by Fred Kaplan
In 2004, its second year of operations, the Homeland Security Department, in an outgrowth of one of Dick Clarke’s initiatives, put out a contract for a government-wide intrusion-detection system, called Einstein. But the task proved unwieldy: the largest supercomputer would have had a hard time monitoring the traffic in and out of four thousand entryways to the Internet, and federal agencies weren’t required to install the system in any case.
This mismatch between goals and capabilities set the stage for the new program put in motion by McConnell and Hathaway, which they called the Comprehensive National Cybersecurity Initiative, or CNCI. It called for the creation of a supra-agency that would consolidate the government’s scattered servers into a single “Federal Enterprise Network,” set strict security standards, and whittle down the points of entry to the Internet from over four thousand to just fifty.
That was the goal, anyway.
On January 9, 2008, eight months after McConnell’s big briefing, Bush signed a national security presidential directive, NSPD-54, which cited the dangers posed by America’s cyber vulnerabilities—taking much of its language from a decade of directives and studies—and ordered Hathaway’s plan into action as the remedy.
In the weeks leading up to the directive, McConnell stressed that the plan would be expensive; Bush waved away the warning, saying that he was willing to spend as much money as Franklin Roosevelt had spent on the Manhattan Project. Along with the White House budget office, McConnell drew up a five-year plan amounting to $18 billion. The congressional intelligence committees cut only a small slice, leaving him with $17.3 billion.
Although the plan’s mission was to protect the computer networks of mainly civilian agencies, the entire program—the multibillion-dollar budget, the text of NSPD-54, even the existence of something called the Comprehensive National Cybersecurity Initiative—was stamped Top Secret. Like most matters cyber, it was bound up with the blackout secrecy of the NSA, and this was no coincidence: on paper, the Department of Homeland Security was the initiative’s lead agency, but the NSA was placed in charge of technical support; and since neither Homeland Security nor any other agency had the know-how or resources to do what the president’s directive wanted done, the locus of power, for this program, too, would tilt from the campus on Nebraska Avenue to the sprawling complex at Fort Meade.
Keith Alexander, the director of NSA, was also more adept at budget politics than the managers at Homeland Security. He knew, as Mike Hayden had before him, which legal statutes authorized which sets of activities (Title 50 for intelligence, Title 10 for military operations, Title 18 for criminal probes) and which congressional committees dished out the money for each. So, when the initiative’s $17.3 billion was divvied up among the various agencies, the vast bulk of it went to NSA—which, after all, would be buying and maintaining the hardware, the program’s costliest element. Congress specified that Fort Meade spend its share of the sum on cyber defense. But that term was loosely defined, and the NSA budget was highly classified, so Alexander allocated the funds as he saw fit.
Meanwhile, Homeland Security upgraded Einstein, the inadequate intrusion-detection system, to Einstein 2, which was designed not only to detect malicious activity on a network, but also to send out an automatic alert. And the department started drawing the conceptual blueprints for Einstein 3, which—again, in theory—would automatically repel intruders. The NSA took on these projects as part of its share of the $17.3 billion, integrating them with the massive data-gathering, data-crunching enterprises it had already launched. But soon after joining forces on the Einstein project, Alexander backed out, explaining that the civilian agencies’ requirements and Homeland Security’s approach were incompatible with NSA’s. Einstein’s commercial contractors stayed on, and Homeland Security hired a team of cyber specialists, but, left to themselves, they had to start over; the program bogged down, fell short of its goals, and went into a tailspin.
And so, despite the president’s full commitment and heaps of money, the vulnerability of computers and its implications for national security, economic health, and social cohesion—a topic that had set off intermittent alarm bells through the previous four decades—drifted once again into neglect.
Alexander was still obligated to spend his share of the money on cyber defense, but by this time, Ken Minihan’s epiphany—that cyber offense and cyber defense ran on the same technology, were practically synonymous—had been fully ingrained in Fort Meade thinking.
The basic concepts of cyber were still in circulation—Computer Network Attack, Computer Network Defense, and Computer Network Exploitation—but the wild card was, and always had been, exploitation, CNE: the art and science of finding and exploiting vulnerabilities in the adversary’s network, getting inside it, and twisting it around. CNE could be seen, used, and justified as preparation for a future cyber attack or as a form of what strategists had long called “active defense”: penetrating an adversary’s network to see what kinds of attacks he was planning, so that the NSA could devise a way to disrupt, degrade, or defeat them preemptively.
Alexander put out the word that, as in other types of warfare, active defense was essential: some cyber equivalent of the Maginot Line or the Great Wall of China wouldn’t hold in the long run; adversaries would find a way to maneuver around or leap over the barriers. So, in the interagency councils and behind-closed-doors testimony, Alexander made the case that his piece of the Comprehensive National Cybersecurity Initiative should focus on CNE. And of course, once the money was lavished on tools for CNE, they could be programmed for offense and defense, since CNE was an enabler of both. When Alexander penetrated and probed the email and cell phone networks of Iraqi insurgents, that was CNE; when President Bush authorized him to disable and disrupt those networks—to intercept and send false messages that wound up getting insurgents killed—that was CNA, Computer Network Attack. Except for the final step, the decision to attack, CNE and CNA were identical.
