CSS, NSA and Cyber ​​Command: Structural changes in the cyber process across the Atlantic

NSA to create new Cybersecurity Directorate

La National Security Agency announced plans to create a cybersecurity directorate during 2019 as part of a broader initiative to merge its offensive (LIO) and defensive (LID) cyber operations.

The NSA has for several years been the subject of reorganizations, the scope of which has broadened under the direction of General Paul Nakasone – current head of the Central Security Service (CSS) – as the agency eventually lost its focus on cybersecurity. The latter has therefore just announced the creation of a Cybersecurity Directorate and appointed Anne Neuberger to head it after nearly 10 years within the NSA.

Anne Neuberger, who currently serves on the NSA Board of Directors, was the first Chief Risk Officer and was part of the team that helped establish US Cyber ​​Command in 2009. Most recently, she oversaw the NSA's election security efforts before and during the 2018 elections that would have seen the NSA and the USCYBERCOM intensify their efforts against Russian interference and improve information sharing with agencies like the FBI and DHS, in charge of the judicial aspect.

The new Cybersecurity Directorate will replace the NSA's current Information Assurance Directorate. This announcement comes in a context where more and more voices are being raised to affirm the need for a separation of the NSA and USCYBERCOM. These two entities are distinct by their missions, but above all by their legal authority.

Created in November 1952, the National Security Agency/Central Security Service (NSA/CSS) is in charge – for the American government – ​​of subjects relating to cryptology, encompassing both electronic intelligence (SIGINT) and cybersecurity, allowing the exploitation of computer networks (CNO) providing a decision-making advantage .

For a long time the country's only center of competence, the NSA has been able to develop a large amount of know-how linked to cyberspace. It was not until 2008 that the United States took stock of the risks linked to cyberspace. Ignorance at best, feeling of invulnerability at worst, Operation Buckshot Yankee will reveal what many will call the greatest national security threat the country has ever known.

While a new malware appeared on the radars of cybersecurity researchers and specialized companies, a particularly virulent version was discovered on certain machines of the NATO military command in June 2008. Nicknamed “Agent.btz” by the company F- Secure, it will lead to a profound questioning of the United States' abilities to ensure the security of its computer networks.

Operation Buckshot Yankee

Nearly four months later, in October 2008, NSA analysts discovered the same malware in the systems of the very critical Secret Internet Protocol Router Network, the network through which the most sensitive information of the Departments of State and Defense, as well as within the Joint Worldwide Intelligence Communication System, the network that allows American authorities to transmit sensitive information to their allies.

nsa data center Defense analyzes | Communication and Defense Networks | Spying
The “ivory towers”, although disconnected from the global network, have shown their vulnerability to advanced attacks

What is surprising at first glance is that these networks are separated from the Internet and have – in principle – no interface with the World Wide Web, forming an “Air Gap”: a physical separation, supposedly hermetic. But the “Agent.btz” malware was already within these networks and was communicating extremely sensitive information to the outside world. This technique, supposed to completely protect a network from the outside, is not flawless and, as is often the case, is found “between the computer and the chair”.

Like Stuxnet, this malware was introduced, knowingly or not, onto the protected network via a previously infected USB key. Once it has penetrated the target system, the malware spreads by capillary action, infecting all removable devices that will be connected to the machine.

But to operate Agent.btz had to communicate with its external sponsor. These signals, tangible evidence of malicious activity, were spotted by a team analyst Advanced Network Operations (ANO) of the NSA in charge of surveillance of telecommunications (SIGNIT) of enemies of the United States abroad (in theory only because, in fact, the revelations of Edward Snowden have largely supported cases of surveillance of American citizens on national territory).

After several days of investigations, ANO operators came to the conclusion that the security breach was serious enough to refer it to the highest level of the American security apparatus. On October 24, 2008, Richard C. Schaeffer Jr., then the NSA's chief computer network security officer, and General Keith Alexander, the agency's director, participated in a security briefing during which they inform the President of the time, George W. Bush – then about to leave office – the Chief of Staff, the Deputy Secretary of State as well as the leaders of Congress.

During the following weeks, all the means of the National Security Agency were implemented to contain, if not eliminate, Agent.btz without causing damage to the infrastructure of the country's secure networks: c is the start of the operation Buckshot Yankee strictly speaking.

