Dark Territory (18 page)

But the NSA needed a bigger breakthrough still: it needed tools and techniques to intercept signals, not only as they flowed through the digital network but also at their source. The biggest information warfare campaign to date, in the Balkans, had involved hacking into Belgrade's
telephone
system. Earlier that decade, in the Gulf War, when Saddam Hussein's generals sent orders through fiber-optic cable, the Pentagon's Joint Intelligence Committee—which relied heavily on NSA personnel and technology—figured out how to blow up the cable links, forcing Saddam to switch to microwave.
The NSA knew how to intercept microwaves, but it didn't yet know how to intercept the data rushing through fiber optics. That's what the agency now needed to do.

In their report to Hayden, the aerospace executives recommended that the SIGINT and Information Assurance Directorates “work very closely,” since their two missions were “rapidly becoming two sides of the same coin.”

For years, Information Assurance, located in an annex near Baltimore-Washington International Airport, a half hour's drive from Fort Meade, had been testing and fixing software used by the U.S. military—probing for vulnerabilities that the enemy could exploit. Now one of the main roles of the SIGINT crews, in the heart of the agency's headquarters, was to find and exploit vulnerabilities in the
adversaries'
software. Since people (and military establishments) around the world were using the same Western software, the Information Assurance specialists possessed knowledge that would be valuable to the SIGINT crews. At the same time, the SIGINT crews had knowledge about adversaries' networks—what they were doing, what kinds of attacks they were planning and testing—that would be valuable to the Information Assurance specialists. Sharing this knowledge, on the offense and the defense, required mixing the agency's two distinct cultures.

Inman and McConnell had taken steps toward this integration. Minihan had started to tear down the wall, moving a few people from the annex to headquarters and vice versa. Hayden now widened Minihan's wedge, moving more people back and forth, to gain insights about the security of their own operations.

Another issue that needed to be untangled was the division of labor within the intelligence community, especially between the NSA and the CIA. In the old days, this division was clear: if information moved, the NSA would intercept it; if it stood still, the CIA would send a spy to nab it. NSA intercepted electrons whooshing
through the air or over phone lines; CIA stole documents sitting on a desk or in a vault. The line had been sharply drawn for decades. But in the digital age, the line grew fuzzy. Where did computers stand in relation to this line? They stored data on floppy disks and hard drives, which were stationary; but they also sent bits and bytes through cyberspace. Either way, the information was the same, so who should get it: Langley or Fort Meade?

The logical answer was both. But pulling off that feat would require a fusion with little legal or bureaucratic precedent. The two spy agencies had collaborated on the occasional project over the years, but this would involve an institutional melding of missions and functions. To do its part, each agency would have to create a new entity—or to beef up, and reorient, an existing one.

As it happened, a framework for this fusion already existed. The CIA had created the Information Operations Center during the Belgrade operation, to plant devices on Serbian communications systems, which the NSA could then intercept; this center would be Langley's contribution to the new joint effort. Fort Meade's would be the third box on the new SIGINT organizational chart—“tailored access.”

Minihan had coined the phrase. During his tenure as director, he pooled a couple dozen of the most creative SIGINT operators into their own corner on the main floor and gave them that mission. What CIA black-bag operatives had long been doing in the physical world, the tailored access crew would now do in cyberspace, sometimes in tandem with the black-baggers, if the latter were needed—as they had been in Belgrade—to install some device on a crucial piece of hardware.

The setup transformed the concept of signals intelligence, the NSA's stock in trade. SIGINT had long been defined as passively collecting stray electrons in the ether; now, it would also involve actively breaking and entering into digital machines and networks.

Minihan had wanted to expand the tailored access shop into an A Group of the digital era, but he ran out of time. When Hayden launched his reorganization, he took the baton and turned it into a distinct, elite organization—the Office of Tailored Access Operations, or TAO.

