ON February 20, two weeks before the Aurora Generator Test, Mike McConnell was sworn in as director of national intelligence. It was a new job in Washington, having been created just two years earlier, in the wake of the report by the 9/11 Commission concluding that al Qaeda’s plot to attack the World Trade Center succeeded because the nation’s scattered intelligence agencies—FBI, CIA, NSA, and the rest—didn’t communicate with one another and so couldn’t connect all the dots of data. The DNI, a cabinet-level post carrying the additional title of special adviser to the president, was envisioned as a sort of supra-director who would coordinate the activities and findings of the entire intelligence community; but many saw it as just another bureaucratic layer. When the position was created, President Bush offered it to Robert Gates, who had been CIA director and deputy national security adviser during his father’s presidency, but Gates turned it down upon learning that he would have no power to set budgets or hire and fire personnel.
McConnell had no problem with the job’s bureaucratic limits. He took it with one goal in mind: to put cyber, especially cyber security, on the president’s agenda.
Back in the early- to mid-1990s, as NSA director, McConnell had gone through the same roller-coaster ride that many others at Fort Meade had experienced: a thrilled rush at the marvels that the agency’s SIGINT teams could perform—followed by the realization that whatever we can do to our enemies, our enemies could soon do to us: a dread deepened, in the decade since, by America’s growing reliance on vulnerable computer networks.
After McConnell left the NSA in early 1996, he was hired by Booz Allen, one of the oldest management consulting firms along the capital’s suburban Beltway, and transformed it into a powerhouse contractor for the U.S. intelligence agencies—an R&D center for SIGINT and cyber security programs, as well as a haven of employment for senior NSA and CIA officials as they ferried back and forth between the public and private sectors.
Taking the DNI job, McConnell gave up a seven-figure salary, but he saw it as a singular opportunity to push his passions on cyber into policy. (Besides, the sacrifice was hardly long-term; after his two-year stint back in government, he returned to the firm.) In pursuit of this goal, he stayed as close as he could to the Oval Office, delivering the president’s intelligence briefing at the start of each day. A canny bureaucratic player with a casual drawl masking his laser-beam intensity, McConnell also dropped in, at key moments, on the aides and cabinet secretaries who had an interest in cyber security policy, whether or not they realized it. These included not only the usual suspects at State, Defense, and the National Security Council staff, but also the Departments of Treasury, Energy, and Commerce, since banks, utilities, and other corporations were particularly prone to attack. To McConnell’s dismay, but not surprise, few of these officials displayed the slightest awareness of the problem.
So, McConnell pulled a neat trick out of his bag. He would bring the cabinet secretary a copy of a memo. Here, McConnell would say, handing it over. You wrote this memo last week. The Chinese hacked it from your computer. We hacked it back from their computer.
That grabbed their attention. Suddenly officials who’d never heard of cyber started taking a keen interest in the subject; a few asked McConnell for a full-scale briefing. Slowly, quietly, he was building a high-level constituency for his plan of action.
In late April, President Bush received a request to authorize cyber offensive operations against the insurgents in Iraq. This was the plan that Generals Abizaid, Petraeus, McChrystal, and Alexander had honed for months—finally sent up the chain of command through the new secretary of defense, Robert Gates, who had returned to government just two months earlier than McConnell, replacing the ousted Donald Rumsfeld.
From his experiences at the NSA and Booz Allen, McConnell understood the nature and importance of this proposal. Clearly, there were huge gains to be had from getting inside the insurgents’ networks, disrupting their communications, sending them false emails on where to go, then dispatching a special-ops unit to kill them when they got there. But there were also risks: inserting malware into insurgents’ email might infect other servers in the area, including those of American armed forces and of Iraqi civilians who had no involvement in the conflict. It was a complex endeavor, so McConnell scheduled an hour with the president to explain its full dimensions.