In addition to “cleaning” the systems, intelligence service operators went so far as to physically disconnect infected machines from the network to replace them entirely or directly change the hard drives.

In addition to the ANO, the NSA called on another of its components, which would subsequently become famous, the Tailored Access Operations (TAO). This secret unit, highly specialized in offensive actions, has developed expertise in the exploitation of data from computer espionage since the early 1990s. This expertise will largely contribute to the discovery of malware variants and will contribute to the development of the new doctrine of “active” network protection: cyberdefense.

According to some US officials, the nature of the response to Agent.btz has been the subject of a long debate within the US executive and military apparatus. The TAO would have proposed actions to neutralize civilian networks identified as relays of the sponsor and its Command & Control system (C2 or C&C). The decision will be taken to qualify the malware (like the entire operation) as a “classic” act of espionage and not as a proper attack, which therefore did not justify an armed response and even less kinetic from the United States.

Ultimately, the use of USB keys and all removable disks will be temporarily banned from critical systems, but “patient zero” – the source of the security breach – will never be formally established, even if strong suspicions have weighed on Russia.

By analyzing the code of all variants of Agent.btz, ANO and TAO will still be able to trace it back to systems connected to secure networks from Afghanistan and Iraq. The malware will remain active until the beginning of 2009 before finally being declared inactive and having been eradicated from all compromised networks.

A decisive realization

Buckshot Yankee will in any case have raised real awareness of the vulnerability of critical military networks. But from a broader point of view, it is the approach to protecting the latter which has been put to the test and which has proven its ineffectiveness in the face of a recurring, precise and technically sophisticated threat. Passive protection, the “wall”, in other words cybersecurity, has proven its inability to face all threats. The ubiquity and virtuality of this new space of conflict means that the effect and the surprise will always be on the side of the aggressor.

The operation carried out by the NSA will therefore have had the effect of radically changing its security approach in cyberspace. Protection must now no longer be only passive (cybersecurity) but also active (cyberdefense) or even proactive.

Agent.btz, whose success remains to be demonstrated for its instigator, will have been an excellent “catalysis” for the evolution of the mentalities of the US security apparatus The need for active protection of critical networks, as well as strategic infrastructures overseas Atlantic, will now be the subject of particular attention.

Defense Cyber ​​Analysis Room | Communication and Defense Networks | Spying
US CYBERCOM is responsible for protecting the integrity and sustainability of the networks and information of all American armed forces.

With a budget of 155 million dollars and 750 personnel, a new organization was created on October 31, 2010: US Cyber ​​Command or USCYBERCOM. This is "responsible for planning, coordinating, integrating, synchronizing and conducting activities to direct the operations and defense of the Department of Defense's information networks, prepare for conduct full-spectrum cyberspace military operations to enable actions in all domains, ensure freedom of action for the United States and its allies in cyberspace and deny it to their adversaries.”

The creation of Cyber ​​Command, however, did not provide all the answers.

Several fundamental questions will ultimately lead to the structural reshuffling we are witnessing today. The governance of American operations in cyberspace has been the subject of debate between civil and military authorities for several years. Who is the authority in charge of offensive operations? Is conducting an operation to neutralize an attacker's network part of cyber defense or offensive cyber warfare?

In fact, the NSA and USCYBERCOM were grouped within the CSS (Central Security Service) and headed by a soldier. Initially, this “dual hat” made sense because of a fundamental similarity between the technical aspects of military operations in cyberspace (Cyber ​​Command domain) and intelligence-related computer network operations (NSA domain). General Michael Hayden, first director of the CSS, pointed out that offensive operations in cyberspace and signals intelligence are technically indistinguishable from each other.

It is from this observation that the idea was born to unify the command of the two organizations responsible for each of these areas. The imperative need to establish a solid capacity for military operations in cyberspace ultimately motivated the decision to link the two entities and to develop technologies and techniques in close collaboration.

“The NSA has the capacity to conduct such actions, USCYBERCOM has the authority” General Michael Hayden.

Operation Gladiator Phoenix

From the summer of 2009, the Pentagon began to develop a set of rules of engagement, and more broadly a doctrine for the use of cyber tools.

