Authors: Fred Kaplan
The room turned quiet. What was McConnell going to say now? He hadn't planned on the prospect, but it seemed an ideal moment to make the pitch that he'd taken this job to deliver. He switched gears and revved up the spiel.
Mr. President, he began, we come to talk with you about cyber offense because we need your permission to carry out those operations. But we don't talk with you much about cyber defense.
Bush looked at McConnell quizzically. He'd been briefed on the subject before, most fully when Richard Clarke wrote his National Strategy to Secure Cyberspace, but that was four years earlier, and a lot of crises had erupted since; cyber had never been more than a sporadic blip on his radar screen.
McConnell swiftly recited the talking points from two decades of analyses—the vulnerability of computer systems, their growing use in all aspects of American life, the graphic illustration supplied by the Aurora Generator Test, which had taken place just two months earlier. Then he raised the stakes, stating his case in the most urgent terms he could muster: those nineteen terrorists who mounted the 9/11 attack—if they'd been cyber smart, McConnell said, if they'd hacked into the servers of one major bank in New York City and contaminated its files, they could have inflicted more economic damage than they'd done by taking down the Twin Towers.
Bush turned to Henry Paulson, his treasury secretary. “Is this true, Hank?” he asked.
McConnell had discussed this very point with Paulson in a private meeting a week earlier. “Yes, Mr. President,” he replied from the back of the room. The banking system relied on confidence, which an attack of this sort could severely damage.
Bush was furious. He got up and walked around the room. McConnell had put him in a spot, spelling out a threat and describing it as greater than the threat weighing on his and every other American's mind for the past five and a half years—the threat of another 9/11. And he'd done this in front of his most senior security advisers. Bush couldn't just let it pass.
“McConnell,” he said, “you raised this problem. You've got thirty days to solve it.”
It was a tall order: thirty days to solve a problem that had been kicking around for forty years. But at least he'd seized the president's attention. It was during precisely such moments—rare in the annals of this history—that leaps of progress in policy had been plotted: Ronald Reagan's innocent question after watching WarGames (“could something like this really happen?”) led to the first presidential directive on computer security; Bill Clinton's crisis mentality in the wake of the Oklahoma City bombing spurred the vast stream of studies, working groups, and, at last, real institutional changes that turned cyber security into a mainstream public issue. Now, McConnell hoped, Bush's pique might unleash the next new wave of change.
McConnell had been surveying the landscape since returning to government, and he was shocked how little progress had been made in the decade that he'd been out of public life. The Pentagon and the military services had plugged a lot of the holes in their networks, but—despite the commissions, simulations, congressional hearings, and even the presidential decrees that Dick Clarke had written for Clinton and Bush—conditions elsewhere in government, and still more so in the private sector, were no different, no less vulnerable to cyber attacks.
The reasons for this rut were also the same: private companies didn't want to spend the money on cyber security, and they resisted all regulations to make them do so; meanwhile, federal agencies lacked the talent or resources to do the job, except for the NSA, which had neither the legal authority nor the desire.
Entities had been created during the most recent spate of interest, during Clarke's reign as cyber coordinator under Clinton and the first two years of Bush, most notably the interagency Cyber Council and the ISACs—Information Sharing and Analysis Centers—that paired government experts with the private owners of companies involved in critical infrastructure (finance, electrical power, transportation, and so forth). But most of those projects stalled after Clarke resigned four years earlier. Now, with Bush's marching orders in hand, McConnell set out to bulk up these entities or create new ones, this time backed by serious money.
McConnell delegated the task to an interagency cyber task force, run by one of his assistants, Melissa Hathaway, the former director of an information operations unit at Booz Allen, whom he'd brought with him to be his chief cyber aide at the National Intelligence Directorate.
Protecting the civilian side of government from cyber attacks was new terrain. Fifteen years earlier, when the military services began to confront the problem, the first step they took was to equip their computers with intrusion-detection systems. So, as a first step, Hathaway's task force calculated what it would take to detect intrusions of civilian networks. The requirements turned out to be massive. When the tech crew at Kelly Air Force Base started monitoring computer networks in the mid-1990s, all of the Air Force servers, across the nation, had about one hundred points of access to the Internet.
Now, the myriad agencies and departments of the entire federal government had 4,300 access points.
More than this, the job of securing these points was assigned, by statute, to the Department of Homeland Security, a mongrel organization slapped together from twenty-two agencies, once under the auspices of eight separate departments. The idea had been to take all the agencies with even the slightest responsibility for protecting the nation from terrorist attacks and to consolidate them into a single, strong cabinet department. But in fact, the move only dispersed power, overloading the department's secretary with a portfolio much too large for any one person to manage and burying once-vibrant organizations—such as the Pentagon's National Communications System, which ran the alert programs for attacks of all sorts, including cyber attacks—in the dunes of a remote bureaucracy. The department was remote physically as well as politically, its headquarters crammed into a small campus on Nebraska Avenue in far Northwest Washington, five miles from the White House—the same campus where the NSA had stuck its Information Security Directorate until the late 1960s, when it was moved to the airport annex a half hour's drive (somewhat closer than Nebraska Avenue's hour-long trek) from Fort Meade.
In 2004, its second year of operations, the Homeland Security Department, in an outgrowth of one of Dick Clarke's initiatives, put out a contract for a government-wide intrusion-detection system, called Einstein.
But the task proved unwieldy: the largest supercomputer would have had a hard time monitoring the traffic in and out of four thousand entryways to the Internet, and federal agencies weren't required to install the system in any case.
