Proposed NSA-Cybercom split comes as govt. looks to justify cyberattacks

2016-10-18-nsa-cybercom

Adm. Mike Rogers, the “dual-hatted” head of both the National Security Agency (NSA) and U.S. Cyber Command (Cybercom), repeated his position Tuesday that the two agencies should be split and run separately, saying it is only a matter of “the right time” and “the right process.”

The proposed move is opposed by some, including Senate Armed Services Committee Chairman John McCain (R-Arizona), but both Defense Secretary Ash Carter and Director of National Intelligence James Clapper are reportedly in favor of the split. The idea seems to have arisen for legal clarification reasons. The line where NSA ends and Cybercom begins has been blurry since Cybercom’s inception in 2009. As C4ISRNET reports:

Both organizations, while often times conducting similar activity, are defined under different statutory terms. CYBERCOM, as a military organization under the chain of command of the secretary of defense, falls under Title 10 of the United States Code. The NSA, on the other hand, as an intelligence organization falls under the scope of Title 50, though it does perform Title 10 duties from time to time. These legal distinctions trigger certain roles and responsibilities for the organizations that govern them.

“Cyberspace operations as a Title 10 operations is a military operation, not an intelligence operation,” Ronald Pontius, deputy to the commanding general of Army Cyber Command, said. “So it’s very important and we go through a lot of training and we have our operational lawyers very much with us on everything. … You have to understand under what authorities are you conducting what operation, and we work that very carefully.”

(…) The close relationship with NSA was logical at the beginning in standing up a brand new organization with similar, yet separate mission sets and skills. However, the similarities have presented the potential to blur these intelligence and war fighting lines — or Title 10 and Title 50.

In addition to the head of CYBERCOM and NSA being dual-hatted, many employees of each also share this designation. A former NSA worker, speaking to C4ISRNET on condition of anonymity, explained that many individuals in this dual-hat role conduct intelligence work for the NSA and once they discover an entry point into a network, they can “flip their hat” and create cyber effects for CYBERCOM.

This issue — balancing the equities between the spying and effects — is at the heart of the Title 10 and Title 50 debate, the former NSA worker said. The NSA will find the path inside to exploit the target, but the effects generated as well as the planning and executing will be conducted within CYBERCOM’s Title 10 authorities.

From what is publicly known about some of the NSA’s spying and exploitation activities, the claim that all of the agency’s activities fail to qualify as cyberwarfare “effects” seems dubious at best. In August, a group calling itself the “Shadow Brokers” revealed several NSA hacking tools described as “the keys to the kingdom” by a former Tailored Access Operations (TAO) employee who spoke to the Washington Post.

TAO is a team of top NSA hackers that has been expanding in recent years, reportedly to more than 2,000 operatives. “An internal description of TAO’s responsibilities makes clear that aggressive attacks are an explicit part of the unit’s tasks,” the German news outlet Der Spiegel reported in 2013. Earlier that year, the Post had reported on hundreds of offensive cyber operations conducted under an NSA program code-named GENIE:

The scope and scale of offensive operations represent an evolution in policy, which in the past sought to preserve an international norm against acts of aggression in cyberspace, in part because U.S. economic and military power depend so heavily on computers. (…)

U.S. agencies define offensive cyber-operations as activities intended “to manipulate, disrupt, deny, degrade, or destroy information resident in computers or computer networks, or the computers and networks themselves,” according to a presidential directive issued in October 2012. (…)

The administration’s cyber-operations sometimes involve what one budget document calls “field operations” abroad, commonly with the help of CIA operatives or clandestine military forces, “to physically place hardware implants or software modifications.”

Much more often, an implant is coded entirely in software by an NSA group called Tailored Access Operations (TAO). As its name suggests, TAO builds attack tools that are custom-fitted to their targets. (…)

Under U.S. cyberdoctrine, these operations are known as “exploitation,” not “attack,” but they are essential precursors both to attack and defense.

The Post’s Barton Gellman and Ellen Nakashima also noted in that same article that the Central Intelligence Agency has stepped up its cyber warfare role:

The growth of Tailored Access Operations at the NSA has been accompanied by a major expansion of the CIA’s Information Operations Center, or IOC.

The CIA unit employs hundreds of people at facilities in Northern Virginia and has become one of the CIA’s largest divisions. Its primary focus has shifted in recent years from counterterrorism to cybersecurity, according to (a) budget document.

The military’s cyber-operations, including U.S. Cyber Command, have drawn much of the public’s attention, but the IOC undertakes some of the most notable offensive operations, including the recruitment of several new intelligence sources, the document said.

In September, it was reported that officials investigating the Shadow Brokers hack believe that Russian state-sponsored actors are to blame. “The investigators have not determined conclusively that the Shadow Brokers group is affiliated with the Russian government, but that is the presumption,” according to Reuters.

Earlier this month, however, a former NSA contractor, Harold Thomas Martin III, was arrested at his Maryland home and is now reportedly being investigated by the FBI in connection with the Shadow Brokers leak. “Martin and The Shadow Brokers had some of the same materials, according to officials,” reports NBC News.

It is unclear as of yet exactly how the “Shadow Brokers” got access to NSA hacking tools that they then published, but in the wake of that disclosure and others such as the hack of emails from the Democratic National Committee, Vice President Joe Biden said last weekend that the US would be “sending a message” to Russian President Vladimir Putin. “We have the capacity to do it,” he said.

Biden added that “it will be at the time of our choosing, and under the circumstances that have the greatest impact.”

It appears that the US has a fairly narrow definition of what constitutes a cyberattack — or at least they are coming to realize that coming up with such a narrow definition would be helpful, hence the push to split NSA and Cybercom. Officially, for instance, last year’s Office of Personnel Management (OPM) hack that compromised the personal information of tens of millions of Americans — essentially anyone who worked or even applied for a federal government job since 2000 — including things like social security numbers and biometric data, was not an “attack.”

“There was no destruction of data or manipulation of data,” DNI Clapper said last year. “It was simply stolen — so that’s a passive intelligence collection activity, just as we do.”

Biden didn’t go into detail regarding what kind of retaliation against Russia he was suggesting, though the New York Times article about his comments included ideas such as exposing the identities of Russian intelligence officials who have authorized operations against the US, or temporarily breaking through Russia’s online censorship system to allow in banned information. Either of these ultimately sounds like a plan to publish information that Russia would rather keep secret.

But the US might be wise to be wary of upping the ante in this particular game. The Russians seem fairly confident. They’ve already shown that (if they are truly to blame for the various hacks) they have had extensive access to data the US intelligence community has every incentive to keep secure, and in many cases have long had such access without US agencies apparently being aware. If America decides to escalate this cyber war, the Russians may reciprocate — with even more shocking, unprecedented, and unheard of data breaches to come as a result.

 

 
