, and computers across the globe, giving the agency sweeping views of traffic on the Internet, including on Chinese and Korean computers. Attribution remains a relatively slow, deliberate process, but hackers can no longer assume that they will escape eventual detection and that attacks will not ultimately be ascribed to them.
Nation-states have regrouped to address the diffusion of power that has accompanied the proliferation of communication technologies and the expansion of cyberspace. New trade pacts with Europe (the Transatlantic Trade and Investment Partnership) and Asia (the Trans-Pacific Partnership) include provisions to remove barriers to the cross-border flow of data, prevent the forced localization of data, and reduce taxes on digital services. The United States has made cybersecurity an increasingly important part of its defense treaties with Japan and NATO, and Beijing and Moscow have signed a nonaggression pact with each other in cyberspace. The tools of trade agreements and alliances have been remade for the hacked world order.
The Pervasive Influence of Cyber Conflict
While often cloaked in secrecy, the maneuvering of states in cyberspace has a direct impact on all of our lives. The long-term effects of how states react to Year Zero will be pervasive. The impact of the Cold War on individuals went beyond the threat of nuclear war, although this alone was certainly consequential enough. The struggle resulted in new relationships between individuals and the state as the two sides created extensive, powerful bureaucracies to compete with each other. The National Security Act of 1947, for example, created the Department of the Air Force, the National Security Council, and the Central Intelligence Agency, as well as the Joint Chiefs of Staff and the position of secretary of defense. The National Aeronautics and Space Administration, the National Science Foundation, and the US Atomic Energy Commission were established to promote scientific competition and economic growth. President Harry S. Truman formally established the National Security Agency in 1952, although it was unknown to the public and referred to within the intelligence community as "No Such Agency." The responsibilities and authorities of the Department of Justice, the Department of Defense, and the intelligence community developed over a time when there was a clearer distinction between internal threats and those that came from "over there" and between criminal and military activity. The demands of digital conflicts are remaking these institutional assumptions. New bureaucracies are created; new authorities are defined, taken, and abused. In the process, the balance between public and private authority, production and power, and transparency and privacy are transformed.
Policymakers and the public have hundreds of years' experience with the deployment, use, and destruction created by conventional weapons. Traditional war is, in military jargon, primarily kinetic. The point is to kill people and blow things up. While cyberattacks are often framed as part of "cyber wars" by the media, you cannot hold territory in cyberspace, no one has ever died directly from an attack, and the danger of widespread physical destruction remains hypothetical. Russia and China might be able to launch an assault on the power grid, but they are also highly unlikely to do so unless they first perceive their vital interests to be under threat. Beijing and Moscow certainly know that Washington would respond with its own cyber weapons or with more conventional military force. Moreover, given the interdependence of the two economies, Chinese leaders would have to be fairly desperate to create economic chaos without high assurance that it would not blow back on China.
As cyberattacks typically pose risks to the integrity of complex systems, they represent a less dramatic but more pervasive threat than the destruction caused by a tank, destroyer, or fighter jet; they tend to wreak less physical destruction and more psychological and social havoc. By changing data, sometimes subtly, sometimes in the open, cyber weapons deceive, confuse, and surprise. They heighten uncertainty about what type of damage they may cause; the uncertainty itself may be the most potent weapon. And cyberattacks often exist in and amplify the space between war and peace. They are used by states, and non-state actors, to coerce, influence, and damage despite there being no formally or legally declared conflict.
In April 2013, the Syrian Electronic Army (SEA), a group of hackers that supports the regime of Bashar al-Assad, took over the Associated Press's Twitter account and sent a fake message about a bomb attack on President Obama, causing the Dow Jones Industrial Average to plunge 146 points in a few seconds and erasing $136 billion in market value. The market quickly bounced back, but the hack demonstrated the power exerted by destabilizing extremely complex systems—high-frequency trading programs that make trades based on keywords within milliseconds. The Associated Press was not the first or the last media organization to get hacked; the SEA attacked CBS, NPR, the BBC, the Washington Post, the Onion, and the New York Times in retaliation for what it calls one-sided coverage of the Syrian civil war. Taking over a social media account is not a complex hack, but it was effective in undermining trust in information systems at the local, national, and international levels.
