Appendix B: Scenario and Instructional Materials Used in Exercise

This appendix contains all of the exercise materials used in the March 23, 1996 exercise.

The Day After... in Cyberspace - II (ARPA)


23 March 1996

Scenario and Instructional Materials Used in Exercise

Robert H. Anderson, Anthony C. Hearn, Eugene Gritton, Richard O. Hundley, Richard F. Mesic, Roger C. Molander, Kevin O'Connell, Peter Wilson

Data in this appendix may not be duplicated or used in whole or in part for any purpose without the written permission of RAND. This restriction does not limit any individual's right to use information contained in the data if it is obtained from another source without restriction.

The "Day After..." methodology requires a realistic scenario; however, specific companies, systems, or system components appearing in this scenario are examples only and their appearance implies no unique capability or vulnerability. Attribution to any organization or entity shall not be made as a result of the text contained herein.

Table of Contents


STEP ONE: The Day Of ...

Situation Report
Memo for the SECDEF

(Note: Step Two is provided on site.)

STEP TWO: The Day Before...

Memo for the SECDEF


"The Day After..." exercise methodology has been developed to explore new and evolving post-Cold War international security problems, in particular in the realm of new types of strategic warfare.

This version of the exercise methodology is based on a two-step process generally lasting a total of approximately four to five hours.

Participants in the exercises take on the role of advisors to a senior-level decision-maker (or decision-making body) in a group deliberative process akin to a classic time-constrained "pre-meeting" where the principal task is to finalize a document or set of materials (e.g., an issues and options paper) for a formal deliberative/decision-making meeting (such as a National Security Council meeting).

In general, two or more groups (of nominally 6-12 individuals under the leadership of a chairperson) go through the identical exercise at the same time and compare the character and results of their deliberations at the end of each of the steps.

* * *

In this particular application of the methodology--"The Day Cyberspace - II (ARPA)--participants take on the role of a technical tiger team advising the Secretary of Defense and the Director of ARPA on recommendations to put forth to the President:

  1. on possible short-term technical solutions to a set of pressing cyberspace security problems that emerge in the context of a future political-military crisis (STEP ONE of the exercise) and
  2. on prospective current/near-term R&D-related strategy and policy initiatives that would address existing and projected strategic vulnerabilities in the U.S. defense and national information infrastructures (STEP TWO).

* * *

The exercise process begins (see schematic on the next page) with the tiger team convened to examine a set of critical cyberspace-related technical issues that are manifest on "the day of" (STEP ONE) a significant change in the strategic situation in a crisis in the Persian Gulf set in the year 2000.

The group's STEP ONE task is to revise a draft of a memo from the SECDEF to the President on possible short-term fixes to the pressing cyberspace technical issues that have emerged in this crisis.

In the context of this tasking group, consensus on the text of the memo and recommendations to go forward to the SECDEF is desirable but not necessary. Where consensus cannot be achieved, the group notes and conveys forward the prevailing differences for final decision-making by the Secretary of Defense in consultation with the Director of ARPA.

In "the day before" (STEP TWO) of the exercise, the context changes to the present or near future.

In this more contemporary context, the group is again convened as a team with another time-constrained tasking. This group must revise and improve a memo which is going from the Director of ARPA to the Secretary of Defense immediately in advance of a cabinet- level meeting where it is intended that the President decide on a new national R&D initiative investment strategy for information systems security, to be manifest in a set of new initiatives on:

  1. Overall investment strategy,
  2. New operational concepts and practices based on new technological opportunities, and
  3. New R&D initiatives and new R&D priorities

In this second step the group's task is to revise a draft memo from the Director of ARPA to the SECDEF on a recommended set of initiatives.

The objective in this last step is to seek initiatives that would help minimize the prospect that future crises such as that just faced would occur--or, if they do, to mitigate their consequences, and reduce the likelihood that they would ever occur again.

STEP ONE: The Day Of ...



It is now mid-spring in the year 2000.

As the Twentieth Century drew to a close, political changes and continued unrest in the Persian Gulf, in Pakistan, in the Islamic countries of the former Soviet Union, and across the breadth of North Africa had created a new and profoundly troubled region of the world now frequently labeled "the Islamic Arc of Crisis."

Adding to U.S. and European concerns about this region was the rising prospect that one or more of the potential predators in the region had developed the capacity to exploit the Global Information Infrastructure (GII) as a field of strategic political-military operations.

The latter situation has sparked particular anxiety in the U.S. about the safety and security of the U.S. National Information Infrastructure (NII) and an evolving Defense Information Infrastructure (DII) (see below).


In the 1990s the Cellular/Wireless Revolution proceeded apace with the availability of new low and medium earth orbit satellite constellations such as Iridium and Globestar providing readily accessible global two-way communications via portable telephones. It is now estimated that 25% of the North American, European, and Japanese adults routinely carry a cellphone. A similar explosion of cellphone use continues in other major markets.

The Internet has become a pillar of both the NII and GII. All countries now have Internet hosts, and it is estimated that 70% of the world's population now lives within a local telephone call of an Internet gateway.

The phenomenon of the World Wide Web has continued to expand, with over forty million "home pages" of information providing links to data bases around the world. Many of these home pages include video and voice releases specially designed for consumption by the mass media.

One of the most significant trends of the past decade has been the growth of electronic commerce. Current estimates suggest that a third of all formal U.S. business transactions now occur electronically using both standardized data interchanges and specialized communications between cooperating companies employing a range of digital encryption standards.

Attempts by the U.S. government to establish a hardware encryption standard (successors to the CLIPPER CHIP initiative) have been thwarted by lawsuits brought by both citizen groups and software companies.

The NII and GII are also being heavily used by a new generation of activist groups. Many such groups are linked in transnational networks that address a broad range of environmental, human-rights, and other global issues.

The Internet and World Wide Web have become virtual battlegrounds for software "agents" of various types. Tens of thousands of such agents have been unleashed to roam "the Net" and "the Web" looking for items meeting a profile of interests of their users, or blocking such access.

In 1998 the President decided to allow the bulk of the Defense Department's "peacetime and administrative communications" to continue to rely on the commercial switched telephone and public data systems. The vast majority of DII communications now pass over the commercial Public Switched Network (PSN), relying on various levels of encryption to protect classified information.

During the period from 1995-2000 various largely unsuccessful attempts were made to increase the security of the PSN. These efforts have been complicated by the fact that "the PSN" is run and maintained by many competing companies including cable, cellular, and satellite operators, so that changes are difficult to mandate and place into effect. As a result, other than individual use of end-to-end encryption by cooperating parties, PSN security in the year 2000 is not much better than that in 1996.

The problem is exacerbated by several continuing trends: (1) widespread use of open, standard systems whose protocols and internals are well known; (2) cost saving by increased use of remote maintenance (e.g., through dial-in ports) in telecom and energy control systems; (3) more shared trust among many disparate providers of PSN service; (4) more frequent changes to PSN software caused by competition based on new features and facilities among providers.

In 1998 the possibility of the U.S. developing a (national and global) Minimum Essential Information Infrastructure (MEII)--to insure that there would be "emergency lanes on the information highway" for a variety of contingencies --became a matter of serious discussion. The principal motivation was the perceived need to establish a minimum capability to support prospective large-scale U.S. and allied force deployment operations.

While discussion of various MEII architectures and performance criteria continue, serious development work on an actual MEII has not yet begun. There remains broad disagreement on the scope of such a system with the debate focused on:

  • Protecting only military and other communications and information systems key to major force deployment operations vs.
  • Also protecting other infrastructure information systems more directly impacting the U.S. populace vs.
  • Also protecting the information systems of allies and potential coalition partners

There is also wide debate about the ability to maintain the viability and effectiveness of any MEII that could be developed, largely in light of the continued highly dynamic character of the information revolution.

