By Glenn Greenwald
The Guardian | www.guardian.co.uk
January 28 2013 – As the US government depicts the Defense Department as shrinking due to budgetary constraints, the Washington Post this morning announces “a major expansion of [the Pentagon’s] cybersecurity force over the next several years, increasing its size more than fivefold.” Specifically, says the New York Times this morning, “the expansion would increase the Defense Department’s Cyber Command by more than 4,000 people, up from the current 900.” The Post describes this expansion as “part of an effort to turn an organization that has focused largely on defensive measures into the equivalent of an Internet-era fighting force.” This Cyber Command Unit operates under the command of Gen. Keith Alexander, who also happens to be the head of the National Security Agency, the highly secretive government network that spies on the communications of foreign nationals – and American citizens.
The Pentagon’s rhetorical justification for this expansion is deeply misleading. Beyond that, these activities pose a wide array of serious threats to internet freedom, privacy, and international law that, as usual, will be conducted with full-scale secrecy and with little to no oversight and accountability. And, as always, there is a small army of private-sector corporations who will benefit most from this expansion.
Disguising aggression as “defense”
Let’s begin with the way this so-called “cyber-security” expansion has been marketed. It is part of a sustained campaign which, quite typically, relies on blatant fear-mongering.
In March, 2010, the Washington Post published an amazing Op-Ed by Adm. Michael McConnell, Bush’s former Director of National Intelligence and a past and current executive with Booz Allen, a firm representing numerous corporate contractors which profit enormously each time the government expands its “cyber-security” activities. McConnell’s career over the last two decades – both at Booz, Allen and inside the government – has been devoted to accelerating the merger between the government and private sector in all intelligence, surveillance and national security matters (it was he who led the successful campaign to retroactively immunize the telecom giants for their participation in the illegal NSA domestic spying program). Privatizing government cyber-spying and cyber-warfare is his primary focus now.
McConnell’s Op-Ed was as alarmist and hysterical as possible. Claiming that “the United States is fighting a cyber-war today, and we are losing”, it warned that “chaos would result” from an enemy cyber-attack on US financial systems and that “our power grids, air and ground transportation, telecommunications, and water-filtration systems are in jeopardy as well.” Based on these threats, McConnell advocated that “we” – meaning “the government and the private sector” – “need to develop an early-warning system to monitor cyberspace” and that “we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment – who did it, from where, why and what was the result – more manageable.” As Wired’s Ryan Singel wrote: “He’s talking about changing the internet to make everything anyone does on the net traceable and geo-located so the National Security Agency can pinpoint users and their computers for retaliation.”
The same week the Post published McConnell’s extraordinary Op-Ed, the Obama White House issued its own fear-mongering decree on cyber-threats, depicting the US as a vulnerable victim to cyber-aggression. It began with this sentence: “President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter.” It announced that “the Executive Branch was directed to work closely with all key players in US cybersecurity, including state and local governments and the private sector” and to “strengthen public/private partnerships”, and specifically announced Obama’s intent to “to implement the recommendations of the Cyberspace Policy Review built on the Comprehensive National Cybersecurity Initiative (CNCI) launched by President George W. Bush.”
Since then, the fear-mongering rhetoric from government officials has relentlessly intensified, all devoted to scaring citizens into believing that the US is at serious risk of cataclysmic cyber-attacks from “aggressors”. This all culminated when Defense Secretary Leon Panetta, last October, warned of what he called a “cyber-Pearl Harbor”. This “would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.” Identifying China, Iran, and terrorist groups, he outlined a parade of horribles scarier than anything since Condoleezza Rice’s 2002 Iraqi “mushroom cloud”:
“An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches. They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
As usual, though, reality is exactly the opposite. This massive new expenditure of money is not primarily devoted to defending against cyber-aggressors. The US itself is the world’s leading cyber-aggressor. A major purpose of this expansion is to strengthen the US’s ability to destroy other nations with cyber-attacks. Indeed, even the Post report notes that a major component of this new expansion is to “conduct offensive computer operations against foreign adversaries”.
It is the US – not Iran, Russia or “terror” groups – which already is the first nation (in partnership with Israel) to aggressively deploy a highly sophisticated and extremely dangerous cyber-attack. Last June, the New York Times’ David Sanger reported what most of the world had already suspected: “From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons.” In fact, Obama “decided to accelerate the attacks . . . even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet.” According to the Sanger’s report, Obama himself understood the significance of the US decision to be the first to use serious and aggressive cyber-warfare:
“Mr. Obama, according to participants in the many Situation Room meetings on Olympic Games, was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons – even under the most careful and limited circumstances – could enable other countries, terrorists or hackers to justify their own attacks.”
The US isn’t the vulnerable victim of cyber-attacks. It’s the leading perpetrator of those attacks. As Columbia Professor and cyber expert Misha Glenny wrote in the NYT last June: Obama’s cyber-attack on Iran “marked a significant and dangerous turning point in the gradual militarization of the Internet.”
