@War: The Rise of the Military-Internet Complex (9 page)

Information warfare—the term “cyber warfare” had yet to be widely adopted in military jargon—was an obvious job for the NSA to take on. The agency's eavesdroppers and interceptors pried and peered into the world's networks. Their supercomputers spun twenty-four hours a day trying to break codes that encrypted data sitting on foreign computers. The NSA knew how to break in to networks. Once inside, it could also destroy them.

McConnell was a natural leader for that mission. During Operation Desert Storm in 1991 he was the intelligence adviser to the chairman of the Joint Chiefs of Staff, Colin Powell, and his performance made him a celebrity in the ranks of military intelligence officers. McConnell was credited for predicting Saddam Hussein's invasion of Kuwait by one day. His foresight didn't stop Iraq's attack on its neighbor, but it sure got the attention of his bosses. McConnell was adroit at using satellite imagery and intercepted communications—the fruits of intelligence gathering—to paint a picture of what was happening on the ground. Where the enemy was moving. Where he was likely to go next and what he was likely to do when he got there. McConnell, a native of South Carolina, had a plainspoken delivery and an affable demeanor. He performed so well in private briefings that Powell put him in charge of the daily press briefings, covered by reporters from around the world.

In 1992 the job of NSA director was about to become vacant—Admiral Bill Studeman, himself a widely admired military intelligence officer, was nominated by President George H. W. Bush as the next deputy director of the CIA. Powell and Secretary of Defense Dick Cheney supported McConnell for the NSA directorship. The position could only be filled by a military flag officer with three stars, and McConnell, then in his late forties, had just one. Powell and Cheney made sure he got promoted.

Under McConnell's leadership, the NSA first began to grapple with the complexities, the risks, and the potential advantages of cyber warfare.

The NSA's early cyber warriors were also building a kind of arsenal, looking for vulnerabilities in networks, software, and hardware that they could use to hijack the system, and then inject viruses or install hidden backdoors for use in future operations. The NSA hid these vulnerabilities from the manufacturers of the technologies they were exploiting. If it had disclosed them, the manufacturers could have patched the holes, making the technology safer for others to use. But that would deprive the NSA of its secret access. At least eighteen separate organizations within the agency were collecting vulnerability information, according to an internal newsletter, and they were even keeping secrets about their work from one another. “Intelligence operatives wish to protect their sources and methods,” wrote one anonymous NSA author. “No one really knows how much knowledge exists in each sector.” Without that knowledge, there could be no “large-scale national” approach to cyber war, which was not only something NSA wanted, it was something the agency had been directed to prepare for by the Pentagon.

Under McConnell there was a certain breathlessness to the advent of cyber warfare. The NSA was at once captivated by the strategic advantage the United States could have if it penetrated the information networks that were then spreading around the globe. And yet officials were anxious that the very kinds of cyber weapons they were developing could be used against the United States. The NSA was full of brilliant cryptographers and computer scientists, but they knew there was a low barrier to entry on this new battlefield. The knowledge to exploit networks was advancing as fast as the networks themselves. Cyber warfare would not be the province of nations alone.

Soon the cyber war fever spread beyond the NSA. By the late 1990s the air force was creating offensive cyber teams, under the direction of a task force that was initially set up to defend the service's networks. The army got in on the action, too, and began researching “ways to knock out the lights in Tehran,” as one former officer puts it.

McConnell had left the NSA in 1996 and gone to work for the government contractor Booz Allen Hamilton, where he made millions off his expertise and connections. He built an intelligence unit at Booz that specialized in—what else?—cyber security. Everything he'd learned at the NSA he was now selling back to the government.

On December 23, 2006, a decade after McConnell had left public service, his secretary walked into his expansive corner office at Booz, twenty miles outside downtown Washington.

“The vice president's on the phone,” she said.

“The vice president of what?” McConnell asked.

“The vice president of the United States.”

