Yesterday (June 13, 2013) we heard some echoes of the congressional testimony of General Alexander, U.S. Army, director of the NSA and head of the Pentagon's Cyber Command. This man is thus at once the head of the central organ of Stasi-of-States and the head of the electronic and computer forces of cyberwar. There was an article of considerable importance by James Bamford, on Wired.com, on June 12, 2013, which covers all these subjects but dwells particularly on the personality of General Alexander on the one hand, and on the arcana and prospects of cyberwar on the other. (James Bamford is without doubt, since the publication in 1982 of The Puzzle Palace, the best independent specialist on the NSA. He is more of a technician, a highly qualified reporter, who passes hardly any moral or political judgment on the NSA and the context that has always accompanied that organization.)
• Bamford reveals an Alexander who is a perfect “technological warrior and bureaucrat”, made to stay seated in his armchair at a distance, to keep electronic archives, to push ever further the budgetary and bureaucratic advantages and the autonomy of the NSA, and obviously totally immersed in the world of computing. (See his nickname Alexander the Geek, the word geek meaning notably “computer nut”.) Alexander is presented as a sort of J. Edgar Hoover of the computer age, but the comparison is very approximate. For one thing, he does not have the longevity of Hoover, who reigned over the FBI from 1924 until his death in the early 1970s, whereas Alexander retires next year. By contrast, Alexander, while having at his disposal the theoretically implacable tools of domestic surveillance, has an external power (cyberwar) that Hoover did not possess. For another, his personality seems much less political, which makes him precisely much more an executor of the System in the service of a considerable power, easily replaceable by a clone from among the available generals, whereas Hoover wielded a personal and personalized power over time. Alexander is perhaps politically less powerful than Hoover, but he perfectly ensures the securing of the ways and means of development of the absolutely unleashed power of the System, with the use of the surveillance and aggression technologies of computing. He is completely a creature of the System, in the service of the System, and virtually interchangeable, and this situation differentiates him from Hoover.
«Inside Fort Meade, Maryland, a top-secret city bustles. Tens of thousands of people move through more than 50 buildings—the city has its own post office, fire department, and police force. But as if designed by Kafka, it sits among a forest of trees, surrounded by electrified fences and heavily armed guards, protected by antitank barriers, monitored by sensitive motion detectors, and watched by rotating cameras. To block any telltale electromagnetic signals from escaping, the inner walls of the buildings are wrapped in protective copper shielding and the one-way windows are embedded with a fine copper mesh.
»This is the undisputed domain of General Keith Alexander, a man few even in Washington would likely recognize. Never before has anyone in America’s intelligence sphere come close to his degree of power, the number of people under his command, the expanse of his rule, the length of his reign, or the depth of his secrecy. A four-star Army general, his authority extends across three domains: He is director of the world’s largest intelligence service, the National Security Agency; chief of the Central Security Service; and commander of the US Cyber Command. As such, he has his own secret military, presiding over the Navy’s 10th Fleet, the 24th Air Force, and the Second Army.
»Alexander runs the nation’s cyberwar efforts, an empire he has built over the past eight years by insisting that the US’s inherent vulnerability to digital attacks requires him to amass more and more authority over the data zipping around the globe. In his telling, the threat is so mind-bogglingly huge that the nation has little option but to eventually put the entire civilian Internet under his protection, requiring tweets and emails to pass through his filters, and putting the kill switch under the government’s forefinger. “What we see is an increasing level of activity on the networks,” he said at a recent security conference in Canada. “I am concerned that this is going to break a threshold where the private sector can no longer handle it and the government is going to have to step in.”
»In its tightly controlled public relations, the NSA has focused attention on the threat of cyberattack against the US—the vulnerability of critical infrastructure like power plants and water systems, the susceptibility of the military’s command and control structure, the dependence of the economy on the Internet’s smooth functioning. Defense against these threats was the paramount mission trumpeted by NSA brass at congressional hearings and hashed over at security conferences.
»But there is a flip side to this equation that is rarely mentioned: The military has for years been developing offensive capabilities, giving it the power not just to defend the US but to assail its foes. Using so-called cyber-kinetic attacks, Alexander and his forces now have the capability to physically destroy an adversary’s equipment and infrastructure, and potentially even to kill. Alexander—who declined to be interviewed for this article—has concluded that such cyberweapons are as crucial to 21st-century warfare as nuclear arms were in the 20th. [...]
