So, life keeps you humble. Sometimes it does so with humor, and sometimes with a jarring sobriety. On May 1, Sue and I left on a weekend trip to Salem, Virginia, to visit our son Andy’s family and watch our youngest grandson play in a soccer tournament. After the tournament, we went to a Class Double-A baseball game. As the game progressed, Sue became very quiet. I asked if she was feeling all right, and she answered that she was very tired, so we left. In the SUV, her conversational responses became less and less coherent. Fortunately, the lead security detail officer happened to be a paramedic and conducted an exam. He found the results were more than a little concerning, so our detail driver flipped on the lights and sirens and we sped to the Salem hospital, where Sue was admitted to the emergency room. I stood and watched as the ER doctor in Salem held a video-teleconference with a neurologist in Houston. Between them, they couldn’t figure out what was happening, but eventually concluded that she was exhibiting strokelike symptoms, but wasn’t suffering a stroke. I mentioned a previous episode she’d had, seven years earlier, in which she’d become quiet and lethargic for a few days, but explained that her current condition was worse by orders of magnitude. We kept watch as over the next few hours Sue fell into a comatose state.
She spent the next three days in a coma in the Salem hospital, and I didn’t leave that room. The security detail officers were saints, going far beyond their job descriptions to care for my family and to keep Stephanie O’Sullivan and the other IC leaders updated. I knew that when it came to running the community, Stephanie was every bit my equal—and then some—and my confidence in her enabled me to focus on Sue, holding her hand and talking to her, and visiting with my kids and grandkids in the hospital room. After three days, we hired an ambulance to drive Sue from Salem to Walter Reed National Military Medical Center in Bethesda. On the ride there, she awoke to a semiconscious state, but was not coherent. At midnight, ODNI’s lead for personal security met us at Walter Reed’s emergency room and helped us settle there. Over the next week or so, Sue gradually returned, although it was six months or more before she felt like herself again. The doctors never really figured out what had gone wrong.
A lot of thoughts passed through my head while I sat in a hospital room holding my wife’s motionless hand in the middle of the night. During our fifty years of marriage, I’d spent all but a few focused on service to the nation. I’d thought of it as selfless, but of course, when I’d returned to lead NIMA fourteen years earlier, it had been over Sue’s objections and because I’d missed the psychic income—which was, in retrospect, a selfish reason. While I’d served our nation, she’d served our family, raising Jen and Andy, maintaining our house and finances, and living life mostly alone and independent. I really hadn’t appreciated the toll those five decades had taken on her. And even without the guilt from recognizing those realities, I had to face the fact that I was seventy-four, and Sue was seventy-one. I suddenly became all too aware of mortality—hers, mine, and others. So, that first night in the Salem hospital, I resolved that whatever Sue’s outcome would be, I would resign as DNI and spend the rest of my time focused on her and our kids and grandkids.
That plan didn’t last long, not because the community wouldn’t have been just fine without me, but because after Sue began to recover, I realized she might not want me quite so attentive to her every need, around the clock. She didn’t know I knew this, but with the security detail and with Andy and Jen, Sue had nicknamed me Huey, because I was always hovering like a helicopter beside her bed. It went unsaid, but I think she was greatly relieved when I went into the office for a few hours on Friday, May 8. So I didn’t resign, but I worked shorter hours for a few weeks, and I came to grips with the reality that I had just twenty months left before I handed off the reins to the next generation, and that, whoever won the election in 2016, I would walk away on January 20, 2017, with no regrets. I envisioned myself sort of tap dancing off stage, preferably to very little fanfare as everyone focused on what was next for our community and nation.
But there were a few things I wanted to do, successes and progress I wanted to make permanent in the time I had left on the job. I started to consider my legacy—not the grade historians might give me on my DNI term paper, but rather the state of the community I’d be leaving behind. I’d stepped into the DNI position honoring the mantra of intelligence integration, and the IC had made very real advances toward achieving that goal since 9/11, which we’d reinforced in the years I’d been DNI. That was one change I wanted to make permanent. With time to reflect, I saw that the second big change we needed to solidify was increased transparency. I’d been saying publicly for nearly two years that transparency was just something we had to achieve, however much it initially felt almost genetically antithetical to me. By May 2015, somewhat to my surprise, I realized that it no longer felt that way to talk publicly about our work.
On May 20, a transparency project we’d been working for four years came to fruition when we released an initial collection of the books, papers, computer files, and documents the special operations team had collected during the Abbottabad raid in 2011, which we had come to refer to as “Bin Laden’s Bookshelf.” The day we published it, I flew to Tampa to address the annual Special Operations Forces Gala. That evening I told those in attendance, “The materials you took in 2011 from bin Laden’s house have been invaluable in our continued fight against al-Qaida, and we’ve come to understand they’re also important to history. I think it’s interesting to see what works influenced him, but those who want to see him as a ‘supervillain’ are going to be disappointed. There was no Sun Tzu, but about half of the thirty-eight full-length English-language books he had—and seems to have read closely—were conspiracy-theory books about the Illuminati and Freemasons. I’m not making that up.”