McConnell jumped to his feet and grabbed the phone. His old patron Dick Cheney informed McConnell that President Bush wanted to nominate him for director of national intelligence.
It was a thankless job, and one that McConnell knew more powerful men than he had turned down, most famous among them Robert Gates, the former CIA director and an old friend of McConnell's, who was now the secretary of defense.

McConnell told Cheney he needed to think about it and that he'd give him an answer after Christmas. He hung up and called Gates, who already knew the nomination was in play. McConnell said he'd only take the job if he had a free hand to make some big changes in the way the intelligence community was run, and if he had Gates's support. Gates promised that he did.

When McConnell had left the NSA, cyber war was in its infancy. In his absence, it entered adolescence. Now he would take it into adulthood.

 

McConnell's tenure as director of national intelligence, the chief of all the government's intelligence agencies, lasted just under two years. But the mark he left on the office, espionage, and warfare was profound.

It was McConnell, of course, who convinced President Bush to sign off on the cyber warfare tactics the NSA and the military used in Iraq. But he also spearheaded a major overhaul of the law that governs many of the NSA's operations, the Foreign Intelligence Surveillance Act. As it happened, when McConnell was coming into the job, a federal judge on the FISA court, set up to oversee electronic spying, had ruled that the government needed a warrant to intercept communications between foreign individuals who were outside the United States if the surveillance was performed on equipment located there. McConnell spent the months of June and July explaining to lawmakers that most of the world's communications traffic moved through cables, routers, and switches inside the country. But when the NSA tapped that equipment for foreign intelligence purposes, it shouldn't need a warrant, he argued—it wasn't spying on any Americans, after all.

McConnell told lawmakers that if the NSA were no longer allowed to monitor wholly foreign communications on United States–based equipment, it would lose its coverage on many foreign people, including members of al-Qaeda and insurgents in Iraq. As he saw it, this was not the time to lose access to the very technological infrastructure on which the United States was fighting a new kind of war.

Congress's summer recess was approaching, and Democrats, who ran the House and Senate, risked looking weak on counterterrorism if they failed to enact the changes required to keep NSA operations up and running. Most lawmakers didn't know about the cyber warfare operations, but the administration had long said publicly that surveillance activities by the agency were essential to preventing terrorist attacks in the United States.

McConnell seized the opportunity and pushed for more than just a tweak in existing law. He wanted to rewrite FISA to allow broad searches on whole groups of individual targets—say, all the telephone traffic coming out of Yemen. This was an unprecedented expansion. The Constitution had never been used to justify warrants against whole groups of people. The Fourth Amendment required the government to name the person and the place it wanted to search. And while FISA could accommodate spying on an individual whose identity the government might not know, it still required the government to point to that one person as the target. Now McConnell wanted authority for dragnet surveillance.

The truth was, the NSA already had it, as long as it was conducting the surveillance overseas and not spying on American citizens or legal residents. But a change in the law, critics feared, would allow the broad surveillance to be conducted inside the United States. It would give the NSA license to demand access to huge volumes of data from US technology companies by broadly invoking the need to protect national security.

Which is exactly what happened. In August 2007, Democrats, who believed they'd been backed into a corner by McConnell and the White House, reluctantly signed on to the bill. Just over a month later the NSA ramped up a new collection system, called Prism, which obtained large numbers of e-mails and other Internet communications from US companies.
The first company to come on board was Microsoft, on September 11, 2007. Yahoo joined the following March. Over the next four years, some of the biggest names in American business were added to the Prism list, including Google, Facebook, YouTube, and Apple. There were nine companies under Prism surveillance by October 2012. Today those companies are responsible for huge portions of Internet traffic and usage in the United States. Google alone accounts for a quarter of all traffic moving through Internet service providers in North America. YouTube is responsible for almost 20 percent of all download traffic in the United States. (Its closest rival is Netflix, the video streaming service, which accounts for about one-third.) The companies' e-mail services also attract billions of people around the world. Three years after Google was added to the Prism program, the company announced that 425 million people were using its Gmail product. (More recent figures aren't available.) Yahoo claimed 281 million users of its mail service as of December 2012. And as of February 2013, Microsoft says 420 million people were using its Outlook e-mail system. Apple, which was the last known company added to Prism, in 2012, said that year it had sold 250 million iPhones.

