National Security

Inside the Black Box

How the NSA is helping companies fight back against Chinese hackers.

For China, U.S. government secrecy has been a boon. Cyber-warfare directed against American companies is reducing the gross domestic product by as much as $100 billion per year, according to a recent National Intelligence Estimate. Because companies are generally reluctant to admit they've been breached and because the National Security Agency, which works with these companies to assess Chinese cyber techniques, is surrounded by a cocoon of secrecy, China has been able to operate with impunity. 

That soon will change. 

In the coming weeks, the NSA, working with a Department of Homeland Security joint task force and the FBI, will release to select American telecommunication companies a wealth of information about China's cyber-espionage program, according to a U.S. intelligence official and two government consultants who work on cyber projects. Included: sophisticated tools that China uses, countermeasures developed by the NSA, and unique signature-detection software that previously had been used only to protect government networks. 

Press reports have indicated that the Obama administration plans to give certain companies a list of domain names China is known to use for network exploitation. But the coming effort is of an entirely different scope. These are American state secrets.

Very little that China does escapes the notice of the NSA, and virtually every technique it uses has been tracked and reverse-engineered. For years, and in secret, the NSA has also used the cover of some American companies -- with their permission -- to poke and prod at the hackers, leading them to respond in ways that reveal patterns and allow the United States to figure out, or "attribute," the precise origin of attacks. The NSA has even designed creative ways to allow subsequent attacks but prevent them from doing any damage. Watching these provoked exploits in real time lets the agency learn how China works.

Now, though, the cumulative effect of Chinese economic warfare -- American companies' proprietary secrets are essentially an open book to them -- has changed the secrecy calculus. An American official who has been read into the classified program -- conducted by cyber-warfare technicians from the Air Force's 315th Network Warfare Squadron and the CIA's secret Technology Management Office -- said that China has become the "Curtis LeMay" of the post-Cold War era: "It is not abiding by the rules of statecraft anymore, and that must change." 

"The Cold War enforced norms, and the Soviets and the U.S. didn't go outside a set of boundaries. But China is going outside those boundaries now. Homeostasis is being upset," the official said.

In essence, the NSA will give American companies the ability to fight back. The idea is two-fold. One: Behavior modification by exposing Chinese tactics, which, in theory, would embarrass the Chinese. Two: This will force China to develop new hacking avenues, but this will take time, giving U.S. companies the chance to catch up.

The NSA could do even more than this. It has some pretty nifty tools to use in terms of protecting cyberspace. In theory, it could probe devices at critical Internet hubs and inspect the patterns of data packets coming into the United States for signs of coordinated attacks. The recently declassified Comprehensive National Cyberspace Initiative describes the government's plan, informally known as Einstein 3, to address the threats to government data that run through private computer networks -- an admission that the NSA will have to perform deep packet inspection on private networks at some point. But, currently, the NSA only does this for a select group of companies that work with the Department of Defense. It is legally prohibited from setting up filters around all of the traffic entry points. 

Government agencies, however, are a different matter. To protect the feds, the NSA provides the Department of Homeland Security with the equipment and personnel to do the packet inspection. DHS (using NSA personnel) analyzes the patterns, sanitizes the data, and sends the information back to Fort Meade, where the NSA can figure out how to respond to threats discovered. DHS's jurisdiction does not include the military and U.S. intelligence agencies. That's the NSA's province.

The agency has gathered a significant amount of intelligence on the ways sophisticated cyber-actors -- usually nation-states and, more often than not, China -- have written their code. Sometimes the NSA is able, through its collection of signals intelligence, to get advance notice of a major attack on a major company. It has very recently begun sharing this information with the FBI, which in turn shares it (or a sanitized form of it) with the companies that might be affected.

But it has been NSA policy to keep its information private. They're an intelligence agency, after all. They gather information in secret and use it to outfox the enemy. If the NSA were to share with the public what it knows about China's cyber capabilities, for example, then China would know what the NSA knows and would adjust its tactics accordingly, thus potentially rendering the Defense Department's Internet space more vulnerable. But the penetrations have become so frequent and so potentially economically devastating that the government has decided to take that risk.

