Dark Territory (34 page)

This last idea led, three months later, to a new White House policy barring the use of a zero-day exploit, unless the NSA made a compelling case that the pros outweighed the cons. And the final verdict on its case would be decided not by the NSA director but by the cabinet secretaries in the NSC and, ultimately, by the president.
This was potentially a very big deal. Whether it would really limit the practice—whether it amounted to a political check or a rubber stamp—was another matter.
^I

Finally, Obama spoke of the most controversial program, the bulk collection of telephone metadata under Section 215 of the Patriot Act. First, as an immediate step, he ordered the NSA to restrict its data searches to two hops, down from its previously allowed limit of three. (Though potentially significant, this had little real impact, as the NSA almost never took three hops.) Second, and more significant, he endorsed the proposal to
store
the metadata with a private entity and to allow NSA access only after a FISA Court order.

These endorsements seemed doomed, though, because any changes in the storage of metadata or in the composition of the FISA Court would have to be voted on by Congress. Under ordinary conditions, Congress—especially this Republican-controlled Congress—wouldn't schedule such a vote: its leaders had no desire to change the operations of the intelligence agencies or to do much of anything that President Obama wanted them to do.

But these weren't ordinary conditions. The USA Patriot Act had been passed by Congress, under great pressure, in the immediate aftermath of the September 11 attacks: the bill came to the floor hot off the printing presses; almost no one had time to read it. In exchange for their haste in passing it, key Democratic legislators insisted, over intense opposition by the Bush White House, that a
sunset clause—an expiration date—be written into certain parts of the law (including Section 215, which allowed the NSA to collect and store metadata), so that Congress could extend its provisions, or let them lapse, at a time allowing more deliberation.

In 2011, when those provisions had last been set to expire, Congress voted to extend them until June 2015. In the interim four years, three things happened. First, and pivotally, came Edward Snowden's disclosures about the extent of NSA domestic surveillance. Second, the five guys report concluded that this metadata hadn't nabbed a single terrorist and recommended several reforms to reduce the potential for abuse.

Third, on May 7, just weeks before the next expiration date, the U.S. 2nd Circuit Court of Appeals ruled that Section 215 of the Patriot Act did not in fact authorize anything so broad as the NSA's bulk metadata collection program—that the program was, in fact, illegal. Section 215 permitted the government to intercept and store data that had “relevance” to an “investigation” of a terrorist plot or group. The NSA reasoned that, in tracing the links of a terrorist conspiracy, it was impossible to know what was relevant—who the actors were—ahead of time, so it was best to create an archive of calls that could be plowed through in retrospect; it was necessary, by this logic, to collect
everything
because anything
might
prove relevant; to find a needle in a haystack, you needed access to “the whole haystack.” The FISA Court had long ago accepted the NSA's logic, but now the 2nd Circuit Court rejected it as
“unprecedented and unwarranted.” In the court case that culminated in the ruling, the Justice Department (which was defending the NSA position) likened the metadata collection program to the broad subpoena powers of a grand jury. But the court jeered at the analogy: grand juries, it noted, are “bounded by the facts” of a particular investigation and “by a finite time limitation,” whereas the NSA metadata program required “that the phone companies turn over records on an ‘ongoing daily basis'—with no foreseeable end
point, no requirement of relevance to any particular set of facts, and no limitations as to subject matter or individuals covered.”

The judges declined to rule on the program's constitutionality; they even allowed that Congress could authorize the metadata program, if it chose to do so explicitly. And so it was up to Congress—and its members couldn't evade the moment of truth. Owing to the sunset clause, the House and Senate
had
to take a vote on Section 215, one way or the other; if they didn't, the metadata program would expire by default.

