How the United States Lost to Hackers


By Nicole Perlroth


If ever there was a sign that the United States was losing control of information warfare, and of its own warriors, it was the moment one of its own, a young American contractor, saw the emails of the first lady, Michelle Obama, appear on his screen.

For months, David Evenden, a former National Security Agency analyst, wondered what he was doing in Abu Dhabi. He, like two dozen other N.S.A. analysts and contractors, had been lured to the United Arab Emirates by a Beltway boutique contractor with offers to double or even quadruple his salary and promises of a tax-free lifestyle in the Gulf’s luxury playground. The work would be the same as at the agency, they were told, only on behalf of a close ally. It was a natural extension of the American war on terror.

Mr. Evenden began tracking terrorist cells in the Gulf. It was 2014, ISIS had just laid siege to Mosul and Tikrit, and he followed its members as they switched phones and messaging apps. Brutal as it was, that was his calling, he said. Mr. Evenden, a divinity school graduate, had once considered becoming a chaplain. This was far from that, but what better way to live out his faith, he thought, than to hunt down terrorists? Soon, however, he was assigned a new project: to prove that the Emiratis’ neighbor, Qatar, was funding the Muslim Brotherhood. The only way to do that, Mr. Evenden told his bosses, would be to hack Qatar.

“Go for it,” he was told. It did not matter that Qatar was also a close ally of the United States, or that, once inside its networks, his bosses showed no interest in Qatar’s donations. Before long, his team at the contractor, CyberPoint, was hacking Emirati enemies, real and perceived, around the world: FIFA soccer officials, Twitter critics of the monarchy and, above all, the Qatari royal family, to learn where they were flying, whom they met and what they said. All of it had been cleared, he said. In the war on terror and in the cyberweapons market, you can rationalize almost anything.

Those rationalizations fell apart the day the first lady’s emails appeared on his screen. By late 2015, Michelle Obama’s team was putting the finishing touches on a trip to the Middle East. Sheikha Moza bint Nasser of Qatar had invited Mrs. Obama to speak at her annual education summit in Doha, where the first lady would announce her “Let Girls Learn” initiative. Mrs. Obama and her staff were in constant communication with Sheikha Moza. And every last email between the first lady, her Royal Highness and their staffs, every reflection, reservation, change of itinerary and private security detail, was beamed back to the computers of former N.S.A. analysts in Abu Dhabi. “That’s when I said, ‘We shouldn’t be doing this,’” he said. “We shouldn’t be targeting those people.”

Mr. Evenden and his family were soon on a flight home. He and the few colleagues who joined him informed the F.B.I. (The bureau does not comment on investigations, but interviews suggest its review of CyberPoint is ongoing.) Some employees spoke candidly to Reuters. The hacking of Sheikha Moza’s emails with Mrs. Obama was never reported.

Shortly after Mr. Evenden moved back to the United States, he began fielding calls and LinkedIn messages from former N.S.A. colleagues, still in service, who had received a “really great job offer” from Abu Dhabi and wanted his advice. The calls had a drumbeat quality. “Don’t go,” he pleaded. “It’s not the job you think it is.”

You may think you’re a patriot now, he wanted to warn them, but one day soon you too could wake up and realize that you are a mercenary in a cyber arms race that has gone horribly wrong.

Three decades ago, the United States spawned, and then cornered, the market for hackers, their skills and their tools. But over the past decade its lead has slipped, and the hackers have turned back on us with a vengeance.

Yet no one in government has seriously stopped to recalibrate the strategy, not with Michelle Obama’s emails caught in an American contractor’s network in 2015, and not today, with Russian hackers inside our government networks. The alarm has sounded, constant and resonant, and we have stepped over it every time.

Months after Mr. Evenden returned home in 2016, the N.S.A.’s own hacking tools were stolen by a still-unknown assailant. Those tools were picked up first by North Korea, then by Russia, in the most destructive cyberattack in history.

Over the next three years, Iran emerged from a digital backwater to become one of the most prolific cyber powers in the world. China, after a brief pause, went back to looting American intellectual property. And Russia, through a compromised software supply chain, reached into the State Department, the Justice Department, the Treasury, the Centers for Disease Control, the Department of Energy and its nuclear laboratories, and the Department of Homeland Security, the very agency charged with protecting Americans.

We know this not because of some heroic N.S.A. hack or intelligence feat, but because the government was warned by a security company, FireEye, after it found the same Russian hackers on its own systems.

The hubris of American exceptionalism, a myth of global superiority laid bare in America’s pandemic death toll, is what brought us here. We thought we could outhack our enemies. More hacking, more offense, not better defense, was our answer to an increasingly digital world order, even as we made ourselves more vulnerable, connecting water treatment facilities, railways, thermostats and insulin pumps to the web at a rate of 127 new devices per second.

