As rumors build that the Trump administration plans to boot Rex Tillerson from his post atop the State Department in order to replace him with Mike Pompeo, it’s worth examining who would lead the CIA in Pompeo’s absence. Trump is reportedly considering Arkansas Republican Tom Cotton to replace Pompeo as the head of the CIA — a pick that isn’t uncontroversial given Cotton’s deep Trump loyalty and relative intelligence inexperience.
The insanity of treating these massively consequential roles as interchangeable aside, here’s a bit of background on Cotton in case the rumors come to pass.
Who is Tom Cotton?
An Army veteran, Cotton served two combat tours in the Iraq war where he received a Bronze Star, among other decorations. He served one term in the House before joining the Senate in 2014 where he is serving his first term.
What does Cotton do in the Senate?
Cotton serves on the Senate Committee on Banking, Housing and Urban Affairs, the Senate Select Committee on Intelligence, the Joint Economic Committee and the Senate Committee on Armed Services. He serves as the chair of the Air Land Power Subcommittee and the Economic Policy Subcommittee.
Cotton on surveillance and Section 702
Cotton strongly believes in intensive surveillance measures as a prophylaxis against terrorism — a hardline stance that’s vehemently opposed by privacy advocates. “We’ve deprived very patriotic intelligence officials of critical tools that would keep this country safe,” he told Politico after losing a battle in favor of enhanced NSA surveillance measures.
Unsurprisingly, Cotton is a staunch supporter of Section 702, a controversial portion of the Foreign Intelligence Surveillance Act (FISA) that provisions warrantless surveillance of American citizens. As he wrote in September, Cotton supports a full reauthorization of Section 702:
“I’m pleased that Attorney General Sessions and Director Coats have joined me in calling for a clean and permanent reauthorization of FISA Section 702. It’s crucial to collecting the intelligence we need to keep our country safe, and it has all the necessary safeguards to protect Americans’ privacy rights. My bill would extend the program indefinitely, as requested by the Trump administration, and now is as good a time as any for the Senate to pass it. The threats to our nation won’t end anytime soon, and neither should this vital tool.”
Cotton on election security
Cotton has expressed concerns about state-level election security, one of the least partisan viewpoints regularly expressed by the Arkansas Senator.
“These state governors, legislators, secretaries of state need to understand that if their voting systems are connected to the Internet, and they don’t have an auditable paper trail, that what didn’t happen in 2016 could happen in 2018, which is, say the actual impact on tabulated votes,” Cotton told Politico in a wide-ranging interview last month.
“No evidence that happened in 2016, but could happen. And we certainly don’t want that to happen. So I would advise every state, like I’ve advised my own state, to take very seriously this threat.”
In 2016, Cotton told CNN that he didn’t believe that the extreme interrogation practice of waterboarding qualified as torture: “Waterboarding isn’t torture. We do waterboarding on our own soldiers in the military,” Cotton told CNN’s Wolf Blitzer. “If experienced intelligence officials come to the President of the United States and say we think this terrorist has critical information and we need to obtain it and this is the only way we can obtain it — it’s a tough call. But the presidency is a tough job. And if you’re not ready to make those tough calls, you shouldn’t seek the office. Donald Trump’s a pretty tough guy, and he’s ready to make those tough calls.”
In 2015, Cotton joined 20 other Republicans in voting against a Senate amendment that would ban torture, particularly the kind of practices that proved controversial during the Bush administration.
Cotton fiercely opposes Obama-era policy toward Iran, including its nuclear deal with Tehran, going so far as to draft a controversial letter in 2015 directly to the leadership in Iran that at least one Army general called “mutinous.”
On Russia and the 2016 election
A close Trump ally in Congress, Cotton has gestured toward his disbelief of the CIA’s own analysis of Russia’s interference in the 2016 U.S. election. In a Senate Intel hearing with Jeff Sessions earlier this year, Cotton lobbed Sessions softball questions, at one point eliciting a laugh from the Attorney General with the question “Have you ever, ever in any of these fantastical situations heard of a plot line so ridiculous that a sitting United States senator and an ambassador of a foreign government colluded at an open setting with hundreds of other people to pull off the greatest caper in the history of espionage?”
In later intel hearings, he generally strayed from the task at hand along with the committee’s other deeply partisan Republicans, introducing new threads like a criticism of the FBI allowing Russian diplomats to “wander around the country” in some back and forth with FBI Counterintelligence Assistant Director Bill Priestap.
