Pacific Command recently played a series of wargames on a 7-inch-high box with NATO and other international partners to intentionally scramble communications, according to contractors that provided the equipment. The chassis, or case containing circuit boards and wiring, comes prepackaged with infections that hurl torrents of malicious traffic and imaginary users at communications systems. The goal of this exercise is to ensure participating nations and humanitarian organizations stay in contact with one another during crises.
In other classified simulations, the military and intelligence agencies upload code into the chassis -- without sharing the code with manufacturer Ixia Breaking Point -- to recreate sophisticated viruses already targeting the government that agencies don’t want to tell anyone about.
“The exploits, many of them, are public . . . [But] if they have collected that attack in the wild, they have the ability to replay that attack within their device. So, we at Breaking Point, don’t have to know what it was,” said Tom Taschler, the company’s assistant vice president of federal sales. Pentagon officials have indicated they test undisclosed worms, company executives said.
One of the most recent public exercises took place in August at Changi Naval Base in Singapore. Among the players at the Cyber Endeavor workshop were representatives from militaries of more than 20 countries, including Bangladesh, Cambodia, India, Japan, Republic of Korea, and Vietnam. The U.S. European and Cyber Commands conduct similar tests using the boxes. The devices are sold to the government for between $150,000 and $500,000, including technical support.
In general, the simulations involve a red team of hackers, a blue team of cybersecurity experts, and a green team of non-technical personnel just trying to communicate with one another. The blue team monitors vital statistics about the system under attack, such as the resiliency of the network.
One type of scenario, called “fuzzing,” helps the network defenders find unintentional flaws in otherwise safe software programs. Fuzzing spews random information at software, while security specialists monitor the program for signs of failure. “It purposely mangles it. It purposely messes it up,” said Pat McGarry, an Ixia systems engineer. “It’s a great way of finding zero days for example,” referring to the slang term for previously unknown software bugs. If the software stops responding, that indicates there is a vulnerability hackers could exploit.
Attackers practice fuzzing to find holes too, McGarry acknowledged. He claims, however, that his firm’s test code is too complex for hackers -- even state-sponsored adversaries -- to emulate. But McGarry admits there is a chance that nation states prohibited from buying the product, such as Iran, can smuggle it in. “There is a possibility that they could use us illegally. If they can get it off the black market, we can’t stop them,” he said.
Scott Griffin, Pacific Command’s technical director for multinational communications interoperability program, said in a statement that Ixia’s “hands-on facilitation” with the red, blue and green teams “further developed capacities of the participants to maintain and defend critical network infrastructures during humanitarian assistance and disaster response.”
Federal agencies likely run cyber wargames on the boxes weekly, company executives said. “Many of them are classified in nature. Some of them -- we’re not sure they are even happening,” Taschler said. The Defense Advanced Research Projects Agency, the Pentagon’s technology incubator, replicates large-scale network attacks at a national cyber range. Ixia’s chassis is not a part of the DARPA program.