Dark Territory (24 page)
Authors: Fred Kaplan
It was the first time ever, as far as anyone knew, that a classified network of the Department of Defense had been hacked.
The intrusion might not have been spotted, except that, a year earlier, when cyber war took off as a worldwide phenomenon, Richard Schaeffer, head of the NSA's Information Assurance Directorateâwhose staff spent their workdays mulling and testing new ways that an outsider might breach its defensesâdreamed up a new tangent. Over the previous decade, the military services and the various joint task forces had done a reasonably good job of protecting the perimeters of their networks. But what if they'd missed something and an adversary was already inside, burrowing, undetected, through thousands or millions of files, copying or corrupting their contents?
Schaeffer assigned his Red Teamâthe same unit that had run the Eligible Receiver exercise back in 1997âto scan the classified networks. This team discovered the beacon. It was attached to a worm that they'd seen a couple years earlier under the rubric agent.btz. It was an elegant device: after penetrating the network and scooping up data, the beacon was programmed to carry it all home. The Office of Tailored Access Operations, the NSA's cyber black-bag shop, had long ago devised a similar tool.
Schaeffer brought the news to Alexander. Within five minutes, the two men and their staffs came up with a solution. The beacon was programmed to go home; so, they said, let's get inside the beacon and reroute it to a different homeâspecifically, an NSA storage bin. The idea seemed promising. Alexander put his technical teams on the task. Within a few hours, they figured out how to design the software. By the following morning, they'd created the program. Then they tested it on a computer at Fort Meade, first injecting the agent.btz worm, then zapping it with the rerouting instruction. The test was a success.
It was two-thirty, Saturday afternoon. In just twenty-four hours, the NSA had invented, built, and verified a solution. They called the operation Buckshot Yankee.
Meanwhile, the analytical branches of the agency were tracing the worm's pathways back to its starting point. They speculated that a U.S. serviceman or woman in Afghanistan had bought a malware-infected thumb drive and inserted it into a secure computer. (A detailed analysis, over the next few months, confirmed this hypothesis.) Thumb drives were widely sold at kiosks in Kabul, including those near NATO's military headquarters. It turned out, Russia had supplied many of these thumb drives, some of them preprogrammed by an intelligence agency, in the hopes that, someday, some American would do whatâit now seemed clearâsome American had actually done.
But all that was detail. The big picture was that, on the Monday morning after the crisis began, Pentagon officials were scrambling to grasp the scope of the problemâwhile, two days earlier, the NSA had solved it.
Admiral Mike Mullen, chairman of the Joint Chiefs of Staff, called an emergency meeting Monday morning to discuss a course of action, only to find that the service chiefs had sent mere colonels to attend. “What are
you
doing here?” he almost hollered. The networks of the nation's active war command had been compromised; it couldn't win battles without confidence in those networks. He needed to talk with the commanders and with the Joint Staff's directors of operations and intelligenceâthat is to say, he needed to talk with three- and four-star generals and admirals.
Later that morning, Mullen arranged a teleconference call with Mike McConnell, Keith Alexander, and General Kevin Chilton, the head of U.S. Strategic Command, which housed Joint Task Force-Global Network Operations, the latest incarnation of the loosely structured bureaus that had first been set up, a decade earlier, as Joint Task Force-Computer Network Defense.
Mullen started off the call with the same question that John Hamre had asked back in 1998, in the wake of Solar Sunrise, the first deep penetration of military networks:
Who's in charge?
For twenty-five years, ever since Ronald Reagan signed the first presidential directive on computer security, the White House, the Pentagon, Congress, Fort Meade, and the various information warfare centers of the military services had been quarreling over that question. Now, General Chilton insisted that, because Strategic Command housed JTF-GNO, he was in charge.
“Then what's the plan?” Mullen asked.
Chilton paused and said, “Tell him, Keith.”
Clearly, StratCom had nothing. No entity, civilian or military, had anythingâany ideas about who'd done this, how to stop it, and
what to do nextâexcept for the agency with most of the money, technology, and talent to deal with such questions: the NSA.
