RSAC A malware-laced USB stick, inserted into a military laptop at a base in Afghanistan in 2008, led to what has been called the worst military breach in US history, and to the creation of the US Cyber Command.

The laptop was attached to the Department of Defense's Central Command network and the malware - which had been planted by suspected Russian cyber spies - soon infected other DoD systems, both classified and unclassified. 

"These are the warfighting networks that we're using for US Central Command," recalled retired Army general Paul Nakasone, who spent about six years as commander of US Cyber Command and director of the National Security Agency. 

The Pentagon saw this as a wake-up call that it needed to prepare for cyberspace being used as a battlefield, and started Operation Buckshot Yankee to rid the Department of Defense networks of the malware - a process that took over a year.

US Cyber Command was established as a sub-unified command a year later, and in 2018 it became an independent unified command as the offensive arm of the United States' digital military.

At the RSA Conference in San Francisco on Wednesday the four individuals tasked with developing this battle plan for the digital era reunited on stage for the first time in 15 years to talk about building US Cyber Command from the ground up.

The so-called Four Horsemen of Cyber - Nakasone, Air Force lieutenant general SL Davis, US CISA director Jen Easterly, and retired US Navy vice admiral TJ White - discussed what a crisis moment this was for the DoD. It came at a time when, as Nakasone observed, high-ranking military and government officials still didn't read their email electronically. "They'd get it printed, and then read it."

So waking up to the discovery of compromised classified networks and trying to remove malware from the DoD systems was a major problem at a time when the military struggled even to understand its scope. 

"It was very, very senior people asking very, very basic questions," Nakasone explained. "Like: how many computers are infected, or where did it come from or what do we do?"

The urgency in taking action and creating what would become US Cyber Command was there, however. As White remembered: "This was a no shitter."

Easterly also recalled a "period of violence" in Iraq, where she was stationed with the US Army during 2006 and 2007, when Al-Queda was using improvised explosive devices against troops and citizens. General Keith Alexander was the head of NSA at the time, and "he really wanted to take NSA from behind the green door and make us relevant to the warfighter," Easterly said. 

To this end, the Army began using NSA officers in the field to support the combat teams. "The other thing that we were asked to work on was to stand up this capability," Easterly remembered. 

It was called RT10, and then RT-RG or Real-Time Regional Gateway. At the time it was classified, but has since been opened to public view. 

"What it was supposed to do was to take all of the communications in-theater that insurgents were using, in particular to plan and operationalize these attacks - whether that's satellite, or cell phone, or reporting from troops on the ground - and integrate them, and enrich them, and correlate them so we could illuminate terrorist networks," she explained. "Not in days or weeks, but in hours and minutes."

The four also had to convince the DoD to sign on to this new idea of warfighting in cyberspace. "We started with a narrative," Nakasone said - and for that had to learn "cyber storyboarding." 

This involved flying to Hollywood and employing a graphic artist to help the team create a storyboard and video, which they then carted around to military officials to convince them of the need for a US Cyber Command. 

We're told the story involved a gated housing development, and explained why securing the community involved more than simply locking windows and doors on houses. The storyboard, tragically, remains classified. Easterly told the audience she's hoping it will soon be declassified. We are, too. ®

https://www.theregister.com//2024/05/10/dod_usb_attack/