Counterstrike: The Untold Story of America's Secret Campaign Against Al Qaeda (20 page)

It is an ironic but important footnote to history that these debates over taking down terror Web sites resulted in the largest interagency meetings held since the 9/11 attacks. Some of them were so large that the lawyers spilled over to a second conference room where they had to be tied in by video. At the end of debate, a weeks-long process described by participants as robust and passionate, two terrorist Internet sites, including the JRTN site, were knocked off the Web ahead of the election. They were posting specific operational information that was considered a clear and emerging threat to the security of the vote. At least one of the sites was hosted by an Internet service provider in the United States, and a visit from government lawyers presenting snapshots of virulent, extremist, and violent Web pages carried on their server prompted the company’s executives to quietly pull the plug on that militant site. The ISP’s managers later told government investigators that they could not be expected to monitor the content on each of the hundreds of thousands of pages hosted on their server.

Even so, both sites were soon able to reconstitute themselves on other servers, a new lesson for the emerging tactics of cyberwar. But the attacks and counterattacks continued. “We chased them all over the globe,” said one senior Pentagon official. Yet even that silent war on the Web brought an unexpected but welcome second-order effect inside the jihadist leadership. “It took them a long time to figure out what happened, and that created infighting inside their own organizations,” said another officer involved in the cyber-counterattack. The successful network strikes were not physical and left no digital fingerprints. “We can do the magic inside their systems, in a non-kinetic way,” the officer said. “We have to be creative, very creative.”

To achieve maximum results when launching counterstrikes like these, commanders made the case for extending their authorities to fight in the virtual battle space of terrorists hiding behind the anonymity of the Web and under the legal protections of other nations. The result was “a knock-down, drag-out interagency battle to grant NSA and CIA new authorities to shut down servers in the U.S. and allied countries,” said one official involved in the high-level debate. The top officers of the Central Command, starting with General Abizaid and including General Petraeus, led the fight for the military’s cause. But they ran headlong into objections from the Justice Department as well as resistance from the intelligence community. If the military perceived a threat to the force or the mission, it wanted the site taken down. The law enforcement community wanted to monitor the sites, to learn about terrorists and terrorist planning in order to identify suspects, deepen their defenses, and further their investigations. The intelligence agencies wanted to do likewise but also to exploit, provoke internal dissent, create confusion, and weaken the adversary.

“The community is split,” said Arthur Cummings at the FBI. In the fierce interagency debates, those who advocated taking down Web sites that can pop back up in a matter of days were dismissed as adopting “whack-a-mole” tactics. They were warned about potential civil liberties lawsuits, since if the material passed through an American-based network there would be the implicit protection of freedom of speech and other rights of citizens. The debate was cast in terms of “collection capacity and knowledge that we gain from that collection versus the risk of allowing that entity to continue to do what it is doing,” Cummings said, adding, “Is the radicalization on the Internet so bad now that it outweighs the gains of the collection?” It was capture-kill versus whole-of-government all over again but in the digital world: “We’re back to the same equation, just using bits and bytes and electrons instead of flesh and bone,” he said.

*   *   *

A half hour beyond the Washington Beltway, in the flat farmlands and gentle woods of Maryland, is a military post named for General George G. Meade, the commander of the Union forces who defeated Robert E. Lee’s Confederates at Gettysburg. Small in area, Fort Meade looks more like a high-tech office park than an armed forces installation. But with the advent of the first power locks on automobiles, drivers passing by noticed something odd: Their doors would occasionally and mysteriously lock and unlock as they drove along the perimeter on a small state highway. What was deploying at Fort Meade was America’s new army of electrons.

The outlines of operations at Fort Meade have since emerged from the shadows, and they no longer accidentally spoof electronic car door locks. The National Security Agency is the nation’s premier signals intelligence organization, responsible for (among many other things) cracking codes and breaking into telephone conversations, computer networks, and e-mail traffic. As part of President Obama’s cyberinitiatives, the director of the NSA, General Keith B. Alexander, was given a second job: pulling together the military’s disparate components for computer network defense and computer network attack into one military command. In his position as head of the new Cyber Command, he is the global combatant commander for war on the Internet. His mission includes both securing the Defense Department’s round-the-world computer networks and, if so ordered, taking the fight to adversaries by carrying out offensives in cyberspace.