This mismatch between goals and capabilities set the stage for the new program put in motion by McConnell and Hathaway, which they called the Comprehensive National Cybersecurity Initiative, or CNCI. It called for the creation of a supra-agency that would consolidate the government's scattered servers into a single “Federal Enterprise Network,” set strict security standards, and whittle down the points of entry to the Internet from over four thousand to just fifty.
That was the goal, anyway.
On January 9, 2008, eight months after McConnell's big briefing, Bush signed a national security presidential directive, NSPD-54, which cited the dangers posed by America's cyber vulnerabilities—taking much of its language from a decade of directives and studies—and ordered Hathaway's plan into action as the remedy.
In the weeks leading up to the directive, McConnell stressed that the plan would be expensive; Bush waved away the warning, saying that he was willing to spend as much money as Franklin Roosevelt had spent on the Manhattan Project. Along with the White House budget office, McConnell drew up a five-year plan amounting to $18 billion. The congressional intelligence committees cut only a small slice, leaving him with $17.3 billion.
Although the plan's mission was to protect the computer networks of mainly civilian agencies, the entire program—the multibillion-dollar budget, the text of NSPD-54, even the existence of something called the Comprehensive National Cybersecurity Initiative—was stamped Top Secret. Like most matters cyber, it was bound up with the blackout secrecy of the NSA, and this was no coincidence: on paper, the Department of Homeland Security was the initiative's lead agency, but the NSA was placed in charge of technical support; and since neither Homeland Security nor any other agency had the know-how or resources to do what the president's directive wanted done, the locus of power, for this program, too, would tilt from the campus on Nebraska Avenue to the sprawling complex at Fort Meade.
Keith Alexander, the director of NSA, was also more adept at budget politics than the managers at Homeland Security. He knew, as Mike Hayden had before him, which legal statutes authorized which sets of activities (Title 50 for intelligence, Title 10 for military operations, Title 18 for criminal probes) and which congressional committees dished out the money for each. So, when the initiative's $17.3 billion was divvied up among the various agencies, the vast bulk of it went to NSA—which, after all, would be buying and maintaining the hardware, the program's costliest element. Congress specified that Fort Meade spend its share of the sum on cyber defense. But that term was loosely defined, and the NSA budget was highly classified, so Alexander allocated the funds as he saw fit.
Meanwhile, Homeland Security upgraded Einstein, the inadequate intrusion-detection system, to Einstein 2, which was designed not only to detect malicious activity on a network, but also to send out an automatic alert. And the department started drawing the conceptual blueprints for Einstein 3, which—again, in theory—would automatically repel intruders. The NSA took on these projects as part of its share of the $17.3 billion, integrating them with the massive data-gathering, data-crunching enterprises it had already launched. But soon after joining forces on the Einstein project, Alexander backed out, explaining that the civilian agencies' requirements and Homeland Security's approach were incompatible with NSA's. Einstein's commercial contractors stayed on, and Homeland Security hired a team of cyber specialists, but, left to themselves, they had to start over; the program bogged down, fell short of its goals, and went into a tailspin.
And so, despite the president's full commitment and heaps of money, the vulnerability of computers and its implications for national security, economic health, and social cohesion—a topic that had set off intermittent alarm bells through the previous four decades—drifted once again into neglect.
Alexander was still obligated to spend his share of the money on cyber defense, but by this time, Ken Minihan's epiphany—that cyber offense and cyber defense ran on the same technology, were practically synonymous—had been fully ingrained in Fort Meade thinking.
The basic concepts of cyber were still in circulation—Computer Network Attack, Computer Network Defense, and Computer Network Exploitation—but the wild card was, and always had been, exploitation, CNE: the art and science of finding and exploiting vulnerabilities in the adversary's network, getting inside it, and twisting it around. CNE could be seen, used, and justified as preparation for a future cyber attack or as a form of what strategists had long called “active defense”: penetrating an adversary's network to see what kinds of attacks he was planning, so that the NSA could devise a way to disrupt, degrade, or defeat them preemptively.
Alexander put out the word that, as in other types of warfare, active defense was essential: some cyber equivalent of the Maginot Line or the Great Wall of China wouldn't hold in the long run; adversaries would find a way to maneuver around or leap over the barriers. So, in the interagency councils and behind-closed-doors testimony, Alexander made the case that his piece of the Comprehensive National Cybersecurity Initiative should focus on CNE. And of course, once the money was lavished on tools for CNE, they could be programmed for offense and defense, since CNE was an enabler of both. When Alexander penetrated and probed the email and cell phone networks of Iraqi insurgents, that was CNE; when President Bush authorized him to disable and disrupt those networks—to intercept and send false messages that wound up getting insurgents killed—that was CNA, Computer Network Attack. Except for the final step, the decision to attack, CNE and CNA were identical.
Regardless of anyone's intentions (and Alexander's intentions were clear), this was the nature of the technology—which made it all the more vital for political leaders to take firm control: to ensure that policy shaped the use of technology, not the other way around.
Yet, just as cyber tools were melding into weapons of war, and as computer networks were controlling nearly every facet of daily life, the power shifted subtly, then suddenly, to the technology's masters at Fort Meade.
The pivotal moment in this shift occurred at NSA headquarters on Friday, October 24, 2008. At two-thirty that afternoon, a team of SIGINT analysts noticed something strange going on in the networks of U.S. Central Command, the headquarters running the wars in Afghanistan and Iraq.
A beacon was emitting a signal, and it seemed to be coming from inside CentCom's classified computers. This was not only strange, it was supposedly impossible: the military's classified networks weren't connected to the public Internet; the two were separated by an “air gap,” which, everyone said, couldn't be crossed by the wiliest hacker. And yet, somehow, someone had made the leap and injected a few lines of malicious code—that was the only plausible source of the beacon—into one of the military's most secure lines of communication.