Cyber Warriors and Cyber Spies Struggle to Strike Balance

| Ned Carmody
Ned Carmody
Former Case Officer, CIA

On May 2, 2011 the agonizing, decade-long hunt for Osama bin Laden finally ended. The raid by U.S. Navy seals on the walled compound in Abbottabad, Pakistan was the culmination of years of intelligence gathering.

Following the September 11, 2001 attacks, the CIA stepped up efforts begun years earlier to gather information on al Qaeda’s major players as well as its foot soldiers and couriers. Reports began filtering in about a courier particularly close to bin Laden who operated under the pseudonym of Abu Ahmed al-Kuwaiti. Sometimes what was not said was as useful as what was. In the “wilderness of mirrors” that is the world of intelligence, when detainee Khalid Sheikh Mohammed initially denied knowing al-Kuwaiti, it only raised suspicions that al-Kuwaiti was an important figure in the al Qaeda organization.

Slowly but relentlessly, snippets of additional information began to accumulate. In 2005, the CIA finally discovered the courier’s family name but still could not locate him. NSA began intercepting telephone calls and emails from al-Kuwaiti’s family in the Middle East to individuals in Pakistan. In 2009, armed with a general area in which to search, officers of the intelligence arm of the Pakistan military, the Inter Services Intelligence Directorate (ISI), spotted al-Kuwaiti driving a vehicle in the northern Pakistan city of Peshawar. A year later, al-Kuwaiti unknowingly led the Pakistan officers to a large, secluded and secure compound in Abbottabad.

The exact details of the hunt for bin Laden are not important for our purposes here. What is critical to understand, however, is that somewhere along the line, a conscious decision was made to continue this effort to locate al-Kuwaiti – and hopefully bin Laden – as an intelligence operation. U.S. officials had to have considered taking military action against al-Kuwaiti, sending in a commando team to take him prisoner or even launching a drone to take him out. Yet, no precipitous action was taken. Al-Kuwaiti was left untouched in order to collect the intelligence needed to achieve the ultimate goal: the capture of America’s number one enemy, Osama bin Laden. Risk was involved in allowing al-Kuwaiti to continue functioning as a courier, but in the long run, the payoff for continuing to collect intelligence was infinitely more valuable.

This fundamental conflict between military action and intelligence collection continues to affect our counterterrorism efforts to this day. For the past few years, U.S. Cyber Command has been engaged in cyber warfare against ISIS and other terrorist groups. The objective is to disrupt the ability of ISIS to spread its propaganda, attract new recruits, raise money, and communicate with its widely dispersed network of fighters.

Unlike intelligence agencies – who operate under Title 50 authorities – Cyber Command has warfighting authority under Title 10 of U.S. Code to disrupt, deny, degrade, or destroy information on ISIS computers and networks, or the computers or networks themselves.  Cyber Command operators not only can retrieve information they find, but they are also able to corrupt or erase data, or even to change the content of messages. Seemingly a marvelous mechanism for shutting down ISIS internet command and control and for sowing dissent and confusion within its ranks, Cyber Command’s campaign has been less successful in disrupting ISIS’s global reach for recruitment as originally hoped. The problem is that every time one channel of outreach is shutdown, another quickly pops up to take its place. Taking advantage of relatively low-tech systems and low-cost but highly effective encryption technologies, the terrorist group seems to have little difficulty in quickly re-building their communication centers in new locations. As a result, Cyber Command finds itself caught in a never-ending game of whac-a-mole.

The other concern with Cyber Command’s campaign against ISIS takes us back to the military action versus intelligence collection dilemma alluded to above. An inherent clash exists between the military’s mission to disrupt ISIS communications and the intelligence community’s mandate to collect and analyze intelligence from those same computer networks. Inevitably, tensions created by differing goals and objectives come into play. Intelligence officers undoubtedly applaud Cyber Command’s efforts to cut off ISIS recruitment efforts, but they must also wonder, at what cost in potential intelligence gained?

Intelligence cyber operators want to mount penetrations to collect critically needed information on ISIS and its modus operandi, not to knock out every computer found. If the military’s computer network attack (CNA) approach is not as successful than hoped, should we be giving computer network exploitation (CNE) – i.e., digital age “spying” using computers to get inside adversary’s networks to collect intelligence – more of a chance?