»Inside the government, the general is regarded with a mixture of respect and fear, not unlike J. Edgar Hoover, another security figure whose tenure spanned multiple presidencies. “We jokingly referred to him as Emperor Alexander—with good cause, because whatever Keith wants, Keith gets,” says one former senior CIA official who agreed to speak on condition of anonymity. “We would sit back literally in awe of what he was able to get from Congress, from the White House, and at the expense of everybody else.”
»Now 61, Alexander has said he plans to retire in 2014; when he does step down he will leave behind an enduring legacy—a position of far-reaching authority and potentially Strangelovian powers at a time when the distinction between cyberwarfare and conventional warfare is beginning to blur. A recent Pentagon report made that point in dramatic terms. It recommended possible deterrents to a cyberattack on the US. Among the options: launching nuclear weapons.
»He may be a four-star Army general, but Alexander more closely resembles a head librarian than George Patton. His face is anemic, his lips a neutral horizontal line. Bald halfway back, he has hair the color of strong tea that turns gray on the sides, where it is cut close to the skin, more schoolboy than boot camp. For a time he wore large rimless glasses that seemed to swallow his eyes. Some combat types had a derisive nickname for him: Alexander the Geek.»
• Concentrating therefore on the cyberwar aspect of the NSA/Alexander pairing, Bamford describes the evolution and expansion of the NSA's operations, notably at the offensive level with the affair of the Stuxnet virus against Iran. He describes how this type of operation leads to retaliation, and even feeds it by that very fact («If Stuxnet was the proof of concept, it also proved that one successful cyberattack begets another»). All this triggers an “escalation” and an “arms race”, and, in this case as in many others, with the USA bearing the responsibility for it, of course... Likewise, this leads the NSA (Alexander) to constantly request and obtain additional means, with the process accelerating.
«...Sure enough, in August 2012 a devastating virus was unleashed on Saudi Aramco, the giant Saudi state-owned energy company. The malware infected 30,000 computers, erasing three-quarters of the company’s stored data, destroying everything from documents to email to spreadsheets and leaving in their place an image of a burning American flag, according to The New York Times. Just days later, another large cyberattack hit RasGas, the giant Qatari natural gas company. Then a series of denial-of-service attacks took America’s largest financial institutions offline. Experts blamed all of this activity on Iran, which had created its own cyber command in the wake of the US-led attacks. James Clapper, US director of national intelligence, for the first time declared cyberthreats the greatest danger facing the nation, bumping terrorism down to second place. In May, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team issued a vague warning that US energy and infrastructure companies should be on the alert for cyberattacks. It was widely reported that this warning came in response to Iranian cyberprobes of industrial control systems. An Iranian diplomat denied any involvement.
»The cat-and-mouse game could escalate. “It’s a trajectory,” says James Lewis, a cybersecurity expert at the Center for Strategic and International Studies. “The general consensus is that a cyber response alone is pretty worthless. And nobody wants a real war.” Under international law, Iran may have the right to self-defense when hit with destructive cyberattacks. William Lynn, deputy secretary of defense, laid claim to the prerogative of self-defense when he outlined the Pentagon’s cyber operations strategy. “The United States reserves the right,” he said, “under the laws of armed conflict, to respond to serious cyberattacks with a proportional and justified military response at the time and place of our choosing.” Leon Panetta, the former CIA chief who had helped launch the Stuxnet offensive, would later point to Iran’s retaliation as a troubling harbinger. “The collective result of these kinds of attacks could be a cyber Pearl Harbor,” he warned in October 2012, toward the end of his tenure as defense secretary, “an attack that would cause physical destruction and the loss of life.” If Stuxnet was the proof of concept, it also proved that one successful cyberattack begets another. For Alexander, this offered the perfect justification for expanding his empire...»
• In the course of his article, Bamford presents what he regards as the decisive advance in penetration of the Internet, known under the conceptual term “zero-day exploits” and developed by the infinitely mysterious firm named Endgame Systems. This concerns what seems to be presented as a key, or a process of universal access to the Internet, with all the possibilities of intervention that this implies.
