By Ellen Nakashima
Washington Post Staff Writer
Friday, March 19, 2010; A01
By early 2008, top U.S. military officials had become convinced that extremists planning attacks on American forces in Iraq were making use of a Web site set up by the Saudi government and the CIA to uncover terrorist plots in the kingdom.
"We knew we were going to be forced to shut this thing down," recalled one former civilian official, describing tense internal discussions in which military commanders argued that the site was putting Americans at risk. "CIA resented that," the former official said.
Elite U.S. military computer specialists, over the objections of the CIA, mounted a cyberattack that dismantled the online forum. Although some Saudi officials had been informed in advance about the Pentagon's plan, several key princes were "absolutely furious" at the loss of an intelligence-gathering tool, according to another former U.S. official.
Four former senior U.S. officials, speaking on the condition of anonymity to discuss classified operations, said the creation and shutting down of the site illustrate the need for clearer policies governing cyberwar. The use of computers to gather intelligence or to disrupt the enemy presents complex questions: When is a cyberattack outside the theater of war allowed? Is taking out an extremist Web site a covert operation or a traditional military activity? Should Congress be informed?
"The point of the story is it hasn't been sorted out yet in a way that all the persons involved in cyber-operations have a clear understanding of doctrine, legal authorities and policy, and a clear understanding of the distinction between what is considered intelligence activity and wartime [Defense Department] authority," said one former senior national security official.
CIA spokeswoman Marie Harf said, "It's sheer lunacy to suggest that any part of our government would do anything to facilitate the movement of foreign fighters to Iraq."
The Pentagon, the Justice Department and the National Security Agency, whose director oversaw the operation to take down the site, declined to comment for this story, as did officials at the Saudi Embassy in Washington.Precedent before policy
The absence of clear guidelines for cyberwarfare is not new. The George W. Bush administration was compelled in its final years to refine doctrine as it executed operations. "Cyber was moving so fast that we were always in danger of building up precedent before we built up policy," said former CIA director Michael V. Hayden, without confirming or denying the existence of the site or its dismantling.
Lawyers at the Justice Department's Office of Legal Counsel are struggling to define the legal rules of the road for cyberwarriors, according to current and former officials.
The Saudi-CIA Web site was set up several years ago as a "honey pot," an online forum covertly monitored by intelligence agencies to identify attackers and gain information, according to three of the former officials. The site was a boon to Saudi intelligence operatives, who were able to round up some extremists before they could strike, the former officials said.
At the time, however, dozens of Saudi jihadists were entering Iraq each month to carry out attacks. U.S. military officials grew concerned that the site "was being used to pass operational information" among extremists, one former official said. The threat was so serious, former officials said, that Gen. Ray Odierno, the top U.S. military commander in Iraq, requested that the site be shut down.
The operation was debated by a task force on cyber-operations made up of representatives from the Defense and Justice departments, the CIA, the Office of the Director of National Intelligence, and the National Security Council. Lt. Gen. Keith B. Alexander, who directs the National Security Agency, made a presentation.
The CIA argued that dismantling the site would lead to a significant loss of intelligence. The NSA countered that taking it down was a legitimate operation in defense of U.S. troops. Although one Pentagon official asserted that the military did not have the authority to conduct such operations, the top military commanders made a persuasive case that extremists were using the site to plan attacks.
The task force debated whether to go forward and, if so, under what authority. If the operation was deemed a traditional military activity, no congressional committee needed to be briefed. If it was a covert action, members of the intelligence committees would have to be notified.
The task force weighed possible collateral damage, such as disruption of other computer networks, against the risk of taking no action. Most thought that the damage would be limited but that the gain would be substantial.
"The CIA didn't endorse the idea of crippling Web sites," said a U.S. counterterrorism official. The agency "understood that intelligence would be lost, and it was; that relationships with cooperating intelligence services would be damaged, and they were; and that the terrorists would migrate to other sites, and they did."
Moreover, the official said, "the site wasn't a pipeline for foreign fighters, it was a broad forum for extremists."
But the concerns of U.S. Central Command and other defense officials prevailed. "Once DoD went to the extent of saying, 'Soldiers are dying,' because that's ultimately what the command in Iraq, what Centcom did, it's hard for anyone to push back," one former official said.
The matter appeared settled, ex-officials said. The military would dismantle the site, eliminating the need to inform Congress.
A group of cyber-operators at the Pentagon's Joint Functional Component Command-Network Warfare at Fort Meade seemed ideally suited to the task. The unit carries out operations under a program called Countering Adversary Use of the Internet, established to blunt Islamist militants' use of online forums and chat groups to recruit and mobilize members and to spread their beliefs.
"We were very clear in the meetings" that the goal was to upend the site, one participant said. "The only thing that caught us by surprise was the effect."Unintended outcomes
A central challenge of cyberwarfare is that an attacker can never be sure that an action will affect only the intended target. The dismantling of the CIA-Saudi site inadvertently disrupted more than 300 servers in Saudi Arabia, Germany and Texas, a former official said. "In order to take down a Web site that is up in Country X, because the cyber-world knows no boundaries, you may end up taking out a server that is located in Country Y," the task force participant explained.
After the operation, Saudi officials vented their frustration about the loss of intelligence to the CIA. Agency officials said the U.S. military had upset an ally and acted outside its authority in conducting a covert operation, former officials said.
Efforts were made to mollify the Saudis and the Germans, they said. "There was a lot of bowing and scraping," one official said.
One early advocate for using cyber-operations against extremists was Gen. John P. Abizaid, former Central Command chief. He told a Senate committee in 2006, "We must recognize that failing to contest these virtual safe havens entails significant risk to our nation's security and the security of our troops in the field."
But some experts counter that dismantling Web sites is ineffective -- no sooner does a site come down than a mirror site pops up somewhere else. Because extremist groups store backup copies of forum information in servers around the world, "you can't really shut down this process for more than 24 or 48 hours," said Evan F. Kohlmann, a terrorism researcher and a consultant to the Nine/Eleven Finding Answers Foundation.
"It seems difficult to understand," he added, "why governments would interrupt what everyone acknowledges now to be a lucrative intelligence-gathering tool."
Staff writers Dana Priest and Karen DeYoung contributed to this report.