Regardless of anyone’s intentions (and Alexander’s intentions were clear), this was the nature of the technology—which made it all the more vital for political leaders to take firm control: to ensure that policy shaped the use of technology, not the other way around. Yet, just as cyber tools were melding into weapons of war, and as computer networks were controlling nearly every facet of daily life, the power shifted subtly, then suddenly, to the technology’s masters at Fort Meade.
* * *
The pivotal moment in this shift occurred at NSA headquarters on Friday, October 24, 2008. At two-thirty that afternoon, a team of SIGINT analysts noticed something strange going on in the networks of U.S. Central Command, the headquarters running the wars in Afghanistan and Iraq.
A beacon was emitting a signal, and it seemed to be coming from inside CentCom’s classified computers. This was not only strange, it was supposedly impossible: the military’s classified networks weren’t connected to the public Internet; the two were separated by an “air gap,” which, everyone said, couldn’t be crossed by the wiliest hacker. And yet, somehow, someone had made the leap and injected a few lines of malicious code—that was the only plausible source of the beacon—into one of the military’s most secure lines of communication.
It was the first time ever, as far as anyone knew, that a classified network of the Department of Defense had been hacked.
The intrusion might not have been spotted, except that, a year earlier, when cyber war took off as a worldwide phenomenon, Richard Schaeffer, head of the NSA’s Information Assurance Directorate—whose staff spent their workdays mulling and testing new ways that an outsider might breach its defenses—dreamed up a new tangent. Over the previous decade, the military services and the various joint task forces had done a reasonably good job of protecting the perimeters of their networks. But what if they’d missed something and an adversary was already inside, burrowing, undetected, through thousands or millions of files, copying or corrupting their contents?
Schaeffer assigned his Red Team—the same unit that had run the Eligible Receiver exercise back in 1997—to scan the classified networks. This team discovered the beacon. It was attached to a worm that they’d seen a couple years earlier under the rubric agent.btz. It was an elegant device: after penetrating the network and scooping up data, the beacon was programmed to carry it all home. The Office of Tailored Access Operations, the NSA’s cyber black-bag shop, had long ago devised a similar tool.
Schaeffer brought the news to Alexander. Within five minutes, the two men and their staffs came up with a solution. The beacon was programmed to go home; so, they said, let’s get inside the beacon and reroute it to a different home—specifically, an NSA storage bin. The idea seemed promising. Alexander put his technical teams on the task. Within a few hours, they figured out how to design the software. By the following morning, they’d created the program. Then they tested it on a computer at Fort Meade, first injecting the agent.btz worm, then zapping it with the rerouting instruction. The test was a success.
It was two-thirty, Saturday afternoon. In just twenty-four hours, the NSA had invented, built, and verified a solution. They called the operation Buckshot Yankee.
Meanwhile, the analytical branches of the agency were tracing the worm’s pathways back to its starting point. They speculated that a U.S. serviceman or woman in Afghanistan had bought a malware-infected thumb drive and inserted it into a secure computer. (A detailed analysis, over the next few months, confirmed this hypothesis.) Thumb drives were widely sold at kiosks in Kabul, including those near NATO’s military headquarters. It turned out, Russia had supplied many of these thumb drives, some of them preprogrammed by an intelligence agency, in the hopes that, someday, some American would do what—it now seemed clear—some American had actually done.
But all that was detail. The big picture was that, on the Monday morning after the crisis began, Pentagon officials were scrambling to grasp the scope of the problem—while, two days earlier, the NSA had solved it.
Admiral Mike Mullen, chairman of the Joint Chiefs of Staff, called an emergency meeting Monday morning to discuss a course of action, only to find that the service chiefs had sent mere colonels to attend. “What are you doing here?” he almost hollered. The networks of the nation’s active war command had been compromised; it couldn’t win battles without confidence in those networks. He needed to talk with the commanders and with the Joint Staff’s directors of operations and intelligence—that is to say, he needed to talk with three- and four-star generals and admirals.
Later that morning, Mullen arranged a teleconference call with Mike McConnell, Keith Alexander, and General Kevin Chilton, the head of U.S. Strategic Command, which housed Joint Task Force-Global Network Operations, the latest incarnation of the loosely structured bureaus that had first been set up, a decade earlier, as Joint Task Force-Computer Network Defense.
Mullen started off the call with the same question that John Hamre had asked back in 1998, in the wake of Solar Sunrise, the first deep penetration of military networks: Who’s in charge?
For twenty-five years, ever since Ronald Reagan signed the first presidential directive on computer security, the White House, the Pentagon, Congress, Fort Meade, and the various information warfare centers of the military services had been quarreling over that question. Now, General Chilton insisted that, because Strategic Command housed JTF-GNO, he was in charge.
