@War: The Rise of the Military-Internet Complex

by Shane Harris


  Sometimes it was easier to shut down a web server than try to track someone through it. On several occasions US hackers disabled the infrastructure that fighters were using to send e-mail and Internet-based communications, forcing them onto the phone network, where they could be more easily tracked.

  As the operations picked up pace and began to pay dividends, the NSA called in its most skilled cyber warriors. They worked in a unit called Tailored Access Operations, or TAO. As their name implies, they devised bespoke tools and techniques for breaking in to computers. The stealthiest of all US hackers, they were also the rarest—only a few hundred worked for TAO, and many of them had undergone years of NSA-devised training, sometimes through colleges and universities where the spy agency had helped write the curriculum.

  In one successful operation, the TAO hackers set their sights on the Islamic State of Iraq, an insurgent group that had formed in 2004, pledged allegiance to al-Qaeda, and then fallen under its banner. The group fought US soldiers, but it also terrorized and murdered civilians. In 2007 alone this al-Qaeda branch killed two thousand Iraqis and seized control of the Dora neighborhood in southern Baghdad, where it tried to install Islamic law and set up a new “emirate” to govern the people. Local Christians who had lived in Dora for decades fled their homes rather than live under such harsh religious rule. A member of the new emirate knocked on the door of one Christian man and told him that if he wanted to stay, he could pay a tax or convert to Islam. Otherwise, he must abandon his house; the al-Qaeda members offered to help remove his furniture.

  TAO hackers zeroed in on the leaders of the al-Qaeda group. Centering their operations in Baghdad, they scooped up e-mail messages that the terrorists had left in draft form in their personal accounts, where they could be picked up by fellow fighters without having to be sent over the Internet. This was a common trick terrorists used to avoid detection. TAO had been on to it for years.

  The TAO hackers joined forces with troops on the ground as part of a major offensive, Operation Arrowhead Ripper, that aimed to rout the al-Qaeda branch from neighborhoods in Baquba, where it had established a foothold. The operation began in June 2007 and included about ten thousand soldiers, the bulk of them from Forward Operating Base Warhorse. The offensive included an Iraqi army brigade and about five hundred police officers. Operations began with a ground and air strike on Baquba. United States–led forces killed nearly two dozen fighters on the first day. Meanwhile, in Anbar Province, troops rounded up six terrorists suspected of being tied to senior al-Qaeda officials. And they apprehended three would-be roadside bombers in Fallujah, as well as three more suspected terrorists in the town of Tarmiyah.

  US intelligence had gotten very good at locating these fighters, linking them to al-Qaeda, and understanding how the terrorist group was recruiting and carrying out its attacks.

  For TAO, hacking into the communications network of the senior al-Qaeda leaders in Iraq helped break the terrorist group’s hold on the neighborhoods around Baghdad. By one account, it aided US troops in capturing or killing at least ten of those senior leaders from the battlefield. When Arrowhead Ripper concluded in mid-August, Baquba had been reclaimed, and most insurgent activity in the area had ceased. By November, al-Qaeda had left the Dora neighborhood.

  The intelligence machine continued to win victories. There were 28 bombings and other attacks by al-Qaeda in Iraq reported in the first six months of 2008, down from 300 such attacks in the previous year. And the number of civilian casualties attributed to the terror group plummeted, from 1,500 in 2007 to 125 in the first half of 2008. A former military intelligence officer likened the cyber assault on the top echelons of al-Qaeda to “cutting the head off a snake.”

  “We took operations to get inside the communications systems and the command-and-control structure that allowed terrorists and insurgents to coordinate attacks against US forces,” he said. “That’s the key to any successful operation.”

  For the first time in the now four-year-old Iraq War, the United States could point to a strategy that was actually working. The overall success of the surge, which finally allowed US forces to leave Iraq, has been attributed to three major factors by historians and the commanders and soldiers who served there. First, the additional troops on the ground helped to secure the most violent neighborhoods, kill or capture the “irreconcilables,” as Petraeus called them, and protect Iraq’s civilians. The cities became less violent, and the people felt safer and more inclined to help the US occupation. Second, insurgent groups who were outraged by al-Qaeda’s brutal, heavy-handed tactics and the imposition of religious law turned against the terrorists, or were paid by US forces to switch their allegiances and fight with the Americans. This so-called Sunni Awakening included eighty thousand fighters, whose leaders publicly denounced al-Qaeda and credited the US military with trying to improve the lives of Iraqi citizens.

  But the third and arguably the most pivotal element of the surge was the series of intelligence operations undertaken by the NSA and soldiers such as Stasio, authorized by Bush in that fateful Oval Office meeting. Former intelligence analysts, military officers, and senior Bush administration officials say that the cyber operations the president authorized opened the door to a new way of obtaining intelligence, and then integrating it into combat operations on the ground. The information about enemy movements and plans that US spies swiped from computers and phones gave troops a road map to find the fighters, sometimes leading right to their doorsteps. This was the most sophisticated global tracking system ever devised, and it worked with lethal efficiency.

