But now, in 1996, I was thrust into dealing with and understanding the cyber domain when I took command of the Air Intelligence Agency (AIA) in San Antonio, Texas.
Immediately prior to that, I had been chief of intelligence (J-2) for all US forces in Europe (EUCOM), and at that time we were deeply involved in supporting UN peacekeeping units in the third Balkan war of the twentieth century. I had been an attaché to a Balkan country and spoke a Balkan language (Bulgarian), so I had some understanding of the historic depth of that conflict.
Winston Churchill once wisely observed that “the Balkans produces more history than it can consume.” That certainly matched my experience.
When I left EUCOM and headed to Texas, I was leaving behind knowledge of, and responsibility for, a conflict medieval in its origins and Byzantine (almost literally) in its complexities, to take command of a unit on the cutting edge of a whole new type and domain of warfare.
Thank God I had a great staff in Texas. They began to educate the new guy with the fervor of those attempting a conversion.
And the first article of faith at AIA was simply that cyber was a “domain.”
“You know, General. Land, sea, air, space, cyber.”
Actually, when you convince a GI that something is a domain, a lot of things click. He doesn’t clutter his mind with extraneous concepts like networks, bandwidth, and the like. It’s a domain, an operational environment, and—just like all the other domains—it has its own characteristics. This one is characterized by great speed and great maneuverability, so it favors the offense. It is inherently global. It is inherently strategic.
And, my new staff added, we need to treat it like we treat the other domains. America expects us to operate there. Just like the other domains—air, for example—we’re going to use it for our purposes when we want to and deny its use to others when we choose to.
At least that’s going to be our mission. The language of air dominance and air superiority, which easily tripped off our tongues as airmen, quickly became information dominance and information superiority in our new lexicon.
AIA worked to make this more than just words. The first audience we had to convince was the air force itself. In September 1997 we had the chance to demonstrate what we wanted to do to a gathering of air force three- and four-stars. The chief of staff, General Ron Fogleman, invited me to Scott Air Force Base in Illinois for his semiannual meeting, called Corona Top, to give a presentation about new technologies, new weapons, and new modes of warfare. Fogleman gave us an unprecedented two hours on the agenda.
I would be onstage to give the background to our approach and a touch of the doctrine we were debating, but I would also be connected by video link to my headquarters and operations center in San Antonio. We were going to demonstrate live some of the tools then under development.
We almost met with disaster when a south Texas thunderstorm hit my headquarters on Security Hill just before we were about to begin. Through heroic efforts we came back online just in time, and all the technology worked as briefed. In one example, we remotely disabled some workstations, and in another I demonstrated how we could spoof a radarscope to show one thing while the actual aircraft it was following was doing another.
Not bad. Senior leadership was impressed. No one volunteered any money from his fighter or bomber programs, but they were impressed. At least we had planted a few seeds.
Back in San Antonio we had already retooled our traditional operations center into an Information Operations (IO) Center. There I was routinely briefed on broad indicators of action in the cyber domain, the status of air force networks, the character of attacks against us. We also regularly deployed information warfare support teams to air force tactical units to better prepare them (and to spread the gospel).
These thoughts and actions in San Antonio ultimately had outsize influence. Not much more than a decade later Bob Butler—the talented young lieutenant colonel who headed up my IO center—was now the deputy assistant secretary of defense for cyber policy, and those nascent concepts from San Antonio had pretty much become American military doctrine. Butler worked for Bill Lynn, the deputy secretary of defense, who wrote a seminal piece in Foreign Affairs in the fall of 2010 that brought the concept of the cyber domain and cyber dominance into full public view.
“As a doctrinal matter,” he declared, “the Pentagon has formally recognized cyberspace as a new domain of warfare. Although cyberspace is a man-made domain, it has become just as critical to military operations as land, sea, air, and space. As such, the military must be able to defend and operate within it.” It was as if he had copied our notes from Texas in 1996.
Our ideas had stuck, but in retrospect we had admittedly been living within a unique culture and underappreciated that an entire generation was growing up outside our fence-line thinking of this domain as a global commons, a pristine playground, not a zone of potential conflict where powerful nation-states would want to work their will.
American doctrine doesn’t militarize this domain more than many other nations around the world have, but we certainly have thrown a lot of resources into our efforts, and our natural transparency and casual use of language expose us to charges that we have.
Go back to Lynn’s article. The most telling line in the whole piece was the one at the bottom of the first page: William J. Lynn III is U.S. Deputy Secretary of Defense. The seminal American thought piece on cyber wasn’t written by the deputy attorney general or deputy secretary of state or deputy secretary of commerce or even by the president’s science advisor. It was written by the deputy secretary of defense. People outside this country notice things like that.
So do people inside this country. There was little coordination of Lynn’s 2010 article in the interagency process in Washington. There were a few discussions with cybersecurity czar Howard Schmidt at the White House, but not much beyond that. The Department of Homeland Security, up on Nebraska Avenue, and the Department of State, over on C Street, were as much surprised by the article as some foreign audiences.