With the shift away from purely military targets, the battle over cyberspace is remaking the division between the public and the private, between what we expect the government to do and what remains the responsibility of companies, public organizations, and individuals. A defining characteristic of a modern state is a near monopoly on security and foreign policy. Yet for the last three decades, the assumption has been made by both the technological community and the US government that the private sector should take the lead in cyberspace. Even bureaucratic language drawn from an Obama administration document on cybersecurity admitted that the private sector "designs, builds, owns, and operates most of the digital infrastructure."
The stark division between public and private was temporary, if not illusionary, as was the idea that the two were separable when it comes to cyberspace. The year spanning June 2012 to June 2013 destroyed the illusion. Almost everything the United States does in cyberspace requires a blurring of the line between public and private. Private firms own the networks necessary for attacking and defending the telecommunications, energy, and financial sectors. More than 90 percent of American military and intelligence communications travel over privately owned backbone telecommunications networks. Many of the most talented programmers are in the private sector or academia, and private companies develop both attack malware and defenses against such programs. In the face of relentless and seemingly unstoppable theft of intellectual property, some have suggested that companies be allowed to "hack back"—that is, to hack the hackers. In fact, in one survey, more than one-third of respondents admitted that they had already done so, even though it is illegal.
Diplomacy is undergoing a similar transformation to warfare. As is now well known, a number of technologically enabled individuals can disrupt the carefully choreographed diplomacy of states. WikiLeaks, a website that hosts classified and other secret materials, posted thousands of State Department cables leaked by Chelsea Manning in 2010. The Edward Snowden disclosures undermined US strategy in cyberspace and forced Washington to justify and explain its intelligence collection practices to Berlin, Tokyo, Brasilia, and other close partners.
Indeed, privately owned platforms and technologically savvy civil society groups are often central to achieving or blocking diplomatic initiatives. Under Hillary Clinton, the State Department adopted an Internet agenda built on four freedoms: the freedom of expression and religion online, as well as the freedom to access the Internet and thereby to connect to websites and other people. While US government officials pursue these rights at the United Nations and other international institutions, the State Department also relies on private groups to develop software that allows users in Beijing, Tehran, and other locales around the world to avoid censorship. At the same time, sales by technology companies like BlueCoat of surveillance and filtering equipment to Bahrain and Syria can undermine the State Department's Internet freedom agenda, as might corporate decisions like Apple's discontinuation of OpenDoor, an app that allowed Internet users to circumvent China's so-called Great Firewall.
In part, the changing economic base of power and influence drives this blending of the public and private. For the last 250 years, the material source of power was manufacturing. In his "Report on Manufactures," Alexander Hamilton urged Congress to help build a strong manufacturing base so that the United States could become "independent of foreign nations for military and other essential supplies" and trade with Europe on equal terms. By the middle of the last century, there was little doubt the United States had fulfilled Hamilton's dream. In the first year of World War II, the United States produced 18,466 aircraft; by 1944, 96,270 had rolled off the lines. Educational policy, tax incentives, and investments in transportation and other infrastructure all served to support factories at home. US diplomats roamed the world promoting the General Agreement on Tariffs and Trade, as well as its successor, the World Trade Organization, and countless bilateral agreements to encourage the (relatively) free flow of goods, services, and people.
Cyber power has a different source and requires different subsidies, incentives, and support. In the first decade of this century, Israel, a small economy of a little more than 7 million people, sparked a disproportionately large number of successful technology companies. It has more companies listed on the NASDAQ than any country outside the United States, more than China, Europe, India, Japan, and Korea combined. Amazon, Dell, Intel, Microsoft, Google, Cisco, and other technology giants have important research and development centers in Haifa, Herzliya, and Tel Aviv. Israel has benefited from a handful of world-class universities and the immigration of a large number of Jewish Russian scientists and engineers into the country. However, much of the energy and knowledge that drove Israel to become a "start-up nation" came from the military. Almost every non-Arab citizen serves in the Israel Defense Forces (IDF), and veterans of Unit 8200, the IDF equivalent of the NSA, have founded a high number of technology firms. Shvat Shaked and Saar Wilf, for example, took their experience tracking terrorists and turned it into Fraud Sciences—a company, eventually sold to PayPal, that identified online criminals and prevented fraud.
