On my LinkedIn profile, there’s a blurb in my bio that
generates some fun conversations. That
blurb is: “In 1988, he hacked into the
national nuclear warning system from a public pay phone.” At the request of several friends and
colleagues, here’s the story behind that blurb…
From 1983-1991, I was an information systems officer in the
US Air Force, the last two years of that in the reserves. My entire career was centered on nuclear
warfare operations, supporting what was then known as the Strategic Air Command
(SAC). The pinnacle of that job was
serving as a member of the battle staff on an aircraft known as the Looking
Glass. There were 14 of us who
functioned as airborne CIOs, primarily managing the battle staff information
systems on the plane and the vast array of information systems that were ground
and space-based, associated with nuclear warfare. As an Airborne Launch Control Officer, the
CIO was also responsible for “turning keys” with the Operations Controller to
launch all 1,000 nuclear ballistic missiles in the US inventory. Lynda Sabin, to this day a dear friend, was
also one of those 14 officers and now she, too, is in healthcare
analytics. Interesting coincidence. The Wikipedia write-up is available here, but in
short, the Looking Glass aircraft and battle staff were responsible for
assuming command of all US nuclear forces in the event of war, and managing
that war from the safety and survivability of the air-- in a nuclear war, not
much would be left of ground-based command centers like the Pentagon. The Looking Glass was the anchor in a larger
“World Wide Airborne Command Post” organization that consisted of numerous
aircraft operating from bases around the world that were connected by a global
wireless network.
That global wireless network between the orbiting aircraft
was also connected to wireless ground entry points that were managed by
AT&T. These ground entry points took
our wireless signal for voice and data traffic and routed it via landlines to
SAC and other military forces, as well as the White House. There were two very critical voice
conferencing systems that operated on isolated AT&T ground networks: the SAC Operational Conferencing System (SOCS,
pronounced sox) and the Joint Chiefs of Staff Alerting Network (JCSAN,
pronounced jay-san). SOCS was the voice
conferencing system used primarily to manage SAC nuclear forces in the event of
an emergency—i.e., Air Force bombers, cruise missiles, and intercontinental
ballistic missiles. JCSAN was the voice
conferencing system used to manage nuclear and other military operations from
the Pentagon, including the nuclear forces associated with the Army and Navy,
but Air Force, too. AT&T provided
the circuits and technical support for each of these physically isolated and
independent networks.
As those who have served will attest, life in the military
can be summarized as hours and hours of pure boredom interrupted by moments of
sheer terror. During those hours of
boredom, I would read and study everything I could find—the latest intelligence
reports, force status reports; military plans, especially the President’s
“Black Book” and the Single Integrated Operational Plan, or SIOP, which were
the massive handbooks for nuclear warfare and reconstitution of US society
after a nuclear exchange. I would also
study the configuration of the information systems that we were tasked with
managing, and along with our IS teams, we would quiz each other on the trivia
and nuances of those configurations.
SOCS and JCSAN were supposed to be physically separate
networks from AT&T’s public telephone switching systems. All three—the public telephone network, SOCS
and JCSAN were supposed to have an “air gap” between them. Under certain emergency situations, the air
gap could be manually closed, like patching two servers together or bypassing a
firewall with a hardwire connection. The
air gap and physical separation were a very deliberate design. SAC had its need for a conferencing system to
manage SAC-specific issues and the Pentagon had its need for managing more
global issues across all of the military branches by using JCSAN. In the worst
case communications scenario, if the President or National Command Authority
needed to communicate to military forces from a public telephone, the public
telephone network could be manually connected to JCSAN and SOCS. Like a separate highway, AT&T’s publicly
switched telephone networks were supposed to be completely separate from both the
SOCS and JCSAN, with the exception of a drawbridge that could be lowered in an
emergency to allow traffic to travel among the three. But, over a period of several months studying
and quizzing members of my IS team, I saw what I thought was an oddity in the
design of the AT&T networks that could allow public access to the SOCS and
JCSAN networks-- a backdoor that was open… a drawbridge that was already
lowered.
