Inside a darkened conference room in the Miami Beach Holiday Inn, America’s most badass hackers are going to war – working their laptops between swigs of Bawls energy drink as Bassnectar booms in the background. A black guy with a soul patch crashes a power grid in North Korea. A stocky jock beside him storms a database of stolen credit cards in Russia. And a gangly geek in a black T-shirt busts into the Chinese Ministry of Information, represented by a glowing red star on his laptop screen. “Is the data secured?” his buddy asks him. “No,” he replies with a grin. They’re in.
Fortunately for the enemies, however, the attacks aren’t real. They’re part of a war game at HackMiami, a weekend gathering of underground hackers in South Beach. While meatheads and models jog obliviously outside, 150 code warriors hunker inside the hotel for a three-day bender of booze, break-ins and brainstorming. Some are felons. Some are con artists. But they’re all here for the same mission: to show off their skills and perhaps attract the attention of government and corporate recruiters. Scouts are here looking for a new breed of soldier to win the war raging in the online shadows. This explains the balding guy prowling the room with an “I’m Hiring Security Engineers. Interested?” button pinned to his polo shirt.
Hackers like these aren’t the outlaws of the Internet anymore. A 29-year-old who goes by the name th3_e5c@p15t says he’s ready to fight the good fight against the real-life bad guys. “If they topple our government, it could have disastrous results,” he says. “We’d be the front line, and the future of warfare would be us.”
After decades of seeming like a sci-fi fantasy, the cyberwar is on. China, Iran and other countries reportedly have armies of state-sponsored hackers infiltrating our critical infrastructure. The threats are the stuff of a Michael Bay blockbuster: downed power grids, derailed trains, nuclear meltdowns. Or, as then-Defense Secretary Leon Panetta put it last year, a “cyber-Pearl Harbor... an attack that would cause physical destruction and the loss of life, paralyze and shock the nation and create a profound new sense of vulnerability.” In his 2013 State of the Union address, President Obama said that “America must also face the rapidly growing threat from cyberattacks.…We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
The pixelated mushroom cloud first materialized in 2010 with the discovery of Stuxnet, a computer worm said to be designed by the Israeli and U.S. governments, which targeted uranium-enrichment facilities in Iran. Last fall, Iranian hackers reportedly erased 30,000 computers at a Middle Eastern oil company. In February, security researchers released a report that traced what was estimated to be hundreds of terabytes of stolen data from Fortune 500 companies and others by hackers in Shanghai. A leaked report from the Department of Homeland Security in May found “increasing hostility” aimed online against “U.S. critical infrastructure organizations” – power grids, water supplies, banks and so on.
Dave Marcus, director of threat intelligence and advance research at McAfee Federal Advanced Programs Groups, part of McAfee Labs, a leading computer-security firm, says the effects would be devastating. “If you shut off large portions of power, you’re not bringing people back to 1960, you’re bringing them back to 1860,” he says. “Shut off an interconnected society’s power for three weeks in this country, you will have chaos.”
Hence, events like HackMiami, where the competition to hire cyberwarriors is increasingly intense. “There’s too much demand and not enough talent,” says Jeff “The Dark Tangent” Moss, founder of the largest hacker convention, DefCon, held annually in Las Vegas. Despite the threats, a report by the Commission on the Theft of American Intellectual Property, a group comprised of former U.S. government, corporate and academic officials, recently concluded that so far the feds have been “utterly inadequate [in dealing] with the problem.” While Uncle Sam is jockeying for the Internet’s best troops, private security firms are offering way more pay and way less hassle. Charlie Miller, a famous hacker who exposed vulnerabilities in the MacBook Air and iPhone, spent five years with the National Security Agency before joining Twitter’s security team. Earlier this year, the DHS lost four top cybersecurity officials. In April, Peiter “Mudge” Zatko, a renowned member of the pioneering hacker collective Cult of the Dead Cow who was working at the DOD’s Defense Advanced Research Projects Agency, split for Silicon Valley to join his former DARPA boss, Regina Dugan. “Goodbye DARPA,” he tweeted. “Hello Google!”
