by Fred Kaplan
Napolitano liked the idea. At a subsequent meeting, they drew up a memorandum of understanding on this arrangement, which included a set of firewalls to protect privacy and civil liberties. General Alexander, whom they consulted, gave it his blessings. On July 27, less than three weeks after their initial lunch, Gates and Napolitano took the idea to President Obama. He had no objections and passed it on to Thomas Donilon, his national security adviser, who vetted the idea with an interagency panel of the National Security Council.
Everything seemed on course. Gates and Napolitano left the details to their underlings and went back to more urgent business.
Over the next few months, the arrangement unraveled.
Before delegating the matter, Napolitano selected her candidate for the cyber deputy director—a two-star admiral named Michael Brown, who was her department’s deputy assistant secretary for cyber security. Brown seemed ideal for the job. He’d studied math and cryptology at the Naval Academy, worked on SIGINT teams at the NSA, and, in the late 1990s, moved over to the Pentagon as one of the charter analysts—dealing with the Solar Sunrise and Moonlight Maze hacks—at Joint Task Force-Computer Network Defense. When Mike McConnell convinced President Bush to spend $18 billion on cyber security, he asked Brown to go work at the Department of Homeland Security, to help protect civilian networks in the same way that he’d helped protect military networks. For the next two years, that’s what Brown tried to do, expanding the DHS cyber staff from twenty-eight people to roughly four hundred and turning its computer emergency response team into a vaguely functional organization. If there was someone who could merge the cultures of NSA and DHS, it was likely to be Mike Brown.
For that reason, though, he ran into obstacles at every step. Napolitano’s deputy, Jane Holl Lute—a lawyer, former assistant secretary-general for peacekeeping support at the United Nations, and an Army veteran in signals intelligence—was deeply suspicious of NSA and resistant to any plan that would give the agency any power in domestic matters or that might turn the Internet into a “war zone.” The same was true of the White House cyber security adviser, Howard Schmidt, who winced at those who described cyberspace as a “domain,” in the same sense that Air Force and Navy officers described the skies and oceans as “domains” for military operations. Brown’s rank as a naval officer, his background in cryptology, and his experience with the NSA suggested that this joint endeavor would be far from an equal partnership—that Fort Meade would run the show.
There was also resistance among the department deputies in the National Security Council, some of whom were peeved that this deal had gone down without their consultation. In the end, they approved Brown as “cybersecurity coordinator,” but they wouldn’t let him be a deputy director of the NSA; they wouldn’t give him the legal authority he’d need to do the job that Gates and Napolitano had envisioned.
It was reminiscent, though few remembered so far back, of the dispute more than a quarter century earlier, in 1984, when civil liberties advocates in Congress resisted the plan—laid out in President Reagan’s directive, NSDD-145—to put standards for computer security in the hands of a committee run by the director of the NSA.
The staff meetings between DHS and NSA practically seethed with tension. The Gates-Napolitano plan called for each agency to send ten analysts to the other’s headquarters as a sort of cultural exchange. Early on, Fort Meade sent its ten—nine from NSA, one from Cyber Command—but DHS was slow to reciprocate. Part of the problem was simple logistics. Twenty-five thousand people worked at NSA; trading ten of them required scant sacrifice. But DHS had only a few hundred cyber specialists; rather than transferring any, Lute decided to hire ten new people, a process that involved juggling the budget, vetting security clearances—in short, time: lots of time. Well before all ten came onboard, the arrangement sputtered, its wheels grinding nearly to a halt.
On October 31, 2010, U.S. Cyber Command raised its flag at Fort Meade, with General Alexander at the helm while, simultaneously, entering his sixth year as director of an NSA that was teeming with unprecedented political, bureaucratic, and computational power.
CHAPTER 11
* * *
“THE WHOLE HAYSTACK”
DURING the early weeks of Mike McConnell’s tenure as director of national intelligence, in 2007, one of his assistants showed him a chart produced by VeriSign, the company that operated the domain name system, which registered dot-com, dot-gov, dot-net, and other email addresses that made the Internet function. The chart displayed a map of the globe, laid out not by the geography of landmass and oceans but rather by the patterns and densities of network bandwidth. According to this map, 80 percent of the world’s digital communications passed through the United States.I
The implications for intelligence were profound. If a terrorist in Pakistan was exchanging email or talking on a cell phone with an arms supplier in Syria, and if the global network routed a piece of their communication through the United States, there was no need to set up a data-scooping station in hostile territory; the NSA could simply tap into the stream stateside.
But there was a legal obstacle. Back in the 1970s, hearings chaired by Senator Frank Church uncovered massive abuse by the CIA and NSA, including surveillance of American citizens, mainly political critics and antiwar activists, in violation of their Fourth Amendment rights against “unreasonable searches and seizures.” The hearings led to the passage, in 1978, of the Foreign Intelligence Surveillance Act, which barred domestic surveillance without evidence of probable cause that the target was an agent of a foreign power and that the places of surveillance were, or would be, used by that agent; and even then, the government would have to present the evidence of probable cause to a secret FISA court, whose judges would be appointed by the chief justice of the U.S. Supreme Court. The president could authorize surveillance without a court order, but only if the attorney general certified under oath that the target was believed to be a foreign agent and that the eavesdropping would not pick up the communications of a “United States person,” defined as an American citizen, permanent resident, or corporation.
