Authors: Peter W. Singer, Allan Friedman

Cybersecurity and Cyberwar

(12:26:09 PM) bradass87:
lets just say *someone* i know intimately well, has been penetrating US classified networks, mining data like the ones described … and been transferring that data from the classified networks over the “air gap” onto a commercial network computer … sorting the data, compressing it, encrypting it, and uploading it to a crazy white haired aussie who can't seem to stay in one country very long =L …

(12:31:43 PM) bradass87:
crazy white haired dude = Julian Assange

(12:33:05 PM) bradass87:
in other words … ive made a huge mess.

This exchange on AOL Instant Messenger launched one of the biggest incidents in cyber history. WikiLeaks not only changed the way the world thinks about diplomatic secrets, but also became a focal point for understanding how radically cyberspace has changed our relationship with data and access.

In 2006, the website WikiLeaks was launched with the goal of “exposing corruption and abuse around the world.” With an agenda that scholars call “radical transparency,” the concept was to reform powerful actors' behavior by exposing documented evidence of their wrongdoing online. Led by the now-iconic “crazy white haired dude,” Australian Julian Assange, it used the Wikipedia model of an “open-source, democratic intelligence agency,” where activists from around the world could upload information and share it through a central but communally archived repository.

The group quickly gained a reputation for “releasing information relating to a range of very different countries, and to potential corruption, malfeasance, or ineptitude.” Early projects exposed alleged wrongdoings by Kenyan politicians, Church of Scientology lawyers, and international trade negotiators. It soon won accolades from anticensorship and human rights organizations.

In turn, the dangers of radical transparency quickly became apparent to organizations that depended on secrecy. In a 2008 report, the Pentagon noted, “WikiLeaks.org represents a potential force protection, counterintelligence, OPSEC and INFOSEC threat to the U.S. Army.” (Ironically, we only know about this classified assessment because WikiLeaks itself published it in 2010.)

The Pentagon's prescience was remarkable, as the website was poised to publish a massive cache of documents that ranged from diplomatic cables to memos and videos directly related to the US military's war efforts in Iraq and Afghanistan. This story's beginning goes back to “bradass87,” the online handle of Bradley Manning, born in 1987.

Bradley Manning was a private first class in the US Army, and not a terribly happy one. As he described in instant messages sent to another hacker turned journalist, “im an army intelligence analyst, deployed to eastern baghdad, pending discharge for ‘adjustment disorder' in lieu of ‘gender identity disorder.'”

Later investigations found that Manning fit in poorly with other soldiers and that he had already been reprimanded for disclosing too much information in video messages to his friends and family that he posted to YouTube. In fact, he almost wasn't deployed to Iraq because his superiors had described him as a “risk to himself and possibly others.” But the need for intelligence workers in the field was too great, and he was sent to the war zone.

While Manning was trained to handle classified information, he was not an analyst. Instead, his job was “to make sure that other intelligence analysts in his group had access to everything that they were entitled to see.” His position thus gave him access to a huge range of data streams from across the government's computer networks.

After growing increasingly distraught about the war, a reaction likely compounded by his personal troubles, Manning decided that “Information has to be free.” While the Department of Defense had banned USB storage devices for fear of malware and had tried to “air gap” the secure networks from the Internet, they did not close off writable CD drives. Manning would bring in CDs with music on them and then overwrite the music with file upon file of classified data. As he wrote, “I listened and lip-synced to Lady Gaga's Telephone while exfiltratrating [sic] possibly the largest data spillage in american history.”

In April 2010, WikiLeaks published a provocatively titled video, “Collateral Murder,” depicting an edited, annotated video from a US Army Apache attack helicopter firing on civilians in Iraq, including two Reuters reporters. WikiLeaks followed this up in July and October 2010 by releasing immense troves of classified documents relating to the wars in Afghanistan and Iraq.

