A cyber wake-up call rings on after 18 years

By Blake Sobczak | 11/10/2015 07:34 AM EST

One summer long ago, a team of government hackers yanked the digital carpet out from under the U.S. military.

They flooded Department of Defense communications networks with traffic. They broke into computers, planted data-destroying software and cracked critical infrastructure systems. The results of the classified military exercise were so shocking that U.S. officials shared some take-aways publicly as a clarion call for action.

"The bottom line to all of this is that America’s infrastructure is wide open to disruption, increasingly connected to the Internet, and connected to a technology for which there is no embedded security," then-Deputy Secretary of Defense John Hamre told the Council on Foreign Relations nearly two decades ago.

Since then, the June 1997 "Eligible Receiver" exercise has grown into something of a cyber legend, marking an aha moment for U.S. military planners even as details of the operation remained secret. One scholar described the interagency war game as "a myth that functions even without proof," while others ridiculed the doomsday aura surrounding coverage of the event.

Eligible Receiver was based on an eye-opening premise, made all the more surprising because most participants had no advance notice of what was happening.

"The United States has experienced multiple electronic attacks on many power systems throughout the country (over a dozen during the last few days)," reads a tasking document from the Strategic Plans and Policy Directorate of the Joint Chiefs of Staff, obtained by EnergyWire through a Freedom of Information Act request. "There is a strong possibility that this is a coordinated, multi-tiered attack on the U.S., and that this attack may involve Iran, North Korea, and Cuba."

Eligible Receiver’s exact scenario may be less likely to play out today, given the recent thaw in tensions between the United States and Cuba. Yet both Iran and North Korea have been implicated in major cyberattacks on U.S. targets in recent years. The Obama administration blamed North Korea’s government for damaging Sony Pictures Entertainment’s networks in 2014, while private cybersecurity firms have traced computer breaches at power utilities and oil companies back to Iran-based hackers (EnergyWire, Dec. 4, 2014).

Other intrusions on critical infrastructure systems have been tied to actors based in Russia and China, although linking the attacks to those countries’ militaries is much harder.

Eligible Receiver highlighted many of these ambiguities with cyberwar.

"It is not easy to judge the threshold between a criminal act (terrorist, hacker, etc.) or a series of criminal acts, and a concerted attack on the security of the United States," noted Marine Corps Maj. Gen. Michael Byron in an observation report after the 1997 exercise. "This is important in deciding whether jurisdiction belongs to law enforcement agencies or the DOD."

Eighteen years later, senior defense officials are grappling with some of the same questions.

"The level of coordination was very poor during Eligible Receiver, and many people did not expect that," said Clay Wilson, a cybersecurity expert who studied the exercise for the Congressional Research Service in the 2000s. "It showed that traditional organizational structures are not well-suited for handling cybersecurity attacks — attacks are very rapid, and they’re becoming more and more secretive and quiet."

Wilson said exercises similar to Eligible Receiver "are probably happening more and more frequently" in military and infrastructure circles, although their details are closely guarded.

To this day, senior officials directly involved in the Eligible Receiver exercise declined comment to EnergyWire. The Department of Defense did not respond to requests for comment on some of the newly declassified material relating to the program.

Back to sleep

Eligible Receiver was, as one observer noted, the first time the U.S. military "got really screwed" in cyberspace, albeit only in a simulation. The exercise prompted Defense to appoint a chief information officer. It also presaged U.S. Strategic Command’s focus on cyber in the following decade, ultimately leading to the establishment of a unified Cyber Command under STRATCOM’s aegis.

The 1997 war game "was useful in the sense that it got a lot of people’s attention at the time who wouldn’t have otherwise paid attention" to cybersecurity vulnerabilities, said Herb Lin, a senior research scholar for cyber policy and security at Stanford University’s Center for International Security and Cooperation. "But the real question is whether the wake-up call has endured. Just because you have a very loud alarm clock doesn’t mean you won’t go back to sleep after a while."

Lin described a "flurry of activity" in the wake of the exercise, but before long, the U.S. military became bogged down in other priorities, not to mention two conventional wars. "There’s only so much attention that they can sustain, and of course the Department of Defense always has to deal with a hundred different problems, all of high priority, at the same time," Lin said.

Operating in the asymmetrical, unpredictable cyber arena is especially challenging for forces more accustomed to fighting in the air, on land and at sea, current and former leaders say.

