Washington D.C., February 15, 2021 - Since our last posting about exercise Eligible Receiver 97-1, the Cyber Vault project has continued its efforts to unearth more documents and information about the secretive exercise that was so formative in shaping the U.S. information operations environment. Through Freedom of Information Act requests to various agencies, we are now able to share two more documents about, in the words of one senior DOD official, “the most interesting, informative, and challenging exercise we have seen in a long, long time” [Document 1, p. 4].
The continuing relevance of these materials has been demonstrated dramatically in the wake of the recent SolarWinds breach, which has shown that both government and private sector computer defenses in the United States remain dangerously vulnerable to outside attack.
Document 1 is the Exercise Eligible Receiver 97-1 (ER97-1) Final Observation Report, which is referenced in a previously released document (Joint Chiefs of Staff, “Eligible Receiver 97-1,” 1997, p. 23, slide 2). Although the Final Observation Report is heavily redacted (the Archive is pursuing a re-review for further declassification), the Table of Contents alone demonstrates the tremendous scope and impact of the issues raised by ER97-1. The Executive Summary notes, “a comprehensive listing of the actions taken to correct the deficiencies uncovered in ER97 is beyond the scope of this observation report. However, the Joint Staff Deputy Director for Operations-Information (sic) Operations (J-39) will be identified as the lead office in developing this action plan in coordination with J-2 [Director for Intelligence] and J-6 [Director for Command, Control, Communications, and Computer Systems]” [p. 4]. The observation report also affirms that while all ER97-1 objectives were achieved, the assessment is limited to DOD objectives, as “other participants (sic) objectives were not assessed by the Joint Staff observation team” [p. 13].
The next several sections of this posting cover topics of particular interest that appear in selected chapters of the final report (Document 1), starting with Chapter II. The final section of the posting deals with Document 2, a brief memo relating to the objectives of the National Reconnaissance Office in Eligible Receiver 97.
Chapter II: Awareness and Understanding
The discussion section in Chapter II notes that during the simulation “several critical infrastructures were attacked, particularly power systems and DOD computer systems” [p. 20]. There seems to have been a lack of clarity around the role of the military in critical infrastructure protection, particularly when the infrastructure is privately held, as well as the roles of other agencies. In order to understand the “various agency responsibilities and capabilities and how to coordinate unity of effort” to protect critical infrastructure, the report makes such superficial recommendations as:
(a) The DOD role in the protection of critical infrastructure, including the private sector, should be determined.
(b) The role of industry in developing infrastructure protection responsibilities and procedures should be determined.
(c) When to involve State, local, and private-sector officials, both during and after infrastructure attacks, should be determined.
(d) A decision support structure to provide unity of effort in dealing with infrastructure attacks should be established.
(e) The Department of Defense and other Government agencies should continue to conduct exercises in national infrastructure protection. [p. 20]
The report also addresses vulnerabilities that arose from poor adherence to basic information security practices, noting that the “red team was able to take advantage of system security vulnerabilities that should have been closed by either properly trained users or system administrators.” Examples of these vulnerabilities included “simple passwords, improper configuration of system networks, and operation security (OPSEC) of particular system Internet protocol (IP) names” [p. 20].
Chapter III: Policy Issues
While much of Chapter III is redacted, the unredacted portions speak to conflicting perceptions over who had authority over different domains or nodes, particularly within the Defense Information Infrastructure (DII). An example of such conflict and confusion is provided: “In ER97-1, there was nearly a situation with a commander in chief (CINC) saying block it and the Global Operations and Security Center (GOSC) saying leave it open for a router suspected of being penetrated” [p. 23].
Chapter IV: Interagency Coordination Issues
Given that ER97-1 was an interagency exercise, it is unsurprising that coordination and understanding between agencies proved something of a stumbling block. ER97-1 provides a clear example of a constraint that cyber defenders continue to face more than 20 years later, asserting that “jurisdiction for defending against information operations depends on the identity and location of the perpetrators” [p. 26].
Additionally, ER97-1 highlighted the conflicting priorities of the different agencies involved:
The Department of Defense and DOJ had conflicting goals regarding captured individuals and equipment. The DOD idea was a quick preliminary intelligence assessment of any captured material. DOJ and the DEST [Domestic Emergency Support Team] configuration were oriented toward evidence and prosecution, not on-scene IO intelligence [pp. 27-28].
The exercise also seems to have involved the recovery of a disk, which required notional relocation from Guam to Washington, DC for analysis. Again, conflicting priorities between the DOD and DOJ came into play:
The notional modification to the DEST was insufficient to permit on-site review of the disk. The disk had to be notionally transported to Washington, DC for analysis and evidence (needs of the FBI) but did not satisfy the DOD need for on-sight (sic) analysis for intelligence purposes. Local technical resources in Guam were also insufficient, thus necessitating sending the evidence to the FBI laboratory in Washington [p. 28].