The NSA directors of the past decade had worked feverishly to keep the business at Fort Meade in the face of competition from the services' scattershot cyber bureausâ“preserving the mystique,” as Bill Perry had described the mission to Ken Minihan. The best way to do this was to make the case, day by day, that NSA was the only place that knew how to do this sort of thing, and that's what Alexander dramatized with Buckshot Yankee.
Bob Gates watched over this contrast between Fort Meade's control and the Pentagon's scramble with a mixture of horror and bemusement. He had been secretary of defense for nearly two years, after a long career in the CIA and a brief spell in the White House of Bush's father, and he continued to marvel at the sheer dysfunction of the Pentagon bureaucracy.
When he first took the job, the military was locked in the grip of two wars, both going badly, yet the building's vast array of senior officers acted as if the world was at peace: they were pushing the same gold-plated weapons, built for some mythic major war of the future, that they'd been pushing since the Cold War, and promoting the same kinds of salute-snapping, card-punching officersâin short, they were doing nothing of any useâuntil he fired a few generals and replaced them with officers who seemed able and willing to help the men and women fighting, dying, and getting hideously injured in the wars that were happening now.
Almost every day since coming to the Pentagon, Gates had heard briefings on the latest attempt, by some serious adversary or mischievous hacker, to penetrate the Defense Department's networks. Here was the really serious breach that many had warned might happen, and, still, everyone was playing bureaucratic games; nobody seemed to recognize the obvious.
Mike McConnell, who'd been friendly with Gates since his time as NSA director, had been repeatedly making the case for a unified Cyber Command, which would supersede all the scattered cyber bureaus, run offensive
and
defensive operations (since they involved the same technology, activities, and skills), and ideally be located at Fort Meade (since that was where the technology, activities, and skills were concentrated). McConnell backed up his argument with a piece of inside knowledge: the NSA didn't like to share intelligence with operational commands; the only way to get it to do so was to fuse the NSA director and the cyber commander into the same person.
Gates had long thought McConnell's idea made sense, and Buckshot Yankee drove the point home.
Another development laced this point with urgency. The clock was ticking on Alexander's tenure at NSA. Most directors had served a three-year term; Alexander had been there for three years and two months. Beyond the math, Gates had heard rumors that Alexander was planning to retire, not just from the agency but also from the Army. Gates thought this would be disastrous: the CIA had recently predicted a major cyber attack in the next two years; here we were, in a crisis of lesser but still serious magnitude, and Alexander was the only official with a grip on what was happening.
The NSA director, by custom, was a three-star general or admiral; the heads of military commands were four-stars. Gates figured that one way to consolidate cyber policy and keep Alexander onboard was to create a new Cyber Command, write its charter so that the commander would also be the NSA director (as McConnell had suggested), and put Alexander in the double-hatted position, thus giving him a fourth starâand at least another three years on the job.
In fact, the rumors of Alexander's imminent departure were untrue. By coincidence, not long before Buckshot Yankee, Alexander
made an appointment for a retirement briefing that generals were required to receive upon earning a third star. Alexander had put off his session for months; these things were usually a waste of time, and he was busy. Finally, the Army personnel command applied pressure, so he went to the next scheduled briefing.
Two days later, he got a call from Gates, wanting to know if rumors of his retirement were true. Alexander assured him they were not. Nonetheless, Gates told him of the plan to get him a fourth star.
It would take several months to line up the pins in the Pentagon, the intelligence community, and the Congress. Meanwhile, an election took place, and a new president, Barack Obama, arrived at the White House. But Gates, who agreed to stay on as defense secretary for at least a year, pushed the idea through.
On June 23, 2009, he signed a memorandum, ordering the creation of U.S. Cyber Command.
During the final year of Bush's presidency and the first few months of Obama's, Gates wrestled with a dilemma. He'd realized for some time that, when it came to cyber security, there was no substitute for Fort Meade. The idea of turning the Department of Homeland Security into an NSA for civilian infrastructure, a notion that some in the White House still harbored, was a pipe dream. DHS didn't have the money, the manpower, or the technical talentâand, realistically, it never would. Yet because NSA was legally (and properly) barred from domestic surveillance,
it
couldn't protect civilian infrastructure, either.