For most of his career, Alexander had been reluctant to meet with the media. In part his reticence stemmed from the fact that his mission remained one of the most classified in the U.S. government, but there was doubtless another reason: the controversial role of the NSA in intercepting telephone calls to and from the United States, first approved by secret orders from President Bush and largely continued by President Obama. This mission generated intense contention within and scrutiny by Congress and the courts.

So it was a great surprise when Alexander agreed in September 2010 to be interviewed—his first after being confirmed by the Senate as the head of Cyber Command. Due to the rigorous secrecy surrounding everything inside Fort Meade’s walls, the session was held in a conference room just outside the wire of the post, in the National Cryptologic Museum, which pays homage to code breakers throughout American history, with an actual Enigma machine, U-2 spy plane parts, and even a supercomputer on display. On a large field just beyond the museum, a variety of aircraft are mounted on static display: typical civilian and military types except for the Rube Goldberg contraptions of wires and antennae and dishes that mark them as retired reconnaissance, surveillance, and electronic signals-intercept platforms.

Soft-spoken and avuncular, Alexander began by describing the lay of the digital landscape. In 2010, he said, there were 1.9 billion Internet users worldwide, sending 247 billion e-mail messages daily. While 70 percent is spam, that presents an opaque thicket in which adversaries hide malicious messages and poisonous code. On top of that are the 4.6 billion cell phone subscribers around the world. That is a lot of digits to watch and listen to. And a cyberthreat travels fast at network speed. Divide one second on the clock into 1,000 parts. In just 70 of those, malicious code could strike a target in the United States from anywhere on the globe. “There’s your decision space,” Alexander said. “Wow. That’s pretty quick. That’s not a lot of time.

“There is a real probability that in the future, this country will get hit with a destructive attack, and we need to be ready for it,” Alexander continued. “I believe this is one of the most critical problems our country faces. We need to get that right. I think we have to have a discussion about roles and responsibilities: What’s the role of Cyber Command? What’s the role of the ‘intel’ community? What’s the role of the rest of the Defense Department? What’s the role of DHS? And how do you make that team work? That’s going to take time.”

The lack of clearly defined legal authorities worried Alexander as well as civil libertarians. Some critics have questioned whether the Defense Department can enhance the protection of vital computer networks without threatening what many Americans see as their right to have unimpeded access to and use of the Internet without Big Brother watching and listening. “We can protect civil liberties and privacy and still do our mission,” Alexander said. “We’ve got to do that.” But Alexander expresses concern for the “what-if” in the event of an attack on civilian networks or infrastructure. “If one of those destructive attacks comes right now, I’m focused on the Defense Department,” he said. “What are the responsibilities—and I think this is part of the discussion—for the power grid, for financial networks, for other critical infrastructure? How do you protect the country when it comes to that kind of attack, and who is responsible for it?”

But even the Pentagon’s advanced defenses, if ordered into play on American soil by emergency presidential order, would be static and not expected to prevent any more than 80 percent of potential attacks. And so Cyber Command is moving to a doctrine of active defense—“hunting on our network,” Alexander called it. “You go look for stuff. Who could this be in our network, and why are they here? We have to up our game.” While Cyber Command focuses mostly on potential computer network threats from nation-states, the risk of attack by a terrorist organization or lone-wolf militant remains a great concern as well. “Somebody who stumbles across something very bad in cyberspace and launches it—one person could cause a lot of damage,” he warned. “Protecting yourself from nation-state and non-nation-state actors is going to be key.”

