DURING the early weeks of Mike McConnell’s tenure as director of national intelligence, in 2007, one of his assistants showed him a chart produced by VeriSign, the company that operated the domain name system, which registered dot-com, dot-gov, dot-net, and other email addresses that made the Internet function. The chart displayed a map of the globe, laid out not by the geography of landmass and oceans but rather by the patterns and densities of network bandwidth. According to this map, 80 percent of the world’s digital communications passed through the United States.I
The implications for intelligence were profound. If a terrorist in Pakistan was exchanging email or talking on a cell phone with an arms supplier in Syria, and if the global network routed a piece of their communication through the United States, there was no need to set up a data-scooping station in hostile territory; the NSA could simply tap into the stream stateside.
But there was a legal obstacle. Back in the 1970s, hearings chaired by Senator Frank Church uncovered massive abuse by the CIA and NSA, including surveillance of American citizens, mainly political critics and antiwar activists, in violation of their Fourth Amendment rights against “unreasonable searches and seizures.” The hearings led to the passage, in 1978, of the Foreign Intelligence Surveillance Act, which barred domestic surveillance without evidence of probable cause that the target was an agent of a foreign power and that the places of surveillance were, or would be, used by that agent; and even then, the government would have to present the evidence of probable cause to a secret FISA court, whose judges would be appointed by the chief justice of the U.S. Supreme Court. The president could authorize surveillance without a court order, but only if the attorney general certified under oath that the target was believed to be a foreign agent and that the eavesdropping would not pick up the communications of a “United States person,” defined as an American citizen, permanent resident, or corporation.
After the attacks of September 11, 2001, Congress hurriedly passed the Patriot Act, which, among other things, revised FISA to allow surveillance of not only foreign agents but also members of amorphous terrorist groups, such as al Qaeda, which had no affiliation with a nation-state.
To McConnell’s mind, even with that revision, FISA was out of date and in need of change. In the digital age, there were no discrete places of surveillance; cyberspace was everywhere. Nor could the government honestly certify that, while intercepting a terrorist’s email or cell phone conversation, it wouldn’t also pick up some innocent American’s chatter; this was the nature of data packets, which whooshed pieces of many communications through the most efficient path. Since the most efficient path often ran through the United States, it would be hard not to pick up some Americans’ data in the process.
In briefings to the president, meetings with national security aides, and informal sessions with members of Congress, McConnell brought along the VeriSign map, explained its implications, and made his pitch to amend FISA.
He knew that he was making progress when he met with Jack Murtha, ranking Democrat on the House appropriations defense subcommittee. Seventy-four years old, in his seventeenth term in Congress, Murtha had given McConnell a hard time back in the 1970s when he was NSA director; at one point, Murtha threatened to kill the agency’s information warfare programs, especially those that had an offensive tilt. But the VeriSign map riveted his attention.
“Look at where all the bandwidth is,” McConnell said, pointing to the bulge on American territory. “We need to change the law to give us access.” Murtha bought the pitch, and so did almost everyone else who heard it.
President Bush needed no special pleading. Keen to do anything that might catch a terrorist in the act, he found a rationale for action in the VeriSign map and told his legal team to draft a bill.
On July 28, in his Saturday radio address, Bush announced that he was sending the bill to Congress. In the age of cell phones and the Internet, he said, current laws were “badly out of date,” and, as a result, “we are missing a significant amount of foreign intelligence that we should be collecting to protect our country.”
Four days later, the Senate’s Republican leaders brought the bill to the floor as the Protect America Act. It did everything McConnell wanted it to do. One key passage noted that “electronic surveillance” of an American would not be illegal—would not even be defined as “electronic surveillance”—if it was aimed at a person who was “reasonably believed to be located outside of the United States.” The stray collection of Americans’ data, unavoidable in the digital world, would thus be exempt from possible prosecution. Another clause clarified that, under this new law, the attorney general’s certification to the FISA court “is not required to identify the specific facilities, places, premises, or property” where the intelligence gathering would take place. As McConnell had been saying over and over, targets of surveillance in the digital age—unlike those in the era of phone taps—occupied no physical space.