"What do I do when my hacker may be in Russia, but the jumping-off point for their [attack] is in Malaysia and the actual attack happens in the United States?" said Rear Adm. Danelle Barrett, deputy director of current operations at U.S. Cyber Command, at a recent American Security Project event. "That becomes an infinitely more complicated problem, and one that several years ago we weren’t structured to deal with."

That problem becomes even more complex when considering how power utilities and other private entities may play into a future cyberwar. The U.S. military often relies on these outside networks, which, in turn, may use Internet-connected and potentially vulnerable supervisory control and data acquisition (SCADA) systems.

"We’re always worried about SCADA — our systems for controlling our water and our electricity, our national infrastructure, our critical infrastructure," Barrett said.

She pointed to a 2009 disaster at the Sayano-Shushenskaya hydroelectric plant in Russia that killed scores of people as the power station fell apart (Greenwire, Aug. 18, 2009). Workers prematurely brought a turbine online to compensate for a fire elsewhere and, when coupled with a computer glitch, ended up compounding the damage. While it was not a deliberate attack, "you could see how that [capability] could be used by an adversary, could be used against you," Barrett said.

The U.S. military has even considered rolling out cybersecure microgrids to lessen the risk of SCADA attacks on key installations (EnergyWire, Aug. 28).

Out of the loop

The Department of Defense has a stake in ensuring the reliability of the U.S. electric system. But the bulk of it is beyond military control.

"DOD really isn’t in the loop on domestic infrastructure," noted Richard Andres, a professor of national security strategy at the National War College.

Andres added that since Eligible Receiver, the government has "gotten a lot better at assigning responsibility" to different agencies for investigating and responding to cyberattacks.

For a catastrophic online attack on the power grid, the Department of Homeland Security, not Defense, would likely be first on the scene.

While such a threat would be unprecedented — "low probability relative to others, but high risk, high cost," as DHS Secretary Jeh Johnson put it last week — Homeland Security officials have a team of industrial cybersecurity experts on hand to help the private sector in the event of a major incident (EnergyWire, Oct. 15, 2014).

In its 2015 Cyber Strategy, the Department of Defense also raises the specter of such an event, noting that "a sophisticated actor could target an industrial control system (ICS) on a public utility to affect public safety." If a cyberattack causes widespread destruction or loss of life, the military has said it will step in. But DOD is careful to not cast itself as a cyber savior ready to blunt attacks before they spin out of control.

"The private sector owns and operates over ninety percent of all of the networks and infrastructure of cyberspace and is thus the first line of defense," DOD said in its latest Cyber Strategy, published in April (EnergyWire, April 27).

In other words, grid operators, at least initially, are on their own.

Red team, blue team

The power grid had a role to play in the first Eligible Receiver exercise, even if utilities didn’t get a seat at the table. A DOD spokesman said after the simulation that "we did learn that computer hackers could have a dramatic impact on the nation’s infrastructure, including the electrical power grid."

The war game pitted friendly "red team" hackers against "blue team" defenders. The few dozen National Security Agency attackers weren’t allowed to use any classified software or tools during their attack — just "off the shelf" equipment, according to multiple reports.

"Many exercises for the U.S. military to test readiness and combat ability do involve a cyber dimension," said Lin of Stanford. "But those exercises can be unrealistic, especially when they involve large numbers of people."

If the red team takes out the defenders too quickly or easily, Lin explained, often organizers will restart the exercise "tying one hand behind red’s back."

"Only when red cyber is not successful at shutting down the exercise does the exercise proceed," Lin observed. "Given that the military has many non-cyber training goals, that’s not an unreasonable thing to do."

But he added that a reader of any after-action report "could be excused if he or she did not appreciate the remarkable impact that red cyber could have had on the entire exercise."

Even in this potentially watered-down context for direct cyber training, it took months for the Defense Information Systems Agency, the combat support agency whose networks were targeted in the simulation, to fully restore its systems after the June exercise. NSA didn’t finish compiling the vulnerabilities it found in DISA’s computers until August, according to FOIA documents, which also point to involvement from the FBI, the CIA, the Defense Intelligence Agency and a smattering of other agencies.

The Eligible Receiver assessment told of "cumulative, increasingly more violent and potentially more dangerous" information warfare strikes that would be "capable of large-scale civil and military disruptions."

It was a clear warning, first sounded more than 18 years ago. But it’s not clear how well it’s been heeded.

"If Eligible Receiver had resulted in permanent changes to the operating attitudes, culture and so on, it would have been a really good thing to do, it would have had much more effect," Lin said. "But in fact, what’s happened is that cyber has just sort of gone up and down in importance depending on what the latest story was."