What @Snowden Told Me About the NSA’s Cyberweapons

To Stephen Gerwin, chief of the Howard County Bureau of Utilities, it was “a peculiar project.” His workers were told they needed to get background checks and sign nondisclosure forms before they could begin work on a wastewater pump station in a forested area near the Little Patuxent River. “You sign a document that says if you say anything,” he told the Washington Post in 2014, “you go to jail for a million years.”

According to restricted documents and blueprints that I reviewed, what makes the pump station so sensitive is that it is intended to supply upwards of 2 million gallons of water each day to a massive, highly secretive construction project code-named Site M.

Located adjacent to the National Security Agency (NSA) at Fort Meade, Maryland, and scheduled to be completed in 2016, Site M is the future home of U.S. Cyber Command, an NSA-affiliated organization created six years ago to direct the United States’ digital wars. It will host a mammoth cyberbrain — a 600,000-square-foot, $896.5 million supercomputer facility called the High Performance Computing Center-2.

Because technology of that size requires a vast amount of water for cooling, the NSA is paying $40 million for the new pump house.

As buildings, computer labs, and research spaces go up at Site M, the United States is entering a new era of warfare. In both the media and the public conscience, concern over a cyberattack has overtaken the Cold War fear of a nuclear confrontation. Or perhaps, in some ways, the fears are merging: Cyberweapons crossed the “kinetic” threshold with the U.S.-Israeli Stuxnet digital strike on Iran’s nuclear centrifuges in 2010, progressing from erasing hard drives and stealing data to disrupting or destroying physical objects. (The same technique employed in Stuxnet — implanting a virus to send a system out of control — could be used to derail a train or bring down a dam.) And U.S. President Barack Obama has refused to take off the table the use of nukes in response to a severe cyberattack.

As the Internet turns into a battlefield with dangerous real-world implications, there’s an urgent need for the United States to begin thinking of ways to de-escalate this new kind of warfare. But that requires extensive dialogue and debate, both of which are impossible without cyber-transparency. People should know what digital arms America owns, how they are used, and the rules that govern them. The same openness that has long allowed the public to gain an understanding of the risks and benefits of nuclear weapons should apply to digital ones as well.

Instead of transparency, however, the Obama administration is offering the public a distorted view of cyberwarfare. It’s not just that officials aren’t talking about the top-secret likes of Site M. They’re also hammering an incomplete narrative: that foreign governments — or other actors — are constantly attacking America. What people don’t know is how aggressively and for how long the United States has been the one doing the striking.

When Iran launched a cyberassault on banks in the United States in 2012, the public was left to believe that the event was unprovoked. In reality, it was retaliation for the far more destructive Stuxnet incident, an illegal act of war according to the Defense Department’s own definition. Similarly, the White House has accused Russia, China, and North Korea of unprovoked assaults on U.S. systems — but how extensive confrontations are in the opposite direction is not public information.

This dearth of transparency greatly distorts the public’s perception of Cyber Command. Many people wrongly believe its primary purpose is to defend against attacks. This is a topic I brought up with Edward Snowden when I interviewed him in Russia for a PBS Nova documentary on cyberwarfare that’s due to air this October. As a former “infrastructure analyst” for the NSA, a job which involved developing ways to penetrate the Internet and computer systems, Snowden knows the subject well. “Cyber Command itself has always been branded in a sort of misleading way from its very inception,” he told me. “It’s an attack agency.… If you ask anybody at Cyber Command or look at any of the job listings for openings for their

positions, you’ll see that the one thing they don’t prioritize is computer-network defense. It’s all about computer-network attack and computer-network exploitation at Cyber Command.”

The trove of documents leaked by Snowden in 2013 also shows that with cyberwarfare, everyone could be a potential target. As part of an enormous, top-secret program known as TreasureMap, the NSA is developing a system it claims will track every person on the planet who is connected to the Internet. An official PowerPoint presentation on TreasureMap describes the program as a “Capability for building a near real-time, interactive map of the global internet.… Any device, anywhere, all the time.” Among the “wide range of missions” are “Computer Attack/Exploit Planning” and “Network Reconnaissance,” meaning TreasureMap would enable tracking to turn into striking. Another operation, code-named Turbine, involves secretly placing “millions of implants” — that is, malware — in computer systems worldwide. They could be used for both spying and cyberassaults.

In our conversation, Snowden also highlighted a secret program, code-named MonsterMind, that was still in development when he left the NSA. It is intended to detect suspicious malware entering the United States by spotting known algorithms as they zip through communications links. But there were indications it could also include an automated strike-back capability, allowing it to instantly initiate a counterstrike at a piece of malware’s source. An error in such an autonomous system, Snowden pointed out, could lead to an accidental war. “What happens when the algorithms get it wrong?” he asked. “What if it was a Chinese hacker launching an attack from an Iranian computer targeting the United States?… We’re opening the doors to people launching missiles and dropping bombs by taking the human out of the decision chain.”

For years, these types of concerns have gone unaddressed. In fact, they’ve largely gone unnoticed — because the public and even much of Congress have been deliberately kept in the dark about the dimensions of U.S. involvement in cyberwarfare. There need not be, say, a revealing of algorithm designs, but not allowing Americans to have vital information about their national defense and to discuss it honestly is in violation of the democratic project.

The reality of cyberconflict today is one of offense. “Somebody has used an entirely new class of weapon to effect destruction,” retired Gen. Michael Hayden, former director of the NSA and CIA, told me in 2014. “Somebody’s army has crossed the Rubicon, and we’ve got a legion on the other side of the river now, and it’s not going back.”

What Hayden failed to mention is that Caesar broke the law by traversing the infamous river. To keep America from reaching the point of no return in cyberwarfare, the public must be let on board.

A version of this article originally appeared in the September/October 2015 issue of FP under the title “Battle in the Cloud.”

Illustration by Matthew Hollister