@War: The Rise of the Military-Internet Complex (14 page)

Service in the crack unit also gives members an impressive credential and sophisticated training that they can parlay into a more lucrative job doing cyber security operations for businesses. Former members of TAO have gone on to work for government contractors, including the software maker SAP and Lockheed Martin, and for brand-name corporations, including Amazon; they have formed their own private cyber security companies, conducting hacker-for-hire operations against companies and foreign groups that are trying to steal information from the private firms' clients.

 

If TAO represents the elite of NSA hackers, a unit within it gathers together the elite of the elite. Its official name is the Remote Operations Center, but insiders call it simply the ROC—pronounced “rock.”

The ROC is home to the most highly skilled and experienced hackers in the government, working at Fort Meade or at outposts in Colorado, Georgia, Texas, and Hawaii, beyond the reach of senior policymakers in Washington. In fiscal year 2013, the ROC was authorized to spend $651.7 million to break in to computer systems around the world, according to the NSA's classified budget. That was twice as much as the entire intelligence community spent defending US military and classified computer networks from attack.

Technically, US Cyber Command is supposed to work with the military combatant commands to conduct cyber war. In reality, the ROC and Cyber Command work hand in hand on surveillance and attack operations, and the ROC is usually in the lead. The ROC's work is inseparable from cyber warfare—surveillance is an essential precursor to attack. The ROC is authorized to scout out systems and networks and provide targeting information to the Cyber Command. And since the two organizations are overseen by the same person—the director of NSA, who is “dual-hatted” to run Cyber Command—they can work together with relative ease.

The regional centers are particularly active when it comes to tracking the United States' foreign enemies—and its allies. In the second half of 2009, a small team at the Hawaii center conducted targeting operations against high-priority al-Qaeda targets.
The hackers broke in to the terrorists' electronic devices, as during the cyber operations in Iraq, in order to lead military forces to them.

The regional centers are also home to some of the most sensitive spying operations against US allies. In May 2010, members of a team in San Antonio, Texas, reported that they'd successfully broken in to an e-mail server used by the president of Mexico and his staff. In a top-secret summary of the operation, dubbed Flatliquid, TAO members crowed that they'd gained “first-ever access to President Felipe Calderón's public e-mail account.”
The team worked with the CIA and spy teams in US embassies in Mexico as well, to surveil phone calls and text messages on Mexican networks.

The same e-mail domain that the NSA compromised also was used by Mexican cabinet officials. The American spies now had access to “diplomatic, economic and leadership communications which continue to provide insight into Mexico's political system and internal stability.” Calderón, a reliable US ally, had been secretly turned into “a lucrative source.”

It was an especially treacherous mission, because Calderón had been so close to US intelligence, military, and law enforcement officials as they worked together to combat Mexico's violent drug cartels, which had assassinated law enforcement officials and practically taken over entire Mexican towns during their reign of terror. Whenever senior US intelligence officials spoke about United States–Mexican relations, they were quick to praise Calderón and the way he'd opened up his government to work with the Americans, who provided intelligence about the drug cartels, including communications intercepted by the very same agency that was spying on the Mexican president.

It wasn't that US officials doubted Calderón's commitment to the drug war. But they apparently wanted to be sure that he was doing all he'd promised on his side of the border, and that there weren't threats against him that he either couldn't see or couldn't deter. It was paternalism mixed with condescension—the country was too unstable for Calderón to manage on his own, officials seemed to think.

But it was in America's self-interest to spy on Calderón too. American officials thought that the cartels could extend their violent reach over the border into the United States, and that they might even topple Calderón's government or weaken it so much that Mexico effectively became a failed state. In the summer of 2012 the NSA accessed the e-mails of then presidential candidate Enrique Peña Nieto, who took office in December of that year. The agency intercepted his cell phone calls, too, along with those of “nine of his close associates,” as well as more than 85,000 text messages sent by Nieto and his associates, the top-secret NSA document states. The spies used a graphing program that displayed who was in touch with whom, then determined which sets of communications indicated significant relationships among those being monitored. Those people were watched more closely.

