Playing to the Edge: American Intelligence in the Age of Terror
Page 16
US law is pretty clear about the distinction between espionage and war fighting. Spying is controlled by Title 50 of the US Code and overseen by Congress’s intelligence committees. Warfare falls under Title 10 and the Armed Services Committees. The distinction works pretty well in the physical domains, but even there, things get a little muddled with CIA covert action and paramilitary activities.
The distinctions break down entirely in the cyber domain. Take reconnaissance. In physical space it always happens (or should) before someone attempts a kinetic operation. Robert E. Lee sought Jeb Stuart’s counsel. A patrol in today’s army will launch a handheld drone to report on the reverse slope of a ridge before crossing it.
In physical space the reconnaissance is almost always easier than the operation. Learning where the Army of the Potomac might be was hard and dangerous work, but not as hard and dangerous as defeating it. The same with defeating an entrenched enemy squad on the backside of the ridge that your drone just imaged.
Reconnaissance should come first in the cyber domain too. How else would you know what to hit, how, when—without collateral damage?
But here’s the difference. In the cyber domain the reconnaissance is usually a more difficult task than the follow-on operation. It is tougher to penetrate a network and live on it undetected while extracting large volumes of data from it than it is to, digitally speaking, kick in the front door and fry a circuit or two.
Let me go further. An attack on a network to degrade it or destroy information on it is generally a lesser included case of the technology and operational art needed to spy on that same network.
About a year before I got to NSA, Minihan hit upon an ingenious approach to squaring this circle. He launched an enterprise called the Information Operations Technology Center, the IOTC. It was located within the NSA headquarters building, originally lived off NSA dollars and talent, but was officially not part of the agency. It was a joint DOD and Intelligence Community undertaking.
The label Information Operations was broad and gave the center the license to touch on all the IO things you might ever want to do against an adversary: spy on him, corrupt his network or his information, or capture his computers to use them to create physical destruction. NSA could legally only do the first, but since this was a technology rather than an operations center, it was free to develop tools that could be used by others with different authorities. It was an elegant solution that got the toolbox for all kinds of cyber operations filled quickly.
Minihan had gotten a real boost the year before from a DOD exercise called Eligible Receiver. The exercise had been sponsored by General Jack Sheehan, a tough Boston Irish marine who was commander of Atlantic Command in Norfolk. Sheehan had enlisted NSA as his red team for a cyber assault against Department of Defense networks. The results were embarrassingly awful. The red team, without any special information or special tools, penetrated wherever it targeted.
Minihan was eager to lead the remediation, but the military services were pushing back hard against a more powerful role for a defense agency. Their experience was that defense agency growth was usually at the expense of their budget top line. John Hamre, the deputy secretary of defense, finally enlisted DCI George Tenet’s support and then just plain overruled the reflexive service objections to the enterprise.
When I arrived in 1999, the head of IOTC was Bill Marshall, a professorial-looking and exceptionally competent NSA veteran.
By all accounts his most difficult partner wasn’t any of the military services. It was the leadership of the National Security Agency below the eighth floor (where the director’s office was housed). A lot of folks just wanted to do the traditional SIGINT mission; this exotic IO stuff was a costly distraction from an already tough job, and there was fear that IOTC tools in the hands of others would compromise NSA’s fragile end-point operations.
Bill Black, who later became my deputy (chapter 2), was an unabashed advocate for IO being housed at NSA as a natural extension of the SIGINT mission. Bill volunteered himself to Minihan to be his assistant director for information operations. Since the agency couldn’t actually carry out most of what could be called IO, it could fairly be described as an advocacy post, and Black was tireless in his advocacy. The internal NSA opposition to the concept was so strong that Black later retired in disgust.
Disillusioned and frustrated, Black warned Marshall that one way or another, he was bound to fail. If he actually succeeded operationally, NSA seniors would hate him. On the other hand, if he simply failed, he would just be viewed as incompetent.
When Minihan hired Marshall, he told him that everyone believed that the IOTC was only PowerPoint deep in substance. He challenged Marshall to produce real results, to build coalitions across DOD and the IC, and to get the resources he needed to do the job. In return, Minihan promised him top cover against those who would oppose him and try to starve the project.
Marshall was internally very intense and focused, but he moderated that outwardly with a collaborative and communicative spirit. Over time he wore down resistance. He started with a few dozen people, but over three years had grown the IOTC to several hundred. His expanding team doggedly developed, gathered, evaluated, modified, catalogued, and stored tools that might prove useful to defend networks or to spy on an adversary or to deny, degrade, disrupt, or destroy an adversary’s network or information.
As his stack of tools grew, Marshall forced a whole series of legal and doctrinal and organizational questions. You can’t stockpile tools and weapons without compelling DOD lawyers and national policy makers to give you some guidance. And that engendered debate and controversy and forward-leaning thinking. In retrospect, Marshall chalks that up as the center’s most lasting achievement.
The IOTC became the cyber-gathering place where cyber concepts could be defined, discussed, challenged, debated, and tested. Even more important than his growing tool kit, Marshall and his center kept the doctrinal fire (and controversy) of cyber operations alive.