As a result, there’s a metawar taking place: one between government and industry to score the country’s toughest geeks – like the ones here this weekend – to join their front lines before it’s too late. “We need hackers,” Janet Napolitano, secretary of the Department of Homeland Security, told Rolling Stone in June, “because this is the fastest-growing and fastest-changing area of threat that we’re confronting.” A month later, however, she announced that she was leaving DHS too – stepping down from her post to head the University of California system.
Hey, dude!” says David Bonvillain. “Let me buy you a mojito!” It’s not even noon at the Holiday Inn bar, but Bonvillain, head of the Denver-based Accuvant LABS, one of the most elite and flashiest computer-security firms, is already working the crowd because, as he puts it, the competition is “feverish.”
A brash, Ferrari-driving 40-year-old who chain-puffs an e-cigarette and is sleeved with tattoos, Bonvillain is among the country’s top hacker scouts. While the feds try to recruit hackers on the glory of public service, Accuvant has honed a sexier pitch. “We built an environment that allows people to legally do the things that would put them in jail,” Bonvillain says, exhaling vapor, “and we have a great time and make a good living doing it.”
Accuvant represents an upside to cyberwar: a booming market. Corporations spent $60 billion worldwide on information-security services last year, according to a report by Gartner, a technology-research firm, and are expected to shell out a whopping $86 billion in 2016. To the consternation of businesses around the world, entrepreneurial hackers hunt for security flaws, then sell the technical info to governments from Russia to North Korea, as well as the National Security Agency here. Google and Microsoft are among those who pony up as well, hoping to improve their products. Technical details on a single vulnerability go for as much as $150,000.
Accuvant specializes in attack and penetration, or “attack and pen” for short, infiltrating their clients’ computer systems to expose and improve weaknesses. Their clients include everyone from banks and hotels to federal agencies, which can pay upward of $100,000 for a single test of their services. To maintain integrity during a penetration test, the client’s underlings aren’t told they’re being targeted. A Minnesota casino hired Accuvant to try to break into its computer room and access its most sensitive data. Not only did the team succeed – convincing workers they were tech-support staff – they walked out the door carrying the casino’s computer servers. They then posed with their bounty by the slot machines, flipping off the camera for a picture they sent to the casino’s boss. Another time, they hacked a Department of Defense contractor by parking a rental car outside a warehouse and scanning the wireless network with laptops and antennas. “It’s sad, honestly, how vulnerable they are,” Bonvillain says.
Accuvant understands the talent better than most, because they rose from the hacker underground themselves. Bonvillain, a metal guitarist who spent a night in jail in high school after getting busted riding his motorcycle over 100 mph, started hacking computers and phone phreaking while at James Madison University in Virginia in the mid-Nineties. “I wanted to break into stuff,” he says. “I thought it was the coolest thing.” Inspired by the movie War Games but eager to stay out of trouble, he eventually put his skills to use as a professional hacker testing security for companies that paid him. “As soon as I found out that information security was actually a job and, even better, a job you could make some good cash at, that was all I wanted to do,” he says.
Jon “Humperdink” Miller, a hulking, goateed 31-year-old in a backward baseball cap and shorts, who, as head of research and development, oversees Accuvant’s military clients, is like a supersmart Chris Farley. He started attending hacker conventions at age 13 and became notorious when he appeared at DefCon with no shirt and a vanity license plate of his nickname around his neck. He jokes that his greatest hacker skill is “drinking,” for which he has an award named after himself at the Vegas confab. When he was in high school in San Diego, he says, he made $80,000 a year doing his own attack-and-pen operations. At 17, the National Security Agency offered him a college education, a company car and a substantial stipend if he agreed to work for them after graduation. But he passed on the offer. “Guys like me refuse to get clearance,” he says, gulping a beer. “You have to be professional. You have to be reserved. Here, like, if you’re a loud asshole and you’re smart, sweet! We know a lot of loud assholes.”
