Today, nation-states hack each other with impunity. Whether interfering in elections or probing power grids, governments worldwide have embraced hacking as an integral part of statecraft.
But the US government was not always convinced about the national security risks posed by hacks against its own networks. “Cyber” security only became a central concern for the US government after it was hacked by an unlikely assailant: its own Department of Defense (DoD). Although much of the details about this hack are still shrouded in secrecy, this recently declassified video interview of some of the hackers who led the attack provides insight into how US “cyber” security became synonymous with US “national” security.
Back in the spring of 1997, a cadre of hackers from the ultra-secretive National Security Agency (NSA) was busy conducting reconnaissance for an attack against US government networks. Unbeknownst to much of the DoD, the NSA team had been authorized by high-ranking DoD officials to infiltrate military networks while posing as enemies and simulate attacks against civilian critical infrastructures––or, in the jargon of the NSA, to engage in a “no-notice interoperability exercise emphasizing realistic joint contingency operations.” The NSA hackers were given a few rules: to only use readily available off-the-shelf equipment and, above all, to keep the impending attack a secret from their colleagues. After months of preparations, on June 9th, 1997 they launched their assault.
After only four days, their mission was complete. They had compromised the DoD.
Following the exercise––codenamed Eligible Receiver 97 (ER97)––members of the NSA team were interviewed in the still redacted video excerpted above. Their vocabulary is bureaucratic and their tone is solemn. The Chief Targeting Officer notes that by the third day, they had military systems administrators “on the run,” despite having only deployed “about 30%” of possible attacks. The team successfully exfiltrated data and manipulated sensitive military systems. It also simulated how civilian communication networks could be brought down. In a separate and still classified operation, the team engaged in a mock hijacking of a ship. The exercise’s takeaway, the officer emphasizes, is that the attack “could have been a lot worse.” The team’s leader also reports that they came to “know quite clearly how to take the [DoD’s information infrastructure] down and how to attack the United States in an information warfare campaign”—and that potential enemies could exploit the same vulnerabilities.
The seemingly mundane video belies ER97’s lasting influence on US cybersecurity policy. To previously skeptical government officials, it demonstrated the vulnerability of the DoD and civilian critical infrastructures to potential hacks. After the exercise, the director of the NSA, who orchestrated the attack, briefed a Presidential commission on protecting critical infrastructure. The commission’s report––citing ER97, the destruction of Pearl Harbor, and the success of radars developed to detect Soviet missiles––spurred an ambitious government-wide intrusion detection system still used today. Following ER97’s completion, a series of high profile hacks like Solar Sunrise at last motivated other defense officials to sign on to the exercise’s overarching goal: the institutionalization and central control of cybersecurity responsibilities within the DoD.
The DoD, in turn, created the Joint Task Force-Computer Network Defense (JTF-CND), a team that ultimately evolved into a standalone combatant command within the DoD that conducts both offensive and defensive hacking operations worldwide today.
Since ER97, US cybersecurity policy has continued to be directed disproportionately by the concerns of secretive three-letter agencies. In response to real and simulated hacking attempts, these agencies have developed arsenals of hacking tools and have erected virtual walls in a putative attempt to “secure the nation.” But their notion that cybersecurity is synonymous with national security––the realm of spying and militarized defense––can be counterproductive to the public interest. It can overshadow the security needs of ordinary internet users plagued by hacks, leaks, and breaches. It risks neglecting that those unjustly targeted by state, corporate, and interpersonal surveillance also deserve cybersecurity.