Authors: Fred Kaplan
Dark Territory (10 page)
This was the ultimate goal of information warfare, and Eligible Receiver revealed that it was more feasible than anyone in the world of conventional warfare had imagined.
A few weeks after it was over, an Air Force brigadier general named John “Soup” Campbell put together a postmortem briefing on the exercise. Campbell, a former F-15 fighter pilot, had been transferred to the Pentagon just as Eligible Receiver was getting under way. His new job was head of J-39, a bureau inside the operations directorate of the Joint Staff that served as a liaison between the managers of ultrasecret weapons programs and the military's combatant commanders. The Joint Staff needed someone to serve as its point man on Eligible Receiver; Campbell got the assignment.
He delivered the briefing to a small group that included senior civilian officials and the vice chiefs of the Air Force, Navy, and Marines. (The Army had decided not to participate in the exercise: a few of its officers knew they were vulnerable but didn't want to expose themselves to embarrassment; most of them dismissed the topic as a waste of time.)
Campbell's message was stark: Eligible Receiver revealed that the Defense Department was completely unprepared and defenseless for a cyber attack. The NSA Red Team had penetrated its entire network. Only a few officers had grasped that an attack was going on, and they didn't know what to do about it; no guidelines had ever been issued, no chain of command drawn up. Only one person in the entire Department of Defense, a technical officer in a Marine unit in the Pacific, responded to the attack in an effective manner: seeing that something odd was happening with the computer server, he pulled it offline at his own initiative.
After Campbell's briefing, the chief of the NSA Red Team, a Navy captain named Michael Sare, made a presentation, and, in case anyone doubted Campbell's claims, he brought along records of the intrusionâphotos of password lists retrieved from dumpsters, tape recordings of phone calls in which officers blithely recited their passwords to strangers, and much more. (In the original draft of his brief, Sare noted that the team had also cracked the JCS chairman's password. Minihan, who read the draft in advance, told Sare to scratch that line. “No need to piss off a four-star,” he explained.)
Everyone in the room was stunned, not least John Hamre, who had been sworn in as deputy secretary of defense at the end of July. Before then, Hamre had been the Pentagon's comptroller, where he'd gone on a warpath to slash the military budget, especially the part secretly earmarked for the NSA. Through the 1980s, as a staffer for the Congressional Budget Office and the Senate Armed Services Committee, Hamre had grown to distrust the NSA: it was a dodgy outfit, way too covert, floating in the gray area between “military” and “intelligence” and evading the strictures on both. Hamre didn't know anything about information warfare, and he didn't care.
A few weeks before Eligible Receiver, as Hamre prepared for his promotion, Minihan had briefed him on the threats and opportunities of information warfare and on the need for a larger budget to exploit them. Hamre, numbed by the technical detail, had sighed and said, “Ken, you're giving me a headache.”
But now, listening to Campbell and Sare run down the results of Eligible Receiver, Hamre underwent a conversion, seized with a sense of urgency. Looking around the room of generals and colonels, he asked who was in charge of fixing this problem.
They all looked back at him. No one knew the answer. No one was in charge.
Around the same time, Ken Minihan delivered his own briefing on Eligible Receiver to the Marsh Commission. The panel, by now, had delved deeply into the fragile state of America's critical infrastructure. But the scenarios they'd studied were hypothetical and dealt with the vulnerability of
civilian
sectors; no one had ever launched an actual cyber attack, and most of the commissioners had assumed that the military's networks were secure. Minihan's briefing crushed their illusions on both counts: an NSA Red Team had launched an actual attack, and its effects were devastating.
Minihan did not reveal one episode of Eligible Receiver, an incident that only a few officials knew about: when the Red Team members were hacking into the networks as part of the exercise, they came across some strangersâtraceable to French Internet addressesâhacking into the network for real. In other words, foreign spies were already penetrating vital and vulnerable networks; the threat wasn't hypothetical.
Even without this tidbit, the commissioners were stunned. Marsh asked what could be done to fix the problem. Minihan replied, “Change the law, give me the power, I'll protect the nation.”
