CYBERCOM versus NSA: On Fighting Isis or Spying on Them

I keep thinking back to this story, in which people in the immediate vicinity of Ash Carter and James Clapper told Ellen Nakashima that they had wanted to fire Admiral Mike Rogers, the dual hatted head of CyberCommand and NSA, in October. The sexy reason given for firing Rogers — one apparently driven by Clapper — is that NSA continued to leak critical documents after Rogers was brought in in the wake of the Snowden leaks.

But further down in the story, a description of why Carter wanted him fired appears. Carter’s angry because Rogers’ offensive hackers had not, up until around the period he recommended to Obama Rogers be fired, succeeded in sabotaging ISIS’ networks.

Rogers has not impressed Carter with his handling of U.S. Cyber Command’s cyberoffensive against the Islamic State. Over the past year or so, the command’s operations against the terrorist group’s networks in Syria and Iraq have not borne much fruit, officials said. In the past month, military hackers have been successful at disrupting some Islamic State networks, but it was the first time they had done that, the officials said.

Nakashima presents this in the context of the decision to split CYBERCOM from NSA and — click through to read that part further down in the piece — with Rogers’ decision to merge NSA’s Information Assurance Directorate (its defensive wing) with the offensive spying unit.

The expectation had been that Rogers would be replaced before the Nov. 8 election, but as part of an announcement about the change in leadership structure at the NSA and Cyber Command, a second administration official said.

“It was going to be part of a full package,” the official said. “The idea was not for any kind of public firing.” In any case, Rogers’s term at the NSA and Cyber Command is due to end in the spring, officials said.

The president would then appoint an acting NSA director, enabling his successor to nominate their own person. But a key lawmaker, Sen. John McCain (R-Ariz.), the chairman of the Senate Armed Services Committee, threatened to block any such nominee if the White House proceeded with the plan to split the leadership at the NSA and Cyber Command.

I was always in favor of splitting these entities — CYBERCOM, NSA, and IAD — into three, because I believed that was one of the only ways we’d get a robust defense. Until then, everything will be subordinated to offensive interests. But Nakashima’s article focuses on the other split, CYBERCOM and NSA, describing them as fundamentally different missions.

The rationale for splitting what is called the “dual-hat” arrangement is that the agencies’ missions are fundamentally different, that the nation’s cyberspies and military hackers should not be competing to use the same networks, and that the job of leading both organizations is too big for one person.

They are separate missions: CYBERCOM’s job is to sabotage things, NSA’s job is to collect information. That is made clear by the example that apparently irks Carter: CYBERCOM wasn’t sabotaging ISIS like he wanted.

It is not explicit here, but the suggestion is that CYBERCOM was not sabotaging ISIS because someone decided it was more important to collect information on it. That sounds like an innocent enough trade-off until you consider CIA’s prioritization for overthrowing Assad over eliminating ISIS, and its long willingness to overlook that its trained fighters were fighting with al Qaeda and sometimes even ISIS. Add in DOD’s abject failure at training their own rebels, such that the job reverted to CIA along with all the questionably loyalties in that agency.

There was a similar debate way back in 2010, when NSA and CIA and GCHQ were fighting about what to do with Inspire magazine: sabotage it (DOD’s preference, based on the understanding it might get people killed), tamper with it (GCHQ’s cupcake recipe), or use it to information gather (almost certainly with the help of NSA, tracking the metadata associated with the magazine). At the time, that was a relatively minor turf battle (though perhaps hinting at a bigger betrayed by DOD’s inability to kill Anwar al-Alwaki and CIA’s subsequent success as soon as it had built its own drone targeting base in Saudi Arabia).

This one, however, is bigger. Syria is a clusterfuck, and different people in different corners of the government have different priorities about whether Assad needs to go before we can get rid of ISIS. McCain is clearly on the side of ousting Assad, which may be another reason — beyond just turf battles — why he opposed the CYBERCOM/NSA split.

Add in the quickness with which Devin Nunes, Donald Trump transition team member, accused Nakashima’s sources of leaking classified information. The stuff about Rogers probably wasn’t classified (in any case, Carter and Clapper would have been the original classification authorities on that information). But the fact that we only just moved from collecting intelligence on ISIS to sabotaging them likely is.

CYBERCOM and NSA do have potentially conflicting missions. And it sounds like that was made abundantly clear as Rogers chose to prioritize intelligence gathering on ISIS over doing things that might help to kill them.

6 replies
  1. lefty665 says:

    Those missions have been present in NSA since the beginning.  Originally they were communications security (com sec) and communications intelligence (com int). They have evolved from communications to information and now to cyber. There has been considerable synergy between the missions. You don’t do sec very well without understanding int and vice versa.

    That this is now being presented as an insoluble conflict that requires separating the functions seems a fabricated issue.  Perhaps it is more a political exercise than technical. I don’t often agree with McCain, but it seems he may have this right.

    • uymalchin says:

      This is an important point. Historically within the NSA and GCHQ community there has been a critical cross-fertilization between the COM/INFOSEC people (defensive) and the SIGINT people (active). Specifically, many of the most significant modern cryptanalytic techniques in the SIGINT world originated in the COMSEC world as techniques for stressing and validating new defensive cryptosystems. Erecting an institutional wall between them would have been profoundly counterproductive.

      • SpaceLifeForm says:

        You *ASSUME* that no such wall exists.
        You *ASSUME* that all NSA players all
        agree on the same mission.

        Totally assumes facts not in evidence.

        With compartmentalization and a huge set
        of Classification Markings, there is no reason
        to assume that the SIGINT side is up to date
        on the latest INFOSEC knowledge. Zilch.

        SIGINT is looking for needles in haystacks
        while INFOSEC is buiding better haystacks.

        It is the new and improved haystacks inside
        NSA that are the problem and the SIGINT
        folks inside NSA are not even looking for
        the internal haystacks. Most do not know
        they even exist due to compartmentalization
        and classification markings. Some know.

        At this point in time, there are no watchers
        watching the watchers. The ones that should
        be doing that are spinning their wheels
        because they have been compartmentalized
        and classified out of the big picture.

        • uymalchin says:

          That’s why I was speaking historically, and from broad and extensive first-hand knowledge, pre-9/11. What’s happened since then, and even before that beginning with Hayden’s tenure as DIRNSA, is mostly chaotic.

          That said, the internal haystacks you refer to are pretty uninteresting technically. They’re just hard without being clever, and certainly aren’t illuminating in a theoretical sense.

          • SpaceLifeForm says:

            Au contraire!

            The internal haystacks have to be interesting technically. They *have* to be hard and be clever, and certainly woud be illuminating in a theoretical sense if they were discovered.

            But again, with compartmentalization and
            classification markings, there is likely no one
            really doing the ‘watching the watchers’ role.

            Here’s a couple of dots re internal haystacks:

            . It is not TCP based.
            . It is not over normal routed Internet.

            But what are all the analysts wasting their
            time on?

            TCP traffic over normal routed internet.

            • uymalchin says:

              Interesting on the order of, say, elliptic curve cryptography? Or, perhaps, the discovery that whole families of critical techniques (like Maximum Likelihood Re-estimation or inference on Bayesian Nets) are all special cases of the same fundamental algorithm? Probably not.

              What you’re talking about is not news. It’s been the case at least since major outsourcing began back in the late 90s, and in the same target domains. And in any case, it wasn’t the operational arm (where all the analysts live) I was talking about, but rather research, which is where the cross-fertilization matters.

Comments are closed.