Israeli prime minister Benjamin Netanyahu is applying this model of innovation and entrepreneurship to cybersecurity. "Although the field is not precise . . . we must enter it . . . and become a world cyberpower," Netanyahu told participants in a 2011 conference in Tel Aviv. "This is possible. We're no longer crawling, we're walking, and soon we will be running forward." Netanyahu's efforts have included the establishment of a new National Cyber Defense Authority with a budget of over $500 million and the creation of a cyber threat research cluster in the desert city of Beersheba. The cluster encompasses branches of Unit 8200, Israel's computer emergency response team, private companies, multinational firms, and BenGurion University, the first university in the country with a graduate program in cybersecurity. While still in the early stages, the programs look promising. By the end of 2014, eight Israeli cybersecurity companies had been sold for almost $700 million, and Israel accounted for 13 percent of new global research and development in cybersecurity.
The same model of private-sector, government, and university interaction was responsible for the emergence of Hewlett-Packard, Google, and other US tech giants and, as a result, for a huge amount of US power and international influence. US companies not only developed and sold the computers, servers, software, and routers on which the Internet runs but also became part of what the Harvard political scientist Joseph Nye calls America's soft power, its ability to influence and attract through ideas, institutions, and culture rather than to coerce through force. The rest of the world loved the products, story, and energy of Silicon Valley.
The exposure of NSA surveillance and espionage programs is reconfiguring the interdependence between Silicon Valley and Washington. The double helix that bound them together is being unzipped and its components cut and shuffled. The enzyme activating this process is the global market. US technology companies have billions of customers outside the United States. Greater China, for example, accounted for about $16 billion in revenue for Apple, out of total revenues of $74.6 billion during the first quarter of 2015. "It's an incredible market," said Apple's CEO Tim Cook. "People love Apple products. And we are going to do our best to serve the market." In 2014, Google earned 58 percent of its revenues outside the United States; Facebook, 55 percent; Intel, in 2015, earned over 80 percent abroad. American companies are now more willing to stand up to Washington and to align with the interests of global customers.
Multinational companies and globalization are, of course, not new. GM, Procter & Gamble (P&G), and Coca-Cola are global companies, but their relationships with their customers are relatively limited and transactional. They market and sell a product. P&G wants to know how often people in Caracas wash their hair with Pantene but is unlikely to have information about where Caraqueños go after getting out of the shower, how long they are stuck in traffic, and what they think of a new Italian restaurant.
The technology companies' missions have been much more expansive—Facebook wants to connect the world; Google, to bring order to the world's information—and so these companies have a more complicated, intense personal relationship to their customers that, if they have their way, will extend over years and into almost every aspect of users' lives. Integrating the data from searches, the Android smartphone operating system, and the traffic app Waze, Google knows all of the above information as well as whether a given Caraqueño compared Pantene to Unilever's Suave, if he or she looked up other restaurants before deciding on the Italian one, and quite possibly who the evening's date is—if the Caraqueño did a Google search on that individual.
This means that governments in a number of regions around the world are looking at Google, Facebook, Twitter, and other large US technology companies less as beacons of innovation and invention and more as the handmaidens of the NSA, monopolists, or both. The global technology companies undermine nation-states' conceptions of territoriality. Any change Facebook makes to its privacy settings affects over a billion people around the globe. These decisions get made in Menlo Park, without the input of policymakers in Brasilia or Jakarta, even though they affect tens of millions of Brazilian and Indonesian citizens.
In the abstract, almost everyone agrees that the free flow of data, like more open trade, is good for the economy. According to a 2011 McKinsey study of thirteen countries (the Group of Eight plus Brazil, China, India, South Korea, and Sweden), the Internet has accounted for 3.4 percent of GDP and 7 percent of growth in these countries over the past fifteen years. McKinsey also predicts that by 2025 the potential global economic impact of the Internet of Things will be $2.7 trillion to $6.2 trillion annually and of cloud computing—massive amounts of data stored not on your own device but on remote servers—$1.7 trillion to $6.2 trillion.
