How the United States lost to hackers

There is a reason why we believe in the fallacy that the offense could keep us safe: the offense was a bloody masterpiece.

Beginning in 2007, the United States, with Israel, carried out an attack on the Iranian nuclear facility at Natanz that destroyed about a fifth of Iran's centrifuges. This attack, known as Stuxnet, spread through seven holes, known as "zero days", in industrial software from Microsoft and Siemens. (Only one had been disclosed previously, but it had never been patched.) In the short term, Stuxnet was a resounding success. It delayed Iran's nuclear ambitions and kept the Israelis from bombing Natanz and unleashing World War III. In the long run, it showed allies and opponents what they were missing and changed the digital world order.

In the following decade, an arms race was born.

NSA analysts left the agency to open cyber weapon factories, such as Vulnerability Research Labs in Virginia, which sold click-and-shoot tools to US agencies and our closest English-speaking allies, the Five Eyes. A contractor, Immunity Inc., founded by a former NSA analyst, embarked on a more slippery slope. First, officials say, Immunity trained consultants like Booz Allen, then defense contractor Raytheon, then the Dutch and Norwegian governments. But the Turkish army soon came knocking.

Companies like CyberPoint took this a step further by setting up abroad, sharing the tools and skills that the UAE would eventually turn on its own people. In Europe, Pentagon spyware vendors such as Hacking Team started marketing these same tools to Russia and then to Sudan, which used them relentlessly.

As the market expanded beyond the NSA's direct control, the agency's focus remained on the attack. The NSA knew that the same vulnerabilities it was finding and exploiting elsewhere would, one day, hit Americans. Its answer to this dilemma was to reduce American exceptionalism to an acronym – NOBUS – which means "Nobody But Us". If the agency found a vulnerability that it believed only it could exploit, it would hoard it.

This strategy was part of what General Paul Nakasone, the current director of the NSA – and George Washington and Chinese strategist Sun Tzu before him – calls “active defense”.

In modern warfare, "active defense" is tantamount to hacking enemy networks. It is mutually assured destruction for the digital age: we have broken into Russia's troll networks and its grid as a show of strength; Iran's nuclear facilities, to take out its centrifuges; and Huawei's source code, to penetrate its customers in Iran, Syria and North Korea, for espionage and to establish an early warning system for the NSA, in theory, to prevent attacks before they hit.
