During suspected Iranian cyberattacks on the Web sites of commercial banks last year, Gen. Keith B. Alexander, who simultaneously heads the country’s largest electronic spy agency and the military’s Cyber Command, proposed a simple solution: Shut off the attacks at their source.
“We had the expertise and could have done something about it,” said one U.S. official, who like others interviewed for this story spoke on the condition of anonymity to describe sensitive discussions. “We’re sitting on their networks overseas. Why don’t we just turn it off?”
But the proposal to send a simple computer “reset” command to the attacking servers was ultimately rejected by National Security Council officials this year because the attacks were not causing enough harm to warrant an offensive response.
The episode shows the willingness — some say eagerness — of Alexander to use his authority to conduct offensive actions to fend off attacks against the private sector. If a similar proposal were on the table today, it would be the new cyber-teams that Alexander is creating to defend the nation that probably would do the job.
As he builds out U.S. Cyber Command at Fort Meade, Md., and other installations to a fighting force of 6,000 over the next three years, there are fresh questions about the wisdom of so much power residing in one
The debate has taken on greater significance in the wake of disclosures by former National Security Agency contractor Edward Snowden about the sweeping scope of the agency’s domestic surveillance to thwart terrorist attacks and gain foreign intelligence.
“The mashing together of the NSA and Cyber Command has blurred the lines between a military command and a national spy agency,” said Peter Singer, a Brookings Institution expert on evolving modes of warfare.
Alexander disagrees. “It’s one network,” he said in a recent interview. “We all operate on the same network. You create more problems by trying to separate them and have two people fighting over who’s in charge [of both missions] than putting it all together. I think our nation benefits from that.”
He said that other countries “do similar things.” Britain’s GCHQ, the equivalent of the NSA, is able to conduct espionage and computer-network attacks.
With Alexander expected to retire next year after eight years as the longest-serving NSA director, his successor will face the questions.
Administration officials acknowledge that there are concerns with what they call the dual-hat assignment, which includes regularly briefing the president on counterterrorism. “It is an unusual arrangement,” said one senior administration official, speaking on the condition of anonymity. “I’m sure that debate will resurface when General Alexander leaves that position — whether that’s the right mixture to have.”
When it comes to cyberattacks, much of the work is done by the NSA’s Tailored Access Operations unit, officials say. Many of the operators are uniformed military personnel who spy on overseas networks for national intelligence priorities, including targets such as Iran, Russia and North Korea, among other countries.
According to interviews with U.S. officials, these same personnel, who operate under intelligence legal authorities, may switch to a military authority when they are ordered to conduct a computer attack under an execute order by the president and the defense secretary. The process is documented. “You can be doing intelligence-gathering one second and then pull the trigger on an offensive op the next,” a former intelligence official said.
“We’re allowing the same military commander to tell us how bad the problem is and propose and implement suggestions to fix it,” said Jason Healey, director of the Atlantic Council’s Cyber Statecraft Initiative. “The concentration of power at Fort Meade risks further militarizing cyberspace.”
Alexander and his supporters have long argued that the NSA and Cyber Command must be closely connected because so much of what Cyber Command was set up to do — from defend to attack — depends on intelligence that comes from the NSA. To re-create the NSA’s capabilities is neither feasible nor desirable, officials say.
“It would be folly to separate them,” a former senior intelligence official said.
Such coordination, Alexander said, is key to the United States’ cyberattack prowess.
“Cyber offense requires a deep, persistent and pervasive presence on adversary networks in order to precisely deliver effects,” Alexander told the House Armed Services Committee in March in a written response to questions.
Effects could include things such as stopping a denial-of-service attack, rerouting a jihadi Web site and disrupting an industrial control or military weapons system, actions that generally require presidential permission.
The NSA and the CIA carried out 231 offensive cyber-operations in 2011, according to classified budget documents obtained by Snowden, The Washington Post reported last month. Their exact nature was not detailed in the documents, but most offensive operations have immediate effects only on data or the proper functioning of an adversary’s machine: slowing its network connection or scrambling the results of basic calculations, which the NSA would do for foreign intelligence purposes. The NSA, officials say, does not conduct a “computer network attack.” That is done by the military under an execute order.
But it can help develop the weapons used in a covert operation, as was reportedly the case with Stuxnet, a computer worm used in an extensive U.S.-Israeli campaign to delay Iran’s nuclear program by disrupting centrifuges in a uranium enrichment plant.
The House and Senate Armed Services committees have raised concerns with the dual-hat arrangement, as well as with a proposal to elevate Cyber Command to a unified command on a par with Central Command and Pacific Command. The cyber unit falls under Strategic Command in Omaha, though it leaves considerable leeway in policy and operational matters to Alexander, officials say. The move to a unified command, once looked upon as a sure bet, has been slowed because of concerns on Capitol Hill and the Snowden disclosures.
Alexander is moving ahead with plans to build out the fledgling command. By the end of 2016, there will be 133 teams, with about 2,000 new personnel in place. About 4,000 will be coming from the services. Alexander said it will take a couple of years to train the teams.
Of the 133 teams, 27 will support the combatant organizations such as Central Command, Pacific Command and European Command. Key questions remain as to how well the teams will meet combatant commanders’ needs and priorities.
Perhaps the most controversial, though, are the 13 national mission teams, whose job it will be to defend the nation in the event of attacks on critical systems in the private sector.
Some in the military say it is not the Defense Department’s job to stave off attacks against U.S. private-sector systems. “My role is to fight wars — not protect the private sector,” was how one military official put it.
But to settle the argument, last year, then-Defense Secretary Leon E. Panetta signed a memo stating that it was the Defense Department’s role to defend the country against cyberattacks.
The national mission forces are “absolutely critical,” Alexander said in the recent interview. “It’s the future. There are only a couple of ways that people can hurt this country: terrorism and cyber. We’re doing really good against terrorism. Our cyber-force we have to build up.”