Flynn’s remarks start at 5:54.
The Grugq is a world-renowned information security researcher with 15 years of industry experience. Grugq started his career at a Fortune 100 company, before transitioning to @stake, where he was forced to resign for publishing a Phrack article on anti-forensics. Since then the Grugq has presented on anti-forensics at dozens of international security conferences, as well as talks on numerous other security topics. As an independent information security consultant the Grugq has performed engagements for a wide range of customers, from startups to enterprises and the public sector. He has worked as a professional penetration tester, a developer, and a full time security researcher. The Grugq’s research has always been heavily biased towards counterintelligence aspects of information security. His research has been referenced in books, papers, magazines, and newspapers. Currently an independent researcher, the Grugq is actively engaged in exploring the intersection of traditional tradecraft and the hacker skillset, learning the techniques that covert organisations use to operate clandestinely and applying them to the Internet. You can follow him on Twitter at @thegrugq.
John Little: You blog and have given conference presentations on Hacker OPSEC. You started doing this before the recent NSA revelations (and the general hysteria surrounding intelligence collection) but you were already warning hackers that states had superseded them as the internet’s apex predator. In just a couple of years we’ve moved from the seeming invincibility of LulzSec, to high profile busts, and now onto serious concerns being raised about every aspect of the internet’s architecture, security models, and tools. Rock solid OPSEC is a refuge but maintaining it for long periods of time under significant pressure is very difficult. The deck is obviously stacked against anyone trying to evade state surveillance or prosecution so where do freedom fighters and those with less noble intentions go from here?
The Grugq: You raise a number of interesting points. I’ll ramble on about them in a moment, but before that I’d like to clarify for your readers a bit about where I am coming from. Firstly, I am not a “privacy advocate”, I am an information security researcher. My career in information security has been mostly focused around denial and deception at the technical level.
Recently, however, I became aware that this “fetishizing the technology” approach is simply not effective in the real world. So I turned to studying clandestine skills used in espionage and by illicit groups, such as narcotics cartels and terrorist groups. The tradecraft of these clandestine organizations is what I am trying to extract, inject with hacker growth hormone, and then teach to those who need real security: journalists; executives traveling to adversarial environments; silly kids making stupid life altering mistakes, etc.
The media has actually expressed a lot of interest in improving their security posture, and I am engaged in helping some journalists develop good OPSEC habits. Or at least, learn what those habits would be, so they have some idea of what to aspire to. There is a strange intransigence with some who reject improved security with the line: “but we’re not criminals! Why do we need this?” Well, the only answer I have is that OPSEC is prophylactic, you might not need it now, but when you do, you can’t activate it retroactively. As I phrased it in my “The Ten Hack Commandments” — be proactively paranoid, it doesn’t work retroactively.
So, that’s how I’ve arrived at hacker tradecraft, and where I’m trying to take it. On to the issues you’ve raised about good OPSEC and living a clandestine life.
The stress of the clandestine lifestyle is something that people tend to gloss over all too easily. This is an observation that comes up frequently in the literature about terrorist groups, espionage agents, and revolutionaries. There are a lot of compound issues which combine to make this sort of “good OPSEC” lifestyle very unhealthy for the human mind:
2. Compartmentation of the ego
3. Paranoia related stress
Isolation provides the strongest security, and all good security involves a significant investment in maintaining a low profile, “going underground”, “off the grid”, etc. This means that the clandestine operative has reduced visibility over the social and political landscape, and their telemetry will suffer. Degraded telemetry means they will be unable to self-correct and reorient to what is happening around them. If they are part of a cell, a group of operatives in communal isolation, they will tend to self reinforce their ideology. Effectively radicalizing and distancing themselves further from the mainstream norms of society. This additional isolation can create a feedback loop.
If the operative isn’t living a completely isolated clandestine lifestyle in their Unabomber cabin, they will have to isolate parts of their individual selves to compartment the different aspects of their lives. There will be their normal public life, the one face they show to the world, and also a sharded ego with their clandestine life. Maintaining strict compartmentation of the mind is stressful, the sharded individual will be a sum less than the total of the parts.
As if that wasn’t enough, there is the constant fear of discovery, that the clandestine cover will be stripped away by the adversary. This leaves the operative constantly fretting about the small details of each clandestine operational activity. Coupled with the compartmentalization of the self, the operative also has to stress about each non-operational activity, will this seemingly innocent action be the trigger that brings it all crashing down?
Seriously, maintaining a strong security posture for prolonged periods of time is an extremely stressful and difficult act. Operatives working for the intelligence agencies have a significantly easier time of it than those on the other side of the protection of the state: e.g. their agents; hackers; terrorists, and narcos. The “legal” operatives have peers that they can confide in and unwind with thanks to the protections of the nation state. The true clandestine agents must be guarded with their peers, the public and the adversary. Any peer might be an informant, either now or in the future. Opening up and being friendly with their peers is part of what led to the unraveling of the LulzSec hacker group.
This leaves people who need to operate clandestinely and use the internet with a real problem. How can you be on the Internet and isolated? Well, compartmentation is the only answer, but it is expensive and fragile, even a single error or mistake can destroy the whole thing. This is why I’ve advocated that people who seek to operate clandestinely combine deception, that is, multiple covers, for their compartmented activities. It is possible to embed tripwires into the cover identities and be alerted when they’re blown.