Bonvillain balks over security clearance too. “If you’ve smoked pot more than six times, you can’t join the FBI,” he says. “When they interviewed me, I asked, ‘In one day?’” The drug test is no small issue. A three-year no-use policy eliminates a huge slice of the young hackers coming out of school into the workforce. “That disqualifies a bunch of people that would be perfectly skilled and trustworthy,” says Moss, “just because they smoked pot in college.”
Attracting and keeping cyberwarriors is as much about marketing a lifestyle as it is offering big bucks. (The money is good, though, with salaries for top contractors at firms like Accuvant easily topping $200,000 a year.) “Look at Alex,” Bonvillain says, pointing at Accuvant’s head of security architecture, Alex Kah, a tatted-up Kentuckian with a slacker drawl. “Could you imagine him trying to go into the NSA with ‘Louisville’ tattooed across his neck?” Accuvant hires electronic-music duo the Crystal Method for its parties and makes the hippest swag in the business: bootleg Adidas tracksuits, stickers and T-shirts modeled after Iron Maiden’s “The Trooper.” To score one notorious hacker, they agreed to buy him his own gold-plated, $1,000 espresso machine. “The reason we’re successful is because we market this like a metal band,” Bonvillain says.
And they’re fired up by the enemy. Humperdink grows red in the face when he starts ranting about how China gives a pass to its rogue army of hackers. “If you’re a lone Chinese hacker not employed by the Chinese and you want to hack Charles Schwab, go for it,” Humperdink says. “Consequence-free. Do whatever you want. You’re fighting the great Satan. They’re completely covert about operational security. They don’t talk about active hacks against the U.S. That’s completely off the record. That shit happens every day.”
Their outrage makes them even more patriotic. Humperdink comes from a family of Marines and law enforcement. Bonvillain draws inspiration from his dad, a retired lieutenant colonel in the Army, who now works as an intelligence officer for the Defense Intelligence Agency – serving posts in the Balkans, Afghanistan and Iraq – and has been nominated for the counterintelligence’s hall of fame. “I’m deeply patriotic,” Bonvillain says. It’s the same blend of working-class blues and American pride that fueled the old military. “Every serious hacker that I know came from very, very blue-collar or underprivileged backgrounds,” he says. “It made them hungry. They’re willing to do whatever it takes.”
Scenario: Hackers use a computer worm to take command of controls at a nuclear power plant, causing a Chernobyl-style meltdown.
Reality: Stuxnet, which targeted a uranium-enrichment facility in Iran in 2010, proved this possible. Though Iran has not confirmed whether the worm successfully damaged the centrifuges, one Iranian scientist later reported that a hack forced computers to play AC/DC’s “Thunderstruck” at full volume on random machines in the middle of the night – just to drive them nuts.
Scenario: A worker at a power plant clicks on an e-mail link, unleashing malicious software, which crashes electricity for an entire city.
Reality: A 2013 congressional report on Electric Grid Vulnerability found more than a dozen of utilities report “daily,” “constant,” or “frequent” attempted cyberattacks on their systems – one utility reported 10,000 in a month. “We know that foreign cyberactors are probing America’s critical infrastructure networks,” then-Defense Secretary Leon Panetta said in October 2012. “They are targeting the computer control systems that operate chemical, electricity and water plants and those that guide transportation throughout the country.... We also know that they are seeking to create advanced tools to attack these systems and cause panic, destruction and even the loss of life.”
Scenario: Hackers take over train systems, derailing locomotives across America.
Reality: In 2008, a 14-year-old boy in Poland proved how easy this is to do. He built a device to control track points in the city of Lodz, causing four trams to jump tracks. "He treated it like any other schoolboy might a giant train set,” police said, “but it was lucky nobody was killed.” In December 2011, a rail company in the Pacific Northwest was attacked by hackers who disrupted train signals for two days. "Cyberattacks were not a major concern to most rail operators” until this time, the TSA stated in an internal memo obtained by Nextgov.com. “The conclusion that rail was [affected] by a cyberattack is very serious."
Scenario: Attackers hack into a water utility system, shutting off the water supply for an entire city.