They pushed back. Within six months of Lynn’s article, Jane Holl Lute, the deputy secretary of Homeland Security, coauthored a piece in Wired that proclaimed, “Cyberspace is not a war zone.” Rather, she wrote, “cyberspace is fundamentally a civilian space—a neighborhood, a library, a marketplace, a schoolyard, a workshop—and a new, exciting age in human experience, exploration and development.”
Michele Markoff, the deputy coordinator for cyber issues at the Department of State, would tell anyone who would listen that our emphasis on a new domain that was (allegedly) severable from the physical realities that comprised it (servers, for example, had to be somewhere in physical space) was making her work very difficult.
Markoff was tirelessly trying to create international norms for cyber behavior. DOD’s construct of a separate domain tended to mute the traditional principles and responsibilities of sovereignty, and it wasn’t helping. From Markoff’s point of view, DOD was actually focusing on a physical object, say a server in Malaysia, not on some abstract node in a near-mythical new universe.
Audiences also had to notice a section in Lynn’s piece entitled “Leveraging Dominance,” as well as his wonderfully alliterative and somewhat ominous description of something he called active defense: “part sensor, part sentry, part sharpshooter.” You can imagine how that last word was read in many foreign capitals.
The debate continues today. Not long ago, I was sitting in front of a Skype screen in Colorado arguing via video link with author Jim Bamford, who has made a living writing unauthorized books about NSA. One of my distant NSA predecessors, Linc Faurer, wanted to have him arrested over his first opus, The Puzzle Palace, when it hit the streets in 1982.
I tried to more productively cultivate Bamford two decades later when I was director, even inviting him to dinner and allowing him to have a book signing in NSA’s National Cryptologic Museum
. It didn’t work. When the Terrorist Surveillance Program was made public in late 2005 (see chapter 5), he joined an ACLU lawsuit against NSA.*
The Skype debate was for a TV trade audience in Beverly Hills on behalf of PBS hyping an upcoming NOVA special on NSA. Bamford was a coproducer and was arguing that America had tragically militarized the cyber domain through actions like Stuxnet, which he described as an American cyber attack on the Iranian nuclear facility at Natanz. America’s intemperate behavior, he claimed, had legitimized Iranian responses against the giant oil company Saudi Aramco and against American banks. The Internet was now a free-fire zone, and it was our fault.
I responded by defaulting to my “land, sea, air, space, cyber” construct. “The cyber domain wasn’t the only global commons on the list,” I said. “The maritime domain had been such for eons. And no one objected to the existence of navies. In fact, a good case could be made that navies were essential to keeping that commons common.”
I could have added that the cyber domain has never been a digital Eden. It was always Mogadishu. The president of Estonia, Toomas Hendrik Ilves, knows something about this. His country’s Internet collapsed in 2007 under attack by “patriotic Russian hackers” (read criminal gangs repaying a debt to the Russian state for the freedom of action they enjoy there) after Tallinn tried to move a Red Army memorial from downtown to the suburbs.
President Ilves has a wonderful way of capturing all this. He says that, lacking a Lockean social contract in the cyber domain, what we have is an almost purely Hobbesian universe, a universe where Hobbes’s description of ungoverned life as “poor, nasty, brutish and short” really applies. There is simply no rule of law there.
I have often compared the current evolution of cyberspace to the last great age of globalization, the centuries of European discovery. That era, for all its accomplishments, jammed together the good and the bad and the weak and the strong in ways that had never been experienced before. What the Europeans got out of it was land, wealth, tobacco, and syphilis. Much of the rest of the world got exploitation of entire populations, global piracy, and the global slave trade. We are in a somewhat analogous condition now except that today’s connectivity isn’t at ten knots with a favoring wind. It’s at 186,000 miles per second. It didn’t take Stuxnet to make the cyber domain a very dangerous place.
• • •
THESE DEBATES were all in the future when I arrived at NSA in March 1999. I had had only eighteen months in San Antonio, but the people there were cutting edge and the education they gave me was invaluable when I got to Fort Meade.
And it was invaluable right from the beginning. Keep in mind the purpose of the National Security Agency. NSA’s job was all about communications. Historically that was electronic data in motion: global high-frequency communications, shorter-range microwave signals, photons and electrons moving along a cable.
Agencies like CIA handled other materials—human sources, purloined documents, pilfered codes—more or less physical data sitting at rest.
The division of labor was clear. Electronic data in motion—NSA. Physical data at rest—CIA. But the new digital domain had created a different state of nature: electronic data at rest.
It’s easy to forget how novel this really was. Since Marconi we had been turning physical data into an electronic form only to move it. I still remember my days at a fighter wing in Korea as recently as the 1980s where, to send a message, we would type it out with something called an OCR (optical character recognition) typewriter and walk it across the street to the communications center, where it would be scanned, turned into electrons, and transmitted to Washington. Once it arrived there, the electrons would be converted back to a printed page that was thrown into a pigeonhole, where it awaited a clerk to come pick it up.
That now sounds archaic, and it is inexplicable to our children. By the late 1990s we were all moving data routinely (like e-mails) that would never exist as anything but electrons, and we were all storing data in electronic form, much of which—documents, spreadsheets, files, notes—would never be electronically transmitted.