One other significant passage specified that the government could obtain this information only “with the assistance of a communications service provider.” This provision was barely noticed; to the extent it was, it seemed like a restriction, but in fact it gave the NSA license to retrieve data from private corporations—and gave the corporations legal cover to cooperate with the NSA. Few outsiders knew that service providers—from Western Union and AT&T in the early days, to Sprint and Verizon in the “Baby Bells” era, to Microsoft, Google, and the other pioneers of the Internet age—had long enjoyed mutually beneficial arrangements with the NSA and FBI. This section of the bill would loom large, and incite enormous controversy, six years later, when Edward Snowden’s leaks revealed the vast extent of those arrangements.
Except for the requirement to consult with the FISA Court and the select congressional committees, both of which met in secrecy, the only limit that the bill placed on surveillance was that the data acquired from Americans—whose communications often got swept up along with the packets of data under surveillance—had to be “minimized.” This meant that, to preserve privacy and civil liberties, the government could not store the names of any Americans or the contents of their communications, but rather only their phone numbers and the date, time, and duration of a conversation. Few who read the bill understood the definition of “minimized” or grasped how much even this amount of information—metadata, it was called—could reveal about someone’s identity and activities.
After two days of debate, the Senate passed the measure, 60–28. The next day, the House concurred, 227–183. The following day, August 5, 2007, just eight days after his radio address, President Bush signed the bill into law.
With the technical advances of the previous decade—the Turbulence program, the Real Time Regional Gateway, the new generation of supercomputers, and the ingenuity of the hackers in the Office of Tailored Access Operations—the government could wade into all the streams of the World Wide Web. And with the new political powers invested in Fort Meade—the consolidation of all the services’ signals intelligence bureaus and the start-up of U.S. Cyber Command, to be headed by the NSA director—it would be the NSA that did the wading, with the consent and authority of the White House, the Congress, and the secret chamber that the Supreme Court had set up as its proxy in the dark world.
It was a new age of expansive horizons for the NSA, and Keith Alexander was its ideal voyager. A common critique of the intelligence failure on 9/11 was that the relevant agencies possessed a lot of facts—a lot of data points—that might have pointed to an imminent attack, but no one could “connect the dots.” Now, six years later, new technology allowed the NSA to gather so much data—a seamless stream of data points—that the dots almost connected themselves.
The convergence of technological advances and the post-9/11 fears of terrorism spawned a cultural change, too: a growing, if somewhat resigned, acceptance of intrusions into daily life. Back in 1984, the first presidential directive on computer security, signed by Ronald Reagan, was quashed because it empowered the NSA to set standards for all American computers—military, government, private, and commercial—and Congress wasn’t about to let Fort Meade have a say in domestic surveillance or policy. Now, not quite a quarter century later, digital data crossed borders routinely; for all practical purposes, borders withered away, and so did the geographic strictures on the reach of the NSA.
In this context, Alexander saw an opening to revive the metadata program that he’d created, back at the start of the decade, as head of the Army Intelligence and Security Command at Fort Belvoir. The case for a revival seemed a logical fit to the technical, political, and cultural trends. Let’s say, Alexander would argue, that, while tracking foreign communications, SIGINT operators spotted an American phone number calling the number of a known terrorist in Pakistan. The NSA could seek a warrant from the FISA Court to find out more about this American. They might also find it useful to learn other phone numbers that the suspicious American had been calling, and then perhaps to track what numbers those people had been calling. And, just like the Belvoir experiment, but writ large, it wouldn’t take long before the NSA had stored data on millions of people, many of them Americans with no real connection to terrorism.
Then came a modern twist. At some point, Alexander’s argument continued, the SIGINT analysts might find some American engaged in genuinely suspicious activity. They might wish that they’d been tracking this person for months, even years, so they could search through the data for a pattern of threats, possibly a nexus of conspirators, and trace it back to its origins. Therefore, it made sense to scoop up and store everything from everybody. NSA lawyers even altered some otherwise plain definitions, so that doing this didn’t constitute “collecting” data from American citizens, as that would be illegal: under the new terminology, the NSA was just storing the data; the collecting wouldn’t happen until an analyst went to retrieve it from the files, and that would be done only with proper FISA Court approval.