Indeed, exactly as Obama knew would happen, revelations that it was the US which became the first country to use cyber-warfare against a sovereign country – just as it was the first to use the atomic bomb and then drones – would make it impossible for it to claim with any credibility (except among its own media and foreign policy community) that it was in a defensive posture when it came to cyber-warfare. As Professor Glenny wrote: “by introducing such pernicious viruses as Stuxnet and Flame, America has severely undermined its moral and political credibility.” That’s why, as the Post reported yesterday, the DOJ is engaged in such a frantic and invasive effort to root out Sanger’s source: because it reveals the obvious truth that the US is the leading aggressor in the world when it comes to cyber-weapons.
This significant expansion under the Orwellian rubric of “cyber-security” is thus a perfect microcosm of US military spending generally. It’s all justified under by the claim that the US must defend itself from threats from Bad, Aggressive Actors, when the reality is the exact opposite: the new program is devoted to ensuring that the US remains the primary offensive threat to the rest of the world. It’s the same way the US develops offensive biological weapons under the guise of developing defenses against such weapons (such as the 2001 anthrax that the US government itself says came from a US Army lab). It’s how the US government generally convinces its citizens that it is a peaceful victim of aggression by others when the reality is that the US builds more weapons, sells more arms and bombs more countries than virtually the rest of the world combined.
Threats to privacy and internet freedom
Beyond the aggressive threat to other nations posed by the Pentagon’s “cyber-security” programs, there is the profound threat to privacy, internet freedom, and the ability to communicate freely for US citizens and foreign nationals alike. The US government has long viewed these “cyber-security” programs as a means of monitoring and controlling the internet and disseminating propaganda. The fact that this is all being done under the auspices of the NSA and the Pentagon means, by definition, that there will be no transparency and no meaningful oversight.
Back in 2003, the Rumsfeld Pentagon prepared a secret report entitled “Information Operations (IO) Roadmap”, which laid the foundation for this new cyber-warfare expansion. The Pentagon’s self-described objective was “transforming IO into a core military competency on par with air, ground, maritime and special operations”. In other words, its key objective was to ensure military control over internet-based communications:
It further identified superiority in cyber-attack capabilities as a vital military goal in PSYOPs (Psychological Operations) and “information-centric fights”:
(U) We Must Improve Network and Electro-Magnetic Attack Capability. To prevail in an information-centric fight, it is increasingly important that our forces dominate the electromagnetic spectrum with attack capabilities.
And it set forth the urgency of dominating the “IO battlespace” not only during wartime but also in peacetime:
(U) Peacetime preparation. The Department’s IO concept should emphasize the fullspectrum information operations are full-time operations requiring extensive preparation in peacetime.
– (U) Well before crises develop, the IO battlespace should be prepared through intelligence, surveillance, and reconnaissance and extensive planning activities.
As a 2006 BBC report on this Pentagon document noted: “Perhaps the most startling aspect of the roadmap is its acknowledgement that information put out as part of the military’s psychological operations, or Psyops, is finding its way onto the computer and television screens of ordinary Americans.” And while the report paid lip service to the need to create “boundaries” for these new IO military activities, “they don’t seem to explain how.” Regarding the report’s plan to “provide maximum control of the entire electromagnetic spectrum”, the BBC noted: “Consider that for a moment. The US military seeks the capability to knock out every telephone, every networked computer, every radar system on the planet.”
Since then, there have been countless reports of the exploitation by the US national security state to destroy privacy and undermine internet freedom. In November, the LA Times described programs that “teach students how to spy in cyberspace, the latest frontier in espionage.” They “also are taught to write computer viruses, hack digital networks, crack passwords, plant listening devices and mine data from broken cellphones and flash drives.” The program, needless to say, “has funneled most of its graduates to the CIA and the Pentagon’s National Security Agency, which conducts America’s digital spying. Other graduates have taken positions with the FBI, NASA and the Department of Homeland Security.”
In 2010, Lawrence E. Strickling, Assistant Secretary of Commerce for Communications and Information, gave a speech explicitly announcing that the US intends to abandon its policy of “leaving the Internet alone”. Noting that this “has been the nation’s Internet policy since the Internet was first commercialized in the mid-1990s”, he decreed: “This was the right policy for the United States in the early stages of the Internet, and the right message to send to the rest of the world. But that was then and this is now.”
The documented power of the US government to monitor and surveil internet communications is already unfathomably massive. Recall that the Washington Post’s 2010 “Top Secret America” series noted that: “Every day, collection systems at the National Security Agency intercept and store 1.7 billion e-mails, phone calls and other types of communications.” And the Obama administration has formally demanded that it have access to any and all forms of internet communication.