• • •
FORT MEADE IS about forty minutes from downtown Washington, on a good day (like a Sunday). The relative isolation is nice. It puts you just outside the circle of the capital’s politically charged everyday routine.
The distance also means that you do not routinely get the casual visitor. People coming up the Baltimore-Washington Parkway do it with purpose or not at all.
We worked hard to get as many thought leaders to Fort Meade as we could. We wanted to fill their heads with our thoughts and actions and ambitions in this new domain.
To clarify the discussion, we started talking about something called computer network operations (CNO) and said that you could divide it into three bins: computer network defense (CND), keeping your own networks safe; computer network exploitation (CNE), stealing other people’s data; and computer network attack (CNA), destroying data, networks, or physical objects.*
We then usually dove into computer network defense, or CND, since it was least threatening, least novel, and therefore least controversial.
NSA had had a charter to secure American government communications since almost forever. The old secure phone, the STU-3, was an NSA product. There’s a picture of President Bush on one of them in that Florida classroom on the morning of 9/11.
So CND was a fairly easy role to slip into, at least bureaucratically. About a fifth of NSA’s budget and manpower was already committed to defense. The challenge here was more technical and operational: How do you defend in a domain that we were finding pretty easy to exploit when we played offense?
It was hard. A few weeks before I left NSA in 2005, at the strong insistence of Bill Black (now my deputy), we launched NTOC, the NSA Threat Operations Center. If we were going to be throwing cyber rocks, we had better start protecting our glass house. I called on Bill Marshall again to head it. He began with ten people, no dedicated work space, and no budget. Three years later the center w
as a thriving concern with almost a thousand folks in place.
If it hadn’t been at NSA, the NTOC would have been just another CIRT, a Computer Incident Response Team, combining information assurance technology, network sensors, and internal communications data to map what was happening on a network.
But NTOC was at NSA, so it was hot-wired into a vast global SIGINT system that could send digital scouts out beyond the perimeter to identify activity and threats long before they hit the local firewall. NTOC’s 24/7 operations center monitored the heartbeat of the entire cyber domain and provided early warning to US national security networks.
It was the Information Operations Center I had in San Antonio on a massive regimen of steroids. Predictably, its unique combination of SIGINT and information-security authorities, expertise, and resources aroused bureaucratic suspicion around Washington, so NTOC had to prove itself during skeptical reviews by officials in DOD, the Congress, and the Office of Management and Budget. It passed them all.
More still needs to be done, as there are other unresolved challenges for cyber defense. NSA’s charter is to defend American government secrets. It does not extend to other, unclassified government networks or to the private sector, where an awful lot of American intellectual property, trade information, and critical infrastructure reside. To this day, these networks are not adequately defended. Witness the theft of credit card data from Target and Home Depot or F-35 designs from US government contractors.
The second activity under the broad rubric of computer network operations was what we called computer network exploitation, or CNE. That was the end-point, active-SIGINT, Tailored Access Operations–centered activity already described, and we pretty much had all we needed to thrive, at least in terms of law and policy.
Actually, little noticed (or appreciated) at the time was how easily we transferred our system of governance from the old world to the new. With little debate, we went from a world of letting radio waves serendipitously hit our antennas to what became a digital form of breaking and entering. We were penetrating foreign networks and were saying it was the same thing as scooping up signals from the ether and that the same rules applied. To us it was, and they did, but in retrospect it was a remarkable transition, one that appeared to some to be less innocent and less inevitable when it became the subject of intense public debate in 2013 (chapter 21).
The final category of action under computer network operations was computer network attack, or CNA. This was action designed to disrupt an adversary’s network or, in its most extreme form, take over the network in order to use it to create some level of physical destruction. NSA still had no authority to do that; it was limited to defending American information and stealing other people’s. But we knew that defense, exploitation, and attack were technologically and operationally indistinguishable even though they were separated in legal authority, funding streams, and congressional oversight—all the result of putting new (digital) wine into old (eighteenth-century, actually) bottles. To us, that made as much sense as America having three air forces—one for reconnaissance, another for fighters, and a third for bombers—when it was really all about control of the air.
One of our regular visitors to Fort Meade was General Jim Cartwright, a free-thinking marine aviator who had taken charge of Strategic Command in Omaha in 2004. STRATCOM had been given a dog’s breakfast of additional tasks, with its charter mission of nuclear deterrence declining in importance. Cartwright had to organize the command to deal with global reconnaissance, missile defense, counterproliferation, and space as well as the traditional global strike role.
He also had responsibility for offensive cyber operations, the CNA function that Fort Meade could perform but didn’t have the legal authority to do.
There was no way a single headquarters could master all of STRATCOM’s diverse missions, so Cartwright hit upon the scheme of enlisting the big defense agencies to his cause. Most were already designated “combat support agencies” and most were headed by military officers, so it would be a fairly simple matter to subordinate them to him for specific functions.