In this altered climate, the Republican leaders couldn't muster majority support to sustain the status quo. Moderates in Congress drafted a bill called the USA Freedom Act, which would keep metadata stored with the telecom companies and allow the NSA access only to narrowly specified pieces of it, and only after obtaining a FISA Court order to do so. The new law would also require the FISA Court to appoint a civil-liberties advocate to argue, on occasion, against NSA requests; and it would require periodic reviews to declassify at least portions of FISA Court rulings. The House passed the reform bill by a wide majority; the Senate, after much resistance by the Republican leadership, had no choice but to pass it as well.

Against all odds, owing to the one bit of farsighted caution in a law passed in 2001 amid the panic of a national emergency, Congress approved the main reforms of NSA practices, as recommended by President Obama's commission—and by President Obama himself.

The measures wouldn't change much about cyber espionage, cyber war, or the long reach of the NSA, to say nothing of its foreign counterparts. For all the political storms that it stirred, the bulk collection of domestic metadata comprised a tiny portion of the agency's activities. But the reforms would block a tempting path to potential abuse, and they added an extra layer of control, albeit a thin one, on the agency's power—and its technologies' inclination—to intrude into everyday life.

On March 31, two and a half months after Obama's speech at the Justice Department, in which he called for those reforms, Geoffrey Stone delivered a speech at Fort Meade. The NSA staff had asked him to recount his work on the Review Group and to reflect on the ideas and lessons he'd taken away.

Stone started off by noting that, as a civil libertarian, he'd approached the NSA with great skepticism, but was quickly impressed by its “high degree of integrity” and “deep commitment to the rule of law.” The agency made mistakes, of course, but they were just that—mistakes, not intentional acts of illegality. It wasn't a rogue agency; it was doing what its political masters wanted and what the courts allowed, and, while reforms were necessary, its activities were generally lawful.

His speech lavished praise a little while longer on the agency and its employees, but then it took a sharp turn.
“To be clear,” he emphasized, “I am not saying that citizens should
trust
the NSA.” The agency needed to be held up to “constant and rigorous review.” Its work was “important to the safety of the nation,” but, by nature, it posed “grave dangers” to American values.

“I found, to my surprise, that the NSA deserves the respect and appreciation of the American people,” he summed up. “But it should never, ever, be trusted.”

I
. 
The questions to be asked, in considering whether to exploit a zero-day vulnerability, were these: To what extent is the vulnerable system used in the critical infrastructure; in other words, does the vulnerability, if left unpatched, pose significant risk to our own society? If an adversary or criminal group knew about the vulnerability, how much harm could it inflict? How likely is it that we would know if someone else exploited it? How badly do we need the intelligence we think we can get from exploiting it? Are there other ways to get the intelligence? Could we exploit the vulnerability for a short period of time before disclosing and patching it?

I
N
the wee hours of Monday, February 10, 2014, four weeks after President Obama's speech at the Justice Department on NSA reform, hackers launched a massive cyber attack against the Las Vegas Sands Corporation, owner of the Venetian and Palazzo hotel-casinos on the Vegas Strip and a sister resort, the Sands, in Bethlehem, Pennsylvania.

The assault destroyed the hard drives in thousands of servers, PCs, and laptops, though not before stealing thousands of customers' credit-card charges as well as the names and Social Security numbers of company employees.

Cyber specialists traced the attack to the Islamic Republic of Iran.

The previous October, Sheldon Adelson, the ardently pro-Israel, right-wing billionaire who owned 52 percent of Las Vegas Sands stock, had spoken on a panel at Yeshiva University in New York. At one point, he was asked about the Obama administration's ongoing nuclear negotiations with Iran.

“What I would say,” he replied, “is, ‘Listen. You see that desert out there? I want to show you something.' ” Then, Adelson said, he would drop a nuclear bomb on the spot. The blast “doesn't hurt a soul,” he went on, “maybe a couple of rattlesnakes or a scorpion or whatever.” But it does lay down a warning: “You want to be wiped out?” he said he'd tell the mullahs. “Go ahead and take a tough position” at those talks.

Adelson's monologue went viral on YouTube. Two weeks later, the Ayatollah Ali Khamenei, Iran's supreme leader, fumed that America “should slap these prating people” and “crush their mouths.”