After the attacks of September 11, 2001, Congress hurriedly passed the Patriot Act, which, among other things, revised FISA to allow surveillance of not only foreign agents but also members of amorphous terrorist groups, such as al Qaeda, which had no affiliation with a nation-state.
To McConnell’s mind, even with that revision, FISA was out of date and in need of change. In the digital age, there were no discrete places of surveillance; cyberspace was everywhere. Nor could the government honestly certify that, while intercepting a terrorist’s email or cell phone conversation, it wouldn’t also pick up some innocent American’s chatter; this was the nature of data packets, which whooshed pieces of many communications through the most efficient path. Since the most efficient path often ran through the United States, it would be hard not to pick up some Americans’ data in the process.
In briefings to the president, meetings with national security aides, and informal sessions with members of Congress, McConnell brought along the VeriSign map, explained its implications, and made his pitch to amend FISA.
He knew that he was making progress when he met with Jack Murtha, ranking Democrat on the House appropriations defense subcommittee. Seventy-four years old, in his seventeenth term in Congress, Murtha had given McConnell a hard time back in the 1970s when he was NSA director; at one point, Murtha threatened to kill the agency’s information warfare programs, especially those that had an offensive tilt. But the VeriSign map riveted his attention.
“Look at where all the bandwidth is,” McConnell said, pointing to the bulge on American territory. “We need to change the law to give us access.” Murtha bought the pitch, and so did almost everyone else who heard it.
President Bush needed no special pleading. Keen to do anything that might catch a terrorist in the act, he found a rationale for action in the VeriSign map and told his legal team to draft a bill.
&
nbsp; On July 28, in his Saturday radio address, Bush announced that he was sending the bill to Congress. In the age of cell phones and the Internet, he said, current laws were “badly out of date,” and, as a result, “we are missing a significant amount of foreign intelligence that we should be collecting to protect our country.”
Four days later, the Senate’s Republican leaders brought the bill to the floor as the Protect America Act. It did everything McConnell wanted it to do. One key passage noted that “electronic surveillance” of an American would not be illegal—would not even be defined as “electronic surveillance”—if it was aimed at a person who was “reasonably believed to be located outside of the United States.” The stray collection of Americans’ data, unavoidable in the digital world, would thus be exempt from possible prosecution. Another clause clarified that, under this new law, the attorney general’s certification to the FISA court “is not required to identify the specific facilities, places, premises, or property” where the intelligence gathering would take place. As McConnell had been saying over and over, targets of surveillance in the digital age—unlike those in the era of phone taps—occupied no physical space.
One other significant passage specified that the government could obtain this information only “with the assistance of a communications service provider.” This provision was barely noticed; to the extent it was, it seemed like a restriction, but in fact it gave the NSA license to retrieve data from private corporations—and gave the corporations legal cover to cooperate with the NSA. Few outsiders knew that service providers—from Western Union and AT&T in the early days, to Sprint and Verizon in the “Baby Bells” era, to Microsoft, Google, and the other pioneers of the Internet age—had long enjoyed mutually beneficial arrangements with the NSA and FBI. This section of the bill would loom large, and incite enormous controversy, six years later, when Edward Snowden’s leaks revealed the vast extent of those arrangements.
Except for the requirement to consult with the FISA Court and the select congressional committees, both of which met in secrecy, the only limit that the bill placed on surveillance was that the data acquired from Americans—whose communications often got swept up along with the packets of data under surveillance—had to be “minimized.” This meant that, to preserve privacy and civil liberties, the government could not store the names of any Americans or the contents of their communications, but rather only their phone numbers and the date, time, and duration of a conversation. Few who read the bill understood the definition of “minimized” or grasped how much even this amount of information—metadata, it was called—could reveal about someone’s identity and activities.
After two days of debate, the Senate passed the measure, 60–28. The next day, the House concurred, 227–183. The following day, August 5, 2007, just eight days after his radio address, President Bush signed the bill into law.
With the technical advances of the previous decade—the Turbulence program, the Real Time Regional Gateway, the new generation of supercomputers, and the ingenuity of the hackers in the Office of Tailored Access Operations—the government could wade into all the streams of the World Wide Web. And with the new political powers invested in Fort Meade—the consolidation of all the services’ signals intelligence bureaus and the start-up of U.S. Cyber Command, to be headed by the NSA director—it would be the NSA that did the wading, with the consent and authority of the White House, the Congress, and the secret chamber that the Supreme Court had set up as its proxy in the dark world.
It was a new age of expansive horizons for the NSA, and Keith Alexander was its ideal voyager. A common critique of the intelligence failure on 9/11 was that the relevant agencies possessed a lot of facts—a lot of data points—that might have pointed to an imminent attack, but no one could “connect the dots.” Now, six years later, new technology allowed the NSA to gather so much data—a seamless stream of data points—that the dots almost connected themselves.