No one quite knew what he meant. Or, if he meant what they thought he meant, nobody took it seriously: nobody was going to revive Reagan's NSDD-145 or anything like it.
On October 13, the Marsh Commission published its report. Titled
Critical Foundations
,
it only briefly alluded to Eligible Receiver. Its recommendations focused mainly on the need for the government and private industry to share information and solve problems jointly. It said nothing about giving the NSA more money or power.
Four months later, another attack on defense networks occurredâsomething that looked like Eligible Receiver, but coming from real, unknown hackers in the real, outside world.
SOLAR SUNRISE, MOONLIGHT MAZE
O
N
February 3, 1998, the network monitors at the Air Force Information Warfare Center in San Antonio sounded the alarm: someone was hacking into a National Guard computer at Andrews Air Force Base on the outskirts of Washington, D.C.
Within twenty-four hours, the center's Computer Emergency Response Team, probing the networks more deeply, detected intrusions at three other bases. Tracing the hacker's moves, the team found that he'd broken into the network through an MIT computer server. Once inside the military sites, he installed a “packet sniffer,” which collected the directories of usernames and passwords, allowing him to roam the entire network. He then created a back door, which let him enter and exit the site at will, downloading, erasing, or distorting whatever data he wished.
The hacker was able to do all this because of a well-known vulnerability in a widely used UNIX operating system. The computer specialists in San Antonio had been warning senior officers of this
vulnerabilityâKen Minihan had personally repeated these warnings to generals in the Pentagonâbut no one paid attention.
When President Clinton signed the executive order on “Critical Infrastructure Protection,” back in July 1996, one consequence was the formation of the Marsh Commission, but anotherâless noticed at the timeâwas the creation of the Infrastructure Protection Task Force inside the Justice Department, to include personnel from the FBI, the Pentagon (the Joint Staff and the Defense Information Systems Agency), and, of course, the National Security Agency.
By February 6, three days after the intrusion at Andrews Air Force Base was spotted, this task force was on the case, with computer forensics handled by analysts at NSA, DISA, and a unit in the Joint Staff called the Information Operations Response Cell, which had been set up just a week earlier as a result of Eligible Receiver. They found that the hacker had exploited a specific vulnerability in the UNIX systems, known as Sun Solaris 2.4 and 2.6. And so, the task force code-named its investigation Solar Sunrise.
John Hamre, the deputy secretary of defense who'd seen the Eligible Receiver exercise eight months earlier as the wake-up call to a new kind of threat, now saw Solar Sunrise as the threat's fulfillment. Briefing President Clinton on the intrusion, Hamre warned that Solar Sunrise might be
“the first shots of a genuine cyber war,” adding that they may have been fired by Iraq.
It wasn't a half-baked suspicion. Saddam Hussein had recently expelled United Nations inspectors who'd been in Iraq for six years to ensure his compliance with the peace terms that ended Operation Desert Stormâespecially the clause that barred him from developing weapons of mass destruction. Many feared that Saddam's ouster of the inspectors was the prelude to resuming his WMD program. Clinton had ordered his generals to plan for military action; a second aircraft carrier was steaming to the Persian Gulf; American troops were prepared for possible deployment.
So when the Solar Sunrise hack expanded to more than a dozen military bases, it struck some, especially inside the Joint Staff, as a pattern. The targets included bases in Charleston, Norfolk, Dover, and Hawaiiâkey deployment centers for U.S. armed forces. Only unclassified servers were hacked, but some of the military's vital support elementsâtransportation, logistics, medical teams, and the defense finance systemâran on unclassified networks. If the hacker corrupted or shut down these networks, he could impede, maybe block, an American military response.
Then came another unsettling report: NSA and DISA forensics analysts traced the hacker's path to an address on Emirnet, an Internet service provider in the United Arab Emiratesâlending weight to fears that Saddam, or some proxy in the region, might be behind the attacks.