  Petraeus credited this new cyber warfare “with being a prime reason for the significant progress made by US troops” in the surge, which lasted into the summer of 2008, “directly enabling the removal of almost 4,000 insurgents from the battlefield.” The tide of the war in Iraq finally turned in the United States’ favor. The intelligence operations, which were later exported to Afghanistan, “saved US and allied lives by helping to identify and neutralize extremist threats across the breadth of both battlefields.” Later the NSA integrated the techniques it had developed on the battlefield into its other intelligence operations used to track terrorists, spies, and hackers around the world. That alliance between the spy agency and the military, forged in Iraq, would forever change the way America fights wars.

  TWO

  RTRG

  THE 2007 SURGE marked the first time US military and intelligence agencies tested the theories of cyber war on the battlefield. But the lethally efficient system they set up in Iraq was born of an earlier battle, and one of the darkest periods in the NSA’s history.

  On September 11, 2001, Lieutenant General Michael Hayden, then NSA director, had been at work for two hours when he got a call telling him that a plane had crashed into one of the Twin Towers in New York. A few minutes later a second plane hit. Hayden called his wife, Jeanine, asked her to track down their three children, and then prepared for a lockdown of the agency’s 350-acre campus at Fort Meade, Maryland, about twenty-five miles outside downtown Washington.

  Hayden ordered all nonessential personnel to evacuate. Guards carrying machine guns and directing bomb-sniffing dogs fanned out. Near the top floor of a high-rise, workers in the agency’s counterterrorist center started tacking blackout curtains to their windows. The NSA’s headquarters had moved from Washington to its present location in 1957, because the fort was far enough outside the city to survive the blast of a nuclear explosion. No one had imagined that terrorists might attack it with commercial airliners.

  Hayden went first to the counterterrorist center, where he found employees in tears. It was clear to everyone that the NSA had missed some very important signals in the terrorist “chatter” that its vast network of global data interceptors was so good at snatching up. The agency had electronic ears on its targets, but it failed to understand their true intentions. Investigators would later discover that on September 10, 2001, the NSA had intercepted a phone conversation from a known terrorist, warning in Arabic that “tomorrow is zero hour.” It sat in the agency’s databases, untranslated into English, until September 12.

  Hayden’s immediate concern was stopping any follow-up attacks. On September 14 he approved “targeting,” or electronic monitoring, of communication links between the United States and foreign countries where terrorists were known to be operating—principally Afghanistan, where al-Qaeda had a sanctuary, thanks to the theocratic Taliban regime. The NSA was to look for telephone numbers associated with terrorists. In practice, that meant that any telephone number in Afghanistan that contacted a number in the United States was presumed to have foreign intelligence value, and therefore could be monitored. But when it came to spying on numbers in the United States, Hayden was more circumspect. Only preapproved telephone numbers were allowed to be monitored on communications links that originated inside the United States. Hayden knew that the NSA was prohibited from spying inside the country. But, as he later recalled, he made a “tactical decision” to use his existing authority to monitor foreign intelligence, albeit more aggressively than before. Hayden reasoned that so long as one end of the communication was outside the United States and involved foreign terrorist groups, it was fair game. The nation was in crisis, and at the time no one would have begrudged him a more expansive view of his agency’s mandate. The NSA’s general counsel determined that Hayden’s orders were legal.

  But almost as soon as the NSA started spying on new targets, Hayden and his staff discovered what they thought were significant limitations on the agency’s ability to cast a wider surveillance net and ensure it was doing all it could to prevent another attack. The White House wanted to know what more the NSA could do. So, Hayden asked his senior managers and the NSA’s signals intelligence experts, what would they put on their wish list?

  For starters, they said, there was a huge so-called international gap. The NSA was monitoring foreign threats. The FBI handled domestic ones. But no agency was following the foreign threats as they came into the United States. In part that was to prevent US intelligence agencies from spying on Americans. But that sensible prohibition, enshrined in more than two decades of law and regulation, now seemed like a suicide pact.

  The NSA also wanted to tweak the existing rules so they could intercept communications that transited the United States as they traveled from one foreign country to another. Under current law, if the agency wanted to capture a foreign terrorist’s e-mail, it might have to get a warrant if that e-mail was stored on a server located in the United States. This was obviously foreign intelligence, it just happened to move over a fiber-optic cable or end up in a corporate database on US soil. NSA staffers argued that the agency should be allowed to grab that without asking for permission from a court, just as it could legally do if the message were stored on a server in a foreign country.

  But the NSA also wanted to analyze more domestic communications. The staff proposed an idea first conceived in 1999, in preparation for the threat of terrorist attacks during millennium celebrations. The agency wanted to conduct “contact chaining” on US phone numbers. This was a painstaking process of figuring out who someone had called, who those people had called, who they had called, and so on, all based on analyzing phone records. The NSA wouldn’t see the names associated with those phone numbers, but they believed the contact chain would help identify people of interest in a possible terrorist network. The Justice Department had ruled at the time that even monitoring this so-called metadata required a warrant, because the data was associated with people presumed to be Americans or legal residents. Now the NSA wanted to start contact chaining on phone numbers in the United States to see who was in contact with terrorists—whether they were abroad or already here. Hayden himself pointed out to administration officials that metadata wasn’t considered “content” under US law, and therefore wasn’t subject to the Fourth Amendment’s prohibition on warrantless surveillance. Indeed, the US Supreme Court had ruled in 1979 that the government didn’t need a warrant to capture a phone number, because a person voluntarily gave up the privacy of that information the moment he dialed the number and it was recorded by the phone company.

