@War: The Rise of the Military-Internet Complex (6 page)

In September 2007 a US raid in the Iraqi village of Sinjar, ten miles from the Syrian border, turned up a massive intelligence cache, including al-Qaeda operatives' names, e-mail addresses, and phone numbers, as well as the web addresses and passwords for secret al-Qaeda chatrooms.
This cache became an essential component of the intelligence efforts to track down fighters and capture or kill them. Once inside the chatrooms, analysts could see the rhetoric and images al-Qaeda was using to recruit new fighters. Armed with that insight, they developed counterpropaganda. They sprinkled messages throughout different conversation threads, questioning whether al-Qaeda was violating the tenets of Islam by killing other Muslims.

US spies also began to target individual propagandists. Gruesome videos of fighters beheading their captives—sometimes American contractors working in Iraq—had become a powerful recruitment tool. Videos of roadside bombs ripping into US armored vehicles were set to jihadi anthems. The American hackers could have blocked the propagandists' access to the Internet. But that wouldn't put them out of business permanently. Instead, they located the computers uploading the videos by their unique Internet address. Then special forces were sent out to capture or kill the video maker.

This was an exceptionally difficult task—much more so than locating a fighter via his local cell phone signal. The Internet offered a cloak of anonymity. Anyone could set up an e-mail address with a fake name using Google or Hotmail, which had millions of customers and kept their data in repositories located around the world. Those people were hard enough to find. But more sophisticated adversaries knew how to route their traffic through servers or computers in different countries, making it nearly impossible for them to be tracked to their actual physical location.

In the years before the surge, the NSA had been intensely focused on building and buying software that could locate people based on their Internet addresses. At the time, the agency was interested not so much in finding insurgents as in finding hackers who stole classified information from government and corporate computers and threatened to disable critical facilities, such as power plants and financial systems. By the time the surge began, the agency had sharpened its techniques for finding people in the haze of cyberspace. So-called network forensics tools could help peel away layers of anonymity and unmask an adversary. But human analysts had to apply some old-fashioned investigative work as well. The NSA began studying the telltale techniques that certain hackers used—what malware they favored, what publicly available toolkits they used to break in to systems. The NSA bought forensics software from Computer Associates, an established technology company based in New York, as well as a new entrant into the market called NetWitness, which had set up shop not in the tech corridors of Silicon Valley but in Reston, Virginia, to be near the Pentagon and US intelligence agencies just down the road in suburban Washington, DC. The spy agency took these and other software, some of which engineers devised in-house, and devoted years of energy to solving the so-called attribution problem so they could positively locate someone in the real world based on his Internet activity. The NSA sleuths honed those techniques in Iraq. And in the years to come they would deploy them in a global hunt for hackers.

 

The cyber warriors in Iraq also turned their focus to new networks being set up in the country. Insurgents gravitated to Internet cafes that sprouted up after the fall of Saddam Hussein, whose regime had tightly restricted access to foreign media. Cyber warriors with the air force penetrated Internet cafe computers and watched what the insurgents were posting and with whom they were communicating. Going to the cafes made the insurgents vulnerable because they had to come into the open to use them, and the computers were not under their constant control and supervision. Every time they logged on to a public machine, they risked being tracked.

The NSA also developed a tool called Polarbreeze for tapping wirelessly into nearby computers.
An American intelligence officer or agent would sit in the cafe, pretending to check e-mail or talk on the phone or send a text message, when really using a kind of remote data-sucking device, aimed at computers in the room only a few feet away.

Sometimes it was easier to shut down a web server than try to track someone through it. On several occasions US hackers disabled the infrastructure that fighters were using to send e-mail and Internet-based communications, forcing them onto the phone network, where they could be more easily tracked.