It began, even under his expansion, as a small outfit: a few dozen computer programmers who had to pass an absurdly difficult exam to get in. The organization soon grew into an elite corps as secretive and walled off from the rest of the NSA as the NSA was from the rest of the defense establishment. Located in a separate wing of Fort Meade, it was the subject of whispered rumors, but little solid knowledge, even among those with otherwise high security clearances. Anyone seeking entrance into its lair had to get by an armed guard, a cipher-locked door, and a retinal scanner.

In the coming years, TAO's ranks would swell to six hundred “intercept operators” at Fort Meade, plus another four hundred or more at NSA outlets—Remote Operations Centers, they were called—in Wahiawa, Hawaii; Fort Gordon, Georgia; Buckley Air Force Base, near Denver; and the Texas Cryptology Center, in San Antonio.

TAO's mission, and informal motto, was “getting the ungettable,” specifically getting the ungettable stuff that the agency's political masters wanted. If the president wanted to know what a terrorist leader was thinking and doing, TAO would track his computer, hack into its hard drive, retrieve its files, and intercept its email—sometimes purely through cyberspace (especially in the early days, it was easy to break a target's password, if he'd inscribed a password at all), sometimes with the help of CIA spies or special-ops shadow soldiers, who'd lay their hands on the computer and insert a thumb drive loaded with malware or attach a device that a TAO specialist would home in on.

These devices—their workings and their existence—were so secret that most of them were designed and built inside the NSA: the
software by its Data Network Technologies Branch, the techniques by its Telecommunications Network Technologies Branch, and the customized computer terminals and monitors by its Mission Infrastructure Technologies Branch.

Early on, TAO hacked into computers in fairly simple ways: phishing for passwords (one such program tried out every word in the dictionary, along with variations and numbers, in a fraction of a second) or sending emails with alluring attachments, which would download malware when opened. Once, some analysts from the Pentagon's Joint Task Force-Computer Network Operations were invited to Fort Meade for a look at TAO's bag of tricks. The analysts laughed: this wasn't much different from the software they'd seen at the latest DEF CON Hacking Conference; some of it seemed to be repackaged versions of the same software.

Gradually, though, the TAO teams sharpened their skills and their arsenal. Obscure points of entry were discovered in servers, routers, workstations, handsets, phone switches, even firewalls (which, ironically, were supposed to keep hackers out), as well as in the software that programmed, and the networks that connected, this equipment. And as their game evolved, their devices and programs came to resemble something out of the most exotic James Bond movie.
One device, called LoudAuto, activated a laptop's microphone and monitored the conversations of anyone in its vicinity. HowlerMonkey extracted and transmitted files via radio signals, even if the computer wasn't hooked up to the Internet. MonkeyCalendar tracked a cell phone's location and conveyed the information through a text message. NightStand was a portable wireless system that loaded a computer with malware from several miles away. RageMaster tapped into a computer's video signal, so a TAO technician could see what was on its screen and thus watch what the person being targeted was watching.

But as TAO matured, so did its targets, who figured out ways to
detect and block intruders—just as the Pentagon and the Air Force had figured out ways, in the previous decade, to detect and block intrusions from adversaries, cyber criminals, and mischief-makers.
As hackers and spies discovered vulnerabilities in computer software and hardware, the manufacturers worked hard to patch the holes—which prodded hackers and spies to search for new vulnerabilities, and on the race spiraled.

As this race between hacking and patching intensified, practitioners of both arts, worldwide, came to place an enormous value on “zero-day vulnerabilities”—holes that no one had yet discovered, much less patched.
In the ensuing decade, private companies would spring up that, in some cases, made small fortunes by finding zero-day vulnerabilities and selling their discoveries to governments, spies, and criminals of disparate motives and nationalities. This hunt for zero-days preoccupied some of the craftiest mathematical minds in the NSA and other cyber outfits, in the United States and abroad.

Once, in the late 1990s, Richard Bejtlich, a computer network defense analyst at Kelly Air Force Base discovered a zero-day vulnerability—a rare find—in a router made by Cisco. He phoned a Cisco technical rep and informed him of the problem, which the rep then quickly fixed.