In June 2017, Cotton used his time in a Senate Intel Committee hearing to mock Hillary Clinton for “blaming her loss” on external factors, going so far as to suggest that she has become an “unwitting agent of Russia’s goals in the United States.” In the same hearing, Cotton used some of his other time to question if states and localities that run elections should avoid Kaspersky Labs security products but received no substantive response.
In an interview with Politico, Cotton seemed to accept the intelligence community’s assessment of Russia’s desire to sow chaos while dismissing the idea that Russia electing Trump was its best outcome:
“But also that they wanted to help elect Donald Trump. I think there’s at least some—an open question, there, not based on classified information, but based on the campaigns that the candidates ran. Donald Trump wanted to increase defense spending. Hillary Clinton didn’t want to, as much. Donald Trump wanted to accelerate nuclear modernization, not so with Hillary Clinton. Donald Trump wanted to expand ballistic-missile defense, not so with Hillary Clinton. Donald Trump wanted to pump more American oil and gas, Hillary Clinton did not.”
While he nearly always lines up with Trump’s more out-there notions, he doesn’t always line up. In June, he voted in favor of Russian sanctions, a departure in his record of voting with Trump 92.3% percent of the time, according to FiveThirtyEight’s tracker of Cotton’s voting record.
With a leak of intelligence methods like the N.S.A. tools, Mr. Panetta said, “Every time it happens, you essentially have to start over.”
Fifteen months into a wide-ranging investigation by the agency’s counterintelligence arm, known as Q Group, and the F.B.I., officials still do not know whether the N.S.A. is the victim of a brilliantly executed hack, with Russia as the most likely perpetrator, an insider’s leak, or both. Three employees have been arrested since 2015 for taking classified files, but there is fear that one or more leakers may still be in place. And there is broad agreement that the damage from the Shadow Brokers already far exceeds the harm to American intelligence done by Edward J. Snowden, the former N.S.A. contractor who fled with four laptops of classified material in 2013.
Mr. Snowden’s cascade of disclosures to journalists and his defiant public stance drew far more media coverage than this new breach. But Mr. Snowden released code words, while the Shadow Brokers have released the actual code; if he shared what might be described as battle plans, they have loosed the weapons themselves. Created at huge expense to American taxpayers, those cyberweapons have now been picked up by hackers from North Korea to Russia and shot back at the United States and its allies.
Millions of people saw their computers shut down by ransomware, with demands for payments in digital currency to have their access restored. Tens of thousands of employees at Mondelez International, the maker of Oreo cookies, had their data completely wiped. FedEx reported that an attack on a European subsidiary had halted deliveries and cost $300 million. Hospitals in Pennsylvania, Britain and Indonesia had to turn away patients. The attacks disrupted production at a car plant in France, an oil company in Brazil and a chocolate factory in Tasmania, among thousands of enterprises affected worldwide.
American officials had to explain to close allies — and to business leaders in the United States — how cyberweapons developed at Fort Meade in Maryland came to be used against them. Experts believe more attacks using the stolen N.S.A. tools are all but certain.
Inside the agency’s Maryland headquarters and its campuses around the country, N.S.A. employees have been subjected to polygraphs and suspended from their jobs in a hunt for turncoats allied with the Shadow Brokers. Much of the agency’s arsenal is still being replaced, curtailing operations. Morale has plunged, and experienced specialists are leaving the agency for better-paying jobs — including with firms defending computer networks from intrusions that use the N.S.A.’s leaked tools.
“It’s a disaster on multiple levels,” Mr. Williams said. “It’s embarrassing that the people responsible for this have not been brought to justice.”
In response to detailed questions, an N.S.A. spokesman, Michael T. Halbig, said the agency “cannot comment on Shadow Brokers.” He denied that the episode had hurt morale. “N.S.A. continues to be viewed as a great place to work; we receive more than 140,000 applications each year for our hiring program,” he said.
Compounding the pain for the N.S.A. is the attackers’ regular online public taunts, written in ersatz broken English. Their posts are a peculiar mash-up of immaturity and sophistication, laced with profane jokes but also savvy cultural and political references. They suggest that their author — if not an American — knows the United States well.
