And even when the effects were predictable and legitimate, policy makers wanted to know if you could limit them to the intended target (distinction) and, to the degree you could not, if the desired effect justified the collateral damage (proportionality).
These are time-honored, universal principles for any war maker with a conscience, but in physical space there was often a century or more of experience to fall back on. “A high-explosive warhead of this size hitting at this angle against this type of target will create an area of lethality of this size and shape,” for example. We have even developed an irreverent shorthand for the uneven splotches of red (dead), yellow (maybe), green (safe) in the visual display of such formulas: bug splats.
Now, what does a bug splat look like for a cyber weapon that has never been used in anger and against a unique network that is well, but not perfectly, understood?
In concrete terms, the dialogue in the Situation Room begins with the national security advisor saying something like this:
“So, you’re saying that you can disrupt the power supply to this key military facility.”
“Yes, sir, and through persistent attacks keep it down.”
“Good. Now what else is on that net?”
“Well, sir, we think we can keep the effects confined to a pretty small physical area.”
“How small?”
“Probably thirty to forty square miles.”
“Worst case, how many hospitals in that area?”
“Worst case, four. Maybe five.”
“Do they all have UPS [uninterruptible power supply]?”
“We’re working on that now.”
The national security advisor pauses, seems to reflect, and then moves on by saying, “OK. Get back to me. We’ll take this up again next time.”
And the next time, and the next time, and the next time.
And this meeting is invariably in the Situation Room, not in the Pentagon or at Langley or at some combatant command headquarters. From their inception, cyber weapons have been viewed as “special weapons,” not unlike nuclear devices of an earlier time.
But these weapons are not well understood by the kind of people who get to sit in on meetings in the West Wing, and as of yet there has not been a Herman Kahn (of On Thermonuclear War fame) to explain it to them.
To a first order, there is the technical challenge. After a few sentences, the cyber briefer often sounds vaguely like Rain Man to many of the seniors in the room. With a few more sentences, most are convinced that he is.
I recall one cyber op, while I was in government, that went awry—at least from my point of view. In the after-action review it was clear that no two seniors at the final approval session had left the Situation Room thinking they had approved the same operation.
Beyond complexity, developing policy for cyber ops is hampered by excessive secrecy (so says this intelligence veteran!). Look at the bloodline. I can think of no other family of weapons so anchored in the espionage services for their development (except perhaps armed drones). And the habitual secrecy of the intelligence services has bled over into cyber ops in a way that has retarded the development—or at least the policy integration—of digital combat power. It is difficult to develop consensus views on things that are largely unknown or compartmented or only rarely discussed by a select few.
I was on a panel at Georgetown University with several prominent cyber experts after I left government. Without any prior coordination, we all commented that cyber secrecy had retarded the development of cyber policy and doctrine. One panelist, Siobhan Gorman, who had covered the NSA beat for the Baltimore Sun before moving on to the Wall Street Journal, volunteered that counterterrorism data was easier to pry from the government than any form of cyber information.
Technical challenges and policy ambiguities did little to dim the spirit of cyber enthusiasts, though. We truly were like airpower enthusiasts before World War II: “The bomber will always get through!” Like them, however, for a long time we were long on theory and short on practical success.
In 2004 and 2005 I would candidly admit that, to date, we had largely been spray painting virtual graffiti on digital subway cars. We could harass, but we weren’t decisive. An effort right before the invasion of Iraq to e-mail Iraqi officials warning them of their fate and suggesting alternative courses of action seems to have done little more than just annoy them. In another operation, we made Slobodan Milošević’s phone ring incessantly, but there is no evidence that it shortened any aspect of the Balkan conflict.
The dramatic event in the annals of airpower was the sinking of a captured German battleship, the Ostfriesland, off Hampton Roads in 1921. The ship was undefended and not under way, but with multiple waves of attacks over two days she was sent to the bottom by land-based bombers. It was not even close to an operational test, but airmen hailed it as the dawn of a new age.
I reminded our cyber warriors that as staged as the Ostfriesland event had been for Billy Mitchell’s biplanes, we were even less convincing. We hadn’t yet come close to sinking the Ostfriesland.
America’s cyber warriors kept trying, though, perhaps at times a little too hard.
With wars under way in Iraq and Afghanistan and globally against terrorist networks, the Joint Chiefs had issued a standing execute order (EXORD) authorizing action to counter adversary use of the Internet. It went by the unwieldy acronym CAUI (pronounced “cow-ee”). On the surface it appeared like broad authority, but it was actually quite limited, since it required specific, senior-level permission to undertake any operation that wasn’t merely tactical in its conduct and very local in its effects.
In the run-up to one of the 9/11 anniversaries, it was proposed that broad CAUI authorities be used to block a video that Osama bin Laden had prepared to mark the occasion. His purpose was to taunt us and demonstrate that we couldn’t dilute his propaganda. Ours was to visibly frustrate his timetable to get his message online in time for the anniversary. That wasn’t really a strategic effect, but it was attractive enough to be approved at a Deputies Committee meeting.
