Juan Zarate
Treasury's War Page 43
Perhaps the biggest source of US vulnerability is not in terms of physical resources but rather in virtual systems. As former director of national intelligence Mike McConnell noted before the Senate, “If we were in a cyberwar today, the United States would lose. This is not because we do not have talented people or cutting-edge technology; it is because we are simply the most dependent and the most vulnerable.”56 The Internet contributed an estimated 15 percent to the US GDP between 2004 and 2009, and US companies captured 35 percent of total Internet revenues earned by the top 250 Internet-related companies in the world.57 In a recent speech, General Keith Alexander, the head of the National Security Agency and Cyber Command, pointing to a seventeen-fold increase in attacks against US infrastructure between 2009 and 2011, graded US preparedness to withstand a cyber-attack against its critical network infrastructure as “around a 3” on a 10-point scale.58
The cyber-domain is the newest “final” frontier of geopolitical competition. The low-grade cyber-battle in which Google and China have engaged, with Google fighting off mass penetrations and theft of its data (including proprietary information as well as information tied to the identities of Chinese dissidents), shows that this is a realm in which state and nonstate actors can intermingle and do battle anonymously or via proxy. In addition, the cyber-realm is one in which infrastructure can be disrupted remotely. The globalized cyber supply chain can be easily manipulated. Since hard drives, chips, and the backbone of the cyber-infrastructure (including the increasing reliance on cloud computing) come from overseas, especially from East Asia, this is a particular concern for the United States.
Given the criminal opportunities that abound in this world, it is no surprise that cyber-intrusions and attacks are increasing at a devastating rate—with billions of dollars’ worth of intellectual property and value stolen digitally every year. It is estimated that the cost of cyber-crime to the global economy could be more than $1 trillion annually.59 Over the past few years, economic cyber-intrusions and targeted searches and attacks have hit the International Monetary Fund, Lockheed Martin’s information systems (via stolen SecurID data), Google’s mainframes, Sony’s PlayStation data, Bank of America, and Citibank. On August 3, 2011, the computer security firm McAfee issued a report revealing the largest “cyber-attack to date,” which had targeted the data and systems of seventy-two organizations and companies around the world for over five years—enabled by an unidentified state actor presumed to be China. According to McAfee’s vice president of threat research, Dmitri Alperovitch, “what is happening to all this data is still largely an open question. However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat.”60
This McAfee report was preceded by a February 8, 2011, report, also by McAfee, detailing the hacking of several US oil companies from 2008 to 2010—with the cyber-intruders likely coming from China and having found their way into sensitive research and development files. This was the first time that such a massive intrusion and economic espionage operation had been reportedly directed at US oil company computers. US state secrets were not at risk, but valuable economic and oil resource research was. This research was vital to bidding by US oil companies on oil-field rights in Iraq, Sudan, Ghana, and other lucrative sites around the world.61 In the words of General Keith Alexander, cyber-attacks on the United States are resulting in the “greatest transfer of wealth in history.”62
The Coming Cyber Financial Wars
The blending of financial and cyber warfare represents the new frontier. Evidence suggests that state-sponsored cyber warfare is intensifying as part of a growing “cyber arms race.”63 The most prominent cyber-battle to date was the use of the Stuxnet virus—believed to have been jointly developed by the United States and Israel—to sabotage Iranian nuclear facilities, and its subsequent “escape” on the Internet.64 But interestingly, the cyber-battles of today are beginning to meld with the strategies and tactics of financial warfare. This is also a theater of battle in which multiple actors can align for a common purpose—combining state and nonstate proxies in the cyber-domain. A recently deployed cyber-weapon clearly illustrates the players, payoffs, and perils of cyber-espionage and warfare through economic and digital means.
On August 9, 2012, the Moscow-based security firm Kaspersky Lab announced that it had discovered a new “Gauss” virus (named after a file name in its codebase). Kaspersky Lab has historical connections to Russian intelligence and has made a practice of outing and analyzing computer viruses—often using crowdsourcing to help break codes. The Gauss virus had infected approximately 2,500 computers, the majority of which—1,660, to be exact, including 483 in Israel and 261 in the Palestinian territories—are tied to Lebanese banks, with the first attacks going back to at least September 2011. Once the infection took hold, Gauss was capable of capturing and transmitting detailed records of information, such as browser histories, cookies, profiles, and system configurations. Once the virus was discovered, its communications were shut down, but not disabled. Apparently, they are still lying dormant, awaiting activation by an unknown controlling source.
Gauss’s complexity and sophistication have led Kaspersky’s experts to conclude that the virus is a state-sponsored descendant of Stuxnet, coming from the same “factory.” It is able to track flows of money and tap into infected computers. But it also carries an encrypted “payload” that targets specific systems, much like the Stuxnet virus. Perhaps most revealing is that Gauss shares critical coding and platform features with the Flame virus, another data-mining virus and Stuxnet family member capable of extensive surveillance of infected computers that was discovered on Iranian computers in May 2012. But whereas Flame, which infected only seven hundred computers, cast a wide net toward all types of data, Gauss’s focus is more attenuated, capturing primarily transaction data from a handful of specific Lebanese banks.65 Indeed, unlike typical nonstate cyber-criminal malware, which tends to target a large number of small banks, Gauss targets a small number of large banks.
