David Gewirtz | BIO
Editor-in-Chief, ZATZ Publishing
AC360° Exclusive Investigation
I had just gotten off the phone with General Wesley Clark. We were talking about the discovery of plans for President Obama’s Marine One helicopter found on a computer network in Iran.
That discovery, we agreed, is alarming evidence that we face a new national security cyber threat - from what has seemed like a simple network for sharing movies and music. And then I also realized it's a threat to you and me as personal computer users.
Remember Napster and the fuss with everyone illegally downloading music? That’s the kind of computer network we're talking about, just a common "peer-to-peer" or P2P network. And this one took the President's copter plans into Iran.
Marine One's plans go to Iran
A Pittsburgh TV station broke the story: A local company called Tiversa, which scans P2P networks for corporate clients, found the chopper plans.
As you might imagine, when plans for the U.S. President's helicopter are found on an Iranian computer, it's catnip for reporters and bloggers.
The press was also having a field day with implications about the President's security. Headlines like "Obama data leaked on net," "Iran leeches Obama's helo plans," and "Obama's copter plans turn up on the Web" were representative of the reporting.
As a cyberterrorism analyst investigating White House tech security, I wanted to get to the bottom of this story: Was the President's security lax or compromised? Was this a real discovery or merely a smart PR ploy by a company wanting press? And just how much of a risk to national security are these computer networks.
What did they actually find?
I needed to know what exactly Tiversa had found. So I met with Tiversa's operations director, Keith Tagliaferri. He told me the file they found was for Marine One’s cockpit electronics update, but otherwise the answers I got were annoyingly vague.
They originally found the plans sometime last summer. They found the plans on some unspecified computer network. The plans have some date on them, but other than being sometime in the last few years, Tiversa won't disclose anything. The plans are for some model of a Marine One helicopter. And the plans originated from some American defense contractor, again unspecified.
The vagueness wasn't helping me feel confident about Tiversa's claims. Tagliaferri said the company trolls private computers all over the world, downloading more than 100,000 private computer files a day, looking for goodies. If Tiversa finds a file that shouldn't be out there, they contact the organization that originated the file and let them know sensitive information was found (and, presumably, offer security services).
President Reagan famously said, "Trust, but verify." With Marine One as the "MacGuffin."
– and President Obama as the fall guy, Tiversa had a juicy headline for the press, but could they be trusted? It was time for some verification.
General Wesley Clark
And that brings us back to General Clark. When I told Tagliaferri his story only raised suspicions, he referred me to Clark, who turns out to be an advisor to Tiversa.
As unimpeachable sources go, U.S. four-star General Wesley Kanne Clark Sr. - honorary Knight Commander of The Most Excellent Order of the British Empire, former NATO Supreme Allied Commander Europe, and recipient of the U.S. Presidential Medal of Freedom - is pretty up there. He was also a Presidential candidate in 2003, but we won't hold that against him.
I had never met General Clark. And when I reached him on a cell phone, I caught him during the half-hour he had to grab lunch (cod and a glass of water) before going into a conference.
Let me first say there's almost nothing more surreal for a computer scientist than having NATO's former Supreme Allied Commander explain P2P networking to you. To his credit, Clark understands this stuff and explains it well, even if that meant his lunch got cold.
And understand it, he should. In the 1990s, he worked on the Department of Defense's Joint Vision 2010, which explores military threats that the United States might face in the year 2010. Joint Vision 2010 includes "full-spectrum dominance," where the military gains control of all the battle spaces, including the "information space," what we think of as cyberspace.
The P2P difference
"Peer-to-peer net is different," Clark told me. "It hasn't received the kind of in-depth studies and work that conventional Internet has received by the government. It's an extraordinarily powerful communications device."
Here's what happens. Someone working for the DoD, or in the field in the military, or for a defense contractor might start working on a project or a paper on a personal computer or a laptop. At that point, the work isn't classified. According to Clark, "Now, that doesn't mean it doesn't contain ideas or information that shouldn't get out - it just means the document hasn't been brought formally into the secrets-keeping government 'classification' system."
A lot of people take their work home or begin projects at home and bring them to work. While they're working at home, they often do their work on a regular computer, which might also be running a peer-to-peer program on it, usually to download music or movies.
But that P2P program also shares what's on the computer with anyone else using the network, opening up a portion of the hard drive for others to see (and, thereby, download files). If you don't configure your P2P program right, or you download one that is purposely misconfigured, anything on your hard drive could be made available to the entire Internet, where it can then get propagated like a nasty flu.
The secret story of the stolen plans
And that's where Tiversa comes in. They're hired by companies to find out if confidential data has been leaked to the Internet. Using keywords, folder names, file names, and so forth, Tiversa scans the Internet, sucking down files (Word docs, PDFs, spreadsheets, e-mail messages, databases) that meet the criteria. When they find a hit on the information they're looking for, they grab everything else that's available for grabbing, usually to analyze later as an aid to plugging their clients' security holes.
This is what happened last summer. According to Tagliaferri, Tiversa was scanning the net looking for a client's data. They found a match here in the U.S. and sucked down all the data they could. Since they weren't looking for plans for Marine One, the data sat in their computers for a few weeks before any of their analysts discovered it.
The document, as it turns out, was on a home computer belonging to an employee at a defense contractor. They "reached out" to that company in order to, as Tagliaferri described it, "let them know we found their sensitive information and return it to them without any fees involved."
In the Marine One breach, the contractor notified the Navy and the White House Military Office, and then they contacted Tiversa. The company says it provided all information, at no cost to the contractor, Navy, or White House.
They then had no further communication with any of the parties involved - until it resurfaced on February 25 at an IP address in Tehran, Iran.
