[lit-ideas] Misunderstanding The information Age

  • From: "M.A. Camp" <macampesq@xxxxxxxxx>
  • To: lit-ideas@xxxxxxxxxxxxx
  • Date: Sun, 2 Oct 2005 19:33:09 -0500

The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)
Time <http://www.time.com/time/archive/preview/0,10987,1098961,00.html> | September 5, 2005 | Nathan Thornburgh

It was another routine night for Shawn Carpenter. After a long day analyzing
computer-network security for Sandia National Laboratories, where much of
the U.S. nuclear arsenal is designed, Carpenter, 36, retreated to his ranch
house in the hills overlooking Albuquerque, N.M., for a quick dinner and an
early bedtime. He set his alarm for 2 a.m. Waking in the dark, he took a
thermos of coffee and a pack of Nicorette gum to the cluster of computer
terminals in his home office. As he had almost every night for the previous
four months, he worked at his secret volunteer job until dawn, not as Shawn
Carpenter, mid-level analyst, but as Spiderman--the apt nickname his
military-intelligence handlers gave him--tirelessly pursuing a group of
suspected Chinese cyberspies all over the world. Inside the machines, on a
mission he believed the U.S. government supported, he clung unseen to the
walls of their chat rooms and servers, secretly recording every move the
snoopers made, passing the information to the Army and later to the FBI.

The hackers he was stalking, part of a cyberespionage ring that federal
investigators code-named Titan Rain, first caught Carpenter's eye a year
earlier when he helped investigate a network break-in at Lockheed Martin in
September 2003. A strikingly similar attack hit Sandia several months later,
but it wasn't until Carpenter compared notes with a counterpart in Army
cyberintelligence that he suspected the scope of the threat. Methodical and
voracious, these hackers wanted all the files they could find, and they were
getting them by penetrating secure computer networks at the country's most
sensitive military bases, defense contractors and aerospace companies.

Carpenter had never seen hackers work so quickly, with such a sense of
purpose. They would commandeer a hidden section of a hard drive, zip up as
many files as possible and immediately transmit the data to way stations in
South Korea, Hong Kong or Taiwan before sending them to mainland China. They
always made a silent escape, wiping their electronic fingerprints clean and
leaving behind an almost undetectable beacon allowing them to re-enter the
machine at will. An entire attack took 10 to 30 minutes. "Most hackers, if
they actually get into a government network, get excited and make mistakes,"
says Carpenter. "Not these guys. They never hit a wrong key."
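The playbook described in the paragraph above (stage files on the victim, compress them, push them in one burst to a relay in a third country, wipe traces, leave a quiet beacon for re-entry) is what a network defender would try to catch in outbound flow logs. What follows is an added example written for this page, not code from the article, from Sandia or from the FBI investigation: two simple detections run over constructed flow records. The log format, the internal address ranges, the thresholds and the sample records are all assumptions chosen for illustration.

```python
"""Added example (not from the TIME article): catch the two halves of the
pattern described above in flow logs. Staged exfiltration shows up as a burst
of outbound bytes to one external host inside a short window (the article says
10 to 30 minutes per attack); the persistence beacon shows up as small,
evenly spaced connections back to the same external host. Thresholds, address
ranges and the sample records are assumptions, not data from the case."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal ranges; anything else counts as "external".
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records, "timestamp src dst bytes_out" (not real traffic).
# 10.1.1.5 pushes ~160 MB to 203.0.113.7 in 11 minutes, then beacons to
# 198.51.100.9 once an hour with ~300-byte connections. 10.1.1.9 is benign.
SAMPLE_FLOWS = """
2005-08-10T02:00:00 10.1.1.5 10.1.1.20 1200
2005-08-10T02:03:00 10.1.1.5 203.0.113.7 52428800
2005-08-10T02:09:00 10.1.1.5 203.0.113.7 61000000
2005-08-10T02:14:00 10.1.1.5 203.0.113.7 48000000
2005-08-10T03:00:00 10.1.1.5 198.51.100.9 310
2005-08-10T04:00:00 10.1.1.5 198.51.100.9 305
2005-08-10T05:00:00 10.1.1.5 198.51.100.9 312
2005-08-10T06:00:00 10.1.1.5 198.51.100.9 298
2005-08-10T07:00:00 10.1.1.5 198.51.100.9 301
2005-08-10T02:30:00 10.1.1.9 198.51.100.50 4000
2005-08-10T05:45:00 10.1.1.9 198.51.100.50 9000
2005-08-10T06:10:00 10.1.1.9 198.51.100.50 1500
"""


def parse_flows(text):
    """Parse 'timestamp src dst bytes' lines into (datetime, src, dst, int)."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def group_external(flows):
    """Bucket flows by (src, dst) for external destinations, sorted by time."""
    groups = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if is_external(dst):
            groups[(src, dst)].append((ts, nbytes))
    for recs in groups.values():
        recs.sort()
    return groups


def find_bulk_exfil(flows, window=timedelta(minutes=30), threshold=100_000_000):
    """Flag (src, dst) pairs that move >= threshold bytes inside one window.

    Returns (src, dst, bytes, window_start, window_end) for the heaviest
    qualifying window per pair. Assumed threshold: 100 MB in 30 minutes.
    """
    hits = []
    for (src, dst), recs in group_external(flows).items():
        best = None
        for i in range(len(recs)):
            total = 0
            for j in range(i, len(recs)):
                if recs[j][0] - recs[i][0] > window:
                    break
                total += recs[j][1]
                if total >= threshold and (best is None or total > best[0]):
                    best = (total, recs[i][0], recs[j][0])
        if best:
            hits.append((src, dst, best[0], best[1], best[2]))
    return hits


def find_beacons(flows, min_conns=5, max_cv=0.15, max_bytes=1024):
    """Flag small, regularly spaced connections to one external host.

    Regularity is measured as the coefficient of variation of the gaps
    between connections; real beacons add jitter, so max_cv is a tunable
    assumption. Returns (src, dst, mean_gap_seconds, connection_count).
    """
    hits = []
    for (src, dst), recs in group_external(flows).items():
        small = [ts for ts, nbytes in recs if nbytes <= max_bytes]
        if len(small) < min_conns:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(small, small[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, avg, len(small)))
    return hits


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for hit in find_bulk_exfil(flows):
        print("bulk exfil:", hit)
    for hit in find_beacons(flows):
        print("beacon:", hit)
```

Both checks are deliberately coarse: they key on volume and timing rather than on any signature of the tooling, which is the only angle the article gives a defender, and they will miss an adversary who throttles the transfer or randomizes the beacon interval. In practice they belong on flow data aggregated across the whole enclave, because the relays in South Korea, Hong Kong or Taiwan the article mentions look like ordinary external hosts on any single connection.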

Goaded by curiosity and a sense that he could help the U.S. defend itself
against a new breed of enemy, Carpenter gave chase to the attackers. He
hopped just as stealthily from computer to computer across the globe,
chasing the spies as they hijacked a web of far-flung computers. Eventually
he followed the trail to its apparent end, in the southern Chinese province
of Guangdong. He found that the attacks emanated from just three Chinese
routers that acted as the first connection point from a local network to the
Internet.

It was a stunning breakthrough. In the world of cyberspying, locating the
attackers' country of origin is rare. China, in particular, is known for
having poorly defended servers that outsiders from around the world
commandeer as their unwitting launchpads. Now Chinese computers appeared to
be the aggressors.

If so, the implications for U.S. security are disturbing. In recent years,
the counterintelligence community has grown increasingly anxious that
Chinese spies are poking into all sorts of American technology to compete
with the U.S. But tracking virtual enemies presents a different kind of
challenge to U.S. spy hunters. Foreign hackers invade a secure network with
a flick of a wrist, but if the feds want to track them back and shut them
down, they have to go through a cumbersome authorization process that can be
as tough as sending covert agents into foreign lands. Adding in extreme
sensitivity to anything involving possible Chinese espionage--remember the
debacle over alleged Los Alamos spy Wen Ho Lee?--and the fear of igniting an
international incident, it's not surprising the U.S. has found it difficult
and delicate to crack these cases.

In Washington, officials are tight-lipped about Titan Rain, insisting all
details of the case are classified. But high-level officials at three
agencies told TIME the penetration is considered serious. A federal
law-enforcement official familiar with the investigation says the FBI is
"aggressively" pursuing the possibility that the Chinese government is
behind the attacks. Yet they all caution that they don't yet know whether
the spying is official, a private-sector job or the work of many
independent, unrelated hands. The law-enforcement source says China has not
been cooperating with U.S. investigations of Titan Rain. China's State
Council Information Office, speaking for the government, told TIME the
charges about cyberspying and Titan Rain are "totally groundless,
irresponsible and unworthy of refute."

Despite the official U.S. silence, several government analysts who protect
the networks at military, nuclear-lab and defense-contractor facilities
tell TIME that Titan Rain is thought to rank among the most pervasive
cyberespionage threats that U.S. computer networks have ever faced. TIME has
obtained documents showing that since 2003, the hackers, eager to access
American know-how, have compromised secure networks ranging from the
Redstone Arsenal military base to NASA to the World Bank. In one case, the
hackers stole flight-planning software from the Army. So far, the files they
have vacuumed up are not classified secrets, but many are sensitive and
subject to strict export-control laws, which means they are strategically
important enough to require U.S. government licenses for foreign use.

Beyond worries about the sheer quantity of stolen data, a Department of
Defense (DOD) alert obtained by TIME raises the concern that Titan Rain
could be a point patrol for more serious assaults that could shut down or
even take over a number of U.S. military networks. Although he would not
comment on Titan Rain specifically, Pentagon spokesman Bryan Whitman says
any attacks on military computers are a concern. "When we have breaches of
our networks, it puts lives at stake," he says. "We take it very seriously."

As cyberspying metastasizes, frustrated network protectors say that the FBI
in particular doesn't have enough top-notch computer gumshoes to track down
the foreign rings and that their hands are often tied by the strict rules of
engagement. That's where independents--some call them vigilantes--like
Carpenter come in. After he made his first discoveries about Titan Rain in
March 2004, he began taking the information to unofficial contacts he had in
Army intelligence. Federal rules prohibit military-intelligence officers
from working with U.S. civilians, however, and by October, the Army passed
Carpenter and his late-night operation to the FBI. He says he was a
confidential informant for the FBI for the next five months. Reports from
his cybersurveillance eventually reached the highest levels of the bureau's
counterintelligence division, which says his work was folded into an
existing task force on the attacks. But his FBI connection didn't help when
his employers at Sandia found out what he was doing. They fired him and
stripped him of his Q clearance, the Department of Energy equivalent of
top-secret clearance. Carpenter's after-hours sleuthing, they said, was an
inappropriate use of confidential information he had gathered at his day
job. Under U.S. law, it is illegal for Americans to hack into foreign
computers.

Carpenter is speaking out about his case, he says, not just because he feels
personally maligned--although he filed suit in New Mexico last week for
defamation and wrongful termination. The FBI has acknowledged working with
him: evidence collected by TIME shows that FBI agents repeatedly assured him
he was providing important information to them. Less clear is whether he was
sleuthing with the tacit consent of the government or operating as a rogue
hacker. At the same time, the bureau was also investigating his actions
before ultimately deciding not to prosecute him. The FBI would not tell TIME
exactly what, if anything, it thought Carpenter had done wrong. Federal
cyberintelligence agents use information from freelance sources like
Carpenter at times but are also extremely leery about doing so, afraid that
the independent trackers may jeopardize investigations by trailing foes too
noisily or, even worse, may be bad guys themselves. When Carpenter deputized
himself to delve into the Titan Rain group, he put his career in jeopardy.
But he remains defiant, saying he's a whistle-blower whose case demonstrates
the need for reforms that would enable the U.S. to respond more effectively
and forcefully against the gathering storm of cyberthreats.

A TIME investigation into the case reveals how the Titan Rain attacks were
uncovered, why they are considered a significant threat now under
investigation by the Pentagon, the FBI and the Department of Homeland
Security and why the U.S. government has yet to stop them.

Carpenter thought he was making progress. When he uncovered the Titan Rain
routers in Guangdong, he carefully installed a homemade bugging code in the
primary router's software. It sent him an e-mail alert at an anonymous
Yahoo! account every time the gang made a move on the Net. Within two weeks,
his Yahoo! account was filled with almost 23,000 messages, one for each
connection the Titan Rain router made in its quest for files. He estimates
there were six to 10 workstations behind each of the three routers, staffed
around the clock. The gang stashed its stolen files in zombie servers in
South Korea, for example, before sending them back to Guangdong. In one,
Carpenter found a stockpile of aerospace documents with hundreds of detailed
schematics about propulsion systems, solar paneling and fuel tanks for the
Mars Reconnaissance Orbiter, the NASA probe launched in August. On the night
he woke at 2, Carpenter copied a huge collection of files that had been
stolen from Redstone Arsenal, home to the Army Aviation and Missile Command.
The attackers had grabbed specs for the aviation-mission-planning system for
Army helicopters, as well as Falconview 3.2, the flight-planning software
used by the Army and Air Force.

Even if official Washington is not certain, Carpenter and other
network-security analysts believe that the attacks are Chinese government
spying. "It's a hard thing to prove," says a network-intrusion-detection
analyst at a major U.S. defense contractor who has been studying Titan Rain
since 2003, "but this has been going on so long and it's so well organized
that the whole thing is state sponsored, I think." When it comes to
advancing their military by stealing data, "the Chinese are more aggressive"
than anyone else, David Szady, head of the FBI's counterintelligence unit,
told TIME earlier this year. "If they can steal it and do it in five years,
why [take longer] to develop it?"

Within the U.S. military, Titan Rain is raising alarms. A November 2003
government alert obtained by TIME details what a source close to the
investigation says was an early indication of Titan Rain's ability to cause
widespread havoc. Hundreds of Defense Department computer systems had been
penetrated by an insidious program known as a "trojan," the alert warned.
"These compromises ... allow an unknown adversary not only control over the
DOD hosts, but also the capability to use the DOD hosts in malicious
activity. The potential also exists for the perpetrator to potentially shut
down each host." The attacks were also stinging allies, including Britain,
Canada, Australia and New Zealand, where an unprecedented string of public
alerts issued in June 2005, two U.S. network-intrusion analysts tell TIME,
also referred to Titan Rain-related activity. "These electronic attacks
have been under way for a significant period of time, with a recent increase
in sophistication," warned Britain's National Infrastructure Security
Co-Ordination Center.

Titan Rain presents a severe test for the patchwork of agencies digging into
the problem. Both the cybercrime and counterintelligence divisions of the
FBI are investigating, the law-enforcement source tells TIME. But while the
FBI has a solid track record cajoling foreign governments into cooperating
in catching garden-variety hackers, the source says that China is not
cooperating with the U.S. on Titan Rain. The FBI would need high-level
diplomatic and Department of Justice authorization to do what Carpenter did
in sneaking into foreign computers. The military would have more flexibility
in hacking back against the Chinese, says a former high-ranking
Administration official, under a protocol called "preparation of the
battlefield." But if any U.S. agency got caught, it could spark an
international incident.

That's why Carpenter felt he could be useful to the FBI. Frustrated in
gathering cyberinfo, some agencies have in the past turned a blind eye to
freelancers--or even encouraged them--to do the job. After he hooked up
with the FBI, Carpenter was assured by the agents assigned to him that he
had done important and justified work in tracking Titan Rain attackers.
Within a couple of weeks, FBI agents asked him to stop sleuthing while they
got more authorization, but they still showered him with praise over the
next four months as he fed them technical analyses of what he had found
earlier. "This could very well impact national security at the highest
levels," Albuquerque field agent Christine Paz told him during one of their
many information-gathering sessions in Carpenter's home. His other main FBI
contact, special agent David Raymond, chimed in: "You're very important to
us," Raymond said. "I've got eight open cases throughout the United States
that your information is going to. And that's a lot." And in a letter
obtained by TIME, the FBI's Szady responded to a Senate investigator's
inquiry about Carpenter, saying, "The [FBI] is aggressively pursuing the
investigative leads provided by Mr. Carpenter."

Given such assurances, Carpenter was surprised when, in March 2005, his FBI
handlers stopped communicating with him altogether. Now the federal
law-enforcement source tells TIME that the bureau was actually investigating
Carpenter while it was working with him. Agents are supposed to check out
their informants, and intruding into foreign computers is illegal,
regardless of intent. But two sources familiar with Carpenter's story say
there is a gray area in cybersecurity, and Carpenter apparently felt he had
been unofficially encouraged by the military and, at least initially, by the
FBI. Although the U.S. Attorney declined to pursue charges against him,
Carpenter feels betrayed. "It's just ridiculous. I was tracking real bad
guys," he says. "But they are so afraid of taking risks that they wasted all
this time investigating me instead of going after Titan Rain." Worse, he
adds, they never asked for the passwords and other tools that could enable
them to pick up the investigative trail at the Guangdong router.

Carpenter was even more dismayed to find that his work with the FBI had got
him in trouble at Sandia. He says that when he first started tracking Titan
Rain to chase down Sandia's attackers, he told his superiors that he thought
he should share his findings with the Army, since it had been repeatedly hit
by Titan Rain as well. A March 2004 Sandia memo that Carpenter gave TIME
shows that he and his colleagues had been told to think like "World Class
Hackers" and to retrieve tools that other attackers had used against Sandia.
That's why Carpenter did not expect the answer he claims he got from his
bosses in response to Titan Rain: Not only should he not be trailing Titan
Rain but he was also expressly forbidden to share what he had learned with
anyone.

As a Navy veteran whose wife is a major in the Army Reserve, Carpenter felt
he could not accept that injunction. After several weeks of angry
meetings--including one in which Carpenter says Sandia counterintelligence
chief Bruce Held fumed that Carpenter should have been "decapitated" or "at
least left my office bloody" for having disobeyed his bosses--he was fired.
Citing Carpenter's civil lawsuit, Sandia was reluctant to discuss specifics
but responded to TIME with a statement: "Sandia does its work in the
national interest lawfully. When people step beyond clear boundaries in a
national security setting, there are consequences."

Carpenter says he has honored the FBI's request to stop following the
attackers. But he can't get Titan Rain out of his mind. Although he was
recently hired as a network-security analyst for another federal contractor
and his security clearance has been restored, "I'm not sleeping well," he
says. "I know the Titan Rain group is out there working, now more than
ever."
--
Cheers,
M.A. Camp, Esq.