In light of the above environment, in the last few years there has been rising concern over the increasing interdependence of the PSN, the U.S. electrical power grid, data networks supporting the air traffic control system, the Global Positioning System (GPS), and other key U.S. infrastructure elements. As a consequence of this concern, national security, intelligence, and law enforcement agencies in the U.S. (as well as in other nations) are devoting increased resources to efforts to assess and counter both domestic and foreign IW threats.


Saudi Arabia Under Stress

Recently there have been major steps by the Saudi government to open up Saudi society politically, economically, and socially. New independent television stations are broadcasting and there has been proliferation of direct broadcast satellite receivers and cellular telecommunications systems. All elements of society are making increasing use of a variety of Internet nodes.

The Saudi monarchy has suffered substantially from internal dissent and distress since the 1997 death of King Fahd. A weak successor now struggles to govern both the family and the kingdom, which is increasingly beset by growing tensions between an Islamic fundamentalist dissident movement and the "nationalist modernizers" who currently dominate the Saudi government.

By 1998, much of the Saudi dissident movement (especially within the universities) had coalesced around the goals and objectives of the increasingly influential Campaign for Islamic Renewal and Democracy (CIRD). This loose transnational CIRD coalition, formed at the 1997 Damascus meeting of Islamic state and non-governmental organizations (NGOs), has become a prominent force for social and political change in the Persian Gulf region as well as throughout the Islamic world.

The CIRD is very well funded, principally by North American and European Islamic sources but also in part by domestic sources in Saudi Arabia, Iran, and Pakistan. The CIRD exploits a variety of modern advanced information and communications technologies for organizing, fund-raising, media coverage, and building ties to organizations throughout the global Islamic and broader NGO community. Several CIRD chapters are now very prominent within the North American Islamic community.

Oil prices have remained stable throughout the 1990s which has forced the Saudi Kingdom to make cutbacks in ambitious domestic and social programs designed in part to "keep domestic peace."

The Saudi regime's nervousness about their overall security and financial vulnerability markedly increased in early 1998 following the revelation that the Bank of Saudi Arabia had been "looted" of nearly $1.2 billion by a sophisticated electronic attack which for two months had successfully used "skimming" and other "cyberspace bank robbery" techniques before detection by a British financial security service. The Saudi government later found strong evidence of both Iranian and Syrian involvement in the attack.

Adding to the Saudi kingdom's fiscal woes is the broad consensus within the monarchy and government elites-- strongly opposed by CIRD supporters within Saudi Arabia--that defense spending must remain high in the face of the increasing military and political power of Iran (see below).

Persia Ascendant

Iran's power and influence in the Persian Gulf rose dramatically following the 1997 Iraqi civil war that erupted in the wake of Saddam Hussein's abrupt departure. As a result of a highly effective Iranian intervention in the civil war, Iraq is now essentially divided. A weak post-Baathist central government has been installed in Baghdad while the Kurds in the north and Shiites in the south enjoy virtual autonomy in most matters.

Iran openly supports radical Islamic fundamentalist groups in almost all of the Gulf states and trumpets a "pan-Islamic" strategy of building a broad political-military coalition to "resist American and European hegemony in the Islamic world."

Iran's nuclear weapons ambitions are widely acknowledged though there is at present no evidence that the Iranians have any operational nuclear weapons. The Iranians continue to maintain that their rapidly growing nuclear infrastructure--which remains under IAEA inspection--is for "nuclear energy alone."

Iran continues to improve its long-range weapons delivery capability which currently includes: (1) 36 Russian Tu-22M Backfires, (2) an IRBM force of two dozen North Korean Nodong II missiles, and (3) an MRBM force of 200-300 Nodong I missiles.

Evidence of the extent of development of Iranian IW activity emerged in 1999 in India when three Indian nationals (including an acknowledged "world class" software writer) were arrested by authorities after penetrating supposedly highly secure Indian defense networks, and in the course of plea-bargaining confessed to selling Iran "a variety of 21st Century information warfare tools."

Iran maintains an uneasy relationship with the CIRD which has resisted Iranian efforts to convert the coalition to a more fundamentalist Islamic posture. In addition, a number of CIRD leaders have privately criticized the slow pace of democratization in Iran. However, intelligence sources report that Iran is channeling funds to some factions within the CIRD coalition.


Popular support for the Algerian military martial law government continued to unravel into 1996, and in June 1996 a pro-Islamic "colonels' faction" led a coup which took control of the government in concert with the "Rome coalition" of former government opposition groups. In the fall of 1996, an Islamic government was formally established in a new round of national elections.

In the summer of 1998, relations between Algeria and the U.S. and Europe began to deteriorate as the new Algerian regime increasingly tilted toward the geo-strategic and political interests of Iran and military cooperation programs between the two countries became more widespread.

During the summer of 1999, French intelligence services were alerted to the attempted placement of a computer "Trojan horse" in the latest variant of the AirBus Industries AB-330 flight control software, apparently by Algerian agents in France acting under the direction of Iran. French aviation authorities found that Aerospatiale had been relying upon several Indian software subcontractors which had access to supposedly "secure" source code development and compilers.


In November of 1998 while flying to inspect a new chemical weapon facility in southern Libya, President Qadhafi was severely injured in a helicopter crash and shortly thereafter retired. In the political turmoil that followed, a strongly nationalist Islamic government quickly seized power and consolidated control of the country.

Much to the surprise of many observers, the new Libyan government moved rapidly to hold elections and embrace "Islamic democracy." It is now viewed as one of the CIRD's strongest government supporters in the effort to build a united democracy-based Islamic political force.


In 1997, the Bhutto regime was overthrown by a military coup which faulted the government for "political indecisiveness and inadequate military assistance" in the failed "Tet-like" general uprising in Kashmir in late 1996.

With the departure of the Bhutto regime, the military-dominated government took on an increasingly militant Islamic stance which included dramatically expanded political-military ties with Iran.

Israel and the Arabs

Israel signed peace agreements with both Syria and Lebanon in 1997.

In the summer of 1999, the Israeli government began to be subject to (in Mossad's terminology) "a new form of strategic warfare"--a series of electronic attacks on Israel's military command and control system by a sophisticated array of "sniffers" and "logic bombs" of uncertain origin.

The Russian Federation

A strongly "Russian nationalist" regime came to power in the 1996 elections and moved quickly to consolidate power and influence both within the Federation and in "the near abroad."

In 1997 the Russian military created a new Radio Electronic Combat Command which has been charged with the development of "a comprehensive 21st Century offensive and defensive information warfare capability."

The new Russian information warfare effort in part reflected acknowledgment of a continuing domestic problem--increasingly sophisticated internal "cyberspace banditry" techniques employed by Russian "mafiya" organized crime groups. While such attacks within Russia have diminished, the groups continue to mount successful attacks on European and American banks (with an estimated gain of over $2 billion in the year 1999 alone). U.S. and European intelligence and law enforcement services strongly suspect that some of the best Russian "mafiya hacker talent" is now in the pay of the Russian intelligence services.


A "tough, pragmatic, and strongly nationalist" leadership has consolidated power in a post-Deng Xiaopeng China which continues to lead Asia on an upward trajectory of economic growth.

Reflecting ever-increasing Chinese self-confidence, there is now a dominant view among the Chinese political and military leadership that China should acquire "strategic military power second to none" in the early 21st Century.

A new and widely remarked Chinese "21st Century strategic asset" is the acknowledged skill of a emerging generation of Chinese computer experts which provide both the Chinese commercial and banking sectors and the government with world- class offensive and defensive IW "hacker" capability.


The Japanese government interest in potential IW threats was profoundly heightened after the "Great Yen crisis of 1998" when the Japanese currency nearly collapsed after a two-day fall of 22%. Only several months after the fact was there sufficient suspicion the massive fall in the Yen had been partially "induced by a very sophisticated computer virus program" of which the authors were believed to be an alliance of several Chinese and other Asian Transnational Criminal Organizations (TCOs).

The Koreas

Kim Jong Il continues to maintain control over the key levers of power in the DPRK although there continue to be internal power struggles around him between various factions in the North Korean elite--which continues to hold back reunification efforts.

Implementation of the 1994 U.S.-DPRK nuclear "framework" has proceeded in fits and starts, but it continues to be seen as successful in holding back the North Korean nuclear program. However, the DPRK maintains a robust indigenous missile development and production program and an extensive missile export and cooperative development program with Iran.

The United States

Following the highly contentious 1996 elections, there emerged a tentative political consensus that the United States had no choice but to remain heavily engaged in maintaining a semblance of "international law and order." At the same time continued public concerns about acute U.S. domestic problems appeared to weigh heavily against seeking costly military solutions to the evolving menu of security problems.

In this challenging political context there emerged in 1997 the Consortium for Planetary Peace (CPP), an unusual grass roots political coalition with support from both the left and right and organized around the twin propositions that: (1) it was not in the U.S. national interest to become "a global policeman" and (2) "modern conflict resolution and communications methods" should be aggressively employed as flagship elements of U.S. international security policy.

With support from a broad range of existing peace, human-rights, environmental, and other activist groups, the CPP grew quickly with a "start in your own international neighborhood" organizing theme--using the Internet to organize a wide range of U.S., Canadian, and Mexican NGOs to focus a coordinated effort on the continued acute political unrest in southern Mexico. In late 1998 the organization gained considerable prestige by facilitating a widely hailed "peace agreement" between the Mexican government and the "Third Zapatista Revolution."

Building on the success in Mexico, the CPP over the past year and a half has become increasingly involved as a mediator and Internet organizer of "peacemaking coalitions" in a number of regional and other conflicts around the world (in which capacity it has developed substantial informal ties with the Islamic CIRD coalition).

In 1998, an organization was established within the JCS to oversee the development of offensive and defensive operational concepts and campaigns and new requirements for "electronic warfare techniques." This organization works with the various unified commands to develop Radio Electronic Combat or IW planning annexes for the CINCs' CONPLANs for various contingencies.

Increasing concerns about the viability of the nuclear non- proliferation regime led in 1998 to major revisions in U.S. force structure plans to make room for a package of counter- proliferation initiatives which included: (1) A crash effort on the Theater High Altitude Air Defense (THAAD) system, (2) Extensive overseas sales of Patriot/ERINT and Standard anti-tactical missiles, and (3) Accelerated development of long-endurance unmanned air vehicles (UAVs) and a companion program of multi-mission unattended ground sensors (UGS).

In late 1999 in the wake of the French AirBus incident reported earlier U.S. commercial aircraft companies initiated a survey of the software in the flight control systems of aircraft under development to insure software system integrity. Other than some minor software code errors, nothing was found--but there emerged a heightened vigilance in the commercial aircraft sector to protect these systems.

Persian Gulf Security

In 1999 in the face of Iran's growing political military power, the U.S., France, and the U.K. updated their military agreements with the Gulf Coordinating Council (GCC).

The military contingency plans for the region now include the prepositioning of substantial additional military equipment in the region and rapid deployment commitments code-named GREEN HORNET for the U.S. (see Table 1) and SILVER SABRE for the U.K. and France.

A British air mobile/motorized and a French air mobile/motorized division along with several squadrons of tactical fighter aircraft constitute the principal European military components of SILVER SABRE.

In 1998, the Joint Staff approved an IW contingency plan for CENTCOM combining both electronic and physical attack: Operation FORCE FIELD--a theater-wide command and control warfare master plan designed to provide "information dominance within a 500 km battle cube" and in particular render ineffective the key elements of a future regional opponent's tactical reconnaissance, air defense, and C3I systems.

Table 1. Major Components of GREEN HORNET

  Phase One
Deterrent Phase
Phase Two
Initial Defense
Phase Three
Full Capability
  • Deploy 2 THAAD battalions
  • Place 2 Phase Two Divisions on Alert
  • Deploy Army equipment set from Diego Garcia
  • Airlift 3 brigades to prepositioned equipment sets in Kuwait and Bahrain
  • Fully deploy 2 Phase Two Divisions
  • Place 4 Phase Three Divisions (3 CONUS/1 Europe) on Alert
  • Fully deploy 4 Phase Three Divisions
  • Reserve call-up
  • Move 1 Carrier Battle Group (CBG) to Gulf of Oman
  • Move 1 Aegis to Persian Gulf
  • Deploy CBG to Red Sea
  • Move 1 Aegis to Persian Gulf
  • Move 2 Aegis to Med
  • Partial Ready Reserve Fleet (RRF) call-up
  • Deploy 3 CBGs
  • Move 6 Aegis to Theater
  • Reserve call-up
  • Full RRF
Air Force
  • Deploy 1 Air Combat Wing (ACW)
  • Deploy AWACS, JSTARS, intel aircraft
  • Deploy 3 ACWs
  • Deploy 7 ACWs
Marine Corps
  • Deploy 1 Maritime Prepositioning Squadron (MPS) from Diego Garcia and off load in Saudi Arabia
  • Off load in-Theater MPS
  • Airlift associated CONUS brigade personnel to theater
  • Deploy 2 MPS from Atlantic and Pacific
  • Marry up 2 CONUS brigades w/in-theater MPS equipment
  • Deploy 2 amphibious brigades from CONUS
  • 2 amphibious brigades in Theater
  • Reserve call-up
Troop Strength 50,000 +100,000 = 150,000 +150,000 = 300,000
Time to Complete
(from t=0)
7 Days 30 Days 60 Days
Aircraft Req't
0 120 200


In Caracas

On May 4, 2000, OPEC ministers met in Caracas to review production and pricing policy. Iran, Iraq, Libya, and Algeria were promoting a major cutback in production with a goal of driving the price to "at least $60 (FY-95 dollars) a barrel."

The Caracas OPEC meeting ended in total failure and disarray after three days of tense discussions marked by a final televised shouting match between the Iranian and Saudi oil ministers.

In the Persian Gulf

On May 7 Iran announced that it would soon begin conducting "military exercises appropriate to the evolving security situation in the Gulf."

On May 8 the Saudi ruler called in the U.S. Ambassador and expressed his deep concerns about the Iranians whom he feared might use the OPEC stalemate as an excuse for "a move of greatness" in the Gulf.

On May 10, Tehran radio and television announced that the Iranian Foreign Minister was flying to Riyadh with an "urgent proposal" that would "resolve the OPEC stalemate" and "respond to the evolving security situation in the region."

On the evening of May 10, the U.S. Ambassador to Saudi Arabia reported on the contents of the Iranian "proposal:"

  • Iran, Iraq, Saudi Arabia and the other GCC states should immediately cut oil production by 20 percent.
  • The GCC states should annul their military agreements with the U.S. and declare "neutrality" or non- alignment.
  • In return Iran would declare the GCC states to be under "a new Iranian Persian Gulf security umbrella."

The next day, May 11, U.S. intelligence detected the preliminary mobilization of three of the six Iranian divisions located near Dezful in southwestern Iran, including the mobilization of several regiments of heavy equipment transporters designed to rapidly move heavy armor and artillery.

At 2030 local time on May 11, Saudi Arabia ordered the redeployment of one armored division toward its border with Iraq and a partial mobilization of selected reserve elements. Two hours later Kuwait placed its army and reserves on a higher level of alert.

In Egypt

Later that night, 90% of the power in the Cairo area went out for several hours.

In a message to the Secretary of State the U.S. Ambassador in Cairo noted that there was considerable uncertainty about whether the blackout was the product of "deliberate sabotage or just Egyptian bad luck."

In Saudi Arabia

On the evening of May 11 the White House Situation Room received a message from the U.S. ambassador in Riyadh indicating that the public switched telephone network for Riyadh had suffered a series of massive failures.

In Washington

The U.S. National Communications Center reported that, nearly simultaneously with the Saudi disruption, the base phone system in Fort Lewis, Washington had been subjected to a massive wardialing attack by personal computers--apparently initiated by a bulletin board post which stated the dial-in line numbers-- which paralyzed phone service for several hours.

On the Saudi problem the CIA had "preliminary indications" that a hidden "trap door" was used that had apparently been placed into the latest release of code controlling many switching centers of the Saudi PSN. This code allows unauthorized passwords to be used to gain access through remote maintenance ports. The source of this problem was unclear although a radical anti-interventionist group claimed responsibility on the Internet.

In the Persian Gulf Region

At 0500 local time in the Gulf on May 12 (2200 EDT on the 11th), two Saudi missile gunboats were fired upon by Iranian warships discovered on an apparent intelligence collection mission off the coast of Al Jubayl.

Twelve Saudi F-15s arrived on the scene in minutes and in the ensuing battle both of the Saudi gunboats and three Iranian ships were sunk. Minutes later fifteen Iranian MiG-29s and 31s arrived and in the air battle that followed nine Iranian aircraft were downed at the cost of five Saudi F-15s.

At 0630 local time on the 12th, a S-3B Viking from the CBG Ronald Reagan was fired upon by an Iran missile frigate while conducting a maritime surveillance mission over the Straits of Hormuz.

Thirty minutes later, F/A-18s and F/A-14s from the Reagan found the frigate some fifteen miles south of Bandar Abbas. The USN aircraft were confronted by eight Iranian MiG-29s. During the short air battle three MiG-29s were shot down and the frigate was sunk after receiving three Harpoon missile hits.

In Saudi Arabia

At 1100 local time on May 13, the largest ARAMCO refinery near Dhahran had a catastrophic flow control malfunction which led to a large explosion and fire at a brand new cracking tower.

This event was followed by a "war communiqué" from a radical Islamic group linked to Iran asserting that "the enemies of the true faith of Islam were vulnerable to the full range of Islamic might." The statement concluded with the threat that the economy of the Saudi Kingdom "could be brought to its knees with the touch of a button."

In a memcon to the Secretary of State, the U.S. Ambassador to Saudi Arabia warned that the Saudi elite was "horrified by the prospect that Iran might have the capacity to severely disrupt their economy without firing a shot" and beginning to express concerns that the United States may be "unable to help the Saudi government respond to this new threat."

In Moscow

At a news conference late on May 13 the Russian Foreign Minister called on the UN Security Council to "immediately seek to mediate a settlement to the escalating crisis" in the Persian Gulf.

In Tehran

At 0730 local time on May 14 (0030 EDT) Iran sent messages to the GCC members, the U.S., the U.K., and France calling for:

  • A cease-fire in place of all forces on both sides.
  • An immediate freeze on further deployments by "foreign forces" in the region.
  • An immediate summit at a neutral site to discuss "a peaceful resolution of a crisis not of Iran's making."

The notes closed by stating that "if there were not a positive response within 12 hours" Iran would be "forced to take actions consistent with its security rights and responsibilities in the Persian Gulf region."

The notes to the leaders of Kuwait and Saudi Arabia also included a separate and explicit message that Iran would soon "demonstrate the futility of depending upon the American imperialists for protection from modern weapons systems."

Early that afternoon local time, Iran fired three Nodong I MRBMs virtually simultaneously from a field site south of Tehran. Two of the three successfully deployed previously unseen exoatmospheric penetration aids.

In Germany

At 1812 EDT on May 14, the new high-speed Deutsche Bundesbahn passenger train Siegfried traveling at 300 km/hr slammed into an apparently mis-routed freight train near Frankfurt am Main. German Federal Police estimated that the train wreck had killed over 60 passengers and crew and critically injured another 120 persons.

Within three hours, the CIA issued a preliminary report indicating there was "clear evidence" that the freight train had been misrouted onto the passenger track with "some evidence" pointing to a sophisticated intrusion into the Bundesbahn rail control system.

In New York

At a mid-day reception on May 15 sponsored by the CPP, the Iranian Ambassador to the UN was overheard to state that the United States and Western Europe as "the technologically most advanced powers on the planet" were highly vulnerable to "21st Century attacks" by "states and others who had mastered contemporary computer and telecommunication technology."

In Washington

Later on the 15th a preliminary report on the German train crash by the DCI indicated that a "logic bomb" had been placed into the Deutsche Bundesbahn computer systems, possibly by someone with inside access, with "some tenuous evidence pointing to Iran."

In passing the report to the President that evening the National Security Advisor noted that "NSA had considerable doubts about the origin of the attack." Further, he noted that the CIA's Foreign Terrorism Center was preparing a report voicing the strong suspicion that the tragedy was the product of a conspiracy which "may or may not be connected with the unfolding events in the Persian Gulf."

In the United Kingdom

At 1100 GMT on the 16th the Director of Scotland Yard informed the Prime Minister that the Bank of England had detected "three different sniffer devices of new design in its main funds transfer system" and that the Bank leadership was very fearful that unauthorized individuals could now enter the funds transfer system, formerly believed to be invulnerable.

In Atlanta and London

A few hours later CNN and ITN aired "Special Report" stories which featured the German train wreck and leaked reports of problems with the Bank of England's funds transfer system. The CNN report stated that "some Western intelligence agencies" believe that Iran may be employing computer experts from the Russian Mafiya and "renegade software writers" from India to "threaten the entire economic fabric of the United States and West Europe." The effects of both broadcasts were reinforced by interviews with a wide range of computer security experts.

The London Stock Exchange Index fell 10% in late trading on the 16th with investors shifting assets to safer havens.

In New York

At 1430 EDT on the 16th, the New York Stock Exchange suffered its largest drop since the crash of 1987. Even with the tripping of automatic exchange restraints, the Dow had fallen by nearly 17 percent by the end of the day's trading. Analysts on CNBC and other business news networks speculated that major institutional investors were attempting to get out of the electronically managed market.

At 1500 the oil futures market closed with the spot oil price at $75 a barrel. Gold prices for the day were up ten percent.

At 1700 the Security and Exchange Commission(SEC)'s crisis investigating team informed the Secretary of Commerce that "a pattern of institutional investment manipulation involving as yet unknown parties working through a set of European and Middle Eastern Banks" had been "a leading factor in the rapid acceleration in the Dow's mid-afternoon decline."

In Germany

That afternoon the power grid serving a region of Germany that included the U.S. Air Base at Rhein Main failed sporadically when several areas were unexpectedly cut off from the grid. Although power was quickly restored to these areas an assessment of the cause of the failure indicated intrusion in a key grid information management and control system.

In Washington

At noon EDT on May 17th the Consortium for Planetary Peace (CPP) announced that an "emergency mobilization to stop an unnecessary and potentially devastating war" would take place in the next 48 hours.

Two hours later the Consortium submitted a formal request to the U.S. Park Police for a permit for the Mall for May 21 for a "demonstration of support for mediation and opposition to U.S. intervention in Saudi Arabia" for "an estimated 100,000 participants." By nightfall similar permits had been requested in ten other major U.S. cities.

Approval of the Mall and other CPP requests seemed certain and mobilization of CPP chapters began to occur through communiqués sent over the Internet and more traditional media outlets.

In the Persian Gulf

Early in the evening on the 18th local time, after receiving reports on further massing of Iranian armored forces for possible entry into southern Iraq, increased Iranian naval activity near the Straits of Hormuz, and an Iranian "strategic alert," USCINCCENT sent a message recommending the immediate execution of Phases I and II of the GREEN HORNET Gulf deployment plan.

In Delaware

At 1440 the PSN for Delaware and Maryland's Eastern Shore began to suffer a series of failures in the face of what appeared to be repeated attacks of unknown origin. The attacks focused on a set of communications switches whose failure in all cases brought down the air traffic control facility at Dover Air Force Base.

In Washington

An emergency NSC meeting was convened at 1500 EDT on the 18th to address USCINCCENT's recommendation and other military, diplomatic, and political issues related to the evolving Gulf crisis.

The meeting opened with an intelligence briefing by the DCI who emphasized the uncertainty in the source or sources of the attack and noted that at this time there was "no way of knowing for sure" whether what we are seeing is:

  1. Testing of strategic IW capability by one or more parties,
  2. The beginning of a dedicated IW campaign to derail anticipated U.S. Gulf deployment plans, or
  3. Most of what we can expect from a strategic IW campaign mounted by Iran or others."

He also emphasized the added complication that anti- interventionist international political groups in both the U.S. and Europe could be behind many of the IW incidents.

The CJCS Chairman immediately emphasized that the Time Phased Force Deployment List (TPFDL) for GREEN HORNET was very dependent on the ability to meet "a host of just-in-time logistic timelines" and would not tolerate "any significant disruption."

He also expressed growing concern about the problem of mobilizing the CRAF aircraft and crews that were "key to Phase II of GREEN HORNET" if someone were able to penetrate the management information systems of major U.S. airlines.

In the highly speculative discussion that immediately followed it became very clear that in spite of "circumstantial evidence" pointing to Iran there remained considerable uncertainty about the extent of Iranian involvement in the recent IW incidents.

The discussion eventually turned to the military situation in the Gulf where after further reviewing the military and diplomatic issues on the table, the President announced the following decisions:

  • Execute Phases I and II of GREEN HORNET.
  • Deploy one-half all available CONUS-based ATBM battalions to Egypt and Saudi Arabia.
  • Set up a trilateral video conference with the British Prime Minister and the President of France to gain agreement of these governments to execute SILVER SABRE.
  • Immediately convene the North Atlantic Council.
  • Reject any diplomatic initiatives at this time with Iran or the CIRD.

The President also indicated that he wanted to obtain Congressional approval of his actions through a resolution to be introduced in the Congress on the 19th.

The President then led a further in-depth discussion of the IW situation in which he expressed particular concerns about the long- and short-term implications of possible successful IW attacks against U.S. and allied Persian Gulf deployment plans and the national information infrastructures of the U.S. and its European allies and key coalition partners in the Gulf region. He emphasized the need to "demonstrate persuasively and as soon as possible" that further IW attacks such as those already experienced would not be able to fundamentally undermine U.S. military strategy in the current crisis.

During the discussion the President strongly admonished the Press Secretary to "keep the lid on" and "downplay all speculation" regarding both the extent of U.S. cyberspace vulnerabilities and the origins of the IW attacks experienced to date especially those in the U.S. He noted that further decisions on the crisis could be made even more difficult if there were public panic growing out of "media hyping" of the IW threat to the U.S. and attributing the attacks to date to Iran when the actual source might be "domestic anti-interventionist political forces."

In closing the meeting the President turned to the SECDEF and asked him to see if he could pull together some information security experts to generate "new or creative ideas" that could be brought to bear "in the near term" on the IW problems of principal concern in the crisis.

Another NSC meeting was scheduled for late the next morning to review the results of the trilateral discussions and again address the IW problem.

Upon leaving the meeting, the SECDEF contacted the Director of ARPA and instructed him to immediately assemble a tiger team of information system security experts to address the IW- related issues and concerns that had come up at the NSC meeting. The SECDEF described the President's principal concerns and asked for recommendations on possible "near-term creative solutions" to the problems posed "beyond the standard procedures to tighten information systems security that the services and the CINCs would be likely to take on their own."

In Washington, London, and Paris

At 1630 EDT on the 18th at a trilateral video conference between the President, the British Prime Minister, and the President of France it was agreed that the U.K. and France would join in the U.S. response to the crisis and execute SILVER SABRE. It was also agreed that the three countries should keep each other fully informed of further developments in terms of possible IW attacks.


How to Proceed

  1. You have been selected as a member of a technical tiger team advising the Secretary of Defense and the Director of ARPA, in a time-urgent process. The group's task is to revise a draft memo to the SECDEF in preparation for the ARPA Director's meeting with the SECDEF scheduled for a few hours hence.
  2. The group's tasking is to produce an assessment for the SECDEF to send to the President proposing possible short-term technical solutions to these pressing cyberspace problems.

The Chair(person)

  1. The tiger team will be led in its deliberations by a Chairperson (hereinafter Chair) who will take the group through the tasking described in the Decisions to Be Made section to the right.
  2. The Chair will ask one participant to record the results of the group's deliberations and recommendations.
  3. The Chair will likely begin by asking for participants in her/his group to very briefly (e.g., in a few sentences) give their individual perspectives on the overall situation and the particular challenge presented to the group.

Decisions to Be Made

I. Issues and Options

An ARPA staff working group has prepared an incomplete Draft Memo for the President on the following pages. It essentially provides a working template of what might go forward on a set of emergency technical and procedural "information assurance" issues related to the current crisis.

Under the guidance of the Chair, the group should discuss and expand this Draft Memo as judged appropriate. In particular the Chair should ascertain whether there are other critical issues beyond those presented which the SECDEF might bring up at this point in time--and modify the Draft Memo accordingly.

It should be kept in mind that the group is not being convened primarily as a decision-making body; the group's principal responsibility is to craft a good issues and options memo to send forward to the President.

2. Recommendations

As the group settles on the individual issues and options to go forward to the SECDEF, the Chair should attempt to see if consensus can be reached on recommendations on individual issues--keeping in mind that at this point a consensus on all issues is not expected.

When the time for STEP ONE is up, the Chair of each group will be asked to summarize very concisely the group's deliberations and recommendations. This summary should be brief--if at all possible, not more than five minutes.

Draft Memo for the Secretary of Defense


19 May 2000


FROM: Secretary of Defense

SUBJECT: Tiger Team Recommendations on Persian Gulf Crisis - Information Warfare Issues

In response to your request at the May 18 NSC meeting, we proceeded to assemble an ARPA-led "tiger team" of information security experts to consider the information warfare (IW) aspects of the ongoing Persian Gulf crisis and make recommendations on:

  • Near-term measures to strengthen as quickly as possible the U.S. Defense Information Infrastructure (DII) and other U.S. and allied/coalition information systems critical to the GREEN HORNET and SILVER SABRE deployment plans and our overall military strategy in this crisis, and
  • Other possible measures to strengthen the national information infrastructure (NII) of the U.S. and the NIIs of our allies and coalition partners against possible strategic IW attacks.


Consistent with your public statement and guidance at previous NSC meetings, my guidance to the team was that our principal long-term objectives in this situation in terms of IW are:

  • Demonstrate broad U.S. capability to detect, assess, and effectively defend against IW attacks targeted on critical U.S. defense and national information systems.
  • Foster the development of cooperative efforts with U.S. allies and coalition partners that achieve comparable capabilities in response to IW attacks against their key information systems.
  • Deter future strategic IW attacks of the kind that we appear to be experiencing in the current crisis.

I also told them that your principal short-term objectives in terms of IW are:

  • Ensure that the GREEN HORNET and SILVER SABRE deployment plans proceed without serious disruption due to IW attacks.
  • Identify the source(s) of the recent series of IW-related events.
  • Take concrete defensive IW actions which can be made public and serve to reassure the American public that we can respond effectively to cyberspace attacks against the DII and key U.S. NII systems.
  • Assist Saudi Arabia in responding to the IW attacks on its NII in order to enhance the prospects that the Saudi government will survive the threat posed by the internal dissident movement and Iran.


In response to the tasking summarized above, below you will find a set of recommended near-term actions for your consideration along with preliminary assessment of possible implementation obstacles. The issues and recommendations have been organized as follows:


A. DII Issues

B. Other Related U.S. NII Issues

C. Allied/Coalition Partner Information Systems Issues

II. Issues Related to IW Tactical Warning/Attack Assessment

III. Issues Related to Strategic IW Attacks on the U.S. NII

IV. Issues Related to Strategic IW Attacks on Allies and Coalition Partners


You expressed particular concern about the tight timelines for both the GREEN HORNET and SILVER SABRE deployment plans and the possible vulnerability of these plans to disruption by IW attack by either the Iranians, the CIRD, or domestic political forces opposed to Western intervention in the Gulf crisis.

As you are aware from earlier assessments, we do not at this point know the full extent of the capacity of any of these entities to disrupt a U.S. deployment to the Gulf. We have already seen one kind of attack--the mass dialing attack on the base phone system at Ft. Lewis, WA--that could potentially cause problems if widespread (i.e., if it occurred at a large number of U.S. military bases involved in GREEN HORNET) and sustained for many days.

In examining the different elements of the GREEN HORNET and SILVER SABRE deployment plans we see potentially serious IW-related problems in the following areas:

  • Sustained IW attacks that disrupt and degrade U.S. and European air traffic control systems (ATCS).
  • Sustained IW attacks on the information systems of U.S. airlines that are supplying Civilian Reserve Aircraft Fleet (CRAF) aircraft and crews to support GREEN HORNET.
  • IW attacks that succeed in modifying the Time Phased Force Deployment List (TPFDL) for GREEN HORNET.
  • IW attacks on the PSN in the U.S., Britain, and France.

As you know, under current planning we do not need to communicate large amounts of information to support the initial "Deterrent Phase" deployments for GREEN HORNET (beyond the "Go" message which has already been passed to the relevant military units). Nevertheless we need to be concerned about disruption of the air traffic control system here and in Europe since the efficient operation of these ATC systems is key to maintaining the fast pace of these initial deployments.

The second "Initial Defense" phase is more complex and potentially more vulnerable to disruption both here in the United States (since it involves CRAF aircraft and far more extensive rail and air transport of troops and equipment) and in Europe (since it involves U.S. forces stationed in Europe and the British and French Silver SABRE forces). The same is true of the third deployment phase which is necessary to achieve full offensive and defensive capability in the Gulf region. The amount of communications involved (relating to logistics and transportation and other logistics matters) is also much greater in both of these phases than in the initial deployment phase which raises more serious PSN concerns.

The recommendations of the tiger team in terms of possible near- term technical responses to these GREEN HORNET/SILVER SABRE IW- related problems (and possible implementation obstacles) are as follows:

A. DII Issues
Recommended Technical Response Possible Implementation Obstacles
1. Close all possible firewalls to and within DII systems  
2. Disable all remote dial-in maintenance ports on DII system telecommunications switches Alternative maintenance procedures may prove inefficient and lead to selected system failures or delays
3. Provide 24-hr. system operator monitoring and overview of all critical information system nodes with special attention paid to detecting disruptions and abnormal system behavior  

B. Other Related U.S. NII Issues
Recommended Technical Response Possible Implementation Obstacles
1. (re PSN) Route all critical GREEN HORNET Phase Two/Three communications over available robust command and control channels rather than relying on the U.S. PSN Could result in significant delays in GREEN HORNET Phase Two/Three communications and thus in deployment timelines
2. (re ATCS)  
3.(re CRAF) Need to ensure security of commercial airlines' main scheduling system
4. (re Power Grid)  

C. Allied/Coalition Partner Information Systems Issues
Recommended Technical Response Possible Implementation Obstacles
1. (re European PSN's)  
2. (re European ATCS's)  


You have indicated that among your main concerns was an inability to identify the source(s) of the various IW attacks that have recently taken place and the total absence of any warning relating to these attacks. This has given rise to related uncertainties as to whether the attacks represented Iranian (or other potential sources) testing of their IW capability, the beginnings of a much larger IW campaign, or most of what we might have to deal with in terms of strategic IW attacks during the current crisis.

The tiger team judged that the tactical warning/attack assessment (TW/AA) problem to be extremely difficult. In approaching this issue, they concluded that existing legal constraints or impediments to this problem might be removed in crisis in order to have any hope of improving the TW/AA situation.

The recommendations of the ARPA tiger team in terms of possible near-term technical responses to these tactical warning/attack assessment (TW/AA) IW-related problems are as follows:

TW/AA Issues
Recommended Technical Response Possible Implementation Obstacles
1. (re Tactical Warning)
  • Place automated software "backtrack" programs in those information systems that have already been subject to attack and at other likely targets,
  • Begin emergency development of a tactical warning and attack assessment scheme based on the follow design philosophy and system components:
Legal challenges
2. (re Attack Assessment)  


You expressed particular concern about the domestic political impact, and thus the broad political-military impact in the crisis, of successful strategic IW attacks against key elements of the U.S. NII--and the resultant loss of the national sanctuary that the American people have enjoyed for nearly two centuries.

With this perspective in mind, the tiger team looked at possible near-term measures to enhance the security of the key elements of the U.S. NII relating to: (1) the PSN, (2) the transportation system, (3) the electric power grid, and (4) the oil and gas pipeline system.

The recommendations of the team in terms of possible near-term technical responses to possible strategic IW attacks on the U.S. NII are as follows:

U.S. NII Strategic IW Attack Issues
Recommended Technical Response Possible Implementation Obstacles
1. (re the PSN)  
2. (re Transportation Systems)  
4. (re the Electric Power Grid)  
5. (re the Oil and Gas Pipeline System  


Our European allies and regional coalition partners Saudi Arabia and Egypt appear already to be in the throes of some kind of strategic IW campaign designed to weaken their resolve in the crisis.

The approach that the tiger team took to this problem was as follows:

  • Look for technical solutions to the vulnerability of the Saudi PSN sufficient to insure that the Saudi government could maintain a limited but high-confidence communications network for the country as a whole.
  • For other elements of the Saudi NII and the Egyptian and European NII's look for general technical solutions to enhance the survivability and overall viability of key information systems.

With this approach the recommendations of the tiger team in terms of possible near-term technical responses to possible strategic IW attacks on the NII's of U.S. European allies and coalition partners are as follows:

Allies/Coalition Partners NII Strategic IW Attack Issues
Recommended Technical Response Possible Implementation Obstacles
1. (re the Saudi PSN)
  • Make emergency modifications to U.S. dedicated secure communications equipment so that it can be given to the Saudis now, but selectively disabled at a later time of our choosing.
  • Assist the Saudis in fencing off selected PSN circuits.
2. (re other NII Systems of European Allies and Coalition Partners)
  • Send a crack team of computer security specialists to work collectively with our allies on all key software system and application code controlling major rail, pipeline, telecommunications, and power grid systems.
  • Offer use of U.S. "server" computer systems containing substantial firewall software to help isolate key European information system connections through which IW attacks may be launched.

Recent Developments



The following is a synopsis of developments in the crisis since the initial report you were given.

MAY 20

In the United States

On the morning of May 20th the U.S. Senate passed a resolution supporting the President's decision to send troops to the Gulf. The margin of victory for the Administration was two votes.

That morning the automatic tellers of the largest bank chain in Georgia malfunctioned with bank clients being debited and/or credited thousands of the dollars after each ATM transaction--leading the bank to shut down its ATM network. Bank officials stated that it must have been "an inside job" since they had recently installed a new release of the ATM software about three weeks ago and suspected a logic bomb triggered by some means.

Early that afternoon the CNN news center feed out of Atlanta was intermittently off the air for twelve minutes.

On May 20 DoD discovered that the computer data base for the Time Phased Force Deployment List (TPFDL) had become plagued with "corrupt data." The JCS IW planning cell's initial report on the problem indicated that a computer worm--origin uncertain-- had likely been unleashed inside the TPFDL software through a personal computer temporarily linked to the TPFDL system running popular commercial off-the-shelf database software with a known security flaw.

MAY 21

In the United States

On the morning of May 21 the U.S. Ambassador in Egypt notified the Secretary of State that the President of Egypt had become "very concerned about Iran's capacity to cause economic and political damage in Egypt."

That morning the Pentagon first revealed their concerns about delays in military deployments to the Gulf due to IW attacks on the local area networks and phone systems of a number of key Army and Marine bases.

Early in the afternoon of May 21 a new Continental Airlines AB- 340 making a final instrumented approach to O'Hare International Airport suffered a massive malfunction in its flight deck avionics and minutes later crashed in a residential area killing all 236 passengers and crew and 36 people on the ground.

Later that day the FAA grounded all late model AB-340 and 330 aircraft on the basis that the flight control software might be infected by a sophisticated logic bomb.

That evening the Justice Department reported the interrogation of two suspects at a San Antonio, Texas software firm which had provided the most recent update of the AB- 340 flight control software. (Both had recently received large cash payments through a Swiss bank.) Although the source code for the flight control software had been checked line-by- line before installation, the two suspects apparently had access to the compiler, and presumably modified it to cause unauthorized actions in the compiled control software.

The May 21 CPP "anti-intervention" demonstration in Washington drew a crowd estimated by the U.S. Park Police at over 400,000. Many other well-attended demonstrations in both large and small cities across the country were also organized via the Internet.

MAY 22

In the United States

At an NSC Meeting early on the morning of May 22 the President was briefed on:

  1. Operation IRON LANCE - an all-out preemptive air and missile strike against Iranian conventional forces threatening Saudi Arabia and
  2. Operation FORCE FIELD - a theater-wide command and control attack plan.

A highly contentious debate on both operations followed but no decisions were taken on either operation.

In Saudi Arabia

At 1920 local time (1220 EDT) on May 22, the news anchors of the two Saudi government TV networks were suddenly replaced by the face of the head of the CIRD Council who called on the citizens of Saudi Arabia to overthrow the monarchy. Large scale demonstrations against the Saudi monarchy began shortly thereafter in Riyadh, Jiddah, Mecca, and Dhahran.

That same day the Saudi public switched network began to fail again. The failure was attributed to unauthorized modification of the system through trap doors in the logic controlling its switches - which were very similar to those found earlier in the failure of the Saudi PSN." (The Saudi telecom system was purchased from the same company supplying approximately 30% of the U.S. PSN.)

By that evening the self-described "Provisional Islamic Republic of Arabia" had seized power in Dhahran and Mecca.

That evening saw the beginning of heavy fighting in Riyadh between security police and members of the National Guard which had pledged their loyalty to the new Provisional Islamic Republic. Within hours the U.S. Ambassador reported that fighting was spreading rapidly throughout the city and that a coup attempt was underway.

MAY 23

In the United States

On the morning of May 23 the CJCS reported to the SECDEF a "full-scale IW attack" by unknown sources against almost every U.S. military base involved in GREEN HORNET and SILVER SABRE. His report also stated bluntly that the TPFDL was "a goddamned mess" and that he had "no idea" what kind of GREEN HORNET schedule was achievable."

At a mid-morning Atlanta news conference the members of the "Executive Council" of the Consortium for Planetary Peace announcing that the CPP was "mobilizing all of its chapters to conduct civil disobedience actions to stop the U.S. Government's mad dash to war to save an undemocratic and failed Saudi regime."

At 1230 EDT on the 23rd the Chicago Commodity Exchange experienced its wildest fluctuations in history and halted trading on the grounds that the Exchange was apparently being subjected to a powerful form of electronic manipulation by unknown parties.

In mid-afternoon the entire phone network in the Washington/Baltimore region including local cellular systems failed. The attack was attributed to trap doors not unlike those that caused the earlier PSN failure in Saudi Arabia. Preliminary indications were that only 70% of the switches were disabled, but that remaining carriers and switches could not handle the additional load.

At 1700 EDT the President asked the National Security Advisor to arrange an NSC Meeting for the next morning so he could "assess the overall situation and especially our defensive IW prospects" in order to decide on "next steps" in the crisis.

It is now 1900 on May 23, 2000.

STEP TWO: The Day Before...


How to Proceed

  1. You will have a total of two hours for STEP TWO --roughly 10 minutes for reading and the remainder of the two hours for deliberations.
  2. The time period is the very near future--say the late spring of 1996.
  3. You are again in the role of a top advisor to the Director of ARPA, preparing him for a meeting with the Secretary of Defense on a national R&D investment strategy for information systems security and related issues.
  4. The Chair will lead a discussion that moves through the tasking described in the Decisions to Be Made section to the right--which follows essentially the same basic process as the previous two steps.

Decisions to Be Made

1. Issues and Options

The objective of the meeting with the SECDEF that the Director of ARPA will attend is to formulate both U.S. and Defense research strategies addressing a set of near-term issues that have emerged from a study commissioned by a Presidential Review Directive on: (1) threats to national security and safety arising from the evolution of new information warfare (IW) techniques and (2) means that can be used to help counter those threats.

The staff-prepared Draft Memo for the Secretary of Defense (on the pages immediately following) is designed to serve this purpose.

Under the guidance of the Chair, the group should discuss this Draft Memo and expand and modify it as judged appropriate.

2. Recommendations

When the group settles on the material to go forward to the SECDEF, it should attempt under the Chair's leadership to see if it can reach consensus on a recommendation on the issues in the Draft Memo--keeping in mind that consensus is not necessarily expected; the SECDEF invariably will have to make some decisions.

When it is clear to the Chair that there is a division of views on an issue, vote on the options still on the table and record the vote.

Draft Memo for the Secretary of Defense

Advanced Research Projects Agency

xx XXXXXX 1996

MEMORANDUM FOR: The Secretary of Defense

FROM: Director, Advanced Research Projects Agency

SUBJECT: A Research Strategy Addressing Threats to National Security and Safety from New Techniques of Information Warfare

This memorandum presents discussion issues for the meeting tomorrow on a new R&D investment strategy for DoD and the nation as a whole to respond to threats to national security and safety arising from the evolution of new information warfare (IW) techniques.

The recently completed interagency study on this subject emphasized that our national interests are increasingly dependent on a set of information systems critical not only to U.S. military operations but also more broadly to U.S. health, safety, and commerce. A range of critical U.S. information systems appear to be vulnerable to a spectrum of possible IW attacks, including disruption and denial of service, implanting false data, covert installation of harmful programs (e.g., viruses), and the outright theft of information. Unlike other threats to U.S. national security, the "cost of entry" to potential attackers is extremely low, enabling attacks to be initiated by a wide range of sources including other nations, "hackers," terrorists, zealots, disgruntled insiders, criminals, and commercial organizations.

Because of the unconventional nature of this new strategic threat, it is increasingly clear that traditional R&D approaches are not fully appropriate to assessing risks and devising counters to specific threats.

Another problem is that "cyberspace" transcends our national borders and has traditionally been a forum exhibiting and facilitating freedom of interconnection and expression. There are no current regulations or licensing provisions governing who can connect to the Internet, much less government-mandated systems and security provisions. This raises questions as to how aggressive the U.S. can or should be in pursuing the imposition of restrictions or technical solutions on cyberspace.

The set of research approaches set forth below attempt to give structure and clarity to several key facets of this complex problem that would appear to warrant near-term attention.


In the items below we have identified several key issues that relate explicitly to the overall question of investment strategy.

1.1 Commercial Software

Although substantial security techniques and devices have been developed, by and large they are not incorporated in the widely used commercially available operating systems and programs (e.g., Windows 95; commercial UNIX systems). To be effective, existing technology and procedures should become widespread.

What steps should the U.S. and DoD take to ensure that known security technology becomes embedded in widely-available commercial operating systems and applications?

__________ A. Assure that key developers of commercial software are part of the development process for new security technology;

__________ B. ______________________________________


__________ C. ______________________________________


The ARPA recommendation is that we pursue Option __________________.

Possible implementation obstacles for this option: ________________________________________________

In addition (on the matter of commercial software issues) ARPA recommends:






1.2 Minimum Essential Information Infrastructure

Broad benefits have been derived from the open information architecture and information-sharing that has to date characterized the evolution of the NII and the GII. Retaining these benefits, while meeting the critical needs of cyberspace safety and security, poses a major challenge.

In this context a key issue for near-term decision is whether to launch an effort to establish a Minimum Essential Information Infrastructure (MEII) to meet a variety of national security emergency preparedness needs--for example, ensuring that regional force deployments that depend heavily on the operations of segments of the NII are resilient to attack. Such an MEII would be analogous to the Minimum Essential Emergency Communications Network (MEECN) that was designed to insure the execution of U.S. nuclear war plans.

There are, however, serious questions as to whether key NII infrastructure components are too interdependent to isolate a manageable subset as "minimum essential." One approach to this problem might be to select the parts of the NII most critical to military and civilian operations and then defending them by whatever means appropriate and affordable. As an example, a portion of the infrastructure might be placed on dedicated fiber optic cables with protected input/output switches procured by the Defense Department to ensure essential point-to-point communications to enhance force deployment capabilities. In addition, modifications to existing laws might allow cooperation between the intelligence community and domestic law enforcement agencies to improve the gathering of intelligence on U.S. citizens who operate in cyberspace performing actions counter to U.S. national interests--or imposes some protection standards. Another component might be a tax incentive to encourage commercial firms to cooperate with U.S government-led protection processes and encourage development of rapid reconstitution capabilities.

The most promising strategy for the U.S. to pursue in developing an MEII would be:

__________ A. Select some subset of existing telecommunications links to be hardened or specially protected in some manner.

__________ B. Create a separate secure U.S. backbone telecommunication structure to which critical communications may be diverted in an emergency.

__________ C. ____________________________________


__________ D _____________________________________


The ARPA recommendation is that we pursue Option _____.

Possible implementation obstacles for this option: ______


In addition (on the matter of an MEII) ARPA recommends:






1.3 (Subject) _______________



__________ A. ________________________________


__________ B _________________________________


__________ C. ________________________________



2.1 Tactical Warning and Attack Assessment (TW/AA)

Information and telecommunications systems--and systems dependent on them--sometimes fail, either catastrophically (e.g., the "Northeast blackout") or more narrowly (one major carrier's long- distance lines were once unavailable for 6 hours). Earthquakes, hurricanes, tornadoes, and other natural phenomena cause disruptions. Given normal exigencies, it may well be difficult to tell whether the U.S. is being subjected to a coordinated IW attack. We should have warning regarding whether we are under attack, and if so by whom.

The following are some possible approaches to TW/AA.

__________ A. For critical national information systems, mandate the generation of unassailable audit trails recording transactions passing through key nodes, supplemented by "expert systems" or other agent-type software continuously monitoring for unusual patterns. Automatically report unusual data to a central "clearing house" node for higher-level pattern analysis and interpretation.

__________ B. Significantly expand the concept of CERTs (Computer Emergency Response Teams) to cover all key national information systems. These provide human analysis and interpretation of events as they are reported by automated information-gathering nodes and reporting by systems administrators.

__________ C. ____________________________________


__________ D _____________________________________


The ARPA recommendation is that we pursue Option _____.

Possible implementation obstacles for this option: ______


2.2 People and Procedures as the Weak Link in Security

Substantial research and development programs in computer and network security have been undertaken--by ARPA and others--over the past 20 years, yet the vast majority of computers and networks in use within the U.S. and its information infrastructure are insecure. Reasons for this include: (1) inertia; (2) lack of perception of a problem--benefits do not appear to outweigh costs for any individual site or organization; (3) no central point of control; (4) lax operational procedures, including physical security.

If we are to have greater information assurance in our systems, in addition to addressing technical solutions these "people and procedures" aspects of the problem must also be addressed as well as technical solutions:

__________ A. Substantially greater programs in education and training of system operators and users;

__________ B. "Make 'em feel it." Develop, support and encourage "red-teams" to attack key portions of our national information infrastructure to demonstrate security flaws in systems and operational procedures, with ensuing embarrassment and possible sanctions for those found inadequate;

__________ C. ____________________________________


__________ D _____________________________________


The ARPA recommendation is that we pursue Option _____.

Possible implementation obstacles for this option: ______


In addition (on the matter of people and procedures issues) ARPA recommends:






2.3. (Subject)_______________



__________ A. ________________________________


__________ B _________________________________


__________ C. ________________________________


3. R&D Program

In the items below we have identified several possible new R&D initiatives (or new R&D priorities) to enhance information systems security.

3.1 Trusted Insiders

Trusted insiders are a particular security problem. For less than the cost of a major, targeted computer and network hacking/cracking campaign, it may often be possible to "buy" the services of a disgruntled trusted insider who already possesses the needed passwords, physical access codes, and knowledge of operating procedures.

The basic options for countering this weakness in many infrastructure information systems are:

__________ A. Work toward creating systems that are autonomous and require many fewer "insiders" for their operation;

__________ B. Research on "tamper-proof" audit trails and system monitoring devices that cannot be bypassed or defeated by an insider, and will provide warning and evidence of any wrongdoing;

__________ C. ____________________________________


__________ D _____________________________________


The ARPA recommendation is that we pursue Option _____.

Possible implementation obstacles for this option: ______


In addition (on the matter of trusted insiders) ARPA recommends:



3.2 New Security Techniques

Existing information security techniques (firewalls, encapsulation, multi-level secure operating systems, passwords, etc.) are not widely and effectively employed throughout the key national information systems or in mass-market commercial operating systems and networks, and they are viewed as difficult to use. (The two factors are of course not unrelated.)

There may be fundamentally new techniques upon which the U.S. might base the security of its information infrastructure. Possible examples might include: (1) a "biological immune system" metaphor (currently being explored by some scientists) in which systems have both "barrier" (e.g., skin, cell membrane) defenses and "active" defenses (e.g., generating antibodies tailored to antigens); (2) Detection and rapid recovery; bad things--foreseen and unforeseen--will happen to information systems, rather than protecting against all foreseen dangers, concentrate on designing systems that recover fast enough that ill effects from their downtime or disablement are not severe.

The possible new techniques that the U.S. might explore in pursuit of a breakthrough in national information infrastructure security are:

__________ A. ____________________________________



__________ B _____________________________________



The ARPA recommendation is that we pursue Option _____.

Possible implementation obstacles for this option: ______


In addition (on the matter of new security techniques) ARPA recommends:






3.3. (Subject)_______________



__________ A. ________________________________


__________ B _________________________________


Appendix A