The plan called for denying al-Qaeda access to Web sites that it intended to use for distribution. Some could be controlled cooperatively. Others had to be taken down.
Among the latter was a site controlled by a counterterrorism partner in the Middle East. It was a pretty vile site, the better to attract genuine jihadists to it, and the debate over taking it down reflected a perennial question for us. Did we want to take jihadists on in the cyber domain, or was it better to just monitor them there to better attack them in physical space? The traditional answer was the latter; in this case we were going with the former.
The attack was quite successful. The site went down hard. The 9/11 anniversary passed without a bin Laden release, but before there were any celebrations, my own regional experts were all over me complaining about the impact on our CT partner. The partner knew they were being attacked and were sure they knew who was doing it. And every time they rebuilt their site, down it would go again.
No one thought we could keep the video off the Web forever. There were just too many sites that could be used. It was time to stop this.
Over our objections, though, the attack persisted, so I called Jim Cartwright, now vice chairman of the Joint Chiefs of Staff. Jim seemed to understand the dilemma: we had achieved a tactical success, but now were threatening an important strategic relationship.
Cartwright approved my calling my counterpart and promising that the attacks would stop within twenty-four hours. I did so on a Saturday morning, confident that this would end by Sunday.
It didn’t. I still can’t explain why. Billy Mitchell had broken some prearranged ground rules to demonstrate his point with the Ostfriesland. That really angered the navy. Now it seemed that we were doing the same thing here except that this time we were disappointing, angering, and almost betraying a partner, one
who put great stock in personal relationships and trust. I broke ranks and confessed to the partner that we did not support the continued action, but were powerless to stop it.
Later, at my request, Jim Cartwright also apologized personally to our ally in my office.
For my part I requested some private time with Steve Hadley, the national security advisor. “Steve,” I began, “there is no need for CIA to attend future meetings on proposed cyber operations. Until we get a governance structure that is more sophisticated and sensitive than this last ‘fire and forget’ drill, we’ll just mail it in. Put us down as opposed.”
Steve was taken aback. The anger was a little out of character for me, he said. And he was probably remembering that I was JFCC-NW’s first commander. Just shows how mad we were.
To be clear, it wasn’t that we at CIA were ideologically opposed to cyber ops. Quite the opposite. We even had our own cyber force, the Information Operations Center (IOC), chartered to conduct full-spectrum cyber operations, sharpen cyber tradecraft, protect agency systems, and enhance CIA’s cyber analysis. George Tenet had launched the IOC, and it grew steadily under him, Porter Goss, and me.
CIA didn’t try to replicate or try to compete with NSA or JFCC-NW. When asked about it, I explained that the IOC was a lot like Marine Corps aviation, while NSA was an awful lot like America’s air force.
Marine Corps aviation is an integral part of the marines’ air-ground team. It doesn’t try to match the US Air Force; it simply provides airpower to support the marines’ historic missions. The IOC develops cyber power so that the agency can perform its traditional missions too.
In aviation, it is important that both the marines and the air force are on the same air-tasking order. Otherwise, you could have fratricide.
The same is true for the IOC and NSA in the cyber domain. Each has to be aware of the other’s actions, and those actions have to be de-conflicted. That actually works pretty well. There is plenty of work to go around.
• • •
I LEFT GOVERNMENT in February 2009. A few months later the secretary of defense directed STRATCOM to plan for a new cyber command. In May 2010 JFCC-NW went the way of IOTC, and US Cyber Command stood up at Fort Meade, just the way Minihan and I and scores of others had envisioned more than a decade before. Keith Alexander, the DIRNSA, got a fourth star and became the new commander.
Keith eventually stayed at NSA for a total of eight years. Combined with my six, that was nearly a decade and a half of fairly consistent vision. That is a very unusual phenomenon within the federal government.
Alexander continued the tradition of aggressively proselytizing the cyber mission. From the outside it looked from time to time like he had overachieved and was getting out in front of the administration’s more cautious cyber headlights. There were reports of his going downtown for meetings with Howard Schmidt, the cyber czar, and even being taken to the woodshed by John Brennan, the president’s homeland security advisor.
By mid-2010, though, a little more than a year after I left government, there was little doubt that cyber weapons had come of age. Someone, almost certainly a nation-state (since this was something too hard to do from your garage) used a cyber weapon that was popularly labeled Stuxnet to disable about a thousand centrifuges at the Iranian nuclear facility at Natanz.
For someone of my background, that was almost an unalloyed good. It set the Iranian program back some six to twelve months, according to estimates.
But let me describe that achievement in just a slightly different way. Someone had just used a weapon composed of ones and zeros, during a time of peace, to destroy what another nation could only describe as critical infrastructure.