One incident in particular illustrates the agencies’ unfamiliarity with one another’s processes and procedures, as well as a failure to share necessary information across agency lines:
From a legal perspective, the Department of Justice (DOJ) was proactive in obtaining court orders in Guam to allow for communication intercepts from the ship [likely the “hijacked” ship, National Pride]. Unbeknownst to DOJ, the military was already intercepting International Maritime Satellite (INMARSAT) communications and had the information that DOJ was trying to obtain [p. 27].
While the high level of redaction both before and after the recounting of this incident provides few clues as to its context in the report, the DOD does label the account as an example of needed “Legal Requirements Awareness.”
Chapter VII: Intelligence Support Issues
The observation report dedicates five pages to observed intelligence support issues, and the majority of that text is unfortunately redacted. However, one important issue that does survive in the unredacted text is the impact of the shortage of properly trained and cleared technical staff across agencies. The report emphasizes that “the NMJIC [National Military Joint Intelligence Center] found the exchange of LNOs [liaison officers] to be invaluable in interpreting information, facilitating the exchange of information, and providing technical advice;” furthermore, the use of LNOs is described as a “time-honored, comfortable, and effective method” to facilitate interagency coordination during a crisis. However, despite the NMJIC’s approval of the practice, “DISA [Defense Information Systems Agency] was particularly hit hard with requests for LNOs. Each request essentially cut into the available technical staff used for event analysis” [p. 48]. The report stresses how critical this staffing problem is, particularly in the electronic/information operations space, noting, “agencies and staffs have experienced dramatic downsizing in recent years. The pool of available technically competent manpower has decreased at the same time our electronic data management capability has increased” [p. 48].
Chapter XI: Other Observations
Chapter XI begins by noting the historic nature of Eligible Receiver 97-1, namely that U.S. forces and agencies were far from prepared to engage in a cyber war:
This exercise was the first serious cyber war for most in the Department of Defense and the Government Interagency Community. Unlike most exercises that are designed to train and also to evaluate established plans, policies, and procedures, this exercise clearly demonstrated that information operations (IO) plans, policies, and procedures are still very much in the formative stage of development [p. 59].
Chapter XI also provides a largely unredacted summary of questions and concerns raised by ER97-1 participants, which range in scope from the coordination of a review of the deficiencies of intrusion detection programs, to distinguishing between “widespread criminal activity and a coordinated strategic attack against the United States” [p. 60]. The report writers emphasize the critical importance of these questions, as well as the need to document and preserve “the essence of uncertainty” experienced by participants, an awareness of ambiguities perhaps first stirred by this exercise and an enduring element of the cyber domain ever since:
… the most notable observation from this exercise was that it raised more questions than it answered. People know what needs to be done; however, who or what organization should do it? How do we detect intrusions? Who reports to whom and in what format is it reported? … Some questions reflect a lack of policy or lack of knowledge of the existing policy or the implementing procedures; and some questions reflect contradictions within and among agencies [p. 59].
Advent of INFOCON
In Part I of the Archive’s assessment of ER97-1 documents, Michael Martelle noted, “ER97 accelerated plans to implement a new Information Condition, or INFOCON, to mirror the more traditional Defense Condition, DEFCON, which would be raised to indicate a higher readiness level online.” The Final Observation Report also speaks to the inadequacy of existing mechanisms to address a rapidly evolving crisis in the information operations space, noting, “there was no evidence of coordination of defensive Information Operations to parallel Defense Readiness Conditions (DEFCONS) or Threat Conditions (THREATCONS)” [p. 38]. At least one exercise participant asked, “Is there any correlation between [DEFCONs and IO THREATCONs]?” [p. 63], and six months later the Joint Staff concluded, “No approved IO THREATCONs exist” [p. 38].
Agency Objectives: National Reconnaissance Office (NRO)
In Annex A of the Final Observation Report [p. 74], the individual non-DOD agency objectives for ER97 are listed but are unfortunately redacted. However, a separate document uncovered through a National Security Archive FOIA request speaks to the objectives of the National Reconnaissance Office. Document 2, below, “Eligible Receiver 97: NRO Objective,” reveals that the NRO’s primary objective in the exercise was to “determine the ability of the NRO to recover from an interruption to national systems data flow.” It also identifies sub-goals, including the evaluation of “the ability of NRO personnel to … identify the interruption as intentional,” and to “exercise recovery procedures (work-arounds, alternate paths).” This one-page memo and the 76-page Final Observation Report are both available below.