@War: The Rise of the Military-Internet Complex (12 page)

The third mission is protecting the United States itself, using what the military calls the Cyber National Mission Force. This force only conducts offensive operations. It would get the call from the president or the secretary of defense if China were trying to disable an electrical power plant or Iran were attempting to alter the databases of major banks or financial transaction systems. The members of the National Mission Force are trained to reroute malicious traffic away from its target, breaking in to networks if necessary, or to strike back at the source and take it offline. It reports to US Cyber Command, which is linked to the National Security Agency and its crack Tailored Access Operations unit. The Cyber National Mission Force represents a tiny portion of the overall military cyber force—probably about 1 percent, though the precise number is classified.

The Pentagon is “at full speed working our way through how the services will implement” the three-tiered structure of US cyber forces, Davis says. Beginning in 2011, the military began conducting regular cyber war games at Nellis Air Force Base, where the pivotal Schriever Wargame took place. Officials have set up joint cyber operations centers in each of the military's combatant commands, which are organized according to regions of the world and are run by a four-star general or admiral. There is now an emergency conference-call system so that in the event of an imminent or ongoing cyber attack on the United States, military, Defense Department, intelligence, and law enforcement officials can be looped in with the president and the National Security Council—constituting a kind of cyber war cabinet—to decide how to respond. A command-and-control system for US cyber attacks is also in place. There is even an emergency communications line from Washington to Moscow, the cyber equivalent of the Cold War red phone.

The core infrastructure for fighting a cyber war has been created. Now the United States is raising an army.

 

To build a cyber force, the military first has to recruit the best warriors. Each branch of the armed forces has developed aptitude tests, molded on those used by corporations, to determine whether someone might be suited to network maintenance and defense or shows promise for the rarer, more sophisticated offensive missions. The service branches are beginning to introduce basic cyber security training for all new officers; in the air force it's already mandatory. And the five military service academies now include cyber warfare as a field of study. Every year since 2000, the best hackers from each academy have competed against one another in a war game sponsored by the NSA. The simulation is meant to pit the schools against one another but also to test their mettle against the government's best cyber warriors.

“We build a network, all from scratch, then defend it against a team from NSA,” says Martin Carlisle, professor of computer science at the Air Force Academy and director of its Center for Cyberspace Research. The battle lasts for two and a half days. In 2013 the academy fielded a team of fifteen computer science and engineering majors who squared off against an NSA “red team,”—war game code for the aggressor—of about thirty military officers, civilians, and contractors from the NSA. The agency's team was not allowed to use any classified hacking techniques, but they ran operations against the cadets that they would likely see if the United States ever fought a cyber war with a foreign military. The NSA red team attempted to get inside the air force network and modify crucial data, so that the cadets could no longer trust its veracity. They launched known computer viruses against the cadets' network and tried to install backdoors in their systems.

The air force won the 2013 competition, its fourth victory since the game began in 2001, and its first consecutive win.

Future air force cyber specialists take special training at Keesler Air Force Base, on the Gulf Coast of Mississippi. Just like pilots have to pass flight school, the would-be cyber warriors have to run a gauntlet before they can wear the cyberspace badge—a pair of silver wings crossed by a lightning bolt centered on a globe.

The next and most important step in the education of cyber warriors is on-the-job training, “where you have your hands on the keyboard,” says Lieutenant General Michael Basla, chief of information dominance and the chief information officer, or CIO, of the air force. Basla's dual titles reflect the air force's approach to its cyber warfare mission. “Information dominance” encompasses propaganda, deception, and computer operations. And a CIO, generally, is the head techie in an organization, responsible for keeping the networks up to date and running. The air force lumps its network maintenance staff with its defenders, as well as those who conduct offense. It's one big techie pool.

About 90 percent of the air force's cyber force (which consisted of approximately 12,600 people in 2013) works on defense. They are guarding networks, patching vulnerabilities, and trying to keep abreast of changes to hardware and software that might create more holes for an intruder to use. Less than 1 percent of all air force cyber warriors are engaged in what Basla calls the “exquisite” work of penetrating an enemy's computer systems.

There are two big reasons for this mismatch. First, offense is a lot harder than defense. The tools and principles to do both are essentially the same in many ways. But asking a defender to go out and break in to a highly protected enemy computer would be like asking an auto mechanic, however talented, to fix the engine on a jet fighter. He may understand the principles of the task, but the application is an order of magnitude more difficult.

The second reason the offense side is so much smaller is that the military has only recently begun to make cyber warfare a priority. Protecting military networks and computers, which have proliferated in the past fifteen years, has long been part of its mission. That emphasis is changing now, as cyber warfare becomes integrated into military doctrine.

But if they ever go to war, US cyber forces will face an adversary just as skilled, and many times larger, than they are.

 

Groups of hackers have been operating in China for more than a decade. Some of their first handiwork was on display in 1999, after US forces inadvertently bombed the Chinese embassy in Yugoslavia during the Kosovo War. Outraged “patriotic hackers” hijacked the websites of the US Departments of Energy and the Interior and the National Park Service. The hackers took down the sites' usual content and replaced it with anti-American messages: “Protest the USA's Nazi action! Protest NATO's brutal action!” The White House also came under a heavy denial-of-service attack, in which an aggressor floods a server with traffic in an attempt to knock it offline. The White House took down its website for three days as a precaution.