It was still a rare thing for a president to be briefed on cyber offensive operations—there hadn’t been many of them, at this point—and the proposal came at a crucial moment: a few months into Bush’s troop surge and the shift to a new strategy, new commander, and new defense secretary. So McConnell’s briefing, which took place on May 16, was attended by a large group of advisers: Vice President Cheney, Secretary Gates, Secretary of State Condoleezza Rice, National Security Adviser Stephen Hadley, the Joint Chiefs of Staff vice chairman Admiral Edmund Giambastiani (the chairman, General Peter Pace, was traveling), Treasury Secretary Henry Paulson, and General Keith Alexander, the NSA director, in case someone asked about technical details.
As it turned out, there was no need for discussion. Bush quickly got the idea, finding the upside enticing and the downside trivial. Ten minutes into McConnell’s hour-long briefing, he cut it short and approved the plan.
The room turned quiet. What was McConnell going to say now? He hadn’t planned on the prospect, but it seemed an ideal moment to make the pitch that he’d taken this job to deliver. He switched gears and revved up the spiel.
Mr. President, he began, we come to talk with you about cyber offense because we need your permission to carry out those operations. But we don’t talk with you much about cyber defense.
Bush looked at McConnell quizzically. He’d been briefed on the subject before, most fully when Richard Clarke wrote his National Strategy to Secure Cyberspace, but that was four years earlier, and a lot of crises had erupted since; cyber had never been more than a sporadic blip on his radar screen.
McConnell swiftly recited the talking points from two decades of analyses—the vulnerability of computer systems, their growing use in all aspects of American life, the graphic illustration supplied by the Aurora Generator Test, which had taken place just two months earlier. Then he raised the stakes, stating his case in the most urgent terms he could muster: those nineteen terrorists who mounted the 9/11 attack—if they’d been cyber smart, McConnell said, if they’d hacked into the servers of one major bank in New York City and contaminated its files, they could have inflicted more economic damage than they’d done by taking down the Twin Towers.
Bush turned to Henry Paulson, his treasury secretary. “Is this true, Hank?” he asked.
McConnell had discussed this very point with Paulson in a private meeting a week earlier. “Yes, Mr. President,” he replied from the back of the room. The banking system relied on confidence, which an attack of this sort could severely damage.
Bush was furious. He got up and walked around the room. McConnell had put him in a spot, spelling out a threat and describing it as greater than the threat weighing on his and every other American’s mind for the past five and a half years—the threat of another 9/11. And he’d done this in front of his most senior security advisers. Bush couldn’t just let it pass.
“McConnell,” he said, “you raised this problem. You’ve got thirty days to solve it.”
It was a tall order: thirty days to solve a problem that had been kicking around for forty years. But at least he’d seized the president’s attention. It was during precisely such moments—rare in the annals of this history—that leaps of progress in policy had been plotted: Ronald Reagan’s innocent question after watching WarGames (“could something like this really happen?”) led to the first presidential directive on computer security; Bill Clinton’s crisis mentality in the wake of the Oklahoma City bombing spurred the vast stream of studies, working groups, and, at last, real institutional changes that turned cyber security into a mainstream public issue. Now, McConnell hoped, Bush’s pique might unleash the next new wave of change.
McConnell had been surveying the landscape since returning to government, and he was shocked how little progress had been made in the decade that he’d been out of public life. The Pentagon and the military services had plugged a lot of the holes in their networks, but—despite the commissions, simulations, congressional hearings, and even the presidential decrees that Dick Clarke had written for Clinton and Bush—conditions elsewhere in government, and still more so in the private sector, were no different, no less vulnerable to cyber attacks.
The reasons for this rut were also the same: private companies didn’t want to spend the money on cyber security, and they resisted all regulations to make them do so; meanwhile, federal agencies lacked the talent or resources to do the job, except for the NSA, which had neither the legal authority nor the desire.
Entities had been created during the most recent spate of interest, during Clarke’s reign as cyber coordinator under Clinton and the first two years of Bush, most notably the interagency Cyber Council and the ISACs—Information Sharing and Analysis Centers—that paired government experts with the private owners of companies involved in critical infrastructure (finance, electrical power, transportation, and so forth). But most of those projects stalled after Clarke resigned four years earlier. Now, with Bush’s marching orders in hand, McConnell set out to bulk up these entities or create new ones, this time backed by serious money.
