The Office of Personnel Management repels 10 million attempted digital intrusions per month—mostly the kinds of port scans and phishing attacks that plague every large-scale Internet presence—so it wasn’t too abnormal to discover that something had gotten lucky and slipped through the agency’s defenses. In March 2014, for example, OPM had detected a breach in which blueprints for its network’s architecture were siphoned away. But in this case, the engineers noticed two unusually frightening details. First, opmsecurity.org had been registered on April 25, 2014, which meant the malware had probably been on OPM’s network for almost a year. Even worse, the domain’s owner was listed as “Steve Rogers”—the scrawny patriot who, according to Marvel Comics lore, used a vial of Super-Soldier Serum to transform himself into Captain America, a member of the Avengers. ... Registering sites in Avengers-themed names is a trademark of a shadowy hacker group believed to have orchestrated some of the most devastating attacks in recent memory. Among them was the infiltration of health insurer Anthem, which resulted in the theft of personal data belonging to nearly 80 million Americans. And though diplomatic sensitivities make US officials reluctant to point fingers, a wealth of evidence ranging from IP addresses to telltale email accounts indicates that these hackers are tied to China, whose military allegedly has a 100,000-strong cyberespionage division. ... To figure out why the hackers had trained their sights on OPM, investigators would have to determine what, if anything, had been stolen from the agency’s network over the preceding year. But first they had to hunt down and eliminate the malware on its network, an archaic monstrosity that consisted of as many as 15,000 individual machines.
As he fielded guilty pleas throughout 2015, Davis thought about how he might offer leniency to the conspiracy’s least culpable members. He could do so only if he knew for sure that the men would never again be tempted by jihadism. To that end, Davis began to research whether there are effective therapies for reforming extremists. He hoped to find a credible way to transform Yusuf and his friends back into the ordinary young men they’d once been. This could spare the youths years behind bars—an act of compassion that would undermine the Islamic State narrative that the West despises its Muslim citizens. ... Davis discovered that numerous nations, from Denmark to Indonesia, have developed methods for nudging young men and women back from the extremist brink—a process known as deradicalization. The judge became intent on starting the first laboratory for deradicalization in the US; he just needed to find an expert he could trust, someone with a proven track record of liberating young minds from violent extremism. ... Koehler’s key finding has been that all extremists, regardless of ideology, develop a sort of tunnel vision as they go through the indoctrination process. ... Koehler sees little point in starting moral or theological arguments with these young people, who are more interested in becoming warriors than debating the finer points of scripture. Instead, he advocates repluralization: the careful reintroduction of problems and solutions into a radicalized person’s life, so that they can no longer devote all their mental energy to stewing over their paranoia. ... Koehler believes that each client needs at least four mentors plus an “intervention coordinator” and that full deradicalization can be achieved only after a matter of years, not months.