My thinking these days is that an operative must minimize the time that they are engaged in a clandestine operation. Something like the theory of special operations, the period of vulnerability only grows the longer the operation goes on. Clandestine operational activity must be compartmented, it must be planned, it must be short in duration, and it must be rehearsed (or at least, composed of habitual actions). It is possible to do, and I believe that even non-experts can pull it off, but it must be limited in scope and duration. Prolonged exposure to underground living is caustic to the soul.
John Little: There is a significant amount of paranoia circulating in hacker and activist communities right now. How much of it is justified? More importantly, how should people go about conducting a realistic personal risk assessment before they start piling on layer after layer of OPSEC? How can they strike that balance between the tedium and isolation and security that is “good enough”?
The Grugq: There is certainly a great deal of paranoia, some of it justified, some of it unjustified, and some of it misdirected. I think it is important to remember that paranoia is unhealthy, it is paralyzing, it is divisive, and it is harmful to operational effectiveness. The goal to aim for is caution. Allowing the adversary to inflict paranoia on you, or your group, gives them an easy psychological operation “win”. So let’s drop the paranoia and figure out what security precautions we must take in order to operate safely and effectively.
As you bring up, the core to effective security is performing a risk assessment, deciding what information is most important to protect, and then developing mitigation strategies to safeguard that information. There are books and manuals that go into this in great depth, so I won’t spend a lot of time on the details.
A risk assessment should focus on the most high impact items first. To determine this, you list your adversaries and group them by intent and capability. So the NSA would have a very high capability, but probably has a low intent of targeting you. Then you make a list of information about your secrets, what you are trying to protect, and group that based on the negative impact it would have if it were in the hands of an opponent. The most damaging information must be protected from the likely and the most capable adversaries.
Generally speaking, if you’re engaged in a clandestine activity that you want to protect, the core information to secure is:
1. Your identity
2. Your clandestine activity
3. Your association with the activity
So let’s take the example of the Dread Pirate Roberts, who’s been in the news recently after he got arrested. His adversaries were highly capable, including a wide range of law enforcement officials from across the globe. They were highly motivated, because DPR and his site were very high profile. So you have high capability, and high intent. Not looking good so far.
The information that was most important was his personal real world identity, followed by his location. Protecting that information would require:
1. Robust compartmentation
2. Reducing his exposure to the most capable adversaries (e.g. leave the USA)
3. A strong disinformation campaign
4. Limiting his time in “the dragonworld” (to use J. Bells’ term for the underground)
For most people engaged in a clandestine activity this list is probably what they will want to follow. The exact mitigation enacted for each component in the list is case dependent. As we discussed earlier, and as you’ve said, we need to find a good balance between an aggressive security posture and living a rewarding life.
Remember, the goal is to reduce the quantity and the quality of information available to the adversary.
John Little: So a point which both of us comment on with some regularity is the fact that security is rooted in behavior rather than technology. That’s always been true to some extent but never more than now. Tools are suspect, almost across the board. And a lot of assumptions about security have to be tossed aside. But one thing is certain, hackers adapt to the adversary. Terrorists do this well too. An attacker who can successfully parse all this and adapt is going to be a very significant threat. How can states counter the advanced threats? How can they counter hackers who know how to manage OPSEC and technical security to evade detection?
The Grugq: HUMINT. More of it.
The role of SIGINT in intelligence has basically been this weird bubble, starting around WWII when the love of SIGINT started until recently, when some of the SIGINT capabilities are starting to go dark. SIGINT is much more attractive than HUMINT. Signals don’t lie. They don’t forget. They don’t show up late to meetings, or provide intelligence information that is deliberately deceptive. SIGINT is the heroin of intelligence collection. The whole world got hooked on it when they discovered it, and it has had a very good run… it will probably continue to be useful for decades more, but really… the real utility of SIGINT will start to diminish now. It has to. The amount of encryption being deployed means that many mass collection capabilities will start to go dark. I, of course, am in total favour of this. I think that the privacy and protection of the entire Internet are more important than the ability of the US government to model the “chatter” between everyone using the Internet. The reduced security that the US government has tried (and succeeded) to force on the entire world makes all of us less safe against any adversary.
SIGINT is really the sort of intelligence collection technique that needs to lose its prominence in the pantheon of intelligence gods. It is very easy for a serious adversary to defeat: basic tradecraft from the days of Allen Dulles will work (leave the phone behind, have the meeting while taking a walk). This tradecraft technique is described by Dulles, in 50 year old KGB manuals, and by Hizbollah operatives last year. The only way to catch people who are capable of any sort of OPSEC / tradecraft is via: a) Mistakes that they make (very easy for amateurs to make mistakes), or b) Via HUMINT. Spies catch spies, as the saying goes. It might be updated to, spies catch clandestine operatives.
Historically, the value of HUMINT has been very hit and miss, but those “hits” are extremely valuable. The major successes of the Cold War were almost all the result of human beings who became spies for the opposition: Ames, Hanssen, Walker, Howard, Tolkachev, etc. There are myriad cases with terrorist groups as well, informants are the best weapon against them. Relying on SIGINT is essentially relying on the adversary (terrorist groups) having poor tradecraft and terrible counterintelligence practices. This is simply not the case, at least not with sophisticated dangerous groups.