Gauss is so complex that Kaspersky has not been able to determine the function of its payload (what it has designated “resource 100”), though the firm suspects that it could trigger the destruction of critical infrastructure or some other high-profile target. To learn more, Kaspersky has crowdsourced the solution, asking freelance hackers to crack the payload encryption and publishing the first 32 bytes of each encrypted section in Gauss to facilitate the process. Previously, Kaspersky successfully used crowdsourcing to identify the programming language used in the state-sponsored Duqu malware.66
In light of the target, the claim of state sponsorship makes sense. Lebanon is “something like the Switzerland of the modern Middle East,” wrote Katherine Maher, a digital rights security expert, in The Atlantic. “More than 60 banks manage nearly $120 billion in private deposits in a country of 4.3 million people, and account for roughly 35 percent of the country’s economic activity.” Lebanese banks are among the most secretive in the world, and their opacity has long been a concern for US financial regulators seeking to disrupt money launderers and terrorist financiers. The Lebanese banking system has come under direct fire as a financial way station for Iran, Syria, Hezbollah, and illicit financial flows.67
With Stuxnet and Flame, the target was a rogue regime’s nuclear program. With Gauss, the target seems to be the banks of an important financial center in the Middle East, where rogue elements leverage the banking facilities. Western states’ interest in Lebanon’s private sector has traditionally focused on “know your customer” and transaction data rules. Gauss now ups the ante with aggressive information collection and destructive payload delivery.68 All of this suggests that states are willing to use cyber-weapons to impact the banking system and to engage in open cyber financial warfare. If Stuxnet and Flame represent the more “conventional” forms of cyber warfare, then Gauss is akin to financial counterinsurgency: long-term, low-grade, persistent conflict rather than quick, high-profile battles with decisive results. This is a messy process, one with no clear line between enemies and friends or between private and public interests. The process also raises a host of questions about the ethics of cyber warfare and about the overall stability of the global financial system. How does such a financial system go about its business in the shadow of an indecipherable payload that could potentially sabotage the system’s entire infrastructure? Perhaps the very existence and broader awareness of the virus is good enough—with the intended goal simply to engender a loss of faith and confidence in the Beirut financial system. Without trust, no financial center can last.
Gauss seems to represent the leading edge of cyber financial warfare. This is a type of conflict in which there are no ceasefires, no clear rules, and no uniforms to identify the combatants. What is more, despite the fact that the United States starts with an enormous technological advantage, its size, relative transparency, and legal constraints may place it at a disadvantage on the cyber-battlefield. Indeed, this is a battlefield defined by potential asymmetric power disparities. An individual hacker can emerge as a cyber-power, one whose relative isolation, anonymity, and small footprint is a source of strength.
The Iranian government has entered the fray in response to the financial assault on its economy and currency. In September 2012, a Middle Eastern hacker group identifying itself as Izz ad-Din al-Qassam Cyber Fighters conducted a massive denial-of-service attack against the electronic banking operations of JP Morgan Chase, Citigroup, PNC Bank, Wells Fargo, US Bancorp, and Bank of America. By increasing fake demands on the banks’ sites at a rate some ten to twenty times higher than average denial-of-service attacks, the new group was temporarily able to suspend access to checking accounts, mortgages, and other bank services. Perhaps more troubling is that the mysterious group warned these financial institutions that an attack was imminent, but the banks proved unable to stop it. Though Izz ad-Din al-Qassam is also the name of the military wing of Hamas, Senator Joseph Lieberman, then chairman of the Homeland Security Committee, argued that the attacks were connected to the Iranian Islamic Revolutionary Guard Corps–Qods Force.69 Major banks, including non-US banks, continue to be attacked by intense denial-of-service operations.
At the same time, hackers calling themselves the “Cutting Sword of Justice” attacked the computers and control systems of Saudi Arabia’s national oil company, Aramco—which produces a tenth of the world’s oil supply—for weeks. In December 2012, the Saudi government admitted that the virus, dubbed “Shamoon,” had destroyed 30,000 computers and wiped out hard drives, but did not succeed in disrupting production or operations.
We can expect viruses far more advanced than Gauss or Shamoon to emerge shortly—the methods of cyber-war will continue to evolve rapidly in sophistication. We can also expect the pace of cyber-attacks to pick up. The technology of cyber warfare is evolving at an exponential rate. Also, unlike traditional combat, cyber warfare has few normative restraints to limit its escalation and few controls to counter its proliferation to nonstate actors.
