The Internet had been brought to its knees. In 1988, a computer program written by a graduate student named Robert Morris snaked its way across much of the early Internet. The so-called Morris Worm infected and crashed anywhere from one-sixth to one-third of all computers connected to the Internet, according to a Government Accountability Office report from the time.
Shortly after the worm’s demise, a young Air Force officer named Lee Sutterfield left San Antonio for a closed council in California on lessons from the attack. The virus had been defeated, but the response had been piecemeal. Sutterfield, along with his boss, Greg White, listened as experts from across the country spoke of the need to work together on cybersecurity.
Sutterfield and White returned to San Antonio’s Security Hill believing that the Air Force needed a team of its own to take on hackers and other threats. What happened next at Security Hill gave birth to the Air Force Computer Emergency Response Team, revolutionized how the military saw cybersecurity and led to an intrusion detection system that shaped the growing Internet.
The Internet in the late ’80s was like the Wild West, with tech-savvy pioneers rewriting rules as they went. This held true even in the Air Force. Sutterfield, called a “free agent” by those nominally in charge of him, was someone known as an evangelist for change. He and White spent hours talking about how the Air Force needed to change its cyberstrategy.
“It was really only just a few of us here,” Sutterfield said. “We were tasked with writing the next generation’s policies for the Air Force. What was in place was not working well.”
“If we owned the world, how would we construct this?” White recalled being asked. “If we were in charge, how would we do it?”
The problem: Air Force cybersecurity remained analog. Regulations focused on keeping doors locked to the computer room, not on protecting the actual data on those computers.
“Invariably, something is going to happen,” White said. “And when that happens, you need to detect when prevention failed, and you need to be able to respond to that in real time.”
Fred Ramirez, one of many Hispanic administrators on Security Hill at the time, likened the Internet to an apartment complex attacked by robbers. He said asking each resident to lock their own doors was wishful thinking. Instead, the Internet needed alarm systems and security guards.
The Air Force Computer Emergency Response Team, created in the wake of the Morris Worm, would be the service’s Internet security response, its “A-Team,” its “Avengers.” The team aimed to monitor anomalies, track patterns and then deploy and destroy threats. Young officers such as Toney Jennings, who was slated for a tour at a missile silo, were instead sent to Security Hill to develop Air Force cybersecurity.
“There was nothing to go by,” said Raul Salas, one of Sutterfield’s bosses. “We knew we had responsibility over the entire Air Force, to protect its systems. How are we going to do that?”
AFCERT found its first test in the summer of 1990, when Sutterfield got a call from the FBI. As the Gulf War loomed, hackers had attacked Army and Air Force computers. The FBI called the AFCERT in San Antonio and asked for help in its investigation.
The hackers, according to the FBI, followed certain patterns. The attacks began in April 1990 and ended in May 1991, according to a Government Accountability Office report. The hackers used university and government sites as platforms to enter military systems.
They found computers with easily guessed passwords or no passwords. In some cases, they found computers with hidden accounts used by contractors to maintain the computers. Once they were in, they created bogus accounts with administrator privileges.
The FBI told Sutterfield that the hackers attacked a certain type of operating system. The Internet was smaller then, just 5,000 networks used by the government and universities. Sutterfield searched for all Air Force computers using that particular operating system and connected to the Internet. There were 73.
Sutterfield wanted to know how many of these 73 computers had been attacked. He and others at the AFCERT began calling administrators at each of the systems to check for bogus accounts, according to an oral history recorded by an Air Force historian.
“We would ask them these questions and ask them to do one of two things: You either need to block this, or you … leave the accounts open and let us work with you to monitor them,” Sutterfield said.
In essence, Sutterfield was asking system administrators to run a “very crude honeypot operation.” Instead of shutting down the hacker’s activity, the AFCERT could watch what the hackers were doing and what they were after — two key pieces of information. Sutterfield said such an operation would be among the first of its kind.
“There was no precedent set for this,” said Todd Schell, an Air Force officer who worked on the case with Sutterfield. “We hadn’t detected attacks against our networks where we were watching people live.”
The risk, Schell said, was that letting a hacker run free could lead to the attack slipping out of control. What Sutterfield wanted was a big request for an organization — the AFCERT — that few in the Air Force knew about.
“Of course, we actually — literally and technically — had no authority to do this,” Sutterfield said. “No one had really authorized this.”
“We were improvising, no doubt about it at the time,” Schell said.
System after system rejected the AFCERT’s plea. When organizations found that they had been hacked, they would rather shut the attack down than let it run for data. Then, at Kirtland AFB in New Mexico, two system administrators decided to give the experiment a chance. They put their commander on the line with Sutterfield, who explained what the AFCERT wanted to do.
“He was a really smart guy,” Sutterfield recalled. “He heard us out, then he asked, ‘Who are you guys again?’”
The commander said the AFCERT could monitor the hackers on Kirtland’s systems, but if anything went awry, the whole thing would get shut down immediately. Sutterfield reassured him by saying other bases would do the same thing, which was a bluff.
“We got lucky at this one facility,” Sutterfield said. “That was our source of data.”
The two system administrators at Kirtland monitored what the hackers were doing over the next three days. They sent information, which included IP addresses and domain names, to the AFCERT, which forwarded it to the FBI.
The hacks were eventually traced to Geldrop, Holland. Investigators found that the hackers had accessed information on the Patriot missile launching system and the Tomahawk cruise missile. They learned about the mobilization of military reserves for the Gulf War. They had also entered systems at the Kennedy Space Center and the Lawrence Livermore National Laboratory.
No arrests occurred as a result of the hacks, as the Netherlands had no laws barring unauthorized computer access, according to a 1991 New York Times article.
Today, each branch of the military has its own version of AFCERT. San Antonio has the nation’s second-largest concentration of cybersecurity experts, according to Port San Antonio. It boasts the 24th Air Force, also known as Air Forces Cyber, and the Texas branch of the National Security Agency. It is also home to the University of Texas at San Antonio, which has one of the nation’s top cybersecurity programs and where White currently teaches as a professor.
“This needed to be done — this idea that we have to have an organization dedicated to cybersecurity and cyberincident response,” said Col. Brad Pyburn, commander of the 67th Cyberspace Wing at Joint Base San Antonio-Lackland.
Many of the early Air Force cyberpioneers went on to form their own company, the WheelGroup. There, they developed a product that would shape the public’s growing use of the Internet: NetRanger.
During the Dutch hacker case, the system administrators at Kirtland had to manually search for evidence of hacking. NetRanger aimed to observe attacks or suspicious activity automatically as they passed through the network.
“How can you automate that so that a computer security system would automatically catch the bad guys without a lot of human involvement?” said Jennings, the young officer who helped develop Air Force cybersecurity. “We took the experience and everything we learned from our time in the Air Force and rolled that into a commercial product.”
In 1998, Cisco bought WheelGroup, and NetRanger became the backbone of the networking giant’s intrusion prevention systems, which bolstered firewalls across the growing Internet of the early 2000s. Today, cybersecurity measures are more sophisticated, but they follow in the footsteps of NetRanger.
“I just think it was a seed that has grown into a lot of things you see in the world,” said Sutterfield, who with White was elected to San Antonio’s Cyber Hall of Honor in 2016. He called it a “seed that grew into a beautiful, big oak tree.”
Credit: J.P. Lawrence
Source: San Antonio Express News