Daniel Verton, U.S. 'military', (b. do not know)

Writer for, or was writer for, Computerworld, in Washington, D.C. 2003 winner of the Jesse H, Neal National Business Journalism Award.

Terror on a Wire: The Internet as Weapon

In summer 1997, the U.S. Joint Chiefs of Staff organized what is known as a “no-notice” exercise that would test the Pentagon’s ability to detect and defend against a coordinated cyber-attack against various military installations and critical computer networks. It would involve dozens of world-class computer hackers and last for more than a week. The Joint Chiefs gave the highly classified exercise the codename “Eligible Receiver.” The operational details of how the “Red Team” of pretend-hackers would carry out their attacks were left to the senior officials of…. ….National Security Agency.

Prior to launching their attacks on June 9, officials briefed the team of 35 NSA computer hackers on the ground rules. They were told in no uncertain terms that they were allowed to use only software tools and other hacking utilities that could be downloaded freely from the Internet through any one of the hundreds and possibly thousands of hacker Web sites. In other words, the Pentagon’s own arsenal of secret offensive information warfare tools, which the NSA certainly had, could not be used. And while they were allowed to penetrate various Pentagon networks, the Red Team was prohibited from breaking any U.S. laws.

The primary target of the exercise was the U.S. Pacific Command in Hawaii, which is responsible for all military contingencies and operations conducted in the Pacific theatre, including the tension-racked Korean Peninsula. Other targets included the National Military Command Center (NMCC) in the Pentagon, the U.S. Space Command in Colorado, the heart of the Pentagon’s logistic operation at the U.S. Transportation Command in Ohio, and the Special Operations Command in Tampa, Florida.

Posing as hackers hired by the North Korean intelligence service, the NSA Red Team dispersed around the country and began digging their way into military networks. They floated through cyberspace with ease, mapping networks and logging passwords gained through brute force cracking and the more subtle tactic of social engineering – sometimes it was just easier to call somebody on the telephone, pretend to be a technician or high-ranking official, and ask for their password to the network. The team gained unfettered access to dozens of critical Pentagon computer systems. With that level of access, they were free to create legitimate user accounts for other hackers, delete accounts belonging to authorized officials, reformat the server hard drives and scramble the data, or simply shut the systems down. They were able to break through the paltry network defences with ease, after which they could conduct denial of service attacks, read or make minor changes to sensitive e-mail messages, and disrupt telephone services. And they did so without being traced or identified.

The results of the exercise stunned all who were involved, including the senior NSA officials responsible for running it. The bottom line was that the NSA Red Team, using hacking tools that were available to anybody on the Internet, could have crippled the U.S. military’s command and control system for the entire Pacific theater of operations. From the military perspective, that alone was a nightmare. But it soon became clear that the exercise had revealed much broader vulnerabilities that could have catastrophic implications for the rest of the U.S. national infrastructure.

The Internet is, of should be, a library and post office, not a revolutionary means of the nomenklatura.

Does the NMCC truly spell 'center' that way Daniel? ;)