An army of tech-savvy warriors has been fighting its battles in cyberspace

By Ellen Nakashima

Washington Post Staff Writer

Thursday, September 23, 2010; 3:58 PM



They were Air Force fighter pilots, Army rangers and Marine tank commanders. There was even a Navy fighter jet radar officer who had been taken prisoner during the Persian Gulf War.

Warriors all.

But in 1998 they fought in a different realm - their weapons bits and bytes, their foxholes temperature-controlled computer operations rooms. In the new battleground of cyberspace, they battled shadowy foes whose computer attacks were given names like Moonlight Maze and Titan Rain.

These were the men and women of the Joint Task Force Computer Network Defense, 24 tech-savvy war fighters who were part of the pioneering group tasked with protecting the Pentagon's computer networks - vital for everything from directing troop movements to passing intelligence to issuing commands to fire missiles.

To the surprise and approval of the group's first leaders, the task force has not only endured, it has evolved into what is today the U.S. Cyber Command, arguably the world's most potent computer network fighting force.

The recently launched Cyber Command is much larger, with about 1,000 personnel, and with authority not only to defend, but to attack adversaries. It will leverage the abilities of the National Security Agency to penetrate foreign networks and spy on targets.

But one thing remains constant, the veterans say: In the world of defending military networks, it takes fighters - not merely techies - to do the job.

"It was supposed to be a war fighter unit, not a geek unit," said task force veteran Jason Healey, who had served as an Air Force signals intelligence officer.

A fighter would understand, for instance, if an enemy had penetrated the networks and changed coordinates or target times, said Dusty Rhoads, a retired Air Force colonel and former F-117 pilot who recruited the original task force members. "A techie wouldn't have a clue," he said.

"What was cool about it was they thought like war fighters," said Michele Iversen, an original task force member and the only woman in an operational role.

The roots of JTF-CND, as it was called, lay in a 1997 Joint Staff exercise called Eligible Receiver. In the exercise, a National Security Agency "red team" hacked the classified networks of Pacific Command in Honolulu. The team also proved to exercise referees that it had the capability to penetrate the civilian power grids in Hawaii, though it did not actually do so.

"The bottom line was it really did scare a lot of people and made us aware of the fact that we just weren't well-positioned to defend against that," said retired Gen. John "Soup" Campbell, the task force's first commander.

Senior officials agreed that they needed a plan to defend the networks. They debated for months. In the end, Campbell said, they decided on a joint task force because it would have authority to take defensive and potentially offensive action. It would also be able to direct the services to take action.

Even as they were debating options, the Pentagon's networks were under assault. In early 1998, as the United States was preparing for potential military action against Iraq, a series of massive intrusions occurred across unclassified military systems. The attackers were leaving "backdoors," or ways to reenter the networks and potentially take them down.

The attacks, dubbed Solar Sunrise, appeared to be coming from overseas, including from the United Arab Emirates. Intelligence officials thought Iraqi President Saddam Hussein might have ordered them.

"It looked as though Saddam was about to take down massive amounts of infrastructure . . . because we were threatening to bomb him," recalled one former intelligence official. Tensions were building. President Bill Clinton was briefed. Senior officials convened another meeting in the Pentagon's "tank," the Joint Chiefs' conference room. The threat was no longer hypothetical, it seemed.

Then the real culprits were identified: A pair of 16-year-old boys in California and a teenager from Israel who had exploited a known vulnerability in the Solaris (UNIX) operating system.

Solar Sunrise, like Eligible Receiver, underscored just how weak the Pentagon's defenses were.

More attacks would follow. Moonlight Maze, which was discovered in 1998 and lasted several years, marked the beginning of the widespread exploitation of unclassified networks and was thought to have been conducted by the Russians to steal technology. Titan Rain was a series of intrusions into hundreds of military and other government networks from 2003 to 2005 that were said to be Chinese in origin.

The original task force set up shop in a vinyl-sided trailer in Arlington in 1998, not far from the Pentagon and on the premises of the Defense Information Systems Agency (DISA), which runs the military's computer networks.

Intelligence was important to the mission, Campbell said. The unit's intelligence officer, Robert Gourley, said he worked to "achieve deep penetration of the adversary so we'll know what they're thinking." The intelligence could be obtained through computers, satellites or other technology, or by more traditional means, he said, recalling the time he sent "a human agent into a foreign marketplace to buy a CD of hacker tools" to better understand a particular attack that had taken place.

The focus initially was on defense. In 2000, the task force, which had more than doubled in size, took on the offensive mission. But a few years later, it was split in two, with offense assigned to one group and defense to another. The launch of U.S. Cyber Command has reunited the missions.

Though the task force in the early years lacked clout, it did have some notable successes, veterans said. During Moonlight Maze, it issued the first military-wide order to change passwords, said Marc Sachs, who had been an Army engineer. And it instituted precautions to ensure that military networks would be protected against any "Y2K" calamity.

On New Year's Eve 2000, a group of task force members watched a bank of clocks as first Japan, then Australia passed into the new millennium without incident. When that happened, they were confident the United States would follow suit, Sachs recalled.

A few minutes after midnight, Campbell and several other members ascended to the DISA roof top. They gazed across the Potomac River and saw the lights in the capital city still blazing. They lit their cigars and watched the fireworks shoot across the sky.

© 2010 The Washington Post Company