The former was clearly a communication (electronic data in motion) but the latter, well, that was something new. To NSA it was electronic and hence fair game. To CIA it wasn’t moving and hence was equally fair game.
This bureaucratic issue didn’t end up in a death match across the Potomac between the two agencies. President Bush settled it in a memorandum after 9/11 declaring it fair game for both agencies, with NSA treating it in accordance with SIGINT rules and CIA handling it like HUMINT.
But the fact that it was an issue at all says a little about American intelligence bureaucracy and a lot more about how disruptive the digital age was for American intelligence.
At NSA we had to develop a whole new language. We were moving to active SIGINT, commuting to the target and extracting information from it, rather than hoping for a transmission we could intercept in traditional passive SIGINT. This was all about going to the end point, the targeted network, rather than trying to work the midpoint of a communication with a well-placed antenna or cable access.
We also knew that if we did this even half well, it would be the golden age of signals intelligence, since mankind was storing and moving more and more data in digital form with each passing day.
That was the good news, and at the turn of the century we were all-in trying to retool our infrastructure for the new era. But that was going to be difficult. Money was tight.
I tried to disinvest about $200 million a year from ongoing collection to invest in what we needed to work the end point, and I heard about it from all over Washington. No one was willing to surrender any current take for future capability. Someone went to the mat about degrading coverage of Nigerian organized crime, for God’s sake.
We did what we could. In the last days of 2000, as we were rewiring the entire agency’s organizational chart (see chapter 2), we set up an enterprise called TAO, Tailored Access Operations, in the newly formed SIGINT Directorate (SID). We had toyed with some boutique end-point efforts before, but this was different. This was going to be industrial strength. We actually divided up SID into end-point and midpoint boxes, the better to measure and meter the growth of the former, even if it had to be at the expense of the latter.
As it turned out, it didn’t. The terrorist attack less than nine months later ensured a steady stream of additional human and material resources across the agency. And, even in a period of generalized growth, TAO became the fastest-growing part of NSA post-9/11, bar none.
TAO’s growth also benefited from the bursting of the dot-com bubble and the massive surge of patriotism after the 9/11 terrorist attacks. Talk about the best and the brightest: we got an incredible cohort of young, technically talented, innovative, and adventurous new SIGINTers. We hired several thousand people in the four years after 9/11; their average age was thirty-one, well below the agency average at that time. It wasn’t lost on any of the new recruits that we were offering them the opportunity to legally do stuff that would be felonies in any other venue. We effected a generational change in our workforce in a matter of a few years.
Our new cohort had one hell of an attitude. One veteran confided to me that they had a “no target impossible to penetrate” mentality and, from the beginning, bypassed low-hanging fruit to attack the hardest targets.
Some of these took years to penetrate. Grant’s capture of Vicksburg is still cited at the war colleges as the classic example of the indirect approach; unable to take the city from the Mississippi River side, Grant mounted a months-long campaign from the landward side before the Gibraltar of the Confederacy fell. When the war colleges are allowed to teach how TAO gained some accesses, TAO’s efforts will parallel the strategic lessons of Grant—patience, indirection, and persistence—in the curriculum.
Other nations’ security services were trying to work the end point, but none of them were embedde
d in a SIGINT system as global as NSA’s. Traditional passive SIGINT often holds the key to active SIGINT’s success—mapping networks, communications paths, and in general providing the kind of detailed information that is essential to success.
We also had a great supporter in DCI George Tenet, who repeated, mantra-like, “SIGINT enabling HUMINT, HUMINT enabling SIGINT.” Some targets thought that they were permanently isolated from the World Wide Web. That wasn’t always true, thanks to HUMINT enabling.
Of course, we also worked to create our own remote accesses, using a variety of techniques, like tempting targets to click on a link in an innocent-looking e-mail. At home we were all complaining about the emergence of spam on our networks. At work, we willingly hid in the growing global flow as we targeted specific networks.
It was a good thing that we were getting our game on. Turns out that we had underestimated how much al-Qaeda was using the Web. Pre-TAO, we hadn’t seen much al-Qaeda activity there and so assumed that there wasn’t much. There was. As US forces rolled up hard drives in Afghanistan and as we inspected pocket litter (the generic term for stuff found on or near a detainee) from al-Qaeda takedowns globally, we began to harvest Internet addresses and identities that allowed us to eventually turn al-Qaeda’s use of the Web into one of our best counterterrorism tools.
TAO was becoming a gateway to great intelligence. And to other things too.
My predecessor at NSA was Ken Minihan. Ken had also been one of my predecessors in Texas, and a lot of what I had learned there was actually started and nurtured by him. I had been proselytized and converted by his disciples.
Although Ken and I were career intelligence officers and pushed end-point collection hard, neither of us was limiting his thinking to just espionage. We saw cyber as a domain of real conflict and believed that NSA could add a lot to American power there, beyond just spying, but the agency was constrained. It could legally manipulate a target only to cover its tracks or break the target’s encryption. Anything beyond that wasn’t in the mission or charter, a flaw we worked to correct.
Playing to the Edge: American Intelligence in the Age of Terror Page 15
