Playing to the Edge: American Intelligence in the Age of Terror (16 page)


That was the good news, and at the turn of the century we were all-in trying to retool our infrastructure for the new era. But that was going to be difficult. Money was tight.

I tried to disinvest about $200 million a year from ongoing collection to invest in what we needed to work the end point, and I heard about it from all over Washington. No one was willing to surrender any current take for future capability. Someone went to the mat about degrading coverage of Nigerian organized crime, for God’s sake.

We did what we could. In the last days of 2000, as we were rewiring the entire agency’s organizational chart (see chapter 2), we set up an enterprise called TAO, Tailored Access Operations, in the newly formed SIGINT Directorate (SID). We had toyed with some boutique end-point efforts before, but this was different. This was going to be industrial strength. We actually divided up SID into end-point and midpoint boxes, the better to measure and meter the growth of the former, even if it had to be at the expense of the latter.

As it turned out, it didn’t. The terrorist attack less than nine months later ensured a steady stream of additional human and material resources across the agency. And, even in a period of generalized growth, TAO became the fastest-growing part of NSA post-9/11, bar none.

TAO’s growth also benefited from the bursting of the dot-com bubble and the massive surge of patriotism after the 9/11 terrorist attacks. Talk about the best and the brightest: we got an incredible cohort of young, technically talented, innovative, and adventurous new SIGINTers. We hired several thousand people in the four years after 9/11; their average age was thirty-one, well below the agency average at that time. It wasn’t lost on any of the new recruits that we were offering them the opportunity to legally do stuff that would be felonies in any other venue. We effected a generational change in our workforce in a matter of a few years.

Our new cohort had one hell of an attitude. One veteran confided to me that they had a “no target impossible to penetrate” mentality and, from the beginning, bypassed low-hanging fruit to attack the hardest targets.

Some of these took years to penetrate. Grant’s capture of Vicksburg is still cited at the war colleges as the classic example of the indirect approach; unable to take the city from the Mississippi River side, Grant mounted a months-long campaign from the landward side before the Gibraltar of the Confederacy fell. When the war colleges are allowed to teach how TAO gained some accesses, TAO’s efforts will parallel the strategic lessons of Grant—patience, indirection, and persistence—in the curriculum.

Other nations’ security services were trying to work the end point, but none of them were embedded in a SIGINT system as global as NSA’s. Traditional passive SIGINT often holds the key to active SIGINT’s success—mapping networks, communications paths, and in general providing the kind of detailed information that is essential to success.

We also had a great supporter in DCI George Tenet, who repeated, mantra-like, “SIGINT enabling HUMINT, HUMINT enabling SIGINT.” Some targets thought that they were permanently isolated from the World Wide Web. That wasn’t always true, thanks to HUMINT enabling.

Of course, we also worked to create our own remote accesses, using a variety of techniques, like tempting targets to click on a link in an innocent-looking e-mail. At home we were all complaining about the emergence of spam on our networks. At work, we willingly hid in the growing global flow as we targeted specific networks.

It was a good thing that we were getting our game on. Turns out that we had underestimated how much al-Qaeda was using the Web. Pre-TAO, we hadn’t seen much al-Qaeda activity there and so assumed that there wasn’t much. There was. As US forces rolled up hard drives in Afghanistan and as we inspected pocket litter (the generic term for stuff found on or near a detainee) from al-Qaeda takedowns globally, we began to harvest Internet addresses and identities that allowed us to eventually turn al-Qaeda’s use of the Web into one of our best counterterrorism tools.

TAO was becoming a gateway to great intelligence. And to other things too.

My predecessor at NSA was Ken Minihan. Ken had also been one of my predecessors in Texas, and a lot of what I had learned there was actually started and nurtured by him. I had been proselytized and converted by his disciples.

