America Hacks Itself

Posted May 16, 2021

Categories: Articles, Featured, Security


America has a serious infrastructure problem.

Maybe when I say that what comes to mind are all the potholes on your street. Or the dismal state of public transportation in your city. Or crumbling bridges all over the country. But that’s so twentieth century of you.

America’s most urgent infrastructure vulnerability is largely invisible and unlikely to be fixed by the Biden administration’s $2 trillion American Jobs Plan.

I’m thinking about vulnerabilities that lurk in your garage (your car), your house (your computer), and even your pocket (your phone). Like those devices of yours, all connected to the Internet and so hackable, American businesses, hospitals, and public utilities can also be hijacked from a distance thanks to the software that helps run their systems. And don’t think that the U.S. military and even cybersecurity agencies and firms aren’t seriously at risk, too.

Such vulnerabilities stem from bugs in the programs — and sometimes even the hardware — that run our increasingly wired society. Beware “zero-day” exploits — so named because you have zero days to fix them once they’re discovered — that can attract top-dollar investments from corporations, governments, and even black-market operators. Zero days allow backdoor access to iPhones, personal email programs, corporate personnel files, even the computers that run dams, voting systems, and nuclear power plants.

It’s as if all of America were now protected by nothing but a few old padlocks, the keys to which have been made available to anyone with enough money to buy them (or enough ingenuity to make a set for themselves). And as if that weren’t bad enough, it was America that inadvertently made these keys available to allies, adversaries, and potential blackmailers alike.

The recent SolarWinds hack of federal agencies, as well as companies like Microsoft, for which the Biden administration recently sanctioned Russia and expelled several of its embassy staff, is only the latest example of how other countries have been able to hack basic U.S. infrastructure. Such intrusions, which actually date back to the early 2000s, are often still little more than tests, ways of getting a sense of how easy it might be to break into that infrastructure in more serious ways later. Occasionally, however, the intruders do damage by vacuuming up data or wiping out systems, especially if the targets fail to pay cyber-ransoms. More insidiously, hackers can also plant “timebombs” capable of going off at some future moment.

Russia, China, North Korea, and Iran have all hacked into this country’s infrastructure to steal corporate secrets, pilfer personal information, embarrass federal agencies, make money, or influence elections. For its part, the American government is anything but an innocent victim of such acts. In fact, it was an early pioneer in the field and continues to lead the way in cyberoperations overseas.

This country has a long history of making weapons that have later been used against it. When allies suddenly turn into adversaries like the Iranian government after the Shah was ousted in the 1979 revolution or the mujahideen in Afghanistan after their war against the Red Army ended in 1989, the weapons switch sides, too. In other cases, like the atomic bomb or unmanned aerial vehicles, the know-how behind the latest technological advances inevitably leaks out, triggering an arms race.

In all these years, however, none of those weapons has been used with such devastating effect against the U.S. homeland as the technology of cyberwarfare.

The Worm That Turned

In 2009, the centrifuges capable of refining Iranian uranium to weapons-grade level began to malfunction. At first, the engineers there didn’t pay much attention to the problem. Notoriously finicky, such high-speed centrifuges were subject to frequent breakdowns. The Iranians regularly had to replace as many as one of every 10 of them. This time, however, the number of malfunctions began to multiply and then multiply again, while the computers that controlled the centrifuges started to behave strangely, too.

It was deep into 2010, however, before computer security specialists from Belarus examined the Iranian computers and discovered the explanation for all the malfunctioning. The culprit responsible was a virus, a worm that had managed to burrow deep into the innards of those computers through an astonishing series of zero-day exploits.

That worm, nicknamed Stuxnet, was the first of its kind. Admittedly, computer viruses had been creating havoc almost since the dawn of the information age, but this was something different. Stuxnet could damage not only computers but the machines that they controlled, in this case destroying about 1,000 centrifuges. Developed by U.S. intelligence agencies in cooperation with their Israeli counterparts, Stuxnet would prove to be but the first salvo in a cyberwar that continues to this day.

It didn’t take long before other countries developed their own versions of Stuxnet to exploit the same kind of zero-day vulnerabilities. In her book This Is How They Tell Me the World Ends, New York Times reporter Nicole Perlroth describes in horrifying detail how the new cyber arms race has escalated. It took Iran only three years to retaliate for Stuxnet by introducing malware into Aramco, the Saudi oil company, destroying 30,000 of its computers. In 2014, North Korea executed a similar attack against Sony Pictures in response to a film that imagined the assassination of that country’s leader, Kim Jong-un. Meanwhile, Perlroth reports, Chinese hackers have targeted U.S. firms to harvest intellectual property, ranging from laser technology and high-efficiency gas turbines to the plans for “the next F-35 fighter” and “the formulas for Coca-Cola and Benjamin Moore paint.”

