@War: The Rise of the Military-Internet Complex

Authors: Shane Harris


Meanwhile, McConnell got the ball rolling on the civilian side of government. The Homeland Security Department, which had the legal authority for securing the .gov Internet domain used by most government departments (excluding the military and the intelligence agencies), oversaw an initiative to trim the number of civilian Internet gateways from more than a thousand down to fifty. It was a bigger and more diffuse challenge than the Defense Department's—these civilian networks weren't centrally managed, and there were many more of them. The project was guaranteed to outlast the remainder of Bush's time in office, and therefore McConnell's.

But Alexander wasn't under a term limit. He'd only been in office since 2005, and while tradition suggested that his tour would probably last four or five years, there was no reason that a future president or secretary of defense couldn't extend it. Indeed, Alexander's predecessor had served for six years, longer than anyone at that point in the agency's fifty-six-year history. As the NSA's influence over intelligence operations grew, particularly in counterterrorism, its directors became essential, and harder to replace. Alexander understood that the agency's future dominance in the intelligence hierarchy depended on cementing its role as the leader in cyber defense and offense. This was the next big problem to which the whole of government would focus its national security priorities. In a crude calculus, counterterrorism was out, cyber security was in. Alexander just had to wait for the moment when more of the country's leaders saw that, and would turn to him for help. He needed a crisis.

NINE

Buckshot Yankee

Friday, October 24, 2008, had already been an unusually busy day at NSA headquarters. President Bush came up to Fort Meade that afternoon to meet with senior agency leaders, his last scheduled visit before leaving office in January. At 4:30 p.m., when most NSA employees were getting ready to head home for the weekend, Richard Schaeffer, the top official in charge of computer security, walked into Keith Alexander's office with an urgent message.

A young analyst in one of the NSA's hunt teams that look for malicious intrusions had spotted a rogue program running on a military network. It was sending out a beacon, a signal to a host computer somewhere on the Internet, asking for instructions on what to do next—perhaps copy files or erase data. That itself wasn't so alarming. But the beacon was emanating from inside a classified network used by US Central Command, which ran the wars in Iraq and Afghanistan. And that was supposed to be impossible, because the network wasn't connected to the Internet.

No classified, air-gapped military network had ever been breached. Those networks were kept disconnected from the public Internet because they contained some of the military's most important secret communications, including war plans and orders to troops in the field. Analysts had been working feverishly for the past few days to determine how the malicious program had made its way onto the network, and they speculated that it must have piggybacked on an infected USB drive, probably inserted by an unwitting soldier in Afghanistan, where the majority of infections seemed to have occurred. And that was the other problem—there were infections, plural. The malware was replicating itself and spreading to different computers on the network via USB drives. And it appeared to have shown up on two other classified networks as well.

NSA officials immediately suspected the work of a hostile intelligence service trying to steal classified military information. Analysts speculated that an infected USB could have been dropped in a parking lot, waiting for an unsuspecting human—“patient zero”—to pick it up and insert it into a secure computer inside a Centcom facility or at a military base. The malicious program couldn't connect to the Internet to retrieve its orders. But a spy could be communicating with the malware from a few miles away via radio waves—the NSA used equipment to do that when it injected spyware behind an air gap. And there were indications that the worm was spreading to unclassified systems, too, which were connected to the outside world and could give foreign spies an entry point into the Pentagon.

The breach was unprecedented in military and intelligence history. Alexander said it was time to sound the alarm.

 

Air force general Michael Basla was working in the Pentagon Friday night when an emergency call came in from Fort Meade. Basla was then the vice director of command, control, communications, and computer systems for the Joint Chiefs. He quickly grasped the urgency of what the NSA official on the line was telling him. “In so many words,” Basla later recalled, “it was, ‘Houston, we've got a problem.'”

The gears of the national military command structure started spinning. That night Basla, along with NSA officials, briefed Admiral Mike Mullen, chairman of the Joint Chiefs and President Bush's top military adviser. The agency also informed the deputy secretary of defense, Gordon England, who'd been instrumental in setting up the Defense Industrial Base Initiative, as well as the leaders of Congress.

No one was sure when, or if, the malware would attempt to execute its mission—whatever it might be. But the members of the NSA hunt team who discovered the worm thought they had a way to neutralize it. It was sending out a message for orders from a host server. So why not give the worm what it wanted? The hunt team wanted to build an impostor command-and-control server that would make contact with the worm and then tell it, in effect, to go to sleep and take no further actions. The plan wasn't without risk. If the team disrupted or disabled legitimate programs running on the classified network, such as those that controlled communications among battlefield commanders, then they could harm military operations in Afghanistan and Iraq. The classified network still had to function.

The Pentagon told the NSA to move forward with its plan, which was given the code name Buckshot Yankee. The hunt team worked all Friday night to fine-tune the details, drinking soda to stay awake and bingeing on pizza. On Saturday they put a computer server onto a truck and drove to the nearby Defense Information Systems Agency, which runs the Defense Department's global telecommunications systems. They allowed the server to become infected with the malware, then activated the impostor controller that told the worm to stand down. It worked.

Now the NSA had a way to deactivate the worm. But first it had to find it—and all of the copies it had made of itself that had spread across Defense Department networks. The NSA called in its best hackers, the elite Tailored Access Operations group. They looked for worm infections on the military's computers. But then they went farther out, looking for its traces on nonmilitary computers, including those on civilian US government networks and in other countries. They found that the worm had spread widely.

