Is there a cyber security equivalent of ‘SEAL Team Six’?
On May 2, 2011, the United States government, by executive order, dispatched a crack squad of commandos to a compound in northeastern Pakistan and authorized the assassination of one of the world’s most wanted men. Two dozen U.S. Navy SEALs—as in Sea, Air, Land—debarked from a couple of Black Hawk helicopters and, as meticulously trained, stormed a white manor tucked away in the normally quiet suburbs of Abbottabad, a city inscribed in the verdant Sarban hills. Like surgery, a subset of the team pinpointed its target—the leader of Islamist militant group Al Qaeda—and plunged him, following a short-lived firefight and the confirmation of his bodily remains, into a watery tomb.
Most people have by now heard an account of that night. Between a TV movie, book deals, and a major motion picture, the supposedly covert gang of government-backed “cleaners” has received a lot of attention. But one must wonder: Given the recent frequency of high profile cyber attacks—Sony Pictures, J.P. Morgan, Home Depot, Target, et cetera—does the U.S. support a digital version of the special mission unit? Is there a go-to team of top-secret cyber warriors that goes on the offensive at the drop of a hat? And if so, where might one find it?
Fortune contacted a host of government agencies to inquire whether anything equivalent to a cyber “SEAL Team Six” exists. (Yes, we realize that if it really did exist, they probably wouldn’t tell us.) The Secret Service, Federal Bureau of Investigation, and U.S. Cyber Command all acknowledged that they have or are building professional teams to conduct cyber activities, but they aren’t a secret and most are defensive in nature.
Other agencies remained hush-hush. A spokesperson for the NSA merely redirected Fortune in an e-mail to “the Bureau.” And a spokesperson for the Central Intelligence Agency offered, also via e-mail, the following statement: “CIA routinely shares foreign intelligence with our federal government partners across a range of issues that include helping the FBI and the Department of Homeland Security protect our nation’s critical infrastructure.” Right.
Here’s what we do know about U.S. cyber investigations. For nearly three decades, the Secret Service and FBI have been examining computer fraud and network intrusions for the purposes of national security and foreign relations. The former, with nearly 40 offices containing electronic crimes task forces, takes the lead on financially motivated cyber crime, such as that suffered by big retailers and banks. The latter, with 56 field offices each containing at least one cyber task force, takes charge on matters of national security. (The NSA and CIA provide support to those agencies as needed and they increasingly share information with one another.) To help coordinate threat responses, President Obama in 2008 directed the FBI to create a National Cyber Investigative Joint Task Force that serves as a “focal point” for coordinating responses to threats; that unit, which hunts cyber attackers, includes 19 intelligence agencies and law enforcement and is a sort-of centralized hub.
As far as breaches involving money go, the Secret Service is a business’s best bet. Ari Baranoff, assistant special agent in charge of the agency’s criminal investigative division, likens the cyber intelligence practice of the Secret Service to a SEAL operation. That team helps to identify the aliases of bad actors and translate them into real-world identities so it may bring charges against and apprehend crooks overseas. (Many of whom, he says, are Russian-speaking.) “What we consider the equivalent of our cyber SEALs combines decades worth of experience and information that we have curated to help us connect the dots on major cases across the country,” he says. “We’re not the only game in town, but we’re probably the best game in town.”
The crew of special agents, analysts, and scientists works out of a headquarters building in Washington, D.C., a co-location which, Baranoff adds, is unusual for such a unit. This year the cyber intelligence section responded to approximately 350 network intrusions or incidents, including Home Depot (HD) and J.P. Morgan (JPM), though the majority of cases involve small or medium-sized businesses, he says. By embedding agents on a rotating basis with the national police forces of the Baltic states as well as teams in Ukraine and the Netherlands, the unit has helped capture some of the world’s most notorious cyber criminals—such as Vladislav Horohorin, a stolen credit card trafficker, and Roman Seleznyov, another fraudster and son of a member of the Russian parliament. “You don’t need to have a large operation to focus on and identify and bring to justice the greatest threats,” Baranoff says. “Look at the landscape of the worst of the worst. We’re not talking about armies of thousands of people; we’re talking about individuals, and that doesn’t require an army to chase after. We’re a specialized unit that handles that.”
When Fortune asked an FBI spokesperson whether the agency sponsors anything resembling SEAL-like operations, she offered the cyber action teams in the bureau’s cyber division. The teams consist of agents and computer scientists trained in computer network forensics and malicious code analysis. “They travel around the world to respond to computer intrusions,” she said. “Along the way, they gather vital intelligence on emerging threats and trends that helps us identify the cyber crimes that are most dangerous to our national security and to our economy.” (Fortune made a request to interview one member of that team, but it could not be arranged by press time, probably due to the ongoing revelations about the Sony hacking incident.)