“Then what’s the plan?” Mullen asked.
Chilton paused and said, “Tell him, Keith.”
Clearly, StratCom had nothing. No entity, civilian or military, had anything—any ideas about who’d done this, how to stop it, and what to do next—except for the agency with most of the money, technology, and talent to deal with such questions: the NSA.
The NSA directors of the past decade had worked feverishly to keep the business at Fort Meade in the face of competition from the services’ scattershot cyber bureaus—“preserving the mystique,” as Bill Perry had described the mission to Ken Minihan. The best way to do this was to make the case, day by day, that NSA was the only place that knew how to do this sort of thing, and that’s what Alexander dramatized with Buckshot Yankee.
Bob Gates watched over this contrast between Fort Meade’s control and the Pentagon’s scramble with a mixture of horror and bemusement. He had been secretary of defense for nearly two years, after a long career in the CIA and a brief spell in the White House of Bush’s father, and he continued to marvel at the sheer dysfunction of the Pentagon bureaucracy. When he first took the job, the military was locked in the grip of two wars, both going badly, yet the building’s vast array of senior officers acted as if the world was at peace: they were pushing the same gold-plated weapons, built for some mythic major war of the future, that they’d been pushing since the Cold War, and promoting the same kinds of salute-snapping, card-punching officers—in short, they were doing nothing of any use—until he fired a few generals and replaced them with officers who seemed able and willing to help the men and women fighting, dying, and getting hideously injured in the wars that were happening now.
Almost every day since coming to the Pentagon, Gates had heard briefings on the latest attempt, by some serious adversary or mischievous hacker, to penetrate the Defense Department’s networks. Here was the really serious breach that many had warned might happen, and, still, everyone was playing bureaucratic games; nobody seemed to recognize the obvious.
Mike McConnell, who’d been friendly with Gates since his time as NSA director, had been repeatedly making the case for a unified Cyber Command, which would supersede all the scattered cyber bureaus, run offensive and defensive operations (since they involved the same technology, activities, and skills), and ideally be located at Fort Meade (since that was where the technology, activities, and skills were concentrated). McConnell backed up his argument with a piece of inside knowledge: the NSA didn’t like to share intelligence with operational commands; the only way to get it to do so was to fuse the NSA director and the cyber commander into the same person.
Gates had long thought McConnell’s idea made sense, and Buckshot Yankee drove the point home.
Another development laced this point with urgency. The clock was ticking on Alexander’s tenure at NSA. Most directors had served a three-year term; Alexander had been there for three years and two months. Beyond the math, Gates had heard rumors that Alexander was planning to retire, not just from the agency but also from the Army. Gates thought this would be disastrous: the CIA had recently predicted a major cyber attack in the next two years; here we were, in a crisis of lesser but still serious magnitude, and Alexander was the only official with a grip on what was happening.
The NSA director, by custom, was a three-star general or admiral; the heads of military commands were four-stars. Gates figured that one way to consolidate cyber policy and keep Alexander onboard was to create a new Cyber Command, write its charter so that the commander would also be the NSA director (as McConnell had suggested), and put Alexander in the double-hatted position, thus giving him a fourth star—and at least another three years on the job.
In fact, the rumors of Alexander’s imminent departure were untrue. By coincidence, not long before Buckshot Yankee, Alexander made an appointment for a retirement briefing that generals were required to receive upon earning a third star. Alexander had put off his session for months; these things were usually a waste of time, and he was busy. Finally, the Army personnel command applied pressure, so he went to the next scheduled briefing.
Two days later, he got a call from Gates, wanting to know if rumors of his retirement were true. Alexander assured him they were not. Nonetheless, Gates told him of the plan to get him a fourth star.
It would take several months to line up the pins in the Pentagon, the intelligence community, and the Congress. Meanwhile, an election took place, and a new president, Barack Obama, arrived at the White House. But Gates, who agreed to stay on as defense secretary for at least a year, pushed the idea through. On June 23, 2009, he signed a memorandum, ordering the creation of U.S. Cyber Command.
* * *
During the final year of Bush’s presidency and the first few months of Obama’s, Gates wrestled with a dilemma. He’d realized for some time that, when it came to cyber security, there was no substitute for Fort Meade. The idea of turning the Department of Homeland Security into an NSA for civilian infrastructure, a notion that some in the White House still harbored, was a pipe dream. DHS didn’t have the money, the manpower, or the technical talent—and, realistically, it never would. Yet because NSA was legally (and properly) barred from domestic surveillance, it couldn’t protect civilian infrastructure, either.
On July 7, 2010, Gates had lunch at the Pentagon with Janet Napolitano, the secretary of homeland security, to propose a way out of the thicket. The idea was this: she would appoint a second deputy director of the NSA (Gates would have to name the person formally, but it would be her pick); in the event of a threat to the nation’s critical infrastructure, this new deputy could draw on the technical resources of the NSA while invoking the legal authority of DHS.