Soon after, the hackers went to work on Adelson's company. On January 8, they tried to break into the Sands Bethlehem server, probing the perimeters for weak spots. On the twenty-first, and again on the twenty-sixth, they activated password-cracking software, trying out millions of letter-and-number combinations, almost instantaneously, to hack into the company's Virtual Private Network, which employees used at home or on the road.

Finally, on February 1, they found a weakness in the server of a Bethlehem company that tested new pages for the casino's website. Using a tool called Mimikatz, which extracted all of a server's recent records, the hackers found the login and password of a Sands systems engineer who'd just been in Bethlehem on a business trip. Using his credentials, they strolled into the Vegas-based servers, probed their pathways, and inserted a malware program, consisting of just 150 lines of code, that wiped out the data stored on every computer and server, then filled the spaces with a random stream of zeroes and ones, to make restoring the data nearly impossible.

Then they started to download really sensitive data: the IT passwords and encryption keys, which could take them into the mainframe computer, and, potentially more damaging, the files on high-rolling customers—“the whales,” as casino owners called them.
Just in time, Sands executives shut off the company's link to the Internet.

Still, the next day, the hackers found another way back in and defaced the company's website with a message: “Encouraging the Use of Weapons of Mass Destruction UNDER ANY CONDITION Is a Crime.” Then they shut down a few hundred more computers that hadn't been disabled the first time around.

After the storm passed, the casino's cyber security staff estimated that the Iranians had destroyed twenty thousand computers, which would cost at least $40 million to replace.

It was a typical, if somewhat sophisticated, cyber attack for the second decade of the twenty-first century. Yet there was one thing odd about these hackers: anyone breaking into the servers of a Las Vegas resort hotel casino could have made off with deep pools of cash—but these hackers didn't take a dime. Their sole aim was to punish Sheldon Adelson for his crude comments about nuking Iran: they launched a cyber attack not to steal money or state secrets, but to influence a powerful man's political speech.

It was a new dimension, a new era, of cyber warfare.

Another notable feature, which the Sands executives picked up on after the fact: the Iranians were able to unleash such a destructive attack, after making such extensive preparations, without arousing notice, because the company's cyber security staff consisted of just five people.

Las Vegas Sands—one of the largest resort conglomerates in the world, with forty thousand employees and assets exceeding $20 billion—wasn't ready to deal with the old era of cyber war, much less the new one.

At first, not wanting to scare off customers, the executives tried to cover up just how badly the hack had hurt them, issuing a press release commenting only on their website's defacement. The hackers
struck back, posting a video on YouTube showing a computer screen with what seemed like thousands of the Sands' files and folders, including passwords and casino credit records, underscored with a text box reading, “Do you really think that only your mail server has been taken down?!! Like hell it has!!”

The FBI took down the video within a few hours, and the company managed to quash much further exposure, until close to the end of the year, when
Bloomberg Businessweek
published a long story detailing the full scope of the attack and its damage. But the piece drew little notice because, two weeks earlier, a similar, though far more devastating attack hit the publicity-drenched world of Hollywood, specifically one of its major studios—Sony Pictures Entertainment.

On Monday morning, November 24, a gang of hackers calling themselves
“Guardians of Peace” hacked into Sony Pictures' network, destroying three thousand computers and eight hundred servers, carting off more than one hundred terabytes of data—much of which was soon sent to, and gleefully reprinted by, the tabloid, then the mainstream, press—including executives' salaries, emails, digital copies of unreleased films, and the Social Security numbers of 47,000 actors, contractors, and employees.

Sony had been hacked before, twice in 2011 alone: one of the attacks shut down its PlayStation network for twenty-three days after purloining data from 77 million accounts; the other stole data from 25 million viewers of Sony Online Entertainment, including twelve thousand credit card numbers.
The cost, in business lost and damages repaired, came to about $170 million.