As the operations picked up pace and began to pay dividends, the NSA called in its most skilled cyber warriors. They worked in a unit called Tailored Access Operations, or TAO. As their name implies, they devised bespoke tools and techniques for breaking in to computers. The stealthiest of all US hackers, they were also the rarest—only a few hundred worked for TAO, and many of them had undergone years of NSA-devised training, sometimes through colleges and universities where the spy agency had helped write the curriculum.

In one successful operation, the TAO hackers set their sights on the Islamic State of Iraq, an insurgent group that had formed in 2004, pledged allegiance to al-Qaeda, and then fallen under its banner. The group fought US soldiers, but it also terrorized and murdered civilians. In 2007 alone this al-Qaeda branch killed two thousand Iraqis and seized control of the Dora neighborhood in southern Baghdad, where it tried to install Islamic law and set up a new “emirate” to govern the people. Local Christians who had lived in Dora for decades fled their homes rather than live under such harsh religious rule.
A member of the new emirate knocked on the door of one Christian man and told him that if he wanted to stay, he could pay a tax or convert to Islam. Otherwise, he must abandon his house; the al-Qaeda members offered to help remove his furniture.

TAO hackers zeroed in on the leaders of the al-Qaeda group. Centering their operations in Baghdad, they scooped up e-mail messages that the terrorists had left in draft form in their personal accounts, where they could be picked up by fellow fighters without having to be sent over the Internet. This was a common trick terrorists used to avoid detection. TAO had been on to it for years.

The TAO hackers joined forces with troops on the ground as part of a major offensive, Operation Arrowhead Ripper, that aimed to rout the al-Qaeda branch from neighborhoods in Bequeath, where it had established a foothold. The operation began in June 2007 and included about ten thousand soldiers, the bulk of them from Forward Operating Base Warhorse.
The offensive included an Iraqi army brigade and about five hundred police officers. Operations began with a ground and air strike on Baquba. United States–led forces killed nearly two dozen fighters on the first day. Meanwhile, in Anbar Province, troops rounded up six terrorists suspected of being tied to senior al-Qaeda officials. And they apprehended three would-be roadside bombers in Fallujah, as well as three more suspected terrorists in the town of Tarmiyah.

US intelligence had gotten very good at locating these fighters, linking them to al-Qaeda, and understanding how the terrorist group was recruiting and carrying out its attacks.

For TAO, hacking into the communications network of the senior al-Qaeda leaders in Iraq helped break the terrorist group's hold on the neighborhoods around Baghdad. By one account, it aided US troops in capturing or killing at least ten of those senior leaders from the battlefield.
When Arrowhead Ripper concluded in mid-August, Baquba had been reclaimed, and most insurgent activity in the area had ceased. By November, al-Qaeda had left the Dora neighborhood.

The intelligence machine continued to win victories. There were 28 bombings and other attacks by al-Qaeda in Iraq reported in the first six months of 2008, down from 300 such attacks in the previous year.
And the number of civilian casualties attributed to the terror group plummeted, from 1,500 in 2007 to 125 in the first half of 2008. A former military intelligence officer likened the cyber assault on the top echelons of al-Qaeda to “cutting the head off a snake.”

“We took operations to get inside the communications systems and the command-and-control structure that allowed terrorists and insurgents to coordinate attacks against US forces,” he said. “That's the key to
any
successful operation.”

For the first time in the now four-year-old Iraq War, the United States could point to a strategy that was actually working. The overall success of the surge, which finally allowed US forces to leave Iraq, has been attributed to three major factors by historians and the commanders and soldiers who served there. First, the additional troops on the ground helped to secure the most violent neighborhoods, kill or capture the “irreconcilables,” as Petraeus called them, and protect Iraq's civilians. The cities became less violent, and the people felt safer and more inclined to help the US occupation. Second, insurgent groups who were outraged by al-Qaeda's brutal, heavy-handed tactics and the imposition of religious law turned against the terrorists, or were paid by US forces to switch their allegiances and fight with the Americans. This so-called Sunni Awakening included eighty thousand fighters, whose leaders publicly denounced al-Qaeda and credited the US military with trying to improve the lives of Iraqi citizens.

