Playing to the Edge: American Intelligence in the Age of Terror (17 page)


More still needs to be done, as there are other unresolved challenges for cyber defense. NSA’s charter is to defend American government secrets. It does not extend to other, unclassified government networks or to the private sector, where an awful lot of American intellectual property, trade information, and critical infrastructure reside. To this day, these networks are not adequately defended. Witness the theft of credit card data from Target and Home Depot or F-35 designs from US government contractors.

The second activity under the broad rubric of computer network operations was what we called computer network exploitation, or CNE. That was the end-point, active-SIGINT, Tailored Access Operations–centered activity already described, and we pretty much had all we needed to thrive, at least in terms of law and policy.

Actually, little noticed (or appreciated) at the time was how easily we transferred our system of governance from the old world to the new. With little debate, we went from a world of letting radio waves serendipitously hit our antennas to what became a digital form of breaking and entering. We were penetrating foreign networks and were saying it was the same thing as scooping up signals from the ether and that the same rules applied. To us it was, and they did, but in retrospect it was a remarkable transition, one that appeared to some to be less innocent and less inevitable when it became the subject of intense public debate in 2013 (chapter 21).

The final category of action under computer network operations was computer network attack, or CNA. This was action designed to disrupt an adversary’s network or, in its most extreme form, take over the network in order to use it to create some level of physical destruction. NSA still had no authority to do that; it was limited to defending American information and stealing other people’s. But we knew that defense, exploitation, and attack were technologically and operationally indistinguishable even though they were separated in legal authority, funding streams, and congressional oversight—all the result of putting new (digital) wine into old (eighteenth-century, actually) bottles. To us, that made as much sense as America having three air forces—one for reconnaissance, another for fighters, and a third for bombers—when it was really all about control of the air.

One of our regular visitors to Fort Meade was General Jim Cartwright, a free-thinking marine aviator who had taken charge of Strategic Command in Omaha in 2004. STRATCOM had been given a dog’s breakfast of additional tasks, with its charter mission of nuclear deterrence declining in importance. Cartwright had to organize the command to deal with global reconnaissance, missile defense, counterproliferation, and space as well as the traditional global strike role.

He also had responsibility for offensive cyber operations, the CNA function that Fort Meade could perform but didn’t have the legal authority to do.

There was no way a single headquarters could master all of STRATCOM’s diverse missions, so Cartwright hit upon the scheme of enlisting the big defense agencies to his cause. Most were already designated “combat support agencies” and most were headed by military officers, so it would be a fairly simple matter to subordinate them to him for specific functions.

Cartwright and I talked and met often. We agreed that he could devolve his authority and responsibility for cyber attack to Fort Meade and dual-hat me as his action arm under the unwieldy title of commander, Joint Functional Component Command–Network Warfare (JFCC-NW).

We were essentially going to expand the IOTC, rebrand it, and give it operational authority through Cartwright’s position as a combatant commander. The combined team at Fort Meade would access and conduct reconnaissance of a target based on my authorities as DIRNSA and then, on order, could manipulate or destroy the target based on Cartwright’s exercising his combat authority through me.

We were running downhill as we undertook this. Cyber warfare was a hot topic, and there was consensus that we needed to better organize to fight in the domain.

Cartwright wasn’t quite pushing on an open door to get the Joint Chiefs on board, but he was essentially offering NSA’s resources to enhance DOD cyber-combat power at little cost to the services. Unlike their opposition to the IOTC in 1997–1998, this time around they were open to the idea.

The chairman of the Joint Chiefs, air force general Dick Myers, was supportive but wanted some personal assurances. I had known him for several years. Our paths had often crossed, especially when he headed all USAF units in the Pacific and then US Space Command, so it was easy to have a personal session with him to explain what we were up to.

It was a typical military tabletop briefing, a few charts and slides with just the two of us in his office in the E-ring of the Pentagon. When I finished, he simply asked, “Mike, is this going to fix this?”

“Not a chance,” I replied. I assured him that this was the right thing to do now, but added, “We’ll be back again in a couple years. And by then we’ll be screwing this up at a much higher level.”

The irreverence was intended to put down a marker that JFCC-NW was a way station en route to a full-up cyber command.

Our plan did not require congressional approval; it was already within the authority of the secretary of defense to implement. Secretary Rumsfeld bought in, and Cartwright got the president’s OK after a session at the Texas ranch over the Christmas holidays in 2004.

Even without needing legislation, Cartwright and I still briefed Congress. We weren’t dumb, and this wasn’t our first rodeo. We didn’t need to prompt any opposition out of pique.

Our technique was to bring the members into our confidence and our “ask” was to give this unusual relationship of Title 10 (war making) and Title 50 (espionage) authorities a little space and time to mature before we had to explain all the fine print (a lot of which didn’t exactly exist yet).

What we were doing did not fit nicely into the congressional oversight structure. It blended activities, some of which were traditionally overseen by the intelligence committees and some of which were overseen by the Armed Services Committees—and nothing is as jealously guarded on the Hill as jurisdiction.

In fact, what made it attractive to the Joint Chiefs—living off a lot of NSA resources to backstop what were unarguably combat rather than intelligence activities—could potentially torpedo the whole idea with the House and Senate intelligence panels. Congressional committees are as protective of their funding streams as they are of their jurisdiction.

That’s why we took pains to explain ourselves. We appeared together in an informal session before the Senate overseers. Cartwright handled the House side on his own, but made the same arguments.

We did well enough. Congress imposed no roadblocks, and Joint Functional Component Command–Network Warfare (i.e., the nation’s computer network attack force) stood up in January 2005.

I was the first commander, but I didn’t stay very long. A month later the president announced my nomination as the first principal deputy director of National Intelligence, and I was confirmed by the Senate for that job in late April.