That was not surprising. As it turned out, the worm was not so new. It had been discovered by a Finnish security researcher and, in June 2008, had shown up on the military computers of a NATO member country. The researcher dubbed it Agent.btz, "agent" being a generic name for a newly discovered piece of malware, and the ".btz" an internal reference marker. There was no evidence that any infection of Agent.btz on a US computer had resulted in stolen or destroyed data. In fact, the worm didn't appear to be that sophisticated, which raised the question of why a foreign intelligence service would go to the trouble of building a worm that burrowed into computers around the world and didn't steal anything.

But military leaders still treated the breach as a dire threat to national security. The week after the NSA alerted the Pentagon, Mullen briefed President Bush and Secretary of Defense Gates. The NSA took on the mission of hunting down every infection of Agent.btz and using the impostor controller to turn it off. In November, US Strategic Command, which at that time had overall responsibility for cyber warfare, sent out a decree: the use of thumb drives was henceforth banned on all Defense Department and military computers worldwide. It was an overreaction, and underscored the degree to which senior military leaders felt threatened.

Alexander was not so alarmed. In the panic he saw the chance to make the NSA the military's new leader in cyberspace. It was his hunt team that discovered the worm, he argued. His experts who devised a clever way to kill it. His elite hackers who used their spying skills to track the worm in its hiding places. Pentagon officials wondered if they should launch an offensive cyber strike to eradicate the worm, rather than just tricking it into talking to their impostor. (The process of getting rid of the infections ultimately took fourteen months.)

At the time, the responsibility for carrying out a coordinated military strike—a true cyber war—lay principally with the Joint Functional Component Command for Network Warfare, a subordinate to Strategic Command. But it was small in comparison with the NSA, and it didn't have the NSA's expertise in computer defense and espionage. Officials decided that an offensive strike, particularly on computers in other countries, was a step too far for countering Agent.btz—which after all hadn't done any damage. But the Buckshot Yankee operation showed them that in the event of a real national crisis—a cyber attack on a power grid or a bank—the military needed all its sharpest shooters under one roof.

“It became clear that we needed to bring together the offense and defense capabilities,” Alexander told a congressional committee in 2010, after the Pentagon declassified certain details of the operation. It was what he had wanted all along.

 

The Buckshot Yankee operation became the catalyst for establishing US Cyber Command, a single entity that oversaw all of the military's efforts to defend against virtual attacks on their systems, and to initiate their own. This was the idea that national intelligence director Mike McConnell had backed and that eventually won the support of Bob Gates. Senior military leaders realized that they'd been caught flatfooted, and that many of them had overestimated their ability to respond quickly to an incursion into the Pentagon's computers. “It opened all our eyes,” Basla says.

The quick thinking of Alexander and his team of cyber warriors convinced the Pentagon brass, Gates, and the White House that the NSA was best positioned to marshal the military's cyber forces, and therefore should take the lead. Alexander would run the new Cyber Command from Fort Meade. He would get more personnel and a budget. But the warriors and the infrastructure would come mostly from the NSA.

The NSA also still had to completely eradicate the Agent.btz infections. That process lasted more than a year, and the agency used it to expand its newfound power. Whenever a new infection was found, the NSA restricted all information to those with a “need to know” what had occurred. Each instance became a kind of classified sub-project of the larger operation. According to a former Defense Department intelligence analyst who was cleared to know about Buckshot Yankee, this made it more difficult for agencies other than the NSA to respond to the breach and to gather information about what had happened—which is apparently just what Alexander wanted. A veil of secrecy fell over nearly every aspect of the NSA's new cyber mission. The former Defense Department analyst describes the NSA's response to Buckshot Yankee as “a power grab.”

The need for secrecy would be understandable if the Agent.btz infection really was part of an intelligence campaign by Russia, China, or a hostile nation. But Pentagon officials never claimed that the breach caused a loss of secrets or any other vital information. And it was never settled whether the infected USB drive that analysts thought was the initial vector was deliberately planted near a military facility or if some careless soldier or contractor had just picked up the Agent.btz worm on the outside, maybe when connecting a laptop at an Internet café, and then brought the worm behind the air gap. It's possible that patient zero simply happened upon the worm, and that it wasn't the handiwork of a foreign government at all. In fact, Agent.btz turned out to be a variant of a three-year-old, mostly harmless worm. Some officials who worked on Buckshot Yankee doubted that foreign spies were to blame. If they were going to break in to the inner sanctum of military cyberspace, wouldn't they be craftier? And wouldn't they actually steal something? Then again, perhaps they were testing the Americans' defenses, seeing how they'd respond to an incursion in order to learn how they'd designed their security.

Had lawmakers and Bush administration officials understood that the Agent.btz infection was relatively benign, they might have thought twice about giving the NSA so much authority to control cyber defense and offense. Perhaps Alexander and his lieutenants were eager to keep the details of the incursion a secret so as not to undercut their own case for putting NSA in charge of Cyber Command. That would be in keeping with Alexander's pattern of trying to frighten government officials about the cyber threat, and then assure them he was the one who could keep the bogeymen at bay. “Alexander created this aura, like the Wizard of Oz, of this incredible capability behind the curtain at Fort Meade,” says a former Obama administration official who worked closely with the general on cyber security issues. “He used classification to ensure that no one could pull back that veil.”

Secrecy was—and still is—a great source of the NSA's power. But the agency was also aided by a low-grade paranoia that took root among senior Defense Department officials after Buckshot Yankee. To ward off the risk of future infections, senior leaders banned the use of thumb drives across the entire department and in all branches of the armed forces, a decree met with outrage by service members in the field who relied on the portable storage devices to carry documents and maps between computers. The ban persisted for years after Buckshot Yankee. “If you pulled out a USB and put it in my computer, in a few minutes someone will knock on my door and confiscate the computer,” Mark Maybury, chief scientist of the air force, said during an interview in his Pentagon office in 2012.
