Authors: Fred Kaplan
By 1990, the Air Force Cryptology Support Center (which, a few years later, became part of the Air Force Information Warfare Center) was upgrading its intrusion-detection system. After the Morris Worm, the tech specialists started installing “host-based attack-detection” systems, the favored method of the day, which could protect a single computer; but they were quickly deemed inadequate. Some of the specialists had read about Heberlein's Network Security Monitoring software, and they commissioned him to adapt it to the center's needs.
Within two years, the cryptologists installed his software—which they renamed the Automated Security Incident Measurement, or ASIM, system—on Air Force networks. A new subdivision of the Air Force center, called the Computer Emergency Response Team, was set up to run the software, track hackers, and let higher-ups know if a serious break-in was under way. From their cubicles in San Antonio, the team could look out on Air Force networks across the nation—or that was the idea, anyway.
The program faced bureaucratic obstacles from the start. On October 7, 1992, Robert Mueller, the assistant attorney general in charge of the Justice Department's criminal division, wrote a letter, warning that network monitoring might violate federal wiretapping laws. A device that monitored a network couldn't help but pick up the Internet traffic of some innocent civilians, too. Mueller noted that the practice might not be illegal: the wiretapping statutes were written before the age of computer hackers and viruses; no court had yet ruled on their present-day application. But pending such a ruling, Mueller wrote, all federal agencies using these techniques should post a “banner warning,” giving notice to “unauthorized intruders” that they were being monitored.
The Air Force officers in San Antonio ignored Mueller's letter: it wasn't a cease-and-desist order; and besides, warning hackers that they were being watched would destroy the whole point of a monitor.
One year later, Heberlein got a phone call from an official at the Justice Department. At first, he held his breath, wondering if at last the feds were coming to get him. To the contrary, it turned out, the department had recently installed his software, and the official had a technical question about one of its features. Justice had changed its tune, and adapted to the new world, very quickly. In a deep irony, Robert Mueller later became director of the FBI and relentlessly employed network-monitoring software to track down criminals and terrorists.
Still, back at the dawn of the new era, Mueller raised a legitimate question: Was it legal for the government to monitor a network that carried the communications not just of foreign bad guys but of ordinary Americans, too? The issue would raise its head again twenty years later, with greater passion and wider controversy, when an NSA contractor named Edward Snowden leaked a trove of ultrasecret documents detailing the agency's vast metadata program.
More daunting resistance to the network-monitoring software, in its beginnings, came from the Air Force itself. In October 1994, Minihan was transferred from Kelly to the Pentagon, where he assumed the post of Air Force intelligence chief. There, he pushed hard for wider adoption of the software, but progress was slow. Air Force computer servers had slightly more than a hundred points of entry to the Net; by the time he left the Pentagon, two years later, the computer teams back in San Antonio had received permission to monitor only twenty-six of them.
It wasn't just the monitors that Minihan had a hard time getting the top brass to accept; it was the very topic of computer security. He told three- and four-star generals about the plan to tie up the phone lines in Haiti, adding that his former teams in San Antonio were now devising similar operations against enemy computers. Nobody was interested. Most of the generals had risen through the ranks as pilots of fighter planes or bombers; to their way of thinking, the best way to disable a target was to drop a bomb on it. This business of hacking into computer links wasn't reliable and couldn't be measured; it reeked of “soft power.” General Colin Powell may have issued a memorandum on information warfare, but they weren't buying it.
Minihan's beloved Air Force was moving too slowly, and it was way ahead of the Army and Navy in this game. His frustration had two layers: he wanted the military—all three of the main services, as well as the Pentagon's civilian leadership—to know how good his guys were at hacking the adversaries' networks; and he wanted them to know how wide open their own networks were to hacking by the same adversaries.
As the new director of the NSA, he was determined to use the job to demonstrate just how good and how bad these things were.
Each year, the Pentagon's Joint Staff held an exercise called Eligible Receiver—a simulation or war game designed to highlight some threat or opportunity on the horizon. One recent exercise had focused on the danger of biological weapons. Minihan wanted the next one to test the vulnerability of the U.S. military's networks to a cyber attack. The most dramatic way to do this, he proposed, was to launch a real attack on those networks by a team of SIGINT specialists at the NSA.
Minihan got the idea from a military exercise, already in progress, involving the five English-speaking allies—the United States, Great Britain, Canada, Australia, and New Zealand—known in NSA circles as the “five eyes,” for their formal agreement to share ultrasecret intelligence. The point of the exercise was to test new command-control equipment, some of it still in research and development. As part of this test, an eight-man crew, called the Coalition Vulnerability Assessment Team, working out of the Defense Information Systems Agency in Arlington, Virginia, would try to hack into the equipment. Minihan was told that the hackers always succeeded.
The assessment team's director was an American civilian named Matt Devost, twenty-three years old, a recent graduate of St. Michael's College in Burlington, Vermont, where he'd studied international relations and computer science. In his early teens, Devost had been a recreational hacker, competing with his tech friends—all of whom had watched WarGames several times—to see who could hack into the servers of NASA and other quasi-military agencies. Now Devost was sitting in an office with several like-minded foreigners, hacking some of the most classified systems in the world, then briefing two- and three-star generals about their exploits—all in the name of bolstering American and allied defenses.
In the most recent coalition war game, Devost's team had shut down the command-control systems of three players—Canada, Australia, and New Zealand—and taken over the American commander's personal computer, sending him fake emails and false information, thus distorting his view of the battlefield and leading him to make bad decisions, which, in a real war, could have meant defeat.
