Eligible Receiver


THE WASHINGTON TIMES
April 16, 1998
Bill Gertz

Computer hackers could disable military; System compromised in secret
exercise

Senior Pentagon leaders were stunned by a military exercise showing how
easy it is for hackers to cripple U.S. military and civilian computer
networks, according to new details of the secret exercise.

Using software obtained easily from hacker sites on the Internet, a group
of National Security Agency officials could have shut down the U.S.
electric-power grid within days and rendered impotent the
command-and-control elements of the U.S. Pacific Command, said officials
familiar with the war game, known as Eligible Receiver. 

"The attack was actually run in a two-week period and the results were
frightening," said a defense official involved in the game.  "This attack,
run by a set of people using standard Internet techniques, would have
basically shut down the command-and-control capability in the Pacific
theater for some considerable period of time." 

Pentagon spokesman Kenneth Bacon said, "Eligible Receiver was an important
and revealing exercise that taught us that we must be better organized to
deal with potential attacks against our computer systems and information
infrastructure." 

The secret exercise began last June after months of preparation by the NSA
computer specialists who, without warning, targeted computers used by U.S.
military forces in the Pacific and in the United States. 

The game was simple: Conduct information warfare attacks, or "infowar," on
the Pacific Command and ultimately force the United States to soften its
policies toward the crumbling communist regime in Pyongyang. The "hackers"
posed as paid surrogates for North Korea. 

The NSA "Red Team" of make-believe hackers showed how easy it is for
foreign nations to wreak electronic havoc using computers, modems and
software technology widely available on the darker regions of the
Internet: network-scanning software, intrusion tools and password-breaking
"log-in scripts." 

According to U.S. officials who took part in the exercise, within days the
team of 50 to 75 NSA officials had inflicted crippling damage. 

They broke into computer networks and gained access to the systems that
control the electrical power grid for the entire country. If they had
wanted to, the hackers could have disabled the grid, leaving the United
States in the dark. 

Groups of NSA hackers based in Hawaii and other parts of the United States
floated effortlessly through global cyberspace, breaking into unclassified
military computer networks in Hawaii, the headquarters of the U.S. Pacific
Command, as well as in Washington, Chicago, St. Louis and parts of
Colorado. 

"The attacks were not actually run against the infrastructure components
because we don't want to do things like shut down the power grid," said a
defense official involved in the exercise.  "But the referees were shown
the attacks and shown the structure of the power-grid control, and they
agreed, yeah, this attack would have shut down the power grid."

Knocking out the electrical power throughout the United States was just a
sideline for the NSA cyberwarriors. Their main target was the U.S. Pacific
Command, which is in charge of the 100,000 troops that would be called on
to deal with wars in Korea or China. 

"The most telling thing for the Department of Defense, when all was said
and done, is that basically for a two-week period the command-and-control
capability in the Pacific theater would have been denied by the 'infowar'
attacks, and that was the period of the exercise," the official said. 

The attackers also foiled virtually all efforts to trace them.  FBI agents
joined the Pentagon in trying to find the hackers, but for the most part
they failed. Only one of the several NSA groups, a unit based in the
United States, was uncovered. The rest operated without being located or
identified. 

The attackers breached the Pentagon's unclassified global computer network
using Internet service providers and dial-in connections that allowed them
to hop around the world. 

"It's a very, very difficult security environment when you go through
different hosts and different countries and then pop up on the doorstep of
Keesler Air Force Base [in Mississippi], and then go from there into
Cincpac," the official said, using the acronym for the Commander in Chief,
Pacific. 

The targets of the network attacks also made it easy. "They just were not
security-aware," said the official. 

A second official found that many military computers used the word
"password" for their confidential access word. 


[TRANSCRIPT]

DoD News Briefing

Thursday, April 16, 1998 - 1:30 p.m. (EDT)
Mr. Kenneth H. Bacon, ASD (PA)
----------------------------------------------------------------

[Snip...]

Q: Ken, could you give us a bit of a readout on this war game,
ELIGIBLE RECEIVER and what steps the Pentagon is taking to 
shore up computer security?
 
