U.S. Studies a New Threat: Cyber Attack
Washington Post Staff Writer
Sunday, May 24, 1998; Page A01
SAN ANTONIO -- It was early morning on the first Monday in February when analysts at the Air Force's national computer monitoring center here started seeing an unusual series of red warning flags pop up on their screens, indicating unauthorized intrusions into about half a dozen electronic networks around the country.
The analysts had become accustomed to spotting hundreds of suspicious entries a day into Air Force systems, but these were different. They followed a pattern. They appeared to be coming first from Harvard University, and later from other educational institutions in Utah and Texas, entering unclassified networks by exploiting a vulnerability in the Solaris operating system widely used at defense installations.
"We were seeing things we hadn't seen before," said Col. James C. Massaro, who commands the Air Force Information Warfare Center. "Normally, there wouldn't be any correlations right away, but these connections seemed to be going to the same places and using the same techniques."
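The pattern the San Antonio analysts picked out, connections from the same source networks using the same technique against several installations, is what a monitoring center does in code when it correlates alerts across sites rather than triaging each site's feed on its own. The following is an added illustration, not code from the article or from the Air Force center: it groups constructed alert records by source network and signature name, flags groups that touch more than one site, and then merges groups that share a technique and a target, as happened when the sources shifted from one university to others. The site names, signature labels, timestamps and addresses (RFC 5737 documentation ranges) are all made up.

```python
"""Cross-site correlation of intrusion alerts (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Alert:
    ts: str         # ISO-8601 timestamp of the alert
    site: str       # monitored installation that raised it
    src: str        # source IP observed by that site's sensor
    technique: str  # sensor signature name (hypothetical labels below)


def source_key(src: str, prefix: int = 24) -> str:
    """Collapse a source IP to its /prefix network so that several hosts on
    one campus or ISP block fall into the same group."""
    return str(ip_network(f"{src}/{prefix}", strict=False))


def correlate(alerts, min_sites=2):
    """Group alerts by (source network, technique) and keep the groups that
    touch at least min_sites distinct sites. A single site sees only its own
    slice; the multi-site view is what turns scattered alerts into a campaign."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(source_key(a.src), a.technique)].append(a)
    campaigns = []
    for (net, technique), members in groups.items():
        sites = sorted({m.site for m in members})
        if len(sites) < min_sites:
            continue
        campaigns.append({
            "source_net": net,
            "technique": technique,
            "sites": sites,
            "count": len(members),
            "first_seen": min(m.ts for m in members),
            "last_seen": max(m.ts for m in members),
        })
    # Widest campaigns first, earliest first among equals.
    campaigns.sort(key=lambda c: (-len(c["sites"]), c["first_seen"]))
    return campaigns


def merge_by_technique(campaigns):
    """Merge campaigns that use the same technique and overlap in targets,
    so a campaign that hops between source networks is reported once."""
    merged = []
    for c in campaigns:
        for m in merged:
            if m["technique"] == c["technique"] and set(m["sites"]) & set(c["sites"]):
                m["source_nets"] = sorted(set(m["source_nets"]) | {c["source_net"]})
                m["sites"] = sorted(set(m["sites"]) | set(c["sites"]))
                m["count"] += c["count"]
                break
        else:
            merged.append({"technique": c["technique"],
                           "source_nets": [c["source_net"]],
                           "sites": list(c["sites"]),
                           "count": c["count"]})
    return merged


# Constructed alert feed: single-site noise events plus a campaign that starts
# from one /24 and later continues from another against overlapping targets.
SAMPLE_ALERTS = [
    Alert("1998-02-02T06:01:00", "site-A", "192.0.2.10",     "exploit:solaris-remote"),
    Alert("1998-02-02T06:04:00", "site-B", "192.0.2.10",     "exploit:solaris-remote"),
    Alert("1998-02-02T06:09:00", "site-C", "192.0.2.17",     "exploit:solaris-remote"),
    Alert("1998-02-02T07:30:00", "site-A", "203.0.113.5",    "scan:portsweep"),
    Alert("1998-02-02T08:00:00", "site-D", "203.0.113.77",   "auth:failed-login"),
    Alert("1998-02-03T02:15:00", "site-B", "198.51.100.8",   "exploit:solaris-remote"),
    Alert("1998-02-03T02:20:00", "site-D", "198.51.100.8",   "exploit:solaris-remote"),
    Alert("1998-02-03T03:00:00", "site-C", "198.51.100.250", "scan:portsweep"),
]

if __name__ == "__main__":
    for c in correlate(SAMPLE_ALERTS):
        print(f"{c['source_net']:18} {c['technique']:24} sites={c['sites']} n={c['count']}")
    for m in merge_by_technique(correlate(SAMPLE_ALERTS)):
        print("merged:", m["technique"], m["source_nets"], m["sites"], m["count"])
```

Run stand-alone, the script reports the two source-network groups that hit more than one site and then a single merged campaign spanning both networks and all four sites; the port sweep and the failed login, each confined to one site, drop out. The /24 collapse is a deliberate choice: it groups neighbouring hosts at one institution, but a noisy shared block will also pull unrelated sources together, so a real deployment would tune the prefix per source type.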
The hackers turned out to be two 16-year-old high school students in Northern California, assisted by another teenager in Israel, according to U.S. officials. But for nearly a month they led defense and law enforcement authorities on their biggest cyber chase yet. Unsure where the attacks were originating or how many hackers were involved, Deputy Defense Secretary John J. Hamre notified President Clinton early in the search that the intrusions might be the first shots of a genuine cyber war, perhaps by Iraq as it faced a renewed threat of U.S. airstrikes.
As far as U.S. authorities have determined, the penetrations did not compromise national security, but the episode left the Pentagon badly shaken. And it added urgency to initiatives announced Friday by Clinton for raising the nation's defensive barriers and, for the first time, establishing a national policy for cyber security.
Despite numerous studies warning of the growing risk of cyber attack, Pentagon authorities acknowledge they were caught with their guard down in February. They lacked sufficient monitoring devices to detect intrusions on computer networks at military installations. They also had no plan for coordinating a response -- either among military branches or among federal agencies -- to a broad cyber assault.
Even after government investigators were able to determine that some kind of systematic electronic break-in was underway, legal restrictions on tracing through cyberspace slowed their pursuit of the hackers across multiple Internet service providers in the United States and abroad.
Many of these same problems had been underscored eight months earlier, during a first-of-its-kind exercise run by the Pentagon's Joint Staff. Teams from the National Security Agency, equipped with off-the-shelf computers and widely available hacker programs for stealing passwords and probing network vulnerabilities, demonstrated they could disrupt computer operations at major military commands and interrupt electrical power and emergency phone service in several U.S. cities.
Pentagon officials say the June exercise, followed by the real scare in February, constituted a one-two punch that has pushed them into bolstering the Pentagon's defenses against cyber attack. In an interview, Hamre said the military services have since been ordered to install many more intruder detection devices on their unclassified networks and set up centers, modeled on the one here that scans 110 Air Force sites, to provide round-the-clock, system-wide oversight.
Hamre said the Pentagon is establishing a permanent joint task force on cyber security and taking steps to improve the training of those who operate military computer systems. The Pentagon's classified networks already employ sophisticated safeguards and are not considered at risk, Hamre added.
As part of the broader government initiative outlined by Clinton, the FBI is expanding its computer crime center with representatives from the Pentagon and other departments to provide better coordination. And the Justice Department is drafting new guidelines to facilitate the surveillance and pursuit of hackers.
But while the government acts to protect its systems, experts say the commercial networks that control utilities, telephones, air traffic, banking and other critical economic sectors also remain vulnerable to the kinds of electronic attacks that could undermine national security. The concern is that by penetrating these systems, terrorists or hostile states would be able to deny essential services to whole sections of the country, sowing chaos and compromising military and law enforcement operations.
In devising the government's new cyber policy, Clinton opted against trying to prescribe computer protection measures for the private sector. Instead, he is counting on self-interest to propel companies into identifying their vulnerabilities, installing improved detection systems and entering information-sharing arrangements with other firms and government authorities.
Many details of the exercise, dubbed Eligible Receiver, remain closely held. But according to official sources, a group of 35 NSA specialists simulated a series of rolling power outages and 911 emergency phone overloads in Washington and a handful of other cities. They showed that large-scale blackouts could be caused by targeting computerized sensing and control devices known as Supervisory Control and Data Acquisition (SCADA) systems, which have become common substitutes for human monitors in operating electrical, oil, gas, transportation and water treatment systems.
In a second phase of the exercise that was not simulated, four NSA teams in different locations -- including one aboard ship in the Pacific -- attempted to break into unclassified systems at four regional military commands and the National Military Command Center in Washington. They gained supervisory-level access to 36 networks, putting them in position to alter data in critical files, interrupt e-mail messages and disrupt phone service.
"If you can get supervisory access, you basically have the run of the network," said a defense official familiar with the exercise. "You can lodge yourself anywhere you want, monitor what you want, divert attempts at detection and so on."
Senior Washington officials who participated in the exercise had little clue they were under widespread cyber attack.
"Coordination within the executive branch was fraught with confusion," the official said. "We found that within the Defense Department, we lacked the ability to integrate the picture well, and the rest of the government was not prepared at all to handle this. It was a fairly wrenching experience for us."
By their nature, experts say, unauthorized electronic intrusions can be difficult to detect. Hackers can disguise their probes. They also can cover their tracks by relaying their connections through a chain of intermediate systems at many Internet providers before zeroing in on their targets, so that each provider sees only the hop before it. Under current law, investigators need a court order to trace back beyond the most immediate Internet service provider.
This helps explain why U.S. defense and law enforcement authorities had trouble in February making sense for days of the unusual pattern of suspicious intrusions that showed up on the screens here at the Air Force Computer Emergency Response Team.
"We got a sense something was wrong, but we couldn't figure out where it was coming from," said a senior Air Force official in Washington involved in the search.
By the end of that first week, Pentagon officials discovered similar breaches at some Navy sites and concluded that a coordinated assault was underway. Pentagon leaders decided to mobilize in a way they never had against a cyber intrusion, setting up a special crisis cell on the Joint Staff for a search operation code-named Solar Sunrise.
Although the systems being hit were unclassified, they carried sensitive information on cargo shipments, payroll accounts, health records and a host of other administrative, logistical and personnel matters. Pentagon officials worried that by tampering with the data, the hackers could disrupt military operations, especially the U.S. force buildup then occurring in the Persian Gulf.
The weakness in the Solaris operating system that the intruders were exploiting was one that military administrators had been alerted about and told to patch the previous December. But many had failed to heed the warning.
As the attacks spread through multiple servers in the United States, as well as sites in the United Arab Emirates, Germany, France, Israel and Taiwan, U.S. investigators sought nine court orders to pursue the electronic trail.
Without alerting the hackers, investigators denied them access to new sites and steered them to ones already compromised, providing them essentially worthless downloads while the traces continued. The trail ended finally at a house in Cloverdale, Calif.
"Everything we learned in Eligible Receiver, we relearned in Solar Sunrise," Hamre said. "In big organizations, you learn things slowly. But there's nothing like a real-world experience to bring the lessons home."
© Copyright 1998 The Washington Post Company