SHANE HARRIS, CALL YOUR PUBLICIST.
Harris is a persistent and incisive chronicler of the American security state, but there’s a revealing tension between the story he tells and the story his publisher has chosen to market. On its back cover, a review copy of Harris’s new book about the “Military-Internet Complex” describes a tale out of Tom Clancy: “A surprising, page-turning account of how the wars of the future are already being fought today.” In this story of sentinels on the watchtower, Harris “explains what the new cybersecurity regime means for all of us, who spend our daily lives bound to the Internet—and are vulnerable to its dangers.” Bad guys are out to get us, but good guys “patrol cyberspace” to “launch computer virus strikes against enemy targets.” Some miserable Hollywood content manufacturer is going to produce exactly this movie in a year or two, and we’ll be stuck watching Harrison Ford run around a command center in a general’s uniform, shouting gibberish about launching the virus.
But this is not the book Harris has written, or at least not the center of it. Instead, @War is a painful and vitally important account of the quiet, pernicious merger—already well advanced—of state power and corporate interests. It’s hard to read this book without feeling a kind of weary disgust. If the purpose of journalism is to arm citizens with information that they can use to act on the political processes that shape their lives, then journalism may not be what this book provides. It reads, instead, like an account of a fatal illness, diagnosed in time for the patient to arrange hospice care.
It’s not a simple story, so let’s start by working through a single narrative example. In the last half of 2010, Harris writes, WikiLeaks “was preparing to release potentially embarrassing information on Bank of America, including internal records and documents.” While the whistleblower site prepared to dent the image of a private corporation, officials at the Justice Department worked to get ahead of the leaks. Lawyers told lawyers to call lawyers: Federal prosecutors urged the bank’s legal team to reach out to a private-sector law office—the Washington, DC, arm of the megafirm Hunton & Williams—that had assembled “a kind of cyber propaganda operation against opponents of the US Chamber of Commerce.”
But Hunton & Williams wasn’t the actual attack dog; rather, it was a conduit and an organizer, outsourcing the work to a “trio of small tech companies” that mined data and compiled dossiers on business and political enemies. The dossier was the hoped-for end product. “Justice Department officials,” it turns out, “were looking for information they could use to indict WikiLeaks’ founder, Julian Assange.” In other words, federal officials “wanted to outsource part of their investigation” to that group of small companies, in the hope that private efforts could uncover damaging material for use in the courtroom. So they asked BofA to make the arrangements.
To close the circle, the trio of tech companies organized by a Washington law firm and recommended to a bank by the Justice Department included a Silicon Valley start-up called Palantir Technologies, which had strong venture-capital advocates in former Defense Department chairman Richard Perle and former CIA director George Tenet. “Palantir had also had early backing from the CIA’s venture capital group, In-Q-Tel,” Harris writes. Among Palantir’s clients are “the CIA, Special Operations Command, and the US Marine Corps . . . as well as the Defense Intelligence Agency, the National Counterterrorism Center, the Homeland Security Department, and the FBI.”
Try to find the line between the public and private sectors in that tangle of relationships. At this late stage in the emergence of a fully integrated corporate state, the CIA has a venture-capital group. Silicon Valley companies funded by the national-security state now work for the government. And federal agencies collaborate with private firms against organizations that threaten their shared interests. Prosecutors ask a bank to ask a law firm to hire private corporations that employ former government officials and serve government agencies, in order for prosecutors to ply these people for information.
This single incident takes up less than three pages of @War, but it carefully pulls apart a knotted set of relationships at the heart of American power. Harris has told an exceptionally important story here, but not just about surveillance. Consider it a business history of Leviathan, Inc. The structure of the all-seeing state, or of the state that fancies itself all-seeing, is firmly and consciously built on a model of corporate partnership. The private sector and the public sector are complementary enterprises, not opposing forces. The business of America is government; the regulatory entity buys and sells in a warm and ongoing business relationship with the regulated. Hey, what could go wrong?