A couple days later, proud of his prowess and good deed, Bejtlich told the story to an analyst on the offensive side of Kelly. The analyst wasn't pleased. Staring daggers at Bejtlich, he muttered, “Why didn't you tell
us
?”

The implication was clear: if Bejtlich had told the offensive analysts about the flaw, they could have exploited it to hack foreign networks that used the Cisco server. Now it was too late; thanks to Bejtlich's phone call, the hole was patched, the portal was closed.

As the NSA put more emphasis on finding and exploiting vulnerabilities, a new category of cyber operations came into prominence. Before, there was CND
(Computer Network
Defense
) and CNA (Computer Network
Attack
); now there was also CNE (Computer Network
Exploitation
).

CNE was an ambiguous enterprise, legally and operationally, and Hayden—who was sensitive to legal niceties and the precise wiggle room they allowed—knew it. The term's technical meaning was straightforward: the use of computers to
exploit
the vulnerabilities of an adversary's networks—to get inside those networks, in order to gain more intelligence about them. But there were two ways of looking at CNE. It could be the front line of Computer Network Defense, on the logic that the best way to defend a network was to learn an adversary's plans for attack—which required getting inside his network. Or, CNE could be the gateway for Computer Network Attack—getting inside the enemy's network in order to map its passageways and mark its weak points, to “prepare the battlefield” (as commanders of older eras would put it) for an American offensive, in the event of war.
^I

The concept of CNE fed perfectly into Hayden's desire to fuse cyber offense and cyber defense, to make them indistinguishable. And while Hayden may have articulated the concept in a manner that suited his agenda, he didn't invent it; rather, it reflected an intrinsic aspect of modern computer networks themselves.

In one sense, CNE wasn't so different from intelligence gathering of earlier eras. During the Cold War, American spy planes penetrated the Russian border in order to force Soviet officers to turn on their radar and thus reveal information about their air-defense systems. Submarine crews would tap into underwater cables near Russian ports to intercept communications, and discover patterns, of Soviet naval operations. This, too, had a dual purpose: to bolster defenses
against possible Soviet aggression; and to prepare the battlefield (or airspace and oceans) for an American offensive.

But in another sense, CNE was a completely different enterprise: it exposed all society to the risks and perils of military ventures in a way that could not have been imagined a few decades earlier. When officials in the Air Force or the NSA neglected to let Microsoft (or Cisco, Google, Intel, or any number of other firms) know about vulnerabilities in its software, when they left a hole unplugged so they could exploit the vulnerability in a Russian, Chinese, Iranian, or some other adversary's computer system, they also left American citizens open to the same exploitations—whether by wayward intelligence agencies or by cyber criminals, foreign spies, or terrorists who happened to learn about the unplugged hole, too.

This was a new tension in American life: not only between individual liberty and national security (that one had always been around, to varying degrees) but also between different layers and concepts of security. In the process of keeping military networks more secure from attack, the cyber warriors were making civilian and commercial networks
less
secure from the same kinds of attack.

These tensions, and the issues they raised, went beyond the mandate of national security bureaucracies; only political leaders could untangle them. As the twenty-first century approached, the Clinton administration—mainly at the feverish prodding of Dick Clarke—had started to grasp the subject's complexities. There was the Marsh Report, followed by PDD-63, the
National Plan for Information Systems Protection
, and the creation of Information Sharing and Analysis Centers, forums in which the government and private companies could jointly devise ways to secure their assets from cyber attacks.

Then came the election of November 2000, and, as often happens when the White House changes party, all this momentum ground to a halt. When George W. Bush and his aides came to power on January 20, 2001, the contempt they harbored for their predecessors
seethed with more venom than usual, owing to the sex scandal and impeachment that tarnished Clinton's second term, compounded by the bitter aftermath of the election against his vice president, Al Gore, which ended in Bush's victory only after the Supreme Court halted a recount in Florida.