Counterstrike: The Untold Story of America's Secret Campaign Against Al Qaeda (18 page)

As President Obama took office in January 2009, the drone attacks would escalate sharply and drive senior Al Qaeda leaders further into hiding. But plots were being hatched in the tribal areas that the drones would not disrupt. The success or failure of those threatened attacks against the United States ultimately would hinge on a combination of luck and skill for both the terrorists and their pursuers.

5

TERROR 2.0

On a Monday morning just a year into the Obama administration, the Defense Department’s top civilian and military leaders gathered for a war game built around a most urgent and emerging national security threat. This was the first time they had met in a large group at such a senior level to play out attack, defense, and counterattack in the new and worrisome environment of cyberspace. The assemblage was formally christened the Defense Senior Leadership Conference, but like all Pentagon terms, it was better known by its acronym, DSLC, or “D-Slick.” Its membership included the secretary of defense, the deputy secretary, the top civilian policy and intelligence officials, the Joint Chiefs of Staff, and all the regional combatant commanders, who flew in from their headquarters around the globe.

Many of the items on the agenda for this particular morning session were the standard litany of strategic-level threats to the nation, including how the global recession and congressional concerns about the ballooning deficit would limit the Pentagon’s ability to ask Congress for the money necessary to pay for national defense. But the agenda item on cyberwarfare was new. Sitting behind closed doors in a dining room on the outer ring of the Pentagon’s third floor of executive suites, the Defense Department’s leaders, dressed in suits and in uniforms, played a war game to simulate how they would respond to a sophisticated cyberattack in which an adversary paralyzed America’s power grids, communications systems, and financial networks.

The results were anything but encouraging. The mock enemy operating in the virtual battle space of the World Wide Web had anonymity, speed, and unpredictability—the hallmarks of a terrorist network. It was difficult to anticipate when the cyberadversary was about to move from aggressive probing of government and commercial networks (which occurs hundreds of thousands of times every day) to a crippling attack. It proved impossible to identify the country from which the attack originated—and even if that could be done, it would be impossible to say with certainty whether that government was actually an adversary itself, or if Internet servers on its territory had simply been hacked by outsiders to launch the attack. It was impossible even to say with certainty that the cyber-enemy had not simply set up shop over an espresso in a commercial cybercafé as a readily accessible but anonymous beachhead for the assault. Thus, there was no way to prevent further damage by threatening retaliation. What’s more, the Pentagon officials and military commanders noted that they lacked the legal authority to respond, especially because it was never clear whether the attack was an act of terrorism, vandalism, commercial theft, or a state-sponsored effort to cripple the United States perhaps as a prelude to a conventional war.

While the implementation of the “new deterrence” against terrorism had been showing promise in some areas, in the emerging world of cyberwarfare, the military was starting from scratch, a situation somewhat analogous to the dawn of the nuclear age, when the United States and the Soviet Union had to develop new rules of behavior to deter each other from ever launching an attack. But unlike the 1950s, when theory kept somewhat closer pace with technology, America’s cyberwarriors have come to realize that the capacity for computers to wreak havoc has far outpaced the unwritten rules and codified legal constraints that might govern combat operations across the Internet.

Pentagon officials said the cyberwar game in February 2010 marked the first time that all of the Defense Department’s top leaders had sat together in one room for an exercise in virtual warfare. It was fitting, since the election of Barack Obama as president of the United States in November 2008 brought a number of notable firsts, including the first approval of a document laying out a national cyberpolicy with responsibilities assigned across the government, the appointment of a cyber “czar” to the National Security Council staff, and the finalization of plans to create for the military a new U.S. Cyber Command with responsibility for coordinating America’s computer network defense as well as a capacity for attack.

For much of the decade since 9/11, terrorists operating in cyberspace have focused many of their efforts on communications, command, organization, fund-raising, and propaganda, but U.S. officials are preparing themselves for the day when violent religious militants adapt their tactics of hijacking and destructive attack to the digital world and strike at America’s financial networks or critical computer infrastructure. The financial cost to the nation of crashing a regional power grid or taking the banking system off-line would make the dollar damage of 9/11 pale in comparison. Imagine the havoc if Wall Street could not trade, if power went off to hospitals in an entire time zone, if the safety system went down at a nuclear power plant. Just as the war on terror under George W. Bush repeatedly crashed against the wall of civil liberties and constitutional protections, so the Obama administration has wrestled with issues of privacy and domestic guarantees of individual rights while attempting to reshape cyberpolicy as a tool in combating global extremism.

Complicating matters is the fact that while 90 percent of the capability for cyberdefense and -offense resides in the military and intelligence community, about 90 percent of the vulnerable targets are in the private sector. Federal statutes and privacy concerns prevent the Defense Department’s cybertools from being used to assist the Department of Homeland Security, the FBI, the Treasury Department, or the Department of Energy in defending American targets, short of a presidential directive in a time of crisis. With an attack traveling at network speed, there is simply no time to hit the pause button during a cyberbattle and ask the White House for a presidential order. The challenge is to design a linkage between the military’s capabilities, designed for operations overseas, and domestic protections if an attack should hit the homeland. This has necessitated the drafting of new rules of engagement for military cyberoperations to defend the United States against digital attacks across the territory of neutral nations and allies. This effort provoked some of the Obama administration’s most contentious debates.