Double down on HUMINT and scale back SIGINT. SIGINT can be evaded, but HUMINT, essentially exploiting trust relationships, will always bite you in the ass.
John Little: Hackers are going to have to evolve in the same direction though aren’t they? Technology isn’t their salvation from an OPSEC perspective, in fact it is really the weakest link in their security model, so they will have to fully embrace good old-fashioned tradecraft and deception to avoid detection. Do you see an appreciation of that in the hacking community? It seems like a lot of big name hackers are still making fairly simple OPSEC mistakes.
The Grugq: Exactly, this is really the understanding that needs to sink in: technology alone will not save you. Hacker culture, almost by definition, is technology obsessed. We fetishize technology and gadgets, and this leads us to the deep-seated belief that if we just use the right tool, our problems will be solved. This mindset is fundamentally wrong. At best, I would call it misguided, but really I believe that most of the time it is actually counter productive.
Trust is the weakest link in the security chain, it is what will get you in the most trouble. This goes double for trusting in technology (even, as Bruce Schneier says “trust the math”). Tech is not the path to security. Security comes from the way that you live your life, not the tools. The tools are simply enablers. They’re utilities. OPSEC is a practice.
Expecting the tools to provide security for you is like buying a set of weights and then sitting around waiting for your fitness to improve. The fallacy that technology will provide the solution has to be seen for what it is, a false promise. There is nothing that will protect secrets better than not telling them to people!
Good OPSEC is founded on the same basic principles that have governed clandestine activities since the dawn of time. Hackers might be new, but good hackers require the same set of skills as the second oldest profession. Good OPSEC is timeless, and it stems from the application of the principles of clandestine operation, using caution and common sense.
The “73 rules of spycraft” by Allen Dulles was written before the Internet, before hacker culture (even phreaker culture) existed. I believe it is one of the most valuable guides available to understanding how to implement OPSEC. (As an interesting aside, harking back to one of my previous points, Dulles recommends taking vacations to get away from the stress of “work”.)
There are a lot of very public hackers who exhibit terrible security practices. Many of them are techno fetishists rather than espionage geeks, consequently they fail to understand how limited their knowledge is. It’s the Dunning–Kruger effect in full tilt. They don’t do the research on their opposition and don’t know what sort of techniques will be used against them. By the time they figure it out, they are usually just an opportunity for the rest of us to practice Lessons Learned analysis. Of course the great tragedy is that many of the hacker community suffer from hubris that prevents them from actually learning from others’ failures.
A friend of mine paraphrased Brian Snow (formerly of the NSA) “our security comes not from our expertise, but from the sufferance of our opposition”. As soon as the adversary is aware of the existence of secrets worth discovering, and has the resources available to pursue them, hackers rapidly learn how good their OPSEC is.
John Little: I’ve always been amazed at the very public profiles of some hackers, especially where conferences are concerned. Granted, most are legitimate security researchers but there are also many in the community who occupy a grey area that is guaranteed to draw attention from intelligence or law enforcement agencies. Are hackers largely underestimating the skill with which intelligence agencies can penetrate, encircle, and absorb aspects of their community? Are we in for significant changes in the relationship between IC/LE and hackers, how hackers view themselves from a security standpoint, and how hackers engage each other?
The Grugq: Yes, very much so. There is a growing awareness of the altered threat landscape, and the need for an improved security posture. For decades the hacker community has been myopically focused on SIGINT threats, the sorts of technical attacks that have technical solutions. The HUMINT threat has been misunderstood, or ignored completely. That is changing as the hacker community is starting to learn and practice counterintelligence.
It is a difficult transition though, as some core counterintelligence principles run directly counter to the hacker ethos. There are a lot of factors at play, but one of the important ones is that hacker culture is very much a research culture. There is a great deal of knowledge exchange that goes on rather freely within various segments of the community. The problem, of course, is that the trading of information, which is so central to hacker culture, is the antithesis of a strong security posture. Many hackers realize this, so they only share with trusted friends, who then only share with their trusted friends, who then… and then suddenly everyone is on lists and someone is going to jail.
Security conferences are important events for hackers where they disseminate their research and findings, and socialize. This makes these events very target rich environments for intelligence agencies looking to build dossiers on hackers. They can see who is socializing with whom, attempt to recruit people, elicit information on capabilities, install malware on computers, collect intel from computers, and so on. That hackers would expose themselves to these activities seems very counterproductive for robust security. What gives?
The hacker community has a slightly different set of moral and ethical guidelines than mainstream society, which leads to problems with the authorities. Broadly speaking, few hackers view breaking into a system as unethical or morally wrong. Damaging the system, stealing information, or otherwise abusing the system is wrong. Simply accessing it is a challenge. The police, of course, view things differently: an illegal act is an illegal act.
For hackers the secret knowledge that they discover from active research is something to be proud of, and so we’re very excited to brag about our findings, activities or capabilities. This information is treated as something that will be kept within the community, bound by the FrieNDA. Of course, this is all based on trust, which is a very dangerous foundation for any security system. As Dulles says, the second greatest vice is vanity, the third is drink. Security conferences are not the places to avoid those vices!
