Washington, D.C., August 1, 2018 – An early classified Defense Department cybersecurity exercise named “Eligible Receiver 97” (ER97) featured a previously unpublicized series of mock terror attacks, hostage seizures, and special operations raids that went well beyond pure cyber activities in order to demonstrate the potential scope of threats to U.S. national security posed by attacks in the cyber domain, according to recently declassified documents and a National Security Agency (NSA) video posted today by the nongovernmental National Security Archive at The George Washington University.

“Joint Exercise Eligible Receiver 97”, run during the Clinton presidency, is frequently pointed to as a critical event in the United States’ appreciation of threats in cyber space. The exercise led directly to the formation of what would eventually become United States Cyber Command (USCYBERCOM) and informed key studies such as the formative Marsh Report on critical infrastructure protection. Despite the significance of ER97, however, very little is publicly known about the exercise itself.

ER97 involved an NSA Red Team playing the role of North Korean, Iranian and Cuban hostile forces whose putative aim was to attack critical infrastructure as well as military command-and-control capabilities to pressure the U.S. government into changing its policies toward those states. An interagency Blue Team was required to provide recommendations to personnel enacting defensive responses. Until now, only two phases out of three (infrastructure and command-and-control) had been publicly known. The video and documents posted today provide new details about the third phase involving kinetic attacks in the physical domain – i.e. more traditional terrorist assaults on civilian targets – which were built upon intelligence gathered through the Red Team’s successes.

-----------------------------------------------------------------------

Eligible Receiver 97

By Michael Martelle

Existing History

Joint Exercise Eligible Receiver 97 marks a critical moment in the evolution of American cyber policy. Over the course of the exercise an NSA Red Team using “off the shelf” equipment demonstrated the ability to compromise civilian infrastructure networks and succeeded in penetrating Department of Defense networks to the point of seriously degrading military command and control systems. Newly released documents now suggest that the exercise may have had a physical component in which the consequences of the Red Team's network exploitation would have manifested. The shocking results of the exercise led directly to the formation of what would eventually become United States Cyber Command (USCYBERCOM) and were briefed to the writers of the formative Marsh Report on critical infrastructure protection. Despite the significance of ER97, however, very little is publicly known about the exercise itself.

ER97 pitted an inter-agency Blue Team against an NSA Red Team playing the roles of North Korean, Iranian and even Cuban hostile forces whose putative aim was to attack critical infrastructure as well as military command-and-control capabilities as a way to pressure the U.S. government to change its policies toward those states. Until now, only two phases out of three (civilian infrastructure and military networks) had been publicly known. The video and documents posted today provide new details about a third phase involving kinetic attacks in the physical domain – i.e. more traditional assaults on civilian targets.

An overview of ER97 was made available in Fred Kaplan’s history of cyber war, Dark Territory, which dedicates a chapter to the event. Kaplan summarizes the exercise as follows:

“The game laid out a three-phase scenario. In the first, North Korean and Iranian hackers (played by the NSA Red Team) would launch a coordinated attack on the critical infrastructures, especially the power grids and 911 emergency communication lines, of eight American cities […] The purpose of the attack, in the game’s scenario, was to pressure American political leaders into lifting sanctions that they’d recently imposed on the two countries.

In the second part of the game, the hackers would launch a massive attack on the military’s telephone, fax, and computer networks – first in U.S. Pacific Command, then in the Pentagon and other Defense Department facilities. The stated purpose was to disrupt America’s command-control systems, to make it much harder for the generals to see what was going on and for the president to respond to threats with force.”

Kaplan’s account, which describes only two of three phases, suggests that a significant portion of the exercise was still unknown.

The Legacy of ER97 – Task Force to Combatant Command

ER97 was a shock to decisionmakers and forced changes in how the US conducted network operations. As Jason Healey’s history book A Fierce Domain describes, “at the time, the military responses to major cyber incidents were conducted by the Joint Staff Information Operations Response Cell, which fell under Campbell’s J-39.” ER97, and only months later the real-life SOLAR SUNRISE incident, indicated that this response mechanism was insufficient to deal with a high-tempo crisis. ER97 accelerated plans to implement a new Information Condition, or INFOCON, to mirror the more traditional Defense Condition, DEFCON, which would be raised to indicate a higher readiness level online.

ER97 also led the Department of Defense in December 1998 to stand up the first joint cyber command, the Joint Task Force – Computer Network Defense (JTF-CND), reporting directly to the Deputy Secretary of Defense and run by Campbell. A series of cyber-components were formed under Strategic Command (STRATCOM), and JTF-CND in turn was re-aligned as a component of STRATCOM when JTF-CND evolved into JTF-Computer Network Operations (JTF-CNO) and then JTF-Global Network Operations (JTF-GNO). These components were finally combined under CYBERCOM which in 2018 was elevated to a combatant command, on the same echelon as STRATCOM.

