Since the early 1990s, the U.S. Department of Defense has been worried about the threat posed to its myriad computer systems by malicious outside intrusion. Since 1995, DoD systems have been regularly attacked, up to 250,000 times a year, and only about one of every 50 attacks is detected and reported. This primer lays out the progress of the Defense Department’s response to the threat to its information networks.
The Defense Department established its first unit to combat cyber threats in 1998. The primary motivation for the establishment of the initial unit, then known as Joint Task Force-Computer Network Defense, in late 1998, was a series of exercises and real events that demonstrated to DoD that a fresh approach to the problem was necessary. Two principal factors were: Exercise Eligible Receiver 97, in which National Security Agency (NSA) personnel inflicted, in simulation, a large amount of damage upon defense networks; and, a computer hacking attack at first feared to be the work of Iraqi agents during a confrontation with Iraq in the Middle East in late 1998. Exercises such as U.S. Atlantic Command’s Evident Surprise also contributed to the increasing awareness of many systems’ vulnerability.
Directed by the chairman of the Joint Chiefs of Staff and run from June 9-13, 1997, Eligible Receiver 97 was the first large-scale, no-warning military field exercise crafted to test the ability of the United States to respond to an attack on both U.S. military and civilian information infrastructure. The exercise involved simulated attacks against components of the civilian infrastructure, such as power and communications companies, and an actual "opposing force" attack against key defense information systems at the Pentagon, the Joint Staff, the Defense and Central Intelligence Agencies, other supporting agencies, and in the unified combatant commands.
The vulnerabilities exploited were common ones, such as bad or easily guessed passwords, operating system deficiencies, improper system configuration control, inadequate user awareness of operational security, sensitive site-related details posted on publicly accessible Internet pages, and poor operator training. The opposing force team, drawn from the National Security Agency (NSA), was given no inside information, but was still able to inflict considerable simulated damage, partly because of its extensive preliminary electronic reconnaissance of target agencies and sites prior to the attacks.
Several months later, from Feb. 1-26, 1998, a number of computer attacks were detected that appeared to be originating from, amongst other places, the Middle East. At least 11 attacks were launched on a number of Navy, Marine Corps, and Air Force computers worldwide, primarily focusing on denial of service. The attacks exploited a well-known vulnerability in the Solaris operating system, for which a patch had been available for months at the time. As the attacks were launched while the U.S. military was preparing for possible combat missions against Iraq, there was much concern, and an interagency investigation, named ‘Solar Sunrise,’ was initiated. The Air Force, Navy, Army, NASA, the NSA, the Department of Justice, the CIA and FBI were all involved in the investigation. Given the circumstances, numerous court orders were issued quickly, and it was found that the culprits were two California teenagers and an 18-year-old Israeli mentor. Despite the fact that none of the systems involved were classified, the security breaches could have been used to disrupt DoD information flow in a possible Middle East war, and consequently, the investigation was one of the largest ever conducted in the United States.
Due to the high prominence of the ‘Solar Sunrise’ attacks and the previous experience during Eligible Receiver 97, the Defense Department moved relatively quickly to take a number of defensive measures. They included:
- Increasing situational awareness via a 24-hour watch center.
- Installing intrusion detection systems on key system nodes.
- Expanding computer emergency response teams to perform alerts, critical triage, and repair.
- Developing contingency plans to mitigate the degradation or loss of networks.
- Improving DoD’s ability to analyze data rapidly and assess attacks.
- Improving links with the FBI’s National Infrastructure Protection Center and other law enforcement agencies.
The operational response issue was specifically addressed by the formation of the Joint Task Force-Computer Network Defense (JTF-CND), activated on Dec. 30, 1998. After six months, it achieved full operational capability in June 1999. JTF-CND was assigned to U.S. Space Command in October 1999 as Space Command was assuming the Pentagon’s computer network defense mission. The JTF-CND is located in Arlington, Va., alongside the Defense Information Systems Agency’s Global Network Operations and Security Center. It incorporates the DoD’s Computer Emergency Response Team (CERT), and the four service Computer Emergency Response Teams. Three of the four CERTs are stationed in the Washington area. The original nucleus of the JTF-CND consisted of approximately 40 uniformed and civilian personnel including intelligence specialists, DoD law enforcement personnel, and counter-intelligence special agents focusing on computer-related criminal activity. Mid-2001 congressional testimony indicated that the JTF-CND is now set to grow to about 144 personnel.
A year after the JTF-CND was assigned to Space Command, Space Command gained the computer network attack - offensive information warfare - mission; and, on April 2, 2001, the unit was re-designated the Joint Task Force Computer Network Operations to reflect the fact that it was to perform that mission as well. More importantly for its cyber-defense mission, the revised unit has embarked on building relations with other involved agencies, such as the National Infrastructure Protection Center (which is now proposed to become part of the Homeland Security Department); and, the National Communications System, a confederation of 22 federal agencies and departments tasked with ensuring the availability of a safe and viable telecommunications infrastructure.
Indeed, the Joint Task Force’s defense computer security mission will rest to some extent on the linkages it establishes with other government agencies and private companies facing the same situation.
The Defense Department continues to be faced with computer infiltration difficulties beyond the scope of routine computer viruses and relatively unsophisticated hacker attacks. Most publicized was an apparent incursion from Russia in 1999, whose investigation codename was Moonlight Maze. It seemed to originate from the Russian Academy of Sciences. This attack, in concert with others, helped spur the development of automated intrusion detection systems, which have made a huge difference in DoD’s ability to detect and respond to cyber incursions.
Further advanced work is now in progress within the NSA to identify an intruder even before he/she enters a DoD system. Many of today’s problems - there were 14,500 attacks in 2001, of which 70 made it into DoD computers and three caused damage - result from system administrators who do not install routine patches. The three attacks that caused problems in 2001 were the same as those that damaged private computer networks at the same time.
While DoD seems to be making progress in its cyber defenses, much work remains to be done to educate users and systems administrators alike, as well as to stay ahead of the ever-creative hackers.