For several of those boring nights aboard the Looking Glass,
I studied the JCSAN, SOCS, and private telephone network configurations and
occasionally talked to AT&T engineers in the ground entry points, asking
them questions that focused on the oddity that caught my attention-- I see a
way to connect AT&T’s public telephone system into the JCSAN, without
manual intervention—without the patch cord across the air gap that separated
them. No, that’s not possible. Naturally, when you start to see something
like I was seeing—when the pattern in the puzzle first emerges-- you can’t
believe what you’re seeing. You keep
telling yourself that you misunderstand something… surely it can’t be so. And
that’s what I did for weeks… I wrestled in disbelief.
I mentioned what I thought I saw—this backdoor-- to a few
colleagues and teammates, but none of them really took it seriously because
even I didn’t believe it completely. But
the more I thought about it, the more I looked at the puzzle, the more I was
convinced that the backdoor existed. My
mind wouldn’t let it go… and there was only one way to confirm it or prove that
I was wrong—try to hack the backdoor. If
I were right and the door opened, it would mean uncovering a big stinky mess
associated with one of the most important information systems assets in the US military. The JCSAN was connected to the “red phone” in
the Oval Office and Situation Room. If I
were wrong and the hack failed, it would go unnoticed—a failed hack of no
significance. But that’s not something
you “just try” in the military as a young officer. If you uncover that big stinky mess, it’s
going to splatter on a lot of people’s toes, all the way up the ladder. But if I didn’t uncover it and reveal the
problem, what if someone else did? What
if one of the “bad guys” found it and kept it a secret until there was a
national emergency… and then they exploited it and disrupted our ability to
manage US nuclear forces? This was in
1987 and ’88, when the Cold War was on steady simmer and the stability of the
Soviet Union was just beginning to unravel. We weren’t sure who would be in charge of
Soviet nuclear weapons nor what their state of leadership mind might be. And I was only 28 years old at the time… it
was a stressful burden and decision at a young age, but in a twisted way, the
burden was captivating.
One night, at the conclusion of a Looking Glass flight, a
group of us from the battle staff went to a local watering hole—Gilmore Lake
Tavern—near Bellevue, Nebraska, not far outside the gates of SAC Headquarters
in Omaha. During idle conversation over
beer, I mentioned finding what appeared to be a backdoor to the JCSAN, through
the public telephone network. To some of
the teammates at Gilmore’s Tavern that night, it was old news—I had told them
before—and they lightheartedly dismissed it.
To other teammates, it was just another crazy scheme from The Beave
(they nicknamed me The Beaver, as in Ozzie and Harriet’s son, because of the
1950’s flattop haircut that made me look more like 18 than 28 years). Major Chuck Horton, a dear friend, laughed and
bet me a pitcher of beer that I was wrong.
No way was there a backdoor to the JCSAN. It’s time to put The Beave’s rumor to rest. Put up or shut up Sanders. Open the door or quit talking about it.
I didn’t respond for a few minutes, percolating on whether
it was worth calling his bet or not. A
pitcher of beer was meaningless; the challenge of the bet was about the risk of
adventure. While I percolated, so did the
beer that I’d been drinking and the liquid courage soon overtook the
inhibitions.
The dialing sequence to the backdoor was in the breast
pocket of my flight suit. I’d been
carrying it around with me for about a month.
I pulled it out, looked at Horton and said, “OK, here we go. Let’s see what happens.” He laughed and stayed in his chair. No one else at the table was paying much
attention. I walked across the bar to
the pay phone, put in a quarter, and started dialing the sequence, traversing
my way across AT&T’s publicly switched network. Click, click, click… I would enter a public network
switch, get a dial tone, and dial into another.
As I recall, I traversed about 12 switches and networks.
And then I reached what I predicted was the backdoor—the
switch that bridged the public telephone system with JCSAN. I paused like I was standing in front of a
real door, stared at it, took a breath, and dialed the last sequence. If the sequence was wrong, I would get
another dial tone into an unknown switch, like opening a door into an empty
room; or I would get a trunk busy signal indicating a dead end…the dead end air
gap between the public system and the JCSAN.
If the door opened, I would set off a worldwide alert, known as a warble
tone, in all of the US military’s major command centers, including the
Pentagon. The battle staffs of those
command centers would pick up their “red phone”, join the conference call, and
prepare to receive emergency action messages (EAMs) or other instructions from
the Joint Chiefs of Staff or National Command Authorities.
A warble tone went off.
The backdoor was open. The
command centers started answering—This is NORAD. This is NMCC. This is CENTCOM. This is Space Command…and so
on.