So there is certainly this dynamic of wanting to brag about our discoveries from active research, but at the same time the tension of “what will happen if this leaks?”. These days we know what will happen, overzealous law enforcement and prosecution: weev, Aaron Swartz, Stephen Watt, Dan Cuthbert, etc. The authorities view hackers as modern day witches, something to be feared and destroyed. It is unfortunate for the hacker community in many ways. Intelligent people who could contribute to mainstream society have their lives destroyed. So the repercussions of what are generally harmless activities can be devastating and life altering. Unfortunately, the protections that hackers turn to tend to be technological, but the problem is humans.
The hacker community is easy prey for law enforcement and the intelligence community. Very few hackers are savvy enough to spot a recruitment pitch, or to understand that what they think is amusing others view as criminal. I think this is starting to change. These days there is a lot less discussion about illegal hacking of systems (whether for monetary gain or not), and more about how to protect against the massive Internet surveillance that has been made public.
In this, I think, the hacker community and the general public are finding a lot of common cause against the LE/IC. There is a lot of good that will come out of this realization that the technology of privacy is actually important and should be ubiquitous, and easy to use. The default should be secure. Of course, as we know, this won’t help that much if someone is going around making basic OPSEC errors. So strong privacy protections for everyone will make the job of the LE/IC a bit harder, but it will also make everyone safer. I think that is a fair trade off.
Similarly, I think a lot of hackers would be quite happy to help the LE/IC community with technology support and ideas. The problem is that the relationship is a difficult one to establish. The IC is a black-hole, sucking in information and returning nothing. I don’t know how there can be meaningful engagement between the two communities, which I believe is a tremendous shame. There is a lot that can be learned from both sides, and I would love for the IC to contribute back. Law enforcement doesn’t interest me that much. Personally, my interest with LE begins and ends with studying their tools techniques and procedures for counterintelligence purposes. Something, that historically at least, few other hackers actually do. That is changing.
Hackers are learning to tighten up their security posture, they are learning about the tools techniques and procedures that get used against them, and they are learning how to protect themselves. Of course, the preponderance of criminal activity is committed in places where lax enforcement of computer crime laws allows blackhats to operate inside “protected territory”. In the long term, this is an extremely dangerous situation for those guys, of course, because without an adversarial environment they won’t learn how to operate securely. When the rules change, they will be caught out, completely unprepared.
The intelligence agencies and law enforcement departments have decades of organizational history and knowledge. The individual members can display wide ranges of skill and competence, but the resources and core knowledge of the organization dwarf what any individual hacker has available. Many of the skills that a hacker needs to learn, his clandestine tradecraft and OPSEC, are the sort of skills that organizations are excellent at developing and disseminating. These are not very good skill-sets for an individual to learn through trial and error, because those errors have significant negative consequences. An organization can afford to lose people as it learns how to deal with the adversary; but an individual cannot afford to make a similar sacrifice — after all, who would benefit from your negative example?
The skills that hackers do have, the highly technical capabilities they can bring to the game, are not useful against an adversary whose primary skill is manipulating other people. Knowing how to configure a firewall, use Tor, encrypt everything, etc. isn’t going to do much good if you also attend a conference without a highly tuned functioning spook-dar and a working knowledge of anti-elicitation techniques. The hackers are hopelessly outclassed at this game. Hell, the majority of them don’t even know that they’re playing!
Times are changing though, and hackers are starting to learn: OPSEC will get you through times of no crypto better than crypto will get you through times of no OPSEC.
William serves as a senior security representative to a major government contractor where he acts as the Counterintelligence Officer, advises on counterterrorism issues, and prepares personnel for overseas travel. His additional duties include advising his superiors in matters concerning emergency management and business continuity planning. Mr. Tucker regularly writes on terrorism, intelligence (geopolitical/strategic), violent religious movements, and psychological profiling. Prior to his current position, Mr. Tucker served in the U.S. Army where he frequently briefed superior military officers in global terrorist movements and the modernization of foreign militaries. Additionally, he advised Department of Defense Police on domestic and international terrorist movements and trends in guerrilla attacks. Mr. Tucker received his B.A. and M.A. in Homeland Security (both with Honors from American Military University – AMU). You can follow William on Twitter at @tuckerwj.
Everybody spies. Intelligence professionals acknowledge this fact easily enough and the public at large, too, may understand this to some extent, though the intricacies of how and what intelligence actually is may remain a mystery to them. In fact, most Americans are at least familiar with the existence of the CIA and FBI due to media exposure and Hollywood dramatization, but these are only two agencies out of 16 in the U.S. intelligence community. One would think that a spy agency exposed for spying would be rather pedestrian news, though judging by recent coverage that is not always the case. All too often outrage ensues over these activities even when details are scant and the source is questionable. In other words, this outrage stems not from what actually happened, or even that a leak occurred, but more often how the story concerning this information is framed. Context matters a great deal with understanding how intelligence works and the recent revelations about the National Security Agency are no exception. The European press has been running stories over the last week claiming that the NSA intercepted over 70 million phone calls made by French citizens and another 60 million calls made in Spain. As expected, the citizens of France and Spain were quite upset that the U.S. was spying on them, and rightfully so. After all, the U.S., Spain, and France are allies, and allies don’t spy on one another, right? This information caused quite a stir in Paris and Madrid resulting in the summoning of the respective U.S. Ambassadors to explain what Washington was doing. A few days later the source of this information was finally parsed by people who understood the program – not only did the NSA not collect these phone calls, these intercepted calls didn’t even take place within French or Spanish borders. Furthermore, the calls were intercepted by the French and Spanish themselves and then turned over to the NSA as part of an intelligence cooperation agreement. 