Over the years, Russia has become especially adept at the new technology. Kremlin-directed hackers interfered in Ukraine’s presidential election in 2014 in an effort to advance a far-right fringe candidate. The next year, they shut down Ukraine’s power grid for six hours. In the freezing cold of December 2016, they turned off the heat and power in Kyiv, that country’s capital. And it wasn’t just Ukraine either. Russian hackers paralyzed Estonia, interfered in England’s Brexit referendum, and nearly shut down the safety controls of a Saudi oil company.

Then Russia started to apply everything it learned from these efforts to the task of penetrating U.S. networks. In the lead-up to the 2016 elections, Russian hackers weaponized information stolen from Democratic Party operative John Podesta and wormed their way into state-level electoral systems. Later, they launched ransomware attacks against U.S. towns and cities, hacked into American hospitals, and even got inside the Wolf Creek nuclear power plant in Kansas. “The Russians,” Perlroth writes, “were mapping out the plant’s networks for a future attack.”

The United States did not sit idly by watching such incursions. The National Security Agency (NSA) broke into Chinese companies like Huawei, as well as their customers in countries like Cuba and Syria. With a plan nicknamed Nitro Zeus, the U.S. was prepared to take down key elements of Iran’s infrastructure if the negotiations around a nuclear deal failed. In response to the Sony hack, Washington orchestrated a 10-hour Internet outage in North Korea.

As the leaks from whistleblower Edward Snowden revealed in 2013, the NSA had set up full-spectrum surveillance through various communications networks, even hacking into the private phones of leaders around the world like Germany’s Angela Merkel. By 2019, having boosted its annual budget to nearly $10 billion and created 133 Cyber Mission teams with a staff of 6,000, the Pentagon’s Cyber Command was planting malware in Russia’s energy grid and plotting other mischief.

Unbeknownst to Snowden or anyone else at the time, the NSA was also stockpiling a treasure trove of zero-day exploits for potential use against a range of targets. At first glance, this might seem like the cyber-equivalent of setting up a network of silos filled with ICBMs to maintain a rough system of deterrence. The best defense, according to the hawk’s catechism, is always an arsenal of offensive weapons.

But then the NSA got hacked.

In 2017, an outfit called the Shadow Brokers leaked 20 of the agency’s most powerful zero-day exploits. That May, WannaCry ransomware attacks suddenly began to strike targets as varied as British hospitals, Indian airlines, Chinese gas stations, and electrical utilities around the United States. The perpetrators were likely North Korean, but the code, as it happened, originated with the NSA, and the bill for the damages came to $4 billion.

Not to be outdone, Russian hackers turned two of the NSA zero-day exploits into a virus called NotPetya, which caused even more damage. Initially intended to devastate Ukraine, that malware spread quickly around the world, causing at least $10 billion in damages by briefly shutting down companies like Merck, Maersk, FedEx, and in an example of second-order blowback, the Russian oil giant Rosneft as well.

Sadly enough, in 2021, as Kim Zetter has written in Countdown to Zero Day, “[C]yberweapons can be easily obtained on underground markets or, depending on the complexity of the system being targeted, custom-built from scratch by a skilled teenage coder.” Such weapons then ricochet around the world before, more often than not, they return to sender.

Sooner or later, cyber-chickens always come home to roost.

Trump Makes Things Worse

Donald Trump notoriously dismissed Russian interference in the 2016 elections. His aides didn’t even bother bringing up additional examples of Russian cyber-meddling because the president just wasn’t interested. In 2018, he even eliminated the position of national cybersecurity coordinator, which helped National Security Advisor John Bolton consolidate his own power within the administration. Later, Trump would fire Christopher Krebs, who was in charge of protecting elections from cyberattacks, for validating the integrity of the 2020 presidential elections.

The SolarWinds attack at the end of last year highlighted the continued weakness of this country’s cybersecurity policy and Trump’s own denialism. Confronted with evidence from his intelligence agencies of Russian involvement, the president continued to insist that the perpetrators were Chinese.

