Black Ice: Cyber-terrorism and the Private Sector

Computerworld - Editor's Note: Dan Verton's book gets its title from an emergency planning exercise for the 2002 Winter Olympics in Utah, code-named Black Ice. In the simulation, a major ice storm combines with the disruption of utility computer systems to produce regional blackouts, Internet outages, cell phone overload and telephone failures. It demonstrated the devastating effect of physical and electronic attacks on the power grid and everything that depends on power, including computer systems. An earlier exercise, run by the National Security Agency (NSA) and code-named Eligible Receiver, was equally chilling:
Prior to launching their attacks on June 9, 1997, officials briefed the team of 35 NSA computer hackers on the ground rules. They were told in no uncertain terms that they were allowed to use only software tools and other hacking utilities that could be downloaded freely from the Internet through any one of the hundreds and possibly thousands of hacker Web sites. In other words, the Pentagon's own arsenal of secret offensive information warfare tools, which the NSA certainly had, could not be used. And while they were allowed to penetrate various Pentagon networks, the Red Team was prohibited from breaking any U.S. laws. The primary target was the U.S. Pacific Command in Hawaii, which is responsible for all military contingencies and operations conducted in the Pacific theater, including the tension-wracked Korean peninsula.

Posing as hackers hired by the North Korean intelligence service, the NSA Red Team dispersed around the country and began digging their way into military networks. They floated through cyberspace with ease, mapping networks and logging passwords gained through brute-force cracking and the more subtle tactic of social engineering - sometimes it was just easier to call somebody on the telephone, pretend to be a technician or high-ranking official, and ask for his password. The team gained unfettered access to dozens of critical Pentagon computer systems. With that level of access, they were free to create legitimate user accounts for other hackers, delete accounts belonging to authorized officials, reformat the server hard drives and scramble the data, or simply shut the systems down. They were able to break through the paltry network defenses with ease, after which they could conduct denial-of-service attacks, read or make minor changes to sensitive e-mail messages, and disrupt telephone services. And they did so without being traced or identified.
The results of the exercise stunned all who were involved. The NSA Red Team, using hacking tools that were available to anybody on the Internet, could have crippled the U.S. military's command and control system