@War: The Rise of the Military-Internet Complex (26 page)

Perhaps sensing that he couldn't always count on Obama's unconditional support, Alexander took his plans for Tranche 2 to Capitol Hill and the lawmakers who controlled his agency's multibillion-dollar budget. Alexander told them and their staff that he supported legally requiring companies to share their data with government-appointed traffic scanners.
But that was not a proposal the administration supported, at least not in its current form. White House aides had to admonish Alexander several times during 2011 and 2012, when a cyber bill was moving through Congress, not to speak on the president's behalf and make promises that the administration wasn't sure it could keep.

“They're pretty mad at me downtown,” Alexander said sheepishly in one meeting with congressional staffers.
But that didn't stop him from pushing harder. Alexander was an awkward public speaker, but in small groups he could be charming and compelling. He formed alliances with the Democratic and Republican chairs of the House and Senate Intelligence Committees. Lawmakers gave him the money he wanted and appropriated new funds for cyber security. Congressional oversight of NSA's activities was minimal and nonintrusive. Alexander was winning the war on Capitol Hill. But inside the administration, he had enemies.

 

By the time she arrived at the Homeland Security Department as the new deputy secretary in early 2009, Jane Holl Lute found that a battle for control of cyber security had already been fought—and Alexander had won.
Many of her colleagues had long since concluded that the NSA was the only game in town, because it was the only agency with an extensive catalog of threat signatures, including malware, hacker techniques, and suspect Internet addresses. They knew that information had been gleaned from classified, expensive intelligence-gathering operations, which gave it a certain cachet and credibility. They also knew that Homeland Security had no comparable store of information, and scarcely a cyber security staff to speak of. The department employed twenty-four computer scientists in 2009, while the Defense Department employed more than seven thousand, most of whom worked at the NSA. Homeland Security's computer-emergency watch center also couldn't monitor network traffic in real time, making it practically useless as an early-warning system for cyber attacks.
The best Homeland Security could hope to do was play a public relations role, encouraging companies to adopt good “cyber hygiene,” better monitor their own networks, and share information with the government. But these were gestures, not actions.

The first time Lute met the official in charge of the department's budding cyber defense mission was when he handed her his letter of resignation. In March, Rod Beckstrom quit in protest over what he described as the NSA's interference in policies that, by law, were Homeland Security's responsibility.
“NSA effectively controls DHS cyber efforts,” Beckstrom wrote in a scathing rebuke. The NSA had stationed its employees in the department's headquarters and installed its own proprietary technology. And recently NSA leaders had proposed relocating Beckstrom and his staff—all five of them—to the agency's headquarters at Fort Meade.

“During my term as director, we have been unwilling to subjugate the [center] underneath the NSA,” Beckstrom wrote. He warned Lute, Napolitano, and the president's top national security advisers, including Secretary of Defense Robert Gates, that if the NSA were given the reins, it would run roughshod over privacy and civil liberties and subsume the department into a culture of secrecy.

Lute was no cyber expert. A former army officer, she last served managing peacekeeping operations for the United Nations. But as the de facto chief operating offer of the department, she'd been charged with making sense of its muddied cyber policies. Clearly, that was going to entail battle with the NSA. (Napolitano didn't want the job, and was arguably unqualified for it. Practically a technophobe, she had no personal online accounts, and even at work she didn't use e-mail.)

Lute had been around intelligence officials long enough to conclude that they gained much of their power from secrecy, and by cultivating an appearance of omniscience. She didn't adhere to the conventional wisdom that only the NSA had the know-how to defend cyberspace. “Pretend the Manhattan phone book is the universe of malware,” she once told colleagues.
“NSA only has about one page of that book.” Lute thought that many companies already had the most important threat signatures, because they were collecting them from the hackers and foreign governments who tried to break in to their networks every day. Private security companies, antivirus researchers, even journalists were collecting and analyzing malware and other threat signatures, and either selling the information or publishing it as a public service. Software companies sent out automatic patches to fix known holes in their programs. The NSA tracked all this information. Why should anyone presume their intelligence didn't incorporate what was already widely known? The spy agency's information might be helpful, but companies didn't require it to defend themselves, Lute said. They needed to share what they knew with one another, like an Internet version of a neighborhood watch.

Lute wasn't alone in thinking that Alexander had oversold his “secret sauce.”

“There's a presumption that if something is classified, it must be true, which is not remotely the case,” says a senior law enforcement official who sparred with NSA officials in several meetings about whether it should take the leading role in defending companies' computer networks.
“We can lay out information to a policymaker that's ‘law enforcement sensitive' [a lower level of classification than top secret], and they'll say, ‘No, we've got this top-secret report, it must be true.' And that's hard to refute, because the NSA doesn't bring the facts to the table about how it got that information or whether it's unique. Policymakers and the public are not getting an accurate picture of the threat.”

Even when Alexander met with senior executives from the world's biggest technology firms, including Google, who knew plenty about cyber spies and attackers and had a financial interest in stopping them, he tried to persuade them that the NSA's intelligence was superior. “His attitude was, ‘If only you knew what we knew, you'd be very afraid. I'm the only one that can help you,'” says a former senior security official.

“Alexander convinced many lawmakers and policymakers that the NSA had a monopoly on this and it was all at Fort Meade,” says the former administration official who worked on cyber security issues. “And he'd use that phrase, ‘secret sauce.' I've been behind the curtain up there; there is no secret sauce. It's complete bullshit.”

