Age of the cyber spy

By Adam Lusher and Tim Shipman

At first the air force administrator just thought it was strange.

Checking the computer systems, he found a file listing user names and passwords. He deleted it and forgot it.

Until it happened again. A similar file re-appeared, within days, in the same system, at Wright-Patterson Air Force Base in Ohio.

“With a lot of help,” says a US security source, “he discovered that someone had put a programme copying the first 120 characters of every transaction through that base. So it was sending everyone’s login details to… someone.”

“We did some more digging,” the source adds. “We found over half a million compromised computer accounts across the US. These guys were going after Wright-Patterson, which was developing stealth technology, the Naval Research Centre, all the research facilities.

“We chased them for over a year. We used the FBI, the secret service, computer crime squads.

“We never found them. Who do I think it was? Officially? Not a clue. Unofficially? It was state-sponsored.”

The Wright-Patterson administrator, working when the Internet was still relatively young in the early 1990s, had stumbled upon a whole new dimension to warfare: cyberoperations.

This breaks down into two categories: cyberespionage, in which the spies are not humans but hacked computers; and the more openly aggressive field of cyberwarfare, in which “logic bombs” are used to hit military communications computers, rendering adversaries “deaf, dumb and blind”.

A terrorist might target the underbelly of a superpower’s civilian infrastructure, hacking into power and even hospital networks to create a cocktail of chaos.

Even a cursory check leaves the strong impression that the Ohio administrator’s experience was just the start.

In March 2002, nearly a decade after that first attack on Wright-Patterson, the base was bombarded by 125,000 attempts to hack into its systems. On a single Friday.

A little noticed Parliamentary answer last year revealed that a total of 225 British Ministry of Defence computers were feared to have been infected by 104 different malicious programmes in 2004 and 2005. A US defence official told The Sunday Telegraph bluntly: “They are waging a constant hidden campaign. It’s a battle every day.”

Some analysts go even further, warning of a revolution in warfare comparable to the advent of atomic weapons.

They have called — urgently — for a new Manhattan Project to ensure the Western world is defended.

Last week, they claim, the British public received its wake-up call. Reports claimed that Chinese hackers, some believed to be from the People’s Liberation Army (PLA), had hit the Foreign Office computer network. Up to ten Whitehall departments were allegedly being targeted for state secrets.

US officials were quoted as confirming that in June there had been a “detected penetration” in the Pentagon.

According to one quoted source, there was “a very high level of confidence… tending towards certainty” of PLA responsibility. The US codename for the alleged Chinese attacks emerged: “Titan Rain”. Vehement official Chinese denials followed.

British intelligence sources, however, told The Sunday Telegraph that the suspected Chinese infiltrations are sophisticated and serious. “The classified networks are reasonably secure,” said one former British intelligence officer, “but lots of smaller suppliers and subcontractors are naïve about what the Chinese, in particular, will do.

“In some companies they can probably read what they like, perhaps giving them information to crack more classified systems.”

“We haven’t got the people to monitor what they are doing,” he admitted, “because we’re so focused on the war on terror.”

If China is doing anything, however, she is hardly alone. Claims of 120 nations conducting cyberoperations were, sources hinted, an underestimate.

Indeed, one British security source revealed a new country may be entering the field: Iran.

As British military commanders spoke of fighting a proxy war with Iran in Basra, the source said: “People are concerned about Iranian activity on the Internet, although they don’t know how much of it is state sponsored.

“There have been a number of efforts against defence websites and British commercial concerns connected to the national infrastructure.”

An Iranian Foreign Ministry spokesman denied his country had been involved in anything like cyberespionage and suggested it may have been the victim of Western governments’ “black propaganda”: “usually such baseless stories show only aggressive approaches aimed at falsifying Western public opinion’s perception of the stance of the Islamic Republic of Iran.”

It might, anyway, be naive to expect too vociferous a British response.

In the 1990s, at about the same time that the Wright-Patterson administrator discovered the harsh realities of cyberespionage, our US security source spoke to an altogether friendlier group.

