The making of America's cyberweapons
Shift in Thought
Since Internet adoption accelerated in the 1990s, the US has proven it can successfully strike adversaries online, but in doing so we've ushered in a dangerous – and unpredictable – new military era.
America hasn't militarized the cyberdomain more than other nations. But we certainly threw plenty of resources into our efforts, and our natural tendencies toward transparency – and how we talk about defending cyberspace – have opened us up to charges that we have indeed militarized the digital world.
An example: The seminal American thought piece on cyber wasn't written by the deputy attorney general, deputy secretary of State, deputy secretary of Commerce, or even by the president's science adviser. The deputy secretary of Defense wrote it. People outside this country notice things like that.
In 2010, Bill Lynn wrote in Foreign Affairs that, "As a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain of warfare. Although cyberspace is a man-made domain, it has become just as critical to military operations as land, sea, air, and space. As such, the military must be able to defend and operate within it."
It was as if Mr. Lynn had copied the notes from our discussions in the mid-1990s at my first cyber-related command in Texas.
The ideas we developed then and there eventually gained traction in the Department of Defense. In retrospect, however, we didn't appreciate that there was an entire generation growing up at that time believing that cyberspace was a global commons, a pristine playground, and not a potential zone of conflict among powerful nation-states. The debate over those competing archetypes continues today.
The digital Eden fallacy
Several years after I had left government, I was sitting in front of a Skype screen in Colorado arguing via video link with author Jim Bamford, who has made a living writing unauthorized books about the National Security Agency, where I was the director from 1999 to 2005. One of my distant NSA predecessors, Lt. Gen. Lincoln Faurer, wanted to have him arrested over his first opus, "The Puzzle Palace," when it hit bookshelves in 1982.
The Skype debate was for a TV trade audience in Beverly Hills organized by PBS, which at the time was hyping an upcoming NOVA special on NSA. Mr. Bamford was a coproducer and was arguing that America had tragically militarized the cyberdomain through actions such as the Stuxnet worm, which he described as an American cyberattack on the Iranian nuclear facility at Natanz. America's intemperate behavior, he claimed, had legitimated an Iranian attack against the giant oil company Saudi Aramco and against American banks. The Internet was now a free fire zone and it was our fault.
I responded by defaulting to the "land, sea, air, space, cyber" construct. "The cyberdomain wasn't the only global commons on the list," I said. "The maritime domain had been such for eons. And no one objected to the existence of navies. In fact, a good case could be made that navies were essential to keeping that commons common."
I could have added that the cyberdomain had never been a digital Eden. It was always Mogadishu. The president of Estonia, Toomas Hendrik Ilves, knows something about this. His country's Internet collapsed in 2007 under attack by "patriotic Russian hackers" (read criminal gangs repaying a debt to the Russian state for the freedom of action they enjoy there) after Tallinn tried to move a Red Army memorial from downtown to the suburbs.
President Ilves has a wonderful way of capturing all this. He says that, lacking a Lockean social contract in the cyberdomain, what we have is an almost purely Hobbesian universe, a universe where Hobbes' description of ungoverned life as "poor, nasty, brutish, and short" really applies. There is simply no rule of law there.
The US government agrees about the danger. In January 2005, it stood up Joint Functional Component Command-Net Warfare, or JFCC-NW, which was essentially the nation’s computer network attack force to defend itself in this Hobbesian world.
I was the first commander of JFCC-NW but didn't stay very long. A month later, the president announced my nomination as the first principal deputy director of National Intelligence and I was confirmed by the Senate for that job in late April.
Even as I left, though, I could see that we now had a structure to go along with the vision we had been nurturing since the 1990s: A defensive center in the NSA Threat Operations Center (NTOC), an ongoing espionage enterprise in NSA’s Tailored Access Operations (TAO), and an offensive arm in JFCC-NW. All were big, thriving enterprises set up in about a decade – the speed of light by Washington standards.
We also had a vote of confidence from the Joint Chiefs and enough promise that Congress swallowed some unusual command relationships. All we needed were some real weapons.
The evolution of cyberweapons
Despite the cyberdomain’s tilt toward the offense, this is still hard work. To attack a target, you first have to penetrate it. Access bought with months if not years of effort can be lost with a casual upgrade of the targeted system, not even one designed to improve defenses, but merely an administrative upgrade from something 2.0 to something 3.0.
Once in, you need a tailored tool to create the desired effects. Very often this has to be a handcrafted tool for the specific target. It is not the same as cranking out 500-pound bombs and putting them on the shelf with their laser guidance kits.
A lot of the weapons in our toolbox were harvested in the wild from the Web. Tools with a Web history would make attribution an even more difficult challenge if they were ever used. But some of those exploits could be pretty ugly, so they had to be modified to meet our operational and legal requirements.
What we wanted were weapons that met the standards of the laws of armed conflict – weapons that reflected the enduring principles of necessity, distinction, and proportionality.
