“The Department of Defense accidentally exposed an intelligence-gathering operation, thanks to an online storage misconfiguration.
It neglected to make those storage servers private, collecting billions of public internet posts from social media, news sites, and web forums and storing them on Amazon S3 repositories.
‘The data exposed in one of the three buckets is estimated to contain at least 1.8 billion posts of scraped internet content over the past 8 years’, UpGuard said in a Friday report. So anyone with a free Amazon AWS account could browse and download the data.”
“Much of the data was scraped from news sites, web forums, and social media services such as Facebook and Twitter. The information includes content relating to Iraqi and Pakistani politics and ISIS, but also social media posts made by Americans.
In a Twitter direct message, Vickery told PCMag he “made sure the [storage] buckets we discovered were secured before anything was brought to media attention.” However, he has no idea if anyone else, like malicious parties, ever accessed the data.
DOD didn’t immediately respond to a request for comment. But the Pentagon confirmed the accidental leak to CNN.
Why the Defense Department was collecting this information isn’t clear. But it certainly raises eyebrows at a time when concerns persist about US surveillance programs. It also comes as US agencies are struggling on the cybersecurity front. The National Security Agency, for instance, failed to stop breaches of its own classified hacking tools.
“Even the most sensitive intelligence organizations are not immune to sizable cyber risk,” UpGuard said in its Friday report.
The Defense Department isn’t the only one to commit the security slip-up with AWS cloud storage. Earlier this year, UpGuard found that Verizon and Dow Jones made the same mistake, effectively exposing their private customer data to the public.
Update: In an email, US Central Command commented on the accidental leak.
“Once alerted to the unauthorized access, CENTCOM implemented additional security measures to prevent unauthorized access,” said Major Josh Jacques, a spokesman for US Central Command.
The purpose of the data collection still wasn’t made clear. But Jacques told PCMag: “The information you are asking about is not sensitive information. It is not collected nor processed for any intelligence purposes.”
The data was actually provided by a contractor using “commercial off-the-shelf programs,” according to Jacques.
“U.S. Central Command has used commercial off-the-shelf and web-based programs to support public information gathering, measurement and engagement activities of our online programs on public sites,” he added. “The information is widely available to anyone who conducts similar online activities.”
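The exposure described above came down to bucket permissions rather than any exploit: S3 has two predefined global groups, AllUsers (every request, authenticated or not) and AuthenticatedUsers (any holder of any AWS account), and a grant to the second is exactly what "anyone with a free Amazon AWS account could browse and download the data" describes. As an added example that is not code from PCMag, UpGuard or CENTCOM, the following Python audits a bucket's ACL and bucket policy for grants to either group or to a wildcard principal. The ACL and policy documents are constructed here to mirror the shapes boto3's get_bucket_acl() and get_bucket_policy() return; the bucket name and owner id are hypothetical and nothing contacts AWS.

```python
"""Flag S3 bucket ACL grants and bucket-policy statements that expose a bucket
to everyone or to every AWS account holder.

Input shapes mirror boto3 get_bucket_acl() / get_bucket_policy() responses, but
all documents below are constructed for this example and run offline.
"""
import json

# S3's predefined global groups. AllUsers is literally everyone, including
# unauthenticated requests; AuthenticatedUsers is anyone with any AWS account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone", AUTHENTICATED_USERS: "any AWS account"}


def acl_findings(acl):
    """Return (source, who, permission) for each ACL grant to a public group.

    `acl` has the shape of boto3 s3.get_bucket_acl(Bucket=...)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grants name one account
        who = PUBLIC_GROUPS.get(grantee.get("URI"))
        if who:
            findings.append(("ACL", who, grant.get("Permission")))
    return findings


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy_json):
    """Return (source, who, actions) for each Allow statement with a wildcard
    principal. `policy_json` is the string in the "Policy" key of
    get_bucket_policy(). Statements carrying a Condition block are reported as
    conditional, since a condition such as aws:SourceVpc may narrow the grant."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given un-listed
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or not _principal_is_wildcard(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        who = "anyone (conditional)" if st.get("Condition") else "anyone"
        findings.append(("Policy", who, tuple(actions)))
    return findings


def audit_bucket(acl, policy_json=None):
    """Combine ACL and policy findings; an empty list means no public grant."""
    findings = acl_findings(acl)
    if policy_json is not None:
        findings += policy_findings(policy_json)
    return findings


# Constructed sample documents (hypothetical bucket name and owner id).
OWNER = {"Type": "CanonicalUser", "ID": "a" * 64, "DisplayName": "example-owner"}

ACL_EXPOSED = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}

ACL_PRIVATE = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
}

POLICY_PUBLIC_READ = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-scrape-bucket/*",
    }],
})

POLICY_SINGLE_ACCOUNT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-scrape-bucket",
                     "arn:aws:s3:::example-scrape-bucket/*"],
    }],
})


if __name__ == "__main__":
    for name, acl, pol in [("exposed", ACL_EXPOSED, POLICY_PUBLIC_READ),
                           ("private", ACL_PRIVATE, POLICY_SINGLE_ACCOUNT)]:
        print(name, audit_bucket(acl, pol) or "no public grants")
```

Against a live account the same functions take the dicts returned by get_bucket_acl() and the "Policy" string from get_bucket_policy() for every bucket in list_buckets(). Two caveats: a bucket-level READ grant permits listing, while download of each object also depends on object ACLs and the policy, so a clean bucket ACL alone is not proof of privacy; and the account-level S3 Block Public Access setting, which AWS added later, overrides such grants at request time, so an audit like this shows what the ACL and policy themselves would permit, which is still worth knowing.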
President John F. Kennedy meets with the Chairman of the Joint Chiefs of Staff Gen. Maxwell D. Taylor and Defense Secretary Robert S. McNamara at the White House on Oct. 2, 1963.
“DEFENSE ONE” By Harlan Ullman
“Tragically, the U.S. started these wars for reasons that proved wildly wrong, or intervened based on lack of knowledge and understanding that led to failure.
The reasons for failure span generations of leaders and apply equally to both political parties, suggesting that somehow this predilection for failure has become part of the national DNA.”
“Most Americans believe that their military is the finest in the world, a belief well-founded by several measures. Yet if the U.S. military were a sports team, based on its record in war and when called upon to defend the nation since World War II, it would be ranked in the lowest divisions.
Consider history. The United States won the “big one”: the Cold War. But every time Americans were sent to wars that it started or into combat for reasons that lacked just cause, we lost or failed. Korea was at best a draw, ended not by a peace treaty but a “temporary” truce. Our record in subsequent conflicts was too often no better, and too often worse. Vietnam was an outright and ignominious defeat in which over 58,000 Americans died. George H.W. Bush’s administration deserves great credit in the first Iraq War and in handling the collapse of the Soviet Union. But the Afghanistan intervention begun in 2001 is still going with no end in sight. The Second Iraq War, launched in 2003, was rightly termed a fiasco. Even far smaller interventions — Beirut and Grenada in 1983, Libya in 2011 — failed.
Americans need to know why. Notably, failure was not the fault of the Pentagon. My new book, Anatomy of Failure: Why America Loses Every War It Starts, analyzes and explains why this record of failure has occurred and why these setbacks, if uncorrected, will continue.
Failure begins at the top. Americans elect presidents who, too often, are unprepared, unready and too inexperienced for the responsibilities of arguably the most difficult office in the world. This has led to flawed strategic judgment made worse by an absence of sufficient knowledge and understanding of the conditions in which force is to be used.
President John F. Kennedy tartly observed that there is no school for presidents. Yet both he and his successor Lyndon Johnson became trapped in the Vietnamese quagmire because of poor strategic judgment and a near-total lack of knowledge and understanding of that conflict.
Ronald Reagan wrongly believed he could bankrupt the Soviet Union by engaging in an arms race. Along the way, he blundered into Beirut, which cost the lives of 241 American servicemen blown up in a barracks; and Grenada, where he sought to protect American medical students who were in no danger and to stop the construction of a “Soviet air base” that was in fact a government effort to increase tourism.
It took Bill Clinton 78 days to force Serbian President Slobodan Milosevic to stop the killing of Kosovars through a bombing campaign that, if accompanied by the threat of ground forces, might have done the job in hours. George W. Bush invaded Iraq to change the “geostrategic landscape of the greater Middle East” by democratizing the region — and produced arguably the greatest American catastrophe since the Civil War. And Barack Obama touched off civil war in Syria by bombing Benghazi, leading to the death of Muammar Qaddafi and regional violence.
Tragically, the U.S. started these wars for reasons that proved wildly wrong, or intervened based on lack of knowledge and understanding that led to failure. While Donald Trump, fortunately, has not suffered a crisis such as 9/11, his strategic judgment and understanding seem as poor as or even worse than his predecessors’.
To prevent or mitigate future failures, we must discard our 20th-century thinking and adopt a new, brains-based approach to strategic judgments. Deterring the Soviet Union was far different from deterring a Russia that has no intent of attacking NATO or al Qaeda and the Islamic State that lack armies and navies. Moreover, our policymakers must have far greater knowledge and understanding of conditions in which force is to be used. And the focus of policy and strategy must be to affect, influence, and even control the will and perception of friends, foes and enemies.
Unless and until Americans recognize why we fail too often in using force and correct these flaws, the chances of future reverses may not be inevitable. But it is highly likely.”
Dr. Harlan Ullman is a Distinguished Senior Fellow and Visiting Professor at the U.S. Naval War College in Newport, R.I.; a Senior Advisor at Washington D.C.’s Atlantic Council and Business Executives for National Security; chairman of two private companies; and principal author of the doctrine of shock and awe. A former naval officer, he commanded a destroyer in the Persian Gulf and led more than 150 missions and operations in Vietnam as a Swift Boat skipper.
“STRATFOR” By Sarang Shidore Senior Global Analyst
“For decades the United States has sat atop a unipolar world, unrivaled in its influence over the rest of the globe.
And as the Earth’s sole superpower turns inward, [Russia and China] will seek to carve out bigger backyards for themselves.”
“An Informal Alliance Emerges
First, a few observations about the Cold War. The multidecade conflict was much like the classical great-power contests that have taken place since the advent of the modern nation-state: Two blocs of roughly equal power (NATO and the Warsaw Pact) participated in a continuous arms race, waged proxy wars and engaged in the politics of securing spheres of influence.
But the Cold War also contained some striking new elements. Chief among them were the feud’s pervasive reach into most sovereign states, the presence of nuclear weapons, the two participants’ radically different economic and political systems, and the missionary zeal each superpower had for exporting its ideology worldwide. Moreover, membership within each alliance was sizable and stable, though developing countries occasionally shifted their loyalties after a revolution or military intervention by the United States or the Soviet Union.
On their face, any parallels between today and the Cold War of decades past seem overblown. The United States leads most formal alliance structures; Russia and China have no obvious ideology to export; and variations of capitalism have won out worldwide, leading to a deeply integrated global economy. Furthermore, Russia and China appear to have too many conflicts of interest to form an enduring partnership.
A closer look at recent events, however, suggests otherwise. Despite lacking an official alliance, Russia and China have acted virtually in lockstep on many major security issues. Both were first neutral, then opposed to, NATO’s intervention in Libya in 2011. Both have taken nearly identical positions on the Syrian conflict and cyber governance at the United Nations. Both have issued a joint proposal to resolve the crisis on the Korean Peninsula by freezing North Korea’s nuclear and missile programs in exchange for halting joint military exercises between South Korea and the United States. Both are firmly opposed to undermining the Iranian nuclear deal. And both have lobbied against U.S. missile defenses in Central Europe and Asia, as well as the Western doctrine of intervention known as “responsibility to protect.” Meanwhile China — a well-known defender of the principle of national sovereignty — has been noticeably silent on Russia’s intervention in Ukraine.
At the same time, Beijing and Moscow have symbolically demonstrated their compact in the realm of defense. They have conducted joint military exercises in unprecedented locales, including the Mediterranean Ocean and the Baltic Sea, as well as in disputed territories, such as the Sea of Japan and the South China Sea. Weapons deals between them are likewise on the rise. Russian arms sales to China skyrocketed in 2002. After temporarily dropping off between 2006 and 2013 amid suspicion that China was reverse-engineering Russian platforms, Russia’s sales to China resumed. Moscow agreed to sell its most sophisticated systems, the Su-35 aircraft and the S-400 surface-to-air missile systems, to its Asian neighbor.
The two great powers have signed several major energy deals of late, too. Russian oil has made up a steadily growing share of China’s energy portfolio for years, and in 2016 Russia became the country’s biggest oil supplier. China, for its part, has begun to substantially invest in Russia’s upstream industry while its state-run banks have heavily bankrolled pipelines connecting the two countries. Beijing, for instance, recently acquired a large stake in Russian oil giant Rosneft. Russian exports of natural gas, including liquefied natural gas, to China are climbing as well. These moves are rooted in grand strategy: Russia and China are privileging each other in energy trade and investment to reduce their dependence on locations where the United States is dominant.
With their robust indigenous defense industries and vast energy reserves alone, China and Russia satisfy the basic requirements of presenting an enduring challenge to the United States. But both have also begun pushing for greater financial and monetary autonomy by distancing themselves from the dollar-dominated order of international trade and finance. China has already partially seceded from the SWIFT system of global banking transactions by creating its own system, CIPS. Russia is following suit, and it too has started to build an alternative network. Moreover, the Chinese yuan recently entered the International Monetary Fund’s Special Drawing Rights currency basket. Now most Asian currencies track far more closely with the yuan than the dollar in value. China plans to introduce an oil futures contract in yuan that can be fully converted to gold as well. This, along with Beijing and Moscow’s decision to boost their gold reserves, suggests that they may be preparing to switch to a gold standard someday. (The convertibility of gold is an important intermediate step toward boosting investor confidence in an up-and-coming currency like the yuan, which still suffers from many constraints such as illiquidity and significant risk in its country of origin.) The seriousness of their effort indicates their determination to move away from a system ruled by the U.S. currency.
Of course, China and Russia still suffer huge deficits with respect to the United States in technology, innovation and global force projection. But the gap may be closing as China makes substantial investments into sunrise technologies such as renewable energy, biotechnology and artificial intelligence. Plus, the projection of power to every corner of the globe probably isn’t their immediate goal. Rather, the two powers seem to be aiming for maximum autonomy and a proximate sphere of influence that encompasses Eastern Europe and parts of the Middle East and Asia. They also seek to overhaul international rule-making with the intention of gaining greater influence in multilateral institutions, securing vetoes over military interventions, increasing global governance of the internet (albeit for their own self-interest), ending U.S. pressure regarding democracy and human rights, dethroning the reigning dollar and accounting for their interests in the design of the global security order.
A Durable Marriage of Convenience
China and Russia are not natural allies. They have a long history of discord and at least three areas of conflicting interests: overlapping backyards in Central Asia, competition in arms sales and a growing asymmetry in power that favors Beijing.
Over the years, the two countries have taken on somewhat distinct roles in Central Asia. Russia has become the leading security guarantor in the region by founding the Collective Security Treaty Organization (CSTO), a formal alliance with a mutual self-defense clause, and by building military bases in Kyrgyzstan and Tajikistan. Russia has also integrated Kazakhstan into its air defense system. By comparison, China is rapidly emerging as the leading energy and infrastructure partner in the region. The country’s Belt and Road Initiative is well underway, and several oil and natural gas pipelines connecting China to its Central Asian neighbors are already functional. That said, both powers have a stake in the region’s security and economic integration, as evidenced by the presence of the Russia-led Eurasian Economic Union and the China-led Shanghai Cooperation Organization there.
Despite their dependence on China and Russia, Central Asian states still enjoy considerable autonomy and cannot be deemed satellites of either great power. The recent resistance of Kazakhstan, a CSTO member, to Russian pressure to deploy troops to Syria is a case in point. Of the five Central Asian countries, Kyrgyzstan, Tajikistan and Kazakhstan are most closely intertwined with China and Russia; Uzbekistan and Turkmenistan have kept a greater distance.
The dynamic Chinese economy’s steady outpacing of its Russian counterpart would ordinarily cause deep consternation in Moscow. However, Russia seems to have largely accepted the reality of China’s rising power — an acceptance that is key to the formation of a compact between them. Beijing, for its part, has tactfully walked back from its historical claims to Outer Manchuria, paving the way for the settlement of its long-standing border dispute with Moscow. China has also worked to keep its economic competition with Russia from degenerating into political antagonism.
Russia is still wary of China, though. Against the wishes of Beijing, which has a long-standing competition with New Delhi, Moscow supported and facilitated India’s accession to the Shanghai Cooperation Organization. The Kremlin also keeps close ties to Vietnam and maintains an ongoing dialog with Japan. However, Russia has also compromised with China on some of these matters, including by agreeing to Pakistan’s simultaneous admission to the bloc. It has also limited its cooperation with Tokyo, dragging its feet in settling its Kuril Islands dispute with Japan.
These concessions indicate Moscow’s pursuit of a hedging strategy, not a balancing one. If Russia were truly trying to balance China, their rivalry in Central Asia would take on a security dimension, resulting in factionalization or, in the worst-case scenario, wars between their local proxies. So while some structural tension certainly exists between China and Russia and could lead to a security rivalry in the long run, their leaders have actively managed and largely contained it thus far. This marriage of convenience will likely prove lasting, given its goals for dramatically transforming the international system. And even if a formal Russia-China alliance never comes to pass, the durability of their partnership already makes it feel like one in many ways. That the two countries feel no need to formalize their alliance, moreover, indicates that informality will increasingly serve as a template for strategic partnerships in the future.
The Resurgence of the Middle
Could an alignment between Russia and China expand to new states? The country most likely to join their compact is Iran. A revolutionary state with deep enmity for the United States and its allies, including Israel and Saudi Arabia, Iran has a strong desire to rewrite the rules of the current global order. As China’s Belt and Road Initiative has taken off, Chinese investment in Iran has started to rise. And though Iran and Russia have their differences, their security interests have recently aligned. In the Syrian civil war, for instance, they have closely coordinated their air and ground operations over the past two years. Iran, meanwhile, would add to the two great powers’ energy heft and welcome any attempt to shift global energy markets away from the dollar. Under the current circumstances, Iran has every reason to strengthen its strategic ties with Russia and China, even as it woos global investors.
Iran isn’t the only core state candidate that may join the Sino-Russian compact. China’s Belt and Road Initiative is a formidable gambit, partly intended to draw several states into its orbit. Among them are Pakistan, Myanmar, Bangladesh, Turkey, Sri Lanka and Thailand. All of these nations, in theory, could join the Sino-Russian core. Still, it is doubtful whether most will. Turkey, a member of NATO, has worked more closely with Russia and Iran in the past few months to manage the Syrian conflict, and it is heavily reliant on Russian energy supplies. But Turkey will find it difficult to abandon its commitments to NATO; instead it will most likely play a transactional game with all three powers.
On the Asian continent, it is in Sri Lanka’s and Bangladesh’s best interests not to antagonize their next-door neighbor, India, by tilting too far toward China. Moreover, Myanmar has a complex history with China, while Thailand is a U.S. treaty ally that lately has sought a middle ground between Washington and Beijing. Pakistan has been close to China for decades while maintaining an intense (if transactional) security relationship with the United States and complicated ties with Iran. If relations between Islamabad and Washington as well as New Delhi and Beijing deteriorate sharply, Pakistan may find that aligning with Russia and China brings more benefits than costs. But when all is said and done, any attempt to transform the Sino-Russian compact into an expansive, international alliance would encounter massive roadblocks.
Meanwhile, all is not going as planned within the United States’ own bloc. Washington’s treaty ally, South Korea, staunchly opposes any U.S. military action against North Korea. The United States’ ties with another major partner, Turkey, are deteriorating. The Philippines is trying to balance between the United States and China, as is Thailand. Australia is increasingly torn between its deep economic dependence on China and its commitments to the United States. Wide rifts have opened between the United States and Europe over trade, climate action and Iran. Hungary has moved closer to Russia as populist nationalism — in some cases laced with support for Russian President Vladimir Putin — rises across the Continent. Then there is Germany, which the United States has long worried is less than fully committed to balancing against Russia. On top of all this, a nationalist upswing in U.S. politics has made the superpower more hostile to trade agreements and foreign entanglements.
On the other hand, the United States is bolstering its security relationship with India and Vietnam, finding ready partners against China and Russia in Japan and Poland, respectively, and enjoying the prospect of a post-Brexit United Kingdom that is more beholden to Washington than ever before. With a population of more than a billion people, India’s future is particularly consequential to the global order — but only if it can transcend its many domestic challenges. And though India could become a core member of the U.S.-led bloc in the future, its historical autonomy and deep defense ties with Russia could limit just how close New Delhi can get to Washington and Tokyo.
Added to these factors are the non-state challenges to state power that have emerged since the 1990s and now show no sign of going away. Giant technology corporations, criminal networks, transnational terrorist groups, global civil society and growing environmental threats often weaken the system of sovereign nation-states, and they will continue to do so in the years to come.
Two Poles, Much Smaller Than Before
The upshot of these changes is that bipolarity, though not inevitable, is likely a foundational feature of the future. But it would be much diminished, compared with that of the Cold War — a “bipolarity-minus” of sorts. Each side in such a world would boast a much smaller set of core members: Russia, China, probably Iran and plausibly Pakistan, on one side, and the United States, the United Kingdom, Canada, probably Japan and plausibly India and Australia on the other.
Though all other powers may lean in one direction or another, they would have more malleable relationships with each bloc and with each other. At the same time, there would be ample space for non-state actors and fluid minor coalitions to try to maximize their own freedom by, among other things, limiting the intensity of bipolarity among the great powers. Core states would have to work that much harder to win over the many swing states scattered across the globe, and alignment based on specific issues will become the norm. Existing institutions of global governance will either become moribund or will shrink as competing institutions with different approaches form and gain traction.
The Cold War years offered a faint preview of this world. The Non-Aligned Movement and the G-77 influenced issues such as decolonization, foreign aid and disarmament, while OPEC briefly shook the world with an oil embargo. Core bloc members occasionally demonstrated radical autonomy — the Sino-Soviet split of 1959, “goulash communism” in Hungary and Ostpolitik in West Germany are only a few examples. Still, these deviations never seriously undermined the global system, dominated as it was by two superpowers.
Today a new constraint on the emergence of true bipolarity exists: the intertwining of the U.S. and Chinese economies. Interdependence determinists will argue that such ties are incompatible with bipolarity and will ultimately prevent it. However, the limited nature of a bipolarity-minus world may allow the phenomena to coexist, albeit uneasily, as they did in a highly interdependent Europe before World War I. Alternatively, the United States and China may reorder their supply chains to reduce this interdependence over time. Technological advances are already shrinking these supply chains, a trend that could accelerate if the United States becomes far more protectionist.
If the future does indeed hold a bipolar-minus world, the United States may not be ready for it. To be prepared, Washington would have to recalibrate its strategy. In a world in which many major powers are uncommitted and have large degrees of freedom, tools like open-ended military interventions, unilateral sanctions, extraterritoriality and hostility to trade will likely yield diminishing returns. By comparison, incentivization, integration, innovation and adroit agenda-setting can be smarter and more effective options. The United States historically has been a pioneer of these approaches, and it may prove able to wield them persuasively once again. But perhaps most important, the superpower will have to resolve its internal polarization if it hopes to position itself as a cohesive leader of the international community. Only then will it once again become, as former U.S. President Ronald Reagan so eloquently put it, “a shining city upon a hill.”
“POGO found that the median return on investment was $1,323 in contracts for every dollar spent on federal lobbying and election activities.
The federal government’s 100 largest contractors received an incredible return on their investment in lobbying and election contributions in FY 2016, spending just $289 million on political influence but receiving more than $262 billion in federal business.”
“This data comes in part from POGO’s Federal Contractor Misconduct Database (FCMD), recently updated with the government’s Federal Procurement Data System fiscal year 2016 ranking of the top 100 contractors. POGO’s database currently tracks 220 of the federal government’s largest providers of goods and services and contains more than 2,700 resolved and pending misconduct instances dating back to 1995. Over that time, these entities have paid nearly $99 billion in fines, settlements, and court judgments.
The top 100 companies were collectively awarded more than $262 billion in contracts in FY 2016, accounting for 55 percent of all contracts awarded that year. According to data compiled by the Center for Responsive Politics, the top 100 collectively spent more than $218 million on federal lobbying in 2016 and nearly $71 million in federal campaign donations during the 2016 election cycle, resulting in a median return on investment (dollar amount in contracts received for each dollar spent on lobbying and campaign contributions) of $1,323.
POGO also found a strong positive correlation between contract awards and lobbying/election expenditures for aerospace/defense contractors. By comparing the two data sets and analyzing them by industry sector, we found the median return on investment for aerospace/defense companies was $1,120 for every dollar spent lobbying, while for IT services firms it was an astonishing $5,296. Four IT giants have joined our database this year, including Carahsoft, Engility, Hewlett Packard Enterprise Company, and prestigious IT institution Stanford University.
Eight of the ten largest federal contractors in FY 2016 were military hardware suppliers. Of these eight, five were also among the ten biggest spenders on political influence. Lockheed Martin and Boeing topped both lists and earned relatively high returns on investment: $2,382 and $1,225, respectively.
Some contractors had deceptively low returns on investment. General Atomics received $377 in contracts for every dollar spent on influence, while General Electric received just $183. However, these companies get other returns from Uncle Sam, such as subsidies (grants, loans, and tax credits) and favorable tax, trade, and regulatory policies. According to Good Jobs First’s Subsidy Tracker database, in FY 2016 General Atomics received nearly $68 million in research grants from the Department of Energy, while General Electric received more than $42 million in federal grants, loans, and loan guarantees from various agencies.
In the past, POGO has recommended common-sense reforms to bring greater transparency and accountability to the contracting system:
“The Army needs at least two years to figure out a new, war-ready communications network to replace its current, fragile systems, the acting secretary said this week.
There’s no quick fix: The service is effectively starting over on what it’s long described as its No. 1 priority for modernization.”
“A recently created task force called a Cross-Functional Team (CFT) will overhaul the network architecture, Acting Secretary of the Army Ryan McCarthy told reporters, but its major recommendations won’t be ready until 2019, when the budget request for 2020 is submitted. In the meantime, to ensure that troops are ready to “fight tonight” against immediate threats like Russia and North Korea, the Army is urgently seeking off-the-shelf stopgaps from the commercial world.
“It’s going to take a few years. What do you do in between?” said Gen. Mark Milley, the Army Chief of Staff, speaking alongside McCarthy at a Defense Writers’ Group breakfast Wednesday. “What happens if there’s a conflict? And that’s a real challenge, Sydney, that’s hard, and there’s an element of risk there.”
The Army is still issuing some units with the current battlefield network, WIN-T Increment 2, which began fielding in 2012 and still hasn’t reached the entire force. (The Hawaii-based 2nd Brigade, 25th Infantry Division is getting its WIN-T kit right now). But the Warfighter Integrated Network – Tactical program will end next year because it isn’t reliable and resilient enough for fast-moving operations against a sophisticated enemy who can jam or hack it. So after a decade working on WIN-T, the Army will take another two years or more to go back to the drawing board.
“Yes, it probably will take a couple of years to get it right. Changing the architecture of our network…the scale is massive,” McCarthy said. “We stood up these Cross-Functional teams a couple of weeks ago, to be honest with you. They are going to influence the ’20 budget” — not 2019.
The Army strategy is “halt-fix-pivot,” Gen. Milley and Sec. McCarthy explained:
immediately halt programs that simply won’t hold up on a mobile battlefield under sophisticated cyber and electronic attack;
“We want to stop those subsets of the programs that we know with certainty will not work…for the combat environment that we envision,” Milley said. He wouldn’t say which specific programs were on the block: “Those are still under evaluation,” he said.
While some programs must go, Milley continued, “there are other parts of the system that we know can be fixed. We’ve had many meetings with industry (and) industry is already working on those piece parts of the quote, ‘network system’ that can be fixed in order to operate in a highly dynamic and very lethal maneuver battlefield.”
“And then, what we do is pivot the entire system of systems…to develop a holistic system that does operate in the (high-intensity) environment,” Milley concluded.
This isn’t about any one program: “It’s stepping back and looking at a common architecture, as opposed to particular issues with hardware (or) software,” McCarthy said. “It will take us several years to review the architecture and make fundamental changes.”
How fundamental? “We went back to the white board, literally, and we started laying out things like first principles,” Milley said. “We used that to evaluate not just WIN-T…but the whole suite.”
“We learned that a lot of these systems don’t talk to each other, within the army or the joint force,” Milley said. “We learned that the system is very, very fragile and is probably not going to be robust and resilient enough to operate in a highly dynamic battlefield with lots of ground maneuver and movement. We know that the system is probably vulnerable to sophisticated nation-state countermeasures.”
Short-Term vs. Long
Going back to the drawing board to fix these problems — the pivot phase — will take “years,” Milley acknowledged, “but the fix part is a much faster piece. Will we be fast enough? Time will tell,” he said. “I know that we are working extremely hard, and we know we’re against the clock.”
But this has pitfalls too. The Army and the other services already bypassed the procurement bureaucracy and rushed off-the-shelf equipment into service in Afghanistan and Iraq, from network tech to Mine-Resistant Ambush-Protected trucks (MRAPs). They had to take shortcuts to save lives, but the result was a lot of wasted money and a patchwork of incompatible equipment.
Ironically, the program that was supposed to bring order to this chaos was WIN-T. Now the Army is halting WIN-T and, once again, embarking on a multi-year quest for one network to rule them all. In the meantime, once again, the service has to keep kludging together partial solutions. The short-term fix may, once again, make the long-term solution harder. The risk of just repeating history is very real.”
Ellen Lord is a former Textron executive and now the Under Secretary of Defense for Acquisition, Technology and Logistics.
“John Rood, in line to become the next under secretary of defense for policy. His last job was as a senior vice president at Lockheed Martin International.
John McCain – “One of my major concerns has been the big five (defense industry companies) and the rotating back and forth between government and business.”
“The White House’s nominee to take over the Pentagon’s top policy job sparred with lawmakers over potential business conflicts with his last job, the latest episode in a series of fights over the President Donald Trump’s reliance on defense industry executives to fill senior military posts.
John Rood, in line to become the next under secretary of defense for policy, has previously served as acting undersecretary of state for arms control and deputy assistant secretary of defense for forces policy.
But his last job was as a senior vice president at Lockheed Martin International, where his responsibilities included “executing strategies to grow (the company’s) international business” and managing government relations activities overseas.
Senate Armed Services Committee member Elizabeth Warren, D-Mass., said she saw that as a problematic issue for his nomination.
“You were responsible for selling Lockheed’s products to other countries,” she said. “In your new role, you will be responsible for defense policy, including overseeing policy on foreign military sales to those same countries.”
Under department rules, Rood is already blocked from decisions directly related to Lockheed for two years, and required to divest himself from the company fully. But when asked if he would also recuse himself from policy discussions that may involve any foreign Lockheed sales, he demurred.
“Those issues that involve particular matters, something that involves the financial health of the company, I’m recused from,” he said. “If you’re describing a policy matter, such as how the United States should have a relationship with another country in an arms area, or cooperation between our air forces, I would be involved in that.”
The response drew criticism from Warren and a warning from committee Chairman John McCain, R-Ariz., that his unclear answers would cause “trouble” with his nomination.
“One of my major concerns has been the big five (defense industry companies) and the rotating back and forth between government and business,” he said. “This is a straightforward example of why we need straight answers.
“This isn’t something that should be difficult. You should not be making decisions that are related to your previous employment.”
McCain said he would request additional information from Rood before advancing his nomination. Several times in recent months, he has complained about the large number of Trump’s nominees coming from the defense industry, and had said Rood would be the last one he would support.
Whether he’ll withdraw that support now remains unclear.
Among major jobs filled from the defense industry are Patrick Shanahan, a Boeing vice president who is now deputy secretary of defense; Mark Esper, a Raytheon executive who is now Army secretary; Ellen Lord, a Textron executive who now heads the Office of the Under Secretary of Defense for Acquisition, Technology and Logistics; and Ryan McCarthy, the undersecretary of the Army, who previously worked at Lockheed.
Rood’s nomination filled one of the last prominent vacancies at the Defense Department, bringing relief to some outside advocates who worry that the Pentagon is months behind on critical policy work without a permanent new leader there.
The post’s responsibilities include finalizing the new National Defense Strategy, under development since the spring. The document is designed to set Pentagon priorities for operations, readiness and spending.
Rood told committee members he would work to answer their concerns in the days to come. Lawmakers are scheduled to leave town later today for a week-long Thanksgiving break, before returning to Capitol Hill for four weeks of end-of-year wrap up work.”
“In addition to digitizing more than 500 million pages of records, NARA [The National Archives and Records Administration] announced that it will cease accepting non-electronic records from agencies by the end of 2022.
Given that NARA will only be accepting electronic formats with appropriate metadata tagging, while rejecting any permanent or temporary records in analog format, agencies need to be prepared for the deadline that lies ahead.”
“NARA recently released its draft FY 2018 – FY 2022 Strategic Plan. In addition to digitizing more than 500 million pages of records, NARA announced that it will cease accepting non-electronic records from agencies by the end of 2022.
This gives agencies a good reason to assess their current records and information management (RIM) framework and complement them through value-added modernization capabilities.
Agency Progress and Looking Forward
Even though print-and-file email retention methods have decreased dramatically in recent years, many agencies (according to the latest Records Management Self Assessment, at least 46 percent) are still using manual paper-based processes, which slow down workflows, increase inefficiencies and human errors, and eat up agency budgets. As agencies evolve and implement wholly digital record keeping strategies, they have an opportunity to not only meet, but exceed government-wide records keeping goals and prepare for NARA’s impending strategic change.
While the digitization of paper records is one essential approach for reducing and eliminating paper-based processes, it can be very costly, and should be only one consideration, not the be-all and end-all approach. Firstly, agencies should examine their storage processes, seeking to identify creative approaches that reduce their reliance on NARA storage for physical records. Potential alternatives include working with private industry to arrange the off-site storage of essential physical records and reevaluating retention periods to create more robust policies that better map to agency records storage needs. An off-site, consumption-based (i.e. Records Management as a Service) model will also reduce agency footprints while improving service levels.
Meeting NARA’s 2022 deadline goes beyond just managing the storage of physical records. It also compels agencies to modernize their technologies and processes to eliminate the necessity of creating physical records. Instead, agencies should be cultivating methodologies to ensure that any newly developed records originate and are managed digitally throughout their entire lifecycle. This includes adopting technologies that help them to simplify the creation, identification, retention and disposition of records.
One area of focus that is best poised to make a significant impact on agencies’ digital chain of records custody is workflow automation. The implementation of workflow automation software helps to eliminate administrative tedium, enables faster processing and increases accuracy. It starts with capturing information at the start, managing and accessing that information effectively, integrating automation into business processes, and measuring and storing what is needed. It takes content-heavy processes and simplifies them, and can be applied across many functional areas, such as contract management, FOIA response management, employee file management, vendor management and document management.”
“America can’t prevail in cyberspace through superior numbers. We could never match China hacker for hacker. So our best shot might be an elite corps of genius hackers whose impact is multiplied by automation.
Talent definitely matters – and it is not distributed equally. “Our best (coders) are 50 to 100 times better than their peers,” Lt. Gen. Paul Nakasone, head of Army Cyber Command (ARCYBER), said. There’s no other military profession, from snipers to pilots to submariners, that has such a divide between the best and the rest, he told last week’s International Conference on Cyber Conflict (CyberCon), co-sponsored by the US Army and NATO. One of the major lessons learned from the last 18 months standing up elite Cyber Protection Teams, he said, is the importance of this kind of “super-empowered individual.”
Such super-hackers, of course, exist in the civilian world as well. One young man who goes by the handle Loki “over the course of a weekend…found zero-day vulnerabilities, vulnerabilities no one else had found in Google Chrome, Internet Explorer and Apple Safari,” Carnegie Mellon CyLab director David Brumley said. “This guy could own 80 percent of all browsers running today.” Fortunately, Loki’s one of the good guys, so he reported the vulnerabilities – and got paid for it – instead of exploiting them.
The strategic problem with relying on human beings, however, is simple. We don’t have enough of them. “We don’t want to be in a person-on-person battle because, you know what, it just doesn’t scale,” Brumley told CyCon. “The US has six percent of the world’s population (actually 4.4). Other countries, other coalitions of countries are going to have more people, (including) more people like Loki.”
That creates a strategic imperative for automation: software programs that can detect vulnerabilities and ideally even patch them without human intervention. Brumley’s startup, ForAllSecure, created just such a program, called Mayhem, that won DARPA’s 2016 Cyber Grand Challenge against other automated cyber-attack and defense software. However, that contest was held under artificial conditions, Brumley said, and Mayhem lost against skilled human hackers – although it found some kinds of bugs better and faster. So automation may not be entirely ready for the real world yet.
Even when cybersecurity automation does come of age, Brumley said, we’ll still need those elite humans. “What these top hackers are able to do… is come up with new ways of attacking problems that the computer wasn’t programmed to do,” he said. “I don’t think computers or autonomous systems are going to replace humans; I think they’re going to augment them. They’re going to allow the human to be free to explore these creative pursuits.”
“For those of you who are in the military who are 25 years old or younger, captains and below…you’re going to have to lead the way. People my age do not have the answers,” the Army’s Chief of Staff said at CyberCon. After his speech, Gen. Mark Milley called up to the stage lieutenants and West Point cadets – but not captains, he joked, “you’re getting too old.” (He let the captains come too).
“It’s very interesting to command an organization where the true talent and brainpower is certainly not at the top, but is at the beginning stages,” said Lt. Gen. Nakasone at the same event. “It’s the lieutenants. It’s the sergeants. It’s the young captains.”
The Army has rapidly grown its cyber force. It now has 8,920 uniformed cyber soldiers, almost a ninefold increase since a year ago (and cyber only became an official branch three years ago, when it had just six officers). There are also 5,231 Army civilians, 3,814 US contractors, and 788 local nationals around the world. All told, “there’s 19,000 of them,” Milley said. “I suspect it’s gonna get a lot bigger.”
To speed up recruiting, Gen. Milley wants to bring in cyber experts at a higher rank than fresh-out-of-ROTC second lieutenants – say, as captains. Such “direct commissioning” is used today for doctors, lawyers, and chaplains, but Milley notes it was used much more extensively in World War II, notably to staff the famous Office of Strategic Services (OSS). Why not revive that model? “There’s some bonafide brilliant dudes out there. We ought to try to get them, even if it’s only 24 months, 36 months,” he said. “They’re so rich we won’t even have to pay ’em.”
(That last line got a big laugh, as intended, but “dollar-a-year men” have served their country before, including during the World Wars.)
No matter how much the military improves recruiting, however, it will probably never have enough talent in-house. (Neither will business, which is short an estimated two million cyber professionals worldwide). So how does the military tap into outside talent?
One method widely used in the commercial world is bug bounties: paying freelance hackers like Loki for every unique vulnerability they report. (Note that the Chinese military runs much of its hacking this way.) The Defense Department has run three bounty programs in the last year – Hack the Pentagon, Hack the Army, and Hack the Air Force – that found roughly 500 bugs and paid out $300,000. That’s “millions” less than traditional security approaches, says HackerOne, which ran the programs.
What’s really striking, though, is the almost 3,000 bugs that people have reported for free. Historically, the Pentagon made it almost impossible for white-hat hackers to report bugs they find, but a Vulnerability Disclosure Policy created alongside the bug bounties “has been widely successful beyond anyone’s best expectation,” said HackerOne co-founder Alex Rice, “without any actual monetary component.”
So what’s motivating people to report? For some it’s patriotism, Rice told me, but participating hackers come from more than 50 countries. In many cases, he said, hackers are motivated by the thrill of the challenge, the delight of solving a puzzle, the prestige of saying they “hacked the Pentagon,” or just a genuine desire to do good.
The other big advantage of outsourcing security this way, said Rice, is the volunteer hackers test your system in many more different ways than any one security contractor could afford to do. “Every single model, every single tool, every single scanner has slightly different strengths, but also slightly different blind spots,” Rice said. “One of the things that is so incredibly powerful about this model is that every researcher brings a slightly different methodology and a slightly different toolset to the problem.”
Those toolsets increasingly include automation and artificial intelligence.
Automation & AI
“I’m the bad news guy,” Vinton Cerf, co-inventor of the Internet, told the audience at CyCon. “We’re losing this battle (for) safety, privacy, and security in cyberspace.”
Why? “The fundamental reason we have this problem is we have really bad programming tools,” Cerf said. “We don’t have software that helps us identify mistakes that we make… What I want is a piece of software that’s watching what I’m doing while I’m programming. Imagine it’s sitting on my shoulder, and I’m typing away, and it says ‘you just created a buffer overflow.’” (That’s a common mistake that lets hackers see data beyond the buffer zones they’re authorized for, as in the Heartbleed hack.)
Such an automated code-checker doesn’t require some far-future artificial intelligence. Cerf says there are new programming languages such as TLA+ and Coq that address at least parts of the problem already. Both use what are called “formal methods” or “formal analysis” to define and test software rigorously and mathematically. There are also semi-automated ways to check a system’s cybersecurity, such as “fuzzing” – essentially, automatically generating random inputs to see if they can make a program crash.
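Cerf's buffer-overflow remark and the one-sentence description of fuzzing above, made concrete as an added C example that is not from the article or from any project it names: a heartbeat handler that trusts a declared length field (the Heartbleed pattern), its bounds-checked fix, and a small seeded fuzz loop that counts how often each handler would read past the bytes actually received. The message format, sample messages and function names are constructed for illustration; the vulnerable handler only reports the length it would copy and never touches memory out of bounds, so the program is safe to run as-is.

```c
/* Added example (not from the article): a Heartbleed-style length-field
 * over-read, the bounds-checked fix, and a tiny fuzz loop showing why
 * "random inputs until something breaks" finds this class of bug.
 * Constructed message format: 1-byte type, 2-byte big-endian declared
 * payload length, then the payload bytes. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define HEADER_LEN 3
#define MAX_MSG 256

/* What a handler decides: whether the message is accepted and how many
 * payload bytes it WOULD echo back into the reply. */
typedef struct {
    int ok;          /* 1 = accepted, 0 = rejected */
    size_t copy_len; /* bytes the handler would copy into the reply */
} parse_result;

static size_t declared_len(const uint8_t *msg) {
    return ((size_t)msg[1] << 8) | msg[2];
}

/* Vulnerable handler: trusts the declared length and never compares it with
 * the number of bytes actually received. A real copy of copy_len bytes would
 * run past the end of the buffer and leak whatever lies beyond it. */
parse_result parse_heartbeat_vulnerable(const uint8_t *msg, size_t msg_len) {
    parse_result r = {0, 0};
    if (msg_len < HEADER_LEN) return r;
    r.ok = 1;
    r.copy_len = declared_len(msg);   /* BUG: unchecked against msg_len */
    return r;
}

/* Hardened handler: the declared length must fit inside the bytes received;
 * anything else is a malformed message and is rejected outright. */
parse_result parse_heartbeat_fixed(const uint8_t *msg, size_t msg_len) {
    parse_result r = {0, 0};
    if (msg_len < HEADER_LEN) return r;
    size_t declared = declared_len(msg);
    if (declared > msg_len - HEADER_LEN) return r;   /* would over-read */
    r.ok = 1;
    r.copy_len = declared;
    return r;
}

/* Would this accepted result copy past the payload that was received? */
static int is_overread(parse_result r, size_t msg_len) {
    return r.ok && r.copy_len > msg_len - HEADER_LEN;
}

/* Minimal deterministic fuzzer: builds `iterations` random messages whose
 * declared length is drawn independently of the real payload length, runs
 * the handler under test, and counts accepted over-reads. Seeded so a run is
 * reproducible. Returns the number of over-reads the handler accepted. */
size_t fuzz_overreads(parse_result (*handler)(const uint8_t *, size_t),
                      unsigned seed, int iterations) {
    uint8_t buf[MAX_MSG];
    size_t found = 0;
    srand(seed);
    for (int i = 0; i < iterations; i++) {
        size_t payload_len = (size_t)(rand() % (MAX_MSG - HEADER_LEN + 1));
        size_t declared = (size_t)(rand() % 65536);  /* often > payload */
        buf[0] = 1;                                  /* heartbeat request */
        buf[1] = (uint8_t)(declared >> 8);
        buf[2] = (uint8_t)(declared & 0xff);
        for (size_t j = 0; j < payload_len; j++)
            buf[HEADER_LEN + j] = (uint8_t)rand();
        size_t msg_len = HEADER_LEN + payload_len;
        if (is_overread(handler(buf, msg_len), msg_len)) found++;
    }
    return found;
}

/* Constructed sample messages for a stand-alone check. */
static const uint8_t GOOD_MSG[] = {1, 0x00, 0x04, 'a', 'b', 'c', 'd'}; /* declares 4, carries 4 */
static const uint8_t BAD_MSG[]  = {1, 0xff, 0xff, 'x'};                /* declares 65535, carries 1 */

int main(void) {
    parse_result v = parse_heartbeat_vulnerable(BAD_MSG, sizeof BAD_MSG);
    parse_result f = parse_heartbeat_fixed(BAD_MSG, sizeof BAD_MSG);
    printf("vulnerable would copy %zu bytes from a %zu-byte message\n",
           v.copy_len, sizeof BAD_MSG);
    printf("fixed accepted the same message: %d\n", f.ok);
    printf("fuzz (1000 msgs): vulnerable over-reads=%zu, fixed over-reads=%zu\n",
           fuzz_overreads(parse_heartbeat_vulnerable, 42, 1000),
           fuzz_overreads(parse_heartbeat_fixed, 42, 1000));
    return 0;
}
```

The fuzz loop is the whole argument in miniature: a checker that asserts "copy length never exceeds received length" flags the vulnerable handler on the first random message that violates it, with no need to understand the protocol.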
Artificial intelligence doesn’t have to be cutting-edge to be useful. The Mayhem program that won DARPA’s Cyber Grand Challenge, for instance, “did require some amount of AI, but we did not use a huge machine learning (system),” Brumley said. “In fact, NVIDIA called us up and offered their latest GPUs, but we had no use for them.” Mayhem’s main weapon, he said, was “hardcore formal analysis.”
“There is a lot of potential in this area, but we are in the very, very early stages of true artificial intelligence and machine learning,” HackerOne’s Rice told me. “Our tools for detection have gotten very, very good at flagging things that might be a problem. All of the existing automation today lags pretty significantly today on assessing if it’s actually a problem. Almost all of them are plagued with false positives that still require a human to go through and assess (if) it’s actually a vulnerability.”
So automation can increasingly take on the grunt work, replacing legions of human workers – but we still need highly skilled humans to see problems and solutions that computers can’t.”
“The Afghanistan reconstruction effort, now in its seventeenth year, has cost taxpayers approximately $121 billion.
The Special Inspector General for Afghanistan Reconstruction (SIGAR) noted the United States has spent more than $72 billion since 2002 to build up the Afghan Forces, and warned the increased classification “will hinder SIGAR’s ability to publicly report on progress or failure in a key reconstruction sector.”
Last week, the Special Inspector General for Afghanistan Reconstruction (SIGAR) reported to Congress that U.S. Forces-Afghanistan (USFOR-A) has “classified or otherwise restricted” metrics about the Afghan National Defense and Security Forces (Afghan Forces), including casualties, personnel strength, attrition, and operational readiness—information SIGAR had recently been permitted to share with the public. This data is crucial for determining when security in the country can finally be turned over to the Afghan military and police. An internal SIGAR memorandum posted on Monday by Senator Charles Grassley (R-IA) shows exactly what data will now be kept secret.
According to SIGAR, USFOR-A determined that Afghan Forces data “belongs to the Afghan government,” which requested that it be classified. A spokesman for USFOR-A told the Project On Government Oversight that it “recognizes and respects” the Afghan government’s decision, and that it was based on “operational security and protecting national interests.”
We find it difficult to take this official explanation at face value for two reasons. First, the DoD tried this before. In early 2015, the U.S. command, citing security concerns, began to retroactively classify certain Afghan Forces metrics. At the time, there was speculation the real reason was to hide the bad news about the Afghan Forces’ strength and readiness. Weeks later, the military—without explanation—reversed course and declassified most of the data. (Since then, SIGAR has published restricted data in a classified annex to its quarterly reports that is only made available to those with a high-level security clearance.)
Second, the new classification policy just doesn’t make sense. As explained in the internal SIGAR memo, the restricted material is “historical in nature (usually between one and three months old)” and is “top-line” (as opposed to unit-specific) data. It’s basic information essential for accountability. Moreover, USFOR-A retroactively classified equipment operational readiness data as it pertains to the Afghan national army and police, but not the Afghan air force, even though USFOR-A’s classification guide states that “all material readiness data should be classified,” according to SIGAR.
The DoD should declassify the Afghan Forces data immediately, regardless of who it “belongs” to. (POGO can think of 72 billion reasons the United States is the rightful owner.) Taxpayers need to hear the bad news. We deserve to know exactly what we are paying for in Afghanistan.”
“American officials [have] had to explain to close allies — and to business leaders in the United States — how cyber weapons developed at Fort Meade in Maryland came to be used against them.
Experts believe more attacks using the stolen N.S.A. tools are all but certain.”
“Jake Williams awoke last April in an Orlando, Fla., hotel where he was leading a training session. Checking Twitter, Mr. Williams, a cyber security expert, was dismayed to discover that he had been thrust into the middle of one of the worst security debacles ever to befall American intelligence.
Mr. Williams had written on his company blog about the Shadow Brokers, a mysterious group that had somehow obtained many of the hacking tools the United States used to spy on other countries. Now the group had replied in an angry screed on Twitter. It identified him — correctly — as a former member of the National Security Agency’s hacking group, Tailored Access Operations, or T.A.O., a job he had not publicly disclosed. Then the Shadow Brokers astonished him by dropping technical details that made clear they knew about highly classified hacking operations that he had conducted.
America’s largest and most secretive intelligence agency had been deeply infiltrated.
“They had operational insight that even most of my fellow operators at T.A.O. did not have,” said Mr. Williams, now with Rendition Infosec, a cybersecurity firm he founded. “I felt like I’d been kicked in the gut. Whoever wrote this either was a well-placed insider or had stolen a lot of operational data.”
The jolt to Mr. Williams from the Shadow Brokers’ riposte was part of a much broader earthquake that has shaken the N.S.A. to its core. Current and former agency officials say the Shadow Brokers disclosures, which began in August 2016, have been catastrophic for the N.S.A., calling into question its ability to protect potent cyberweapons and its very value to national security. The agency regarded as the world’s leader in breaking into adversaries’ computer networks failed to protect its own.
“These leaks have been incredibly damaging to our intelligence and cyber capabilities,” said Leon E. Panetta, the former defense secretary and director of the Central Intelligence Agency. “The fundamental purpose of intelligence is to be able to effectively penetrate our adversaries in order to gather vital intelligence. By its very nature, that only works if secrecy is maintained and our codes are protected.”
With a leak of intelligence methods like the N.S.A. tools, Mr. Panetta said, “Every time it happens, you essentially have to start over.”
Fifteen months into a wide-ranging investigation by the agency’s counterintelligence arm, known as Q Group, and the F.B.I., officials still do not know whether the N.S.A. is the victim of a brilliantly executed hack, with Russia as the most likely perpetrator, an insider’s leak, or both. Three employees have been arrested since 2015 for taking classified files, but there is fear that one or more leakers may still be in place. And there is broad agreement that the damage from the Shadow Brokers already far exceeds the harm to American intelligence done by Edward J. Snowden, the former N.S.A. contractor who fled with four laptops of classified material in 2013.
Mr. Snowden’s cascade of disclosures to journalists and his defiant public stance drew far more media coverage than this new breach. But Mr. Snowden released code words, while the Shadow Brokers have released the actual code; if he shared what might be described as battle plans, they have loosed the weapons themselves. Created at huge expense to American taxpayers, those cyberweapons have now been picked up by hackers from North Korea to Russia and shot back at the United States and its allies.
Millions of people saw their computers shut down by ransomware, with demands for payments in digital currency to have their access restored. Tens of thousands of employees at Mondelez International, the maker of Oreo cookies, had their data completely wiped. FedEx reported that an attack on a European subsidiary had halted deliveries and cost $300 million. Hospitals in Pennsylvania, Britain and Indonesia had to turn away patients. The attacks disrupted production at a car plant in France, an oil company in Brazil and a chocolate factory in Tasmania, among thousands of enterprises affected worldwide.
American officials had to explain to close allies — and to business leaders in the United States — how cyberweapons developed at Fort Meade in Maryland came to be used against them. Experts believe more attacks using the stolen N.S.A. tools are all but certain.
Inside the agency’s Maryland headquarters and its campuses around the country, N.S.A. employees have been subjected to polygraphs and suspended from their jobs in a hunt for turncoats allied with the Shadow Brokers. Much of the agency’s arsenal is still being replaced, curtailing operations. Morale has plunged, and experienced specialists are leaving the agency for better-paying jobs — including with firms defending computer networks from intrusions that use the N.S.A.’s leaked tools.
“It’s a disaster on multiple levels,” Mr. Williams said. “It’s embarrassing that the people responsible for this have not been brought to justice.”
In response to detailed questions, an N.S.A. spokesman, Michael T. Halbig, said the agency “cannot comment on Shadow Brokers.” He denied that the episode had hurt morale. “N.S.A. continues to be viewed as a great place to work; we receive more than 140,000 applications each year for our hiring program,” he said.
Compounding the pain for the N.S.A. is the attackers’ regular online public taunts, written in ersatz broken English. Their posts are a peculiar mash-up of immaturity and sophistication, laced with profane jokes but also savvy cultural and political references. They suggest that their author — if not an American — knows the United States well.
“Is NSA chasing shadowses?” the Shadow Brokers asked in a post on Oct. 16, mocking the agency’s inability to understand the leaks and announcing a price cut for subscriptions to its “monthly dump service” of stolen N.S.A. tools. It was a typically wide-ranging screed, touching on George Orwell’s “1984”; the end of the federal government’s fiscal year on Sept. 30; Russia’s creation of bogus accounts on Facebook and Twitter; and the phenomenon of American intelligence officers going to work for contractors who pay higher salaries.
One passage, possibly hinting at the Shadow Brokers’ identity, underscored the close relationship of Russian intelligence to criminal hackers. “Russian security peoples,” it said, “is becoming Russian hackeres at nights, but only full moons.”
Russia is the prime suspect in a parallel hemorrhage of hacking tools and secret documents from the C.I.A.’s Center for Cyber Intelligence, posted week after week since March to the WikiLeaks website under the names Vault7 and Vault8. That breach, too, is unsolved. Together, the flood of digital secrets from agencies that invest huge resources in preventing such breaches is raising profound questions.
Have hackers and leakers made secrecy obsolete? Has Russian intelligence simply outplayed the United States, penetrating the most closely guarded corners of its government? Can a work force of thousands of young, tech-savvy spies ever be immune to leaks?
Some veteran intelligence officials believe a lopsided focus on offensive weapons and hacking tools has, for years, left American cyberdefense dangerously porous.
“We have had a train wreck coming,” said Mike McConnell, the former N.S.A. director and national intelligence director. “We should have ratcheted up the defense parts significantly.”
America’s Cyber Special Forces
At the heart of the N.S.A. crisis is Tailored Access Operations, the group where Mr. Williams worked, which was absorbed last year into the agency’s new Directorate of Operations.
T.A.O. — the outdated name is still used informally — began years ago as a side project at the agency’s research and engineering building at Fort Meade. It was a cyber Skunk Works, akin to the special units that once built stealth aircraft and drones. As Washington’s need for hacking capabilities grew, T.A.O. expanded into a separate office park in Laurel, Md., with additional teams at facilities in Colorado, Georgia, Hawaii and Texas.
The hacking unit attracts many of the agency’s young stars, who like the thrill of internet break-ins in the name of national security, according to a dozen former government officials who agreed to describe its work on the condition of anonymity. T.A.O. analysts start with a shopping list of desired information and likely sources — say, a Chinese official’s home computer or a Russian oil company’s network. Much of T.A.O.’s work is labeled E.C.I., for “exceptionally controlled information,” material so sensitive it was initially stored only in safes. When the cumulative weight of the safes threatened the integrity of N.S.A.’s engineering building a few years ago, one agency veteran said, the rules were changed to allow locked file cabinets.
The more experienced T.A.O. operators devise ways to break into foreign networks; junior operators take over to extract information. Mr. Williams, 40, a former paramedic who served in military intelligence in the Army before joining the N.S.A., worked in T.A.O. from 2008 to 2013, which he described as an especially long tenure. He called the work “challenging and sometimes exciting.”
T.A.O. operators must constantly renew their arsenal to stay abreast of changing software and hardware, examining every Windows update and new iPhone for vulnerabilities. “The nature of the business is to move with the technology,” a former T.A.O. hacker said.
Long known mainly as an eavesdropping agency, the N.S.A. has embraced hacking as an especially productive way to spy on foreign targets. The intelligence collection is often automated, with malware implants — computer code designed to find material of interest — left sitting on the targeted system for months or even years, sending files back to the N.S.A.
The same implant can be used for many purposes: to steal documents, tap into email, subtly change data or become the launching pad for an attack. T.A.O.’s most public success was an operation against Iran called Olympic Games, in which implants in the network of the Natanz nuclear plant caused centrifuges enriching uranium to self-destruct. The T.A.O. was also critical to attacks on the Islamic State and North Korea.
It was this arsenal that the Shadow Brokers got hold of, and then began to release.
Like cops studying a burglar’s operating style and stash of stolen goods, N.S.A. analysts have tried to figure out what the Shadow Brokers took. None of the leaked files date from later than 2013 — a relief to agency officials assessing the damage. But they include a large share of T.A.O.’s collection, including three so-called ops disks — T.A.O.’s term for tool kits — containing the software to bypass computer firewalls, penetrate Windows and break into the Linux systems most commonly used on Android phones.
Evidence shows that the Shadow Brokers obtained the entire tool kits intact, suggesting that an insider might have simply pocketed a thumb drive and walked out.
But other files obtained by the Shadow Brokers bore no relation to the ops disks and seem to have been grabbed at different times. Some were designed for a compromise by the N.S.A. of Swift, a global financial messaging system, allowing the agency to track bank transfers. There was a manual for an old system code-named UNITEDRAKE, used to attack Windows. There were PowerPoint presentations and other files not used in hacking, making it unlikely that the Shadow Brokers had simply grabbed tools left on the internet by sloppy N.S.A. hackers.
Some officials doubt that the Shadow Brokers got it all by hacking the most secure of American government agencies — hence the search for insiders. But some T.A.O. hackers think that skilled, persistent attackers might have been able to get through the N.S.A.’s defenses — because, as one put it, “I know we’ve done it to other countries.”
The Shadow Brokers have verbally attacked certain experts, including Mr. Williams. When he concluded from their Twitter hints that they knew about some of his hacks while at the N.S.A., he canceled a business trip to Singapore. The United States had named and criminally charged hackers from the intelligence agencies of China, Iran and Russia. He feared he could be similarly charged by a country he had targeted and arrested on an international warrant.
He has since resumed traveling abroad. But he says no one from the N.S.A. has contacted him about being singled out publicly by the Shadow Brokers.
“That feels like a betrayal,” he said. “I was targeted by the Shadow Brokers because of that work. I do not feel the government has my back.”
The Hunt for an Insider
For decades after its creation in 1952, the N.S.A. — No Such Agency, in the old joke — was seen as all but leakproof. But since Mr. Snowden flew away with hundreds of thousands of documents in 2013, that notion has been shattered.
The Snowden trauma led to the investment of millions of dollars in new technology and tougher rules to counter what the government calls the insider threat. But N.S.A. employees say that with thousands of employees pouring in and out of the gates, and the ability to store a library’s worth of data in a device that can fit on a key ring, it is impossible to prevent people from walking out with secrets.
Mr. Martin’s gargantuan collection of stolen files included much of what the Shadow Brokers have, and he has been scrutinized by investigators as a possible source for them. Officials say they do not believe he deliberately supplied the material, though they have examined whether he might have been targeted by thieves or hackers.
But according to former N.S.A. employees who are still in touch with active workers, investigators of the Shadow Brokers thefts are clearly worried that one or more leakers may still be inside the agency. Some T.A.O. employees have been asked to turn over their passports, take time off their jobs and submit to questioning. The small number of specialists who have worked both at T.A.O. and at the C.I.A. have come in for particular attention, out of concern that a single leaker might be responsible for both the Shadow Brokers and the C.I.A.’s Vault7 breaches.
Then there are the Shadow Brokers’ writings, which betray a seeming immersion in American culture. Last April, about the time Mr. Williams was discovering their inside knowledge of T.A.O. operations, the Shadow Brokers posted an appeal to President Trump: “Don’t Forget Your Base.” With the ease of a seasoned pundit, they tossed around details about Stephen K. Bannon, the president’s now departed adviser; the Freedom Caucus in Congress; the “deep state”; the Alien and Sedition Acts; and white privilege.
“TheShadowBrokers is wanting to see you succeed,” the post said, addressing Mr. Trump. “TheShadowBrokers is wanting America to be great again.”
The mole hunt is inevitably creating an atmosphere of suspicion and anxiety, former employees say. While the attraction of the N.S.A. for skilled operators is unique — nowhere else can they hack without getting into legal trouble — the boom in cybersecurity hiring by private companies gives T.A.O. veterans lucrative exit options.
Young T.A.O. hackers are lucky to make $80,000 a year, while those who leave routinely find jobs paying well over $100,000, security specialists say. For many workers, the appeal of the N.S.A.’s mission has been more than enough to make up the difference. But over the past year, former T.A.O. employees say an increasing number of former colleagues have called them looking for private-sector work, including “graybeards” they thought would be N.S.A. lifers.
“Snowden killed morale,” another T.A.O. analyst said. “But at least we knew who he was. Now you have a situation where the agency is questioning people who have been 100 percent mission-oriented, telling them they’re liars.”
Because the N.S.A. hacking unit has grown so rapidly over the past decade, the pool of potential leakers has expanded into the hundreds. Trust has eroded as anyone who had access to the leaked code is regarded as the potential culprit.
Some agency veterans have seen projects they worked on for a decade shut down because implants they relied on were dumped online by the Shadow Brokers. The number of new operations has declined because the malware tools must be rebuilt. And no end is in sight.
“How much longer are the releases going to come?” a former T.A.O. employee asked. “The agency doesn’t know how to stop it — or even what ‘it’ is.”
One N.S.A. official who almost saw his career ended by the Shadow Brokers is at the very top of the organization: Adm. Michael S. Rogers, director of the N.S.A. and commander of its sister military organization, United States Cyber Command. President Barack Obama’s director of national intelligence, James R. Clapper Jr., and defense secretary, Ashton B. Carter, recommended removing Admiral Rogers from his post to create accountability for the breaches.
But Mr. Obama did not act on the advice, in part because Admiral Rogers’s agency was at the center of the investigation into Russia’s interference in the 2016 election. Mr. Trump, who again on Saturday disputed his intelligence agencies’ findings on Russia and the election, extended the admiral’s time in office. Some former intelligence officials say they are flabbergasted that he has been able to hold on to his job.
A Shadow War With Russia?
Lurking in the background of the Shadow Brokers investigation is American officials’ strong belief that it is a Russian operation. The pattern of dribbling out stolen documents over many months, they say, echoes the slow release of Democratic emails purloined by Russian hackers last year.
But there is a more specific back story to the United States-Russia rivalry.
Starting in 2014, American security researchers who had been tracking Russia’s state-sponsored hacking groups for years began to expose them in a series of research reports. American firms, including Symantec, CrowdStrike and FireEye, reported that Moscow was behind certain attacks and identified government-sponsored Russian hacking groups.
In the meantime, Russia’s most prominent cybersecurity firm, Kaspersky Lab, had started work on a report that would turn the tables on the United States. Kaspersky hunted for the spying malware planted by N.S.A. hackers, guided in part by the keywords and code names in the files taken by Mr. Snowden and published by journalists, officials said.
Kaspersky was, in a sense, simply doing to the N.S.A. what the American companies had just done to Russian intelligence: expose their operations. And American officials believe Russian intelligence was piggybacking on Kaspersky’s efforts to find and retrieve the N.S.A.’s secrets wherever they could be found. The T.A.O. hackers knew that when Kaspersky updated its popular antivirus software to find and block the N.S.A. malware, it could thwart spying operations around the world.
So T.A.O. personnel rushed to replace implants in many countries with new malware they did not believe the Russian company could detect.
In February 2015, Kaspersky published its report on the Equation Group — the company’s name for T.A.O. hackers — and updated its antivirus software to uproot the N.S.A. malware wherever it had not been replaced. The agency temporarily lost access to a considerable flow of intelligence. By some accounts, however, N.S.A. officials were relieved that the Kaspersky report did not include certain tools they feared the Russian company had found.
As it would turn out, any celebration was premature.
On Aug. 13 last year, a new Twitter account using the Shadow Brokers’ name announced with fanfare an online auction of stolen N.S.A. hacking tools.
“We hack Equation Group,” the Shadow Brokers wrote. “We find many many Equation Group cyber weapons.”
Inside the N.S.A., the declaration was like a bomb exploding. A zip file posted online contained the first free sample of the agency’s hacking tools. It was immediately evident that the Shadow Brokers were not hoaxsters, and that the agency was in trouble.
The leaks have renewed a debate over whether the N.S.A. should be permitted to stockpile vulnerabilities it discovers in commercial software to use for spying — rather than immediately alert software makers so the holes can be plugged. The agency claims it has shared with the industry more than 90 percent of flaws it has found, reserving only the most valuable for its own hackers. But if it can’t keep those from leaking, as the last year has demonstrated, the resulting damage to businesses and ordinary computer users around the world can be colossal. The Trump administration says it will soon announce revisions to the system, making it more transparent.
Mr. Williams said it may be years before the “full fallout” of the Shadow Brokers breach is understood. Even the arrest of whoever is responsible for the leaks may not end them, he said — because the sophisticated perpetrators may have built a “dead man’s switch” to release all remaining files automatically upon their arrest.
“We’re obviously dealing with people who have operational security knowledge,” he said. “They have the whole law enforcement system and intelligence system after them. And they haven’t been caught.”