A: Sure. First is, ELIGIBLE RECEIVER is a game that was played 
by the Joint Staff last June. It tested our ability to deal with 
cyber attacks. It was directed only against our unclassified 
systems, not against classified systems, and it found that we 
have a lot of work to do to provide better security. We're not 
alone in this regard. Most businesses, many private institutions, 
many individuals have a lot of work to do in improving their 
ability to protect their computers and computer systems. But 
because of ELIGIBLE RECEIVER and the subsequent attack by hackers 
against unclassified computer networks earlier this year, 
John Hamre, the deputy secretary of defense, has launched a
number of initiatives to improve computer security in the 
Pentagon.

The first is, of course, something that we achieved by holding
ELIGIBLE RECEIVER, and in fact it was the point of ELIGIBLE 
RECEIVER which was to improve everybody's awareness of the 
threats posed to computer systems today. And ELIGIBLE RECEIVER 
I think succeeded beyond its planner's wildest dreams in 
elevating the awareness of threats to our computer systems.

Since then we've had a series of meetings with the Justice
Department, with the Vice President's office and other agencies
in the government to address, on a broad-scale basis, issues of
computer security. In this building in particular, we've
appointed a Chief Information Officer, Art Money, who's going
to become the Assistant Secretary of Defense for command,
control and communications. He's been nominated to do that.
He is in charge of being the main focal point for efforts
to improve computer security across the military.

This is a daunting prospect. We have in the Department of 
Defense 2.1 million computers, 100,000 local area networks, 
and more than 100 long-distance networks. Of course some of 
these are highly secure, and those are the ones that receive 
the most attention, but we've come to realize that we have 
to pay a lot of attention to just standard computer networks 
that transmit e-mail and other information such as payroll 
information, etc.
 
One of the things that Dr. Hamre did earlier this year was 
issue a memorandum directing that a number of actions be taken. 
One was, for instance, that every computer network in the 
Department of Defense has to have a named security officer, 
sort of a central point of contact to go to to deal with 
problems for that particular network.


There are a whole series of other efforts to develop better
ways for detecting attacks. We're putting a lot of effort
into better ways of detecting attacks against our computer 
systems. In the fiscal years 1999 to 2002, the Department 
of Defense will spend $3.6 billion to address computer 
security issues, so it's something we are devoting a lot 
of resources and a lot of time to, but we have a ways 
to go. I think we are making progress, and we will make 
progress at an accelerating rate as we grapple with the 
dimensions of this problem.

Q: Have there been any investigations on the apparent 
attempts to hack into the Special Operations Forces 
computer?

A: I'm not up to speed on that. We'll get somebody to 
look into that. I assume if we know of attempts to break 
into our computer systems we investigate them. That's one 
of the things we've talked about with the Justice Department.

One of the things we've looked at is ways to set up a better
counter-intelligence system for detecting attacks and for 
going after the people who are making the attacks. In addition, 
we're trying to do a much better job of staying in touch with 
our teenage children and others to learn the latest hacker 
techniques so we can be one step ahead of them rather than 
several steps behind. But as all of you know, that's easier 
said than done.
 
But there are a variety of efforts across a wide spectrum of 
issues that we're taking here to improve computer security. 
Obviously this is a moving train. We've got two problems. 
We've got to make the switches as we continue to pump 
increasing amounts of important information over the computer 
systems. That's the first thing. And we have to keep up with 
technology that's changing very rapidly.

Q: Do you agree with the assessment that this could have 
drastically impacted the electrical grid in the country, 
number one? Have they had mal-intent? And number two, 
why did they not attempt to go into the classified, or 
to penetrate the classified systems?

A: There are tests done on a fairly regular basis against
a number of the classified systems to make sure that they
are in fact secure. By virtue of the fact that they are 
secure they receive much more attention.

I guess I'd rather not make apocalyptic statements about the
electrical grid, but we did learn that computer hackers could 
have a dramatic impact on the nation's infrastructure, 
including the electrical power grid. That, of course, is why 
there's a whole commission set up to deal with that, the 
Commission on Critical Infrastructure.

One of the things that Deputy Secretary Hamre did back early 
this year when we were subject to attack by hackers, the 
unclassified systems, was talk to the President about this 
because the President and the Vice President are both very 
concerned about computer security and infrastructure stability 
generally.