In essence, what the press reported and what actually happened were worlds apart.
Another interesting case study that makes this point was the intercepting of phone calls between President Clinton and Monica Lewinsky by an allied nation. Because these calls were conducted on an unsecure phone line it was a relatively easy task to accomplish. One would assume that U.S. allies would be uninterested in the private affairs of the president, but Lewinsky was an intern and Mr. Clinton may have discussed professional matters in addition to personal affairs. It was a golden target of opportunity to get into the president’s thought process when he was most vulnerable. In other words, he may have been more candid on certain topics than he would’ve been with another head of state or a member of his staff. The same could be said for the NSA’s monitoring of German Chancellor Angela Merkel’s private cell phone. Consider that since Vladimir Putin began re-consolidating power back to the Kremlin, the U.S. became increasingly worried that Russia would use its energy stranglehold on Europe to strong arm U.S. allies into compliance with Moscow’s interests. This was first witnessed when the so-called color revolutions in the former Soviet states began to undergo a reversal and fall back into Moscow’s orbit. Russia would go on to put an exclamation point on their drive to reemerge as a world power by invading the Republic of Georgia, thus demonstrating its resolve to reestablish its sphere of influence. Though Washington likely understood that Germany may not have been vulnerable to a radical shift in orientation, Berlin has an energy hungry export driven economy and that reality would play a strong role in German-Russian relations. There was a very real fear that Germany would become friendlier with Moscow and less inclined to align with the U.S. as a result. When Merkel claimed that Germany was, “again acting like a normal country,” she was essentially stating that Germany would lay out and follow its national interests. It was vital to the U.S. to understand precisely what those interests might be. Again, context matters.
Naturally, Europe is not the only area of concern to the U.S. In South America the Brazilian profile has been rising both regionally and internationally, thus it makes sense that the NSA would be interested in the phone calls of Brazilian President Luiz da Silva and his successor Dilma Rousseff. When da Silva and Turkish prime minister Recep Tayyip Erdogan visited Iran in 2010 to hammer out a deal regarding Iran’s nuclear program, per a U.S. request, it set in motion a high profile interaction between three important nations that were having a measurable impact in their respective regions. Inevitably, the interaction between these three nations at such a high-level would also lead to other agreements and promises of cooperation – a common outcome of these types of gatherings. For the U.S., a nation with far flung and complex interests, knowing the details of these agreements would be vital to complementing and understanding public discussions by these leaders. Misinterpretations can be dangerous and good intelligence can often add color to a nation’s intentions which, in turn, can prevent a breakdown in relations, or worse, conflict. Though we may be uncomfortable with government spying the benefits often far outweigh the risks. This isn’t to defend everything the U.S. intelligence community does as some illicit activity may have occurred, but criticism should be focused on actual malfeasance, and not on the flawed analysis of a naive journalist. The ensuing Congressional hearing on intelligence will likely help to settle many of these issues, and U.S. citizens can take solace in the fact that these agencies are required to testify before elected officials – a quality one wouldn’t likely find in an agency that was out of control.
Tara Maller is a research fellow in the National Security Studies Program at the New America Foundation. Her current areas of focus include sanctions, diplomacy, intelligence, cybersecurity, terrorism and women in security. Previously, she worked at BrightWire Inc., a NY-based startup, where she served as the managing editor and managing director of Operations, Americas. In 2011, she received her Ph.D. in political science at MIT, where her dissertation focused on information collection, diplomacy and sanctions. During this time, she was an affiliate of MIT’s Security Studies Program and she served as research fellow in the International Security Program at the Belfer Center for Science & International Affairs at Harvard’s Kennedy School of Government. Previously, Maller worked as a military analyst at the Central Intelligence Agency, focusing on the Iraq insurgency. She has published articles in The Washington Quarterly, Studies in Conflict and Terrorism and PS: Political Science and Politics. She has also written for foreignpolicy.com, CNN.com and The Huffington Post and has appeared on CNN’s Erin Burnett OutFront and Bloomberg’s Bottom Line. She graduated with a B.A. in government from Dartmouth College and received an M.A. in international relations from the University of Chicago. You can follow her on Twitter at @TaraMaller.
In light of the recent discussion regarding a response to the use of chemical weapons in Syria, I thought it would be interesting to provide a look back at the grouping of biological, chemical and nuclear weapons together categorically and look at the history of the WMD category and the international norms that developed around these weapons.
The term “weapon of mass destruction” has not always referred to the grouping of nuclear, biological and chemical weapons. Despite the unique histories and differences between nuclear, biological and chemical weapons, the creation of a WMD category brought these three weapons groups together in a way that has had significant policy implications. The construction of the category itself preceded the actual solidification of the notion of the WMD threat. First, the grouping itself was established, bringing nuclear, biological and chemical weapons under one roof. Second, after years of sitting around on the shelves of international policy experts, the WMD terminology was reconstituted in a manner which framed the category as what is currently understood as the WMD threat.
