Top-secret fighter jet designs filched by foreign cyber spies. Oil companies' vital exploration data siphoned from corporate networks. A new, highly potent form of malicious software that can wreck industrial machinery like power generators.
Whether it's cyber spying, identity theft, or cyber sabotage, the drum beat of computer threats has become standard fare in articles, books, and movies. So much so, Americans can barely be bothered to peer up from their iPhones (really hand-held mobile computers) to register shock or astonishment at the latest travesty.
Thousands of stolen secret State Department documents dumped via Wikileaks onto the internet? Google's source code in the hands of Chinese hackers? Twenty terabytes of information – enough to fill a line of moving vans miles long if the data were on paper – stolen by cyber spies from Pentagon networks?
Just another day at the office. And yet we should be paying attention. America has, in its rise to global internet-connected preeminence, become the fattest cyber attack target on the planet, with government and corporate networks alike as porous as Swiss cheese to advanced attackers, writes Joel Brenner in his disturbing new book America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime and Warfare.
What he describes is a nation that has, unwittingly, created for itself a digital "glass house" in which virtually all data belonging to individuals, companies, and government can be gotten at one way or the other – by hook or crook, friend or foe.
"The United States cannot defend the electronic networks that control our energy supply, keep aircraft from colliding in midair, clear financial transactions, or make it possible for the president to communicate with his cabinet secretaries," he writes. "We cannot permit this situation to continue and remain in control of our destiny."
Brenner is not the first major voice to sound this warning. Richard Clarke, former counter-terrorism director until 2003 under President Bush, in his 2010 book "Cyber War," warned of a possible electronic sneak attack on the US in which the power grid could be a prime target. He, too, offered a good list of recommendations.
But Brenner's main service is to bring a much needed, recent insider perspective to the cyber-threat debate. He served as national counterintelligence executive in the office of the National Intelligence Director from 2006 to 2009, and spent the previous six years as inspector general of the National Security Agency. He knows what he is talking about. We should listen to him. Carefully.
"Operation Aurora didn't just hit Google," he reminds us of the hacker attacks that stole the company's critical source code in late 2009 and early 2010. "It was a coordinated attack on the intellectual property of several thousand companies in the United States and Europe – including Morgan Stanley, Yahoo, Symantec, Adobe, Northrop Grumman, Dow Chemical and many others. Intellectual property is the stuff that makes Google and other firms tick."
So who did it? Brenner says "the operation was approved at high levels of the government of the People's Republic of China" – a member of the Politburo Standing Committee, Li Changchun. How does he know? Ironically enough, Li's role, detailed in secret State Department documents put onto the web by Wikileaks, was then written up by The New York Times. During his days in the intelligence office, Brenner was one of the most bluntly outspoken US officials on the Chinese cyber threat. It is truly ironic that his case is so strengthened by Wikileaks, a vulnerability he decries in the book.
While government officials know something must be done, the US still seems in slow motion, he writes. Even as numbers and sophistication of cyber attacks grow rapidly, defense of the nation's intellectual property in corporate systems, government networks – and even US critical infrastructure like financial, air traffic control, water, and power grid systems – is still far too feeble, he writes.
In a short, but infuriating, chapter called "Dancing in the Dark," Brenner lays out how utilities have connected industrial control systems that regulate the US power grid to the internet to make it marginally easier and cheaper to operate. Unfortunately, that move has granted foreign nations' hackers access to map those systems and position cyber weapons to take down the grid in the event of hostilities.
"Most owners and operators don't want to believe it, even as the evidence of their vulnerability mounts," he writes. "They'd rather dance in the dark, figuratively – and raise the risk that the rest of us will be dancing in the dark, literally."
In another chapter called "June 2017," the author details a plausible future scenario in which a Chinese premier blackmails a US president, knocking out chunks of the North American power grid and threatening wider outages. In the end, a US carrier group fails to come to Taiwan's aid. And this is the real problem – the US may not in the end be overtly wrecked by its cyber vulnerabilities, but it may be weakened into inaction and the status of a global follower, he writes.
"I'm not predicting this scenario, but it's well within the realm of possibility. And we would be foolhardy not to prepare for it," he writes. "With the exception of successful attacks on our electricity grid – and we know the grid is vulnerable – virtually every aspect of this fictional scenario has already happened."
How did we get here? The White House under President Bush began to awaken and move on the cyber threat late in his tenure. President Obama in May unveiled the nation's first new cyber strategy, still mostly on paper. Congress, which could produce helpful legislation, has mostly spent its time holding hearings. The Pentagon's new US Cyber Command has made important steps, yet is still unable to protect privately held domestic critical infrastructure like the power grid. The Department of Homeland Security, scrambling, is trying to enlist NSA help to do that.
Thankfully, Brenner doesn't leave us adrift, offering up a chapter with specific recommendations for a "modest but essential beginning" toward "managing the mess" that US cyber insecurity has become. He also analyzes in detail why inertia has taken hold in government and the private sector, and how it could be overcome.
Brenner had both advantages and disadvantages in pulling together so much information and organizing it in a way that paints a cohesive picture of the problem – and solutions. On the one hand, he had a terrific insider's perch, yet he's not permitted by law to reveal classified information. How to avoid jail? Like any good lawyer, he has gone to public sources to document everything with information already in the public domain.
All that research has left "America the Vulnerable" a refreshingly solid piece of research anchored by nearly 40 pages of footnotes. Fortunately, rather than resulting in turgid prose, the documentation, framed by insider perspective and spiced with numerous case examples, makes a compelling, readable narrative.
One late chapter on how intelligence services are being impacted is the lone exception to the book's readability, probably appealing mostly to policy wonks or fellow intelligence professionals. Even so, this book – along with Clarke's – should be required reading on Capitol Hill and in the West Wing.
Mark Clayton is a Monitor staff writer.