27 July 2016

Inside “Eligible Receiver”

The NSA’s disturbingly successful hack of the American military.

Excerpted from Dark Territory: The Secret History of Cyber War by Fred Kaplan. Out now from Simon & Schuster. On Wednesday, March 9, Kaplan will discuss his book in New York; for more information and to RSVP, visit the New America website.

On June 9, 1997, 25 officials of the National Security Agency—members of a security squad known as the “Red Team”—hacked into the computer networks of the Department of Defense, using only commercially available equipment and software. It was the first high-level exercise testing whether the U.S. military’s leaders, facilities, and global combatant commands were prepared for a cyber attack. And the outcome was alarming.

The simulated hack was the brainchild of the NSA director, Lt. Gen. Kenneth Minihan, who, before coming to the agency, had been commander of the Air Force Information Warfare Center in San Antonio, Texas. The center’s tech crews had been detecting frequent hackings of U.S. military computer networks, and had come up with ways to counter them—but few senior officers took notice or cared.

Fred Kaplan is the author of Dark Territory: The Secret History of Cyber War

Each year, the Pentagon’s Joint Staff held an exercise called Eligible Receiver—a simulation or war game designed to highlight some threat or opportunity on the horizon. Minihan wanted the next exercise to test the vulnerability of the U.S. military’s networks to a cyber attack. The most dramatic way to do this, he proposed, was to launch a real attack on those networks. He’d heard about small-scale exercises of this sort, against battalions or air wings of the Army or Air Force. In these war games, he’d been told, the hackers always succeeded.

The NSA Red Team was part of the Information Assurance Directorate, the defensive side of the agency, stationed in FANEX, a drab brick building out near Friendship Airport, a 20-minute drive from NSA headquarters at Fort Meade, Maryland. During its most sensitive drills, the Red Team worked out of a chamber called the Pit, which was so secret that few people at NSA knew it existed, and even they couldn’t enter without first passing through two combination-locked doors. In its workaday duties, the Red Team probed for vulnerabilities in new hardware or software that had been designed for the Defense Department, sometimes for the NSA itself. These systems had to clear a high bar to be deemed secure enough for government purchase and installation. The Red Team’s job was to test that bar.

It took Minihan a year of jumping through the Pentagon bureaucracy’s hoops to get permission to hold the exercise. In particular, the general counsel needed convincing that it was legal to hack into military computers, even as part of an exercise to test their security. NSA lawyers pointed to a document called National Security Directive 42, signed by President George H. W. Bush in 1990, which expressly allowed such tests, as long as the secretary of defense gave written consent. Secretary William Perry signed the agreement form.

The lawyers placed just one restriction on the exercise: The NSA hackers couldn’t attack American networks with any of their top secret gear; they could use only commercially available equipment and software.

On Feb. 16, 1997, Gen. John Shalikashvili, the chairman of the Joint Chiefs of Staff, issued Instruction 3510.01, “No-Notice Interoperability Exercise Program,” authorizing and describing the scenario for Eligible Receiver.

The game laid out a three-phase scenario. In the first, North Korean and Iranian hackers (played by the NSA Red Team) would launch a coordinated attack on the critical infrastructures, especially the power grids and 911 emergency communication lines, of eight American cities—Los Angeles, Chicago, Detroit, Norfolk, St. Louis, Colorado Springs, Tampa, Fayetteville—and the island of Oahu, in Hawaii. (This phase was played as a tabletop game, premised on recent analyses of how easy it might be to disrupt the grid and overload the 911 lines.) The purpose of the attack, in the game’s scenario, was to pressure American political leaders into lifting sanctions that they’d recently imposed on the two countries.

In the second part of the game, the hackers would launch a massive attack on the military’s telephone, fax, and computer networks—first in U.S. Pacific Command, then in the Pentagon and other Defense Department facilities. The stated purpose was to disrupt America’s command-control systems, to make it much harder for the generals to see what was going on and for the president to respond to threats with force. This phase would not be a simulation; the NSA Red Team would actually penetrate the networks.

For the 3½ months between the JCS chairman’s authorization and the actual start of the game, the NSA Red Team prepared the attack, scoping the military’s networks and protocols, figuring out which computers to hack, and how, for maximum effect.

The game, its preparation and playing, was carried out in total secrecy. Gen. Shalikashvili had ordered a “no-notice exercise,” meaning that no one but those executing and monitoring the assault could know that an exercise was happening. Even inside the NSA, only the most senior officials, the Red Team itself, and the agency’s lawyer—who had to approve every step the team was taking, then brief the Pentagon’s general counsel and the attorney general—were let in on the secret.

At one point during the exercise, Richard Marshall, the NSA counsel, was told by an agency higher-up that he was under investigation for espionage; someone on the security staff had noticed him coming in at odd hours and using the encrypted cellphone more than usual.