Although Ken and I were career intelligence officers and pushed end-point collection hard, neither of us was limiting his thinking to just espionage. We saw cyber as a domain of real conflict and believed that NSA could add a lot to American power there, beyond just spying, but the agency was constrained. It could legally manipulate a target only to cover its tracks or break the target’s encryption. Anything beyond that wasn’t in the mission or charter, a flaw we worked to correct.

US law is pretty clear about the distinction between espionage and war fighting. Spying is controlled by Title 50 of the US Code and overseen by Congress’s intelligence committees. Warfare falls under Title 10 and the Armed Services Committees. The distinction works pretty well in the physical domains, but even there, things get a little muddled with CIA covert action and paramilitary activities.

The distinctions break down entirely in the cyber domain. Take reconnaissance. In physical space it always happens (or should) before someone attempts a kinetic operation. Robert E. Lee sought Jeb Stuart’s counsel. A patrol in today’s army will launch a handheld drone to report on the reverse slope of a ridge before crossing it.

In physical space the reconnaissance is almost always easier than the operation. Learning where the Army of the Potomac might be was hard and dangerous work, but not as hard and dangerous as defeating it. The same with defeating an entrenched enemy squad on the backside of the ridge that your drone just imaged.

Reconnaissance should come first in the cyber domain too. How else would you know what to hit, how, when—without collateral damage?

But here’s the difference. In the cyber domain the reconnaissance is usually a more difficult task than the follow-on operation. It is tougher to penetrate a network and live on it undetected while extracting large volumes of data from it than it is to, digitally speaking, kick in the front door and fry a circuit or two.

Let me go further. An attack on a network to degrade it or destroy information on it is generally a lesser included case of the technology and operational art needed to spy on that same network.

About a year before I got to NSA, Minihan hit upon an ingenious approach to squaring this circle. He launched an enterprise called the Information Operations Technology Center, the IOTC. It was located within the NSA headquarters building, originally lived off NSA dollars and talent, but was officially not part of the agency. It was a joint DOD and Intelligence Community undertaking.

The label Information Operations was broad and gave the center the license to touch on all the IO things you might ever want to do against an adversary: spy on him, corrupt his network or his information, or capture his computers to use them to create physical destruction. NSA could legally only do the first, but since this was a technology rather than an operations center, it was free to develop tools that could be used by others with different authorities. It was an elegant solution that got the toolbox for all kinds of cyber operations filled quickly.

Minihan had gotten a real boost the year before from a DOD exercise called Eligible Receiver. The exercise had been sponsored by General Jack Sheehan, a tough Boston Irish marine who was commander of Atlantic Command in Norfolk. Sheehan had enlisted NSA as his red team for a cyber assault against Department of Defense networks. The results were embarrassingly awful. The red team, without any special information or special tools, penetrated wherever it targeted.

Minihan was eager to lead the remediation, but the military services were pushing back hard against a more powerful role for a defense agency. Their experience was that defense agency growth was usually at the expense of their budget top line. John Hamre, the deputy secretary of defense, finally enlisted DCI George Tenet’s support and then just plain overruled the reflexive service objections to the enterprise.

When I arrived in 1999, the head of IOTC was Bill Marshall, a professorial-looking and exceptionally competent NSA veteran.

By all accounts his most difficult partner wasn’t any of the military services. It was the leadership of the National Security Agency below the eighth floor (where the director’s office was housed). A lot of folks just wanted to do the traditional SIGINT mission; this exotic IO stuff was a costly distraction from an already tough job, and there was fear that IOTC tools in the hands of others would compromise NSA’s fragile end-point operations.

Bill Black, who later became my deputy (chapter 2), was an unabashed advocate for IO being housed at NSA as a natural extension of the SIGINT mission. Bill volunteered himself to Minihan to be his assistant director for information operations. Since the agency couldn’t actually carry out most of what could be called IO, it could fairly be described as an advocacy post, and Black was tireless in his advocacy. The internal NSA opposition to the concept was so strong that Black later retired in disgust.

