Cyber War: The Next Threat to National Security and What to Do About It (6 page)

As later chapters will discuss, there is every reason to believe that most future kinetic wars will be accompanied by cyber war, and that other cyber wars will be conducted as “stand-alone” activities, without explosions, infantry, airpower, and navies. There has not
yet, however, been a full-scale cyber war in which the leading nations in this kind of combat employ their most sophisticated tools against each other. Thus, we really do not know who would win, nor what the results of such a cyber war would be. This book will lay out why the unpredictability associated with full-scale cyber war means that there is a credible possibility that such conflict may have the potential to change the world military balance and thereby fundamentally alter political and economic relations. And it will suggest ways to reduce that unpredictability.

I
n a television ad, a crew-cut young man in a jumpsuit walks around a darkened command center, chatting with subordinates who are illuminated by the greenish light from their computer screens. We hear his voice over the video: “control of power systems…water systems…that is the new battlefield…in the future this is going to be the premier war-fighting domain…this is going to be where the major battles are fought.” He then looks right at the camera and says, “I am Captain Scott Hinck, and I am an Air Force Cyber Warrior.” The screen fades to black, and then three words appear: “Air, Space, Cyberspace.” Then, as the ad ends, we see a winged symbol and the name of the sponsor, “United States Air Force.”

So now we know what one cyber warrior looks like. At least in
Scott’s case, he looks a lot like the bright, fit, earnest officers who populate the world’s most potent military. That is not quite our image of hackers, whom movies have portrayed as acned, disheveled guys with thick glasses. To attract more of those with the skills needed to understand how to fight cyber war, however, the Air Force seems to think it may have to bend the rules. “If they can’t run three miles with a pack on their back, but they can shut down a SCADA system,” mused Air Force Major General William Lord, “we need to have a culture where they can fit in.” (A SCADA system is the software that controls networks such as electric power grids.) That progressive attitude reflects the U.S. Air Force’s strong desire to play the leading role for the U.S. in cyber war. That service was the first to create an organization for the purpose of combat in the new domain: U.S. Air Force Cyber Command.

THE FIGHT FOR CYBER WAR

In October 2009, when the doors opened on the multiservice, joint U.S. Cyber Command, the Navy had already followed the Air Force in standing up its own cyberwarfare unit. All the new organizations and big pronouncements gave some the impression that the U.S. military was just getting interested in cyber warfare, coming rather late to the game. Not so. The Department of Defense invented the Internet, and the possibility of using it in warfare was not overlooked even in its early days. As highlighted above, in chapter 1, early cyber warriors had a plan back in the first Gulf War to use cyber weapons to take down Iraq’s air defense system. Shortly after that war, the Air Force set up its Info War Center. In 1995, National Defense University graduated its first class of officers trained to lead cyber war campaigns.

Some in the 1990s military did not fully understand what cyber
war meant and thought of it as “info ops,” part of psychological warfare, or “psyops” (using propaganda to influence the outcome of wars). Others, particularly those in the intelligence branches, were seeing the ever expanding Internet as a bonanza for electronic espionage. It started to become pretty obvious that once you had penetrated a network to collect information, a few more keystrokes could take that network down.. As this realization grew among the electronic intelligence officers, they had a dilemma. The intelligence guys knew that if they told the “operators” (the fighting units) that the Internet was making a new kind of war possible, they would lose some control of cyberspace to the “warriors.” On the other hand, the warriors would still have to rely on the intelligence geeks to do anything in cyberspace. Moreover, the opportunities cyberspace offered to relatively easily do significant damage to an enemy were too good to pass up. Slowly, the warriors realized that the geeks were on to something.

By the time George W. Bush was starting his second term, the importance of cyber war to the Pentagon became apparent, as the Air Force, Navy, and intelligence agencies engaged in a bitter struggle to see who would control this new area of warfare. Some advocated the creation of a Unified Command, bringing the units of all three services under one integrated structure. There were already Unified Commands for transportation, strategic nuclear war, and for each of the world’s regions. When it appeared in the early 1980s that there would be a large role for the military in outer space, the Pentagon created a Unified Command for what it then thought of as a new domain for war-fighting, a domain that the United States had to control. U.S. Space Command lasted from 1985 to 2002, by which time it had become clear that neither the U.S. nor any other government had the money to do much in space. Space Command was folded into Strategic Command (STRATCOM), which operates the strategic nuclear forces. STRATCOM, headquartered at a
bomber base in Nebraska, was also given the centralized responsibility for cyber war in 2002. The Air Force, however, was set on running the actual war-fighting units. The creation of Air Force Cyber Command and the standing given to cyberspace in the Air Force recruitment ads jarred the other services and many in the Pentagon.