But we now had a structure to go along with our vision: a defensive center in the NSA Threat Operations Center (NTOC), an offensive arm in Joint Functional Component Command–Network Warfare (JFCC-NW), and an ongoing espionage enterprise in Tailored Access Operations (TAO).

All were big, thriving enterprises set up in about a decade—the speed of light by Washington standards.

We also had a vote of confidence from the Joint Chiefs and enough promise that Congress swallowed an unusual command relationship.

 • • • 

All we needed now were some real weapons.

Despite the cyber domain’s tilt toward the offense, this is still hard work (harder than we sometimes advertised in our enthusiasm). To attack a target, you first have to penetrate it. Access bought with months, if not years, of effort can be lost with a casual upgrade of the targeted system, not even one designed to improve defenses, but merely an administrative upgrade from something 2.0 to something 3.0.

Once in, you need a tailored tool to create the desired effects. Very often this has to be a handcrafted tool for the specific target. It is not the same as cranking out five-hundred-pound bombs and putting them on the shelf with their laser guidance kits.

A lot of the weapons in the IOTC’s toolbox were harvested in the wild from the Web. Tools with a Web history would make attribution an even more difficult challenge if they were ever used. But some of those exploits could be pretty ugly, so they had to be modified to meet our operational and legal requirements.

What we wanted were weapons that met the standards of the laws of armed conflict, weapons that reflected the enduring principles of necessity, distinction, and proportionality. To a first order they had to produce an effect that was predictable and responding to a genuine military need (necessity). Disabling an air defense system (which the Israelis were alleged to have done in 2008 while destroying a Syrian nuclear reactor) comes to mind. Pounding the Web sites of important banks with massive distributed denial of service attacks so that they cannot be accessed by normal citizens (which the Iranians did to US banks in 2012) does not.

And even when the effects were predictable and legitimate, policy makers wanted to know if you could limit them to the intended target (distinction) and, to the degree you could not, if the desired effect justified the collateral damage (proportionality).

These are time-honored, universal principles for any war maker with a conscience, but in physical space there was often a century or more of experience to fall back on. “A high-explosive warhead of this size hitting at this angle against this type of target will create an area of lethality of this size and shape,” for example. We have even developed an irreverent shorthand for the uneven splotches of red (dead), yellow (maybe), green (safe) in the visual display of such formulas: bug splats.

Now, what does a bug splat look like for a cyber weapon that has never been used in anger and against a unique network that is well, but not perfectly, understood?

In concrete terms, the dialogue in the Situation Room begins with the national security advisor saying something like this:

“So, you’re saying that you can disrupt the power supply to this key military facility.”

“Yes, sir, and through persistent attacks keep it down.”

“Good. Now what else is on that net?”

“Well, sir, we think we can keep the effects confined to a pretty small physical area.”

“How small?”

“Probably thirty to forty square miles.”

“Worst case, how many hospitals in that area?”

“Worst case, four. Maybe five.”

“Do they all have UPS [uninterruptible power supply]?”

“We’re working on that now.”

The national security advisor pauses, seems to reflect, and then moves on by saying, “OK. Get back to me. We’ll take this up again next time.”

And the next time, and the next time, and the next time.

And this meeting is invariably in the Situation Room, not in the Pentagon or at Langley or at some combatant command headquarters. From their inception, cyber weapons have been viewed as “special weapons,” not unlike nuclear devices of an earlier time.

But these weapons are not well understood by the kind of people who get to sit in on meetings in the West Wing, and as of yet there has not been a Herman Kahn (of On Thermonuclear War fame) to explain it to them.

To a first order, there is the technical challenge. After a few sentences, the cyber briefer often sounds vaguely like Rain Man to many of the seniors in the room. With a few more sentences, most are convinced that he is.

I recall one cyber op, while I was in government, that went awry—at least from my point of view. In the after-action review it was clear that no two seniors at the final approval session had left the Situation Room thinking they had approved the same operation.

Beyond complexity, developing policy for cyber ops is hampered by excessive secrecy (so says this intelligence veteran!). Look at the bloodline. I can think of no other family of weapons so anchored in the espionage services for their development (except perhaps armed drones). And the habitual secrecy of the intelligence services has bled over into cyber ops in a way that has retarded the development—or at least the policy integration—of digital combat power. It is difficult to develop consensus views on things that are largely unknown or compartmented or only rarely discussed by a select few.

I was on a panel at Georgetown University with several prominent cyber experts after I left government. Without any prior coordination, we all commented that cyber secrecy had retarded the development of cyber policy and doctrine. One panelist, Siobhan Gorman, who had covered the NSA beat for the Baltimore Sun before moving on to the Wall Street Journal, volunteered that counterterrorism data was easier to pry from the government than any form of cyber information.

Technical challenges and policy ambiguities did little to dim the spirit of cyber enthusiasts, though. We truly were like airpower enthusiasts before World War II: “The bomber will always get through!” Like them, however, for a long time we were long on theory and short on practical success.

In 2004 and 2005 I would candidly admit that, to date, we had largely been spray painting virtual graffiti on digital subway cars. We could harass, but we weren’t decisive. An effort right before the invasion of Iraq to e-mail Iraqi officials warning them of their fate and suggesting alternative courses of action seems to have done little more than just annoy them. In another operation, we made Slobodan Milošević’s phone ring incessantly, but there is no evidence that it shortened any aspect of the Balkan conflict.

The dramatic event in the annals of airpower was the sinking of a captured German battleship, the Ostfriesland, off Hampton Roads in 1921. The ship was undefended and not under way, but with multiple waves of attacks over two days she was sent to the bottom by land-based bombers. It was not even close to an operational test, but airmen hailed it as the dawn of a new age.