At the N.S.A., whose dual mission is to gather intelligence around the world and protect American secrets, offense overtook defense long ago. For every hundred cyberwarriors working on offense, searching for and stockpiling holes in technology to be exploited for espionage or battlefield preparation, there was only one lone analyst playing defense to close them.

America remains the world’s most advanced cyber superpower, but the hard truth, the one intelligence officials do not want to discuss, is that it is also the most vulnerable. Few things in the cybersecurity industry have a worse reputation than alarmism. There is even an acronym for it: “FUD,” short for “fear, uncertainty and doubt.”

When Leon Panetta, then secretary of defense, warned of a looming “cyber Pearl Harbor” in 2012, he was dismissed as a FUD peddler. The cyber Pearl Harbor analogy is, in fact, imperfect: the U.S. government did not see the Japanese bombers coming, whereas it has seen the digital equivalent coming for decades.

And the prospect of a calamitous attack — a deadly explosion at a chemical plant set off by vulnerable software, for example — is a distraction from the predicament we are already in. Everything worth taking has already been intercepted: our private data, our intellectual property, voter rolls, medical records, even our own cyberweaponry.

Right now, we are being hacked from so many sides that it has become virtually impossible to keep track, let alone inform the average American reader, who is trying to grasp a largely invisible threat that lives in code, written in a language most of us will never fully understand.

This threat is too far gone to be fought head-on, but the answers have been around for decades: Americans simply decided that access and convenience, and in the case of governments, the chance for espionage, were worth leaving the windows open when we would all have been better off slamming them shut.

“The fatal flaw of the N.S.A. is that it became smarter than everyone else,” Peter Neumann, a computer scientist and cybersecurity scholar, told me. “In the rush to hack everything and everyone we could, we painted ourselves into a corner.”

There is a reason we believed the fallacy that offense alone could protect us: the offense was a bloody masterpiece.

Starting in 2007, the United States, together with Israel, launched an attack on Iran’s Natanz nuclear facility that destroyed about one-fifth of Iran’s centrifuges. That attack, known as Stuxnet, exploited seven holes, called “zero days,” in Microsoft and Siemens industrial software. (Only one had previously been disclosed, but it was never patched.) In the short term, Stuxnet was a resounding success. It set Iran’s nuclear ambitions back by years and kept the Israelis from bombing Natanz and triggering World War III. In the long run, it showed allies and adversaries what they were missing and changed the digital world order.

In the decade that followed, an arms race was born.

N.S.A. analysts left the agency to start cyberweapons businesses, such as Vulnerability Research Labs in Virginia, which sold click-and-shoot tools to U.S. agencies and our closest English-speaking allies, the Five Eyes. One contractor, Immunity Inc., founded by a former N.S.A. analyst, embarked on a slipperier slope. First, employees say, Immunity trained consultants like Booz Allen, then the defense contractor Raytheon, then the Dutch and Norwegian governments, but soon the Turkish army was showing up to be trained.

Companies like CyberPoint went further still, taking the work abroad and sharing tools and tradecraft that would eventually be turned against their own people. In Europe, Pentagon spyware vendors such as Hacking Team began trading those same tools with Russia and then Sudan, which used them mercilessly.

As the market grew beyond the N.S.A.’s direct control, the agency doubled down on offense. It knew that the same vulnerabilities it was discovering and exploiting elsewhere would one day be turned against Americans. Its response to this dilemma was to reduce American exceptionalism to an acronym, NOBUS, which stands for “Nobody but us.” If the agency discovered a vulnerability it believed only it could exploit, it kept it.

This strategy is part of what General Paul Nakasone, the current director of the N.S.A., and George Washington and the Chinese strategist Sun Tzu before him, describe as “active defense.”

In modern warfare, “active defense” amounts to hacking enemy networks. It is mutually assured destruction for the digital age: we have hacked Russia’s troll farms and its grid as a show of strength; Iran’s nuclear facilities, to take out their centrifuges; and Huawei’s source code, to penetrate its customers in Iran, Syria and North Korea, for espionage and to set up an early-warning system for the N.S.A. that would, in theory, stop attacks before they occur.

When we learned of holes in the systems that govern the digital world, we did not automatically move to patch them; we kept them open in case the F.B.I. needed to get into a terrorist’s iPhone or Cyber Command had reason to one day drop a cyberweapon on the Iranian grid.

There have been big wins, of course, many of which most people will never know about. But you have only to look at the attacks of the last five years to see that “active defense” and NOBUS are not working very well.

At an N.S.A. commemoration in 2012, an analyst warned, “Router hacking has been a good deal for us and our Five Eyes partners for some time, but it is apparent that other nation-states are honing their skills and joining the scene.”

Only when the N.S.A.’s tools were hacked in 2017 and then used against us could we see how lopsided the trade-off between offense and defense had become. The agency had held on to a critical vulnerability in Microsoft software for more than five years, turning it over to Microsoft only after the N.S.A. itself was hacked.