When the fact of the attack became public, I commented that—although this did not compare in any way in destructive power—it felt to me a little bit like August 1945. Mankind had unsheathed a new kind of weapon. Someone had crossed the Rubicon. A legion was now permanently on the other side of the river.
We were in a new military age. What had been concept and anticipation only two decades earlier in Texas was now reality.
I had been a part of it. Probably pushed some of it along. Certainly got a chance to be present at some important milestones and decisions.
And now I knew that we would all have to live with the consequences.
NINE
IS THIS REALLY NECESSARY?
THE ODNI, 2005–2006 AND BEYOND
The modern American intelligence community traces its roots to Pearl Harbor. Everything since that attack has been designed to prevent strategic surprise. We were surprised on September 11. People wanted to know why.
Everyone had a view, including a commission headed by former Indiana congressman Lee Hamilton and former New Jersey governor Tom Kean. They launched their work with a congressional mandate in November 2002 and were clever enough not to drop their report or its recommendations until July 2004, as the presidential campaign was getting into full swing.
The recommendations amounted to a major restructuring of American intelligence even as, that summer, the intelligence community was waging a relentless and largely successful global war against al-Qaeda; the intelligence community’s analysis that post-invasion Iraq would be inherently unstable was proving spot-on; and a CIA officer, Steve Kappes, was running back-channel communications that would eventually convince the Libyans to abandon their nuclear and chemical weapons programs.
There were few in the intelligence community at the time who thought that restructuring was a good idea. I certainly did not. Operational tempo was extremely high, and we all knew that this would be a time and energy sink. But we also knew that we had not prevented the horror of 9/11. The American people had forgiven us for getting some things wrong, but they and their representatives in Congress wanted to see some visible change.
Candidate John Kerry endorsed the findings of the 9/11 Commission within hours of their release, certainly before he had read them. President Bush waited a decent interval and then followed a few days later.
Following the elections, Congress returned to Washington and to the question of intelligence reform with rare energy.
For many of us in the business it seemed that the Hill had sprouted 535 intelligence experts, practically overnight. John McLaughlin, acting DCI while the law was being debated, used to liken discussions at both ends of Pennsylvania Avenue to being on a hospital gurney, with a lot of people in white smocks poking at you, with nary a medical degree in sight.
It’s hard for Congress to legislate better analysis or more aggressive collection or more foolproof covert operations. Choices are limited. Congress can move money (it had already given us a lot), it can add people (we were recruiting at record rates), and it can restructure organizational charts and strengthen authorities.
In adopting many of the Kean-Hamilton recommendations in the Intelligence Reform and Terrorism Prevention Act of 2004, Congress decided to restructure the intelligence community and strengthen authorities. Once you cut through the empty and emotionally charged criticisms of “Cold War mentalities,” “stovepipes,”* and “bureaucratic turf,” it was clear that the Hill was trying to recalibrate the critical balance that any complex organization has to manage—the balance between freedom of action for the parts and unity of effort for the whole. Too little autonomy for the parts leads to inaction, inflexibility, hesitation, and lost opportunities. Too little unity of effort means that individual agency achievement is not synchronized, harmonized, exploited, or leveraged.
They were going to strengthen the center of the community and create more centripetal forces at the expense of centrifugal ones. They were also going to relocate and rename the center. The director of Central Intelligence (DCI) would become the director of National Intelligence (DNI), and whatever else he might be, he would not be the head of CIA. He would not even be allowed to have his offices at Langley.
The d
iagnosis that we needed more “glue” was only partly right. When it came to integration and synchronization, we got plenty of criticism, usually about as sophisticated as “You guys are all screwed up.” But a line I never heard following that one was “So you need to be more like the ——.” Because there wasn’t a country to fill in that blank that made the sentence true. Even if we might need more integration, and we did, on 9/10 the American IC was already the most integrated intelligence community on the planet.
DCI George Tenet was actually a powerful figure. As director of NSA, I was called and directed to act by George more than any combination of people in the Department of Defense or anywhere else in government, for that matter. George had the ear of the president, with whom he met six days a week. He had an outsize personality and a work ethic to match. He also headed up CIA, and that “C” still stood for Central.
When George called me, he would usually begin the conversation with, “Mike, my guys were just in here,” and usually end it with “and here’s what I want you to do.” And the antecedent of George’s “guys” in these conversations was not his relatively small Community Management Staff, but rather his operational, analytical, and technical folks from CIA proper. In other words, in terms of creating unity of effort and operational cohesion, the strongest “glue” we had was the fact that the head of the community (the DCI) also headed up its most operationally relevant agency (CIA).
And Tenet wasn’t alone. Charlie Allen had nearly a half century of CIA experience and had touched all the agency’s sensitive operations during that span. Based on my observations, he never slept. He was George’s chief of collection for the entire intelligence community, and he conducted the collection orchestra like a maestro.
Playing to the Edge: American Intelligence in the Age of Terror Page 17