«One of the most secretive of these contractors is Endgame Systems, a startup backed by VCs including Kleiner Perkins Caufield & Byers, Bessemer Venture Partners, and Paladin Capital Group. Established in Atlanta in 2008, Endgame is transparently antitransparent. “We’ve been very careful not to have a public face on our company,” former vice president John M. Farrell wrote to a business associate in an email that appeared in a WikiLeaks dump. “We don’t ever want to see our name in a press release,” added founder Christopher Rouland. True to form, the company declined wired’s interview requests.
»Perhaps for good reason: According to news reports, Endgame is developing ways to break into Internet-connected devices through chinks in their antivirus armor. Like safecrackers listening to the click of tumblers through a stethoscope, the “vulnerability researchers” use an extensive array of digital tools to search for hidden weaknesses in commonly used programs and systems, such as Windows and Internet Explorer. And since no one else has ever discovered these unseen cracks, the manufacturers have never developed patches for them.
»Thus, in the parlance of the trade, these vulnerabilities are known as “zero-day exploits,” because it has been zero days since they have been uncovered and fixed. They are the Achilles’ heel of the security business, says a former senior intelligence official involved with cyberwarfare. Those seeking to break into networks and computers are willing to pay millions of dollars to obtain them...»
• In his conclusion, Bamford presents the current situation, where nothing is assured, where Endgame's super-weapon can just as well be acquired commercially by non-US clients, including states. Bamford specifies that there is a strong chance that this would be regarded, by the US authorities, as “an act of war”... Thus we live, in this domain that is the external counterpart of the Stasi-of-America structure, in a situation of growing tension and constant threat of destabilization. The advance of the Stasi-of-America, supposedly to protect the USA from this, in fact leads to reinforcing this tension and the threats of destabilization. The post-9/11 world, which is constantly being put in place and under development at the same time, constitutes a Kafkaesque nightmare, under the mechanical eye of General Alexander.
«Bonesaw also contains targeting data on US allies, and it is soon to be upgraded with a new version codenamed Velocity, according to C4ISR Journal. It will allow Endgame’s clients to observe in real time as hardware and software connected to the Internet around the world is added, removed, or changed. But such access doesn’t come cheap. One leaked report indicated that annual subscriptions could run as high as $2.5 million for 25 zero-day exploits.
»The buying and using of such a subscription by nation-states could be seen as an act of war. “If you are engaged in reconnaissance on an adversary’s systems, you are laying the electronic battlefield and preparing to use it,” wrote Mike Jacobs, a former NSA director for information assurance, in a McAfee report on cyberwarfare. “In my opinion, these activities constitute acts of war, or at least a prelude to future acts of war.” The question is, who else is on the secretive company’s client list? Because there is as of yet no oversight or regulation of the cyberweapons trade, companies in the cyber-industrial complex are free to sell to whomever they wish. “It should be illegal,” says the former senior intelligence official involved in cyberwarfare. “I knew about Endgame when I was in intelligence. The intelligence community didn’t like it, but they’re the largest consumer of that business.”
»Thus, in their willingness to pay top dollar for more and better zero-day exploits, the spy agencies are helping drive a lucrative, dangerous, and unregulated cyber arms race, one that has developed its own gray and black markets. The companies trading in this arena can sell their wares to the highest bidder—be they frontmen for criminal hacking groups or terrorist organizations or countries that bankroll terrorists, such as Iran. Ironically, having helped create the market in zero-day exploits and then having launched the world into the era of cyberwar, Alexander now says the possibility of zero-day exploits falling into the wrong hands is his “greatest worry.”
»He has reason to be concerned. In May, Alexander discovered that four months earlier someone, or some group or nation, had secretly hacked into a restricted US government database known as the National Inventory of Dams. Maintained by the Army Corps of Engineers, it lists the vulnerabilities for the nation’s dams, including an estimate of the number of people who might be killed should one of them fail. Meanwhile, the 2013 “Report Card for America’s Infrastructure” gave the US a D on its maintenance of dams. There are 13,991 dams in the US that are classified as high-hazard, the report said. A high-hazard dam is defined as one whose failure would cause loss of life. “That’s our concern about what’s coming in cyberspace—a destructive element. It is a question of time,” Alexander said in a talk to a group involved in information operations and cyberwarfare, noting that estimates put the time frame of an attack within two to five years. He made his comments in September 2011.»