But the third and arguably the most pivotal element of the surge was the series of intelligence operations undertaken by the NSA and soldiers such as Stasio, authorized by Bush in that fateful Oval Office meeting. Former intelligence analysts, military officers, and senior Bush administration officials say that the cyber operations the president authorized opened the door to a new way of obtaining intelligence, and then integrating it into combat operations on the ground. The information about enemy movements and plans that US spies swiped from computers and phones gave troops a road map to find the fighters, sometimes leading right to their doorsteps. This was the most sophisticated global tracking system ever devised, and it worked with lethal efficiency.

Petraeus credited this new cyber warfare “with being a prime reason for the significant progress made by US troops” in the surge, which lasted into the summer of 2008, “directly enabling the removal of almost 4,000 insurgents from the battlefield.”
The tide of the war in Iraq finally turned in the United States' favor. The intelligence operations, which were later exported to Afghanistan, “saved US and allied lives by helping to identify and neutralize extremist threats across the breadth of both battlefields.” Later the NSA integrated the techniques it had developed on the battlefield into its other intelligence operations used to track terrorists, spies, and hackers around the world. That alliance between the spy agency and the military, forged in Iraq, would forever change the way America fights wars.

TWO

T
HE
2007
SURGE
marked the first time US military and intelligence agencies tested the theories of cyber war on the battlefield. But the lethally efficient system they set up in Iraq was born of an earlier battle, and one of the darkest periods in the NSA's history.

On September 11, 2001, Lieutenant General Michael Hayden, then NSA director, had been at work for two hours when he got a call telling him that a plane had crashed into one of the Twin Towers in New York. A few minutes later a second plane hit. Hayden called his wife, Jeanine, asked her to track down their three children, and then prepared for a lockdown of the agency's 350-acre campus at Fort Meade, Maryland, about twenty-five miles outside downtown Washington.

Hayden ordered all nonessential personnel to evacuate. Guards carrying machine guns and directing bomb-sniffing dogs fanned out. Near the top floor of a high-rise, workers in the agency's counterterrorist center started tacking blackout curtains to their windows. The NSA's headquarters had moved from Washington to its present location in 1957, because the fort was far enough outside the city to survive the blast of a nuclear explosion.
No one had imagined that terrorists might attack it with commercial airliners.

Hayden went first to the counterterrorist center, where he found employees in tears. It was clear to everyone that the NSA had missed some very important signals in the terrorist “chatter” that its vast network of global data interceptors was so good at snatching up. The agency had electronic ears on its targets, but it failed to understand their true intentions. Investigators would later discover that on September 10, 2001, the NSA had intercepted a phone conversation from a known terrorist, warning in Arabic that “tomorrow is zero hour.” It sat in the agency's databases, untranslated into English, until September 12.

Hayden's immediate concern was stopping any follow-up attacks. On September 14 he approved “targeting,” or electronic monitoring, of communication links between the United States and foreign countries where terrorists were known to be operating—principally Afghanistan, where al-Qaeda had a sanctuary, thanks to the theocratic Taliban regime. The NSA was to look for telephone numbers associated with terrorists. In practice, that meant that any telephone number in Afghanistan that contacted a number in the United States was presumed to have foreign intelligence value, and therefore could be monitored. But when it came to spying on numbers in the United States, Hayden was more circumspect. Only preapproved telephone numbers were allowed to be monitored on communications links that originated inside the United States. Hayden knew that the NSA was prohibited from spying inside the country. But, as he later recalled, he made a “tactical decision” to use his existing authority to monitor foreign intelligence, albeit more aggressively than before. Hayden reasoned that so long as one end of the communication was outside the United States and involved foreign terrorist groups, it was fair game. The nation was in crisis, and at the time no one would have begrudged him a more expansive view of his agency's mandate. The NSA's general counsel determined that Hayden's orders were legal.