To say there was public interest in Bin Laden’s Bookshelf would be an understatement. We got as much web traffic in two days—750,000 site visits and 2 million page views—as our website had received in all of 2013 and 2014 put together. For a while afterward, if someone ran a Google search for “bin Laden,” dni.gov was the number-two search result, behind only Wikipedia. Over the rest of my time in office, we continued to update the bookshelf as we cleared documents for public release, and while there was always a group of conspiracy-minded people out there (including a few members of Congress) who believed that we were keeping the “good stuff,” we weren’t holding back anything of legitimate public interest, unless there were valid concerns with protecting intelligence sources and methods. Another group of like-minded people did figure out what we were holding back, and they continually submitted Freedom of Information Act requests for any pornography collected in Abbottabad. We declined those requests.
Thanks to our Tumblr site—IC on the Record—and to Bin Laden’s Bookshelf, our transparency initiatives were running smoothly. Stephanie O’Sullivan and our IC deputies committee were driving intelligence integration, pushing to shift control of the IC ITE initiative away from the information technology leaders to the intelligence mission leaders. As a young engineer, early in her career, she’d spent her free time working as the pit crew chief in an amateur auto racing circuit and had a knack for relating the IC mission to that hobby. During that spring of 2015, she told an audience of collection and analysis leaders that the new IT systems coming out through IC ITE were like a finely tuned race car built by the IT engineers. She challenged them to rethink business applications, rather than just methods for sending emails faster: “If you keep doing the same old things with the brand-new system, that’s like saying you really like the new racing car we built for you, but it’s too fast, and you’re only comfortable driving it if we put on a thirty-five-miles-per-hour governor. Don’t do that. Take your game up a notch, or better yet, a whole bunch of notches at once. You have a chance to completely change how you do business.”
Given these successes, I naturally began to expect something to go wrong, fitting the pattern of my first five years as DNI. What I didn’t expect was to uncover a massive foreign intelligence operation aimed at the people of the IC.
As far back as March 2014, we knew that Chinese hackers were trying to penetrate the Office of Personnel Management, which recruits and manages the 2 million or so employees of the federal workforce, or to hack into the companies it had contracted with to perform security-clearance investigations. OPM believed it had fended off every cyber assault, but in 2015 we found out that wasn’t remotely true. While running new software designed to detect intrusions, OPM discovered that they were compromised, and then slowly uncovered just how bad the intrusion was. On June 4, OPM announced that the names, birth dates, home addresses, and social security numbers of 4.2 million current and former federal employees had been stolen. As OPM was sending out notifications to those who were affected, it found another—much worse—intrusion: someone had accessed and exfiltrated 19.7 million security clearance applications. Not only was the applicant information stolen, but the applications themselves revealed information about 1.8 million nonapplicants referenced in the applications, mostly family members. Even worse, they got transcripts of interviews conducted by background investigators, along with the usernames and passwords that applicants had used to fill out forms online, and 5.6 million fingerprint files.
We all but knew from the start that Chinese intelligence was responsible for the theft, and the counterintelligence implications were staggering, not just from what they had, but from what they didn’t have. OPM didn’t conduct security clearance investigations for all of the IC elements, and whoever had the wherewithal to penetrate its systems would certainly know which agencies and departments OPM conducted investigations for and which they didn’t. They could therefore also start making assumptions about cover for cleared people whose files they didn’t have.
Congress fumed—at me and anyone else who came to testify about the “OPM hack.” During a town hall, I noted for the ODNI staff: “I’ve spent some time up on the Hill talking about the breaches and cyber threats in general. I’ve heard a lot of outrage over the loss of information and over our apparent lack of response. On the Hill, ‘outrage’ is now used as a verb. I can even conjugate it: ‘I outrage.’ ‘You outrage.’ ‘He/she/they outrage.’” In closed briefings Congress demanded I commit to a proportional cyber response against China, which was just ridiculous on a number of levels. First, any response was a policy decision, and I’d made it clear for the previous five years that I don’t get involved in those. Second, reciprocity and collateral damage in cyberspace are very difficult to control. NSA and Cyber Command, both still under Admiral Mike Rogers’s leadership, had tremendous capabilities, and we felt it was reasonable—but not certain—that if we did decide to attack someone, we would affect only the systems we specifically targeted. But no one else in the world could reasonably be that confident about their abilities, and the infrastructure for the internet was largely independent of international boundaries. So if we attacked someone in cyberspace and they returned fire, Cyber Command and even DOD and the IC might have some level of protection and defense, but the New York Stock Exchange or telecommunications in Eastern Europe or a power grid in Central America might well be taken offline. No one could predict the unintended consequences and potential damage such an assault might cause.
I was particularly attuned to these second- and third-order vulnerabilities because of a discussion at a Principals Committee meeting during President Obama’s first term about retaliating for cyber intrusions into Wall Street. After several secretaries shared hawkish opinions, Treasury Secretary Tim Geithner, who by any measure should have been the most aggrieved person in the room, asked a simple question: “Does anyone here know what would happen if there was a serious cyberattack on our financial institutions? Because I don’t.” That ended the discussion.