In many ways, the debate over cyberwarfare mirrors the questions that were raised when the Bush administration first crafted its secret “Execute Orders” to deal with the Al Qaeda threat after the 9/11 attacks. “That AQ ‘ExOrd’ was the first designed against an enemy without defining an area of hostility,” said one Bush administration official involved in those discussions. “That was a fundamental legal difference from past ‘ExOrds’ written to deal with a specific nation-state adversary. Al Qaeda could be anywhere—in an area of hostility, in a neutral nation, on the territory of an ally, not to mention operating in the homeland.” Dealing with similar legal and logistical constraints that might dangerously limit the capacity for defense and counterattacks was a central consideration for the Obama administration as it wrote its new cyberwar plans. The United States needed a way to get past current barriers, foreign as well as domestic. Because of the speed of an attack, a response must be immediate, and only a presidential directive could brush aside the barriers that prevent the U.S. military from operating on American territory. Unless such limitations were overcome, the Pentagon’s advanced cybercapabilities might be employed too late to do any good.

Operations abroad could be constrained as well. Recalling a political conflict that had complicated the deployment of troops to Iraq in 2003, one Bush administration official observed, “Just like if I want to go to Iraq with the Fourth Division, but the Turks say no, what happens if somebody says no to our desire to pass through their virtual territory to carry out cyber offense and defense? In cyber, we may be able to pass through and do no harm; or we may desire to do something active if bad things are propagating in networks on their territory. But another government can justifiably ask, ‘What gave you the writ to go into a sovereign nation and do damage, even with zeros and ones?’ We cannot keep arguing that we can go anyplace on the face of the earth and exercise our authorities. We have to build legal institutions to control it, the same way that we would if we want to drop a bomb.”

The official in charge of the cybersimulation played out for the Pentagon leadership was William J. Lynn III, who had just taken office as deputy secretary of defense. He said that the most worrisome realization that emerged from the simulated combat was that the Internet had so blurred the line between military and civilian targets that an adversary could cripple a nation by crashing its credit markets or utilities infrastructure without even firing an electronic shot at a military or government installation. America’s existing plans for protecting computer networks reminded him of one of defensive warfare’s great failures, the Maginot Line of pre–World War II France. He argued that the billions of dollars spent on defensive firewalls and shields provided a similar illusory sense of security. “A fortress mentality will not work in cyber,” he said. “If we stand still for a minute, our adversaries will overtake us.”

In response, officials at the Pentagon and the White House are drawing on the same concepts that emerged for protecting the American homeland after the 9/11 attacks. Among the veteran military officers working on the problem is General Larry D. Welch, who served as Air Force chief of staff and the top officer overseeing America’s nuclear arsenal at the former Strategic Air Command before retiring and becoming a defense policy analyst. He agrees that terrorists can be deterred in the physical world and in the digital world. “You don’t just deter with costs, but also with benefits,” he said. Layered defenses—blast walls, hardened buildings, metal detectors, chemical sniffers—are one step. So are obvious efforts toward “consequence management,” the ability to respond to an attack with quick fixes and long-term recovery, all to convince a terrorist that even a successful attack will have limited effect. The goal, he said, is to “create resilience and thus diminish the prospects for benefits from terrorism.” In the digital world, he continued, this means publicly announcing the overwhelming punishment the United States would inflict on any cyberattacker and building resiliency and redundancy into America’s most critical and vulnerable computer networks. “We need to be able to fight through a cyber attack and sustain losses and damage,” he said. “Some people say you can’t deter terrorists. Nonsense. You can deter terrorists. Even if the suicide bomber cares nothing about the costs, and is willing to give up their life, they do care about the benefits.”

Quietly, then, a strategy of cyberdeterrence has evolved to protect national security. “Deterrence has been a fundamental part of the administration’s cybersecurity efforts from the start,” said one Obama administration official. But that official would not say how the United States would respond after a major cyberattack, in keeping with a policy of deliberate ambiguity carried over from Cold War–era deterrence. As a precedent, the official cited how, in managing the standoff with the overwhelmingly superior conventional forces of the Soviet Union and its Warsaw Pact allies, the United States never declared that it would be bound to respond to an invasion of NATO territory with only conventional forces. The Kremlin’s uncertainty about whether an invasion of Western Europe might go nuclear was viewed as crucial to Cold War deterrence and stability. Uncertainty about how the United States would respond to a cyberattack is intended to serve a similar purpose. “The United States reserves the right to respond to intrusions into government, military, and national infrastructure information systems and networks by nations, terrorist groups, or other adversaries in a manner it deems appropriate,” said one high-level Pentagon official.

But many of the old principles of warfare do not really work in this new age. “We are looking beyond just the pure military might as the solution to every deterrence problem,” said General Kevin P. Chilton, who retired in 2011 as the officer in charge of the military’s Strategic Command, which defends military computer networks, in addition to overseeing America’s nuclear arsenal. “There are other elements of national power that can be brought to bear. You could deter a country with some economic moves, for example.” But terrorists on the Web have the same advantages as terrorists planting a bomb. Unless they are captured or leave behind a clear set of clues, the only attribution may be if they claim credit for the attack.

Secretary of State Hillary Rodham Clinton has also drawn on the language of the “new deterrence” to put potential adversaries on notice. “States, terrorists and those who would act as their proxies must know that the United States will protect our networks,” she declared in January 2010. “Those who disrupt the free flow of information in our society, or any other, pose a threat to our economy, our government and our civil society.” But Clinton did not say specifically how the United States would respond, except to hold responsible any country that knowingly allowed cyberattacks to be launched from its territory. Vague as they were, her comments were viewed as the first public articulation of an emerging government policy that, borrowing from Cold War deterrence, would issue a “declaratory policy” to officially warn potential cyberaggressors of the immediate and very punitive response that could be expected.

The Pentagon’s invigorated focus on the threat of computer-network warfare can be seen in the marching orders from Secretary of Defense Gates to the Defense Policy Board, his personal think tank, which draws its advisers from the ranks of retired military officers, the defense industry, and the academic community. In the transition from the Bush administration to the Obama administration, Gates gave the board three national security risks to ponder, analyze, and attempt to neutralize: One was China. One was Iran. And one was cyber.