But no one lives in the abstract, and the push to impose digital sovereignty is spreading. "Digital sovereignty" is an evocative if vague term that harkens back to twentieth-century conceptions of regulation and state control. It represents the old world imposing itself on the hacked world. Nearly every node of the Internet is located within the territory of a sovereign nation and therefore falls under its laws and jurisdictions. Countries can arrest, intimidate, and beat individual users, try to route all e-mail within their territory, pressure companies to maintain data servers locally, arrest technology company employees, or force companies to submit to security inspections and provide access to source code if they want to sell in domestic markets. For some, digital sovereignty is synonymous with the de-Americanization of the Internet. One French Foreign Ministry official described the US technology companies to me as "the gatekeepers of the digital economy, absorbing the value and ensuring European companies act as subcontractors."
With the combination of massive amounts of data and the growing ability to monitor individuals—on the web, via mobile phones, through closed circuit cameras—we appear to be sliding into a "surveillance society." The question we have to face is, by whom do we want to be surveilled: a government, a corporation, a hacker? There are no limits to our technology. John Villasenor, an electrical engineer at the University of California, Los Angeles, argues that because costs for computer data storage keep plunging, it will be feasible "to record and store everything that can be recorded about what everyone in a country says or does."
The capabilities to collect information have expanded as the potential targets have proliferated. During the Cold War, there was a limited number of secrets, a finite number of Chinese and Soviet diplomats or naval bases. Today, terrorist networks, lone wolves, and anonymous groups of political hackers are unseen and diffuse. The fear is that they can be anywhere, and so national security agencies have an almost boundless ambition and desire to gather all data available. As Deputy Attorney General James Cole has said, "If you're looking for the needle in a haystack, you have to have the haystack."
In addition, defending complex systems from computer attacks requires ever-growing volumes of data. The interconnection of communications, financial, energy, health, transportation, and other vital networks creates more possibilities for failure and more points vulnerable to attack. The defender cannot be every where but wants to see more data to predict where the attacker might be. As computer security expert Dan Geer put it in a speech at the 2014 RSA cybersecurity conference, "As society becomes more interdependent within itself, the more it must rely on prediction based on data collected in broad ways, not in targeted ways. That is surveillance."
The United States has incomparable resources, but it may never be as strong in cyberspace as it is today. Cyber power may be a particularly ephemeral form of power. New technology competitors are arising, friends and allies hold different visions of how to manage the Internet, and the gap between the interests of global Internet and technology companies and Washington is growing. Individual users may come to depend more on their own technological prowess to defend themselves from malware than on law enforcement agencies. The global, open Internet, a wellspring of US economic, political, and military power, is fragmenting.
Some of this loss of power is unavoidable, the result of demographics as the center of gravity for Internet users shifts rapidly from the developed to the developing world. As with many transnational challenges, there will be much that the United States cannot control, and new challenges will emerge from the spaces beyond the range of US regulations, norms, and influence. Some of the diminishment of power stems from the logic of international politics, from competitors that seek to balance US power. And some of it is self-inflicted; the United States pursued data and information in service of defending itself from terrorist attacks but at the expense of other diplomatic, economic, and national security interests.
Policymakers have been slow to understand the fallout from and significance of Year Zero. This myopia is partly the result of American Internet exceptionalism, a sense that the United States has a unique, beneficent role in cyberspace. This was not an outlandish view, given the United States' history in creating the Internet and overseeing its global expansion. But this exceptionalism not only led to an exaggerated sense of US power and influence but also blinded decisionmakers as to how other countries defined their own interests and interpreted US actions.
It also left policymakers ill prepared for the technology community's reaction to the Snowden disclosures. As story after story emerged alleging that the NSA undermined encryption, hacked into cables carrying the data of US companies, placed implants and beacons in servers and routers, and generally weakened internet security, Washington struggled to find its feet. Most of the national security justifications offered for the intelligence agency's actions, such as breaking up terrorist plots, seemed unsubstantiated or rang hollow. Policymakers failed to comprehend the depth of Silicon Valley's anger. As one cybersecurity entrepreneur based in Santa Clara told me, "I cannot overstate the loss of trust. You have today large, publicly traded companies that do not even want to take a meeting with people in the administration. They think there is nothing to be gained."