The FBI's national intelligence director sent a cable to all his field agents, citing
“concern that the intrusions may be related to current U.S. military actions in the Persian Gulf.” At Fort Meade, Ken Minihan came down firmer still, telling aides that the hacker seemed to be “a Middle Eastern entity.”
Some were skeptical. Neal Pollard, a young DISA consultant who'd studied cryptology and international relations in college, was planning a follow-on exercise to Eligible Receiver when Solar Sunrise, a real attack, took everyone by surprise. As the intrusions spread, Pollard downloaded the logs, drafted briefings, tried to figure out the hacker's intentionsâand, the more he examined the data, the more he doubted that this was the work of serious bad guys.
In the exercise that he'd been planning, a Red Team was going to penetrate an unclassified military network, find a way in to its classified network (which, Pollard knew from advance probing, wasn't very secure), hop on it, and crash it. By contrast, the Solar Sunrise hacker wasn't doing anything remotely as elaborate: this guy would poke around briefly in one unclassified system after another, then get
out, leaving behind no malware, no back door, nothing. And while some of the servers he attacked were precisely where a hacker would go to undermine the network of a military on the verge of deployment, most of the targets seemed selected at random, bearing no significance whatever.
Still, an international crisis was brewing, war might be in the offing; so worst-case assumptions came naturally. Whatever the hacker's identity or motive, his work was throwing commanders off balance. They remembered Eligible Receiver, when they didn't know they'd been hacked; the NSA Red Team had fed some of them false messages, which they'd assumed were real. This time around, they knew they were being hacked, and it wasn't a game. They didn't
detect
any damage, but how could they be
sure
? When they read a message or looked at a screen, could they trustâ
should
they trustâwhat they were seeing?
This was the desired effect of what Perry had called counter command-control warfare: just knowing that you'd been hacked, regardless of its tangible effects, was disorienting, disrupting.
Meanwhile, the Justice Department task force was tracking the hacker twenty-four hours a day. It was a laborious process. The hacker was hopping from one server to another to obscure his identity and origins; the NSA had to report all these hops to the FBI, which took a day or so to investigate each report. At this point, no one knew whether Emirnet, the Internet service provider in the United Arab Emirates, was the source of the attacks or simply one of several landing points along the hacker's hops.
Some analysts in the Joint Staff's new Information Operations Response Cell noticed one pattern in the intrusions: they all took place between six and eleven o'clock at night, East Coast time. The analysts calculated what time it might be where the hacker was working: he might, it turned out, be on the overnight shift in Baghdad or Moscow, or maybe the early morning shift in Beijing.
One possibility they didn't bother to consider: it was also after-school time in California.
By February 10, after just four days of sleuthing, the task force found the culprits. They weren't Iraqis or “Middle Eastern entities” of any tribe or nationality. They were a pair of sixteen-year-old boys in the San Francisco suburbs, malicious descendants of the Matthew Broderick character in
WarGames,
hacking the Net under the usernames Makaveli and Stimpy, who'd been competing with their friends to hack into the Pentagon the fastest.
In one day's time, FBI agents obtained authority from a judge to run a wiretap. They took the warrant to Sonic.net, the service provider the boys were using, and started tracking every keystroke the boys typed, from the instant they logged on through the phone line of Stimpy's parents. Physical surveillance teams confirmed that the boys were in the houseâeyewitness evidence of their involvement, in case a defense lawyer later claimed that the boys were blameless and that someone else must have hacked into their server.
Through the wiretap, the agents learned that the boys were getting help from an eighteen-year-old Israeli, an already notorious hacker named Ehud Tenenbaum, who called himself The Analyzer. All three teenagers were brazenâand stupid. The Analyzer was so confident in his prowess that, during an interview with an online forum called AntiOnline (which the FBI was monitoring), he gave a live demonstration of hacking into a military network. He also announced that he was training the two boys in California because he was
“going to retire” and needed successors. Makaveli gave an interview, too, explaining his own motive. “It's power, dude,” he typed out. “You know, power.”