Over a four-day period in June 20 years ago, hackers simulated an attack on the power grids and 911 emergency systems in eight U.S. cities and then infiltrated and took control of U.S. Pacific Command computers. The simulated attack on the grid and 911 systems was a tabletop game used to create some of the events that would be used in an exercise conducted by an NSA Red Team to actually infiltrate U.S. Pacific Command computers. The results produced an embarrassing wake-up call for the Department of Defense, demonstrating that its information systems were extremely vulnerable to attack and disruption in any military operation.
The Red Team from the NSA also included the CIA, FBI, State Department, and the Defense Intelligence Agency and the exercise was known as Eligible Receiver 97. The operation used software available on the Internet at that time, no “zero day” classified top-secret code was allowed. The results, in one word, were “Shocking”.
While much of the information on the exercise remains classified 20 years later, suffice it to say, the “hackers” had root access to more than 35 government networks and free rein to do serious exploitation and possibly damage if so inclined. At the time there were intrusion detection systems in place, but they posed very little effective defense against the NSA Red Team.
In 1997, Bill Clinton was President and Lt. General Kenneth Minihan was Director of the National Security Agency. He had formerly been running the Information Warfare Center in San Antonio, Texas. Today it is the 24th Air Force Cyber Command at Lackland AFB. William Crowell, Deputy Director, was second in command and the agency’s highest-ranking civilian. Richard Marshall was the senior legal counsel to the NSA Director and his staff. Both Bill and Rich are personal friends. I interviewed them to reflect on ER 97’s impact, comment on the state of cybersecurity defense in the DoD today, and offer any advice for the cybersecurity industry heading into the future.
When Eligible Receiver 97 was concluded, the entire defense establishment’s network was penetrated - in four days. One unexpected outcome was that foreign spies were uncovered already penetrating the networks! Eligible Receiver revealed that the DoD was wide open for a cyber attack as the NSA Red Team exercise had little problem penetrating its entire network.
I had to personally convince the NSA/GC, DOD/GC and later the US Attorney General Janet Reno that the exercise I had played such a key advisory role in helping design was not going to bring down the Internet; was not going to violate US, International, or Nation State law; was not going to disclose any penetration testing techniques (i.e. “sources and methods”) or publicly disclose system vulnerabilities. Our OPLAN was designed as if we were attacking a real-world adversary. Legal restrictions were built in and strictly followed. The NSA Red Team – to a person – was highly skilled technically and well educated on the legal constraints.
I took comfort in their dedicated professionalism from start to finish.
That confidence gave me great comfort when NSA security “interviewed” me as a possible spy based solely on my suspicious activities which to this day I think remain classified. Be that as it may, I was somewhat taken aback initially but soon realized that the Red Team Mission had not been compromised.
ER-97 was a major wake-up call about the state of our digital defenses and a game-changing event. There were ample opportunities to implement “lessons learned” just as is the case in every military exercise. Some of those lessons learned were implemented; others were postponed for policy and resource reasons. The result was incremental improvements, and DOD still is not as secure as it could be, but maybe we are “good enough” for now. Every time the cyber alarm goes off, we “reset” it rather than solve the underlying problem. Integrating and maintaining diverse legacy systems is and always will be a challenge.
The big lesson from ER-97 is an old lesson in leadership and change management. Change must be led from the top; not the bottom; not the middle, but by the leadership at the top. Responsibility and accountability go hand in hand and are best achieved with proper resources in a sustainable environment.
Eligible Receiver was a remarkable demonstration of how information technology, which is fundamental to our military capabilities, was so easily penetrated, exploited and potentially disrupted in 1997. While it is arguable that military systems are better protected today, they are still vulnerable and are still being subjected to real world attacks by our adversaries. More importantly, however, is the fact that our critical infrastructure, much of which is in the private sector, is less well protected and being attacked and exploited almost every day. Americans have learned that their identity, privacy, and financial systems are being successfully attacked and that much of the information that can be used to attack their personal well-being as citizens has been compromised. What is less well known is that the same kind of penetration, exploitation, and disruption is being carried out against critical infrastructure, and even our election systems.
As for finding spies in our network, the reaction was disbelief by most people. We had long postulated that meaningful attacks were possible, but finding the evidence was an important ingredient in moving forward to build better defenses for the DoD networks. As for security today within the DoD, I believe that it is better, but so are the adversaries.
It is my strong belief that many (if not most) of the cyber security systems and tools that have been developed over the last 20 years are “point solutions” and that while they may deal with very specific cyber threats very well, they are not integrated into a more comprehensive cyber security system that is aware of all of the results of the many point solutions that are installed in today’s networks. What we need and what I believe we will achieve over the next 20 years is a more systematic approach to integrating security indicators and automating the responses and mitigation of the threats.
I do not believe that we will get better operating systems, applications and fundamental network systems. The IT industry (e.g. smart phones and tablets, IoT, etc.) moves so fast to the next generation of devices that it is difficult to imagine them getting better at fielding devices and systems that are fundamentally more secure with fewer bugs and vulnerabilities. With that in mind, cyber security is cited by many as an “arms race” that pits cyber defensive tools against a constantly changing set of vulnerabilities. We are most certainly going to have to field and integrate constant upgrades of defensive tools in a more timely manner against an increasingly agile set of attackers.
As for the next 20 years, “May you live in interesting times”. This quote is an English translation (purportedly) of a Chinese curse. (Source: Wikipedia). Makes sense to me.
Dan Dunkel is President of New Era Associates, a sales consultancy developing strategic partnerships to drive revenues in the emerging market of The Internet of Things (IoT). He has 22 years of successful enterprise IT sales and executive experience with ten years of physical and cyber security consulting across domestic and international markets. He is also the published author of Physical & Logical Security Convergence (Elsevier, 2007), and a contributing writer for both SDM magazine and Security magazine.