The convergence of technological advances and the post-9/11 fears of terrorism spawned a cultural change, too: a growing, if somewhat resigned, acceptance of intrusions into daily life. Back in 1984, the first presidential directive on computer security, signed by Ronald Reagan, was quashed because it empowered the NSA to set standards for all American computers—military, government, private, and commercial—and Congress wasn’t about to let Fort Meade have a say in domestic surveillance or policy. Now, not quite a quarter century later, digital data crossed borders routinely; for all practical purposes, borders withered away, and so did the geographic strictures on the reach of the NSA.
In this context, Alexander saw an opening to revive the metadata program that he’d created, back at the start of the decade, as head of the Army Intelligence and Security Command at Fort Belvoir. The case for a revival seemed a logical fit to the technical, political, and cultural trends. Let’s say, Alexander would argue, that, while tracking foreign communications, SIGINT operators spotted an American phone number calling the number of a known terrorist in Pakistan. The NSA could seek a warrant from the FISA Court to find out more about this American. They might also find it useful to learn other phone numbers that the suspicious American had been calling, and then perhaps to track what numbers those people had been calling. And, just like the Belvoir experiment, but writ large, it wouldn’t take long before the NSA had stored data on millions of people, many of them Americans with no real connection to terrorism.
Then came a modern twist. At some point, Alexander’s argument continued, the SIGINT analysts might find some American engaged in genuinely suspicious activity. They might wish that they’d been tracking this person for months, even years, so they could search through the data for a pattern of threats, possibly a nexus of conspirators, and trace it back to its origins. Therefore, it made sense to scoop up and store everything from everybody. NSA lawyers even altered some otherwise plain definitions, so that doing this didn’t constitute “collecting” data from American citizens, as that would be illegal: under the new terminology, the NSA was just storing the data; the collecting wouldn’t happen until an analyst went to retrieve it from the files, and that would be done only with proper FISA Court approval.
Under the FISA law, data could be stored only if it was deemed “relevant” to an investigation of foreign intelligence or terrorism. But under this new definition, everything was potentially relevant: there was no way of knowing what was relevant until it became relevant; therefore, you had to have everything on hand to make a definitive assessment. If much of intelligence involved finding a needle in a haystack, Alexander liked to say, you had to have access to “the whole haystack.”
The FISA Court had been created to approve, deny, or modify specific requests for collection; in that sense, it was more like a municipal court than the Supreme Court. But in this instance, the FISA Court ruled on the NSA’s broad interpretation of the law, and it endorsed this definition of “relevant.”
Keith Alexander had the whole haystack.
This was the state of cyberspace—a web thoroughly combed, plowed, and penetrated by intelligence services worldwide, especially America’s own—when Senators Barack Obama and John McCain wound down their race for the White House in the fall of 2008.
President Bush was obligated to provide intelligence briefings to both candidates, so, on September 12, he sent Mike McConnell to brief Obama, the Democrat, at his campaign headquarters in Chicago. Bush was leery of the whole exercise and told McConnell, before he left, not to divulge anything about operations in Afghanistan and Iraq—and to brief only the candidate, not anyone on his staff.
Two of Obama’s staff members, who’d planned to sit in and take notes, were miffed when the intelligence director asked them to leave; so was the candidate. But the session proceeded in a cordial enough way, Obama saying that he didn’t want to hear anything about Iraq or Afghanistan, he had his own ideas on those wars; what he really wanted to discuss was terrorism.
McConnell went through the threats posed by a
l Qaeda and its affiliates, the various plots, some only barely disrupted, at home and abroad. Obama, who’d been a junior member of the Senate Foreign Relations Committee but had never heard such a detailed briefing from such a high-level intelligence official, was fascinated. At this point, fifty minutes had passed, more time than his aides had scheduled, but Obama was settling in; he asked McConnell what else he had in his briefing book.
Glad to oblige, the intelligence director told the next president about the status of North Korea’s plan to detonate an A-bomb, Iran’s program to build one, and Syria’s atomic reactor in the desert. (Israel had bombed it a year earlier, but Assad was still in touch with his Pyongyang suppliers.) This took up another twenty minutes. Obama told him to go on.
And so, just as he’d done when Bush approved the Iraq cyber offensive plan after ten minutes of a meeting that had been scheduled for an hour, McConnell turned to the topic of his deepest worries. Earlier in the year, U.S. officials had alerted both Obama and McCain that China had hacked into their campaign computer systems, rummaging through their position papers, finances, and emails.
“They exploited your system,” McConnell said. “What if they’d destroyed it?”
“That would have been problematic for me,” Obama replied.
“Imagine,” McConnell went on, warming up to his theme, “that they could destroy our critical infrastructure.”
Obama, seeing where the director was headed, said, as if completing his sentence, “That would be problematic for the nation.”
“That’s the danger,” McConnell said, and then he stepped into his well-rehearsed summation of the nation’s vulnerabilities and the ability of many powers, not just China, to exploit them.
At its conclusion, Obama told McConnell to come see him again in the first week of his presidency.