“Is NSA chasing shadowses?” the Shadow Brokers asked in a post on Oct. 16, mocking the agency’s inability to understand the leaks and announcing a price cut for subscriptions to its “monthly dump service” of stolen N.S.A. tools. It was a typically wide-ranging screed, touching on George Orwell’s “1984”; the end of the federal government’s fiscal year on Sept. 30; Russia’s creation of bogus accounts on Facebook and Twitter; and the phenomenon of American intelligence officers going to work for contractors who pay higher salaries.
One passage, possibly hinting at the Shadow Brokers’ identity, underscored the close relationship of Russian intelligence to criminal hackers. “Russian security peoples,” it said, “is becoming Russian hackeres at nights, but only full moons.”
Russia is the prime suspect in a parallel hemorrhage of hacking tools and secret documents from the C.I.A.’s Center for Cyber Intelligence, posted week after week since March to the WikiLeaks website under the names Vault7 and Vault8. That breach, too, is unsolved. Together, the flood of digital secrets from agencies that invest huge resources in preventing such breaches is raising profound questions.
Have hackers and leakers made secrecy obsolete? Has Russian intelligence simply outplayed the United States, penetrating the most closely guarded corners of its government? Can a work force of thousands of young, tech-savvy spies ever be immune to leaks?
Some veteran intelligence officials believe a lopsided focus on offensive weapons and hacking tools has, for years, left American cyberdefense dangerously porous.
“We have had a train wreck coming,” said Mike McConnell, the former N.S.A. director and national intelligence director. “We should have ratcheted up the defense parts significantly.”
At the heart of the N.S.A. crisis is Tailored Access Operations, the group where Mr. Williams worked, which was absorbed last year into the agency’s new Directorate of Operations.
T.A.O. — the outdated name is still used informally — began years ago as a side project at the agency’s research and engineering building at Fort Meade. It was a cyber Skunk Works, akin to the special units that once built stealth aircraft and drones. As Washington’s need for hacking capabilities grew, T.A.O. expanded into a separate office park in Laurel, Md., with additional teams at facilities in Colorado, Georgia, Hawaii and Texas.
The hacking unit attracts many of the agency’s young stars, who like the thrill of internet break-ins in the name of national security, according to a dozen former government officials who agreed to describe its work on the condition of anonymity. T.A.O. analysts start with a shopping list of desired information and likely sources — say, a Chinese official’s home computer or a Russian oil company’s network. Much of T.A.O.’s work is labeled E.C.I., for “exceptionally controlled information,” material so sensitive it was initially stored only in safes. When the cumulative weight of the safes threatened the integrity of N.S.A.’s engineering building a few years ago, one agency veteran said, the rules were changed to allow locked file cabinets.
The more experienced T.A.O. operators devise ways to break into foreign networks; junior operators take over to extract information. Mr. Williams, 40, a former paramedic who served in military intelligence in the Army before joining the N.S.A., worked in T.A.O. from 2008 to 2013, which he described as an especially long tenure. He called the work “challenging and sometimes exciting.”
T.A.O. operators must constantly renew their arsenal to stay abreast of changing software and hardware, examining every Windows update and new iPhone for vulnerabilities. “The nature of the business is to move with the technology,” a former T.A.O. hacker said.
Long known mainly as an eavesdropping agency, the N.S.A. has embraced hacking as an especially productive way to spy on foreign targets. The intelligence collection is often automated, with malware implants — computer code designed to find material of interest — left sitting on the targeted system for months or even years, sending files back to the N.S.A.
The same implant can be used for many purposes: to steal documents, tap into email, subtly change data or become the launching pad for an attack. T.A.O.’s most public success was an operation against Iran called Olympic Games, in which implants in the network of the Natanz nuclear plant caused centrifuges enriching uranium to self-destruct. The T.A.O. was also critical to attacks on the Islamic State and North Korea.
It was this arsenal that the Shadow Brokers got hold of, and then began to release.
Like cops studying a burglar’s operating style and stash of stolen goods, N.S.A. analysts have tried to figure out what the Shadow Brokers took. None of the leaked files date from later than 2013 — a relief to agency officials assessing the damage. But they include a large share of T.A.O.’s collection, including three so-called ops disks — T.A.O.’s term for tool kits — containing the software to bypass computer firewalls, penetrate Windows and break into the Linux systems most commonly used on Android phones.