Some were concerned that the Air Force was talking too openly about something they believed should have been kept secret: the mere existence of cyber war capability. Yet there was the civilian Air Force Secretary (a vestigial post from the time before there was a strong civilian Defense Department) saying publicly, “Tell the nation the age of cyber war is here.” There were those damn ads, including one that said, ominously, that in the future a blackout “could be a cyber attack.” Another ad showed the Pentagon and claimed that it was “attacked” millions of times a day in cyberspace, but it was defended by the likes of an Air Force sergeant shown at his keyboard. There were persistent interviews and speeches by Air Force leaders who sounded very aggressive about their intentions. “Our mission is to control cyberspace, both for attacks and defense,” Lieutenant General Robert Elder had admitted. The Director of the Air Force Cyberspace Operations Task Force had been equally candid: “If you are defending in cyberspace, you’re already too late. If you do not dominate in cyberspace, you cannot dominate in other domains. If you are a developed country [and you are attacked in cyberspace], your life comes to a screeching halt.”

By 2008, those in the Pentagon not wearing blue uniforms had become persuaded about the importance of cyber war, but they were also convinced that it should not just be conducted by the Air Force. An integrated multiservice structure was agreed on in principle, but many were reluctant to “make the Space Command mistake again.” They did not want to create a Unified Command for what might
prove to be a passing fad, as war fighting in space had been. The compromise was that a multiservice Cyber Command would be created, but it would remain subordinated to STRATCOM, at least on paper. The Air Force would have to stop calling its organization a command and would instead have to be satisfied with a “numbered air force,” their basic organizational unit, like Navy’s numbered fleets. The agreement in principle did not resolve all of the major issues standing in the way of a new command.

The intelligence community had a view. Under the post-9/11 reorganization, there was now a single person in charge of all eighteen U.S. intelligence agencies. In 2008, that man was Mike McConnell. He looked much the part of what he had recently been, a well-to-do businessman often seen in the halls of Wall Street financial institutions. He had come to the intelligence job from the global consulting giant Booz Allen Hamilton. Slightly hunched over and wearing thick glasses, the soft-spoken McConnell had not taken a traditional path to leadership at Booz. For most of his life, he had been in Navy intelligence, retiring as a three-star (or vice) admiral, the man in charge of the world’s premier electronic intelligence organization, the National Security Agency (NSA).

Hearing McConnell, or his successor, Air Force General Ken Minihan, talk about NSA even on an unclassified basis, you begin to understand why they believe re-creating some of its capabilities elsewhere is folly and perhaps impossible. They both speak with real reverence about the decades of experience and expertise NSA has in “doing the impossible” when it comes to electronic espionage. NSA’s involvement in the Internet grew out of its mission to listen to radio signals and telephone calls. The Internet was just another electronic medium. As Internet usage grew, so did intelligence agencies’ interest in it. Populated with Ph.D.s and electrical engineers, NSA quietly became the world’s leading center of cyberspace expertise.
Although not authorized to alter data or engage in disruption and damage, NSA thoroughly infiltrated the Internet infrastructure outside of the U.S. to spy on foreign entities.

When McConnell left NSA in 1996 for Booz Allen Hamilton, he continued his focus on the Internet, working with leading U.S. companies on their cyber security plans for over a decade. Returning to the spook business in 2007, he tried, as the second-ever Director of National Intelligence, to assert authority over all of the U.S. intelligence agencies, including CIA. In doing so, his longstanding friendship with CIA Director Mike Hayden was damaged. Hayden had also once been Director of NSA, or as they say it in the intelligence community DIRNSA (pronounced “
dern
-sah”). Hayden remained an active-duty four-star Air Force General much of the time he ran CIA.