According to a variety of sources, one of the earliest published uses of this term appears to date back to 1937. In a December 28, 1937, article of The London Times, “Archbishop’s Appeal: Individual Will and Action, Guarding Personality,” an excerpt from the Archbishop of Canterbury’s “Christian Responsibility” broadcast is reprinted and includes the phrase “weapons of mass destruction.” In it, the Archbishop states,
Take, for example, the question of peace. Who can think without dismay of the fears, jealousies, and suspicions which have compelled nations, our own among them, to pile up their armaments? Who can think at this present time without a sickening of the heart of the appalling slaughter, the suffering, the manifold misery brought by war to Spain and to China? Who can think without horror of what another widespread war would mean, waged as it would be with all the new weapons of mass destruction? Yet how fruitless seem to be all efforts to secure a really settled peace.
This unofficial use of the term “weapons of mass destruction” did not carry the meaning that the term has today. In his quotation the Archbishop is not using the term to refer to nuclear, biological and chemical weapons, but rather, he is referring to the conventional bombing of cities. While there were earlier uses of the term “mass destruction” with regard to poisonous gas in World War I and various other weapons, this genealogy will focus on the actual phrase “weapons of mass destruction.”
As a result of prior treaties and attitudes about these weapons, such weapons became the focus of United Nations disarmament discussions in the 1940s. As stated earlier, the United Nations’ first resolution made it clear that one of its main goals was the elimination of such weapons from the weapons arsenals of the world. Following the massive destruction of World War I and World War II, there was a genuine effort by the United Nations to attempt to limit the use of weapons that had the ability to carry out such destruction in the future. The first official use of the term that I was able to locate was in the first resolution of the General Assembly of the United Nations, on January 24, 1946. This resolution called for “the elimination from national armaments of atomic weapons and all other major weapons adaptable to mass destruction.” However, the primary focus of the resolution was to establish a commission to focus on the new issue of atomic energy. A few months later in October 1946, the term appears in an article that reported on President Truman’s welcome to delegates at the opening of the General Assembly of the United Nations in New York. The article quotes Truman as saying,
Two of the greatest obligations undertaken by the United Nations towards the removal of the fear of war remain to be fulfilled. First, we must reach an agreement establishing international controls of atomic energy that will ensure its use for peaceful purposes only, in accordance with the Assembly’s unanimous resolution of last winter. Second, we must reach agreements that will remove the deadly fear of other weapons of mass destruction, in accordance with the same resolution.
In a December 1946 United Nations General Assembly resolution titled, “Principles Governing the General Regulation and the Reduction of Armaments,” the same goal is reiterated with the same terminology. This resolution, Resolution 41, refers to the January 24th resolution and recommends that the Security Council, “expedite consideration of a draft convention or conventions for the creation of an international system of control and inspection, these conventions to include the prohibition of atomic and all other major weapons adaptable now and in the future to mass destruction and the control of atomic energy to the extent necessary to ensure its use only for peaceful purposes.” However, in both of these resolutions and President Truman’s statement, the only specific type of weapon that is directly referred to with regard to the term “mass destruction” appears to be weapons that employ atomic energy. The use of the term “mass destruction” in this context makes sense, as the dropping of the atomic bomb on both Hiroshima and Nagasaki resulted in the “mass destruction” of both lives and property. There is no language in the resolutions that refers directly to either chemical or biological weapons.
Following the original use in the context of a UN General Assembly resolution, the frequency of the term’s appearance increased in the media. From the time of the 1937 article in The London Times, the term does not appear again in that newspaper until July 1, 1946. The July 1, 1946, article, titled “Effects of Two Atom Bombs: British Survey in Japan,” quotes a report that was written by British officials who went to Japan to see the effects of the atomic bomb. The article states that the report opens by stating, “His Majesty’s Government consider that a full understanding of the consequences of the new form of attack may assist the United Nations Organization in its task of securing the control of atomic energy for the common good and in abolishing the use of weapons of mass destruction.” The article then goes on to describe the report, which details the destruction that resulted from the atomic bombs that were dropped on Hiroshima and Nagasaki. At this point in time, there does not seem to be any precise definition of what actually is included in the category of weapons of mass destruction. It is clear, however, that the term is primarily being used to refer to the newly created atomic bomb that was used against Hiroshima and Nagasaki. Once again, the use of this term with regard to atomic weapons makes sense due to the destruction and devastation that resulted from the dropping of the two bombs.
In 1948, the United Nations Commission for Conventional Armaments took further steps to define the term “weapons of mass destruction.” According to UN document S/C.3/32/Res.1, such weapons were defined as, “those which include atomic explosive weapons, radioactive material weapons, lethal chemical and biological weapons, and any weapons developed in the future which have characteristics comparable in destructive effect to those of the atomic bomb or other weapons mentioned above.” However, at this time, the term’s usage was not nearly as commonly understood or used as it is today. As stated earlier, the term “weapons of mass destruction” appeared only once in The London Times prior to July 1, 1946. The term’s use increased in frequency from July 1, 1946 to 1950, appearing in 23 articles in The London Times. In the years that follow, the term’s appearance in The London Times is as follows: 1951-1960: 167 articles, 1961-1970: 71 articles, 1971-1980: 19 articles, 1981-1990: 68 articles, 1991-2000: 508 articles, 2001-2003: 1509 articles.