In June 2015, I was the Principals Committee member whose equities had been most injured and, like Geithner had been, was most opposed to an aggressive response. In fact, I was much less “outraged” by the Chinese intrusion than almost anyone else, a fact that caused a bit of a stir on June 25 when I publicly discussed the case. After I gave the closing keynote speech at the 2015 GEOINT Symposium, Jim Sciutto of CNN moderated the question-and-answer session that followed. When Jim began the discussion by asking me about the OPM cyber theft, I answered candidly, “You know, on one hand, please don’t take this the wrong way, you have to, kind of, salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.” There was a brief pause before Jim gave me an out from being the first government official—without asking for anonymity—to blame China. He asked, “Just to be clear, are you identifying China as the perpetrator behind the OPM attack?” There was some nervous laughter in the crowd. I couched my answer just a little, “Well, I mean, that’s the leading suspect.”
My security detail drove me from the DC convention center to the White House for back-to-back national security meetings, first with the president, and then another without him. When I returned to the office, I learned that I’d caused a kerfuffle. Apparently, as I’d been naming China the “leading suspect,” OPM director Katherine Archuleta had been declining to attribute the attack in testimony before the Senate Armed Services Committee, a discrepancy Congress and the media picked up on. I was honestly surprised that my remarks had made the news, as no one at the White House had been upset about them, including the president. More to the point, I told my staff that we would have looked silly if everyone in Washington was anonymously saying that China did it, if everyone knew China did it, but I wouldn’t go on record acknowledging that fact.
More to the point—and maybe this was me being naïve as to what the news cycle cared about—I hadn’t thought naming and shaming China would be the controversial part of my comments. To me, the important point—which wasn’t quickly picked up on—was that I’d said China had hurt us dearly, but that it hadn’t done anything outside the bounds of what nation-states do when conducting espionage. They’d exploited a vulnerability in a way not fundamentally different from how, at the age of twelve, I had “hacked” the Philadelphia Police Department. The Philadelphia PD hadn’t intended to let me listen in to their conversations in 1953, just as OPM hadn’t intended to let China gain access to everyone’s security clearance paperwork in 2015. This wasn’t just an idle, academic observation. In NSC meetings that summer, I got more involved with policy decisions than I typically would have, arguing that if we responded, we needed to treat what China had done as an act of cyber espionage, not cyber warfare. I warned that how we responded would set a precedent that might come back to haunt us if we ever took a similar opportunity to collect on someone else. In the end, we didn’t do much beyond making the symbolic gestures that typically take place after one nation discovers it’s been successfully spied on.
For the affected security-clearance holders, the fact that it was Chinese intelligence that had stolen their information was—truthfully—both good news and bad. The good news was that Chinese intelligence was not likely to sell their personal information on the black market, so the employees were less likely to become victims of identity theft than if cyber criminals had perpetrated this breach. The bad news was that elements of Chinese intelligence suddenly had a large body of information they could potentially exploit to compromise our employees professionally or to gain access to the agencies or companies for whom they worked.
The theft did get intelligence leaders to consider what else cyber actors could do to and with our information. As I continued to proselytize the four commandments of cybersecurity, I explained three different ways that that information could be affected. First and most obviously, cyber spies, criminals, and terrorist entities all try to steal our data, undermining confidentiality, so that we can’t trust that any information is private. Second, when we’re the target of denial-of-service operations or someone breaks into our system and deletes data, we’re prevented from accessing our own information, undermining availability. The hacker group Anonymous seemed to enjoy shutting down government websites by flooding them with automated web traffic. We put safety systems in place to counter this, including some that act like circuit breakers, so that if there’s a sudden surge in traffic, the program takes the site off-line. When we published Bin Laden’s Bookshelf, we had to warn our cybersecurity officers ahead of time to disable the circuit breakers, because we anticipated a sudden rise in traffic that would otherwise have indicated a denial-of-service attack.
But there was a third potential way to exploit data we hadn’t yet seen used. I had started warning public groups that in the future cyber operations would attempt to manipulate information to compromise its integrity. In other words, an offensive cyber organization with the skills, technology, and persistence of the Chinese could change our data itself, without doing anything as noticeable as exfiltrating it or blocking our access to it. I urged people to imagine the chaos that could have resulted if the Chinese had actually changed people’s security-clearance background investigation results. What if a hostile party altered the specs for the construction of an aircraft or spacecraft? How would making even subtle changes to data affect our defense industry, financial sector, or medical record-keepers?
Not only were our vulnerabilities growing, but in some ways, our opportunities were shrinking. As a second- or third-order effect of Snowden’s leaks, encryption technologies sold by commercial industry were proliferating, and even relatively low-tech terrorist organizations like the Islamic State had learned they could frustrate US intelligence surveillance with encryption applications for sale online. As someone who values privacy, I understood and appreciated making encryption accessible to the private citizens of the world. At the same time, as President Obama said in January:
Facts and Fears Page 38