Reality: In 2011, hackers breached a water plant in Springfield, Illinois, toggling the system on and off until one water pump burned out completely. Later that year, a hacker claimed to have used a simple three-character password to access the infrastructure system for South Houston – posting screenshots online to prove it. "I'm sorry this ain't a tale of advanced persistent threats and stuff,” he said, “but frankly most compromises I've seen have been a result of gross stupidity, not incredible technical skill on the part of the attacker. Sorry to disappoint."
Scenario: Phone systems get disabled. Missile launches can’t be monitored. Radio distress signals go unnoticed.
Reality: In 2011, the annual report of the U.S.-China Economic and Security Review Commission revealed that two U.S. government satellites had been hacked in 2007 and 2008 by hackers believed to be in China. “Such interference has the potential to pose numerous threats, particularly if achieved against satellites with more sensitive functions,” according to the report. “Access to a satellite‘s controls could allow an attacker to damage or destroy the satellite.”
Scenario: Hackers take over social media, posting messages from news organizations on Twitter, Instagram and Facebook saying that Obama has been assassinated – causing Wall Street investors to panic and sell off their goods.
Reality: Something like this happened for real in April, when hackers hijacked the Associated Press Twitter feed, posting the phony message "Breaking: Two Explosions in the White House and Barack Obama is injured." A group called the Syrian Electronic Army took credit for the hack, which caused a momentary $200 billion drop in the Dow.
To get a sense of just how weak our cyberdefenses are, I take a trip with Jayson Street, Chief Chaos Coordinator for another firm, Krypton Security, into the basement of a hotel in South Beach. We breeze past an open door with a taped sign that reads, “Doors must be closed at all times!!!” This is where the brains of the building live – the computer network, the alarm system, the hard drives of credit-card numbers – but, as Street tells a brawny security guard, he’s here on the job, “doing a Wi-Fi assessment.” Street, a paunchy, 45-year-old Oklahoman in a black T-shirt and jeans, flashes the hulk some indecipherable graphs on his tablet and says, “We’re good,” as he continues into another restricted room.
The doors aren’t locked. No one seems to be monitoring the security cameras. The wires for the burglar-alarm system are exposed, ready for an intruder to snip. We make our way to the unmanned computer room, where, in seconds, Street could install malware to swipe every credit-card number coming through the system if he wanted to. “They’re like every other hotel I’ve tried to go into,” he tells me. “They fail.”
Government agencies and corporations fly Street around the world to see if he can bullshit his way into their most sensitive data centers. He has scammed his way into a bank in Beirut, a financial center across from Ground Zero, a state treasury department. He usually records his infiltrations on a spy watch, a 16-gigabyte HD video recorder with infrared lights, then turns over the footage to his clients. When I ask Street the tricks of his trade, he tells me there are two keys to stealing data in person: act like you’re supposed to be there and carry a tablet PC, which convinces victims he’s a tech-support worker. “People see this thing,” he says, waving his tablet, “and think it’s magical.”
Street, who has authored a book about security flaws called Dissecting the Hack, is a highly sought-after speaker at hacker conventions from ones in China to this weekend’s in Miami, and has consulting gigs in Cyprus, Jamaica and Germany. “I am not an American hacker,” he says. “I am not a Oklahoma City hacker. I am a hacker. I don’t care what country you’re from. If you’re trying to defend yourself and you’re trying to work to better protect your company or your country, I’m all for it. I’m here trying to help secure the Internet.”
But there’s one job he’ll never take: working for the feds. “The American government has to understand that to get someone who thinks outside the box to work for you, you can’t immediately put them in a box,” he says. “And that’s the problem.”
Street is among the many who cite the legacy of the late hacktivist Aaron Swartz as a cautionary tale. A research fellow at Harvard, Swartz accessed the MIT computer system and downloaded millions of academic-journal articles. He was charged with violating the Computer Fraud and Abuse Act and, facing decades in prison and $1 million in fines, committed suicide in January. “The government says, ‘Hey, we really need your help, can you hack for us?’” Street says of Swartz. “And then, on the other hand, it’s like ‘Oh, you’re a hacker, you’re going to jail! We’re going to hound you until you kill yourself.’”