First, they had to produce an effect that was predictable and responsive to a genuine military need. I'm not talking about pounding bank websites with massive distributed denial of service, or DDoS, attacks like the Iranians did to US banks in 2012. I mean disabling an air defense system – which the Israelis were alleged to have done in 2007 while destroying a Syrian nuclear reactor.
And even when the effects were predictable and legitimate, policymakers wanted to know if you could limit them to the intended target – which is the distinction part – and, to the degree you could not, if the desired effect justified the collateral damage, which is where proportionality comes in.
These are time-honored, universal principles for any war-maker with a conscience. But in physical space, there was often a century or more of experience to fall back on. You'd consider what a high-explosive warhead would do when it hit at a particular angle and against a particular target. But that calculus hadn't yet been developed when considering the damage from a cyberweapon.
In concrete terms, the dialogue in the Situation Room began with the National Security Advisor asking something like this:
"So, you're saying that you can disrupt the power supply to this key military facility."
"Yes, sir, and through persistent attacks keep it down."
"Good. Now what else is on that net?"
"Well, sir, we think we can keep the effects confined to a pretty small physical area."
"Probably 30-40 square miles."
"Worst case, how many hospitals in that area?"
"Worst case, four. Maybe five."
"Do they all have UPS [uninterruptible power supply]?"
"We're working that now."
The National Security Advisor pauses, reflects, and then moves on by saying, "OK. Get back to me. We'll take this up again next time."
And the next time and the next time and the next time.
These kinds of meetings invariably take place in the Situation Room – not in the Pentagon or at Langley or at some combatant command headquarters. From their inception, cyberweapons have been viewed as "special weapons," not unlike nuclear devices of an earlier time.
But these weapons are not well understood by the kind of people who get to sit in on meetings in the West Wing and as of yet there has not been a Herman Kahn, the famed military strategist who worked at Rand Corp., to explain things to them.
First, there's the technical challenge. I recall one cyberoperation while I was in government that went awry, at least from my point of view. In hindsight, it was clear that no one at the final approval session had left the Situation Room thinking they had approved the same operation.
Beyond complexity, developing policy for cyberops is hampered by excessive secrecy (even for an intelligence veteran). I can think of no other family of weapons so anchored in the espionage services for their development (except perhaps armed drones). And the habitual secrecy of the intelligence services bled over into cyberops in a way that has retarded the development – or at least the policy integration – of digital combat power. It is difficult to develop consensus views on things that are largely unknown or only rarely discussed by a select few.
Technical challenges and policy ambiguities, however, did little to dim the spirit of cyber enthusiasts. We were like airpower enthusiasts before World War II: "The bomber will always get through!" Like them, for a long time we were long on theory and short on practical success.
Even so, in 2004 and 2005, we had largely been spray painting virtual graffiti on digital subway cars. We could harass but we weren't decisive. An effort before the invasion of Iraq to e-mail Iraqi officials warning them of their fate and suggesting alternative courses of action did little more than annoy them. In another operation, we made Slobodan Milosevic’s phone ring incessantly, but there is no evidence that it shortened any aspect of the Balkan conflict.
A crucial turning point
The dramatic event in the annals of airpower was the sinking of the captured German battleship, the Ostfriesland, off of Hampton Roads in 1921. The ship was undefended and not underway, but with multiple waves of attacks over two days she was sent to the bottom by land-based bombers. It was not even close to an operational test, but airmen hailed it as the dawn of a new age.
I reminded our cyber warriors that as staged as the Ostfriesland event was, we were even less convincing. We hadn't yet come close to sinking the Ostfriesland. America's cyber warriors kept trying, though, perhaps at times a little too hard.
With wars underway in Iraq and Afghanistan and globally against terrorist networks, the Joint Chiefs had issued a standing execute order (EXORD) authorizing action to counter the enemy's use of the Internet. It went by the unwieldy acronym CAUI (pronounced cow-ee). On the surface, it appeared like broad authority, but it was actually quite limited since it required specific, senior level permission to undertake any operation that wasn't merely tactical in its conduct and very local in its effects.
In the run up to one of the 9/11 anniversaries, while I was serving as director of the CIA, it was proposed that broad CAUI authorities be used to block a video that Osama bin Laden had prepared to mark the occasion. His purpose was to taunt us and demonstrate that we couldn't dilute his propaganda. Our goal was to visibly frustrate his timetable to get his message online in time for the anniversary. That wasn't really a strategic effect, but it was attractive enough to be approved at a deputies' committee meeting.
The plan called for denying Al Qaeda access to websites that they intended to use for distribution. Some could be controlled cooperatively. Others had to be taken down.
Among the latter was a site controlled by a counterterrorism partner in the Middle East. It was a vile site designed to attract genuine jihadists. The debate over taking it down reflected a perennial question for us: Did we want to take jihadists on in the cyberdomain, or was it better to just monitor them there to better attack them in physical space? The traditional answer was the latter; in this case we were going with the former.