Evidence shows that the Shadow Brokers obtained the entire tool kits intact, suggesting that an insider might have simply pocketed a thumb drive and walked out.
But other files obtained by the Shadow Brokers bore no relation to the ops disks and seem to have been grabbed at different times. Some were designed for a compromise by the N.S.A. of Swift, a global financial messaging system, allowing the agency to track bank transfers. There was a manual for an old system code-named UNITEDRAKE, used to attack Windows. There were PowerPoint presentations and other files not used in hacking, making it unlikely that the Shadow Brokers had simply grabbed tools left on the internet by sloppy N.S.A. hackers.
Some officials doubt that the Shadow Brokers got it all by hacking the most secure of American government agencies — hence the search for insiders. But some T.A.O. hackers think that skilled, persistent attackers might have been able to get through the N.S.A.’s defenses — because, as one put it, “I know we’ve done it to other countries.”
The Shadow Brokers have verbally attacked certain experts, including Mr. Williams. When he concluded from their Twitter hints that they knew about some of his hacks while at the N.S.A., he canceled a business trip to Singapore. The United States had named and criminally charged hackers from the intelligence agencies of China, Iran and Russia. He feared he could be similarly charged by a country he had targeted and arrested on an international warrant.
He has since resumed traveling abroad. But he says no one from the N.S.A. has contacted him about being singled out publicly by the Shadow Brokers.
“That feels like a betrayal,” he said. “I was targeted by the Shadow Brokers because of that work. I do not feel the government has my back.”
The Hunt for an Insider
For decades after its creation in 1952, the N.S.A. — No Such Agency, in the old joke — was seen as all but leakproof. But since Mr. Snowden flew away with hundreds of thousands of documents in 2013, that notion has been shattered.
The Snowden trauma led to the investment of millions of dollars in new technology and tougher rules to counter what the government calls the insider threat. But N.S.A. employees say that with thousands of employees pouring in and out of the gates, and the ability to store a library’s worth of data in a device that can fit on a key ring, it is impossible to prevent people from walking out with secrets.
Mr. Martin’s gargantuan collection of stolen files included much of what the Shadow Brokers have, and he has been scrutinized by investigators as a possible source for them. Officials say they do not believe he deliberately supplied the material, though they have examined whether he might have been targeted by thieves or hackers.
But according to former N.S.A. employees who are still in touch with active workers, investigators of the Shadow Brokers thefts are clearly worried that one or more leakers may still be inside the agency. Some T.A.O. employees have been asked to turn over their passports, take time off their jobs and submit to questioning. The small number of specialists who have worked both at T.A.O. and at the C.I.A. have come in for particular attention, out of concern that a single leaker might be responsible for both the Shadow Brokers and the C.I.A.’s Vault7 breaches.
Then there are the Shadow Brokers’ writings, which betray a seeming immersion in American culture. Last April, about the time Mr. Williams was discovering their inside knowledge of T.A.O. operations, the Shadow Brokers posted an appeal to President Trump: “Don’t Forget Your Base.” With the ease of a seasoned pundit, they tossed around details about Stephen K. Bannon, the president’s now departed adviser; the Freedom Caucus in Congress; the “deep state”; the Alien and Sedition Acts; and white privilege.
“TheShadowBrokers is wanting to see you succeed,” the post said, addressing Mr. Trump. “TheShadowBrokers is wanting America to be great again.”
The mole hunt is inevitably creating an atmosphere of suspicion and anxiety, former employees say. While the attraction of the N.S.A. for skilled operators is unique — nowhere else can they hack without getting into legal trouble — the boom in cybersecurity hiring by private companies gives T.A.O. veterans lucrative exit options.
Young T.A.O. hackers are lucky to make $80,000 a year, while those who leave routinely find jobs paying well over $100,000, security specialists say. For many workers, the appeal of the N.S.A’s mission has been more than enough to make up the difference. But over the past year, former T.A.O. employees say an increasing number of former colleagues have called them looking for private-sector work, including “graybeards” they thought would be N.S.A. lifers.
“Snowden killed morale,” another T.A.O. analyst said. “But at least we knew who he was. Now you have a situation where the agency is questioning people who have been 100 percent mission-oriented, telling them they’re liars.”
Because the N.S.A. hacking unit has grown so rapidly over the past decade, the pool of potential leakers has expanded into the hundreds. Trust has eroded as anyone who had access to the leaked code is regarded as the potential culprit.