To say that the NSA has a tin ear for the political sensitivity of its work is to misinterpret what it does. Though the spying operations against US allies are obvious betrayals of trust, they are standard practice in the espionage business—and in that business, NSA officials and employees insist they are only following orders from the president, his cabinet, and top policymakers. In fact, twice a year they craft and approve a document that lays out the topics on which they want intelligence from the NSA and other agencies. Monitoring the inner workings of the Mexican government was essential to preserving the security of both countries, Obama administration officials decided. The NSA didn't choose to spy on Mexico—it was assigned that task.

 

The way that Tailored Access Operations and the ROC blend expertise and personnel from the spy agencies and the military points to one of the key features of cyber warfare: it blurs the lines between pure intelligence and military operations. Intelligence agencies, under US law, are allowed to engage in covert operations that violate other countries' laws and sovereignty and are designed to obscure the United States government's involvement. Military operations are conducted under international laws of war and, while not exactly done out in the open, are arguably more transparent and accountable than intelligence operations. When the two are put together, it creates challenges for lawyers and agency officials to know when an operation is being conducted under intelligence laws and regulations or under military ones. In practical terms, the decision is made by NSA officials, up to and including the director, who himself switches back and forth between running the agency (where he is a spy) and running Cyber Command (where he is a warrior).

This fungibility between spy and soldier mirrors what has happened in the world of special operations forces, in which military commandos, trained to fight wars, are sent out on covert intelligence missions. The operation that killed bin Laden was run in fact by the head of the Joint Special Operations Command, Admiral Bill McRaven. But in law it was overseen by the director of the CIA, Leon Panetta. In practice, that meant that Panetta sat in a room in Langley, Virginia, declared himself nominally in charge, and then told McRaven to run the show. No one doubted that McRaven was calling the operational shots, and that his soldiers were in charge of their own mission. But the legal distinction was important. For starters, it would give the United States government the ability to deny knowledge of the operation were it ever discovered. Second, it allowed the United States to skirt certain laws of war—namely, that a country cannot invade another, in this case Pakistan, where bin Laden was hiding, if the two countries aren't at war. Turning soldiers into spies is a common practice when boots are on the ground. So it is in cyberspace.

Indeed, the NSA couldn't carry out all of its hacking missions without the CIA's help. CIA personnel have conducted more than one hundred so-called “black bag jobs” to break in to physical facilities and install malware or surveillance equipment on the computer systems of foreign governments, militaries, and corporations—particularly telecommunications and Internet services providers. These computers are too hard for the NSA to reach remotely.

These secret break-ins are conducted by the Special Collection Service, a joint CIA-NSA office headquartered near Beltsville, Maryland, about a ten-minute drive from the NSA. The group earned a reputation for derring-do at the height of the Cold War, bugging Communist Party officials of the Soviet Union and Eastern bloc. Its members have been compared to the stealthy, acrobatic break-in artists of the
Mission: Impossible
TV series and movie franchise. Reportedly, they used lasers aimed at windows to record conversations inside offices. They even tied surveillance devices to pigeons that perched on the windowsills of the Soviet embassy in Washington, DC.

Today the Special Collection Service works out of sixty-five locations, or “listening posts,” in US embassies and consulates. Its new targets are terrorists in remote areas, where it's difficult to place a listening device, and on foreign governments building up their own cyber armies, particularly in China and East Asia. (Alexander sent some members of the service to work with cyber forces in Iraq to hunt down insurgents and terrorists.) The group plays an indispensable role in helping NSA establish the digital beachheads it needs to listen in on hard-to-reach communications networks and devices and, should the need arise, to launch cyber attacks to destroy or disrupt those systems. A few years ago the Special Collection Service reportedly got access to the switching center that services several fiber-optic trunk lines in a South Asian country. It gave the NSA the ability to intercept the communications of the country's top military commanders and also created a vital access point to its communication arteries. These kinds of operations result in an intelligence twofer—surveillance and a base of operations for cyber attacks. The NSA secretly commandeers computers in these countries as well, and can use them to launch malicious software, so that it can't easily be traced back to the United States. Several dozen clandestine CIA officers trained for the black-bag operations to implant this spyware now work full-time at NSA headquarters in Fort Meade.