Which brought Alexander to the emerging theories of deterrence and cyberspace. “We are cycling through deterrence strategy again,” he said. Today, “the issue that you are going to quickly get to is who are you trying to deter in cyberspace? Who is a nation-state and who is a non-nation-state actor? You have both. So our deterrence strategy has to look at both of those. We may come up with a multilayered deterrence strategy.”

Alexander pulled back the veil and acknowledged that policy directives and legal controls over digital combat had become outdated and outmoded and had failed to keep pace with the technical capabilities now under his command. The United States and the other nations of the world have not reached a consensus on what constitutes a cyberattack and have not been able to define what would be the appropriate response given the status of the laws of war based on traditional combat. Even if the U.S. government cannot instantly respond to an attack, it may still launch a counterattack, but it may do so too late to prevent the damage and serve only as an aid in the recovery or the forensics investigation into the adversary. Without defined legal authorities in place, Alexander warned of a still-unresolved “mismatch between our technical capabilities to conduct operations and the governing laws and policies.” One solution he advocated was to create a separate, secure computer network to protect civilian government agencies and critical industries like the nation’s power grid against attacks mounted over the Internet. Alexander labeled the new network “a protected zone.” Others have nicknamed it “dot-secure.”

There is an old military saying that amateurs do strategy while the pros do logistics. Likewise, the lawyers often are in charge of developments in national security policy, and this was evident during the final years of the Bush administration and the first years of the Obama administration, as the government struggled to cope with the dramatic emergence of the terrorist threat on the Internet. The military, the intelligence community, and law enforcement agencies had battled to near exhaustion over whether threatening sites should be attacked or monitored. To end the interagency battles, what finally emerged, according to a four-star officer involved in the negotiations, was a legal document, the Trilateral Memorandum of Agreement, which set up a process to “deconflict” these disputes among the Pentagon, the Justice Department, and the intelligence community. This agreement put in place a formal, almost judicial system for arbitrating disputes. Under the classified arbitration system, if one of the military’s regional combatant commanders proposed attacking an Internet site, the intelligence community and law enforcement agencies could then articulate their views, usually in opposition to taking down the sites. If disagreement remained, the case would be sent to General Alexander at Cyber Command, who would settle the dispute, although the loser could appeal to the National Security Council and even to the president. If it was a terrorist cyberissue, as opposed to a threat from a nation-state, then the National Counterterrorism Center could weigh in before the National Security Council reviewed the dispute. Alexander wrote to Congress in late 2010 to report that after years of vicious feuding about the rules of the road for attacking or monitoring a terror Web site, a formal accord for settling disputes had finally been reached.

*   *   *

One of the leading “unconstrained” Web sites sponsored by Al Qaeda is Al Falluja Forum, which maintains a robust presence on the Internet but also transmits its messages via social-networking sites and smart phones. Intelligence analysts believe that some of its individual sponsors, authors, and webmasters are not individuals at all but “ten guys in ten countries” who combine online into a specific “virtual persona” to avoid detection and arrest. The site and its affiliates operate from a main server, with multiple back-ups around the world. The forum has been attacked before—when, for example, the military believed it was about to post a particularly gruesome and provocative video of a captured American service member—but the effects of each successful intervention are short lived. “We can take them down for a brief time, if it’s important to delay a release,” said one military planner. But it pops up again within a few days. Even so, the tactical pause in the Web site’s activities may provide a valuable effect for the military.

Another major player in the jihadist cyberscape is the Global Islamic Media Front, which intelligence and military officials call the Jihad Drudge. The site translates virulent speeches and extremist propaganda into fifteen languages for linking and reposting on sympathetic Web sites around the world. That makes it a “virtual company,” more or less based everywhere and nowhere, but at times up to 80 percent of its content can be found hosted on servers in the United States. The organization uses a 128-byte advanced encryption software package with high-profile algorithms to keep out unwanted watchers, according to military and intelligence officers who have drilled into the site. It even includes tutorials on secure communications and is sophisticated in its IT support. The site offers aspiring jihadists a list of the nearest open servers from which to download the encoded software; the files are so big that time can be saved by finding the shortest distance to the encryption program.