Under the FISA law, data could be stored only if it was deemed “relevant” to an investigation of foreign intelligence or terrorism. But under this new definition, everything was potentially relevant: there was no way of knowing what was relevant until it became relevant; therefore, you had to have everything on hand to make a definitive assessment. If much of intelligence involved finding a needle in a haystack, Alexander liked to say, you had to have access to “the whole haystack.”
The FISA Court had been created to approve, deny, or modify specific requests for collection; in that sense, it was more like a municipal court than the Supreme Court. But in this instance, the FISA Court ruled on the NSA’s broad interpretation of the law, and it endorsed this definition of “relevant.”
Keith Alexander had the whole haystack.
This was the state of cyberspace—a web thoroughly combed, plowed, and penetrated by intelligence services worldwide, especially America’s own—when Senators Barack Obama and John McCain wound down their race for the White House in the fall of 2008.
President Bush was obligated to provide intelligence briefings to both candidates, so, on September 12, he sent Mike McConnell to brief Obama, the Democrat, at his campaign headquarters in Chicago. Bush was leery of the whole exercise and told McConnell, before he left, not to divulge anything about operations in Afghanistan and Iraq—and to brief only the candidate, not anyone on his staff.
Two of Obama’s staff members, who’d planned to sit in and take notes, were miffed when the intelligence director asked them to leave; so was the candidate. But the session proceeded in a cordial enough way, Obama saying that he didn’t want to hear anything about Iraq or Afghanistan, he had his own ideas on those wars; what he really wanted to discuss was terrorism.
McConnell went through the threats posed by al Qaeda and its affiliates, the various plots, some only barely disrupted, at home and abroad. Obama, who’d been a junior member of the Senate Foreign Relations Committee but had never heard such a detailed briefing from such a high-level intelligence official, was fascinated. At this point, fifty minutes had passed, more time than his aides had scheduled, but Obama was settling in; he asked McConnell what else he had in his briefing book.
Glad to oblige, the intelligence director told the next president about the status of North Korea’s plan to detonate an A-bomb, Iran’s program to build one, and Syria’s atomic reactor in the desert. (Israel had bombed it a year earlier, but Assad was still in touch with his Pyongyang suppliers.) This took up another twenty minutes. Obama told him to go on.
And so, just as he’d done when Bush approved the Iraq cyber offensive plan after ten minutes of a meeting that had been scheduled for an hour, McConnell turned to the topic of his deepest worries. Earlier in the year, U.S. officials had alerted both Obama and McCain that China had hacked into their campaign computer systems, rummaging through their position papers, finances, and emails.
“They exploited your system,” McConnell said. “What if they’d destroyed it?”
“That would have been problematic for me,” Obama replied.
“Imagine,” McConnell went on, warming up to his theme, “that they could destroy our critical infrastructure.”
Obama, seeing where the director was headed, said, as if completing his sentence, “That would be problematic for the nation.”
“That’s the danger,” McConnell said, and then he stepped into his well-rehearsed summation of the nation’s vulnerabilities and the ability of many powers, not just China, to exploit them.
At its conclusion, Obama told McConnell to come see him again in the first week of his presidency.
In fact, McConnell next saw Obama in his transition office, on December 8, midway between his election-night victory and inauguration day. He brought with him his aide, Melissa Hathaway, who briefly outlined the Comprehensive National Cybersecurity Initiative that she’d written for Bush but that hadn’t yet been implemented. Obama told her to start thinking about a sixty-day review of U.S. cyber policy.
The review hit a slight delay. Cyber was hardly the most urgent issue on the new president’s agenda. He first ordered another campaign aide, a former CIA analyst named Bruce Riedel, to write a sixty-day review of U.S. policy in Afghanistan. Then there was the matter of solving the banking crash, the collapse of the auto industry, and the worst economic crisis since the Great Depression.
Still, on February 9, just three weeks into his term, not too far behind schedule, Obama publicly announced the sixty-day cyber review and presented Hathaway as its chair. It took longer than sixty days to complete—it took 109 days—but on May 29, she and her interagency group issued their seventy-two-page document, titled Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure.