By then, it was too late. Companies, schools and hospitals had not yet plugged the hole when North Korea used it to attack a month later, or even two months after that, when Russia used it in a cyberattack that decimated vaccine supplies at Merck, cost FedEx $400 million and kept doctors from accessing patient records. In total, that incident cost victims about $10 billion in damage.

After the 2017 attacks, General Michael Hayden, former director of the N.S.A. and one of its most fervent champions, was uncharacteristically speechless. “I cannot defend an agency having powerful tools if it cannot protect them and keep them in its own hands,” he said.

To see how we got here, facing one escalating attack after another, and how we might fight our way out, it helps to go back to the Russian attack that put us on this offensive path in the first place.

It was 1983, and staff at the U.S. Embassy in Moscow had come to realize that everything they said and did was being captured by the Soviets. They suspected a mole, and without a tip from the French, who had discovered a bug in their teletypes, they might never have learned that the mole was in their machines.

In 1984, President Ronald Reagan approved a classified project, code-named Gunman, to find and remove every Soviet bug in the embassy’s equipment. It took a hundred days to haul the last device back to Fort Meade and almost a hundred more to figure it out: the most sophisticated feat the agency had ever seen.

Inside an embassy typewriter was a tiny magnetometer, a device that measures the slightest disturbance in the Earth’s magnetic field. It had recorded the mechanical energy of every keystroke and transmitted the results by radio to a Soviet listening post hidden in the embassy chimney. When Gunman was over and more implants had been found, it was clear that the Soviets had been extracting American secrets from our typewriters for eight years.

“It was our big wake-up call,” said James R. Gosler, the godfather of American cyberwarfare. “Or we’d still be on those damn typewriters.”

If one technologist can be credited with spurring America to fight, catch up and take the lead as the world’s most advanced digital superpower, it is Mr. Gosler. Asked who, around the turn of the century, deserved to be called the father of American cyberwarfare, officials did not hesitate: “Jim Gosler.”

In Mr. Gosler’s lexicon, there is B.G., Before Gunman, and A.G. B.G., “Americans were fundamentally ignorant,” he told me. We were in the dark.

A.G., we hacked with a digital vengeance.

Over his long career at Sandia National Laboratories, the N.S.A. and then the C.I.A., Mr. Gosler’s mission has been to draw the government’s attention to the vulnerabilities in the microchips, code and software that seep into our lives.

He will not talk about any of the classified systems he was privy to, but during his tenure he helped create a taxonomy of the adversaries that could exploit those vulnerabilities, and he led teams of American analysts and spies to make sure the United States stayed on top.

But every calorie America has spent on offense has come at the expense of defense, and over the decades that trade-off has gnawed at Mr. Gosler. Finding Gunman in those typewriters was a feat. Finding it in fighter jets, or even in the average high-end car, which now has more than a hundred million lines of code? Good luck.

This is essentially the predicament facing the United States now as it tracks down all the latest vectors and backdoors used in the recent SolarWinds attack, so named because the Russians used SolarWinds, a Texas company that sells network software to government agencies, network operators and more than 400 of the Fortune 500, as a conduit.

We tend to respond to attacks with indictments, sanctions or cyberattacks of our own. President Biden added $10 billion in cybersecurity funding to his Covid-19 relief proposal and said Thursday that the United States is “launching an urgent initiative” on cybersecurity, for “America’s preparation and resilience in cyberspace.”

But finding every last Russian backdoor could take months or even years, and getting out of our current mess will require a grinding choice to stop leaving ourselves vulnerable.

For individuals, this means making life less convenient. It means not putting off passwords and software updates, turning on two-factor authentication and not clicking on malicious links. For businesses, it requires testing code as engineers write it, not after it is in the hands of consumers. We will have to dig moats around the crown jewels: use hand-marked paper ballots, and isolate the controls that govern our nuclear plants, our medical devices and air traffic from everything else.

For the government, perhaps, a simple starting point is to set clear rules that keep Mr. Evenden’s former employer, the N.S.A., and people like Mr. Evenden from doing the dirty work for other governments, where the rules that govern our own spying do not apply. And it is well past time to close every door and window that should never have been open.

Jim Gosler has worked for decades to keep Americans and our secrets safe, to make sure we would never know how close we came to a catastrophic cyberattack. Now that the country is in a scenario it has long dreaded, he understands that the way forward is to recognize how much we are already at risk.

“Gunman didn’t have an impact on the average American where he sits, but SolarWinds is getting close,” Mr. Gosler said. “It’s so pervasive. It’s one step between SolarWinds and the power grid. How can Americans not feel that?”

Nicole Perlroth, a cybersecurity reporter for The Times, is the author of the forthcoming book “This Is How They Tell Me the World Ends,” from which this essay is adapted.