Because both Mikes (McConnell and Hayden) had the background of running NSA, they agreed on at least one thing: any new Cyber Command must not try to replicate the capabilities it had taken decades to develop at NSA. If anything were to be done, they and many of the other NSA alumni believed, NSA should just
become
the new Cyber Command. Their views mattered in the Pentagon, since they were, or had been, senior military officers, and they actually knew something about cyberspace. To counter the “NSA takeover” of Cyber Command, some in the military argued that NSA was really a civilian organization, an intelligence unit, and therefore could not legally fight wars. They talked about “Title 50 versus Title 10” authority, referring to the parts of the U.S. Code that give legal authority and limitations to various government departments and agencies. Such laws can, of course, be changed if they have outlived their utility. Nonetheless, the issue of who would run America’s cyber wars soon became a battle between military and civilian government lawyers.

In any other alignment of leaders, the outcome would likely have
been decided in the military’s favor and some new organization would have been built from the ground up, replicating the hacking skills at which NSA was the past master. In 2006, however, the turf-grabbing Secretary of Defense, Donald Rumsfeld, had been replaced after devastating midterm election losses brought on in part by mismanagement of the Iraq War. Rumsfeld’s replacement was the president of Texas A&M University, Robert Gates. At the time of his nomination I had known Bob for the better part of three decades and expected that he would be an unusually good Secretary of Defense. He was not a Pentagon man, had not grown up there. Nor was he a national security novice from industry or academia, the type easily manipulated by experienced Pentagon hands. Bob had been a career CIA officer who worked his way up to CIA Director, stopping off in the White House National Security Council along the way. Gates saw the Cyber Command debate from an intelligence community perspective and, more important, from the unique perch one has at the White House. When you are working directly for whoever the President may be at the time, you suddenly realize that there is a national interest that surpasses the turf concerns of whatever bureaucracy you may have come from. Gates had that broader view, and he was a pragmatist.

What resulted was a compromise in which the Director of NSA would become a four-star general (up from three stars) and would also be the head of U.S. Cyber Command. The Pentagon calls having two jobs being “dual hatted.” For now, at least, Cyber Command would be a “sub-Unified Command” under STRATCOM. The assets of NSA would be available to support U.S. Cyber Command, thus obviating the need for reinventing many wheels. The Air Force, Navy, and Army would continue to have cyber war units, but they would be run by U.S. Cyber Command. Technically, it would be those war-fighting military units that would actually engage in cyber combat and not the partially civilian intelligence agency that
is NSA. While NSA has a lot of expertise in network penetration, under U.S. law (Title 10) the agency is restricted to collecting information and prohibited from war-fighting. Therefore it will have to be military personnel under Title 50 that enter the keystrokes to take down enemy systems. To assist Cyber Command in its defensive role of protecting Defense Department networks, the Pentagon would also co-locate its own Internet service provider at Fort Meade, Maryland, alongside NSA. The Pentagon’s ISP is unlike any other, since it runs two of the largest networks in the world. Called the Defense Information Systems Agency (DISA), it is run by a three-star general. Thus, ninety-two years after it opened as an Army base, home to hundreds of horses, Fort Meade became the heart of America’s defensive and offensive cyber war forces. Defense contractors are building offices nearby in the hopes of sharing in some of the billions of dollars that will be flowing to Fort Meade. Maryland-area universities are already recipients of large research grants from the nearby military campus, referred to throughout Washington simply as “The Fort.”

As a result of the decision to create U.S. Cyber Command, what had been Air Force Cyber Command became the 24th Air Force, with headquarters at Lackland Air Force Base in Texas. This numbered air force won’t have any aircraft. The mission of the 24th will be to provide “combat-ready forces trained and equipped to conduct sustained cyber operations, fully integrated within air and space operations.” The 24th Air Force will have control of two existing “wings,” the 688th Information Operations Wing, formerly the Air Force Information Operations Center, and the 67th Network Warfare Wing, as well as control of a new wing, the 689th Combat Communications Wing. The 688th IOW, as the Information Operations Wing is known, will act as the Air Force’s “center of excellence” in cyber operations. The 688th will be a forward-looking element with the mission of finding new ways to create an advantage
for the U.S. Air Force using cyber weapons. The 67th Wing will have the day-to-day responsibility for defending Air Force networks and for attacking enemy networks. All totaled, the 24th Air Force will comprise some 6,000 to 8,000 military and civilian cyber warriors.