This, though, answers one of my original questions: was the President's security lax or compromised? Clearly the answer was no. The document was discovered online before he won the election.
Even so, was the President at risk because the document was leaked online?
That's what I asked General Clark. He said, "Any President is always is at risk. That's why we have the Secret Service." He didn't know if this particular document caused a security problem, but he did say, "The cumulative leakage of documents onto the Internet does increase the risk for the Executive Branch."
This I know. There are a couple of chapters about this problem in my recent book.
I also was curious if Clark thought the document would affect the President's security if the administration went forward with its planned $11B purchase of 28 new helicopters to replace the aging Marine One fleet. He told me this document was, "Not for the new helicopters."
Just how much of a risk to national security is P2P?
The P2P programs that live on many home computers are viral: They're designed to spread files to as wide a number of PCs as possible to reduce the download burden from any one computer, in effect sharing the work and reducing the bandwidth needed for any one file.
P2P programs are constantly uploading what's on your computer to the Internet worldwide. The uploaded files are then shared among all the other users on the network, making it extremely difficult to stamp out all the copies of those files and prevent them from being shared. It's like a digital version of Whack-A-Mole.
In the case of the Marine One plans, an employee was probably downloading music or movies onto his computer while also working on the government documents. He probably set his shared directory incorrectly and his documents were sucked up into net, along with his shared music.
There's another, scarier version of this. As General Clark told me, "A lot of people would have paid a lot of money during the Cold War for stuff like this." Spying is a lot easier. If all you have to do is open your computer to a P2P network, the old days of dead drops and spycraft have been changed forever.
Whether that employee was leaking secret documents to foreign governments or trying to snag a free copy of Britney Spear's latest single, you and I will never know. But what eventually happened was that even though the documents were no longer being shared by this employee, they had already been sent to other peers (or their computers, anyway) around the world.
And, on February 25, one such PC belonged to an identity thief operating a personal computer in Iran. Most identity thieves will download stolen data, but not make it available for the world to see. Instead, they sell it.
Tagliaferri said the Iranian PC user not only had Marine One plans and documents that matched Tiversa's scan criteria, he also was an "information concentrator," sharing user names, passwords, credit cards, and so forth. And the company is pretty sure this person is not a teenager because he did not have a single MP3 or video.
Instead, it's likely he fell victim to a P2P feature called "viral redistribution." Developers of file sharing programs like to force anyone who downloads a file (that could be you) to then share the file. By intent, this causes popular files to spread on the network like a pandemic.
These computer networks can hurt you, too
And here's an important security note about P2P's that Tagliaferri shared with me: "It is also important to note that the file is shared regardless of the folder location after its been downloaded."
"Most file sharing users, including the criminals, do not recognize that this feature is actively highlighting them as criminals. This feature is the reason that federal and state law enforcement officials are able to catch child pornographers on file sharing networks, where mere possession is a felony," he said.
And that helps showcase that the P2P risk isn't just about military contractors and national security. These programs can upload whatever they find on your computer and share them with everyone. They can upload your banking information, your medical history, everything you've got in My Documents, your passwords, your credit card numbers, and even that embarrassing love letter to the hottie working Thursday nights at the local Taco Bell.
Oh, and what about Tiversa? After raising serious suspicions, they turn out to be one of the good guys in this on-going and global high-tech security battle. Yes, they're mucking around in computers that don't belong to them. Even though that information is technically public since its being shared by a P2P program, the computer owners might not be aware of that fact - and downloading PC owners' files could, potentially, open a legal can of worms for Tiversa.
Also, they're not digging around looking for music or movies so they can sue kids and grandmothers. Instead, they're doing their best to protect the content of their clients from being spread across the open file sharing networks. And they didn't issue a news release about this. The company did a briefing of a technical capability to an industry analyst intended for private subscribers. That report got out, and Tiversa's been answering questions ever since.
And to be fair, Tagliaferri also couldn't talk about specifics because the company is engaged in a federal investigation of the breach and they're extremely limited as to what he could and could not report publicly at this point. They are, however, seriously concerned about just how dangerous these computer networks can be, since they see the shocking results daily.
As I recently wrote in Counterterrorism Magazine, "Like most issues of cyber-security, the problem is that the underlying technology is too wildly complex for most consumers to grasp with any depth, availability of the technology is too wide, too cheap, and too embedded in the fabric of society to be successfully controlled by any governing body, and security threats seem too far-fetched to be worth the extra effort and care understanding would require."
And that ultimately is risk of P2P.
When the plans to Marine One surface in Iran, we begin to pay attention. But government is still not handling the problem as well as it could. General Clark told me, "Government looks at each incident as a separate incident. They're not planning a systemic response."
President Bush once said Iran would be dangerous if they had nuclear weapons. The Iranian government may or may not have nukes. But given how common P2P usage is, it's a fair bet that some Iranian teenager has blueprints to one or more of our most dangerous weapons.
You can't turn off the Internet or take everyone's laptop away. On one side you have the entire might of the United States government. On the other, you have teenagers and the Internet. And after investigating this story, I'm not sure which I'd want to place my bet on.
Editor’s note: David Gewirtz is Editor-in-Chief, ZATZ Magazines, including OutlookPower Magazine. He is a leading Presidential scholar specializing in White House email. He is a member of FBI InfraGard, the Cyberterrorism Advisor for the International Association for Counterterrorism & Security Professionals, a columnist for The Journal of Counterterrorism and Homeland Security, and has been a guest commentator for the Nieman Watchdog of the Nieman Foundation for Journalism at Harvard University. He is a faculty member at the University of California, Berkeley extension, a recipient of the Sigma Xi Research Award in Engineering and was a candidate for the 2008 Pulitzer Prize in Letters.