Beyond the Secret Service (which is housed in the U.S. Department of Homeland Security) and the FBI (which resides in the Department of Justice), the Department of Defense’s U.S. Cyber Command seems another likely home for a cyber version of “SEAL Team Six,” should such a clandestine troop exist. Based in Fort Meade, Maryland, along with the NSA, the Cyber Command enlists more than 2,000 people on a budget of $562 million, up from $191 million last year. The group is responsible for defending critical national infrastructure and information networks, as well as for assisting offensive operations. One segment, the Cyber Combat Mission Force, “provides cyber support to combatant commanders across the globe,” according to a U.S. Department of Defense website.
“The Cyber Mission Force is no longer an idea on a set of briefing slides,” said Keith Alexander, then-commander of the organization and director of the NSA, earlier this year in a speech before the Senate Committee on Armed Forces delivered prior to his retirement. “Its personnel are flesh-and-blood Soldiers, Marines, Sailors, Airmen, and Coast Guardsmen, arranged in military units that are on point in cyber space right now.” At the time the Cyber Command enlisted 1,100 people comprising 17 operational teams; by 2016, it aims to boost its headcount to 6,000 and 133 teams.
As warfare digitizes, the Cyber Command, which was established in 2010, seeks to stay ahead of the threats it has been designed to address. A relative newcomer on the scene—especially compared to the combined two-and-a-half century legacy of the Secret Service and FBI—it’s growing fast and still finding its place within the federal bureaucracy and military hierarchy. Expect it to continue to evolve; in that same pre-retirement statement, Alexander shared his thoughts about a road map for the organization he inaugurated:
Let me share with you my vision for what we at U.S. Cybercom are building toward. We all know the U.S. military is a force in transition. We are shifting away from legacy weapons, concepts, and missions, and seeking to focus—in a constrained resource environment—on being ready for challenges from old and new technologies, tensions, and adversaries. We have to fulfill traditional-style missions at the same time that we prepare for emerging ones, with new tools, doctrines, and expectations, both at home and abroad.
We are building this force and aligning the missions of the teams with intelligence capabilities and military requirements. Our cyber mission teams will bring even more capability to the “joint fight” and to whole-of-government and international efforts.
Translation: Scrap the assault rifle; brandish a keyboard. Questioned further about the team’s training, a Cyber Command spokesperson responded, “We train units using realistic scenarios, including force-on-force exercises against a simulated adversary on a closed, virtual exercise network.” The Cyber Command, for instance, recently pitted teams against each other in a “cyber flag” competition, a rehearsal assessing its crisis readiness. Through mock conflict, the organization hopes to prime its educands for the perils of the real world.
It may be too early to compare the government’s IT whiz kids to its special operations forces; for most citizens, electronic warfare does not yet bear the immediacy of life-taking kinetic weaponry. But the world is changing fast—and the Internet of Things promises, in due time, to connect to the Internet virtually everything around us. Assuming the distinction between our digital and analog worlds continues to vanish, the comparison gains plausibility—indeed, urgency.
Two years ago, President Obama issued a directive, Presidential Policy Directive 20, that enables the U.S. to conduct quicker emergency actions in cyber space with greater flexibility. (Thank Edward Snowden for the leak of the document.) It dictates that the U.S. government needs no consent to launch a cyberattack when “the President—on the recommendation of the Deputies Committee and, as appropriate, the Principals Committee—determines that an exception to obtaining consent is necessary, takes into account overall U.S. national interests and equities, and meets a high threshold of need and effective outcomes relative to the risks created by such an exception.” In other words: it’s the boss’ call. Say the word and digital choppers fly.
Stuxnet, the U.S.-backed computer worm that knocked nearly 1,000 Iranian nuclear facility centrifuges offline in 2010, may have encouraged the commander-in-chief to adopt the new framework and take a more active, agile cyber posture. That operation “appears to be the first time the United States has repeatedly used cyberweapons to cripple another country’s infrastructure,” wrote the New York Times, “achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives.” Perhaps the president was emboldened, too, by another tactical hit.
All of this goes to say that a market certainly exists for a special team of crack U.S. cyber troops. During the reporting of this story, some of the government agencies contacted were eager to compare their operations to a unit as distinguished and elite as SEAL Team Six. Others hesitated to make the leap, maintaining that a comparison between their forces and the well-known but classified unit isn’t exactly appropriate, given their distinct missions and methods. Is there actually a cyber SEAL Team Six? We don’t know. But we do know that the environment for one couldn’t be more hospitable.