Consider in this same regard the example of Endgame, another private-sector start-up, which sells its services to the National Security Agency (“one of Endgame’s biggest customers”) and “the CIA, Cyber Command, the British intelligence services, and major US corporations.” One of those items doesn’t fit the list, you might think, but you’d be wrong.
Now watch what happens when vigilant government agencies “patrol cyberspace” to protect our privacy. Alongside the NSA, Harris writes, the FBI employs a team of signals-intelligence (SIGINT) operators at the Quantico Marine Corps base in a program called the Data Intercept Technology Unit (DITU). “The DITU intercepts telephone calls and e-mails of terrorists and spies from inside the United States,” Harris writes, but it doesn’t just gather data; it also serves as a conduit: “A fiber-optic connection runs between Quantico and NSA Headquarters, so that the information the DITU collects from companies can be instantly transferred.” And yes, the FBI’s SIGINT operation is being fed customer data directly from American telecom companies—but using the DITU as a channel “gives technology companies the ability to say publicly that they do not provide any information about their customers directly to the NSA. And that’s true. They give it to the DITU, which then passes it to the NSA.”
Here’s the kicker—and as you digest it, try to remain alert for signs of a protective cyberpatrol that shields Americans from snoops and hackers who prowl the Internet: “It’s the DITU’s job to make sure that all American companies are building their networks and software applications in a way that complies with US surveillance law, so they can be easily tapped by government.”
That’s right: The federal government, the chief sentinel of our cybersecurity regime, forbids and labors against excessively tight computer-security measures, because it doesn’t want those doors closed on its snooping. Private-sector executives work with government officials to make sure their networks are sufficiently accessible to the officials who want access. And it’s not just DITU that does this. “Under a secret program called the SIGINT Enabling Project,” Harris writes, the NSA “strikes deals with technology companies to insert backdoors into their commercial products.” Our guardians actively weaken the systems that protect us—so they can protect us. Or if you prefer to use private-sector rhetoric: Businesses take payments from government to make their products worse.
But all of this government surveillance is very much a business, as Harris makes clear time and again. Like the commandos who learn their craft in the military and then retire to sell their services back to the government as contractors, employees of the surveillance state use national-security institutions as trade schools. Major corporations like Google and Twitter hire from the ranks of the NSA, turning public-sector training into private-sector salaries. Employees of the NSA’s elite Tailored Access Operations office “have gone on to work for government contractors, including the software maker SAP and Lockheed Martin, and for brand-name corporations, including Amazon.” Alternatively, government officials will leave their jobs and open their own consulting companies, providing security advice and technical services to corporations on contract.
Again, the effect is to erase boundaries. Say an NSA employee calls a technology executive at a corporation to discuss covert access to customer data—and the person who answers the phone at that private-sector company recently worked down the hall in the same government office. Does the former electronic-surveillance official resist his old colleague’s requests for electronic surveillance of his new employer’s customers? Is their relationship likely to be adversarial, or collegial?
Harris also details how the growing federal cybersecurity empire decides which industries and companies to protect, or to prioritize as clients of government protection. As the 2010 BofA episode shows, big banks rate lots of protection, and the upshot is that some corporations receive a set of services that others don’t. “The government was picking and choosing which kinds of companies would get special protection,” Harris writes, describing one such debate over the operational boundaries of a security effort.
At the core of most of these exotic reinventions of the corporate-government alliance is a simple business proposition: Companies can just collect cash straight from the surveillance state by selling it what it wants. A computer-security vendor, RSA, accepted $10 million from the NSA to install backdoors in an encryption product, for example, while foreign corporations received “tens of millions of dollars annually . . . to give the spy agencies privileged access to their networks and the data coursing through them.” In effect, a company selling you a product or service may regard you as just one customer in the transaction—the government being the other, wealthier customer: You get cell-phone service, and the NSA gets access to your cell phone. And in any scenario where the interests of one bloc of customers clashes with those of another, it’s not hard to imagine whose interests that company would regard as more important.