The next step may be letting the NSA conduct deep-packet monitoring of private networks. It's undeniable that Congress and the public probably wouldn't be comfortable knowing that the NSA has its hardware at the gateways to the Internet. And yet there may be no other workable way to detect and defeat major attacks. Thanks to powerful technology lobbies, Congress is debating a bill that would give the private sector the tools to defend itself, and it has been slowly peeling back the degree of necessary government intervention. As it stands, DHS lacks the resources to secure the dot-com top-level domain even if it wanted to. It competes for engineering minds with the NSA and with private industry; the former has more cachet and the latter has better pay.

Some private-sector companies are good corporate citizens and spend money and time to secure their networks. But many don't. It's costly, both in terms of buying the protection systems necessary to make sure critical systems don't fail and also in terms of the interaction between the average employee and the software. Security and efficiency diverge, at least in the short run.

If the NSA were simply to share with the private sector en masse the signatures its intelligence collection obtains about potential cyber-attacks, cybersecurity could measurably improve in the near term. But outside the companies who regularly do business with the intelligence community and the military, few firms have people with the clearances required by the NSA to distribute threat information. (Under the new initiative, the NSA's intelligence will be filtered through the FBI and DHS.)

Also, because the NSA's reputation has been tarnished by its participation in warrantless surveillance, and because telecoms are wary of cooperating with the NSA beyond the scope of the law, companies are afraid to even admit that they've asked the agency for technical advice. As a senior executive at Google -- which asked the NSA to help contain an outbreak of Chinese network exploitation in 2008 -- admitted to me, "People don't really trust the NSA, and it will raise suspicions that we're letting them look at their search data, and other things. It's not in our interest."

But it was in their interest to work with the agency -- and in the months ahead the NSA is betting that will be true of many others.



Why Being So Right Feels So Bad

Why did it take the State Department 10 years and billions of dollars to figure out that Iraq reconstruction was a massive failure?

I was right. When they print the next edition of my book, I'm going to change the title from We Meant Well to I Told You So.

I spent a year in Iraq as a U.S. Foreign Service officer, leading two of the then-vaunted Provincial Reconstruction Teams. We were charged with nothing less than winning the war for America by rebuilding Iraq's infrastructure, creating a functioning democracy and stable economy, and thus ensuring Iraq would be an ally of the United States in the war on terror. As it became more and more apparent to me over the course of my time in Iraq that we were accomplishing none of those goals (while simultaneously wasting incredible amounts of money), I was compelled to tell the American people what I saw. It would be both a lesson for history and a warning about similar efforts already under way in Afghanistan. I wrote a book and lost my career of 24 years at the State Department as a result.

When, in 2010, I sent the first draft of We Meant Well, about the waste, fraud, mismanagement, and utter stupidity surrounding the Iraq reconstruction efforts, to my editor, I remember her saying, "You know the book itself won't come out for close to a year, and if things turn around in Iraq in the meantime, that will make you look wrong." I told her not to worry.

When the book did come out in September 2011, most of the interviewers I met with threw in skeptical comments: "Well, maybe it will work out like in Japan," they said, or "It's too early to tell." When I met with staffers from the Senate Foreign Relations Committee in 2012, they said, "We'd like to believe you, but everything that State tells us contradicts your thesis that the money spent was just a big waste." Foreign Policy felt the need to run an angry rebuttal ("The greatest assets in many respects were our 'clients,' the Iraqi ministers, provincial officials, and local residents who were active and engaged at every level") to an excerpt from my book.

Well, now it's official. Although it took 10 years for the report to come out, according to the Special Inspector General for Iraq Reconstruction (SIGIR), "$60 billion in American taxpayer funds later, Iraq is still so unstable and broken that even its leaders question whether U.S. efforts to rebuild the war-torn nation were worth the cost."

Prime Minister Nouri al-Maliki said "that $55 billion could have brought great change in Iraq," but the positive effects of those funds were too often "lost."

Iraqi parliament speaker Osama al-Nujaifi, the country's top Sunni official, told auditors that the rebuilding efforts did not "achieve the purpose for which it was launched. Rather, it had unfavorable outcomes in general."

There "was usually a Plan A but never a Plan B," said Kurdish official Qubad Talabani, son of Iraqi President Jalal Talabani.

Shiite, Sunni, Kurd. Trust me, about the only thing everybody agrees on is the United States spent a bundle of money. According to the Associated Press, to date the United States has spent more than $60 billion in reconstruction grants on Iraq. That works out to about $15 million a day. Overall, including all military and diplomatic costs and other aid, the United States has spent at least $767 billion since the U.S.-led invasion began. Some funds are still being spent on ongoing projects.