The far right, for partisan reasons, abetted his denialism. Strangely enough, commentators on the left similarly attempted to debunk the idea that Russians were involved in the Podesta hack, 2016 election interference, and other intrusions, despite overwhelming evidence presented in the Mueller report, the Senate Intelligence Committee findings, and even from Russian sources.

But this denialism of the right and the left obscures a more important Trump administration failure. It made no attempt to work with Russia and China to orchestrate a truce in escalating global cyber-tensions.

Chastened by the original Stuxnet attack on Iran, the Putin government had actually proposed on several occasions that the international community should draw up a treaty to ban computer warfare and that Moscow and Washington should also sort out something similar bilaterally. The Obama administration ignored such overtures, not wanting to constrain the national security state’s ability to launch offensive cyber-operations, which the Pentagon euphemistically likes to label a “defend forward” strategy.

In the Trump years, even as he was pulling the U.S. out of one arms control deal after another with the Russians, The Donald was emphasizing his superb rapport with Putin. Instead of repeatedly covering for the Russian president — whatever his mix of personal, financial, and political reasons for doing so — Trump could have deployed his over-hyped art-of-the-deal skills to revive Putin’s own proposals for a cyber-truce.

With China, the Trump administration committed a more serious error.

Stung by a series of Chinese cyber-thefts, not just of intellectual property but of millions of the security-clearance files of federal employees, the Obama administration reached an agreement with Beijing in 2015 to stop mutual espionage in cyberspace. “We have agreed that neither the U.S. [n]or the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage,” Obama said then. “We’ll work together and with other nations to promote other rules of the road.”

In the wake of that agreement, Chinese intrusions in U.S. infrastructure dropped by an astonishing 90%. Then Trump took office and began to impose tariffs on Chinese goods. That trade war with Beijing would devastate American farmers and manufacturers, while padding the bills of American consumers, even as the president made it ever more difficult for Chinese firms to buy American products and technology. Not surprisingly, China once again turned to its hackers to acquire the know-how it could no longer get legitimately. In 2017, those hackers also siphoned off the personal information of nearly half of all Americans through a breach in the Equifax credit reporting agency.

As part of his determination to destroy everything that Obama achieved, of course, Trump completely ignored that administration’s 2015 agreement with Beijing.

Head for the Bunkers?

Larry Hall once worked for the Defense Department. Now, he’s selling luxury apartments in a former nuclear missile silo in the middle of Kansas. It burrows 15 stories into the ground and he calls it Survival Condo. The smallest units go for $1.5 million and the complex features a gym, swimming pool, and shooting range in its deep underground communal space.

When asked why he’d built Survival Condo, Hall replied, “You don’t want to know.”

Perhaps he was worried about a future nuclear exchange, another even more devastating pandemic, or the steady ratcheting up of the climate crisis. Those, however, are well-known doomsday scenarios and he was evidently alluding to a threat to which most Americans remain oblivious. What the Survival Condo website emphasizes is living through five years “completely off-grid,” suggesting a fear that the whole U.S. infrastructure could be taken down via a massive hack.

And it’s true that modern life as most of us know it has become increasingly tied up with the so-called Internet of Things, or IoT. By 2023, it’s estimated that every person on Earth will have, on average, 3.6 networked devices. Short of moving to a big hole in the ground in Kansas and living completely off the grid, it will be difficult indeed to extricate yourself from the consequences of a truly coordinated attack on such an IoT.

A mixture of short-sighted government action — as well as inaction — and a laissez-faire approach to markets have led to the present impasse. The U.S. government has refused to put anything but the most minimal controls on the development of spyware, has done little to engage the rest of the world in regulating hostile activities in cyberspace, and continues to believe that its “defend forward” strategy will be capable of protecting U.S. assets. (Dream on, national security state!)

Plugging the holes in the IoT dike is guaranteed to be an inadequate solution. Building a better dike might be a marginally better approach, but a truly more sensible option would be to address the underlying problem of the surging threat. Like the current efforts to control the spread of nuclear material, a non-proliferation approach to cyberweapons requires international cooperation across ideological lines.

It’s not too late. But to prevent a rush to the bunkers will take a concerted effort by the major players — the United States, Russia, and China — to recognize that cyberwar would, at best, produce the most pyrrhic of victories. If they don’t work together to protect the cyber-commons, the digital highway will, at the very least, continue to be plagued by potholes, broken guardrails, and improvised explosive devices whose detonations threaten to disrupt all our lives.

TomDispatch, April 28, 2021