I wasn’t prepared. I
hadn’t actually thought completely through the scenario—“What if the door
opens?” I sat there with the black handset
from the Gilmore Lake Tavern phone in my hand, pressed to my ear, stunned for a
few seconds, speechless. I looked across the bar at Horton and mouthed the
words, “Holy &#*%!”, my eyes wide open. He leaned forward in his chair with
a frown of concern. Then I silently mouthed
a second time, “Holy &#*%!”. Horton’s
jaw dropped and his eyes popped.
A waitress walked by, glanced and smiled at me and then
Horton, wondering about the exchange of all the odd facial gestures. She looked back at me quizzically and paused
just long enough to become a party to the event that was unfolding. I reacted instinctively, like a 12-year-old
caught red handed in a serious prank—and handed the phone to her.
She looked at me, “What…?
Who is it? What do you want me to
do?”
I said the first thing that popped in my head.
“Say ‘Hello, General’.”
“Say ‘Hello, General’?”
“Yes, say ‘Hello General’.”
And that’s what she said, “Hello General”. Her voice came across loud and clear to every
US major command center and nuclear battle staff in the world. I grabbed the phone back, now in a panic, and
stuck it to my ear. My mind racing with
oh my god, what have I done?? There was
total, stunned silence on the other end.
After a few seconds, someone finally asked, “Who is this? Who convened this conference?”
Slam. I hung up the
phone and stood there staring at it.
Sanders, you’ve gone a little too far this time, was the voice inside my
head. The waitress asked me, “Who was
that?” but I couldn’t respond. I looked
at Horton and shook my head, side to side.
I walked across the bar, back to the table, slowly, eyes wide, mouth tightly
closed.
“It worked”, I told Horton.
“No way”, he said without excitement, only stern denial.
“Oh yes—it worked.”
I told him what happened.
He responded, “You can’t tell
anyone you did this. Don’t say a
#$%&* word about this to anyone!”
It was a sleepless night, excited like an explorer who
stumbled on an important but forbidden discovery. I wanted to talk about it, but knew quiet
discretion was the wiser choice.
The next day, “the incident” was the topic of discussion all
over our squadron, and apparently SAC headquarters, too.… and probably all over
the military command centers and the Pentagon, as well. A few of my SAC and Looking Glass teammates
knew that I had been talking about this backdoor for quite some time. They knew it was most likely me behind the
incident—they would glance at me in a knowing way-- but they didn’t say a
word. A formal investigation was
launched. I wasn’t involved in the
investigation, nor was I quizzed or implicated.
To this day, I don’t know what became of the situation. I heard that AT&T was summoned to explain,
but I don’t really know. I purposely
laid low, no interest in attracting attention to myself, but rather satisfied
in the confidence that the backdoor would be closed.
I never had any interest in testing the backdoor again,
assuming that it had been closed, but also feeling like I’d used one of my nine
lives the first time-- no need to risk another. Over time, as the seriousness
of the incident subsided and the military became more concerned about other
matters, such as the demise of the Soviet Union, the incident became more
openly discussed, often times with a sense of humor about a significant but
ultimately harmless caper. I didn’t openly
discuss and fully admit to being the culprit until a couple of years after I resigned
from the Air Force and was working for TRW where the incident became a small
badge of honor among a cult of similarly mischievous “kids”. Later, our team at TRW, led by Ron Gault, was
hired by the National Security Agency to conduct counter espionage and threat
analysis on the entire US nuclear command and control system; those hours of
boring study on the Looking Glass paid off nicely under the NSA project.
There are pros and cons to an obsessively curious
personality. I’ve had an interesting
life because of that curiosity, but it can push you to the borders of trouble,
too. In this case, it was more than
curiosity that pushed me into the incident.
I couldn’t stand not knowing if that backdoor would open or not, and my
somewhat impetuous side pushed me to indulge that curiosity in a very unusual
setting—Gilmore Lake Tavern. It would
have been just as easy to test the backdoor in a controlled and official Air
Force setting, which crossed my mind. But,
the sense of adventure in opening that door by myself, without any supervision,
was far more appealing. The color in
life comes from unusual events and settings.
As the janitor for the Liberty Bell museum in Philadelphia told me one
time, “If it weren’t for the crack, it would just be a bell and it wouldn’t
mean a thing to nobody.”
Sometimes, if life doesn’t do it for you, you have to put a
crack in the bell. :)