The NSA had a similar group called the Red Team. It was part of the Information Assurance Directorate (formerly called the Information Security Directorate), the defensive side of the NSA, stationed in FANEX, the building out near Friendship Airport. During its most sensitive drills, the Red Team worked out of a chamber called The Pit, which was so secret that few people at NSA knew it existed, and even they couldn't enter without first passing through two combination-locked doors. In its workaday duties, the Red Team probed for vulnerabilities in new hardware or software that had been designed for the Defense Department, sometimes for the NSA itself.
These systems had to clear a high bar to be deemed secure enough for government purchase and installation. The Red Team's job was to test that bar.
Minihan's idea was to use the NSA Red Team in the same way that the five-eyes countries were using Devost's Coalition Vulnerability Assessment Team. But instead of putting it to work in a narrowly focused war game, Minihan wanted to expose the security gaps of the entire Department of Defense. He'd been trying for years to make the point to his fellow senior officers; now he wanted to hammer it home to the top officials in the Pentagon.
Bill Perry liked the idea. Still, it took Minihan a year to jump through the Pentagon bureaucracy's hoops. In particular, the general counsel needed convincing that it was legal to hack into military computers, even as part of an exercise to test their security. NSA lawyers pointed to a document called National Security Directive 42, signed by President George H. W. Bush in 1990 (as an update to Reagan's NSDD-145), which expressly allowed such tests, as long as the secretary of defense gave written consent. Secretary Perry signed the agreement form.
The lawyers placed just one restriction on the exercise: the NSA hackers couldn't attack American networks with any of their top secret SIGINT gear; they could use only commercially available equipment and software.
On February 16, 1997, General John Shalikashvili, the chairman of the Joint Chiefs of Staff, issued Instruction 3510.01, “No-Notice Interoperability Exercise (NIEX) Program,” authorizing and describing the scenario for Eligible Receiver.
The game laid out a three-phase scenario. In the first, North Korean and Iranian hackers (played by the NSA Red Team) would launch a coordinated attack on the critical infrastructures, especially the power grids and 911 emergency communication lines, of eight American cities—Los Angeles, Chicago, Detroit, Norfolk, St. Louis, Colorado Springs, Tampa, Fayetteville—and the island of Oahu, in Hawaii. (This phase was played as a tabletop game, premised on analyses of how easy it might be to disrupt the grid and overload the 911 lines.) The purpose of the attack, in the game's scenario, was to pressure American political leaders into lifting sanctions that they'd recently imposed on the two countries.
In the second part of the game, the hackers would launch a massive attack on the military's telephone, fax, and computer networks—first in U.S. Pacific Command, then in the Pentagon and other Defense Department facilities. The stated purpose was to disrupt America's command-control systems, to make it much harder for the generals to see what was going on and for the president to respond to threats with force. This phase would not be a simulation; the NSA Red Team would actually penetrate the networks.
For the three and a half months between the JCS chairman's authorization and the actual start of the game, the NSA Red Team prepared the attack, scoping the military's networks and protocols, figuring out which computers to hack, and how, for maximum effect.
The game, its preparation and playing, was carried out in total secrecy. General Shalikashvili had ordered a “no-notice exercise,” meaning that no one but those executing and monitoring the assault could know that an exercise was happening. Even inside the NSA, only the most senior officials, the Red Team itself, and the agency's lawyer—who had to approve every step the team was taking, then brief the Pentagon's general counsel and the attorney general—were let in on the secret.
At one point during the exercise, Richard Marshall, the NSA counsel, was approached by Thomas McDermott, deputy director of the agency's Information Assurance Directorate, which supervised the Red Team. McDermott informed Marshall that he was under investigation for espionage; someone on the security staff had noticed him coming in at odd hours and using the encrypted cell phone more than usual.
“You know why I'm here, right?” Marshall asked, a bit alarmed.
“Yes, of course,” McDermott said, assuring Marshall that he'd briefed one security officer on what was happening. Even that officer was instructed not to tell his colleagues, but instead to continue going through the motions of an investigation until the game was over.
Eligible Receiver 97 formally got under way on Monday, June 9. Two weeks had been set aside for the exercise to unfold, with provisions for a two-week extension if necessary. But the game was over—the entire defense establishment's network was penetrated—in four days. The National Military Command Center—the facility that would transmit orders from the president of the United States in wartime—was hacked on the game's first day. And most of the officers manning those servers didn't even know they'd been hacked.
The NSA Red Team steered clear of only one set of targets that it otherwise might have hacked: the two dozen Air Force servers that were monitored by the computer response team analysts in San Antonio. Figuring they'd be spotted if they broke through those networks, the hackers aimed their attacks elsewhere—and intruding elsewhere turned out to be absurdly easy.
Many defense computers, it turned out, weren't protected by a password. Others were protected by the lamest passwords, like “password” or “ABCDE” or “12345.” In some cases, the Red Team snipped all of an office's links except for a fax line, then flooded that line with call after call after call, shutting it down. In a few instances, NSA attachés—one inside the Pentagon, the other at a Pacific Command facility in Hawaii—went dumpster diving, riffling through trash cans and dumpsters, looking for passwords. This trick, too, bore fruit.
The team had the hardest time hacking into the server of the J-2, the Joint Staff's intelligence directorate. Finally, one of the team members simply called the J-2's office and said that he was with the Pentagon's IT department, that there were some technical problems, and that he needed to reset all the passwords.
The person answering the phone gave him the existing password without hesitating. The Red Team broke in.
In most of the systems they penetrated, the Red Team players simply left a marker—the digital equivalent of “Kilroy was here.” In some cases, though, they did much more: they intercepted and altered communications, sent false emails, deleted files, and reformatted hard drives. High-ranking officers who didn't know about the exercise found phone lines dead, messages sent but never received (or sent, but saying something completely different upon arrival), whole systems shut down or spitting out nonsense data. One officer who was subjected to this barrage sent his commander an email (which the Red Team intercepted), saying, “I don't trust my command-control.”