Cyber War: The Next Threat to National Security and What to Do About It
Page 5
By the time George W. Bush was starting his second term, the importance of cyber war to the Pentagon became apparent, as the Air Force, Navy, and intelligence agencies engaged in a bitter struggle to see who would control this new area of warfare. Some advocated the creation of a Unified Command, bringing the units of all three services under one integrated structure. There were already Unified Commands for transportation, strategic nuclear war, and for each of the world’s regions. When it appeared in the early 1980s that there would be a large role for the military in outer space, the Pentagon created a Unified Command for what it then thought of as a new domain for war-fighting, a domain that the United States had to control. U.S. Space Command lasted from 1985 to 2002, by which time it had become clear that neither the U.S. nor any other government had the money to do much in space. Space Command was folded into Strategic Command (STRATCOM), which operates the strategic nuclear forces. STRATCOM, headquartered at a bomber base in Nebraska, was also given the centralized responsibility for cyber war in 2002. The Air Force, however, was set on running the actual war-fighting units. The creation of Air Force Cyber Command and the standing given to cyberspace in the Air Force recruitment ads jarred the other services and many in the Pentagon.
Some were concerned that the Air Force was talking too openly about something they believed should have been kept secret: the mere existence of cyber war capability. Yet there was the civilian Air Force Secretary (a vestigial post from the time before there was a strong civilian Defense Department) saying publicly, “Tell the nation the age of cyber war is here.” There were those damn ads, including one that said, ominously, that in the future a blackout “could be a cyber attack.” Another ad showed the Pentagon and claimed that it was “attacked” millions of times a day in cyberspace, but it was defended by the likes of an Air Force sergeant shown at his keyboard. There were persistent interviews and speeches by Air Force leaders who sounded very aggressive about their intentions. “Our mission is to control cyberspace, both for attacks and defense,” Lieutenant General Robert Elder had admitted. The Director of the Air Force Cyberspace Operations Task Force had been equally candid: “If you are defending in cyberspace, you’re already too late. If you do not dominate in cyberspace, you cannot dominate in other domains. If you are a developed country [and you are attacked in cyberspace], your life comes to a screeching halt.”
By 2008, those in the Pentagon not wearing blue uniforms had become persuaded about the importance of cyber war, but they were also convinced that it should not just be conducted by the Air Force. An integrated multiservice structure was agreed on in principle, but many were reluctant to “make the Space Command mistake again.” They did not want to create a Unified Command for what might prove to be a passing fad, as war fighting in space had been. The compromise was that a multiservice Cyber Command would be created, but it would remain subordinated to STRATCOM, at least on paper. The Air Force would have to stop calling its organization a command and would instead have to be satisfied with a “numbered air force,” their basic organizational unit, like Navy’s numbered fleets. The agreement in principle did not resolve all of the major issues standing in the way of a new command.
The intelligence community had a view. Under the post-9/11 reorganization, there was now a single person in charge of all eighteen U.S. intelligence agencies. In 2008, that man was Mike McConnell. He looked much the part of what he had recently been, a well-to-do businessman often seen in the halls of Wall Street financial institutions. He had come to the intelligence job from the global consulting giant Booz Allen Hamilton. Slightly hunched over and wearing thick glasses, the soft-spoken McConnell had not taken a traditional path to leadership at Booz. For most of his life, he had been in Navy intelligence, retiring as a three-star (or vice) admiral, the man in charge of the world’s premier electronic intelligence organization, the National Security Agency (NSA).
Hearing McConnell, or his successor, Air Force General Ken Minihan, talk about NSA even on an unclassified basis, you begin to understand why they believe re-creating some of its capabilities elsewhere is folly and perhaps impossible. They both speak with real reverence about the decades of experience and expertise NSA has in “doing the impossible” when it comes to electronic espionage. NSA’s involvement in the Internet grew out of its mission to listen to radio signals and telephone calls. The Internet was just another electronic medium. As Internet usage grew, so did intelligence agencies’ interest in it. Populated with Ph.D.s and electrical engineers, NSA quietly became the world’s leading center of cyberspace expertise. Although not authorized to alter data or engage in disruption and damage, NSA thoroughly infiltrated the Internet infrastructure outside of the U.S. to spy on foreign entities.
