UNCLASSIFIED

Exercise ELIGIBLE RECEIVER 97

CL BY: Brig Gen Bruce A Wright
REASON: 1.5(a)
DECL ON: 11 DEC 2006

ELIGIBLE RECEIVER Program

o ELIGIBLE RECEIVER
  - An exercise series
  - Directed by the Chairman of the Joint Chiefs of Staff
  - Designed to test DOD planning and crisis-action capabilities
o ELIGIBLE RECEIVER 97: Conducted 9-13 June 1997
  - First large-scale exercise designed to test our ability to respond to an attack on our information infrastructure
  - Also evaluated ability to work with other branches of government to respond to an attack on National Infrastructure

ELIGIBLE RECEIVER 97 revealed
  - Significant vulnerabilities in US Defense Information Systems
  - Deficiencies in responding to a coordinated attack on National infrastructure and information systems

ELIGIBLE RECEIVER 97 Participants

o Department of Defense
o The Joint Staff
o Military Services
o Combatant Commands
  - US Atlantic Command
  - US Pacific Command
  - US Space Command
  - US Special Operations Command
  - US Transportation Command
o National Security Agency
o Defense Information Systems Agency
o National Security Council
o Department of State
o Department of Justice
o Department of Transportation
o Defense Intelligence Agency
o Central Intelligence Agency
o Federal Bureau of Investigation
o National Reconnaissance Office

Attack Phases

o Phase I: National Infrastructure Attack (Simulated)
  - Against portions of national infrastructure (power and communications systems)
  - Designed to cause public pressure for action
  - Simulated, but based on assessed vulnerabilities
o Phase II: Defense Information Attack (Actual)
  - Targeted key Defense information systems
  - Actually intruded into many computer systems
  - Exploited actual vulnerabilities of our system

Power and Telecom Attack

Regional coordinated attacks
o Power systems
o Telephone 911 system

Simulated, but based on assessment of actual vulnerability

[Map: locations shown: Detroit, Chicago, Norfolk, Colorado Springs, St Louis, Los Angeles, Oahu, Fayetteville, Tampa]

o SCADA systems provided entry for simulated cyber attacks on power systems
o Overloading phone systems disrupted communications
o Public sources provided the knowledge

SCADA: Supervisory Control and Data Acquisition

Computer Network Attack Plan

PRIORITY TARGETS
o National Military Command Center
o Combatant Commands
  - Pacific Command
  - Space Command
  - Transportation Command
  - Special Ops Command
o Defense Logistics Agency

TYPES OF ATTACK
o Intruded into Computer Systems
o Denied Service
o Changed Data
o Removed Data
o Interrupted E-mail
o Disrupted phone service

All attacks used commonly available hacker tools

ELIGIBLE RECEIVER 97 - Key Observations

o Defense and National Information Infrastructures are highly interdependent
o National decision-making structure and coordination processes are unresponsive to speed of attacks
o No structure or process exists to coordinate DoD defense
  - No ability to interface with rest of US government, allies and private sector
o Indications and Warning process is inadequate
o Little capability exists to detect or assess cyber attacks
o Characterization and attribution of attacks is very difficult
o Many legal questions must be addressed
o Poor information operational security practices contributed to vulnerabilities

This is Not an Exercise

An Actual Attack on DOD Computer Systems occurred during February 1998

Code Name: SOLAR SUNRISE

SOLAR SUNRISE

o SOLAR SUNRISE incident occurred from 1 to 26 February 1998
  - DOD computer systems were systematically attacked
o Attack pattern indicative of preparation for a coordinated attack on Defense Information Infrastructure

SOLAR SUNRISE - Attack Profile

o Attacks targeted DOD network Domain Name Servers
o Exploited well-known vulnerability in Solaris Operating System
o Attack profile
  1. Probe to determine if vulnerability exists in server
  2. Exploit vulnerability to enter computer
  3. Implant program to gather data
  4. Return later to retrieve collected data
o Numerous attacks followed same profile

Further Indications of Activity

[Map: sites shown: Utah State, Notre Dame, Onizuka AFS, Channel Island ANG, Kirtland AFB, Okinawa, Fort Huachuca, Pearl Harbor, Harvard, MIT, Army Research Lab, Yale, Univ of MD, Shaw AFB, Columbus AFB, Gunter AFB, Maroon.com, Lackland AFB, Tyndall AFB, Andrews AFB, USNA, Univ of NC, NAVHOSP Charleston, CENTCOM, UAE. Legend: Origin, Probe, Compromise]

The Basis of Our Concern

o Attacks were widespread and appeared to be coordinated
o Attacks targeted key parts of defense networks
o Attackers attained many network passwords
o Could not characterize or attribute attacks
  - Potential connection with impending operations in Gulf
o Key support systems depend on unclassified network
  - Global Transportation System
  - Defense Finance System
  - Medical personnel logistics
  - Official unclassified e-mail

Characterization

o Important to establish intent
  - Worst-case: coordinated strategic attack
    o Coordinated with Gulf activities
    o Possible preparation for Information attack
  - Possible: terrorists, criminals
    o No intelligence information to support
  - Most likely: Hackers
    o Some characteristics of hacker games
    o No damaging exploitation of systems or data
o Forensic analysis helps but slow and resource-intensive

Attribution Challenges

Impossible to attribute intrusions
  - Multiple-node paths hide origin
  - Legal restrictions hindered search

[Diagram: nodes shown: Harvard, Andrews AFB, Cloverdale CA, Gunter AFB, College Station TX, UAE]

DOD Defensive Actions

o Increase DOD awareness, 24-hour watch
o Identify and patch systems at risk
o Install intrusion detection systems on key nodes
o Analyze data to assess attacks and develop leads
o Dispatch Emergency Response Teams to hottest sites to assist fixes
o Assess status of systems, fix and begin cleanup
o Form Red Team to reverse engineer attacks
o Plan for degradation/loss of network
o Share data with private sector
o Team with law enforcement agencies

SOLAR SUNRISE Summary

o Confirmed ELIGIBLE RECEIVER findings
  - Legal issues remain unresolved
  - No effective Indications and Warning system
  - Intrusion detection systems insufficient
  - DOD and Government organizational deficiencies hinder ability to react effectively
  - Characterization and attribution problems remain
o Need to establish standing response team
o Increased detection capability forces new choices
o High interest, high visibility issue
  - Increases pressure for a quick response

The ENEMY

o On 26 Feb FBI served warrants on the attackers: two 16-year-old boys in California
o Tools were only moderately sophisticated
o May have been tutored by foreign mentor

Note: On 18 March Israeli police in Jerusalem arrested "The Analyzer" for his role in DOD intrusions

o Hacker 1: "We did it for the power"

What can determined and sophisticated attackers do?

BACKUP

This document is from the holdings of:
The National Security Archive
Suite 701, Gelman Library, The George Washington University
2130 H Street NW, Washington, D.C. 20037
Phone: 202-994-7000, Fax: 202-994-7005, nsarchiv@gwu.edu