I hate to say I told you so -- but I told you so. SIGIR, if you're out there, perhaps it would have been better to agree to meet with me back in 2009. I could have saved you some time and money. SIGIR, like everything else associated with the Iraq reconstruction, was expensive. The inspectors cost taxpayers $16 million this year, a bargain compared with the $30 million a year they used up during the war era itself. 

We all know that we study history to avoid repeating the mistakes of the past, so with the dreadful example of Iraq now clear, we can draw from it to avoid repeating the errors in Afghanistan. In fact, speaking of book titles, my volume on the Iraq failures was originally supposed to be called Lessons for Afghanistan from the Reconstruction of Iraq, before the editor thankfully nudged me toward the snarkier We Meant Well.

And yet … and yet … only the day before the SIGIR report on Iraq was issued, this magazine ran a long piece by Peter Bergen titled "What Went Right." The piece talks about al Qaeda on the run from Afghanistan (without mentioning how well the franchises in Iraq and North Africa are doing), cites gains in cell-phone usage (without discussing how much is due to billions of U.S. aid dollars dumped on the local markets), talks about how the Taliban have been vanquished (without understanding an insurgency avoids head-on clashes just before the other guys pack up and go home), and describes aspects of Kabul as "thriving" (based most likely on a conversation with some taxi driver). Incredulously, Bergen writes, "U.S. and other NATO forces have taken care to ensure that their soldiers do not contribute to the civilian death toll. Indeed, some American cities are today more violent than Afghanistan. In New Orleans, residents are now around six times more likely to be murdered than Afghan civilians are to be killed in the war" and concludes, "Maybe, not too long from now, a new generation of guidebooks will again be raving about the joys of springtime in the Hindu Kush."

Quite sadly, one only need change "Afghanistan" to "Iraq" in the article, and it could have been published in 2010, right down to the last line about tourists: The United States spent millions of dollars building tourist infrastructure around Iraq's ancient archaeological sites for naught. It idiotically helped sponsor the "Iraq Tourism Week" expo in Baghdad in 2009.

Meanwhile, the Special Inspector General for Afghanistan Reconstruction (SIGAR) has been issuing its own reports, saying among other things that "a significant portion" of the U.S. government's $400 million investment in large infrastructure projects in fiscal year 2011 alone may have been wasted because of poor planning. In an episode that could have come straight out of my book -- except that it took place years later in Afghanistan -- SIGAR released an inspection of the Imam Sahib Border Police company headquarters in Kunduz province, Afghanistan. The $7.3 million facility was built to hold 175 people, "yet only 12 were on site and no one was aware of any plans to move additional personnel to the facility. The personnel did not have keys to many of the buildings and most of the facility appeared to be unused. Additionally, there is no contract or plan to train personnel in the operations and maintenance of the facility raising questions about its sustainability." There are many, many more examples.

In asking why such mistakes are being repeated, one need only look at the people involved: A large percentage of the State Department personnel on the ground in Afghanistan are veterans of the Iraq reconstruction, as are the soldiers reconstructing alongside them. The same two U.S. Ambassadors (Zalmay Khalilzad and Ryan Crocker) ran both embassies at different times. Most of the lame and unskilled hirelings who worked with me in Iraq moved over to identical roles in Afghanistan, and even one of my old bosses found work in Afghanistan after retirement from State. On the macro level, the same massive contracting firms and security mercenaries continue to make bank. The fat paychecks help keep everyone looking the other way about "progress" and thus on-message.

Despite SIGAR finding that "delays, cost overruns, and poor construction of infrastructure projects … resulted in lost opportunities and in incalculable waste," the United States and its allies have already committed to $16 billion in economic aid to Afghanistan over the next four years. Costs for maintaining Afghan security forces are expected to come to over $4 billion per year.

There is a pop-psychology definition of mental illness that applies here: doing the same thing over and over expecting different results. And there's something grim about this. So while it feels good today to know I was right -- the reconstruction of Iraq I participated in is now unambiguously acknowledged as the failure I said it was years ago -- it still feels bad knowing someone else will need to write an article just like this in a few years, when we tally up the losses in Afghanistan.
