By William M. Arkin
Special to washingtonpost.com
Monday, March 29, 1999

On February 4, 1998, while the U.S. military was beginning a fourth week of preparations to bomb Iraq, hackers penetrated military computer networks via the Internet and gained "root" access to over 20 systems, where they downloaded passwords and installed "sniffers" and trap doors. In the arsenal of hacking, such tools can smooth the way for a cyber intruder to return to the scene of a crime later.

Air Force, Army and Navy sites detected the raids, which were given the code name Solar Sunrise. At MacDill Air Force Base in Tampa, Fla., U.S. Central Command (CENTCOM) had just tested a new Defensive Information Operations (DIO) plan in a mock military exercise called Internal Look 98 when it discovered the intrusion.

Gen. Anthony Zinni ordered the DIO plan into effect for real. The Air Force's 609th Information Warfare Squadron saw first combat, erecting a complex cyber intrusion detection system. Both CIA and the National Security Agency were called in to help.

Was this a prototype of the so-called "asymmetric" attack that many military planners feared in the post-Cold War era?

'War Games' for Real

Three weeks later, the affair emerged from the shadows. John Hamre, the deputy secretary of defense, revealed Solar Sunrise to reporters at a breakfast, calling it "the most organized and systematic attack the Pentagon has seen to date."

Within days, the homes of two teenage boys in Cloverdale, Calif., were raided by the FBI. A Canadian confederate was hunted down by the Royal Canadian Mounted Police. Finally, in March, 18-year-old Ehud Tenebaum was arrested by Israeli police.

"The United States will treat computer intrusions as serious crimes." – Attorney General Janet Reno

The arrests, Attorney General Janet Reno said, "should send a message to would-be computer hackers all over the world that the United States will treat computer intrusions as serious crimes."

It was an intense international manhunt involving cooperation from many governments and agencies, Internet Service Providers, intelligence agencies, and net security firms. Some made fun of the fact that a half dozen teens and not Saddam's computer legions were threatening America's chips of state. Yet as Clarke points out, "if two 14-year-olds could do that, think about what a determined foe could do?"

It probably didn't help matters that, despite Israeli law enforcement cooperation, Prime Minister Benjamin Netanyahu swelled like a proud father, calling Tenebaum "damn good."

Solar Sunrise quickly came to symbolize the information warfare warning that some day would precede an electronic Pearl Harbor for real.

Many in government saw the specter of crime, espionage, and war melding into one. A new Joint Task Force on Computer Network Defense quickly emerged to take charge of protecting military networks. In May, President Clinton signed a new directive on cyber terror, establishing an interagency National Information Protection Center. Homeland defense was reborn.

Still there was that simple question: Why hadn't the military bothered to effectively patch known vulnerabilities?

War Games that are not Real

Originally chartered by Congress to evaluate the interoperability of military information systems (that is, leveraging the information bonanza for military purposes), the board took a detour into information security, alarmed by what it saw in Defense Department practices and attitudes.

The report warns that the department is falling behind in a race to protect computer systems. The "gap" between rapid growth and protection "is growing wider over time," it says, leaving DOD "a likely target for disruption or pin-down via information attack."

In February, as Solar Sunrise was underway, board members by coincidence visited Eglin Air Force Base, also in Florida, and observed a far different culture and level of preparedness on the part of troops in the field. They were there to observe Blue Flag 98-2, an Air Force command post exercise with cyber-warfare "play."

The attackers won.

According to the report, the defensive cell was overwhelmed. In one example, the red team – the attackers – was able to surreptitiously download the air tasking order (ATO) before it was transmitted to forces.

The ATO is the day's flight schedule and bombing plan used throughout the military. One is prepared daily to direct all of the air operations over Serbia in operation Allied Force.

At one point, when told that their computer systems had been penetrated, technicians laughed. One reality was that there were NSA spooks working in support of the red team. But when it came to the defense, no NSA computer specialists were involved and the Air Force did not use NSA-supplied tools.

Defending against information attack is more critical and more difficult than conducting an information attack against an adversary.

"One critical aspect of improving information systems security is changing the DOD culture, especially within the uniformed military," the report observes. "With a culture that values the taking of the offensive in military operations, the military may well have difficulty in realizing that defending against information attack is more critical and more difficult than conducting an information attack against an adversary."

This and other site visits led the board to conclude "that DOD's words regarding the importance of information systems security have not been matched by comparable action."

Dr. Jon Eisenberg, one of the project scientists on the board, says that activation of the Computer Network Defense task force is certainly a step in the right direction for the Defense Department. There is certainly "more recognition in the senior leadership than there was in 1998," he concedes.

Yet Eisenberg believes that the main cultural observation about offense and defense remains. Institutions may be proliferating like mushrooms to deal with the information security problem. But until the culture changes, an electronic take-down of some unnamed future opponent remains the priority mission.