McConnell delegated the task to an interagency cyber task force, run by one of his assistants, Melissa Hathaway, the former director of an information operations unit at Booz Allen, whom he’d brought with him to be his chief cyber aide at the National Intelligence Directorate.
Protecting the civilian side of government from cyber attacks was new terrain. Fifteen years earlier, when the military services began to confront the problem, the first step they took was to equip their computers with intrusion-detection systems. So, as a first step, Hathaway’s task force calculated what it would take to detect intrusions of civilian networks. The requirements turned out to be massive. When the tech crew at Kelly Air Force Base started monitoring computer networks in the mid-1990s, all of the Air Force servers, across the nation, had about one hundred points of access to the Internet. Now, the myriad agencies and departments of the entire federal government had 4,300 access points.
More than this, the job of securing these points was assigned, by statute, to the Department of Homeland Security, a mongrel organization slapped together from twenty-two agencies, once under the auspices of eight separate departments. The idea had been to take all the agencies with even the slightest responsibility for protecting the nation from terrorist attacks and to consolidate them into a single, strong cabinet department. But in fact, the move only dispersed power, overloading the department’s secretary with a portfolio much too large for any one person to manage and burying once-vibrant organizations—such as the Pentagon’s National Communications System, which ran the alert programs for attacks of all sorts, including cyber attacks—in the dunes of a remote bureaucracy. The department was remote physically as well as politically, its headquarters crammed into a small campus on Nebraska Avenue in far Northwest Washington, five miles from the White House—the same campus where the NSA had stuck its Information Security Directorate until the late 1960s, when it was moved to the airport annex a half hour’s drive (somewhat closer than Nebraska Avenue’s hour-long trek) from Fort Meade.
In 2004, its second year of operations, the Homeland Security Department, in an outgrowth of one of Dick Clarke’s initiatives, put out a contract for a government-wide intrusion-detection system, called Einstein. But the task proved unwieldy: the largest supercomputer would have had a hard time monitoring the traffic in and out of four thousand entryways to the Internet, and federal agencies weren’t required to install the system in any case.
This mismatch between goals and capabilities set the stage for the new program put in motion by McConnell and Hathaway, which they called the Comprehensive National Cybersecurity Initiative, or CNCI. It called for the creation of a supra-agency that would consolidate the government’s scattered servers into a single “Federal Enterprise Network,” set strict security standards, and whittle down the points of entry to the Internet from over four thousand to just fifty.
That was the goal, anyway.
On January 9, 2008, eight months after McConnell’s big briefing, Bush signed a national security presidential directive, NSPD-54, which cited the dangers posed by America’s cyber vulnerabilities—taking much of its language from a decade of directives and studies—and ordered Hathaway’s plan into action as the remedy.
In the weeks leading up to the directive, McConnell stressed that the plan would be expensive; Bush waved away the warning, saying that he was willing to spend as much money as Franklin Roosevelt had spent on the Manhattan Project. Along with the White House budget office, McConnell drew up a five-year plan amounting to $18 billion. The congressional intelligence committees cut only a small slice, leaving him with $17.3 billion.
Although the plan’s mission was to protect the computer networks of mainly civilian agencies, the entire program—the multibillion-dollar budget, the text of NSPD-54, even the existence of something called the Comprehensive National Cybersecurity Initiative—was stamped Top Secret. Like most matters cyber, it was bound up with the blackout secrecy of the NSA, and this was no coincidence: on paper, the Department of Homeland Security was the initiative’s lead agency, but the NSA was placed in charge of technical support; and since neither Homeland Security nor any other agency had the know-how or resources to do what the president’s directive wanted done, the locus of power, for this program, too, would tilt from the campus on Nebraska Avenue to the sprawling complex at Fort Meade.
Keith Alexander, the director of NSA, was also more adept at budget politics than the managers at Homeland Security. He knew, as Mike Hayden had before him, which legal statutes authorized which sets of activities (Title 50 for intelligence, Title 10 for military operations, Title 18 for criminal probes) and which congressional committees dished out the money for each. So, when the initiative’s $17.3 billion was divvied up among the various agencies, the vast bulk of it went to NSA—which, after all, would be buying and maintaining the hardware, the program’s costliest element. Congress specified that Fort Meade spend its share of the sum on cyber defense. But that term was loosely defined, and the NSA budget was highly classified, so Alexander allocated the funds as he saw fit.
Meanwhile, Homeland Security upgraded Einstein, the inadequate intrusion-detection system, to Einstein 2, which was designed not only to detect malicious activity on a network, but also to send out an automatic alert. And the department started drawing the conceptual blueprints for Einstein 3, which—again, in theory—would automatically repel intruders. The NSA took on these projects as part of its share of the $17.3 billion, integrating them with the massive data-gathering, data-crunching enterprises it had already launched. But soon after joining forces on the Einstein project, Alexander backed out, explaining that the civilian agencies’ requirements and Homeland Security’s approach were incompatible with NSA’s. Einstein’s commercial contractors stayed on, and Homeland Security hired a team of cyber specialists, but, left to themselves, they had to start over; the program bogged down, fell short of its goals, and went into a tailspin.
And so, despite the president’s full commitment and heaps of money, the vulnerability of computers and its implications for national security, economic health, and social cohesion—a topic that had set off intermittent alarm bells through the previous four decades—drifted once again into neglect.
Alexander was still obligated to spend his share of the money on cyber defense, but by this time, Ken Minihan’s epiphany—that cyber offense and cyber defense ran on the same technology, were practically synonymous—had been fully ingrained in Fort Meade thinking.
The basic concepts of cyber were still in circulation—Computer Network Attack, Computer Network Defense, and Computer Network Exploitation—but the wild card was, and always had been, exploitation, CNE: the art and science of finding and exploiting vulnerabilities in the adversary’s network, getting inside it, and twisting it around. CNE could be seen, used, and justified as preparation for a future cyber attack or as a form of what strategists had long called “active defense”: penetrating an adversary’s network to see what kinds of attacks he was planning, so that the NSA could devise a way to disrupt, degrade, or defeat them preemptively.
Alexander put out the word that, as in other types of warfare, active defense was essential: some cyber equivalent of the Maginot Line or the Great Wall of China wouldn’t hold in the long run; adversaries would find a way to maneuver around or leap over the barriers. So, in the interagency councils and behind-closed-doors testimony, Alexander made the case that his piece of the Comprehensive National Cybersecurity Initiative should focus on CNE. And of course, once the money was lavished on tools for CNE, they could be programmed for offense and defense, since CNE was an enabler of both. When Alexander penetrated and probed the email and cell phone networks of Iraqi insurgents, that was CNE; when President Bush authorized him to disable and disrupt those networks—to intercept and send false messages that wound up getting insurgents killed—that was CNA, Computer Network Attack. Except for the final step, the decision to attack, CNE and CNA were identical.
Regardless of anyone’s intentions (and Alexander’s intentions were clear), this was the nature of the technology—which made it all the more vital for political leaders to take firm control: to ensure that policy shaped the use of technology, not the other way around. Yet, just as cyber tools were melding into weapons of war, and as computer networks were controlling nearly every facet of daily life, the power shifted subtly, then suddenly, to the technology’s masters at Fort Meade.
The pivotal moment in this shift occurred at NSA headquarters on Friday, October 24, 2008. At two-thirty that afternoon, a team of SIGINT analysts noticed something strange going on in the networks of U.S. Central Command, the headquarters running the wars in Afghanistan and Iraq.
A beacon was emitting a signal, and it seemed to be coming from inside CentCom’s classified computers. This was not only strange, it was supposedly impossible: the military’s classified networks weren’t connected to the public Internet; the two were separated by an “air gap,” which, everyone said, couldn’t be crossed by the wiliest hacker. And yet, somehow, someone had made the leap and injected a few lines of malicious code—that was the only plausible source of the beacon—into one of the military’s most secure lines of communication.
It was the first time ever, as far as anyone knew, that a classified network of the Department of Defense had been hacked.
The intrusion might not have been spotted, except that, a year earlier, when cyber war took off as a worldwide phenomenon, Richard Schaeffer, head of the NSA’s Information Assurance Directorate—whose staff spent their workdays mulling and testing new ways that an outsider might breach its defenses—dreamed up a new tangent. Over the previous decade, the military services and the various joint task forces had done a reasonably good job of protecting the perimeters of their networks. But what if they’d missed something and an adversary was already inside, burrowing, undetected, through thousands or millions of files, copying or corrupting their contents?
Schaeffer assigned his Red Team—the same unit that had run the Eligible Receiver exercise back in 1997—to scan the classified networks. This team discovered the beacon. It was attached to a worm that they’d seen a couple years earlier under the rubric agent.btz. It was an elegant device: after penetrating the network and scooping up data, the beacon was programmed to carry it all home. The Office of Tailored Access Operations, the NSA’s cyber black-bag shop, had long ago devised a similar tool.
Schaeffer brought the news to Alexander. Within five minutes, the two men and their staffs came up with a solution. The beacon was programmed to go home; so, they said, let’s get inside the beacon and reroute it to a different home—specifically, an NSA storage bin. The idea seemed promising. Alexander put his technical teams on the task. Within a few hours, they figured out how to design the software. By the following morning, they’d created the program. Then they tested it on a computer at Fort Meade, first injecting the agent.btz worm, then zapping it with the rerouting instruction. The test was a success.
It was two-thirty, Saturday afternoon. In just twenty-four hours, the NSA had invented, built, and verified a solution. They called the operation Buckshot Yankee.
Meanwhile, the analytical branches of the agency were tracing the worm’s pathways back to its starting point. They speculated that a U.S. serviceman or woman in Afghanistan had bought a malware-infected thumb drive and inserted it into a secure computer. (A detailed analysis, over the next few months, confirmed this hypothesis.) Thumb drives were widely sold at kiosks in Kabul, including those near NATO’s military headquarters. It turned out, Russia had supplied many of these thumb drives, some of them preprogrammed by an intelligence agency, in the hopes that, someday, some American would do what—it now seemed clear—some American had actually done.
But all that was detail. The big picture was that, on the Monday morning after the crisis began, Pentagon officials were scrambling to grasp the scope of the problem—while, two days earlier, the NSA had solved it.
Admiral Mike Mullen, chairman of the Joint Chiefs of Staff, called an emergency meeting Monday morning to discuss a course of action, only to find that the service chiefs had sent mere colonels to attend. “What are you doing here?” he almost hollered. The networks of the nation’s active war command had been compromised; it couldn’t win battles without confidence in those networks. He needed to talk with the commanders and with the Joint Staff’s directors of operations and intelligence—that is to say, he needed to talk with three- and four-star generals and admirals.
Later that morning, Mullen arranged a teleconference call with Mike McConnell, Keith Alexander, and General Kevin Chilton, the head of U.S. Strategic Command, which housed Joint Task Force-Global Network Operations, the latest incarnation of the loosely structured bureaus that had first been set up, a decade earlier, as Joint Task Force-Computer Network Defense.
Mullen started off the call with the same question that John Hamre had asked back in 1998, in the wake of Solar Sunrise, the first deep penetration of military networks: Who’s in charge?
For twenty-five years, ever since Ronald Reagan signed the first presidential directive on computer security, the White House, the Pentagon, Congress, Fort Meade, and the various information warfare centers of the military services had been quarreling over that question. Now, General Chilton insisted that, because Strategic Command housed JTF-GNO, he was in charge.
“Then what’s the plan?” Mullen asked.
Chilton paused and said, “Tell him, Keith.”
Clearly, StratCom had nothing. No entity, civilian or military, had anything—any ideas about who’d done this, how to stop it, and what to do next—except for the agency with most of the money, technology, and talent to deal with such questions: the NSA.
The NSA directors of the past decade had worked feverishly to keep the business at Fort Meade in the face of competition from the services’ scattershot cyber bureaus—“preserving the mystique,” as Bill Perry had described the mission to Ken Minihan. The best way to do this was to make the case, day by day, that NSA was the only place that knew how to do this sort of thing, and that’s what Alexander dramatized with Buckshot Yankee.
Bob Gates watched over this contrast between Fort Meade’s control and the Pentagon’s scramble with a mixture of horror and bemusement. He had been secretary of defense for nearly two years, after a long career in the CIA and a brief spell in the White House of Bush’s father, and he continued to marvel at the sheer dysfunction of the Pentagon bureaucracy. When he first took the job, the military was locked in the grip of two wars, both going badly, yet the building’s vast array of senior officers acted as if the world was at peace: they were pushing the same gold-plated weapons, built for some mythic major war of the future, that they’d been pushing since the Cold War, and promoting the same kinds of salute-snapping, card-punching officers—in short, they were doing nothing of any use—until he fired a few generals and replaced them with officers who seemed able and willing to help the men and women fighting, dying, and getting hideously injured in the wars that were happening now.
Almost every day since coming to the Pentagon, Gates had heard briefings on the latest attempt, by some serious adversary or mischievous hacker, to penetrate the Defense Department’s networks. Here was the really serious breach that many had warned might happen, and, still, everyone was playing bureaucratic games; nobody seemed to recognize the obvious.
Mike McConnell, who’d been friendly with Gates since his time as NSA director, had been repeatedly making the case for a unified Cyber Command, which would supersede all the scattered cyber bureaus, run offensive and defensive operations (since they involved the same technology, activities, and skills), and ideally be located at Fort Meade (since that was where the technology, activities, and skills were concentrated). McConnell backed up his argument with a piece of inside knowledge: the NSA didn’t like to share intelligence with operational commands; the only way to get it to do so was to fuse the NSA director and the cyber commander into the same person.
Gates had long thought McConnell’s idea made sense, and Buckshot Yankee drove the point home.
Another development laced this point with urgency. The clock was ticking on Alexander’s tenure at NSA. Most directors had served a three-year term; Alexander had been there for three years and two months. Beyond the math, Gates had heard rumors that Alexander was planning to retire, not just from the agency but also from the Army. Gates thought this would be disastrous: the CIA had recently predicted a major cyber attack in the next two years; here we were, in a crisis of lesser but still serious magnitude, and Alexander was the only official with a grip on what was happening.
The NSA director, by custom, was a three-star general or admiral; the heads of military commands were four-stars. Gates figured that one way to consolidate cyber policy and keep Alexander onboard was to create a new Cyber Command, write its charter so that the commander would also be the NSA director (as McConnell had suggested), and put Alexander in the double-hatted position, thus giving him a fourth star—and at least another three years on the job.
In fact, the rumors of Alexander’s imminent departure were untrue. By coincidence, not long before Buckshot Yankee, Alexander made an appointment for a retirement briefing that generals were required to receive upon earning a third star. Alexander had put off his session for months; these things were usually a waste of time, and he was busy. Finally, the Army personnel command applied pressure, so he went to the next scheduled briefing.
Two days later, he got a call from Gates, wanting to know if rumors of his retirement were true. Alexander assured him they were not. Nonetheless, Gates told him of the plan to get him a fourth star.
It would take several months to line up the pins in the Pentagon, the intelligence community, and the Congress. Meanwhile, an election took place, and a new president, Barack Obama, arrived at the White House. But Gates, who agreed to stay on as defense secretary for at least a year, pushed the idea through. On June 23, 2009, he signed a memorandum, ordering the creation of U.S. Cyber Command.
During the final year of Bush’s presidency and the first few months of Obama’s, Gates wrestled with a dilemma. He’d realized for some time that, when it came to cyber security, there was no substitute for Fort Meade. The idea of turning the Department of Homeland Security into an NSA for civilian infrastructure, a notion that some in the White House still harbored, was a pipe dream. DHS didn’t have the money, the manpower, or the technical talent—and, realistically, it never would. Yet because NSA was legally (and properly) barred from domestic surveillance, it couldn’t protect civilian infrastructure, either.
