August 8, 2022

There’s a reason we believed in the fallacy that a crime could protect us: the crime was a bloody masterpiece.

Starting in 2007, the United States and Israel launched an attack on Iran’s Natanz nuclear power plant, which destroyed around a fifth of Iranian centrifuges. Known as Stuxnet, this attack spread through seven holes in Microsoft and Siemens industrial software known as “zero days”. (Only one had been previously announced, but it was never patched.) In the short term, Stuxnet was a complete success. It set back Iran’s nuclear ambitions by years and stopped the Israelis from bombing Natanz and starting World War III. In the long term, it showed allies and opponents what they lacked and changed the digital world order.

In the next ten years an arms race was born.

NSA analysts left the agency to set up cyber weapons factories in Virginia like Vulnerability Research Labs, which sold click-and-shoot tools to American agencies and our closest English-speaking allies in the Five Eyes. A contractor, Immunity Inc., founded by a former NSA analyst, started down a more slippery slope. First, staff say, Immunity trained advisors like Booz Allen, then defense company Raytheon, then the Dutch and Norwegian governments. But soon the Turkish army came knocking.

Companies like CyberPoint took it a step further, stationing themselves overseas and sharing the tools and tradecraft that the UAE would eventually turn on its own people. In Europe, Pentagon spyware suppliers like Hacking Team began selling the same tools to Russia and then Sudan, which used them ruthlessly.

As the market expanded beyond the NSA’s direct control, the agency continued to focus on crime. The NSA knew that the same vulnerabilities it found and exploited elsewhere would one day strike back at Americans. The answer to this dilemma was to reduce the American state of emergency to an acronym – NOBUS – which stands for “Nobody But Us”. When the agency found a vulnerability that it believed only it could exploit, it hoarded it.

That strategy was part of what General Paul Nakasone, the current NSA director, and George Washington and Chinese strategist Sun Tzu before him, refer to as “active defense.”

In modern warfare, “active defense” means hacking enemy networks. It is mutually assured destruction for the digital age: we hacked into the Russian troll networks and their grids as a sign of violence; Iran’s nuclear facilities, to take out its centrifuges; and Huawei’s source code, to penetrate its customers in Iran, Syria and North Korea for espionage and to set up an early warning system for the NSA to theoretically fend off attacks before they hit.