Washington, D.C., May 3, 2017 – A Rand Corporation 1967 paper predicted many of the cyber dilemmas faced by policy makers today, and a 2017 expanded analysis of the “GRIZZLY STEPPE” hacking by Russian cyber operators disclosed key findings about the techniques the hackers used and ways to mitigate them, according to the National Security Archive publication today of 40+ highlighted primary sources from the critically-praised “Cyber Vault” at http://nsarchive.gwu.edu/cybervault.



Compiled and edited by noted intelligence historian Dr. Jeffrey T. Richelson, the Cyber Vault collection of primary sources is growing by a dozen or more documents every week, and includes the declassified briefings provided by the National Security Agency to the George W. Bush and Barack Obama transition teams in 2000 and 2009, respectively.  The collection also includes a 2016 order from the U.S. Cyber Command to set up a unit with the mission of debilitating and destroying computer and communications operations of the terrorist group ISIS.

The Cyber Vault team obtained the 2016 order under the Freedom of Information Act (FOIA).  The project has filed scores of other FOIA and declassification requests as part of a multi-year documentation contribution to the growing field of cyber studies, with the support of the William and Flora Hewlett Foundation.

The 2000 transition briefing explicitly foreshadowed the Edward Snowden controversy, warning the new White House team that the 4th Amendment-protected communications of Americans were inextricably mixed with those of foreigners on the Internet.  The 2016 U.S. Cyber Command order established a joint task force designed to bring the resources of the Defense Department, Intelligence Community, and Justice Department to bear against the terrorist group that the Trump administration has since designated its top foreign policy priority.

Cyber Vault Highlights

By Jeffrey T. Richelson

On March 30, 2016, the National Security Archive opened its Cyber Vault, a repository of documents on all aspects of cyber activity – including computer network defense (and other aspects of cybersecurity), computer network attack, and computer network exploitation. The more than 750 documents currently in the vault have been drawn from a variety of sources – Freedom of Information Act releases, websites of both U.S. federal and state government organizations, courts, foreign government organizations, NATO, government contractors, think-tanks, advocacy groups, and media websites (including Wikileaks and those that posted documents provided by Edward Snowden).

In addition to relying on a multitude of sources to populate the Cyber Vault, the Archive has sought to accumulate a diverse set of documents – which has guided its collection strategy. As a result, the Cyber Vault includes significant documents from the 1960s and each subsequent decade, on cyber organization, on policy and strategy, on domestic and foreign cyber activities, on cybersecurity requirements, and on cyber crimes and the related investigations. Also included are intelligence assessments and theses. The documents also represent a spectrum of classifications, from unclassified, to formerly classified, and – in the cases of Wikileaks and Snowden documents – currently classified documents. Many of the documents cut across a number of categories.

Among the documents represented from the 1960s and 1970s are two seminal papers.  One is Willis Ware’s 1967 effort, Secrecy and Privacy in Computer Systems (Document 1), written for the RAND Corporation, and one of the very first systematic approaches to information leakage, security, and privacy. The other (Document 2), produced by a staff member of Britain’s signals intelligence agency, the Government Communications Headquarters (GCHQ), represents the initial development of public key cryptography – although it was not declassified until years after the concept had been made public by American mathematicians.

That document is also one of several illustrating or concerning foreign government cyber efforts. A much more recent GCHQ product (Document 29) was one of the documents provided to Glenn Greenwald and Laura Poitras by Edward Snowden – a briefing on efforts to deanonymize users of The Onion Router (TOR) network, which had been developed by members of the U.S. Naval Research Laboratory (Document 32) as a means of protecting online communications. Chinese cyber organization, policy, and operations are covered, collectively, by two documents – an unclassified paper (Document 36) produced under the auspices of the NATO Cooperative Cyber Defence Centre of Excellence and a Top Secret codeword NSA briefing (Document 24) on the People’s Republic of China’s computer network exploitation activity. Current Russian cyber activities are discussed in an extract (Document 35) from the controversial “Trump Dossier,” written by a former British Secret Intelligence Service officer.

Other documents concern hostile cyber activities from an earlier era. One, from 1998 (Document 12), provides information to the then director of the FBI, Louis Freeh, on the SOLAR SUNRISE investigation into intrusions into at least 11 unclassified DoD computer systems at various locations in the United States. Another FBI memo (Document 13) concerns a 1999 investigation into intrusions into computer systems in the United States, the United Kingdom, Canada, Brazil, and Germany – an investigation which took some of the investigators to Moscow. In a newly released portion, it discusses possible responses to intrusions – including the creation of “honeypots” containing “beacon” files.

In addition to being the victim of intrusions, the U.S. has also debated and formulated policy on, granted authority over, and conducted intrusions in pursuit of national security objectives. In March 1997, Secretary of Defense William Cohen assigned the responsibility for computer network attack and exploitation to the National Security Agency in a short memo (Document 10). That spring, a senior NSA official addressed the issue of cyberwar in a Secret article (Document 11) in an NSA journal. Many years later, according to a number of accounts, U.S. and Israeli cyber personnel were able to penetrate industrial control systems associated with the Iranian nuclear program and damage centrifuges that could produce weapons-grade material. While there have been no publicly released executive branch documents concerning the “Stuxnet” operation, it has been the subject of reports by RAND and the Congressional Research Service (Document 26).

Concern over possible Russian intrusion into U.S. computer systems related to elections became a significant subject of discussion in the 2016 presidential election. Apprehensions over the possibility of such intrusions go back at least a decade. A December 2007 report (Document 20) was commissioned by Ohio’s Secretary of State, and contained disturbing results about the vulnerability of Ohio’s electronic voting systems. In the wake of a poorly-received, brief analysis of alleged Russian cyber activity related to the 2016 election, the Department of Homeland Security’s National Cybersecurity and Communications Integration Center produced a more detailed examination (Document 41) of the GRIZZLY STEPPE activity.

By the time the DHS report was issued, President Trump had been presented with a draft executive order on cybersecurity (Document 40), which would undoubtedly have been the first of a significant number of presidential actions on cybersecurity – just as President Obama had signed a number of cyber-related executive orders and presidential directives, including one (Document 34) that established a Cyber Threat Intelligence Integration Center. Ultimately, the Trump draft order became the first in a series of drafts, and no order has yet been signed.

Other highlight documents include:

    • A 1979 exploration (Document 5) in an NSA journal on computer system vulnerabilities.
    • A 1996 treatment (Document 9) of the threat to computer systems from human intelligence operations.
    • A 2001 memo (Document 15) from the director of NSA concerning a major computer outage at the agency.
    • A 2008 Director of National Intelligence cyber counterintelligence plan (Document 21).
    • A 2016 USCYBERCOM order (Document 37) to establish a task force to combat ISIS in cyberspace.
    • A 2016 examination (Document 38) of cyber threats to nuclear weapons systems.
    • A 2016 DHS Office of Intelligence and Analysis briefing (Document 39) on cyber threats to the homeland.