Disillusioned and frustrated, Black warned Marshall that one way or another, he was bound to fail. If he actually succeeded operationally, NSA seniors would hate him. On the other hand, if he simply failed, he would just be viewed as incompetent.

When Minihan hired Marshall, he told him that everyone believed that the IOTC was only PowerPoint deep in substance. He challenged Marshall to produce real results, to build coalitions across DOD and the IC, and to get the resources he needed to do the job. In return, Minihan promised him top cover against those who would oppose him and try to starve the project.

Marshall was internally very intense and focused, but he moderated that outwardly with a collaborative and communicative spirit. Over time he wore down resistance. He started with a few dozen people, but over three years had grown the IOTC to several hundred. His expanding team doggedly developed, gathered, evaluated, modified, catalogued, and stored tools that might prove useful to defend networks or to spy on an adversary or to deny, degrade, disrupt, or destroy an adversary’s network or information.

As his stack of tools grew, Marshall forced a whole series of legal and doctrinal and organizational questions. You can’t stockpile tools and weapons without compelling DOD lawyers and national policy makers to give you some guidance. And that engendered debate and controversy and forward-leaning thinking. In retrospect, Marshall chalks that up as the center’s most lasting achievement.

The IOTC became the cyber-gathering place where cyber concepts could be defined, discussed, challenged, debated, and tested. Even more important than his growing tool kit, Marshall and his center kept the doctrinal fire (and controversy) of cyber operations alive.

• • •

Fort Meade is about forty minutes from downtown Washington, on a good day (like a Sunday). The relative isolation is nice. It puts you just outside the circle of the capital’s politically charged everyday routine.

The distance also means that you do not routinely get the casual visitor. People coming up the Baltimore-Washington Parkway do it with purpose or not at all.

We worked hard to get as many thought leaders to Fort Meade as we could. We wanted to fill their heads with our thoughts and actions and ambitions in this new domain.

To clarify the discussion, we started talking about something called computer network operations (CNO) and said that you could divide it into three bins: computer network defense (CND), keeping your own networks safe; computer network exploitation (CNE), stealing other people’s data; and computer network attack (CNA), destroying data, networks, or physical objects.

We then usually dove into computer network defense, or CND, since it was least threatening, least novel, and therefore least controversial.

NSA had had a charter to secure American government communications since almost forever. The old secure phone, the STU-3, was an NSA product. There’s a picture of President Bush on one of them in that Florida classroom on the morning of 9/11.

So CND was a fairly easy role to slip into, at least bureaucratically. About a fifth of NSA’s budget and manpower was already committed to defense. The challenge here was more technical and operational: How do you defend in a domain that we were finding pretty easy to exploit when we played offense?

It was hard. A few weeks before I left NSA in 2005, at the strong insistence of Bill Black (now my deputy), we launched NTOC, the NSA Threat Operations Center. If we were going to be throwing cyber rocks, we had better start protecting our glass house. I called on Bill Marshall again to head it. He began with ten people, no dedicated work space, and no budget. Three years later the center was a thriving concern with almost a thousand folks in place.

If it hadn’t been at NSA, the NTOC would have been just another CIRT, a Computer Incident Response Team, combining information assurance technology, network sensors, and internal communications data to map what was happening on a network.

But NTOC was at NSA, so it was hot-wired into a vast global SIGINT system that could send digital scouts out beyond the perimeter to identify activity and threats long before they hit the local firewall. NTOC’s 24/7 operations center monitored the heartbeat of the entire cyber domain and provided early warning to US national security networks.

It was the Information Operations Center I had in San Antonio on a massive regimen of steroids. Predictably, its unique combination of SIGINT and information-security authorities, expertise, and resources aroused bureaucratic suspicion around Washington, so NTOC had to prove itself during skeptical reviews by officials in DOD, the Congress, and the Office of Management and Budget. It passed them all.