Gregory “Mobman” Hanis kicks back with his laptop on a florally upholstered couch in the Holiday Inn lobby, ready to annihilate another 45 million people. He’s not doing it in warfare, though: He’s hacking Candy Crush Saga, the most popular game on Facebook. As rows of sparkly treats fill his screen, he opens a second window, which contains a program he wrote. With a few deft strokes, he casually cranks his Candy Crush score to 10 million, earning the high score and swiftly crushing the dreams of players who devote hours a day – not to mention real money, which they use to buy extra lives – to the game. “It’s literally taking candy from babies,” he says, with a sigh.
There’s a reason he sounds so weary. Mobman is a 32-year-old wizard who can hack just about anything but has to settle for a job as a network admin for an online-poker company. That’s because he’s a convicted felon, a black hat who, because of one major fuck-up as a teen, can’t get hired directly by the feds or most private companies. His story represents another hitch in the cyber-recruitment race: the brilliant hackers who’ve crossed the line earlier in life. “I’ve been in there. I know it, and I’ve done it,” he says. “That’s what you would get from me.”
Like Street and the others, Mobman fits Bonvillain’s bill of being damaged and hungry. The son of a U.S. Marshall mother and an absentee father, he got A’s in schoolwork but F’s in conduct. “I was bored,” he says. “They didn’t push me.” Instead he pushed himself, writing a program that let him cheat in his favorite game, Ultima Online. Mobman just wanted to steal virtual weapons and gold to get an edge. But when the program, Sub7, leaked onto the Net, black hats around the world discovered it could be used to steal all kinds of things, including AOL accounts and credit-card numbers. Sub7, the first hacking tool of its kind, went viral. “I was like, ‘Holy shit,’” he recalls, “‘I’m gonna get in trouble.’”
Sub7 itself wasn’t illegal; it was the criminal use of it that was a problem. But in 1999, when Mobman was 19, after getting pissed at AT&T for refusing to fix his overcharged cellphone bill, he hacked into the company to change it himself. Instead, he says, he accidentally took down the entire AT&T network in California and Nevada for almost two days. (An AT&T spokesperson won’t confirm or deny the attack.)
After pleading to a charge of “modification of intellectual property,” Mobman spent seven months in jail awaiting trial before receiving five years' probation – and then spent months living on the streets after his mom refused to take him back in. The experience left him changed and determined to put his skills to good use. “That’s why I want a job,” he tells me. “So I can do it legally.”
The federal cyberforces, though, generally don’t hire felons. But private contractors like Accuvant are technically free to employ whomever they want. “For me – it depends on the felony :),” Bonvillain writes me in an e-mail. “There was a day (10 years back or so) that such a conviction would have prevented his employment. Today, that’s not as strict of an unwritten rule.” Though a felon would have trouble getting security clearance for more hands-on jobs, he could still contribute as part of the security team.
For now, this leaves guys like Mobman to hustle work on the private side, which he’s busy doing here this weekend. To help amp up his image, Mobman has been conducting his own security research at home, sometimes involving a bit of hacking. He gives companies the opportunity to fix bugs, then posts his findings in white papers online. One was about how hacking a single computer could take the entire country of Australia offline. Another one detailed security holes in the popular Web-page-programming software Joomla. However, a few days after he posted the former, he got a letter from the Department of Homeland Security. They weren’t impressed. They were informing him they’d taken the paper down.
The Biggest Military Hack Ever
For about a year, a single hacker had access to dozens of computers within the U.S. Army, Navy, Air Force, NASA and the Department of Defense. The hacker turned out to be Gary McKinnon, a man in London, later diagnosed with Aspergers, who claimed that he was merely looking for evidence of UFO technology. No matter, McKinnon’s hack exposed the absurd vulnerability of our military systems, which he accessed because they had miserably poor password protection. United States attorney Paul McNulty called McKinnon’s feat "the biggest military computer hack of all time."