 

A low-grade tension persisted for the first two years of Lute's tenure at Homeland Security. In February of 2011, it erupted into a public turf war. At a defense industry conference in Colorado Springs, the home of the US Air Force Academy, Alexander declared that the NSA should take a leading role in protecting cyberspace, the fifth domain of warfare. He called for new powers to defend against potentially crippling attacks on the United States. “I do not have the authority to stop an attack against Wall Street or industry, and that's a gap I need to fix,” he said.
Alexander had thrown down the gauntlet, effectively declaring US cyberspace a militarized zone.

Alexander was scheduled to give a version of the same talk eight days later at one of the biggest annual computer security conferences, in San Francisco. Major newspapers and technology trade press would be there. Lute cut him off at the pass. On February 14, three days ahead of his speech, she and another senior Homeland Security official published an online op-ed for
Wired
, the influential technology magazine.
“These days, some observers are pounding out a persistent and mounting drumbeat of war, calling for preparing the battlefield, even saying that the United States is already fully into a ‘cyberwar,' that it is, in fact, losing,” Lute wrote. “We disagree. Cyberspace is not a war zone.”

It was a direct shot at Alexander. “Conflict and exploitation are present there, to be sure, but cyberspace is fundamentally a civilian space,” Lute wrote, “a neighborhood, a library, a marketplace, a school yard, a workshop—and a new, exciting age in human experience, exploration and development. Portions of it are part of America's defense infrastructure, and these are properly protected by soldiers. But the vast majority of cyberspace is civilian space.”

Alexander was undeterred. He gave his speech as scheduled and repeated the same themes.
And a few days later he fired back at Lute. “There's a lot of folks that say we'd like the technical capabilities of NSA . . . but we don't want NSA in there” protecting networks, Alexander said at a conference in Washington about domestic security, which was the Homeland Security Department's domain.
He bristled at the suggestion that his agency should lean back and only help defend when asked, rather than rush to the front lines. Alexander even invoked the Maginot Line, the long stretch of concrete fortifications France built along its border with Germany in the 1930s, suggesting that the United States risked being overrun if it focused its defense purely on strategy and underestimated the cunning of their enemies. (The Nazis overcame the line by going around it, a move the French hadn't planned for, and ultimately conquered the country in six weeks.)

The turf war was getting hot. The White House ultimately nixed Alexander's Tranche 2 plan, not because Obama thought the NSA wasn't up to the job of defending cyberspace but because it looked too much like a big government-surveillance program. The administration didn't abandon Alexander's core idea. It opted instead to use the existing DIB program, which was itself a big government-surveillance program, to test whether Internet service providers could monitor traffic using classified government intelligence—that NSA secret sauce. It was a compromise. The NSA wouldn't get access to companies' networks, but it would funnel intelligence to them through the Internet service providers.

In the spring of 2011, seventeen defense companies volunteered for the test. The NSA still gave threat signatures to three service providers—CenturyLink, AT&T, and Verizon. The latter two were intimately familiar with NSA surveillance, having been a part of the agency's bulk collection of Americans' phone records since shortly after the 9/11 terrorist attacks. And all three companies were accustomed to handing over e-mails and online data about their customers at the request of the FBI and NSA.

The test focused on two specific countermeasures: quarantining incoming e-mails infected with malware and preventing outbound traffic from contacting malicious Internet addresses, a process known as sinkholing. Most organizations only monitored traffic coming into their networks and ignored data that was being sent from inside their systems. Hackers took advantage of that ignorance and frequently disguised a company's own documents as legitimate outbound traffic, before sending it on to a server under the hackers' control.

The test was a qualified success. An independent review by Carnegie Mellon University, one of the top technology research institutions in the country, found that the Internet service providers were able to receive the classified threat signatures and keep them secret. But there was some bad news for the vaunted cyber warriors at Fort Meade: practically none of the signatures told the companies anything they didn't already know, a finding that supported Lute and others who doubted the power of Alexander's secret sauce.

Most of NSA's intelligence was out of date by the time it was received. Of fifty-two cases of malicious activity that were detected during the test, only two were the result of NSA threat signatures.
The rest the companies found on their own, because they'd spent the last few years building their own network-monitoring capabilities and beefing up their defenses.

The NSA could take some pride in knowing that those companies got so much better at defense because of their early participation in the DIB program, back in 2007, when they'd been essentially required to hand over threat information and take the government's help if they wanted to keep doing business with the military. But the pilot undercut Alexander's argument that his agency was uniquely qualified to protect the nation.

Not that the companies needed a university study to tell them that. As early as 2010, corporate executives began to question whether the NSA was as sophisticated as Alexander claimed. During a meeting with CEOs at Homeland Security Department headquarters, Alexander gave a presentation on the NSA's threat signature catalog. According to one participant, Google CEO Eric Schmidt leaned over to the person sitting next to him and whispered, “You mean to tell me they spent all this money and this is what they came up with? We've all moved beyond this now.” Google, like many other large companies that were frequent targets of hackers, had its own sources of threat intelligence from private security companies—such as Endgame, which sells zero day information—and had begun its own intelligence-gathering operations on hackers in China. But the company was also using other tactics, such as implementing stronger encryption for its users, and moving toward a “secure sockets layer” service that would set end-to-end encryption by default for everyone logged in to their Google account. Threat signatures alone “don't work anymore,” Schmidt said. “The threats don't just come where the NSA points its sensors.” Hackers were constantly changing their techniques and looking for new points of entry. They knew that the government was monitoring them—that's why they changed up their tactics.

For Google, like other large companies, there was no one secret sauce but a stew of techniques whose recipe was constantly changing. Broadly speaking, companies were taking security more seriously, investing money in protecting their information at its source and hiring outside expertise to make up for what they lacked.