When McConnell left NSA in 1996 for Booz Allen Hamilton, he continued his focus on the Internet, working with leading U.S. companies on their cyber security plans for over a decade. Returning to the spook business in 2007, he tried, as the second-ever Director of National Intelligence, to assert authority over all of the U.S. intelligence agencies, including CIA. In doing so, his longstanding friendship with CIA Director Mike Hayden was damaged. Hayden had also once been Director of NSA, or as they say it in the intelligence community DIRNSA (pronounced “dern-sah”). Hayden remained an active-duty four-star Air Force General much of the time he ran CIA.
Because both Mikes (McConnell and Hayden) had the background of running NSA, they agreed on at least one thing: any new Cyber Command must not try to replicate the capabilities it had taken decades to develop at NSA. If anything were to be done, they and many of the other NSA alumni believed, NSA should just become the new Cyber Command. Their views mattered in the Pentagon, since they were, or had been, senior military officers, and they actually knew something about cyberspace. To counter the “NSA takeover” of Cyber Command, some in the military argued that NSA was really a civilian organization, an intelligence unit, and therefore could not legally fight wars. They talked about “Title 50 versus Title 10” authority, referring to the parts of the U.S. Code that give legal authority and limitations to various government departments and agencies. Such laws can, of course, be changed if they have outlived their utility. Nonetheless, the issue of who would run America’s cyber wars soon became a battle between military and civilian government lawyers.
In any other alignment of leaders, the outcome would likely have been decided in the military’s favor and some new organization would have been built from the ground up, replicating the hacking skills at which NSA was the past master. In 2006, however, the turf-grabbing Secretary of Defense, Donald Rumsfeld, had been replaced after devastating midterm election losses brought on in part by mismanagement of the Iraq War. Rumsfeld’s replacement was the president of Texas A&M University, Robert Gates. At the time of his nomination I had known Bob for the better part of three decades and expected that he would be an unusually good Secretary of Defense. He was not a Pentagon man, had not grown up there. Nor was he a national security novice from industry or academia, the type easily manipulated by experienced Pentagon hands. Bob had been a career CIA officer who worked his way up to CIA Director, stopping off in the White House National Security Council along the way. Gates saw the Cyber Command debate from an intelligence community perspective and, more important, from the unique perch one has at the White House. When you are working directly for whoever the President may be at the time, you suddenly realize that there is a national interest that surpasses the turf concerns of whatever bureaucracy you may have come from. Gates had that broader view, and he was a pragmatist.
What resulted was a compromise in which the Director of NSA would become a four-star general (up from three stars) and would also be the head of U.S. Cyber Command. The Pentagon calls having two jobs being “dual hatted.” For now, at least, Cyber Command would be a “sub-Unified Command” under STRATCOM. The assets of NSA would be available to support U.S. Cyber Command, thus obviating the need for reinventing many wheels. The Air Force, Navy, and Army would
continue to have cyber war units, but they would be run by U.S. Cyber Command. Technically, it would be those war-fighting military units that would actually engage in cyber combat and not the partially civilian intelligence agency that is NSA. While NSA has a lot of expertise in network penetration, under U.S. law (Title 10) the agency is restricted to collecting information and prohibited from war-fighting. Therefore it will have to be military personnel under Title 50 that enter the keystrokes to take down enemy systems. To assist Cyber Command in its defensive role of protecting Defense Department networks, the Pentagon would also co-locate its own Internet service provider at Fort Meade, Maryland, alongside NSA. The Pentagon’s ISP is unlike any other, since it runs two of the largest networks in the world. Called the Defense Information Systems Agency (DISA), it is run by a three-star general. Thus, ninety-two years after it opened as an Army base, home to hundreds of horses, Fort Meade became the heart of America’s defensive and offensive cyber war forces. Defense contractors are building offices nearby in the hopes of sharing in some of the billions of dollars that will be flowing to Fort Meade. Maryland-area universities are already recipients of large research grants from the nearby military campus, referred to throughout Washington simply as “The Fort.”