The term is also found in another important statement issued in 1955, The Pugwash Manifesto. The Pugwash Manifesto was issued by a small group of renowned scientists, including Albert Einstein. The Manifesto opens by stating, “In the tragic situation which confronts humanity, we feel that scientists should assemble in conference to appraise the perils that have arisen as a result of the development of weapons of mass destruction, and to discuss a resolution in the spirit of the appended draft.” It is clear in the Manifesto that the term’s use refers to the nuclear bomb. During the 1960s and throughout the Cold War, the ambiguity of the term is complicated further when it is discussed in the context of other weapons, making it unclear whether or not these are considered part of the category or outside the category. In 1961, the United States and the Soviet Union issue a joint statement regarding disarmament, called the McCloy-Zorin Accords. The accords are adopted by the United Nations General Assembly on September 20, 1961.
This statement appears to group NBC weapons together, when it states: To this end, the programme for general and complete disarmament shall contain the necessary provisions, with respect to the military establishment for every nation, for: (a) Disbanding of armed forces, dismantling of military establishments including bases, cessation of the production of armaments as well as their liquidation or conversion to peaceful uses; (b) Elimination of all stockpiles of nuclear, chemical, bacteriological, and other weapons of mass destruction and cessation of the production of such weapons; (c) Elimination of all means of delivery of weapons of mass destruction; (d) Abolishment of the organization and institutions designed to organize the military effort of States, cessation of military training, and closing of all military training institutions; (e) Discontinuance of military expenditures.
While official documents and policymakers referred to these weapons in conjunction with one another throughout the Cold War, the main concern when talking about “mass destruction” appears to have centered primarily on nuclear weapons. Even when the three groups of weapons appeared in conjunction with one another, they were part of an intense general disarmament effort at the time – not a specific isolated categorical threat in and of themselves.
The Construction of the WMD Threat
Despite the fact that treaties regarding use and possession of nuclear, biological and chemical weapons existed throughout the 20th century, the construction of the WMD category as a threat did not actually emerge and solidify until the emergence of a new post-Cold War security environment. Prior to this, the early signs of securitization could be seen in disarmament discussions, as these groups started to be discussed together. The association of such weapons with the “uncivilized” and the strong disarmament attitudes at the time of the aforementioned UN resolutions were conducive to laying the foundations for the securitization of the “WMD threat” as we currently know it. Biological and chemical weapons were perceived at the time as being less controllable than other more conventional weaponry, so people viewed them as weapons that could not be contained; therefore, more unintended consequences could result from their use. In addition, there was thought to be more unpredictability and uncertainty with regard to these weapons. As a result of these types of perceptions about the weapons themselves and the association that had developed in previous treaties regarding the “uncivilized” nature of such weapons, the dangers of biological and chemical weapons were grouped together in the WMD category. However, today, the term “weapons of mass destruction” is no longer understood merely as a grouping of weapons, but rather, these weapons constitute a phenomenon beyond a mere categorization – they constitute a commonly understood WMD threat. The next issue to be addressed is how and why such weapons have been turned into this notion of the WMD threat in the current international system.
It appears that the WMD threat, as we currently understand it to be, was not actually solidified and commonly understood until the post-Cold War era, specifically in the early 1990s. It was around this time that the term’s usage also increased drastically in frequency (see London Times appearance numbers above) and began to extend far beyond the vocabularies of only individuals in the government and the defense community. Much of the discussion about the WMD threat appears under the first Bush administration, specifically with regard to the Persian Gulf War and the development of a U.S. post-Cold War nuclear policy. In 1990, Vice President Dick Cheney (then Secretary of Defense) argued to Congress that the United States needed to maintain its nuclear arsenal, “because there is a growing proliferation of weapons of mass destruction and sophisticated weapons technology in the Third World.” The solidification of the stigmatized threat associated with all three of the weapons contained in this group was significantly shaped through United Nations Security Council Resolution 687 in 1991. While this was by no means the first formal grouping of these weapons, it was the first time that such weapons were grouped and actually turned into a comprehensive security issue in themselves. Following Iraq’s invasion of Kuwait, UN Resolution 687 prohibited Iraq from manufacturing or using “weapons of mass destruction,” specifically defining such weapons to be nuclear, biological or chemical in nature. In addition, throughout the Persian Gulf War the Bush administration appeared to suggest that a nuclear response would be considered in retaliation for the use of biological or chemical weapons by Saddam Hussein. In the post-Cold War era, the Russian nuclear arsenal was a fading threat, as new concerns developed over stockpiles of biological and chemical weapons, specifically facilities that could be buried underground.
In 1993, the Clinton administration embarked on the first review of the U.S. nuclear arsenal and policy of the post-Cold War period. The review resulted in the 1994 Nuclear Posture Review (NPR). The NPR recognized that Russia no longer posed the security threat that it did during the Cold War and consequently called for reductions in the arsenal. Throughout both the first Bush administration and the Clinton administration there was a focus on the changing security environment in which proliferation of nuclear weapons and WMD to other hostile or “rogue states” became a new central issue. A shift in policy from targeting fixed targets in Russia to a more flexible and adaptive targeting set was one of the main changes from the Cold War to post-Cold War nuclear policy. However, the WMD threat was of key importance in reshaping U.S. nuclear policies. These weapons were used by many government officials as justification for maintaining strong nuclear arsenals despite the diminished Russian nuclear threat. In a 1995 Doctrine for Joint Theater Operations put out by the Joint Chiefs of Staff, the Pentagon argued that the threat of WMD proliferation was growing and the Pentagon set forth detailed plans involving nuclear weapons for specific areas of the world such as the Korean Peninsula and the Middle East. In addition, while these developments were taking place on the policy front, nuclear labs were working on the development of nuclear weapons that could be used to target underground biological and chemical weapons facilities. These types of nuclear weapons became part of the U.S. nuclear arsenal in 1996.
