Nervous System: The Day the NSA Took Down the Military
In this month's look at the history of cybersecurity, David Kalat looks back at the '90s, when the NSA reminded the U.S. government just how vulnerable to intrusion its systems could be.
July 02, 2019 at 07:00 AM
With the aggressive pace of technological change and the onslaught of news regarding data breaches, cyber-attacks, and technological threats to privacy and security, it is easy to assume these are fundamentally new threats. The pace of technological change is slower than it feels, and many seemingly new categories of threats have actually been with us longer than we remember. Nervous System is a monthly blog that approaches issues of data privacy and cybersecurity from the context of history—to look to the past for clues about how to interpret the present and prepare for the future.
The world of cybersecurity has two enduring clichés. One is that the National Security Agency (NSA) is the ultimate Big Brother, a secretive and all-powerful eavesdropper that can invade any computer system at will. The other is that teenage hackers in their bedrooms are unstoppable forces of cyber intrusion. The general public has come to believe that no privacy protection can effectively keep either of them out.
The roots of these stereotypes are deep and complex, but in the late 1990s both clichés coincided to cement their hold on the public imagination. The one–two punch of “Eligible Receiver” in the summer of 1997 and the “Solar Sunrise” attack in early 1998 dealt humiliating blows to national security. Journalists like Fred Kaplan have written about how these two events influenced the defense establishment to improve cybersecurity policy. Alongside that positive response, however, was a less productive one.
Lt. General Kenneth Minihan became director of the NSA in early 1996. It was a period of calm after the Cold War and before the War on Terror. Minihan, though, knew an awful secret: The country's growing reliance on networked computer systems came at a terrible price—those systems were vulnerable to intrusion. Minihan felt frustrated that the mainstream defense establishment had dismissed his warnings as “Chicken Little” paranoia.
The problem was people. Users locked their computers with easily guessable passwords like “password” or “1234.” System administrators allowed known vulnerabilities to go unpatched. Businesses expected the government to attend to security concerns, while the government left businesses to protect themselves. Given the choice between taking proactive steps toward securing computer networks versus passing the buck and hoping for the best, people almost invariably opted for the cheapest, least demanding path.
Minihan decided the best way to get through to a complacent establishment was to shock it.
In the summer of 1997, Minihan deployed a classified wargame called “Eligible Receiver.” The first phase of the game was a tabletop simulation in which a “Red Team” of NSA agents played the roles of Iranian, North Korean, and Cuban cyber-attackers. A “Blue Team” of defenders from the CIA, Defense Intelligence Agency, FBI, Department of State, Department of Justice, Defense Information Systems Agency, and National Reconnaissance Office failed to prevent the Red Team from inflicting major—although simulated—damage on systems like 911 centers and power grids.
In the second phase, NSA agents set up operations in a remote warehouse with the express mission of actually disrupting the communications of the U.S. military's command and control systems. During Minihan's quest to get approval for the exercise, he had been informed that the NSA was bound by law not to use its specialized tools domestically. This meant the Red Team had to rely exclusively on “off-the-shelf” hacker tools found on the Internet. This limitation made what happened next that much scarier.
Minihan set aside two weeks for the exercise, but the Red Team penetrated the entire defense establishment network within four days. Had this been a real war, orders from the President of the United States would have been transmitted through a command center that the hackers breached on the first day.
In a third phase, the Red Team took actual hostages in Guam and Hawaii, and hijacked a marine vessel at sea. These real-world (albeit fake) crises were unfolding when the defense establishment was unable to send or receive messages with any reliability.
John Hamre, the newly appointed deputy secretary of defense, and the rest of the defense establishment had to admit that a handful of smart people armed with nothing more than an Internet connection had demonstrated the ability to cause havoc. It was a sobering realization; but it would have shaken the generals even more to have learned one fact Minihan kept to himself—during the exercise, his Red Team hackers had run across what appeared to be actual foreign spies rummaging around in the defense networks.
While the government sized up how to react, in early 1998 another round of attacks that came to be known as “Solar Sunrise” hit almost two dozen computer systems across the military. The common assumption was that Saddam Hussein was behind the attack. Iraq had just expelled the UN inspectors responsible for confirming he had not restarted his weapons programs; President Clinton had started preparing troops for possible deployment to the Persian Gulf; and then Solar Sunrise happened. It was easy to draw lines of connection between the events.
One of the NSA Red Team hackers, however, disagreed. Having planned a similar attack himself for a possible follow-up to Eligible Receiver, he knew what would have been possible. To him, the actual Solar Sunrise breach seemed meandering, disjointed, and almost pointless. If this was an actual Iraqi attack, it was a poor one.
In fact, the real culprits were teenage boys. Israeli forces arrested 19-year-old Ehud Tenenbaum, the alleged ringleader of the group. An FBI raid picked up two American accomplices, who were so young they would only be publicly identified by their hacker pseudonyms “Stimpy” and “Mac.” Tenenbaum pled guilty, but claimed he was only motivated to demonstrate that the systems were insecure and needed to be reinforced.
This was the sad truth of Eligible Receiver and Solar Sunrise. The hackers got as far as they did because the users had made it so easy. The NSA Red Team broke into the Joint Chiefs of Staff's intelligence directorate by simply calling the office, claiming to be from IT, and asking for passwords—not especially high-level espionage requiring extraordinary tools or skillsets. Tenenbaum's teenage hackers got into military computers because of a flaw in the Sun Microsystems Solaris operating system that Minihan had urged be fixed, but that no one had taken any steps to patch.
Modest steps on the part of computer users could have hindered or thwarted either attack. That lesson, though, perhaps cut too close to home. It was more comforting to indulge the illusion that our computers were threatened by unbeatable adversaries and hacking prodigies. The myth of the all-seeing NSA and teen geniuses absolved the victims of their role in the incidents.
David Kalat is Director, Global Investigations + Strategic Intelligence at Berkeley Research Group. David is a computer forensic investigator and e-discovery project manager. Disclaimer for commentary: The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.