The cyberwar with China began with Titan Rain, the U.S.’s code name for a series of attacks on government agency computers at the Defense Department, Homeland Security, as well as the State and Energy departments. "This is an ongoing, organized attempt to siphon off information from our unclassified systems,” one U.S. official said. A 2007 Pentagon report concluded that the People’s Liberation Army was stepping up its cybergame. "The PLA has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks," the report revealed. “In 2005, the PLA began to incorporate offensive [operations], primarily as first strikes against enemy networks."
After the Estonian government dismantled a Soviet World War II memorial, all hell broke loose online. Banks, news media and even government websites crashed in the wake of the most crippling cyberattack a country has ever seen. For the U.S., it was a foreboding sign of hackers’ brutally effective tools like denial-of-service attacks and botnets. Nashi, a young activist group supported by the Kremlin, later claimed responsibility, which the Kremlin denies. The hack showed how one lone hacker has the power to take down a country’s critical infrastructure with relative ease. Live Free or Die Hard turned from a fantasy scenario to a looming reality.
When YouTube pulled down a leaked Tom Cruise video hyping the Church of Scientology, it unleashed the wrath of the hacker collective Anonymous. The group attacked Scientology websites and rallied protests of the church via social media. Over the next several years, Anonymous became a potent political force. During 2011's Arab Spring, the group launched Operation Tunisia to fight against government surveillance. The next year, Anons claimed to have attacked 650 websites in Israel after the country’s latest actions in the Gaza Strip.
Power Grids and Fighter Jets
Current and former U.S. officials revealed to The Wall Street Journal that Chinese and Russian spies hacked our critical infrastructure, including power grids. One official said that the intruders had not yet sought to destroy these systems, but had left behind software programs that would enable them to do so at the flick of a switch. “If we go to war with them,” he warned, “they will try to turn them on." Department of Homeland Security head Janet Napolitano said that “the vulnerability is something [we] have known about for years.” Reports also implicated China for hacking into the plans for the Pentagon's $300 billion Joint Strike Fighter project. The Chinese Embassy responded in a statement that China "opposes and forbids all forms of cybercrimes” and called the reports “a product of the Cold War mentality…fabricated to fan up China threat sensations."
After sanctions were imposed on North Korea following nuclear tests in late May, the U.S. and South Korea faced days of sustained cyberattacks. In the U.S., computers at agencies including the Defense Department, the Treasury Department, the Secret Service, the State Department, the Federal Trade Commission and the Federal Aviation Administration were subjected to denial-of-service attacks, along with tens of thousands of computers in South Korea, according to that country’s National Intelligence Service. Though North Korea was suspected of having orchestrated the attacks, the source remains unknown.
Google was attacked by hackers in China. Dubbed Operation Aurora, after the type of application the hackers used, the massive case of cyberespionage was later attributed to the Chinese government, with U.S. companies including Adobe, Symantec, Northrop Grumman, Morgan Stanley and Yahoo falling victim. U.S. government officials later said that the hackers breached a secret database with what the Washington Post called “years’ worth of information about U.S. surveillance targets,” specifically Chinese spies being monitored in the United States.
Cyberwar entered a dangerous new era with Stuxnet, a computer worm said to have been created by the U.S. and Israel that attacked a uranium-enrichment plant in Iran. By compromising the industrial systems-operation software, Stuxnet was capable of spying on and controlling the computers, as well as destroying centrifuges. Stuxnet, which could be installed on infected thumb drives, spread out of control to at least five other countries, including the U.S. Defense Secretary Leon Panetta warned of a possible “cyber Pearl Harbor.”
Operation Shady RAT
McAfee, the security-research firm, uncovered a massive five-year wave of hacker attacks against governments, nonprofits and corporations around the world. Called Shady RAT, for the remote-access tool used by the infiltrators, the breaches hit over 70 organizations including government agencies in the U.S., Taiwan, Canada, and India, as well as the International Olympic Committee and several defense contractors. McAfee attributed the attacks to a single state actor, though didn’t name the country, which some sources believe to be China. "This is the biggest transfer of wealth in terms of intellectual property in history,” a McAfee exec said at the time. “The scale at which this is occurring is really, really frightening.”