The attack was a success. The site went down hard. The 9/11 anniversary passed without an Osama bin Laden release. But before any celebrations, my regional experts were all over me complaining about the impact on our counterterror partner. The partner knew they were being attacked and were sure they knew who was doing it. And every time they rebuilt their site, it went down again.
No one thought we could keep the video off the Web forever. There were just too many sites that could be used. It was time to stop this.
Over our objections, though, the attack persisted, so I called Gen. Jim Cartwright, vice chairman of the Joint Chiefs. General Cartwright seemed to understand the dilemma: We had achieved a tactical success, but now were threatening an important strategic relationship.
Cartwright approved me calling my counterpart and promising that the attacks would stop within 24 hours. I did so on a Saturday morning, confident the attacks would stop that day.
But they didn't. I still can't explain why. In 1921, Air Force Gen. Billy Mitchell had to break the ground rules to demonstrate his point with the Ostfriesland. That really angered the Navy. Now, it seemed that we were doing the same thing here except that this time we were disappointing, angering, and almost betraying a partner, one who put great stock in personal relationships and trust. I broke ranks and confessed to the partner that we did not support the continued action, but that I was powerless to stop it.
Later, at my request, Cartwright apologized personally to our ally in my office. Afterwards, I requested some private time with then National Security Advisor Stephen Hadley.
"Steve," I began, "There is no need for CIA to attend future meetings on proposed cyberoperations. Until we get a governance structure that is more sophisticated and sensitive than this last 'fire and forget' drill, we'll just mail it in. Put us down as opposed."
Mr. Hadley was taken aback. The anger was a little out of character for me, he said. And he was probably remembering that I was JFCC-NW's first commander. Just shows how mad we were.
To be clear, it wasn't that we at CIA were ideologically opposed to cyberops. Quite the opposite. We even had our own cyber force, the Information Operations Center (IOC), that former CIA director George Tenet launched and which had grown steadily under the next spy chief, Porter Goss, and me.
The CIA didn't try to replicate or try to compete with NSA or JFCC-NW. When asked about it, I explained that the IOC was a lot like Marine Corps aviation while NSA was an awful lot like America's Air Force.
Marine Corps aviation is an integral part of the Marines' air-ground team. It doesn't try to match the Air Force; it simply provides airpower to support the Marines' historic missions. The IOC develops cyberpower so that the agency can perform its traditional missions, too.
In aviation, it is important that both the Marines and the Air Force are on the same air tasking order. Otherwise, you could have fratricide.
The same is true for the IOC and Fort Meade in the cyberdomain. Each has to be aware of the other's actions and those actions have to be de-conflicted. That actually works pretty well. There is plenty of work to go around.
Point of no return
I left government in February 2009. Little more than a year later, US Cyber Command (the more robust and more permanent successor to JFCC-NW) stood up at Fort Meade. Gen. Keith Alexander received a fourth star, took over the command, and continued the tradition of aggressively proselytizing the cybermission.
From the outside, it looked like he may have occasionally gotten out in front of the administration's cyber headlights. Reports surfaced that he was called downtown for meetings with Howard Schmidt, the Obama administration's previous cyberczar, and being taken to the woodshed by John Brennan, the president's homeland security adviser.
By the middle of 2010, though, there was little doubt that cyberweapons had come of age. Someone, almost certainly a nation-state (since this was something too hard to do from your garage) had used a cyberweapon that was popularly labeled Stuxnet to disable 1,000 centrifuges at the Iranian nuclear facility at Natanz. For someone like me, that was almost an unalloyed good. It set the Iranian program back some six to 12 months.
But let me describe that achievement in just a slightly different way. Someone had just used a weapon comprised of ones and zeros, during a time of peace, to destroy what another nation could only describe as critical infrastructure.
When the fact of the attack became public, I commented that – although this did not compare in any way in destructive power – it felt to me a little bit like August 1945. Mankind had unsheathed a new kind of weapon. Someone had crossed a Rubicon. A legion was now permanently on the other side of the river.
We were in a new military age. What had been concept and anticipation only two decades earlier in Texas was now reality. I had been a part of it – probably pushed some of it along – and certainly got a chance to be present at some important milestones and decisions.
And now I knew that we would all have to live with the consequences of what we had conceptualized, nurtured, and created.
Gen. Michael Hayden (ret.) directed the National Security Agency, served as principal deputy director of National Intelligence, and led the CIA. He is currently a principal at The Chertoff Group, a consulting firm in Washington.
This piece was adapted from General Hayden's newly released book, "Playing to the Edge: American Intelligence in the Age of Terror." Reprinted by arrangement of Penguin Press, part of Penguin Random House Inc. Copyright 2016 by Michael V. Hayden.