As a result of the decision to create U.S. Cyber Command, what had been Air Force Cyber Command became the 24th Air Force, with headquarters at Lackland Air Force Base in Texas. This numbered air force won’t have any aircraft. The mission of the 24th will be to provide “combat-ready forces trained and equipped to conduct sustained cyber operations, fully integrated within air and space operations.” The 24th Air Force will have control of two existing “wings,” the 688th Information Operations Wing, formerly the Air Force Information Operations Center, and the 67th Network Warfare Wing, as well as control of a new wing, the 689th Combat Communications Wing. The 688th IOW, as the Information Operations Wing is known, will act as the Air Force’s “center of excellence” in cyber operations. The 688th will be a forward-looking element with the mission of finding new ways to create an advantage for the U.S. Air Force using cyber weapons. The 67th Wing will have the day-to-day responsibility for defending Air Force networks and for attacking enemy networks. All totaled, the 24th Air Force will comprise some 6,000 to 8,000 military and civilian cyber warriors.
In case the U.S. Air Force is ever given the order to do as one of its ads suggests (“A power blackout is just a blackout. But in the future, it could be a cyber attack.”), the mission will likely fall to the Fighting 67th. Their motto, from pre-cyber days as an aerial reconnaissance outfit, is Lux Ex Tenebris (Light from Darkness). Perhaps they will soon modify it to Tenebra Ex Luce. Despite the demotion of their command, the Air Force lost little of their zeal for cyber war. In the summer of 2009, the head of the U.S. Air Force, General Norton Schwartz, wrote to his officers that “cyberspace is vital to today’s fight and to the future U.S. military advantage [and] it is the intent of the United States Air Force to provide a full spectrum of cyberspace capabilities. Cyberspace is a contested domain, and the fight is on—today.”
Not to be outdone, the U.S. Navy also reorganized. The Chief of Naval Operations, Admiral Gary Roughead (really), gave himself a new Deputy for Information Dominance. It’s not just Roughead and his sailors who are into dominance; the U.S. military in general repeatedly characterizes cyberspace as something to be dominated. It is reminiscent of the Pentagon’s way of speaking of nuclear war in the 1960s. The historian of nuclear strategy Lawrence Freedman noted that William Kaufmann, Henry Kissinger, and other strategists realized that there was a need then “to calm the spirit of offense, potent in Air Force circles…[whose] rhetoric encouraged a view of war that was out-moded and dangerous.” That same sort of macho rhetoric is strong in Air Force cyber war circles today, and apparently in the Navy as well.
Admiral Roughead created not just a Dominance office on the Navy Staff, but a new “war-fighting” command. The 5th Fleet sails the Arab Gulf, the 6th Fleet the Mediterranean, and the 7th the China Sea. To fight cyber war, the U.S. Navy has reactivated its 10th Fleet. Originally, a small organization during World War II that coordinated antisubmarine warfare in the Atlantic, the 10th Fleet was disbanded shortly after victory over Germany in 1945. Then as now, the 10th Fleet was a “paper” or “phantom” fleet that had no ships. It was a land-based organization that filled a necessary coordinating role. Modest in scope and scale, the 10th Fleet in World War II served its limited purpose well with no more than fifty intelligence officers. This time, the Navy has much more ambitious plans for the 10th Fleet. The existing Naval Network Warfare Command, known as NETWARCOM, will continue its operational responsibilities subordinated to the 10th Fleet. Although the Navy has not done the sort of public self-promotion of its cyber warriors that the Air Force has, they insist that they have as much tech savvy as “the fly boys.” Perhaps to prove that point, one Naval officer told me, “You know, the 10th Fleet took a pretty bad licking from the Cardassians in 2374,” thus proving that the current U.S. Navy at least has Trekkies, if perhaps not as many geeks as the Air Force.