Working through the many implications of this emerging corporate surveillance state, Harris plausibly warns that we can’t entirely understand the blended entities we’re building. In particular, he argues, cyberwar “is becoming a private affair.” After all, the line between defensive and offensive operations on globally connected computer systems is also blurring, and corporate cybersecurity centers are developing the ability to undertake potential acts of war in a practice known euphemistically as “active defense.” In passive defense, corporate-security employees spot the hacker intruding on their network and shut him out; in active defense, they spot the hacker and provide clients with what they need to hack him back, breaking his tools. It’s the difference between protecting your house with a padlock and protecting it with a shotgun.
As Google fights to secure its products from hackers, Harris writes, the company “is no longer interested just in defending itself from attack.” Rather, Google now collects “zero day” vulnerabilities in technology products for possible use. A zero-day exploit attacks flaws unknown to the product’s makers, and thus leaves them with zero days to prepare a defense. Google’s logic, as Harris explains, is both elegantly simple and dangerous in its implications: “It wants the ability to go after the hackers trying to do it harm. It’s unclear whether Google has launched an offensive cyber attack on its own, but this much is certain: first, having a stockpile of zero day exploits would allow the company to start a private cyber war; and second, that would be illegal.”
There’s another difficulty for companies looking to go on the attack: Some of the hackers who might be targeted in aggressive security operations work for foreign governments. A Chinese-military hacker project “known as Unit 61398,” Harris writes, has been “clearly interested in potential attacks on critical infrastructure,” probing industrial control systems “used to regulate valves and security systems for oil and gas pipeline companies in North America.”
So to review: A private corporation, singled out for a cyberattack by a foreign government, might then respond aggressively on its own initiative, striking back at computer systems overseas and potentially causing harm to the real infrastructure those systems control. In theory, at least, Google has the power to take the United States to war with China.
If the lines between war and corporate security threaten to blur, so do those between corporate security and law enforcement. Microsoft has a Digital Crimes Unit, Harris writes, and it launches raids: For an effort the company code-named Operation b54, targeting a global hacker outfit called Citadel and supported by a court order, “Microsoft’s counter-hacking group eventually went to two Internet hosting facilities, in Pennsylvania and New Jersey, where, accompanied by US marshals, they gathered forensic evidence to attack Citadel’s network of botnets.” Encountering stories like this, a reader wonders if all those former government employees working for private corporations actually notice the difference between their old jobs and their new ones.
It’s perhaps inevitable, amid this promiscuous intermingling of data, software, and security enforcement, that the lines ostensibly demarcating the activities of different government agendas also blur, as competing agencies advance competing projects with wildly divergent effects. For years, Harris writes, the State Department has helped fund a secure routing system called Tor, which “allows people around the world to connect to the Internet anonymously.” State wanted to help “democracy activists and dissidents to evade the surveillance of oppressive regimes”—a reasonable goal accomplished by relatively modest means. While one government department worked to support Tor and build it up, though, “the NSA began trying to undermine the anonymizing features of Tor as early as 2006. And it has kept trying for years.” We have, in effect, two different federal policies on safeguarding anonymity online, each supported by the same treasury.
These stories only scratch the surface of Harris’s deep and careful effort, and @War is an unusually valuable rebuke to the grotesque, BuzzFeed-modeled carcass of American journalism. It’s a pleasant surprise to discover that someone still knows how to write this kind of book and is willing to bother. But what Harris doesn’t offer, and what doesn’t seem to be available, is a set of solutions, a way for ordinary citizens to begin to restrain the ubiquitous surveillance of the late-stage corporate state. If someone who has thought this carefully about the disease can’t offer a cure, it’s hard to see who could.
Chris Bray is the author of A Separate Justice: The History of the American Court Martial, forthcoming from Norton.