As vast as the Prism program was, the government still needed an individual warrant if it wanted to obtain the contents of an American's communications. The rest of the world, though, was more or less fair game. Judges who approved FISA surveillance were now being asked to sign off on “authorizations,” prepared by senior administration officials, that listed broad categories of surveillance targets and gave highly technical and complex explanations for how the NSA would ensure it was collecting only on the categories it had specified. That sounded workable in theory, but really, the agency often didn't know how much data it was collecting, on foreigners or Americans. That's because it's exceptionally difficult to know the nationality and location of the sender or recipient of an e-mail, which is sent over the Internet not as a discrete communication but as a series of packets, broken up and dispersed through the network on the fastest and most efficient path, then reassembled at their destination. Frequently that end point is not the recipient's computer but the servers of whatever e-mail service the recipient is using, such as Microsoft's Hotmail or Google's Gmail. Since the NSA might not know where the sender and recipient are, or who they are, it can't always be certain that it's spying on only foreigners.

On the surface, the changes to the surveillance seemed only to expand the NSA's ability to spy. But it also gave the agency more access points to the physical infrastructure of the Internet, from which it could conduct cyber warfare operations. And with access to the systems of major e-mail and Internet companies, the NSA could gather more intelligence about its adversaries and craft messages that looked trustworthy but were actually loaded with viruses and other malware. The Internet was a battlefield, and the new law gave the NSA more ways to enter it.

As the NSA's powers grew, it cast its net wider, tapping into the undersea cables that carry communications between continents. The agency started filtering the content of all e-mails going in and out of the United States, scanning them for the names, phone numbers, or e-mail addresses of suspected terrorists. And it managed to penetrate the defenses of Google and Yahoo, stealing communications as they traveled between the companies' overseas private data centers and the public Internet.

McConnell's second big contribution to the burgeoning cyber battle came toward the end of his tenure, in 2008. After Senator Barack Obama won the presidential election in November, McConnell flew to Chicago and met with the soon-to-be commander in chief in a secure facility at the FBI field office.
There he explained the contours of the new battlefield. McConnell put special emphasis on how weak the United States' own defenses were, and described some of the steps the Bush administration had taken to shore them up. Later, in a private meeting with Bush, Obama learned that the president had authorized a covert set of cyber attacks on an Iranian nuclear facility, using the computer worm that later came to be known as Stuxnet.
Bush told Obama that the sabotage operation, code-named Olympic Games, was one of two intelligence missions that he believed the new president shouldn't relinquish. The other was a CIA program to kill suspected terrorists and militants in Pakistan using armed aerial drones.

Obama agreed on both counts. And for the cyber program, he ordered up a new round of Stuxnet attacks in 2009. Unlike Bush, who had opted to quietly degrade and frustrate the Iranians' capability to make a nuclear weapon, Obama wanted to cause massive damage inside the Natanz plant. The United States deployed a new variant of the worm designed to make the rotors inside the centrifuges spin at dangerous speeds. The worm also carried multiple novel attack codes designed to penetrate different software programs through hidden flaws that the Iranians hadn't detected. The new features made it a more destructive weapon. Researchers generally credit Stuxnet with destroying one thousand centrifuges between 2009 and 2010. This was only about 20 percent of the total number operating at the plant, and the Iranians had more centrifuges in reserve to replace the damaged equipment. But Obama administration officials have said that Stuxnet set back Iran's weapons program by up to two years. That's precious and valuable time if, as appears to be the case, Stuxnet was designed to forestall a war, not to start one.