Today these Chinese hacker groups, who were once motivated by their sense of national pride and opposition to foreign military action, are taking their orders from China's military and intelligence leaders. They weren't conscripted so much as brought under the banner of the People's Liberation Army, which has both clandestinely supported their work and officially ignored their existence. Lately that work consists mostly of stealing information. Chinese hackers have penetrated or tried to compromise classified computer systems of every department and agency of the federal government. They have broken in to countless corporate databases to steal trade secrets. Just like the hackers who broke in to US defense contractors in 2007, they are looking for any piece of information—however big or small—that will give China a military or economic edge and advance the country's global strategy.

The Chinese hackers are skilled and relentless. They are also shameless. They've taken far fewer precautions than their American adversaries to cover their tracks. In part this is because they know the US government has been loath to call out one of its most important trading partners and lenders as the source of a global espionage campaign. But the Chinese also view cyber espionage and warfare as a set of tactics that helps them compete against more advanced economies, militaries, and intelligence organizations. They have little compunction about breaking in to competitors' systems because they know it's one of the few capabilities they have to gain some advantage over their adversaries. China has no blue-water navy capable of doing battle on the world's oceans. But it does have a cyber force that can wreak havoc on US targets from the other side of the planet.

Chinese cyber forces, along with their counterparts in Russia, have designed technologies to hack into US military aircraft. The Chinese in particular have developed a method for inserting computer viruses through the air into three models of planes that the air force uses for reconnaissance and surveillance. The attack is launched via the electromagnetic spectrum and targets the onboard surveillance systems that emit a signal.
It's an ingenious tactic, and a potentially devastating one: such a strike could disrupt the aircrafts' controls and cause them to crash.

But these advances were predictable. For centuries the Chinese have employed a strategy of asymmetry, overwhelming a larger enemy by attacking his weaknesses with basic weapons. Cyber espionage and warfare are just the latest examples in a long and, for the Chinese, proud tradition.

To speak of the Chinese hackers as a group is a bit of misnomer. They don't operate entirely as a collective, and how they're organized is still a mystery—unlike the Americans, the Chinese don't publicize their cyber warfare hierarchy and command structure. But for the purposes of developing countermeasures, US security officials often view the hackers as one entity, because they are united by a set of characteristics—national pride, the belief in economic espionage as a tool for national advancement, and a strategy of asymmetric force. American security experts have given the Chinese cyber horde a name—the advanced persistent threat, or APT. It is responsible for a global spread of malware that has infected or attempted to infect every computer system of consequence in the United States, US officials say. Any American company operating abroad doing business with or in China or with any of its competitors can safely assume that it has been a target. Many of them don't even know that. On average, at least a month passes before most companies ever learn they have an intruder on their networks.

The precise number of Chinese cyber warriors is not known, but experts uniformly agree on two things: it is very large, likely in the tens of thousands, and unlike those in the United States, the Chinese cyber warriors are mostly focused on offense.

Joe Stewart, director of malware research at Dell SecureWorks, has tracked twenty-four thousand Internet domains that he believes Chinese cyber spies have either rented or hacked and use as bases of operations against the US government and American companies, he told
Bloomberg Businessweek
in 2013. The precise number of hackers is hard to gauge, but Stewart identified three hundred types of malware and hacking techniques that the Chinese used, double the number he saw in 2012. “There is a tremendous amount of manpower being thrown at this from their side.”

In 2013 the computer security research firm Mandiant released a groundbreaking report that identified and gave the location of one suspected APT group, known as Unit 61398—a Chinese military cover name—based in Shanghai. One of its main centers of operations is a twelve-story, 130,000-square-foot building capable of holding as many as two thousand people. The security company studied Unit 61398 going back to 2006 and discovered it had broken in to the systems of nearly 150 “victims.” Mandiant judged the unit to be one of the most prolific cyber spying outfits in China. And other computer security experts linked the group to an incursion in 2012 on the networks of the Canadian arm of Telvent, which designs industrial control software used to regulate valves and security systems for oil and gas pipeline companies in North America. Telvent has acknowledged that the intruders stole project files. Hackers could use those to map out the networks of oil and gas companies and find their weaknesses.

Unit 61398 was formidable, and clearly interested in potential attacks on critical infrastructure. But it was just one of twenty hacker groups that Mandiant was tracking. Chinese hackers in general are mostly engaged in espionage. But it would be easy for its members to switch into cyber warfare mode and start taking down systems, corrupting data and information, or launching malware against critical infrastructure, such as power plants and communications facilities. If each of those twenty groups was just half as large as Unit 61398, the Chinese APT would consist of more than twenty thousand people.

 

The United States has a long way to go to match the size of China's cyber force. In 2013 there were only about three hundred people working for Tailored Access Operations, the NSA's elite hacker core. The US Cyber Command, which is responsible for coordinating all the cyber components of the military services, employed only about nine hundred people total in 2013, including administrators and officers who aren't actively engaged in hacking. The Defense Department plans to grow the ranks to six thousand by the end of 2016. If the Chinese military stopped growing its cyber forces today, it would still be at least five times larger than the Americans'.

To expand the US cyber force, commanders plan to retrain network defenders to be warriors. In the air force, for instance, the vast majority of the cyber staff are support staff and systems administrators—its version of the help desk.

But they're all the air force has got for now. There are no plans to add new cyber positions. Indeed, the overall active-duty air force is the smallest it has ever been, and it will shrink even more, owing to mandatory spending cuts that were enacted in 2013. US Cyber Command, which oversees all military cyber operations, also plans to pull from the ranks of support staff. Officials want to automate much of the military's IT support functions, theoretically freeing those personnel for offensive operations.