NSA penetrations are stealthy and subtle – difficult, if not impossible, to detect. NSA cyber operators have the ability to extract large volumes of data from adversary networks without the enemy ever knowing it happened. On the other hand, when Cyber Command loudly kicks in the door of an ISIS computer, the secrecy is lost and intelligence avenues are blown. Even if the data is not completely destroyed, vulnerabilities are exposed and exploits revealed. The enemy now knows we can penetrate his network and can take measures to change codes or enhance security. He can also share U.S. hacking capabilities among fellow terrorist operators, potentially undermining intelligence collection efforts against other nodes of the group’s network. How much critical information is being lost?

The irony is, of course, that under the current structure the same individual is dual-hatted as the head of both NSA and Cyber Command. Earlier this month, President Donald Trump announced the elevation of Cyber Command to a unified combatant command after it had previously functioned as a sub-unified command under U.S. Strategic Command. The president also asked Secretary of Defense James Mattis to examine the possibility of separating NSA and Cyber Command, which have been joined at the hip since Cyber Commands establishment in 2009.  Under requirements present in the 2017 National Defense Authorization Act, however, it must be made certain that the capabilities of both Cyber Command and NSA will not be degraded if the institutions undergo a bureaucratic split.

The relative pluses and minuses of separation have been under discussion for years, almost since the inception of Cyber Command in 2009. On the one hand, the combination of the two entities makes considerable sense. NSA skill in getting inside adversary networks to map out its structure and to identify weak points largely makes Cyber Command’s cyber attacks possible. In addition, Cyber Command relies heavily on NSA’s resources, personnel, expertise and equipment. Particularly when it was first formed, Cyber Command could not come close to duplicating NSA’s capabilities.

On the other hand, the joining is an awkward fit. Cyber Command is a warfighting body, established to provide offensive cyber support to the other commands in the event of declared hostilities. Cyber Command is the military’s attempt to put the fight in cyberspace on the same footing as more traditional battle domains on land, at sea, and in the air. NSA, alternatively, is an intelligence collection and information assurance organization. It operates under different authorities and answers to different overseers – the House and Senate intelligence committees provide oversight to the intelligence agencies while the armed services committees oversee Cyber Command.

As but one example of the differences, NSA is specifically prohibited from engaging in any form of computer attack, while Cyber Command was created to do exactly that in times of war. Most importantly, as we have seen, the intelligence goals of NSA and the military objectives of Cyber Command are not always in alignment. Most expert believe that the divide is too great to continue, and separation is inevitable and imminent.

Advocates for more autonomy and authority for Cyber Command argue that working through Strategic Command slows down operational approval, coordination, and getting the job done. Yet, Michael Sulmeyer, Director of the Belfer Center’s Cyber Security Project at Harvard’s Kennedy School, has written that in his experience in the Cyber Policy office of the Office of the Secretary of Defense, he never came across a function Cyber Command might be asked to execute that could only be performed by a full, unified command (Strategic Command) but not by a sub-unified command (Cyber Command). Sulmeyer believes the Trump administration’s decision to elevate Cyber Command will not have much of an effect, although he also does not see elevation as harmful in any way.

Sulmeyer and other critics do worry, however, that separating Cyber Command from NSA could result in a lessening of sharing and cooperation. Tensions already exist between the two. Without a single boss in charge of both organizations, the possibility of personality conflicts arises. NSA could also simply chose to focus on its own core missions of signals intelligence collection and information assurance, while limiting its support to Cyber Command. As Sulmeyer has cautioned, the White House and the Pentagon will have to reach a clear understanding with the new NSA director – who may be a civilian for the first time ever – about NSA’s ongoing relationship with Cyber Command.

Military victories on the ground have shrunk ISIS territory and have undoubtedly helped Cyber Command’s program. As ISIS loses ground in Syria, it simply has fewer places to hide its communications platforms. Nevertheless, Cyber Command will continue to rely heavily on NSA’s computer exploitation abilities in years to come. The dilemma over whether to take military action to shut down terrorist computers or to promote intelligence collection operations against those same computers will not go away.

CLICK TO ADD YOUR POINT OF VIEW

The Author is Ned Carmody

Ned Carmody served as a case officer in the CIA's Directorate of Operations for nearly 28 years. His career included interagency assignments to NSA, the FBI's National Joint Terrorism Task Force, the U.S. Army War College and the Office of the Director of National Intelligence.

Learn more about The Cipher Brief's Network here.