There has always been a cultural clash between the technology and foreign policy crowds, between readers of Wired and Foreign Affairs. Many of the readers of Wired embraced the ideas that "information wants to be free" and that computer technologies would radically empower individuals and make the world a better place. "The Internet," the lawyer and activist Jennifer Granick told the audience at a 2015 hacker conference, "would place our reading, our associations, and our thoughts outside of government control." Granick continued, "The Internet would not just enable communication, but would do so in a decentralized, radically democratic way. Power to the people, not to the governments or companies that run the pipes."
While foreign policy elites were also awed by the ability of the Internet to change the world, they saw it, like so many other spaces, as an arena for regulation, contention, and conflict. They were more likely to think about national advantage and relative gain. They preferred "cyber" as a descriptor over "digital," "connected," or "wired," a prefix off-putting to the Wired crowd. As Granick put it, "When I hear 'cyber' I hear shorthand for military domination of the Internet, as General Michael Hayden, former NSA and CIA head, has said—ensuring U.S. access and denying access to our enemies. Security for me, but not for thee."
There was, however, a small space where the ideas and interests of the technology and foreign policy communities overlapped. Wired readers agreed with the Foreign Affairs crowd that Silicon Valley and Washington should work together to advocate for free speech and open access, reduce international trade barriers, and promote the promises of the information technology revolution globally. This narrow alliance is now on shaky grounds, and those who want to preserve it, or even reinvigorate it, face growing skepticism from inside their own ranks.
While it should continue to promote and espouse the virtues of an open, global, and secure Internet, the United States must prepare for a more likely future—a highly contested, nationally divided cyberspace. Brazil, China, Russia, and others have different visions of the preferred structure and legitimate uses of cyberspace, and chapter two describes both the sources of power in the digital age and the emerging patterns of statecraft—how nation-states get power and what they think they should do with it once they have it. States are confronted with a number of decisions in cyberspace: Should cyberattacks be limited and precise, or disruptive and widely used? Is influence best exerted through counter-narratives or mass disinformation? Is the model for innovation the one developed in Silicon Valley, or does it require more government intervention and direction? The answers to these questions are rooted in history, ideology, and strategic challenges, and they will shape the hacked world order.
The next six chapters are a short history of how these ideas have been put into action; they recount two decades of disruption, destruction, theft, trade, and influence in cyberspace. Chapter three covers disruption and the political uses of cyberattacks, primarily by Russia but also by North Korea. Chapter four looks at a more destructive future, attacks designed to cause physical damage or death, and what can be done to prevent the outbreak of cyber conflict and limit the fallout from it. Chapter five delves into the most prevalent forms of cyberattacks—cyber espionage and the theft of secrets for political and military gain as well as economic benefit. Chapter six looks at how cyber espionage, and NSA surveillance in particular, spilled over into and became intertwined with the desire in Europe to protect user privacy and create competitors to US technology giants. Chapter seven begins with the Twitter war between Israel and Hamas, and then moves on to Chinese and Russian trolls and the online battle against the Islamic State. Brazil's Internet culture and efforts to reform the global governance of the Internet is the centerpiece of chapter eight.
The challenges of the hacked world order are both familiar—other states will pursue policies that limit US power and influence—and unconventional—new actors may exploit unexpected and unknown vulnerabilities in networks to wreak damage and destruction. Policymakers will lose their sense of strategic stability, predictability, and control while gaining new tools of coercion and a wider legitimacy for digital policy.
In order to address the challenges, the United States must at least accomplish three things: enhance defense at home, create a working truce between the government and the private sector, and build a coalition of like-minded countries in the international sphere. Washington will have to funnel new money to research, development, and innovation in cybersecurity; forge agreements with the private sector on the sharing of data; and, with its friends in Europe and Asia, clearly define what behaviors are acceptable in cyberspace and how it plans to respond if lines are crossed. The United States will have to be more limited in its ambitions but more assertive in their pursuit.
The hacked world order will come with social, security, and economic costs. But if it succeeds, the United States can help shape a future in cyberspace that is, if not entirely pacific, marked by continued innovation and the relatively free flow of information in many parts of the world.