While Manning had originally wanted to remain anonymous, as was the WikiLeaks model, his facilitator, Assange, instead sought to achieve maximum publicity. The video was first displayed at a news conference at the National Press Club in Washington, DC. For the classified documents, Assange worked with the New York Times, the Guardian, and Der Spiegel to verify, analyze, and present the documents to the public. Unsurprisingly, US officials condemned the release of these documents in strong language and began to hunt down the source of the leaks.

Just a few months later, WikiLeaks dropped another virtual bomb. In what became known as “Cablegate,” Manning had also passed on 251,287 State Department cables written by 271 American embassies and consulates in 180 countries, dating from December 1966 to February 2010. Much of the communication was boring stuff, but there were also a number of embarrassing secrets, from what American ambassadors really thought about their counterparts to the fact that the United States had secretly eavesdropped on the UN Secretary General in the lead up to the Iraq war. Amusingly, the US government then ordered federal employees and contractors not to read the secret State Department documents posted online, which the New York Times described as “a classic case of shutting the barn door after the horse has left.”

Originally, WikiLeaks relied on media sources like the Guardian, El País, and Le Monde to publish the cables, which they did at a relative trickle. The media focused on what they thought was most newsworthy and edited the content wherever it might endanger someone inadvertently revealed in the cables, such as a secret informant. Only a hundred or so were released at a time, a tiny fraction of the stolen documents. A few months later, however, the password to the full data set was “accidentally” released (reporters from the Guardian and Assange each blame the other). With the site now accessible, WikiLeaks decided to publish the whole treasure trove of secret information, unredacted.

The leaking of documents was roundly condemned, and WikiLeaks was accused of putting people at risk, and not just American officials. In China, for instance, nationalist groups began an “online witch hunt,” threatening violence against any Chinese dissident listed in the cables as meeting with the US embassy.

At this point, WikiLeaks became more than just a nuisance to those in power. According to the US Director of National Intelligence, the leaks risked “major impacts on our national security,” and a senator called for Assange to be tried for espionage. Others sought to downplay the impact. As then Secretary of Defense Gates put it, “Is this embarrassing? Yes. Is it awkward? Yes. Consequences for U.S. foreign policy? I think fairly modest.”

In either case, the heat was turned up on the organization and its key players. Assange's personal Swiss bank account was closed on the grounds that he had falsely claimed to live in Geneva upon opening the account. Even more damaging, Swedish prosecutors issued a warrant for Assange for sexual assault. After fighting and losing a legal battle for extradition, Assange sought asylum at the Ecuadorian embassy in London, where he remains at the time of this book's publication.

In another illustration of how the cyber world intersects with the real world, the online group was also pressured via the online financial front. PayPal announced that it would no longer allow individuals to send money to WikiLeaks's account, citing a letter from the US government declaring WikiLeaks's engagement in illegal behavior. MasterCard and Visa followed suit, making it much harder for sympathizers around the world to contribute to the legal and technical defense of the website.

Despite this pressure, the WikiLeaks organization survived. The leaked documents are still available around the Web on dozens of mirror websites to anyone who wants to see them (aside from federal employees), while the group has popped up in subsequent scandals from the NSA domestic spying revelations to the Syria Files, a release of over two million e-mails from the Syrian regime, including personal e-mails from Bashar al-Assad. More importantly, WikiLeaks's model has proved powerful, inspiring copycat attempts like Local Leaks, a website associated with Anonymous. Local Leaks came to prominence in 2012, when it posted evidence of a brutal sexual assault by prominent high school football players in an Ohio town.

As for Manning, his role was revealed by the very same person he shared his supposedly secret Internet chat with. A hacker named Adrian Lamo had told Manning, “I'm a journalist and a minister. You can pick either, and treat this as a confession or an interview (never to be published) & enjoy a modicum of legal protection.” Instead, Lamo turned Manning in to the FBI. Manning was subsequently court martialed for data theft and espionage and sentenced to thirty-five years in military prison.