On July 7, 2010, Gates had lunch at the Pentagon with Janet Napolitano, the secretary of homeland security, to propose a way out of the thicket. The idea was this: she would appoint a second deputy director of the NSA (Gates would have to name the person formally, but it would be her pick); in the event of a threat to the nation’s critical infrastructure, this new deputy could draw on the technical resources of the NSA while invoking the legal authority of DHS.
Napolitano liked the idea. At a subsequent meeting, they drew up a memorandum of understanding on this arrangement, which included a set of firewalls to protect privacy and civil liberties. General Alexander, whom they consulted, gave it his blessings. On July 27, less than three weeks after their initial lunch, Gates and Napolitano took the idea to President Obama. He had no objections and passed it on to Thomas Donilon, his national security adviser, who vetted the idea with an interagency panel of the National Security Council.
Everything seemed on course. Gates and Napolitano left the details to their underlings and went back to more urgent business.
Over the next few months, the arrangement unraveled.
Before delegating the matter, Napolitano selected her candidate for the cyber deputy director—a two-star admiral named Michael Brown, who was her department’s deputy assistant secretary for cyber security. Brown seemed ideal for the job. He’d studied math and cryptology at the Naval Academy, worked on SIGINT teams at the NSA, and, in the late 1990s, moved over to the Pentagon as one of the charter analysts—dealing with the Solar Sunrise and Moonlight Maze hacks—at Joint Task Force-Computer Network Defense. When Mike McConnell convinced President Bush to spend $18 billion on cyber security, he asked Brown to go work at the Department of Homeland Security, to help protect civilian networks in the same way that he’d helped protect military networks. For the next two years, that’s what Brown tried to do, expanding the DHS cyber staff from twenty-eight people to roughly four hundred and turning its computer emergency response team into a vaguely functional organization. If there was someone who could merge the cultures of NSA and DHS, it was likely to be Mike Brown.
For that reason, though, he ran into obstacles at every step. Napolitano’s deputy, Jane Holl Lute—a lawyer, former assistant secretary-general for peacekeeping support at the United Nations, and an Army veteran in signals intelligence—was deeply suspicious of NSA and resistant to any plan that would give the agency any power in domestic matters or that might turn the Internet into a “war zone.” The same was true of the White House cyber security adviser, Howard Schmidt, who winced at those who described cyberspace as a “domain,” in the same sense that Air Force and Navy officers described the skies and oceans as “domains” for military operations. Brown’s rank as a naval officer, his background in cryptology, and his experience with the NSA suggested that this joint endeavor would be far from an equal partnership—that Fort Meade would run the show.
There was also resistance among the department deputies in the National Security Council, some of whom were peeved that this deal had gone down without their consultation. In the end, they approved Brown as “cybersecurity coordinator,” but they wouldn’t let him be a deputy director of the NSA; they wouldn’t give him the legal authority he’d need to do the job that Gates and Napolitano had envisioned.
It was reminiscent, though few remembered so far back, of the dispute more than a quarter century earlier, in 1984, when civil liberties advocates in Congress resisted the plan—laid out in President Reagan’s directive, NSDD-145—to put standards for computer security in the hands of a committee run by the director of the NSA.
The staff meetings between DHS and NSA practically seethed with tension. The Gates-Napolitano plan called for each agency to send ten analysts to the other’s headquarters as a sort of cultural exchange. Early on, Fort Meade sent its ten—nine from NSA, one from Cyber Command—but DHS was slow to reciprocate. Part of the problem was simple logistics. Twenty-five thousand people worked at NSA; trading ten of them required scant sacrifice. But DHS had only a few hundred cyber specialists; rather than transferring any, Lute decided to hire ten new people, a process that involved juggling the budget, vetting security clearances—in short, time: lots of time. Well before all ten came onboard, the arrangement sputtered, its wheels grinding nearly to a halt.
On October 31, 2010, U.S. Cyber Command raised its flag at Fort Meade, with General Alexander at the helm while, simultaneously, entering his sixth year as director of an NSA that was teeming with unprecedented political, bureaucratic, and computational power.