On July 7, 2010, Gates had lunch at the Pentagon with Janet Napolitano, the secretary of homeland security, to propose a way out of the thicket. The idea was this: she would appoint a second deputy director of the NSA (Gates would have to name the person formally,
but it would be her pick); in the event of a threat to the nation's critical infrastructure, this new deputy could draw on the technical resources of the NSA while invoking the legal authority of DHS.
Napolitano liked the idea. At a subsequent meeting, they drew up a memorandum of understanding on this arrangement, which included a set of firewalls to protect privacy and civil liberties. General Alexander, whom they consulted, gave it his blessings. On July 27, less than three weeks after their initial lunch, Gates and Napolitano took the idea to President Obama. He had no objections and passed it on to Thomas Donilon, his national security adviser, who vetted the idea with an interagency panel of the National Security Council.
Everything seemed on course. Gates and Napolitano left the details to their underlings and went back to more urgent business.
Over the next few months, the arrangement unraveled.
Before delegating the matter, Napolitano selected her candidate for the cyber deputy directorâa two-star admiral named Michael Brown, who was her department's deputy assistant secretary for cyber security. Brown seemed ideal for the job. He'd studied math and cryptology at the Naval Academy, worked on SIGINT teams at the NSA, and, in the late 1990s, moved over to the Pentagon as one of the charter analystsâdealing with the Solar Sunrise and Moonlight Maze hacksâat Joint Task Force-Computer Network Defense. When Mike McConnell convinced President Bush to spend $18 billion on cyber security, he asked Brown to go work at the Department of Homeland Security, to help protect civilian networks in the same way that he'd helped protect military networks. For the next two years, that's what Brown tried to do, expanding the DHS cyber staff from twenty-eight people to roughly four hundred and turning its computer emergency response team into a vaguely functional organization. If there was someone who could merge the cultures of NSA and DHS, it was likely to be Mike Brown.
For that reason, though, he ran into obstacles at every step. Napolitano's deputy, Jane Holl Luteâa lawyer, former assistant secretary-general for peacekeeping support at the United Nations, and an Army veteran in signals intelligenceâwas deeply suspicious of NSA and resistant to any plan that would give the agency any power in domestic matters or that might turn the Internet into a
“war zone.” The same was true of the White House cyber security adviser, Howard Schmidt, who winced at those who described cyberspace as a “domain,” in the same sense that Air Force and Navy officers described the skies and oceans as “domains” for military operations. Brown's rank as a naval officer, his background in cryptology, and his experience with the NSA suggested that this joint endeavor would be far from an equal partnershipâthat Fort Meade would run the show.
There was also resistance among the department deputies in the National Security Council, some of whom were peeved that this deal had gone down without their consultation.
In the end, they approved Brown as “cybersecurity coordinator,” but they wouldn't let him be a deputy director of the NSA; they wouldn't give him the legal authority he'd need to do the job that Gates and Napolitano had envisioned.
It was reminiscent, though few remembered so far back, of the dispute more than a quarter century earlier, in 1984, when civil liberties advocates in Congress resisted the planâlaid out in President Reagan's directive, NSDD-145âto put standards for computer security in the hands of a committee run by the director of the NSA.
The staff meetings between DHS and NSA practically seethed with tension. The Gates-Napolitano plan called for each agency to send ten analysts to the other's headquarters as a sort of cultural exchange. Early on, Fort Meade sent its tenânine from NSA, one from Cyber Commandâbut DHS was slow to reciprocate. Part of the problem was simple logistics. Twenty-five thousand people worked at NSA; trading ten of them required scant sacrifice. But
DHS had only a few hundred cyber specialists; rather than transferring any, Lute decided to hire ten new people, a process that involved juggling the budget, vetting security clearancesâin short, time: lots of time. Well before all ten came onboard, the arrangement sputtered, its wheels grinding nearly to a halt.