From the Crypt Newsletter (JOSEPH K) Guide To Tech Terminology:
Eligible Receiver: A Pentagon ghost story repeated ad nauseum to journalists and the easily frightened in which ludicrous or totally unsubstantiated claims about menaces from cyberspace are passed off as astonishing deeds of techno-legerdemain performed by cybersoldiers working within a highly classified wargame.
Usage: Author James Adams claimed in Techweek magazine that Pentagon hackers employed in Eligible Receiver "did more than the massed might of Saddam Hussein's armies, than the Nazis in the Second World War."
Since its first appearance in 1997, Eligible Receiver, like the phrase "electronic Pearl Harbor," has become a good touchstone for uncritical, unsophisticated journalism on the potential for cyberterrorism to lay low the nation.
Although never substantiated with solid proof by Pentagon leadership, it has become an article of faith in the mainstream newsmedia and still appears regularly as prima facie evidence of what hackers could do to plunge the empire into chaos.
Characteristics of invocations of Eligible Receiver can include any or all of the following: there were 20 hackers, there were about 25 hackers, there were 35 hackers, there were 30 or 35 hackers, the hackers were from the [Pentagon, the NSA, the Joint Staff], the national power grid was taken down, the 911 service was taken down, troop movements were disrupted, laptops were bought, laptops were stolen, software was bought off-the-shelf, software was obtained from the Net, unspecified secret computer systems were compromised and/or unspecified public computer systems were compromised.
Here then, a selection of examples of Eligible Receiver in the news:
From the April 1999 issue of "Government Executive," a reporter writes on the danger of cyberterror to the national networks:
"The liability posed by such dependence became clear when the Pentagon conducted an exercise known as Eligible Receiver in 1997. Using off-the-shelf technology and software downloaded from hacker Web sites, a team of about 20 employees from the National Security Agency hacked into unclassified Pentagon computer systems. The surprise exercise, designed to expose weaknesses in computer security, succeeded beyond the planners' wildest expectations. Among other things, the exercise showed how hackers might disrupt troop deployments.
"It was startling," [Deputy Defense Secretary] John Hamre said. 'We didn't really let them take down the power system in the country, but we made them prove that they knew how to do it.'"
From an April 22, 1999, issue of "Inside the Army:"
"Two years after Eligible Receiver, a joint exercise conducted by DOD in which virtual 'terrorists' used stolen hardware from a government facility to gain control over secret computer systems without being detected, the military finds itself 'in full-scale conflict,' [Deputy Secretary of Defense] John Hamre said. Important lessons learned over this period include 'that cyperspace ain't for geeks, it's for warriors,' he said."
From a March 22, 1999 report by Associated Press writer Laura Myers entitled "Study Finds Hacker Threat a Real Danger." Reporter Myers appears to be only vaguely familiar with the Pentagon claim and gets a figure wrong -- hardly a liability, even Pentagon proponents of "Eligible Receiver" can't seem to agree on the number of people involved -- but nevertheless passes on the growing legend as proof of national danger:
"In 1997, a national security team of about 20 people, in a cyberwar game [Eligible Receiver] lasting three months, gained access to unclassified Pentagon computers, giving the team the ability to disrupt troops movements."
From an interview on cyberterrorism conducted with Senator John Kyl by the United States Information Agency (USIA), published in November 1998:
Kyl: Well, [cyberterrorism is] surprisingly easy. It's hard to quantify that in words, but there have been some exercises run recently. One that's been in the media, called Eligible Receiver, demonstrated in real terms how vulnerable the transportation grid, the electricity grid, and others are to an attack by, literally, hackers -- people using conventional equipment, no "spook" stuff in other words.
From the Fall 1998 issue of the University of Southern California's "Networker" magazine:
"Operating under the code-name Eligible Receiver, 35 people working for the National Security Agency targeted unclassified computer systems across the country. Employing only hacking tools downloaded from the Net and standard-issue computers, the team reportedly accessed the U.S. Pacific Command in Hawaii - in charge of 100,000 troops - among other targets.
"'We didn't really let them take down the power system in the country, but we made them prove that they knew how to do it,' Deputy Secretary of Defense John Hamre told the press.
"Before Eligible Receiver, what you had was a bunch of driven geeks and a few admirals and generals dotted around who said that 'this is really important stuff' and a bunch of traditionalists who were saying 'yeah, right. It's all just rubbish, really,' says Adams. 'Well, Eligible Receivergave everyone a very nasty shock because it showed that the whole system could be devastated,' he adds.
Editor's note: James Adams wrote a book called "The Next World War," published in 1998, that based most of its premises that computers would fight all future wars on Pentagon claims like "Eligible Receiver." The book was pilloried for passing on myths and April Fool's jokes, such as the Gulf War virus hoax, as fact.
"[Eligible Reciever] resonated at the Department of Defense, which has 2.1 million computers, 100,000 local area networks, and more than 100 long-distance networks. Eligible Receiver was 'a very telling example for all of the senior leadership here,' says Susan Hansen, a [Pentagon flack] for Secretary of Defense William Cohen.
From a USIA interview (published in November 1998) with reporter James Adams, here advertised as the CEO of "Infrastructure Defense," a firm presumably started to help protect from potential Eligible Receivers:
"The 'hackers' taking part in the exercise -- called Eligible Receiver -- were, in fact, U.S.government employees. They were given no advance intelligence. They bought their laptops from a local computer store.
"The hackers successfully demonstrated that they could with ease break into the power grids of all the major U.S. cities -- from Los Angeles to Chicago to Washington, D.C., to New York -- that were linked to the U.S. capability to deploy forces. At the same time they were able to break into the -911- emergency telephone system and could comfortably have taken both of those networks down . . ."
From a September 2, 1998, Jane's Defense Weekly piece on information warfare and the Department of Defense:
"In one Joint Chiefs of Staff simulation, known as Eligible Receiver, US officials posing as terrorists were able to shut down key command and control systems at US Pacific Command headquarters."
In an August 2, 1998 story by Cox Newspapers' by Andrew Glass entitled: "Target America: Computer Warfare," the Pentagon grail is credited with turning off all operations of the DoD's Pacific Ocean/Asian command as well as the 911 system. Sun Tzu is credited with the germ of the idea, too.
"Last June, the National Security Agency staged a 'red team' exercise, code-named Eligible Receiver, in which agents pretending to be North Koreans infiltrated the command-and-control facilities of the U.S. Pacific Command in Honolulu --- demonstrating their ability to neutralize most U.S. armed forces from Okinawa to San Diego for many hours without firing a shot.
"Attaining 100 victories in 100 battles is not the pinnacle of excellence," [Sun Tzu] wrote in 'The Art of War,' the earliest known treatise on military science. 'Subjugating the enemy's army without fighting is the true pinnacle of excellence.'"
And, further on:
"Appearing last June before the Senate Judiciary subcommittee on technology, terrorism and government information, Ellie Padgett, deputy chief of the NSA's office of defensive information warfare, told of one aspect of the worrisome success in Eligible Receiver.
In a phase of the exercise that simulated attacks, she said, 'we scripted (an) Internet message (that) would be sent out to everybody saying there was a problem with the 911 system, understanding that human nature would result in people calling the 911 system to see if there was a problem' --- thus causing the overloaded phone system to crash."
In a speech in Aspen, Colorado, in late July 1998, the Pentagon's John Hamre said of Eligible Receiver: "A year ago, concerned for this, the department undertook the first systematic exercise to determine the nation's vulnerability and the department's vulnerability to cyber war. And it was startling, frankly. We got about 30, 35 folks who became the attackers, the red team . . . We didn't really let them take down the power system in the country, but we made them prove that they knew how to do it."
From a June 1998 Congressional Governmental Affairs Committee meeting chaired by former actor Fred Thompson who played a naval commander in the movie adaptation of Tom Clancy's "The Hunt for Red October":
"Lt. General Minihan, the Director of the National Security Agency, will identify in greater detail the nation's vulnerability as revealed in a recent war game known as Eligible Receiver. The Committee also will explore whether the [Y2K] problem will increase America's vulnerability to attack. As we approach the 21st century, will terrorists and rogue nations test their information warfare weapons without fear of being caught and insert data smart bombs into the nation's computers for use at a later date?"
From a May 24, 1998 story in the Washington Post written by Bradley Graham:
"Many details of the exercise, dubbed Eligible Receiver, remain closely held. But according to official sources, a group of 35 NSA specialists simulated a series of rolling power outages and 911 emergency phone overloads in Washington and a handful of other cities. They showed that large-scale blackouts could be caused by targeting computerized sensing and control devices known as Supervisory Control and Data Acquisition systems, which have become common substitutes for human monitors in operating electrical, oil, gas, transportation and water treatment systems."
From an April 23, 1998 press conference led by Kenneth Bacon, the Pentagon's head flack:
"And that was one of the, as I said, one of the signal achievements of the exercise the Joint Staff ran, ELIGIBLE RECEIVER, to improve the awareness of people within the Department of what the computer security issue is."
Other relevant links:
copyright 1999 Crypt Newsletter. All rights reserved.