It read uncannily like the reports, reviews, and directives that had come before it, and even referred to several of them by name, among them Bush’s NSPD-54 and his National Strategy to Secure Cyberspace, the Marsh Report, a few Defense Science Board studies, and Senator Nunn’s hearings. There was little new to say about the subject; but few of the old things had ever been officially adopted, so no one had heard of them—outside the coterie of experts who’d been following the cycles for years or decades—and it was, therefore, no redundancy for Hathaway to re-recite the same old problems and remedies.
Once again, then, there was the preface noting the ubiquity of cyberspace, its “strategic vulnerabilities,” the “great risks” posed to “critical infrastructure” and “sensitive military information.” There was the bit about the “overlapping authorities” among federal agencies, the need for a “national dialogue,” an “action plan” for “information sharing” with “public-private partnerships,” and, finally, the proposed appointment of a “cybersecurity policy official” in the White House—a position that Hathaway assumed she would hold, just as Dick Clarke designated himself the “national coordinator” in a similar document for Bill Clinton.
But from the outset, Hathaway ran into obstacles. White House staffers disdained her as “prickly” and “sharp-elbowed,” diatribes commonly hurled at women—Hathaway was blond, attractive, and barely forty—for behavior that would be tolerated as merely aggressive, or even normal, possibly admirable, in men. Hathaway’s elbows were certainly less sharp than Clarke’s, but Clarke was a master of office politics, cultivating protectors at the highest echelons and allies throughout the bureaucracy. Hathaway had only one protector, Mike McConnell, and when Obama replaced him in the first week of his presidency, she was left with no cover.
There was another problem, one that Clarke had also faced. Hathaway’s review noted that private companies owned most of the pathways of cyberspace and thus must “share the responsibility” for its security—a line that triggered reflexive fears of government regulation, still the nastiest word in the book among the executives of Silicon Valley. Obama’s brash economic adviser, Lawrence Summers, took industry’s side in this dispute, insisting that, especially during what had come to be called the Great Recession, the engines of economic growth must not be constrained. (As Clinton’s treasury secretary, Summers had been Clarke’s bête noire when he tried to push for regulations, as well.)
Between the prominence of economic concerns and her own bureaucratic isolation, Hathaway and her portfolio took a tumble. She was gone by August and sidelined well before then.
Yet Obama didn’t ignore Hathaway’s concerns. On May 29, the same day that she released her review, he spoke for seventeen minutes in the East Room of the White House on cyberspace, its central place in modern life, and “this cyber threat” as “one of the most serious economic and national security challenges we face as a nation.”
He spoke not just from a script but also from personal experience. Born in 1961, near the end of the baby boom (unlike Bush and Clinton, who were born fifteen years earlier, at the boom’s onset), Obama was the first American president who surfed through cyberspace in his daily life. (When the Secret Service demanded that he give up his BlackBerry for security reasons, Obama resisted; as a compromise, the NSA Information Assurance Directorate built him a one-of-a-kind BlackBerry, equipped with state-of-the-art encryption, shielding, and a few other highly classified tricks.) And he was the first president whose campaign records had been hacked by a foreign power. Obama understood the stakes.
But something else stirred his concerns. A few days before inauguration day, President Bush had briefed him on two covert operations that he hoped Obama would continue. One concerned secret drone strikes against al Qaeda militants in Pakistan. The other involved a very tightly held, astonishingly bold cyber offensive campaign—code-named Operation Olympic Games, later known as Stuxnet—to delay and disable what seemed to be a nuclear weapons program in Iran.
Coming so soon after Mike McConnell’s briefing on America’s vulnerability to cyber attacks, this disclosure switched on a different light bulb from the one that had flashed in the heads of presidents, senior officials, and advisers who’d been exposed to the subject in the decades before. It was the obverse of the usual lesson: what the enemy might someday do to us, we can now do to the enemy.
I. In the late 1990s, when he started researching the vulnerability of infrastructure, Richard Clarke learned that 80 percent of global Internet traffic passed through just two buildings in the United States: one, called MAE West (MAE standing for Metropolitan Area Exchange), in San Jose, California; the other, MAE East, above a steakhouse in Tysons Corner, Virginia. One night, Clarke took a Secret Service agent to dinner at the steakhouse, after which they took a look at the room upstairs. (He brought the agent along to avoid getting arrested.) They were both shocked at how easily a saboteur could wreak devastating damage.