Some agency veterans have seen projects they worked on for a decade shut down because implants they relied on were dumped online by the Shadow Brokers. The number of new operations has declined because the malware tools must be rebuilt. And no end is in sight.
“How much longer are the releases going to come?” a former T.A.O. employee asked. “The agency doesn’t know how to stop it — or even what ‘it’ is.”
One N.S.A. official who almost saw his career ended by the Shadow Brokers is at the very top of the organization: Adm. Michael S. Rogers, director of the N.S.A. and commander of its sister military organization, United States Cyber Command. President Barack Obama’s director of national intelligence, James R. Clapper Jr., and defense secretary, Ashton B. Carter, recommended removing Admiral Rogers from his post to create accountability for the breaches.
But Mr. Obama did not act on the advice, in part because Admiral Rogers’s agency was at the center of the investigation into Russia’s interference in the 2016 election. Mr. Trump, who again on Saturday disputed his intelligence agencies’ findings on Russia and the election, extended the admiral’s time in office. Some former intelligence officials say they are flabbergasted that he has been able to hold on to his job.
A Shadow War With Russia?
Lurking in the background of the Shadow Brokers investigation is American officials’ strong belief that it is a Russian operation. The pattern of dribbling out stolen documents over many months, they say, echoes the slow release of Democratic emails purloined by Russian hackers last year.
But there is a more specific back story to the United States-Russia rivalry.
Starting in 2014, American security researchers who had been tracking Russia’s state-sponsored hacking groups for years began to expose them in a series of research reports. American firms, including Symantec, CrowdStrike and FireEye, reported that Moscow was behind certain attacks and identified government-sponsored Russian hacking groups.
In the meantime, Russia’s most prominent cybersecurity firm, Kaspersky Lab, had started work on a report that would turn the tables on the United States. Kaspersky hunted for the spying malware planted by N.S.A. hackers, guided in part by the keywords and code names in the files taken by Mr. Snowden and published by journalists, officials said.
Kaspersky was, in a sense, simply doing to the N.S.A. what the American companies had just done to Russian intelligence: expose their operations. And American officials believe Russian intelligence was piggybacking on Kaspersky’s efforts to find and retrieve the N.S.A.’s secrets wherever they could be found. The T.A.O. hackers knew that when Kaspersky updated its popular antivirus software to find and block the N.S.A. malware, it could thwart spying operations around the world.
So T.A.O. personnel rushed to replace implants in many countries with new malware they did not believe the Russian company could detect.
In February 2015, Kaspersky published its report on the Equation Group — the company’s name for T.A.O. hackers — and updated its antivirus software to uproot the N.S.A. malware wherever it had not been replaced. The agency temporarily lost access to a considerable flow of intelligence. By some accounts, however, N.S.A. officials were relieved that the Kaspersky report did not include certain tools they feared the Russian company had found.
As it would turn out, any celebration was premature.
On Aug. 13 last year, a new Twitter account using the Shadow Brokers’ name announced with fanfare an online auction of stolen N.S.A. hacking tools.
“We hack Equation Group,” the Shadow Brokers wrote. “We find many many Equation Group cyber weapons.”
Inside the N.S.A., the declaration was like a bomb exploding. A zip file posted online contained the first free sample of the agency’s hacking tools. It was immediately evident that the Shadow Brokers were not hoaxsters, and that the agency was in trouble.
The leaks have renewed a debate over whether the N.S.A. should be permitted to stockpile vulnerabilities it discovers in commercial software to use for spying — rather than immediately alert software makers so the holes can be plugged. The agency claims it has shared with the industry more than 90 percent of flaws it has found, reserving only the most valuable for its own hackers. But if it can’t keep those from leaking, as the last year has demonstrated, the resulting damage to businesses and ordinary computer users around the world can be colossal. The Trump administration says it will soon announce revisions to the system, making it more transparent.
Mr. Williams said it may be years before the “full fallout” of the Shadow Brokers breach is understood. Even the arrest of whoever is responsible for the leaks may not end them, he said — because the sophisticated perpetrators may have built a “dead man’s switch” to release all remaining files automatically upon their arrest.
“We’re obviously dealing with people who have operational security knowledge,” he said. “They have the whole law enforcement system and intelligence system after them. And they haven’t been caught.”