CYBERCOM versus NSA: On Fighting Isis or Spying on Them
I keep thinking back to this story, in which people in the immediate vicinity of Ash Carter and James Clapper told Ellen Nakashima that they had wanted to fire Admiral Mike Rogers, the dual hatted head of CyberCommand and NSA, in October. The sexy reason given for firing Rogers — one apparently driven by Clapper — is that NSA continued to leak critical documents after Rogers was brought in in the wake of the Snowden leaks.
But further down in the story, a description of why Carter wanted him fired appears. Carter’s angry because Rogers’ offensive hackers had not, up until around the period he recommended to Obama Rogers be fired, succeeded in sabotaging ISIS’ networks.
Rogers has not impressed Carter with his handling of U.S. Cyber Command’s cyberoffensive against the Islamic State. Over the past year or so, the command’s operations against the terrorist group’s networks in Syria and Iraq have not borne much fruit, officials said. In the past month, military hackers have been successful at disrupting some Islamic State networks, but it was the first time they had done that, the officials said.
Nakashima presents this in the context of the decision to split CYBERCOM from NSA and — click through to read that part further down in the piece — with Rogers’ decision to merge NSA’s Information Assurance Directorate (its defensive wing) with the offensive spying unit.
The expectation had been that Rogers would be replaced before the Nov. 8 election, but as part of an announcement about the change in leadership structure at the NSA and Cyber Command, a second administration official said.
“It was going to be part of a full package,” the official said. “The idea was not for any kind of public firing.” In any case, Rogers’s term at the NSA and Cyber Command is due to end in the spring, officials said.
The president would then appoint an acting NSA director, enabling his successor to nominate their own person. But a key lawmaker, Sen. John McCain (R-Ariz.), the chairman of the Senate Armed Services Committee, threatened to block any such nominee if the White House proceeded with the plan to split the leadership at the NSA and Cyber Command.
I was always in favor of splitting these entities — CYBERCOM, NSA, and IAD — into three, because I believed that was one of the only ways we’d get a robust defense. Until then, everything will be subordinated to offensive interests. But Nakashima’s article focuses on the other split, CYBERCOM and NSA, describing them as fundamentally different missions.
The rationale for splitting what is called the “dual-hat” arrangement is that the agencies’ missions are fundamentally different, that the nation’s cyberspies and military hackers should not be competing to use the same networks, and that the job of leading both organizations is too big for one person.
They are separate missions: CYBERCOM’s job is to sabotage things, NSA’s job is to collect information. That is made clear by the example that apparently irks Carter: CYBERCOM wasn’t sabotaging ISIS like he wanted.
It is not explicit here, but the suggestion is that CYBERCOM was not sabotaging ISIS because someone decided it was more important to collect information on it. That sounds like an innocent enough trade-off until you consider CIA’s prioritization for overthrowing Assad over eliminating ISIS, and its long willingness to overlook that its trained fighters were fighting with al Qaeda and sometimes even ISIS. Add in DOD’s abject failure at training their own rebels, such that the job reverted to CIA along with all the questionably loyalties in that agency.
There was a similar debate way back in 2010, when NSA and CIA and GCHQ were fighting about what to do with Inspire magazine: sabotage it (DOD’s preference, based on the understanding it might get people killed), tamper with it (GCHQ’s cupcake recipe), or use it to information gather (almost certainly with the help of NSA, tracking the metadata associated with the magazine). At the time, that was a relatively minor turf battle (though perhaps hinting at a bigger betrayed by DOD’s inability to kill Anwar al-Alwaki and CIA’s subsequent success as soon as it had built its own drone targeting base in Saudi Arabia).
This one, however, is bigger. Syria is a clusterfuck, and different people in different corners of the government have different priorities about whether Assad needs to go before we can get rid of ISIS. McCain is clearly on the side of ousting Assad, which may be another reason — beyond just turf battles — why he opposed the CYBERCOM/NSA split.
Add in the quickness with which Devin Nunes, Donald Trump transition team member, accused Nakashima’s sources of leaking classified information. The stuff about Rogers probably wasn’t classified (in any case, Carter and Clapper would have been the original classification authorities on that information). But the fact that we only just moved from collecting intelligence on ISIS to sabotaging them likely is.
CYBERCOM and NSA do have potentially conflicting missions. And it sounds like that was made abundantly clear as Rogers chose to prioritize intelligence gathering on ISIS over doing things that might help to kill them.
Those missions have been present in NSA since the beginning. Originally they were communications security (com sec) and communications intelligence (com int). They have evolved from communications to information and now to cyber. There has been considerable synergy between the missions. You don’t do sec very well without understanding int and vice versa.
That this is now being presented as an insoluble conflict that requires separating the functions seems a fabricated issue. Perhaps it is more a political exercise than technical. I don’t often agree with McCain, but it seems he may have this right.
This is an important point. Historically within the NSA and GCHQ community there has been a critical cross-fertilization between the COM/INFOSEC people (defensive) and the SIGINT people (active). Specifically, many of the most significant modern cryptanalytic techniques in the SIGINT world originated in the COMSEC world as techniques for stressing and validating new defensive cryptosystems. Erecting an institutional wall between them would have been profoundly counterproductive.
You *ASSUME* that no such wall exists.
You *ASSUME* that all NSA players all
agree on the same mission.
Totally assumes facts not in evidence.
With compartmentalization and a huge set
of Classification Markings, there is no reason
to assume that the SIGINT side is up to date
on the latest INFOSEC knowledge. Zilch.
SIGINT is looking for needles in haystacks
while INFOSEC is buiding better haystacks.
It is the new and improved haystacks inside
NSA that are the problem and the SIGINT
folks inside NSA are not even looking for
the internal haystacks. Most do not know
they even exist due to compartmentalization
and classification markings. Some know.
At this point in time, there are no watchers
watching the watchers. The ones that should
be doing that are spinning their wheels
because they have been compartmentalized
and classified out of the big picture.
That’s why I was speaking historically, and from broad and extensive first-hand knowledge, pre-9/11. What’s happened since then, and even before that beginning with Hayden’s tenure as DIRNSA, is mostly chaotic.
That said, the internal haystacks you refer to are pretty uninteresting technically. They’re just hard without being clever, and certainly aren’t illuminating in a theoretical sense.
The internal haystacks have to be interesting technically. They *have* to be hard and be clever, and certainly woud be illuminating in a theoretical sense if they were discovered.
But again, with compartmentalization and
classification markings, there is likely no one
really doing the ‘watching the watchers’ role.
Here’s a couple of dots re internal haystacks:
. It is not TCP based.
. It is not over normal routed Internet.
But what are all the analysts wasting their
TCP traffic over normal routed internet.
Interesting on the order of, say, elliptic curve cryptography? Or, perhaps, the discovery that whole families of critical techniques (like Maximum Likelihood Re-estimation or inference on Bayesian Nets) are all special cases of the same fundamental algorithm? Probably not.
What you’re talking about is not news. It’s been the case at least since major outsourcing began back in the late 90s, and in the same target domains. And in any case, it wasn’t the operational arm (where all the analysts live) I was talking about, but rather research, which is where the cross-fertilization matters.