This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

Perlroth describes James R. Gosler as the architect of American cyberwarfare. He worked for various government intelligence agencies between 1979 and 2013 but was unable to share much about his decades-long, highly decorated career due to the top-secret nature of his work. He is, however, a legend in the field of information security for his work on establishing the CIA and NSA’s information security capabilities, which went from nonexistent to globally dominant on his watch. Perlroth characterizes him as an exceptionally skilled hacker who was unmatched in the NSA during his tenure for his ability to create, conceal, and weaponize vulnerabilities in even very simple computer programs. 

Gosler recognized the practical impossibility of securing the massively complex programs on which digital infrastructure and important computer systems relied, and he developed systems to exploit vulnerabilities in such systems for the purposes of intelligence-gathering. He also developed—and possibly implemented—plans to infiltrate the global manufacturing and supply chain of computer hardware components, in order to plant NSA bugs at the most fundamental levels of commercial devices. He admits that in the early 21st century, particularly following the 9/11 terrorist attacks, US intelligence agencies began hacking any and all devices that they could access so as to cast a wide net for data collection. The digital revolution provided the means and opportunity to collect unprecedented quantities of communications data from Americans and foreign citizens, as well as specific targets such as diplomats, officials, and journalists.

In the early 2000s, the NSA began a major recruitment drive aimed at attracting hackers to work for its TAO (Tailored Access Operations) team. They began a project known as TIA (Total Information Awareness), which aimed to pair cyberespionage tools with conventional spying methods in order to learn every possible detail about suspected terrorists and potential threats to national security. The Patriot Act was used to justify the commandeering of phone records, as well as the invasion of privacy of millions of American citizens. The period in which the USA conducted the so-called “War on Terror” was a golden age for digital spying, as America enjoyed practically uncontested domination of the cyber sphere amid the launching of new commercial sources of digital information such as Facebook and smartphones. However, the NSA’s fatal flaw, developed during this period, was the assumption that they were smarter and better-equipped than all of their rivals. The fact was that if the NSA could hack a system, then it was possible for another hacker to do so as well. Thus began a cyber arms race that continues to the present day.

In 2008, the United States crossed the figurative point of no return by using a cyberweapon against a rival nation. During the 2000s, Iran was dedicating significant resources to developing a nuclear program. Given the hostility between the two nations, Iran’s endeavor ran counter to US wishes and interests, posing a major perceived threat to Israel, a US ally. In order to dissuade the Israeli military from conducting a full-on bombing campaign against Iranian nuclear testing sites (an act of outright war that could escalate into a devastating conflict), the United States instead proposed using cyberweapons to sabotage computers at the nuclear base. (The specific cyberweapon employed was known as Stuxnet—a chain of zero-day exploits in Microsoft programs). This project was code-named Olympic Games. The chain of exploits (called a worm), was implanted in the sealed system of the nuclear facility via a tainted USB drive. Once it had invaded the system, the worm would cause nuclear reactors to spin too quickly for a period of time during which their sensors would continue to show normal readings. As a result, research was stalled and key equipment damaged. Ultimately, this project successfully prevented the progression of Iran’s nuclear program. However, Iranian analysts eventually discovered the existence of the bug, and in 2010, Stuxnet escaped from the closed system of the nuclear site and began infecting thousands of systems across the internet. The target of the NSA-designed bug was very specifically intended to only target systems with the specifications of the Iranian nuclear testing facilities, so the bug didn’t damage the other systems that it infected. However, its components—including the mechanisms by which it penetrated those systems—could be used more generally by hackers to pursue all sorts of unsavory motives. Stuxnet was clearly the product of sophisticated state-sponsored cyber-research facilities and hacking teams. The media focused initially on Israel and their intelligence agency, Mossad, as the likely culprits, but it soon became clear to the public that the United States and its NSA were also involved.

As the world became increasingly digitized over the following years, the amount of information available for digital harvesting only grew. The NSA continued to focus investments in offensive capabilities and neglected defensive systems even as Russian agencies began hacking American systems. In 2008, five former NSA hackers set up a private cyberweapon development company called VRL (Vulnerability Research Labs), which was paid enormous sums by government agencies to develop sophisticated hacking tools. The NSA’s policy on which zero-days to report to manufacturers for patching and which to stockpile was guided by the NOBUS (Nobody But Us) principle, which proposed giving developers the low-hanging fruit that other less-advanced states could access, while holding onto more sophisticated hacks that they believed to be unavailable to rival agencies. By 2012, however, this justification proved increasingly thin as the cyber capabilities of foreign nations continued to close the gap with those of the United States.