From this reflection was born an “executive order” under which only USSTRATCOM and USCYBERCOM could direct the operations and defense of military networks throughout the world. Initially, this applied to essential private computer systems in the United States.

The directive sets out a certain number of additional conditions that must be met to trigger a militarized response:

  • It must be a hostile action directed toward the United States, its critical infrastructure, and/or its citizens;
  • It must involve the probable imminence of death, serious injury, or damage that would threaten the national or economic security of the United States;
  • The intervention must be coordinated with the government agencies and combat units concerned;
  • The action must be limited to the necessary spectrum aimed at interrupting the attack, while minimizing collateral impacts on civilian targets.

But the continued effort to reach a consensus on the rules of engagement and on the authority in charge of conducting these cyber defense and Offensive Computer Warfare (LIO) operations failed. Pressured by numerous intelligence agencies – led by the CIA – and the Departments of Homeland Security and Justice, the attempt at compromise was sacrificed on the altar of inter-agency quarrels.

The debate has gotten bogged down on the role of USCYBERCOM and how far it should be able to go in pursuing its mission. The question is all the more critical when it comes to servers located on national territory.

In February 2011, theexecutive order is signed. This, largely revised since its first version, limits the army to the defense of its own networks and can only deviate from this rule with the express agreement of the president.

Ineffectiveness of the “double hat” system

As a direct consequence of the relationship between the NSA and Cyber ​​Command, whose commands are entrusted to a single individual (the director of the CSS), the initial motivation of this organization – supposed to be temporary – was to allow the nascent Cyber ​​Command to benefit from expertise, capabilities and experience of the NSA to achieve its full operational capacity.

In practice, the relationship allows a single person to weigh the often competing interests of two organizations whose responsibilities in the cyberspace domain frequently overlap and even cannibalize each other. This shared command has been continually reviewed by presidential administrations since its inception, and experts have made conflicting arguments in favor of dissolving and continuing the arrangement.

Although most arguments for ending this system focus on the success of USCYBERCOM's establishment, or the risk to NSA operations and capabilities, relatively little attention has been given to how organizational overlap with the NSA affects the continued conduct of military operations in cyberspace.

According to an official of Cyber ​​Command, "the interdependence between the two organizations has allowed it to become accustomed to virtually uninterrupted operational and logistical support from NSA offices. This deep-rooted organizational reliance on NSA techniques and processes has fundamentally shaped how the command approaches cyberspace operations. Specifically, by drawing on NSA procedures and culture, USCYBERCOM has become increasingly risk-averse […] review and approval processes must shift paradigm.”

If you Central Security Service bringing together today the NSA and USCYBERCOM has been able to develop capabilities and technical expertise unique in the world, this is largely thanks to the close collaboration between very high-level technicians. The NSA has approximately 30 military and civilian personnel and has more than 000 doctoral students in the fields of mathematics, physical sciences and engineering. Grouped together at the Fort Meade site in Maryland, the NSA and USCYBERCOM evolved symbiotically for a decade and it is this organization that has since made the success of the United States in the conduct of its military operations and intelligence (Olympic Games, Flame, DuQu and Gauss in particular).

This now weighs on the continuity of this development, even on the leading position of the United States in cyberspace. The work begun with Operation Gladiator Phoenix will have to resume in order to establish clear rules of governance between the NSA and USCYBERCOM, with arbitration ultimately remaining the responsibility of the executive.

From this debate should arise across the Atlantic a new doctrine for the conduct of operations in cyberspace. If France has chosen to separate cyber defense (ComCyber), cybersecurity (ANSSI) and intelligence (DRM, DGSI and DGSE) activities; the offensive computer fight (LIO) remains the responsibility of the Prime Minister, relying on the military capabilities and the technical direction of the DGSE (DT-DGSE). The lack of information does not allow conclusions to be drawn regarding the effectiveness of this collaboration. It remains that the overlap between the different dimensions of operations in cyberspace represents a real challenge in terms of cooperation between the different stakeholders. By adopting a model close to that of the United States, France has so far been able to spare itself the misery, in particular by relying on people. Remember that the first director of the National Agency for Information Systems Security (ANSSI) has been, since March 1, 2014, technical director of the DGSE.

All that remains is to hope that “Titi” has learned to be discreet.

Jean Lebougre
Cyberwarfare Specialist

For further


Last articles