“You know why I’m here, right?” Marshall asked, a bit alarmed.

“Yes, of course,” the official replied, assuring Marshall that he’d briefed one security officer on what was happening. Even that officer was instructed not to tell his colleagues, but instead to continue going through the motions of an investigation until the game was over.

Eligible Receiver 97 formally got under way on Monday, June 9. Two weeks had been set aside for the exercise to unfold, with provisions for a two-week extension if necessary. But the game was over—the entire defense establishment’s network was penetrated—in four days. The National Military Command Center—the facility that would transmit orders from the president of the United States in wartime—was hacked on the game’s first day. And most of the officers manning those servers didn’t even know they’d been hacked.

The task turned out to be appallingly easy. Many defense computers weren’t protected by passwords at all. Others were protected by the lamest passwords, like “password” or “ABCDE” or “12345.” In some cases, the Red Team snipped all of an office’s links except for a fax line, then flooded that line with call after call after call, shutting it down. In a few instances, NSA attachés—one inside the Pentagon, the other at a Pacific Command facility in Hawaii—went dumpster diving, riffling through trash cans and dumpsters, looking for passwords. This trick, too, bore fruit.

The team had the hardest time hacking into the server of the J-2, the Joint Staff’s intelligence directorate. Finally, one of the team members simply called the J-2’s office and said that he was with the Pentagon’s IT department, that there were some technical problems, and that he needed to reset all the passwords. The person answering the phone gave him the existing password without hesitating. The Red Team broke in.

In most of the systems they penetrated, the Red Team players simply left a marker—the digital equivalent of “Kilroy was here.” In some cases, though, they did much more: they intercepted and altered communications, sent false emails, deleted files, and reformatted hard drives. High-ranking officers who didn’t know about the exercise found phone lines dead, messages sent but never received (or sent, but saying something completely different upon arrival), whole systems shut down or spitting out nonsense data. One officer who was subjected to this barrage sent his commander an email (which the Red Team intercepted), saying, “I don’t trust my command-control.”

This was the ultimate goal of what was called “information warfare” and would later be called “cyber warfare.” Eligible Receiver revealed that it was more feasible than anyone in the world of conventional combat had imagined.

There was one other surprise about Eligible Receiver, an incident that was revealed to just a handful of officials. When the Red Team members were hacking into the military’s networks, they came across some strangers—traceable to French Internet addresses—hacking into the network for real. In other words, foreign spies were already penetrating vital and vulnerable networks; the threat wasn’t hypothetical.

A few weeks after it was over, an Air Force brigadier general named John “Soup” Campbell put together a postmortem briefing on the exercise.

Campbell’s message was stark: Eligible Receiver revealed that the Defense Department was completely unprepared for, and defenseless against, a cyber attack. The NSA Red Team had penetrated its entire network. Only a few officers had grasped that an attack was going on, and they didn’t know what to do about it; no guidelines had ever been issued, no chain of command drawn up. Only one person in the entire Department of Defense, a technical officer in a Marine unit in the Pacific, responded to the attack in an effective manner: seeing that something odd was happening with the computer server, he pulled it offline at his own initiative.

After Campbell’s briefing, the chief of the NSA Red Team, a Navy captain named Michael Sare, made a presentation, and, in case anyone doubted Campbell’s claims, he brought along records of the intrusion—photos of password lists retrieved from dumpsters, tape recordings of phone calls in which officers blithely recited their passwords to strangers, and much more. (In the original draft of his brief, Sare noted that the team had also cracked the JCS chairman’s password. Minihan, who read the draft in advance, told Sare to scratch that line. “No need to piss off a four-star,” he explained.)

Everyone in the room was stunned, not least John Hamre, who had been sworn in as deputy secretary of defense at the end of July. Before then, Hamre had been the Pentagon’s comptroller, where he’d gone on a warpath to slash the military budget, especially the part secretly earmarked for the NSA. Through the 1980s, as a staffer for the Congressional Budget Office and the Senate Armed Services Committee, Hamre had grown to distrust the NSA: It was a dodgy outfit, way too covert, floating in the gray area between “military” and “intelligence” and evading the strictures on both. Hamre didn’t know anything about information warfare, and he didn’t care.

A few weeks before Eligible Receiver, as Hamre prepared for his promotion, Minihan had briefed him on the threats and opportunities of information warfare and on the need for a larger budget to exploit them. Hamre, numbed by the technical detail, had sighed and said, “Ken, you’re giving me a headache.”

But now, listening to Campbell and Sare run down the results of Eligible Receiver, Hamre underwent a conversion, seized with a sense of urgency. Looking around the room of generals and colonels, he asked who was in charge of fixing this problem.

They all looked back at him. No one knew the answer. No one was in charge.