Cartwright and I talked and met often. We agreed that he could devolve his authority and responsibility for cyber attack to Fort Meade and dual-hat me as his action arm under the unwieldy title of commander, Joint Functional Component Command–Network Warfare (JFCC-NW).
We were essentially going to expand the IOTC, rebrand it, and give it operational authority through Cartwright’s position as a combatant commander. The combined team at Fort Meade would access and conduct reconnaissance of a target based on my authorities as DIRNSA and then, on order, could manipulate or destroy the target based on Cartwright’s exercising his combat authority through me.
We were running downhill as we undertook this. Cyber warfare was a hot topic, and there was consensus that we needed to better organize to fight in the domain.
Cartwright wasn’t quite pushing on an open door to get the Joint Chiefs on board, but he was essentially offering NSA’s resources to enhance DOD cyber-combat power at little cost to the services. Unlike their opposition to the IOTC in 1997–1998, this time around they were open to the idea.
The chairman of the Joint Chiefs, air force general Dick Myers, was supportive but wanted some personal assurances. I had known him for several years. Our paths had often crossed, especially when he headed all USAF units in the Pacific and then US Space Command, so it was easy to have a personal session with him to explain what we were up to.
It was a typical military tabletop briefing, a few charts and slides with just the two of us in his office in the E-ring of the Pentagon. When I finished, he simply asked, “Mike, is this going to fix this?”
“Not a chance,” I replied. I assured him that this was the right thing to do now, but added, “We’ll be back again in a couple years. And by then we’ll be screwing this up at a much higher level.”
The irreverence was intended to put down a marker that JFCC-NW was a way station en route to a full-up cyber command.
Our plan did not require congressional approval; it was already within the authority of the secretary of defense to implement. Secretary Rumsfeld bought in, and Cartwright got the president’s OK after a session at the Texas ranch over the Christmas holidays in 2004.
Even without needing legislation, Cartwright and I still briefed Congress. We weren’t dumb, and this wasn’t our first rodeo. We didn’t need to prompt any opposition out of pique.
Our technique was to bring the members into our confidence and our “ask” was to give this unusual relationship of Title 10 (war making) and Title 50 (espionage) authorities a little space and time to mature before we had to explain all the fine print (a lot of which didn’t exactly exist yet).
What we were doing did not fit nicely into the congressional oversight structure. It blended activities, some of which were traditionally overseen by the intelligence committees and some of which were overseen by the Armed Services Committees—and nothing is as jealously guarded on the Hill as jurisdiction.
In fact, what made it attractive to the Joint Chiefs—living off a lot of NSA resources to backstop what were unarguably combat rather than intelligence activities—could potentially torpedo the whole idea with the House and Senate intelligence panels. Congressional committees are as protective of their funding streams as they are of their jurisdiction.
That’s why we took pains to explain ourselves. We appeared together in an informal session before the Senate overseers. Cartwright handled the House side on his own, but made the same arguments.
We did well enough. Congress imposed no roadblocks, and Joint Functional Component Command–Network Warfare (i.e., the nation’s computer network attack force) stood up in January 2005.
I was the first commander, but I didn’t stay very long. A month later the president announced my nomination as the first principal deputy director of National Intelligence, and I was confirmed
by the Senate for that job in late April.
But we now had a structure to go along with our vision: a defensive center in the NSA Threat Operations Center (NTOC), an offensive arm in Joint Functional Component Command–Network Warfare (JFCC-NW), and an ongoing espionage enterprise in Tailored Access Operations (TAO).
All were big, thriving enterprises set up in about a decade—the speed of light by Washington standards.
We also had a vote of confidence from the Joint Chiefs and enough promise that Congress swallowed an unusual command relationship.
• • •
ALL WE NEEDED NOW were some real weapons.
Despite the cyber domain’s tilt toward the offense, this is still hard work (harder than we sometimes advertised in our enthusiasm). To attack a target, you first have to penetrate it. Access bought with months, if not years, of effort can be lost with a casual upgrade of the targeted system, not even one designed to improve defenses, but merely an administrative upgrade from something 2.0 to something 3.0.
Once in, you need a tailored tool to create the desired effects. Very often this has to be a handcrafted tool for the specific target. It is not the same as cranking out five-hundred-pound bombs and putting them on the shelf with their laser guidance kits.
A lot of the weapons in the IOTC’s toolbox were harvested in the wild from the Web. Tools with a Web history would make attribution an even more difficult challenge if they were ever used. But some of those exploits could be pretty ugly, so they had to be modified to meet our operational and legal requirements.
What we wanted were weapons that met the standards of the laws of armed conflict, weapons that reflected the enduring principles of necessity, distinction, and proportionality. To a first order they had to produce an effect that was predictable and responding to a genuine military need (necessity). Disabling an air defense system (which the Israelis were alleged to have done in 2008 while destroying a Syrian nuclear reactor) comes to mind. Pounding the Web sites of important banks with massive distributed denial of service attacks so that they cannot be accessed by normal citizens (which the Iranians did to US banks in 2012) does not.