U.S. Weapons Plans Hacked
In a report prepared for the Pentagon, the Defense Science Board found that hackers from China had accessed plans for more than two dozen of the U.S.’s most advance weapons systems. The targets included the Patriot missile system, Aegis ballistic-missile-defense system, Black Hawk choppers and the $1.4 trillion F-35 Joint Strike Fighter, the costliest fighter jet ever made. “When I look at the theft of intellectual property to the tune of $1 trillion,” said Texas Rep. Michael McCaul, “that’s a serious economic issue for the United States.” A Chinese Foreign Ministry spokesman responded by saying that “China pays high attention to the cybersecurity issue and is firmly opposed to all forms of hacker attacks.”
Iran Hacks U.S. Energy Companies
Hackers, with the support of the Iranian government, were exposed for targeting oil and gas companies in the U.S. "This is representative of stepped-up cyberactivity by the Iranian regime. The more they do this, the more our concerns grow," one U.S. official said. "What they have done so far has certainly been noticed, and they should be cautious."
U.S. Goes on the Cyberoffensive
An unpublished presidential directive from Obama leaked, showing that the U.S. is going on the cyber offense. “Offensive Cyber Effects Operations,” the report stated, “can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.” Among other things, the report authorized cyberwar attacks when “U.S. national interests and equities” were at stake, but also left room for “anticipatory action” just in case. Adding fuel to the fire, National Security Agency leaker Edward Snowden claimed that the U.S. has already hacked thousands of targets, including computers in China.
Cyberwar, like any war, never rests. Neither does the simulated one taking place at HackMiami, where co-founder Rod Soto, a 38-year-old computer-security specialist from the area, is running a cyberwar game. Though the consequences of their hacking are fake, the technology they’re breaking is real. They actually are hacking Fedora, an operating system used by computers in China, infiltrating Zeus, a malicious “botnet” army of computers, and commandeering North Korean industrial controls for power-plant systems. It’s just that everything’s simulated and run on a closed network, so as not to inadvertently start World War III. The purpose of this event, besides the recruiting going on, is to teach the hackers how to find vulnerabilities in other nation’s machines. “It gives you the blueprint and the knowledge if you ever want to attack them,” Soto says.
So far, the truth about the extent of the U.S.’s offensive attacks against other countries has been shadowy at best. There’s Stuxnet, which has yet to be officially attributed to the U.S. (or Israel), and NSA leaker Edward Snowden’s recent claim the U.S. has launched widespread cyberattacks against China. Beyond that, the closest we’ve come was Hillary Clinton’s admission last year of a State Department attack on an Al Qaeda propaganda site in Yemen.
The tensions around this topic are partly because the laws governing cyberwar are still being determined. As Rear Adm. Margaret Klein, chief of staff of Cyber Command, the Ft. Meade-based defense center for U.S. military networks, put it last year, “Attorneys and scholars face a variety of complex legal issues arising around the use of this new technology.” But experts are pushing for more offensive measures regardless. The Commission on the Theft of American Intellectual Property concluded that “new options need to be considered.” It seems our government is already heeding the call.
A June leak of a presidential directive from Obama, which had been issued in October, reveals that the U.S. is, at the very least, getting its cyberwarriors in line. In addition to calling for a list of international targets, the directive argued that “Offensive Cyber Effects Operations... can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.”
But while the government remains quiet about the existence or extent of their offensive measures, hackers and contractors I spoke with are, albeit cautiously, more forthcoming. HackMiami organizers James Ball and Alex Heid, security specialists for a major financial company they prefer not to name so as not to anger their bosses, say they have based this weekend’s cyberwar simulation on real-life hacks they conducted on their own of terrorist networks and organized-crime groups. Ball infiltrated an Al Qaeda forum online and posted the archives on his site, TerroristMedia.com. Heid became notorious for hacking the stealthy Zeus botnet in Russia.
But the government hires private contractors to do such attacks on its behalf as well. The cyberwar underworld is rife with contractors who fashion themselves to be “the Blackwater of the Internet,” as Heid puts it, “information mercenaries…private sector guys who are going on the offensive, but you don’t hear about it.” At least not usually.