The culmination of this reformulation of U.S. nuclear policy resulted in the more recent 2002 Nuclear Posture Review, which updated and changed the 1994 Nuclear Posture Review. While much of the report remains classified, the 2002 NPR renews the focus on developing weapons aimed at targeting underground facilities and a list of rogue states: Iraq, Iran, Syria, Libya, and North Korea. The review also emphasizes the threat of “weapons of mass destruction” as one of the main concerns at the core of the posture. In a foreword to the report, Secretary of Defense Donald Rumsfeld writes,
We have concluded that a strategic posture that relies solely on offensive nuclear forces is inappropriate for deterring the potential adversaries we will face in the 21st century. Terrorists or rogue states armed with weapons of mass destruction will likely test America’s security commitments to its allies and friends. In response, we will need a range of capabilities to assure friend and foe alike of U.S. resolve. A broader array of capability is needed to dissuade states from undertaking political, military, or technical courses of action that would threaten U.S. and allied security. U.S. forces must pose a credible deterrent to potential adversaries who have access to modern military technology, including NBC weapons and the means to deliver them over long distances.
In the actual text of the report itself, the issue of “weapons of mass destruction” is directly addressed. The report states,
Nuclear weapons play a critical role in the defense capabilities of the United States, its allies and friends. They provide credible military options to deter a wide range of threats, including WMD and large-scale conventional military force. These nuclear capabilities possess unique properties that give the United States options to hold at risk classes of targets [that are] important to achieve strategic and political objectives.
While the 2002 NPR is in many ways a continuation of the development of the post-Cold War nuclear policies that have been emerging since the early 1990s, it also marks a significant departure from the earlier Nuclear Posture Review. The 2002 NPR appears to demonstrate a lack of commitment to nuclear reductions through less of an emphasis on the importance of arms control treaties and more of an emphasis on flexibility for the United States with regard to its nuclear policies. The formulation of post-Cold War policy is significant in the genealogy of the WMD threat because it shows the way in which this category of weapons was invoked throughout the formulation of important strategic U.S. nuclear policy decisions.
While official documents and policymakers referred to these nuclear, biological and chemical weapons in the context of disarmament discussions during the Cold War, the main concern when talking about “mass destruction” during the Cold War appears to have centered on nuclear weapons. The WMD threat was not actually solidified and commonly understood until the early 1990s. I believe that the term’s present day understanding and the stigma associated with all three of the weapons contained in this group was really shaped through United Nations Security Council Resolution 687 in 1991. As demonstrated earlier, while this was by no means the first formal grouping of these weapons, it was the first time that such weapons were grouped and officially turned into a comprehensive security issue. In addition, as seen by the statistics previously discussed, the term’s use increased drastically in the media beginning in the early 1990s. Following Iraq’s invasion of Kuwait, Resolution 687 prohibited Iraq from manufacturing or using “weapons of mass destruction,” specifically defining such weapons to be nuclear, biological or chemical in nature.
The historical record demonstrates that the construction of the WMD threat as we currently know it has been a pretty recent phenomenon. The association of such weapons with the evil regime of Saddam and its invasion of Kuwait was a pivotal point in the solidification of this grouping and the construction of the taboo associated with WMD. However, this sort of stigmatization through association with “the other” or “the evil” or the “uncivilized” was by no means a new tactic in terms of controlling nuclear, biological and chemical weapons. In earlier treaties controlling certain forms of weapons, the language of the documents frequently referred to the signatories that condemned certain weapons as being the “civilized.” Such language was often invoked in order to frame certain behavior as being part of the civilized world and other behavior as being outside the realm of the civilized world. For example, in 1922, the Washington Treaty worked to solidify a prohibition on chemical weapons. According to Robert Harris and Jeremy Paxman, in the Washington Treaty, “the ‘civilised powers’ decreed that the banning of chemical warfare should ‘be universally accepted as part of international law binding alike to the conscience and practice of nations.’” Also, in May 1925, the Geneva Protocol outlawed the use of asphyxiating, poisonous or other gases and also included the prohibition of biological warfare. Like the Washington Treaty, the Protocol pointed out the condemnation of such weapons in the eyes of the “civilized” world. The United States and other countries view weapons in the WMD category as a dangerous and destructive asymmetric threat to unprotected civilian populations due to the indiscriminate nature of these weapons and the potential for terrorists to use them.
Hopefully, this background on the normative prohibitions against this weapons category helps put some of the discussion on responding to the use of chemical weapons in Syria into a broader historical context regardless of how one thinks the U.S. ought to respond to such use.
I’ve made a ton of changes over the last couple of days. The extension has been updated to pull national security news from dozens of my favorite sources. The list of U.S. government feeds in the mix has grown as well with multiple feeds from the Department of Defense, State Department, CIA and NSA added to the mix. The look and feel has been modified as well with each story being displayed on its own card composed of the headline and a brief summary.
The number of stories available in the extension has been boosted as well. It now pulls in the 50 most recent updates from these sources making it a pretty useful tool for a quick scan of the stories that matter.
Please rate it and drop a review on the Chrome Web Store to let me know what you think. Click on the install button below to add it to your browser.