Declassifying ER97

ER97 has been a standing research priority of the Cyber Vault project and was the subject of several FOIA requests producing only a heavily redacted set of briefing slides (Document 1). A recent review of the Department of Defense’s FOIA reading room, however, revealed that another FOIA campaign had been more fruitful. Eight documents, including the briefing slides also obtained by The National Security Archive, had been declassified and are the basis of today’s posting. Cross referencing the FOIA case number against a Department of Defense FOIA log (itself a document obtained via FOIA) revealed the original requester to be none other than retired US Navy Captain Michael Sare, the head of the NSA Red Team in ER97. Sare, along with ER97 Red Team Chief Targeting Officer Keith Abernethy, has mounted a sustained campaign to drive the declassification of documents around the exercise.

Joining Sare and Abernethy in efforts to increase awareness of ER97 is retired General John “Soup” Campbell, the first commander of Joint Task Force Computer Network Defense (JTF-CND) which was formed in response to ER97 and evolved into USCYBERCOM. Campbell’s own efforts recently produced a redacted copy of the ER97 After Action Report (AAR) video containing edited interview footage of Sare and Abernethy. That these three individuals continue to push for the declassification of the ER97 story more than 20 years after the event speaks to its significance in the minds of those who participated. According to Abernethy, “My hope, and that of Capt. Sare, was to use it as a relevant case study for the masses regarding our cyber vulnerability. Unfortunately, politics and agendas have stymied most of those efforts.” Adds Sare, it is “surprising that full declassification has not occurred after over 20 years since ER97 completion.”

Nevertheless, the successes of Sare, Abernethy, and Campbell shine new light on a critical chapter in cyber history.

Familiar Concerns

These newly available sources echo several points from Kaplan’s account. Speaking in the AAR, Abernethy highlights the rapid penetration of networks by the Red Team using cyber tools commonly available on the internet and “off the shelf” equipment, saying “We had the Blue Team on the run by the third day of the actual exercise […] we only played about 30% of what we could have […] it could have been a lot worse” (6:05). The network penetration succeeded in “significantly affect[ing] the command and control capability of US forces” (7:10). It became apparent to defenders that the existing delegation of responsibilities complicated any US response. Observation reports submitted by Major General Byron of the US Marine Corps (Document 8) describe now-familiar concerns regarding the divide between military and law enforcement authorities in responding to ambiguous events.

Filling in Gaps

According to Kaplan’s account, two out of three “phases” of ER97 were exclusively concerned with computer network penetration of civilian infrastructure and military command and control. The new releases suggest that the exercise connected events in cyberspace to operations in physical domains.

This connection is suggested most clearly in the exercise’s event update slides (Document 7). These slides reveal that ER97 included a real-world hijacking-at-sea of the sea vessel MV National Pride by participants roleplaying as North Korean Special Operations Forces accompanied by Iranian personnel and mention a joint Iranian/North Korean terrorist campaign. The slides also include information on a US Department of Energy presence at the Yongbyon Nuclear Facility, though the significance of the site and US personnel within the exercise is unclear. The briefing also analyzes the possibility of a conventional surprise attack by North Korea, underscoring the political tension present in the exercise’s events.

A tasking order to the J-5, or joint planning officer, (Document 6) also references specific physical attacks which took place within the exercise. The document suggests attacks on two satellite tracking locations in Guam and Hawaii involving four civilian hostages are being coordinated with “over a dozen” cyber-attacks on civilian power systems as part of a multi-tiered campaign by Iran, North Korea, and Cuba.

Documents related to the formation and activation of the ER97 Crisis Action Team (Documents 2, 3, 4, 5) provide information on the staffing of the Blue Team. The personnel assigned to the team further outline the exercise’s scope beyond computer network defense. The CAT includes:

J-3 Operations Action Officer for the Special Operations Division

J-3 Operations Action Officer for Counter-Terrorism (J-34)

J-38 for Defense and Space Operations

Through these documents we now come to understand that, in addition to the infamous network penetration component, ER97 featured significant events in the physical realm. Terror attacks, hostage crises on US soil, satellite tracking, and special operations raids on civilian sea vessels were all occurring while Sare’s Red Team compromised Department of Defense command and control. It is not clear in what other ways the Blue Cell’s capacity to respond to physical attacks was impacted, but future research and declassification will reveal more about the in-exercise consequences of Sare and Abernethy’s Red Team operations.

Read the DOCUMENTS

Document 1

Joint Chiefs of Staff, "Eligible Receiver 97-1," June 1997. Unclassified.

These heavily-redacted briefing slides provide some information related to the Eligible Receiver exercise, including computer emergency response, intelligence agency involvement, and expectations of future activities.

New documents: