WASHINGTON—If you weren’t paying attention last week, you might have missed the news that Chinese hackers have accessed blueprints of our most advanced military weapons and communications systems, including Patriot missile technology, the V22 Osprey, the Aegis Ballistic Defense System, and the Navy’s Littoral Combat Ship. This epic fail of our so-called “cyber security” efforts was reported quietly in the mainstream news and met with mild indignation among the Beltway Bubble’s punditry set.
Talk about a sleeper story — if all this is true then it isn’t a breach, it’s an invasion. And if we’re going to call this a “war,” well, it’s another one we’re well on the way to losing, despite the tens of billions of dollars the taxpayers have put into the waging.
For his part, President Barack Obama will “raise the issue” of cyber security with his Chinese counterpart Xi Jinping when they meet this week in California. We are sure Xi Jinping is shaking in his boots.
Not surprisingly, administration officials quickly downplayed Wednesday’s Washington Post story, which reprinted key elements in the confidential version of a report issued in January by the Pentagon-appointed Defense Science Board (DSB). Pentagon spokesman George Little and “other defense officials,” according to a subsequent Reuters account, downplayed the WaPo piece as old news.
Perhaps, seeing that a simple Google search finds that the Chinese cyber assault on our military secrets has been an open secret in Washington for years. But that doesn’t make the news any more outrageous. The Washington Post story helpfully packages together the drip, drip of these bodacious incursions, plus a heck of a lot we did not know about before. Read here for a list of the hacked systems and technologies and tell me it’s not somewhat staggering in its implications. Just think, the U.S. is spending upwards of $1.5 trillion on the boondoggle F-35 and the Chinese might already be cloning it!
It all begs the question: what have we been doing all these years besides bleeding the treasury and rearranging deck chairs on the Titanic? We got the War on Drugs, the wars in Iraq and Afghanistan, too. Are we really going to add another money pit to the list of failures and respond with a collective sign of passive resignation? All signs point “yes.”
It’s clear that the defense contracting community shares quite a bit of the responsibility here. Goliaths like Lockheed Martin, Boeing, Northrop Grumman, Raytheon, etc., not only build the weapons and develop the technology, but they hold hundreds of contracts and sub-contracts to provide cyber security services to the federal government, including every branch of the military and the National Security Agency (NSA) and CIA, too. Take a look at The Washington Post’s “Top Secret America” series from a few years back — 143 private companies were involved in cyber security for the feds in 2010, in addition to hundreds contracting directly with agencies and departments. Many of the big boys have offices stationed right near or at the NSA headquarters in Fort Meade, Maryland, and all over the Washington, D.C. metro area.
Yet news items over the last several years indicate that defense contractors can’t keep their own barn doors closed, leaving trillions of dollars worth of secrets open for the taking. Much of the problem has been the corporate world’s tendency to hide and deny its vulnerabilities, including security breaches, in order to present a rosier picture to their shareholders. Add that to the federal government’s tendency to over-classify and not share anything, and you have a recipe for the proverbial barrel of fish at which the Chinese are shooting, quite effectively, it seems.
In a 2011 Vanity Fair feature wryly entitled “Enter the Cyber Dragon,” writer Michael J. Gross paints a fairly un-funny portrait of the relentless attacks by the Chinese on both government and non-government entities in the U.S. One source he quotes called it a “low-level Cold War” between the two countries, yet from the sound of it — Gross describes major hacks against top U.S. defense contractors and private companies, including Internet giant Google, dating back to 2005 — America sounds like the oft-battered underdog, hardly scrappy, and always on the defense.
Nevertheless, defense sources are always declaring new cyber security strategies (we must take that literally, because there were several old ones, at least coming from the White House, beginning in the Clinton Administration), each time attempting to make it sound more like a ground war, which, despite a decade of real ground wars with clearly mixed results, is still supposed to conjure up something akin to Greatest Generation bravado.
“If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” said one military official to the Wall Street Journal in 2011, as the Pentagon released portions of a classified report that indicated the military was ready to consider certain cyber breaches an act of physical war.
The Pentagon has been talking pretty tough, but it’s clear they have a lot to be nervous about. In a confidential report that the security firm McAfee shared with Gross, it was revealed that over a five-year period, a “single adversary” had penetrated the networks of more than 70 major organizations (including government agencies and corporations) representing 30 different industries across the globe. Some two-thirds were based in the United States. When Gross asked McAfee if China was the “single adversary,” the security giant declined to speculate but simply said, “If others want to draw that conclusion, I would certainly not discourage them.”
Clearly, if you look at the case of the Stuxnet virus, which the U.S. engineered with Israel to attack Iran’s nuclear program beginning in the Bush Administration, the U.S. has the motivation and ability to go on the offensive, but it’s frankly appalling that after all the taxpayer money funneled into these agencies, not to mention all the contracts for cyber security the government gives the private sector, it is no closer to straddling the defense side of this problem than they were in say, 2009.
In 2009, the Pentagon established U.S. Cyber Army Command, a unified subcommand with representatives from each of the Armed Forces dedicated especially to cyber warfare and defense. It was given a four-star general, Gen. Keith Alexander, who also heads the National Security Agency (NSA). Ironically, after he took over the NSA from Director Michael Hayden in 2005, Alexander continued to run the NSA’s warrantless domestic wiretapping program — now the snoop is trying to figure out how not to get snooped.
“I believe the fix is in — we’re moving in the right direction,” Brigadier Gen. Steven Smith boasted to the National Cyber Defense Summit in late 2009. “It’s going to be a most interesting time to be in the cyber business in the US military.” Yeah, especially if you were one of the Beltway sellswords lining up at the trough. But even analysts at the time were skeptical about the “right direction” part: “Some policymakers seem to want to apply traditional solutions to a non-traditional threat,” one private contractor told this writer at the time. “The zeal for enterprise solutions in an effort to gain insight and efficiencies seems to come at the risk of developing a sort of ‘Cyber Maginot Line,’” he said
Since then, each of the Armed forces, NSA, DARPA, the Department of Homeland Security, CIA, DIA and dozens of other agencies and departments have joined a host of quasi-government advisory committees, commissions and panels, like the DSB, to tackle the issue of cyber security every day. Sadly, if one considers the breaches, it is looking more like the French Maginot Line, not to mention one of the greatest federal boondoggles of our young century, with the taxpayer at the losing end of the bargain, as usual.
Let’s take a look at the outlays for this “war.” In April, when President Obama announced his federal budget, he declared cyber security a key priority and asked for $4.7 billion to wage it — $800 million more than current levels. That would include $44 million for a new DHS cyber security initiative in which private companies like AT&T and Raytheon get money and access to classified government security information with which they will not only beef up their own security systems but farm out security services to other companies. So far, top companies that we know have experienced serious security leaks — like Raytheon, Northrop Grumman and Lockheed — have signed onto this program and are benefiting from it.
In addition, DHS is asking for $200 million for federal network security efforts in Fiscal Year 2014, $400 million for its National Cybersecurity Protection System, also known as EINSTEIN, $102 million for its US-CERT (Computer Emergency Readiness Teams), which are supposed to detect and respond to attacks, $70 million for cybersecurity research and development, plus more for investigating cyber crimes.
DARPA (Defense Advanced Research Projects Agency) has been getting a ton of taxpayer money, too, and like NSA’s program and others, much of its programs are secret. We do have a sense of some of the appropriations, though. In the Fiscal Year 2014 request, there is $267 million clearly specified for over a dozen non-classified cyber-related projects. But that’s only DARPA. The Pentagon is spending billions elsewhere, including $1.3 billion for “training of cyber analysts” (FY 2012), and a $17 billion “push for a National Cyber Range” to “test out cyberattacks and defenses,” according to Wired’s reporting in 2011. A Google search shows that the Army awarded Lockheed $80 million over five years to continue building that range in November 2012.
Putting all that money in perspective can be dizzying. But so is this picture: as fast as the money is poured into the sieve, just as much seems to be cascading out the other side. In other words, Google U.S. “cyber security” and “falling behind” and you get over 200,000 hits and the distinct impression that, like every other bloated government bureaucracy, money doesn’t not equal success.
But what’s the solution? Some say passing tougher policies like CISPA, which carries with it all sorts of terrible privacy ramifications for Americans (the feds will be picking our pockets and snooping in our emails) would help. Still others — like the indomitable neoconservative Charles Krauthammer — say an offensive blitz is the way to go. “I think we really have to unleash the beast here and to counter attack,” with “units that operate in the government, who will launch cyber attacks against the Chinese, as a deterrent,” he said, calling U.S. efforts so far “passive.” National Review’s editor-at-large Jonah Goldberg goes one step further on the same program, suggesting we should “issue letters of marque” to hackers, much like America did with 19th century privateers, and “unleash them” on the Chinese, who “are a bunch of kleptocratic thugs.”
But not everyone sees this “failing war” as simple as all that. Gordon Adams, an old school federal numbers cruncher, reminds us that it wasn’t so long ago that the government built up its weapons budget on the warning the U.S. was “falling behind” the Soviet Union. It turned out to be a lot of smoke and mirrors and a huge cash cow for the defense industry.
“Throughout the Cold War, ‘falling behind’ was the boilerplate justification for higher defense budgets. As [Secretary of Defense Caspar] Weinberger once said at a press conference on the budget, ‘the defense budget is written in Moscow, not Washington,’” Adams told Antiwar.com in a recent email exchange. He said the chances that this struggle against cyber espionage will ever be won are slim, considering that hackers will always find away around new safeguards.
“To me, (it’s) important to recognize that it’s an arms race and the reality is that we are deeply into it.”
After six trillion in Iraq and Afghanistan, that’s all we need. But if Adams is right, that makes Obama’s expected confrontation with Xi Jinping over cyber-espionage this week and in a planned meeting in July pretty perfunctory, and frankly pointless. What an apt word.
Follow Vlahos on Twitter @KelleyBVlahos