  For all the items on the wish list, the NSA believed that current surveillance law was insufficient because it hadn’t kept up with technological change. When the legislation governing intelligence operations against Americans, the Foreign Intelligence Surveillance Act, was signed into law in 1978, there was no data-mining software to allow contact chaining. There was no global communications network using US soil as a transit point. And there was no threat of international terrorism inside the United States. Now the obvious next move for the administration was asking Congress to change the law, to allow the NSA to do many of the things that Hayden and his staff were certain needed to be done.

  President Bush’s advisers, however, were in no mood to seek Congress’s permission for intelligence activities that they believed were within his discretion. Vice President Cheney, in particular, was loath to allow lawmakers to start directing NSA operations against al-Qaeda. The White House was also concerned that a public debate about changes in surveillance law would tip off terrorists to what the NSA was doing to track them.

  Cheney took Hayden’s list of ideas and, working with the NSA director and other White House staff, came up with a plan to give the agency broad new authorities under executive order. The task of writing up the order itself fell to David Addington, Cheney’s legal counsel and his right-hand man in the White House. The NSA would now be allowed to monitor communications inside the United States, so long as one end of that communication was outside the country and the communication was reasonably believed to be associated with terrorism. The NSA would not have to seek permission from a court to monitor individual phone numbers or e-mails, a legal process that historically had taken four to six weeks. Now it could engage in hot pursuit of as many communications as it pleased, so long as they fit within the boundaries of the executive order—and the NSA’s computer systems could process them all.

  Bush signed the order on October 4, 2001.

  The NSA was going to war, and it set to work right away on its new campaign. A twenty-four-hour watch center was set up, called the Metadata Analysis Center, or MAC. It was situated in the Signals Intelligence Directorate, the part of the NSA that steals or intercepts digital communications. A group of experienced NSA analysts and engineers were put on the new team; they all had to sign nondisclosure agreements. They were given office space. And the program was given a code name, or “security compartment”: Starburst. A new name, Stellar Wind, would come a few weeks later, on October 31, 2001. The program also got a hefty dose of new hardware: fifty computer servers to store and process all the new data Starburst collected. The agency didn’t want a record of it suddenly buying a lot of new equipment. So officials asked a server vendor to divert a shipment intended for another recipient to the NSA instead, and to tell no one. The servers arrived at Fort Meade under police escort on October 13.

  Hayden told the new Starburst team members during meetings on October 6 and 7 that the emergency, warrantless collection of communications involving people in the United States was temporary. But that was belied by the program’s $25 million budget, a large amount of money to spend on a program that was only supposed to last thirty days.

  Nearly ninety NSA employees were cleared for access within the first week of the program’s operations. Two staffers in the NSA’s Office of General Counsel reviewed the program—after Bush signed the order—and determined that it was legal. The office didn’t document its opinions or legal rationale.

  By October 7, three days after Bush had signed the order, the MAC was running twenty-four hours a day, seven days a week, crunching metadata sucked up by NSA’s electronic filters. Twenty analysts and software developers worked in three shifts. Many of the MAC employees had manually built call chains of Russian intelligence targets during the Cold War. Now this process was being automated and applied to al-Qaeda and its affiliates, its financial and political supporters, and would-be recruits.

  The contact chain of an individual target could stretch into the millions of people if an analyst wanted to look at every single person in that target’s contact list, along with all their contacts. The analysts called each link in the chain a “hop.” Following one hop to the next, to see who might be connected to the original target, was reminiscent of the game Six Degrees of Kevin Bacon, in which players try to connect the prolific actor to some other actor who appeared in one of his films or TV shows. Hayden got a briefing from the MAC once a week, and his deputy got one every night, a measure of its supreme importance in the new intelligence war on terrorism.

  The MAC had other partners at the NSA and outside the secret confines of Fort Meade. The spy agency set up a counterterrorism “product line” to send specific tasks to the MAC and conduct analysis of what was found in the contact chains. The FBI and the CIA got involved, providing leads to the MAC, which conducted contact chaining inside the United States. Telephone and Internet companies also started sending the NSA content—the recorded words of a phone call or the written text of an e-mail or Internet communication. The task of collecting this data, which was in the hands of corporations, was managed by the NSA’s Special Source Operations group, its primary liaison and conduit to the telecommunications companies, Internet service and communications providers, and other companies that moved and stored the information that the NSA wanted. The agency set up equipment at the companies’ physical facilities and installed surveillance devices on computers and networks that they controlled. One crucial participant, AT&T, which managed huge swaths of the telecom network, had a secure facility not far from the NSA’s Fort Meade headquarters where it had historically provided mostly foreign communications for the intelligence agency. The company also allowed the government to install monitoring equipment at an office in San Francisco as part of the new domestic collection regime.

 