“They were British military. An offensive programme is taking place in the UK. The existence of any such programme anywhere is classified, but the Brits have it, the French have it, the US has it.”

He explained his British contacts were interested in disabling a putative enemy’s computers. This is cyberwarfare.

Cyberespionage was more delicate.

“There are white operations. A tremendous amount of publicly available information can be gathered from the Internet if you know how.

“Then there are black operations, where you are covertly and illegally trying to access somebody’s computer. No-one admits to that.

“I would just like to think that an organisation as respected as Britain’s is doing something that every other intelligence service in the world is doing.”

The US has, uniquely, been relatively open about its interest in cyberoperations, dropping hints that these are not solely defensive, and announcing the creation of a new “cyber command”, to become fully operational by October 2009.

Dr Lani Kass, the director of the Air Force Cyberspace Task Force, explained: “Cyberspace is a domain, just like air, space, land and sea. It allows us to help find, fix and finish the targets we’re after.” Cyber Command’s apparent novelty may disguise the (potentially reassuring) possibility that rival nations have, in fact, learned the art of cyberwarfare from us.

At the time of the first Gulf War, rumours abounded of American and British hacking, even the insertion of viruses into Iraqi command and control computers.

The US source, with more than two decades of senior experience in US defence institutions, confirmed: “I won’t go into specifics, but it happened.

“And when the Iraqi command and control system collapsed in 2003 — do you think that was achieved solely by bombing?”

It has now emerged that by 1995 a Chinese major general was writing a paper noting the use of computer viruses in the first Gulf War.

“Our sights,” he declared, “must not be fixed on the firepower warfare of the industrial age. They must be trained on the information warfare of the information age.”

What worries many analysts, however, is not the infiltrations that have been detected, but the sleepers: the malicious software sitting unnoticed, waiting to give a remote user access when the time comes.

In testimony to a Congressional committee last April, Sami Saydjari, a former Department of Defense executive, warned: “Such weapons may well be deployed already and we wouldn’t know it.”

He explained his vision of a massive strategic cyberoffensive, where an undetected adversary patiently compromises key computer after key computer, until ready to attack.

“Imagine the lights in this room suddenly go out. We venture into the streets. The power is out as far as the eye can see. The streets are jammed because the traffic lights are out. Day turns to night, but the power hasn’t returned. TV stations aren’t broadcasting. People begin to panic. Our national grid, telecommunications, and financial systems won’t be back for months. We’ve gone from a superpower to a third-world nation practically overnight.”

It sounds, perhaps, like science fiction.

Some analysts, however, suggest examining events in Estonia this spring.

First, after the authorities removed a Soviet war memorial, ethnic Russians clashed with Estonian police, prompting Vladimir Putin to express “serious concern”.

Then, on April 27, computer attacks started swamping Estonian telephone exchanges, banks and government departments. Nato observers were sent, Putin’s government denied any involvement, and it remains possible that it was the work of patriotic, civilian Russian hackers.

It did, however, demonstrate the possibilities.

“We are several orders of magnitude below the level of countermeasures we need,” insisted Mr Saydjari last week. In a globalised economy, for example, an attack on the British banking system would quickly affect the rest of the world.

“In 1939 Einstein felt duty-bound to warn President Roosevelt of a strategic threat from nuclear weapons. Now, again, we need a high-priority government programme on the order of the Manhattan Project.” Whether this is alarmist or realistic, only time, unfortunately, may tell.

Asked about the level of sleeper penetration of key computer networks, however, the US source simply admitted: “It terrifies me.”

In Britain, meanwhile, officials remain confident, publicly at least.

A GCHQ spokeswoman explained protection came from the National Infrastructure Security Co-ordination Centre, part of MI5. “We can’t comment on the details, but the UK is prepared,” she insisted.

It was when we asked further — about Britain’s possible offensive cyberoperations — that we perhaps glimpsed how those in the field have been working, and may continue to work, for years. “I think,” she said, “we have reached the extent of helpfulness here.”