For its part, the Army’s cyber warriors are mostly contained in the Network Enterprise Technology Command, the 9th Signal Command at Fort Huachuca, Arizona. Members of this unit are assigned to the signal commands in each geographic region of the world. Network warfare units, what the Army calls NetWar units, under the Army’s Intelligence and Security Command, are also forward-deployed to support combat operations alongside traditional intelligence units. They work closely with NSA to deliver intelligence to war fighters on the ground in Iraq and Afghanistan. The Army Global Network Operations and Security Center, known by the awkward acronym A-GNOSC, manages LandWarNet, which is what the Army calls its portion of the Department of Defense’s networks. In July 2008, the Army stood up its first NetWar Battalion. If the Army sounds like the least organized of the services to fight cyber war, that is because it is. After the decision to create Cyber Command was made, the Secretary of Defense mandated the creation of an Army task force to review the Army’s cyber mission and organization to support that mission.
While most people who followed the fight over cyber war in the Pentagon thought NSA won it, former NSA Director Ken Minihan was not satisfied, and that gave me pause. Ken is a friend whom I have known since, as an Air Force three-star general, he took over NSA in 1996. He believes that NSA and the U.S. military’s approach to cyber operations needs to be rethought. The Navy, he thinks, is focused only on other navies. The Air Force is focused on air defense. The Army is hopelessly lost, and the NSA remains at heart an intelligence collection agency. “Not one of these entities is sufficiently focused on foreign counterintelligence in cyberspace, or on gaining hold of foreign critical infrastructure that the U.S. may want to take down without dropping a bomb in the next conflict.” He believes that cyber war planning today lacks a “requirements process,” a national-level planning system to get NSA and other organizations working on the same page. “Right now, they are all focused on doing what they want to do, not what a President may need them to be able to do.”
Minihan and McConnell are both concerned that U.S. Cyber Command cannot defend the United States. “All the offensive cyber capability the U.S. can muster won’t matter if no one is defending the nation from cyber attack,” said McConnell. Cyber Command’s mission is to defend DoD and maybe some other government agencies, but there are no plans or capabilities for it to defend the civilian infrastructure. Both former NSA Directors believe that mission should be handled by the Department of Homeland Security, as in the existing plans; but both men contend that Homeland has no current ability to defend the corporate cyberspace that makes most of the country work. Neither does the Pentagon. As Minihan put it, “Though it is called the ‘Defense’ Department, if called on to defend the U.S. homeland from a cyber attack carried out by a foreign power, your half-trillion-dollar-a-year Defense Department would be useless.”
THE SECRET ATTEMPT AT A STRATE
GY
The perception that cyberspace is a “domain” where fighting takes place, a domain that the U.S. must “dominate,” pervades American military thinking on the subject of cyber war. The secret-level National Military Strategy for Cyber Operations (partially declassified as a result of a Freedom of Information Act request) reveals the military’s attitude toward cyber war, in part because it was written as a document that we, the citizens, were never supposed to see. It is how they talk about it behind the closed doors of the Pentagon. What is striking in the document is not only the acknowledgment that cyber war is real, but the almost reverential way in which it is discussed as the keystone holding up the edifice of modern war-fighting capability. Because there are so few opportunities to hear from the U.S. military on cyber war strategy, it is worth reading closely the secret-level attempt at a cyber war strategy.
The document, signed out under a cover letter from the Secretary of Defense, declares that the goal is “to ensure the US military [has] strategic superiority in cyberspace.” Such superiority is needed to guarantee “freedom of action” for the American military and to “deny the same to our adversaries.” To obtain superiority, the U.S. must attack, the strategy declares. “Offensive capabilities in cyberspace [are needed] to gain and maintain the initiative.” At first read, the strategy sounds like a mission statement with a bit of zealotry thrown in. On closer examination, however, the strategy reflects an understanding of some of the key problems created by cyber war. Speaking to the geography of cyberspace, the strategy implicitly acknowledges the sovereignty issue (“the lack of geopolitical boundaries…allows cyberspace operations to occur nearly anywhere”) as well as the presence of civilian targets (“cyberspace reaches across geopolitical boundaries…and is tightly integrated into the operations of critical infrastructure and the conduct of commerce”). It does not, however, suggest that such civilian targets should be off-limits from U.S. attacks. When it comes to defending U.S. civilian targets, the strategy passes the buck to the Department of Homeland Security.