Imagine it's the year 2022. Across the Pacific Ocean, a small country — an American ally — has provoked a big adversary nearby. Call them Red. Red's size and military capabilities are near those of the United States.
Red responds aggressively to its neighbor's provocation. Within days, the big adversary has crippled the smaller country's power grid, communications networks and other infrastructure through cyberwarfare. Then, Red launches a preemptive cyberattack against the small country's big ally: the United States.
If you were the U.S. military, how would you respond?
That was the scenario faced by a group of high-ranking officers huddled together at an Air Force base in Colorado for the 2010 Schriever Wargame.
«It was a really instructive and, I think, very scary war gaming exercise for people in the military,» writer Shane Harris tells NPR's Arun Rath. «The adversary in this game really got the advantage very quickly and won pretty decisively, because the American side really hadn't developed a playbook for how you would go to war between two large militaries in cyberspace.»
Harris recounts that 2010 Schriever Wargame in his new book, @War: The Rise of the Military-Internet Complex.
The book looks at cyberspace as war's «fifth domain» (after land, sea, air and space). Harris covers topics like the NSA, the role of cyber warfare in the Iraq troop surge of 2007, China's «rampant» espionage on American corporations — and the U.S. government's strategy of playing the victim.
Harris tells Rath that after that alarming war game, the U.S. military's cyberforces became much more organized and sophisticated — but that China, the real-life country that parallels the imaginary Red, also is believed to have impressive capabilities.
On what Obama might have been told on his first day in office
He actually got a little bit of a taste of this on the campaign, because his campaign email system was hacked, presumably by spies in China.
When he comes in on the first day, what he's presented with is the knowledge that the computers that control portions of the electrical power grid in the United States have been probed by foreign intelligence agencies. He is told that espionage, particularly by China, against American corporations is rampant, and that billions of dollars in intellectual property and in trade secrets are being lost every year. And that basically, there is no really coherent organized system in the U.S. government for how we're going to defend the internet, how we're going to defend the cyberspace and all of the businesses and the people that depend on it.
What he decides to do very early on in the administration is to, in his words, start treating cyberspace as a national asset, a strategic asset, and protecting it as such.
On China's cyberwarfare capabilities
The thing that China has going for it that we do not have is people. The number of people within the People's Liberation Army, within the sort of intelligence apparatus of China, which is a very opaque system in its own right, is believed to be thousands of people, who are basically hired hackers who spend much of their day aggressively trying to penetrate the computer networks of U.S. corporations especially. China is sort of gathering information that they can then pass on to Chinese businesses and corporations that give them a leg up in negotiations and in the global marketplace. They're trying to advance their economy very quickly and stealing information to do it.
Less clear is how sophisticated their sort of military offensive apparatus is compared to ours. For instance, if China ever went to war with us in the South China Sea, let's say, how sophisticated and how good would their hackers be trying to break into our naval systems and confuse our ships? We know less about that but I think the conclusion we have to reach is that because they're having so many more people doing this than we do — I mean, we have a few thousand — that China is a really formidable force. And that makes a lot of sense that they would put so many resources in this. China will never be able to, at least in the near future, challenge us in a conventional military way. They can't go head-to-head with us on land or on the sea. Cyber is a place where they can gain an extraordinary advantage and do a lot of damage.
On the U.S. government positioning itself as a victim
The United States government loves to come out and talk about how relentlessly we're being hacked and how our intellectual property is being stolen from our businesses. And that's true.
But what that covers up is that we are also one of the most aggressive countries going out there breaking into other countries' systems and spying on them. And we are one of the few countries that we know of that has launched offensive operations in cyberspace. We have used computer viruses to break infrastructure, physical things that are connected to computer networks. Very few countries are known to have done that.
I think one of the reasons why U.S. officials have been keen on showing how we're victimized is because they believe that U.S. businesses have not done enough to secure their own computer networks. From the government's perspective, they can't go in and necessarily force those companies (at least not yet) to improve their defenses, so it's been sort of more of a strategic, rhetorical calculation on the part of the government to come out and say, «We're victimized, it's terrible, lots of information is being stolen, and the only way we can stop this is you corporations have to do better security and work with us and let us help you do that.»
So there's a reason why the U.S. has tried to play that victim card so repeatedly: It's because they want to get results from private businesses.
An In-Depth Look At The U.S. Cyber War, The Military Alliance And Its Pitfalls
TERRY GROSS, HOST:
This is FRESH AIR. I'm Terry Gross. Cybersecurity, cyberwar and the rise of the military Internet complex is the subject of the new book «@War» by my guest, Shane Harris. His book reports on how intelligence agencies are working to defend us against cyberattacks. But he also reports on how American intelligence agencies, sometimes with the cooperation of American corporations, are trying to dominate cyberspace and use it to spy on other countries and how those efforts are changing the Internet in fundamental ways and not always for the better. Harris covers intelligence and national security for The Daily Beast and is the author of an earlier book called «The Watchers: The Rise Of America's Surveillance State.» Shane Harris, welcome to FRESH AIR.
SHANE HARRIS: Thank you.
GROSS: Let's start with what you describe as the military Internet complex. What is it?
HARRIS: Well, the military Internet complex is an alliance — formal and informal really — between the U.S. military and the intelligence community and principally the National Security Agency — which is our largest intelligence agency — and large American corporations to include defense contractors who work for the government principally and build weapons systems for the government, but also increasingly technology companies like Google and Facebook and Yahoo that are responsible for providing information — information about people in the world — to the intelligence community who own and operate much of the Internet infrastructure in this country and around the world.
And what I mean by this alliance is that it is principally in the business of monitoring computer systems and monitoring the world's networks for threats. And principally in the book, I write about threats from hackers in other countries, but also in the United States. And this alliance has been set up largely for the purposes of defending computer networks in America, but also waging offensive operations on computer networks mainly overseas. It's something that's been done more in the shadows, but this alliance really has forged for the purpose of essentially trying to operate in cyberspace as if it were a battlefield, as if it were on land or in the sea or in the air.
GROSS: So before we get deeper into this relationship between the Internet companies and the military, has that been changed by the Edward Snowden leaks?
HARRIS: I think it has been changed. I think it's actually been strained by the Edward Snowden leaks. Mainly what we're seeing with the strain is in the relationship between government and principally the intelligence agencies and the tech companies like the Googles and the Facebooks and Yahoo. Those companies, we now know from the documents Snowden leaked, had been cooperating with the government in handing over — because they were forced to do so really — large amounts of information about their customers. We've learned a lot more about what the NSA was doing secretly with some of this data and ways that it was even trying to secretly hack into the systems of the companies that it was forcing to hand over data.
GROSS: So let's back up a little bit. When this cooperative relationship was formed between tech companies, defense contractors and the intelligence agencies — you write that the government views protecting whole industries as the best way to protect cyberspace. Why?
HARRIS: Well, the fear that the government has is that what we call critical infrastructure in this country — by which we mean things like our electrical power grid, water treatment facilities, big public utilities, large financial computer systems, the stock exchange, the systems that run large banks — the government fears that those computer systems are vulnerable to hackers and that an intruder could get in and steal data, manipulate data or possibly even damage the physical infrastructure that is connected via the Internet to some of these vulnerable systems.
And so what the government has tried to do is prioritize which industries and which sectors of the economy are the most at risk, and then go to the companies in those industries and try and share information that the intelligence agencies know about hackers with those companies. So, for instance, the government is trying to push information about hackers who were trying to break into banks and to share that with banks so that the banks can then take that data, which is information, by the way, that's gleaned from espionage, from our spies going into foreign computer systems and seeing what other hackers are up to, pushing that information out to the bank so that the banks can in turn take that and incorporate it into their own defensive strategies and better protect themselves.
And so the government has tried to divide up these critical infrastructures and essentially provide information when it can to those businesses so that they can protect themselves and the government does not have to go in and set up its own equipment on those networks to try and defend them for them.
GROSS: What have you found out about what these meetings are like, these secret meetings between, I guess, CEOs of these companies and members of the intelligence community?
HARRIS: They can be very tense and often I think sort of a little spooky and exciting. There's a couple stories that I like particularly that kind of illuminate this. The NSA has been in the practice of granting temporary security clearances, sometimes for as short as one day, to the CEOs of big tech companies. The CEO of Google, Sergey Brin, got one of these at a meeting that was held some years ago. And what it does is it sort of, you know, brings CEOs into the secret tent and says, OK, we're going to show you some stuff about hackers, threats to your networks and other networks in the United States. But you can't tell anyone; it's a secret. Of course if you do divulge the information, we can prosecute you. And I think it sort of has the effect, on the one hand, of making these CEOs feel like they're sort of part of a very important official mission and also scaring them, perhaps, and frightening them into thinking that their networks are very vulnerable and they better do something to protect them because national security is at stake.
There've been also tenser meetings. I write in the book about the former director of the National Security Agency, which is sort of the — the NSA is the center of activity in the government in cybersecurity — this is a man named Keith Alexander who, a number of years ago, went up to New York and met with top executives from a number of big banks and said that the banks were at great risk for being hacked, which, of course, they understood and they knew already. And that what he would like to do would be to come and actually install monitoring equipment on some of their networks to be able to help them fend off hackers. And the executives — I talked to some who were there — thought this was outrageous, the idea that they would allow a spy agency into financial networks and look into the account data of their customers. And they sort of looked at Alexander like, you know, you must be crazy to think that we would ever let you do something like that.
GROSS: And I should point out here that the banking industry has had a lot of cyberattacks — I mean, big problems.
HARRIS: They really have. And it's particularly lately one of the more high-profile ones was there was a major breach of the computer systems at J.P. Morgan. This really — that particular event actually frightened a lot of security people in Washington because the banks have been generally assumed to have the best computer defenses in place because they're dealing with money. I mean, they're dealing with people's account data as well. And I think when hackers got into those J.P. Morgan systems, it really sort of rattled people.
GROSS: So getting back to the military Internet complex, this seemingly cooperative relationship between private industry and the intelligence agency, you write that the NSA has helped companies find weaknesses in their products that leave them vulnerable to cyberattacks. But at the same time, the NSA has sometimes paid companies not to fix some of those vulnerabilities. What's that about?
HARRIS: This really gets to the heart of — there are two conflicting missions within the NSA. On the one hand, the NSA's mission is to protect information and protect computer networks so that the data — and in many cases the government secrets inside official networks — can't be stolen. On the other hand, the NSA is a spying agency. Its job is to go out and try and break into computer systems in other countries and steal information about our adversaries.
The technology that the NSA is spying on is largely commercial technology. So, you know, we use Microsoft in this country for our operating systems in millions of computers. People use it in other countries as well. There's telecommunications equipment that's sold in this country that's also used in foreign countries that we're trying to spy on. So this sort of off-the-shelf technology is something that the NSA wants to know how to be able to manipulate and get into. If it finds ways into that technology that are not widely known that sort of are hidden flaws and vulnerabilities that it could take advantage of to spy on it, it doesn't necessarily want that information to be put out there because if that hole were patched, the NSA couldn't get into it.
So there's this conflicting mission of on the one hand, the NSA trying to ramp up cybersecurity and defend information, on the other hand, trying to keep computer systems around the world just weak enough, at least maybe in the places that they know about, so that they can manipulate them and perhaps have, you know, exclusive or kind of privileged access to them when they want them. Those two missions are very much at conflict with each other.
GROSS: Yeah, and in addition to the NSA preserving some of those vulnerabilities so it can get access to information, there are other possible consequences of leaving those vulnerabilities. What are those consequences?
HARRIS: Well, one is that the NSA won't be the only one that finds out about the vulnerability. So there was a case a number of years ago that I think illustrates this point pretty compellingly. There was a standard that was being developed for encryption technology in the United States. And encryption is just the — it's a way of scrambling data so that if I send you an email and we're sending it to each other encrypted, only you and I can unscramble it because we have the keys to decipher the encryption.
The NSA got involved with the writing of an encryption standard that eventually was widely used in a commercial product. And it inserted weaknesses into that recipe, if you like, that only it knew about — or that only the NSA thought that they knew about. That encryption was then pushed out with this — kind of this weakness in it. Pretty soon after it went on the market, smart technologists started looking at this algorithm and saying there's something wrong with this. There are flaws here that don't make any sense. And it wasn't widely known outside that community, but a smart hacker in another country could catch on to that and see that the algorithm had a weakness and also exploit that as well. So NSA weakening this encryption algorithm ostensibly to make sure that it had the ability to decipher messages of what it would say are the bad guys — if it ever needed to do that because the bad guys could be using this encryption just the same way you and I might — ended up weakening it in a way that those bad — those other bad guys could've found out about it. I think that's a good example of how, by weakening something in the name of security, the NSA is also undermining the very security of that technology and putting all of us at greater risk.
GROSS: If you're just joining us, my guest is Shane Harris, author of the new book «@War: The Rise Of The Military-Internet Complex.» And he covers intelligence and national security for The Daily Beast. Let's take a short break, then we'll talk some more.
GROSS: This is FRESH AIR. And if you're just joining us, my guest is Shane Harris, author of the new book «@War: The Rise Of The Military-Internet Complex.» And he recently moved to The Daily Beast where he's now a senior writer covering intelligence and national security.
Do internet companies as well as companies that rely on huge computer network systems like the banking industry — do they feel they need the NSA to warn them about cyber threats and to help them when they are under attack?
HARRIS: Increasingly they do not feel like they need the NSA's help. And this is something that actually surprised me a lot when I started researching the book. I think seven or eight years ago, if you'd gone to some of these companies and — they would have been — many of them would've been very new companies at the time — they would have been very surprised to find out how pervasive, for instance, cyber espionage by China against U.S. corporations is. They would have been, I think, a lot — very nervous about financial crime and financial computer hacking that's emanating largely from Russia.
In that time period, though, in the past five, six, seven years, they've gotten a lot smarter about detecting these threats. I tell one story in the book where a senior FBI official who was responsible for cybersecurity issues for the Bureau wanted to have a meeting with a number of bank executives and say, OK, we are going to basically open the file to you guys and be good partners here and show you all of the different criminal rings and hacker groups and schemes that we're tracking right now that we see targeting the banking industry — your industry. And effectively the banks looked at this and said, this is great, but we already knew almost all of this because they had started to open their own cybersecurity divisions. They're hiring outside consultants. They're just getting much better at monitoring their own networks.
One company I write about also near the end of the book is a company called Lockheed Martin, which is a big defense contractor. Eight years ago, they were a target of a major hack by China. And that event was one thing that actually started setting off alarm bells in the Pentagon and leading to more of this cooperation between government and industry over hackers. Today Lockheed Martin will say that they are tracking as many different hacker groups as the NSA is. They've become almost like an intelligence organization in their own right.
GROSS: Is there a revolving door for cybersecurity experts between the intelligence agencies and corporations?
HARRIS: There's a very big revolving door, and it's constantly spinning. You see it at really almost all different levels. I mean, I've talked to people who went to college and studied computer science on scholarships that were paid for by the National Security Agency. They got out of college. They did an obligatory four-year working stint with the NSA, and then they left to go out to California and start private cybersecurity companies in Silicon Valley.
You see it at very high senior levels. I mean, the individual who runs the cybersecurity business for Lockheed Martin, this huge corporation, is a former military officer. The former director of the NSA, Keith Alexander, a few months ago started his own private cybersecurity consulting business, for which he is reportedly charging clients anywhere from $600,000 to $1 million a month.
HARRIS: Yeah, it's an astonishing number, to basically provide them with the expertise and the technology based on that expertise to defend their networks against hackers, against foreign threats.
GROSS: So if your company's large computer network is being hacked, say, by Chinese hackers, what if the government is behind it and you — your company wants to fight back? That would mean your company is fighting against a country, which gets into really odd territory and really new territory. What law or regulations, guidelines, whatever address that?
HARRIS: Well, right now if you are — let's take a bank. And you find out that your networks are being penetrated or hackers in China are trying to break in. It is illegal under U.S. law for that bank to hack back against the source of the intrusion, to try and take those computers off-line, or to break into those computers to find out what information they may have stolen.
There is a significant debate going on right now, largely among national security lawyers, about whether the law needs to be changed to allow companies to do that hack-back in some way. The fear here is that if you loosen those restrictions, what will happen is that you'll get into a situation where a bank suddenly gets into a cyberwar with a nation state and then things could spiral out of control very quickly. The companies will say, we are under relentless assault from these foreign hacker groups. If the government is not going to step in and address that — by which we mean go out and get those guys, arrest them, take their computers off-line — then what are we as these companies supposed to do? And they all ask. And I think they have a legitimate concern here.
Are we supposed to just sit here and take it and just try and build higher walls and better defenses? You know, people draw an analogy to the principle of self-defense. I mean, if someone breaks into your home and tries to rob you, the law does make room for you to defend yourself in your own home. So a lot of these companies are asking, why, if someone is breaking into my computer network and stealing my property, why should I have to just sit there and take it? Why can't I take some sort of retaliatory response?
GROSS: What's one of the worst cyberattacks against, you know, a vast computer network in the U.S., a cyberattack launched from another country?
HARRIS: Probably some of the worst if we're measuring them in terms of damage done might be some of the recent attacks on big retailers like Target and Home Depot, which ended up stealing millions of people's credit card information and debit card information. Now, that's bad in terms of the number of people affected, but what we see there, too, is that the banks are able to, I think, recover from that pretty quickly. So if your credit was compromised then, you know, you're not really going to suffer from that. I mean, if there are fraudulent charges that are made to your account, the banks cannot hold you liable for them. And you're going to kind of go on about your life and get a new credit card.
I think, you know, where we've seen the much more damaging ones though is when you're talking about attacks by — particularly by China and the Chinese military — aimed at American corporations and stealing their commercial data and their proprietary trade secrets. So there was a fairly famous case that has actually been made public now because there's an indictment in it where the Chinese government hacked into a company called SolarWorld. SolarWorld makes solar panels, cells and related equipment — and was just robbing the company blind of its proprietary information, its pricing information and using that to then give to Chinese competitors so that they would have a leg up on SolarWorld in negotiations. So that was one way where it's been really damaging.
You know, another actually, really is — curiously doesn't involve a foreign hacker. The FBI, a number of years ago, was launching a sting operation against a pretty famous hacker group called Anonymous, which had decided that they were going to go after a company based in Texas called Stratfor. Stratfor is basically a publishing company. It writes really detailed analyses about geopolitics. And the Anonymous hackers believed that Stratfor was sort of a quasi-government agency and aligned with the CIA. So they started stealing information from it. And the FBI was watching this happen and notified Stratfor and said, listen, we've got this situation under control. We can see that they're inside your networks. Let us handle this. We want to gather information about what they're doing. Well, the hackers ultimately made off with and destroyed a huge amount of the company's material, these analyses that it sells. It's a subscription-based company. And it really financially wrecked the company. So that was another instance where, you know, on a small scale because it was just this one organization, but it demonstrates that if somebody wants to get inside your network and steal or destroy your property that you really rely upon to run your business, they can do tremendous damage.
GROSS: Shane Harris will be back in the second half of the show. His new book is called «@War: The Rise Of The Military-Internet Complex.» I'm Terry Gross, and this is FRESH AIR.
GROSS: This is FRESH AIR. I'm Terry Gross, back with Shane Harris, who is now senior correspondent for The Daily Beast, covering intelligence and national security. He's the author of the new book «@War: The Rise Of The Military-Internet Complex.» It's about cyberwar, cybersecurity and electronic surveillance. Another thing you write about is how the NSA has installed malware into tens of thousands of computers and servers around the world. How does it do it? Why does it do it?
HARRIS: Well, it has a system that is referred to in some of these classified documents we've seen — there's something called turbine, which — basically, they've developed ways to go out onto networks all around the world and detect what operating systems computers are running. And if there's a known vulnerability in that operating system, the NSA can essentially inject that computer with a piece of malicious software that can allow it to monitor the computer — in some cases, take it over.
And why it's doing this in foreign countries is because it wants to sort of have these little access points or these sort of, you know, toeholds into computers around the world in countries that it wants to monitor, that it wants to be able to get inside of their government agencies or their corporations. So the NSA does — you know, it's a spy — it's an intelligence agency. It spies on other governments. It spies on companies in other countries. And essentially, all of these infections, if you like, are sort of like little watchtowers or little listening posts that it's installing all around the world.
Once inside a computer system, though, to spy on it, it's not that much of a leap to do something to actually try and damage the computer itself, damage the data inside of it. Or if it's a computer that's connected to, let's say, a piece of physical infrastructure, like a power generator or a turbine in an electrical station, to actually cause that physical — that actual device connected to it to behave erratically and possibly to break. So all of these different points that the NSA has installed are for the purposes of monitoring and, if necessary, actually attacking and potentially causing physical damage via a cyberattack.
GROSS: Are the flaws that you're describing that are built into certain computers that are exported from the United States — are those flaws built in by the NSA, or are those flaws that the NSA knows about that the NSA wants maintained? Like, I don't know how much agency the NSA has in this.
HARRIS: Right. Principally, what we're talking about in these cases are flaws that the agency has discovered. So in these infected computers around the world, these are particular flaws in the software or the operating systems of computers that the NSA knows about. And the ones that it's most interested in are the ones that only the NSA knows about.
So there's something called a zero-day. A zero-day is a flaw in software or an operating system that is only known to the individual who discovered it. And effectively, there is no patch or defense for it. So if you were to try to exploit that vulnerability today, the program — the person who designed the system would have zero days to defend against it. There are researchers — hackers — who scour technology all around the world looking for these vulnerabilities. And they're really quite prized because it's not an easy thing to find a flaw that hasn't been discovered and patched before.
The NSA actually purchases this information from private hackers and is the single-largest purchaser, in fact — that we know of — of these zero-day flaws. And it does this because it wants to find those hidden, secret ways into computer systems and to keep that information to itself, which makes a lot of sense if you're looking at it from the NSA's perspective. If their job is to try and find novel and clandestine ways into computer systems, it wants to find back doors and cracks in the system that are known only to it because once that information gets out that, system can be patched. And then the NSA — then the doors close to the NSA.
GROSS: Can the NSA be sure, after buying zero-day information, that it's the only agency that knows about that flaw? Do they buy exclusive rights to the zero-day information because if they don't, it's not really a zero-day thing anymore because more people know about it?
HARRIS: Correct. And I don't think that they can know for sure. And I think that they presume that a lot of the information that they buy is perishable — that eventually it might be discovered before the NSA even chooses to act on the flaw. So it could just be something that they have in the bank, and then if, you know, two or three more people find out about it, we'll scratch it off the list. It's not really proprietary to us anymore.
There's sort of a gray market for this information. You know, if you knew how to get there, you can actually go online and contact a hacker on the deep web or the dark web, if you like, and find somebody who sells this kind of information. I think that there are some market forces at play here — such that if you are a known seller of zero-day flaws, you're probably not going to get much repeat business if you're found to be selling those flaws to multiple customers. But the NSA knows that this information is really quite perishable. It's one of the reasons why it stockpiles so much of it because you — you know, if you have 2,000 known flaws, you know, a percentage of those might be no longer exploitable only to you, you know, three months from now.
GROSS: While we're on the subject of all this, the military has been hacked. What's one of the worst hacks that the military has faced?
HARRIS: Probably the worst one that they faced was about five or six years ago. There was a really unsettling event — this was in 2008. There was a classified computer network used by U.S. Central Command, which is responsible for military operations in Iraq and Afghanistan. And one day — it was a Friday, I believe — the people who monitor this network started noticing that there was a piece of software inside the network — a piece of malware — that wasn't supposed to be there. And it was actually sending out a beacon, which meant that it was this device inside the network, and it was trying to reach out and contact some other computer somewhere in the world on the Internet.
And this frightened people in the military quite a bit, because the network that this malware was inside is not actually connected to the Internet. It's such a secret and sensitive network that it is, as they say, air-gapped. It's separated physically from the rest of the Internet. So how in the world did that get in there?
The general theory now is that probably there was a soldier in Iraq or Afghanistan who inserted a thumb drive — one of those little USB sticks — that he may have picked up someplace, put it into a computer. And it had this malware on it, and it got loose inside of the network. This was an event that really frightened a lot of people in the military. The White House was made aware of it because it demonstrated that even if you have a network that is not physically connected to the Internet, there is still potentially a way for an adversary to infect that network.
It's not clear whether or not — if, in fact, it was spread by a USB — whether this was a foreign intelligence agency that, you know, planted it on this person or threw it in a parking lot, and somebody picked it up. But it demonstrated there was a way to get into these networks, even if you do everything physically possible to try to make them safe. That was probably one of the — in a military system, one of the worst instances. It did not end up compromising military operations, and no classified information was stolen. But it was a real wake-up call to people in the Pentagon.
GROSS: I think ever since the Edward Snowden leaks, a lot of Americans have been very suspicious of the NSA. But you write in the book, the NSA is not the enemy. Are there things you want to remind Americans of that the NSA is doing that is really very important to our security as individuals and as a nation?
HARRIS: Yes. I mean, the NSA is the biggest source of expertise in the government right now of people who know how to defend computer networks and are very good at that job. And that's a vitally important mission. We, citizens of the United States, depend upon the Defense Department to protect us from foreign invaders. We would never imagine that if, you know, enemy planes were flying over the United States and dropping bombs, that the military would not respond to that. And within that context, the NSA does play a role in helping to defend computer networks in the United States. And we should be glad that we have that expertise there.
But what I argue is that the NSA has tried to take on, I think, too vast and too pervasive of a role and has fundamentally, in many ways, weakened all of our security, which I write a lot about in the book. In this desire to protect us, there's kind of a conflicting mission there. But we should understand that, I mean, ultimately, I think, you know, the agency is, I think, filled with good, very smart people who believe that they have a very important mission to help defend our networks.
What we need to do is put the right constraints on the agency and define more clearly what that agency's roles actually are, because, heretofore, I think they've largely been left to make those decisions on their own. And I think, arguably, the NSA has accrued too much power and too much authority over that vital mission. But, you know, we should remember that, effectively, I think that they're there to try and help. And we need good laws and good regulations and more transparency to understand how we can best use the expertise of the NSA and make sure that that authority and that power is not abused.
GROSS: If you're just joining us, my guest is Shane Harris. He's the author of the new book «@War: The Rise Of The Military-Internet Complex,» and he covers intelligence for The Daily Beast. Let's take a short break, then we'll talk some more. This is FRESH AIR.
GROSS: This is FRESH AIR. And if you're just joining us, my guest is Shane Harris, author of the new book «@War: The Rise Of The Military-Internet Complex.» And he covers cybersecurity and national intelligence for The Daily Beast. Let's talk about how cyberwar played a part in the war in Iraq — techniques that hadn't been used before. What were some of those techniques?
HARRIS: Well, in 2007, people will recall that the so-called surge began — the Iraq troop surge in which tens of thousands of more combat forces were put into Iraq. A little-noticed part of that military strategy was that the NSA developed a way to collect every electronic communication that was moving through Iraq — every cell phone call, every text message, every email that was sent. And they did this by physically tapping into, principally, the cellular phone networks in Iraq, which were really ballooning and blossoming at that time, and basically collected every piece of communication. And what they were trying to do here, and what they did quite successfully, was to hack into the cell phones and the computers that were used by insurgent fighters and members of al-Qaida in Iraq, which, of course, morphed later into the group ISIS that the U.S. is fighting in Iraq and Syria now.
The NSA's sort of elite hackers found ways to break into those phones, listen to the conversations. They sent fake text messages to some fighters, posing as their fellow fighters, telling them to go to a certain location to go plant a bomb. And when they got there, American troops were waiting for them. They found out ways to track people's cell phones even when they were turned off, using cell phones as sort of a tracking beacon so that it could figure out — if they knew a particular fighter or a bomb maker, they could follow him to where he was hiding out. They could round up his associates. The NSA actually infiltrated online websites — these forums that are used by jihadists — and planted malicious software in them so that when some of the people going to that site would go and would click on certain documents or read certain pages, their machines would become infected, and that would allow the NSA to sort of home in on them. And the agency gave all of this intelligence that it was generating to combat soldiers on the ground, particularly with what's called the Joint Special Operations Command, which are sort of the elite commandos in Iraq. And this sort of amazing, real-time cycle of intelligence began to take hold, whereby the NSA, which had basically hacked into the entire network infrastructure of Iraq, was able to gather information, send out fake information, send out malware and then physically locate where these fighters were and understand how their networks were arranged. So who was in charge? Who was the chief bomb maker? Who were people taking orders from? And feed that information to the troops on the ground, who then either went and captured those individuals or killed them.
And a number of people I interviewed for the book — and even David Petraeus, who was the commander of ground forces in Iraq, has said this publicly — credit that intelligence operation, that cyber operation, with being a deciding factor in turning around the tide of the war in favor of the American forces during the surge. It's credited with removing from the battlefield, either because they were captured or killed, at least 4,000 fighters, and ultimately led to us being able to dismantle al-Qaida in Iraq, and at least for that period in time, you know, I think was arguably a U.S. military victory.
GROSS: So what happens when an enemy could do the same thing against us?
HARRIS: They would be able to find out where our forces are. And they would be able to find out how we're communicating. And that's something that the military is very concerned about. We are not the only country that has these kinds of capabilities. We have vast capabilities and they're quite extensive, but the governments of Russia, of China — Israel has really sophisticated cyber capabilities. What the military worries about now is that if we ever go into a conventional war with another country — let's pick China, which is an improbable event, but let's say we were at war with China. They would be trying to hack into our systems, too. They would be trying to manipulate our communications. They would be trying to disable our infrastructure.
And the reason that so many countries are developing these cyber capabilities, one big reason, is that they know that they cannot challenge us in a conventional military setting. China does not have a Navy that can go head-to-head with ours. What they can do, and is much easier to do, is build a cyber capability that they could use if we were ever to get into a conflict.
GROSS: Are you assuming that we're using cyber capabilities against ISIS now? Because ISIS has really been relying on social media and the Internet for its propaganda, including its beheading videos.
HARRIS: Right. They've made great use of social media for recruitment and to spread their message out. ISIS is actually a fascinating case — and I've actually been looking into this and interviewing people in government in the past few days about it. ISIS has actually proven to be quite resilient to our cyber efforts. And the reason for that is that they have avoided using cell phones, radios, satellite phones. They've been very careful about when they post messages to Twitter to strip out the information that shows the geographic location where a photo was taken or a tweet was sent. They have figured out, in many ways, how we spy and how we monitor — or at least have assumed generally that we do make a great effort to spy on our adversaries' communications.
And it's worth remembering, too, that ISIS is the successor group to al-Qaida in Iraq, which is the group that we so effectively attacked using these cyber capabilities. So ISIS has really gone to school on U.S. cyberwarfare and is proving — actually, a number of officials have told me in the past two days — very difficult to track and to target with airstrikes, because they're staying off the grid. They know that once they communicate with these digital and electronic technologies, they put themselves at greater risk of being discovered. So they've really taken steps to try and limit the degree to which they are communicating with each other. And it's making it harder to target them.
GROSS: But it does disable their ability to communicate?
HARRIS: Exactly. And that's the flip side of it.
GROSS: Looking on the bright side.
HARRIS: On the bright side, exactly. (Laughter) It's harder, you know, just to imagine trying to go through your day without sending email and without being able to use the phone. So this is actually a situation that Osama bin Laden, I think, faced when he was hiding out in Abbottabad, in a house that did not have any connection to the Internet. There was no Internet service there. He had to rely on human couriers. And it's still not clear exactly how ISIS is communicating. But what we're hearing from intelligence officials is that, you know, they are limiting the way that they communicate. That certainly, though, is going to have — put constraints on what they're able to do. So there is a positive benefit to that.
GROSS: So, you know, we've been talking about hacking and stuff. We just — we recently learned that the National Oceanic and Atmospheric Administration, NOAA, which includes the National Weather Service, was hacked by China. Why would that be a target? Why is that a target?
HARRIS: I think, in this case, because NOAA relies on information from sophisticated imaging satellites and weather satellites, that getting into NOAA would be a way of learning more about what our satellite technology is. That's one possibility. Also what we've seen is a pattern of hackers, perhaps, trying to get a foothold in one government agency and to try to use that as a launching point, often into another agency that might be harder to get in through the front door of. So it could be that the hackers wanted to get in to steal passwords and other credentials of NOAA employees, to then perhaps imitate them and try and send communications to someone at another government agency, posing as this NOAA employee, and trick them into downloading a piece of malware.
The thing that's fascinating and sort of confounding about Chinese cyber espionage is that it is so broad and so pervasive that I almost find myself thinking, what target haven't they tried to hit? And one of the reasons why I think the Chinese, in particular, are able to do this is they have just devoted so much manpower, so much human power. Thousands and thousands of hackers are believed to be just sort of spending their days in rotating shifts trying to hack into all manner of U.S. companies, government agencies. I do think it's sort of really a coup when someone gets into a government agency because they might have secret information and they're generally believed to be more well-protected, although, I think clearly, NOAA was not. But I think that China is looking for just as much intelligence as it can possibly gather about U.S. corporations and the U.S. government. And so I guess in a way, why not NOAA?
GROSS: Well, Shane Harris, thank you so much for talking with us.
HARRIS: Thanks, Terry. It was a real pleasure.
GROSS: Shane Harris is the author of the new book «@War: The Rise Of The Military-Internet Complex.» And he's senior correspondent for The Daily Beast, covering intelligence and national security. Coming up, David Bianculli reviews the new DVD release of the «Batman» TV series from the '60s, which has never been available on home video before. This is FRESH AIR.
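The beaconing Harris describes in the Central Command incident, a host on a network with no Internet path repeatedly trying to reach one outside address on a fixed schedule, is the kind of signal a monitor on such a network can be written to catch. What follows is an added example, not code from the interview, the book, or any military system: a small Python detector run over connection logs constructed for this example. The enclave range 10.10.0.0/16, the log field layout, and the thresholds are assumptions. On a genuinely air-gapped network any attempt to reach an outside address is worth a look; the interval test only separates scheduled beaconing from one-off noise.

```python
"""Beacon detection over constructed connection logs (added example).

Flags (src, dst) pairs where a host inside an isolated enclave keeps
trying to reach an outside address at nearly regular intervals.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption for this example: the isolated enclave's address space.
ENCLAVE = [ip_network("10.10.0.0/16")]

# Constructed sample log, one connection attempt per line:
# "<ISO timestamp> <src> <dst> <dport> <action>"
SAMPLE_LOG = """\
2008-10-24T09:00:00 10.10.4.17 10.10.1.5 445 ALLOW
2008-10-24T09:00:03 10.10.4.17 198.51.100.20 80 DENY
2008-10-24T09:05:02 10.10.4.17 198.51.100.20 80 DENY
2008-10-24T09:10:04 10.10.4.17 198.51.100.20 80 DENY
2008-10-24T09:15:01 10.10.4.17 198.51.100.20 80 DENY
2008-10-24T09:20:03 10.10.4.17 198.51.100.20 80 DENY
2008-10-24T09:12:40 10.10.2.9 10.10.1.5 445 ALLOW
2008-10-24T09:31:10 10.10.2.9 203.0.113.7 443 DENY
2008-10-24T11:02:55 10.10.2.9 203.0.113.7 443 DENY
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append((datetime.fromisoformat(ts), ip_address(src),
                       ip_address(dst), int(dport), action))
    return events


def is_outside(addr):
    """True when an address is not inside any enclave range."""
    return not any(addr in net for net in ENCLAVE)


def outbound_attempts(events):
    """Every attempt to leave the enclave, regular or not, as (src, dst) strings."""
    return [(str(src), str(dst)) for _, src, dst, _, _ in events if is_outside(dst)]


def find_beacons(events, min_hits=4, max_jitter=0.2):
    """Return {(src, dst): mean interval in seconds} for pairs that look scheduled.

    A pair qualifies when it has at least min_hits attempts and the spread of
    the gaps between them (population stdev / mean) is at most max_jitter.
    Timestamps are sorted first, so log order does not matter.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _dport, _action in events:
        if is_outside(dst):
            by_pair[(str(src), str(dst))].append(ts)

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("outbound attempts:", len(outbound_attempts(evts)))
    for (src, dst), period in find_beacons(evts).items():
        print(f"beacon: {src} -> {dst} every ~{period:.0f}s")
```

With the defaults, only 10.10.4.17 is reported, calling out to 198.51.100.20 every 300 seconds; the two attempts from 10.10.2.9 fall under min_hits. Lowering min_hits to 2 would flag that pair as well, since a single gap has zero spread, which is why a minimum count is part of the test and not just the jitter bound.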
Bob Stasio never planned to become a cyber warrior. After he graduated high school, Stasio enrolled at the University at Buffalo and entered the ROTC program. He majored in mathematical physics, studying mind-bending theories of quantum mechanics and partial differential equations. The university, eager to graduate students steeped in the hard sciences, waived the major components of his core curriculum requirements, including English. Stasio never wrote a paper in his entire college career.
Stasio arrived at Fort Lewis, Washington, in 2004, when he was twenty-two years old. His new brigade intelligence officer took one look at the second lieutenant's résumé, saw the background in math and physics, and told Stasio, «You're going to the SIGINT platoon.»
SIGINT, or signals intelligence, is the capture and analysis of electronic communications. Like all branches of intelligence, it's a blend of science and art, but it's heavy on the science. The brigade intelligence officer had worked at the National Security Agency and recognized that Stasio's physics training would come in handy, because so much of SIGINT involves the technical collection of radio signals, fiber-optic transmissions, and Internet packets.
Stasio's military training in college focused on how to use a rifle and lead a squad. But he had spent six months learning the basics of intelligence gathering and analysis at the army's intelligence school at Fort Huachuca, Arizona. When he came to Fort Lewis, Stasio was assigned to a Stryker brigade, a mechanized force designed to be light on its feet, capable of deploying into combat in just a few days. It was Stasio's job to locate the enemy on the battlefield by tracking his communications signals. And he was also supposed to divine his adversary's intentions by eavesdropping on the orders a commander gave to troops, or listening for the air strike that a platoon leader was calling in from behind the lines. Stasio would join the Fourth Brigade, Second Infantry Division, «the Raiders,» and deploy to Iraq. He'd be working with a team of linguists, who would be essential, since Stasio didn't speak Arabic. But when it came time to meet them, Stasio started to worry: nearly all of the linguists spoke only English and Korean.
The army had designed its signals intelligence system for the Cold War. Thousands of troops still served on the Korean Peninsula. They were still trained in how to fight a land battle with North Korean forces, in which the physics of SIGINT — locating tanks and troops — would be central to the mission. But the Raiders were going off to fight a network of Iraqi insurgents, volunteer jihadists, and terrorists. These guys didn't drive tanks. They didn't organize themselves according to a military hierarchy. And of course, they didn't speak Korean.
Stasio decided that his intelligence training would be mostly useless in Iraq, where the US occupation was coming unglued. Army casualties were mounting, the result of a well-orchestrated campaign of roadside bombings by insurgents. The soldiers who didn't die in these attacks were coming home with limbs missing, or with severe brain injuries that would impair them physically and emotionally for the rest of their lives. SIGINT wasn't preventing these attacks. Indeed, it was hardly being used at all. In October 2004 the military's top signals intelligence officer estimated that as much as 90 percent of all information in Iraq was being supplied by a network of human spies and informants — and they weren't helping the Americans reduce the bombing attacks and insurgent strikes.
Stasio read as much as he could about insurgencies, noting in particular how they organized themselves using a network model, with many independent nodes of people working in teams, separate from a central controller. This was the opposite design of a vertical, military bureaucracy, with orders filtering down from the top through several layers of officers. In principle, the intelligence discipline in which Stasio was trained should still work. He was expected to locate his enemy using electronic signals and figure out his next move. But the tools the army had supplied to do this were ill suited to the shadowy, urban battlefields of Iraq. The Raiders used a collection «platform» known as the Prophet system, a rugged truck affixed with a tall, roof-mounted radio antenna about the size of a streetlamp. The older officers in the brigade liked the Prophet because it told them what enemy forces were in their immediate area of operations. It was a tactical device, and they controlled it, driving it to wherever they wanted to collect intelligence.
But the Prophet was designed to collect radio waves, and on a wide-open and relatively flat area of battle. Stasio knew that the enemy fighters in Iraq were communicating using cell phones and e-mail and through videos they'd posted on the Internet. They were moving in small groups through the dense concrete maze of Baghdad and other crowded Iraqi cities. The Prophet wasn't the most useful tool. Indeed, when Stasio finally got to Iraq, he saw that the military intelligence units that had come before him were using the Prophet not to collect signals but to transport food and other supplies around the base.
There was another reason the old-timers liked the Prophet — it was theirs. They could drive it wherever they wanted. They had control over the collection and analysis of intelligence. Stasio thought that his more senior officers generally distrusted intel that came from back in the States, frequently from Washington, DC, and the national intelligence agencies such as the CIA and the NSA, which, from the battlefield, looked like big, lumbering bureaucracies filled with software engineers and computer geeks who were too removed from the on-the-ground tactical needs of forces in Iraq.
But Stasio knew the national agencies, and in particular the NSA, had something he needed: data. Namely, servers full of electronic communications and signals collected by the agency's listening posts around the world. Stasio thought that if he could tap into SIGINT from Iraq, he might be able to understand something about the size and shape of the insurgent networks by piecing together their communications records. This was painstaking work, and it would require hours sitting in front of a computer, probably in some air-conditioned trailer, not driving a Prophet through dusty streets. Stasio was a fan of the HBO series The Wire, and he was particularly fond of one character, Lester, who uncovers a network of drug dealers in Baltimore by tracking their cell phone calls. Stasio wanted to do the same thing in Iraq.
He pleaded with his brigade intelligence officer at Fort Lewis: instead of sending him out to the rifle range to practice infantry techniques and study the bulky Prophet, let him and a few of his fellow intelligence officers spend time in the state-of-the-art intelligence facility on the base, learning how to use software for diagramming networks and digesting Internet and cell phone traffic. These tools had been largely overlooked by tactical military intelligence units, Stasio argued. But they could be enormously helpful in Iraq.
The officer agreed.
Excerpted from @WAR: The Rise of the Military-Internet Complex by Shane Harris. Copyright 2014 by Shane Harris.
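The analysis Stasio wanted to do in the excerpt above, piecing communications records together until the shape of a network appears and the people holding it together stand out, is ordinary graph work. Here is an added example of that analysis in Python; it is not code from the book or from any Army or NSA tool. The call records are constructed, the numbers are fictitious, and betweenness centrality (Brandes' algorithm over unweighted shortest paths) is the measure used here for "who bridges the cells"; the cut test at the end shows what removing that one number does to the graph.

```python
"""Contact-graph analysis over constructed call records (added example).

Builds an undirected contact graph from call detail records, finds the
connected groups, and ranks numbers by betweenness centrality to locate
the brokers between otherwise separate cells.
"""
import csv
from collections import Counter, defaultdict, deque
from io import StringIO

# Constructed call detail records: caller, callee, ISO timestamp.
# Two tightly knit cells (55501xx and 55502xx) whose only link is 5550999.
SAMPLE_CDR = """\
caller,callee,timestamp
5550101,5550102,2007-03-01T08:10:00
5550101,5550103,2007-03-01T08:15:00
5550102,5550103,2007-03-01T09:00:00
5550102,5550101,2007-03-02T10:20:00
5550201,5550202,2007-03-01T11:30:00
5550201,5550203,2007-03-01T11:45:00
5550202,5550203,2007-03-02T07:05:00
5550999,5550101,2007-03-03T06:00:00
5550999,5550201,2007-03-03T06:30:00
"""


def parse_cdr(text):
    """Return (caller, callee) pairs from CSV text with a header row."""
    return [(row["caller"], row["callee"]) for row in csv.DictReader(StringIO(text))]


def build_graph(calls):
    """Undirected adjacency {number: set(contacts)} and call counts per pair."""
    adj = defaultdict(set)
    weight = Counter()
    for a, b in calls:
        adj[a].add(b)
        adj[b].add(a)
        weight[frozenset((a, b))] += 1   # direction ignored for tie strength
    return dict(adj), weight


def components(adj):
    """Connected groups of numbers, each as a set."""
    seen, groups = set(), []
    for start in adj:
        if start in seen:
            continue
        group, queue = set(), deque([start])
        seen.add(start)
        while queue:
            v = queue.popleft()
            group.add(v)
            for w in adj[v]:
                if w not in seen:
                    seen.add(w)
                    queue.append(w)
        groups.append(group)
    return groups


def without(adj, node):
    """The same graph with one number (and its edges) removed."""
    return {v: {w for w in nbrs if w != node} for v, nbrs in adj.items() if v != node}


def betweenness(adj):
    """Brandes betweenness: how many shortest paths between others pass through each node."""
    bc = {v: 0.0 for v in adj}
    for s in adj:
        stack, queue = [], deque([s])
        preds = {v: [] for v in adj}
        sigma = {v: 0 for v in adj}       # number of shortest paths from s
        dist = {v: -1 for v in adj}
        sigma[s], dist[s] = 1, 0
        while queue:                       # BFS from s
            v = queue.popleft()
            stack.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = {v: 0.0 for v in adj}
        while stack:                       # accumulate dependencies back toward s
            w = stack.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {v: b / 2 for v, b in bc.items()}   # undirected: each pair counted twice


def brokers(adj):
    """Numbers ordered from most to least bridging."""
    bc = betweenness(adj)
    return sorted(adj, key=lambda v: bc[v], reverse=True)


if __name__ == "__main__":
    graph, ties = build_graph(parse_cdr(SAMPLE_CDR))
    print("groups:", components(graph))
    print("top broker:", brokers(graph)[0])
    print("groups after removing broker:", len(components(without(graph, brokers(graph)[0]))))
```

On the sample, the whole record set is one connected group, 5550999 is the top broker (every shortest path between the two cells runs through it), and removing that number splits the graph into the two cells. Degree alone would not have found it: the cell leaders 5550101 and 5550201 each have more contacts than the broker does.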