The CIA has also set up its own hacker force, known as the Information Operations Center, or IOC.
According to a budget document leaked by Edward Snowden, this CIA group has grown in size in recent years and now employs hundreds of people, making it one of the agency's largest groups. The IOC launches cyber attacks and recruits foreign spies to help conduct its operations, according to the document.

 

The Internet has become a battlefield. In recent years the alliance between soldiers and spies has grown stronger, and they have expanded the terrain on which they fight together.

They've exported to Afghanistan the hunting techniques that proved so effective in Iraq. NSA hackers went into the war zone and worked alongside combat forces rounding up or killing Taliban fighters. Under a program called Shifting Shadow, the agency collected communications and locations information on cell phones in Afghanistan, tapping into what a classified document calls a “foreign access point.” But other data was pumped into the analysis machine, including public-opinion polling, vehicular traffic reports, and even the price of food staples in the marketplace.
Analysts were trying to gauge the public's mood and seeking connections between, for example, spikes in the prices of potatoes and the outbreak of violence. Results were mixed. One US official claimed the system could “predict the future,” and credited it with determining the time and location of Taliban attacks with 60 to 70 percent accuracy. Others derided the system as a bloated and expensive data-mining experiment that never really provided the useful results that its backers claimed.

But whatever the degree of effectiveness, senior military leaders in Afghanistan believed that cyber warfare made a major contribution, and as the war dragged on, they opened a window on those usually secretive operations. “I can tell you that as a commander in Afghanistan in the year 2010, I was able to use my cyber operations against my adversary with great impact,” said marine lieutenant general Richard P. Mills during a speech at a technology conference in Baltimore in August 2012. “I was able to get inside his nets, infect his command-and-control, and in fact defend myself against his almost constant incursions to get inside my wire, to affect my operations.” At the time, Mills had been the highest-ranking marine in Afghanistan, where he led combat forces in the southwest. In his public remarks he was describing the same techniques and tactics that had been used in Iraq.

Over the course of two wars, the NSA deployed more than six thousand of its personnel to combat zones. Twenty of them died. No one could say that a cyber war was entirely without risk to those who fought it.

These cyber warriors were sent into smaller, shorter wars as well.

During US military operations in Libya in 2011, which led to the ouster of Muammar Gaddafi, the NSA worked with the navy's cyber warriors to track targets in Libya and help create “strike packages.” The hackers found targets on the ground via their electronic devices and radio signals, then passed along the coordinates to an aircraft carrier strike group, led by the USS
Enterprise
. Those cyber operations were conducted in the navy's Information Operations Command, which is based at Fort Meade along with the NSA.

It was hardly the first time the navy and the NSA had worked together. During a six-month project directed by the secretary of defense in 2010, the navy's Information Operations Command worked with the NSA and its Special Source Operations division, which monitors US communications companies, including those who provide information to the Prism system. Certain details remain classified, including whether it was aimed at a government or a terrorist network. But according to a participant, the operation led to the real-time tracking of more than 600 individual targets in at least fourteen countries and generated nearly 150 written reports. It marked a further evolution in cyber warfare and espionage that a branch of the armed forces was working with an intelligence agency to tap into information held by US companies. Historically, the military had refrained from conducting operations inside the United States. And while their targets were not there, the tools they were using to fight this new war were. At moments like this, the Internet seems to be a borderless battlefield.