In the end, those who wished to set information free are themselves no longer free. Others may be deterred by what has happened to this episode's main characters, or heartened by their enduring impact.

What Is an Advanced Persistent Threat (APT)?

We were at a meeting of Washington, DC, government officials and business leaders. A so-called consultant in cybersecurity (at least that's what his website said, and who are we to question the Internet?) spent half his presentation talking up the massive boogeyman of cyber danger that loomed for us all, repeatedly mentioning the new specter of “APTs.” But fortunately, he spent the second half of his talk explaining how all that was needed to deter such threats was to be “good enough.” He made a joke that it was like the two friends chased by a bear. As one told the other, “I don't have to outrun the bear, just you.” As long as you made sure your defenses were slightly better than the next guy's, he explained, the cyberattackers would give up and quickly move on. And, lo and behold, his firm had a generic package for sale that would satisfy all our cybersecurity needs. The presentation was slick, effective … and wrong.

APTs are “advanced persistent threats,” a phenomenon that has gained more and more notoriety in recent years (Google reports the term as being used some 10 million times by 2013) but is still poorly understood. It illustrates the challenge in the policy world of calling attention to very real emerging challenges in cyberspace but also avoiding overreaction, hype, and hysteria.

If cybersecurity threats were movies, an advanced persistent threat would be the Ocean's 11 of the field. It's not that APTs star handsome actors like George Clooney or Brad Pitt; indeed, they are more likely to be run by their polar opposites, clad in T-shirts instead of Armani suits. Like the high-profile heists in the movie, however, APTs have a level of planning that sets them apart from other cyberthreats. They are the work of a team that combines organization, intelligence, complexity, and patience. And as with the movie, they are quickly followed by sequels. No one knows how many APTs are out there in the world, but one cybersecurity firm CEO told us how, “Five years ago, I would get very excited, and very proud, if we found signs of an APT inside a client's networks. It was something that might happen once every few months. Now, we're finding them once a day.”

An APT starts with a specific target. The team knows what it wants and who it is going after to get it. APT targets have ranged from military jet designs to oil company trade secrets. So while many of us would like to think that we are important enough to be targeted by an APT, the reality is that most of us don't rise to that level. But if you do, well, watch out; locking your windows like everyone else in the neighborhood probably isn't going to be enough. The bear in the sales guy's story actually doesn't care how fast your friend runs; it just wants to take a bite out of you.

The hallmark of an APT is its coordinated team of specialized experts, who each take on different roles. Much like a robber “casing” a bank or a spy observing a military base, a surveillance team engages in what is known as “target development,” learning everything it can about the person or organization it is going after along with key vulnerabilities. In this effort, online search tools and social networking have been a godsend to the attackers. Want to steal a widget and therefore need to know who the vice president of product development is? In the past, you might have sent James Bond to seduce the receptionist in human resources and then sneak into her files while she was sleeping off a night of shaken martinis and sex. Now, it's more boring. Just type the name into an Internet search engine and you can get everything from that executive's resume to the name of her daughter's pet iguana. As cybersecurity expert Gary McGraw notes, “The most impressive tool in the attackers' arsenal is Google.”

It is this phase that also differentiates the attacks as “persistent.” The reconnaissance and preparations can take months. The teams are not just trying to understand the organization of the target but also its key concerns and even tendencies. One APT, for example, was casing a major technology firm headquartered in Minnesota. Team members eventually figured out that the best way to crack the system was to wait until a major blizzard. Then they sent a fake e-mail about the firm changing its snow day policy; in Minnesota, this was something that everyone from the CEO on down cared about. Another effort, which American national security officials have blamed on Chinese intelligence and military units, gathered details not only on targets' key friends and associates but even what farewell they typically used to sign off their e-mails (e.g., “All the best” vs. “Best regards” vs. “Keep on Trucking”) to mimic it for a spear phishing attack vector.