It is hard to overstate the danger to privacy and internet freedom from a massive expansion of the National Security State’s efforts to exploit and control the internet. As Wired’s Singel wrote back in 2010:
“Make no mistake, the military industrial complex now has its eye on the internet. Generals want to train crack squads of hackers and have wet dreams of cyberwarfare. Never shy of extending its power, the military industrial complex wants to turn the internet into yet another venue for an arms race“.
Wildly exaggerated cyber-threats are the pretext for this control, the “mushroom cloud” and the Tonkin Gulf fiction of cyber-warfare. As Singel aptly put it: “the only war going on is one for the soul of the internet.” That’s the vital context for understanding this massive expansion of Pentagon and NSA consolidated control over cyber programs.
Bonanza for private contractors
As always, it is not just political power but also private-sector profit driving this expansion. As military contracts for conventional war-fighting are modestly reduced, something needs to replace it, and these large-scale “cyber-security” contracts are more than adequate. Virtually every cyber-security program from the government is carried out in conjunction with its “private-sector partners”, who receive large transfers of public funds for this work.
Two weeks ago, Business Week reported that “Lockheed Martin Corp., AT&T Inc., and CenturyLink Inc. are the first companies to sign up for a US program giving them classified information on cyber threats that they can package as security services for sale to other companies.” This is part of a government effort “to create a market based on classified US information about cyber threats.” In May, it was announced that “the Pentagon is expanding and making permanent a trial program that teams the government with Internet service providers to protect defense firms’ computer networks against data theft by foreign adversaries” – all as “part of a larger effort to broaden the sharing of classified and unclassified cyberthreat data between the government and industry.”
Indeed, there is a large organization of defense and intelligence contractors devoted to one goal: expanding the private-public merger for national security and intelligence functions. This organization – the Intelligence and National Security Alliance (INSA) – was formerly headed by Adm. McConnell, and describes itself as a “collaboration by leaders from throughout the US Intelligence Community” which “combines the experience of senior leaders from government, the private sector, and academia.”
As I detailed back in 2010, one of its primary goals is to scare the nation about supposed cyber-threats in order to justify massive new expenditures for the private-sector intelligence industry on cyber-security measures and vastly expanded control over the internet. Indeed, in his 2010 Op-Ed, Adm. McConnell expressly acknowledged that the growing privatization of internet cyber-security programs “will muddy the waters between the traditional roles of the government and the private sector.” At the very same time McConnell published this Op-Ed, the INSA website featured a report entitled “Addressing Cyber Security Through Public-Private Partnership.” It featured a genuinely creepy graphic showing the inter-connectedness between government institutions (such as Congress and regulatory agencies), the Surveillance State, private intelligence corporations, and the Internet:
Private-sector profit is now inextricably linked with the fear-mongering campaign over cyber-threats. At one INSA conference in 2009 – entitled “Cyber Deterrence Conference” – government officials and intelligence industry executives gathered together to stress that “government and private sector actors should emphasize collaboration and partnership through the creation of a model that assigns specific roles and responsibilities.”
As intelligence contractor expert Tim Shorrock told Democracy Now when McConnell – then at Booz Allen – was first nominated to be DNI:
“Well, the NSA, the National Security Agency, is really sort of the lead agency in terms of outsourcing . . . . Booz Allen is one of about, you know, ten large corporations that play a very major role in American intelligence. Every time you hear about intelligence watching North Korea or tapping al-Qaeda phones, something like that, you can bet that corporations like these are very heavily involved. And Booz Allen is one of the largest of these contractors. I estimate that about 50% of our $45 billion intelligence budget goes to private sector contractors like Booz Allen.”
This public-private merger for intelligence and surveillance functions not only vests these industries with large-scale profits at public expense, but also the accompanying power that was traditionally reserved for government. And unlike government agencies, which are at least subjected in theory to some minimal regulatory oversight, these private-sector actors have virtually none, even as their surveillance and intelligence functions rapidly increase.
What Dwight Eisenhower called the military-industrial complex has been feeding itself on fear campaigns since it was born. A never-ending carousel of Menacing Enemies – Communists, Terrorists, Latin American Tyrants, Saddam’s chemical weapons, Iranian mullahs – has sustained it, and Cyber-Threats are but the latest.
Like all of these wildly exaggerated cartoon menaces, there is some degree of threat posed by cyber-attacks. But, as Singel described, all of this can be managed with greater security systems for public and private computer networks – just as some modest security measures are sufficient to deal with the terrorist threat.
This new massive expansion has little to do with any actual cyber-threat – just as the invasion of Iraq and global assassination program have little to do with actual terrorist threats. It is instead all about strengthening the US’s offensive cyber-war capabilities, consolidating control over the internet, and ensuring further transfers of massive public wealth to private industry continue unabated. In other words, it perfectly follows the template used by the public-private US National Security State over the last six decades to entrench and enrich itself based on pure pretext.