Companies like Accuvant are capable of creating custom software that can enter outside systems and gather intelligence or even shut down a server, for which they get can paid up to $1 million. For example, Humperdink says, they would be able to unleash an attack to take a country like China completely offline. “We could stop their cyberwarfare program,” he says. “Five years ago, I remember the North Koreans were doing missile testing, right? If [the U.S. government] came to a company like us and said, ‘Here’s $15 million,’ we could turn a North Korean missile into a brick. If you came to us with $20 million and said, ‘We wanna disable every computer there in Iran, and they’d have to replace them’ – not a problem.” For added flair, each program Accuvant sells gets its own cyberpunk handle – like Purple Mantis – and is delivered on a jet-black thumb drive inside a custom case with the name laser-etched on a plaque.
“So how many offensive plays are going on now?” I ask.
“A lot,” Bonvillain says.
“More than people would realize?”
“Yes,” he replies.
Then Bonvillain falls silent. He puffs his e-cigarette, considering a more diplomatic response. “The U.S. government,” he says, “is great at hiding everything they do.”
To see what the front line of cyberwar really looks like, I visit the National Cybersecurity and Communications Integration Center in Arlington, Virginia, the Department of Homeland Security’s mission control. It’s one of our most important hubs in digital warfare, alongside the FBI and NSA. A wall of video screens show online the attacks on the IRS and NASA – both agencies were compromised by a Distributed Denial of Service Attack, a technique that floods a site with access requests, slowing or downing it completely.
The four-year-old NCCIC – employees pronounce it “enkick” – is the country’s nerve center for online threats. Twenty-four hours a day, teams drawn from a pool of 500 DHS cyberpersonnel sit at the ready in this sprawling, windowless command cave. Flickering diagrams on the front wall track the dangers in real time: traffic anomalies at federal agencies, cyberalert levels for each state’s website, a map of our country’s telecommunications system (“There’s no cyber without fiber!” a steely engineer tells me).
Fortunately, at the moment, the threat against the IRS and NASA proves to be relatively harmless. However, the number of cyberincidents is on the rise. Fiscal year 2012 saw 190,000; this year’s number is already over 214,000.
Overhauling the feds’ image to lure young tech talent has become a major priority. In a way, it’s akin to the shift in Silicon Valley – away from the business suits of IBM to the Adidas sandals of today. The National Science Foundation now offers a CyberCorps Scholarship for Service program that places winning students in government agencies. The DHS is among the sponsors of the invite-only “Cyber Camps,” which hold hacking contests for prospective employees. Aside from the “sense of duty” and high-level security clearance that NCCIC director Larry Zelvin tells me lures his team away from fat paydays elsewhere, the power of being inside the government system is the greatest perk. “You just don’t get that in a corporation,” he says.
Last year, the DHS assembled a cyberskills task force, which drew from hacker hubs including Facebook and DefCon, to recommend changes in their recruiting. To get the estimated 600 more hackers the DHS needs, the report concluded, the agency should “focus more attention and resources on…‘branding’ of cybersecurity positions,” including “cool jobs.”
Napolitano says that “the money and the culture” are the chief obstacles the Department of Homeland Security runs into when recruiting hackers to join. “We don’t require our folks to wear a coat and tie,” she says, “and I’m not interested in the precise hours they work as much as I’m interested in getting the work done” – but she stops short of saying hackers can work from home in Teenage Mutant Ninja Turtle pajamas.
But maybe if you’re young and brilliant and looking for online action, there’s something undeniable about working for the biggest, baddest government on the planet. Sitting here under the dormant red warning lights, there’s a sense of being at the center of the matrix – and this is plenty tantalizing for some, including th3_e5c@p15t, winner of the cyberwar contest back at HackMiami. With his skills, he can write his own ticket, which he hopes to cash in with the feds. He says he wants to be as close to the front line as he can get: “I see it as a righteous cause.”
Rolling Stone contributing editor David Kushner is the author of “Jacked: The Outlaw Story of Grand Theft Auto.”