The Gauss incident highlights the vulnerability that is found in fragile financial markets. Regulators cannot keep up with the pace of growth taking place in the speed, level of anonymity, and volume of trading. In what is described as a “race to zero,” trading is moving faster and faster—and further away from the gaze and capacity of national regulators. According to trade negotiator Harald Malmgren and Mark Stys, it has gone “from trading in milliseconds (thousandths of a second) a couple of years ago to trading in microseconds (millionths of a second) now, and for cutting edge traders, pursuit in trading in picoseconds (trillionths of a second).”70 High-frequency trading firms “represent approximately 2% of the 20,000 or so trading firms operating in the U.S. markets . . . [but] account for 73% of all U.S. equity trading volume,” according to one trading technology consultant.71 During the “Flash Crash” episode of 2010, a trading algorithm dumped 75,000 futures contracts valued at $4.1 billion on the market in a twenty-minute period. The losses were staggering, causing a 600-point fall in the Dow and erasing $862 billion from the value of equities before an automatic circuit breaker paused trading.72
Though the mass volume of such trading provides a buffer against manipulation, the sheer speed and anonymity of the cross-border trading across asset classes increase the risks and the potential for markets to be manipulated and cornered by savvy criminal and nefarious actors—for profit or other purposes.73 The World Economic Forum’s Global Risks 2008 report highlighted the paradox that inheres in the international financial system: “While the financial system has been made more efficient and stable in normal times, it is now also more prone to excessive instability in really bad times,” the report said. “But changes in the financial markets, while providing many benefits, have also created new and unforeseen risks which may be more susceptible to exogenous shocks (such as geopolitical risk) or internal factors (such as speculative bubbles).”74
Such manipulation or shaping of markets could be amplified by the flows of information so readily available via the Internet and twenty-four-hour business channels around the world. The anonymity and speed of trade, combined with lax US laws and regulatory oversight on beneficial ownership of companies and controlling interests of offshore investment funds, add to the potential that criminals and nefarious actors could use the US financial system not only to launder proceeds but to manipulate, corner, or extort via market control or penetration. The estimated amount of laundered funds that make their way through US banks ranges conservatively between $250 billion and $500 billion a year.75 Some estimates suggest that the numbers are even higher, reaching into the trillion-dollar range. Thus, strategies to manipulate markets could focus principally on shaping the perception of the markets and then leveraging the market swings to profit or destroy value. It is in part for this reason that the Securities and Exchange Commission (SEC) put new regulations in place to prevent uncovered short selling such as that seen during the financial crisis of 2008.76
The coming financial battles may find their most serious theater and articulation in cyberspace, with the vulnerability of the financial sector and the international system of trading and commerce potentially at risk.
Preparing for the Coming Financial Wars
The United States faces direct challenges to its economic predominance and financial influence, and it is unprepared to defend itself from the looming external threats and internal vulnerabilities. Yet it should not imitate state authoritarian models in its structures and systems, nor should it seek to retreat from the world or globalization for fear of deepening dependencies. Instead, the United States must recognize this new global ecosystem and take full advantage of the opportunities that abound.
The United States can strengthen its security by reconceptualizing and defending its economic health and power. Though ensuring that America’s fiscal house is in order will be important—as Admiral Mike Mullen, former chairman of the Joint Chiefs of Staff, has stated, “the most significant threat to our national security is our debt”77—that is not all that needs to be done. And economic health means more than ensuring that American companies (especially in key manufacturing sectors) and workers can be competitive in the global marketplace—though that is also imperative. What is needed is a strategic framework that accounts for the emerging economic security environment of the twenty-first century. The United States needs to redesign how it thinks about, treats, and addresses national economic security to prepare for the coming financial wars.
Redefining National Economic Security
The first task is to define national economic security—tying economic vulnerabilities and opportunities together to account for new geopolitical realities. Past definitions describe the obvious reality that a country’s economic strength and influence form a fundamental part of the nation’s geopolitical standing and power. These definitions have also focused on more specific threats and risks the United States faces to its economy and the dollar from competitor states and nefarious networks.78 Yet in light of the growing overlap between classic national security vulnerabilities and economic and commercial interests and influence, past definitions are insufficient. A working definition might be as follows:
National economic security in the twenty-first century is the ability of the United States to project its power and influence through economic, financial, and commercial means and defend against systemic and specific risks and threats derived from America’s economic vulnerabilities.
This holistic articulation of national economic security requires a recognition that in an age of globalization, free flow of information, and digital dependencies, the economic and national security spheres overlap more than ever before. National economic security must encompass a wide spectrum of activities and policies, ranging from macrolevel factors, such as national debt and GDP, to specific threats with economic repercussions, such as terrorist attacks on Wall Street or against US ports. It entails obvious defense-related and economic risks, including cyber-defense and supply-chain vulnerabilities, but also includes systemic threats to the financial system, market manipulation, long-term cyber-espionage and cyber-attacks, and resource access and investment reach in critical markets.