35+ Years of Freedom of Information Action

Cyber Vault Highlights

Published: May 3, 2017
Briefing Book #590

Edited by Jeffrey T. Richelson

For more information, contact: 202-994-7000 or nsarchiv@gwu.edu

40+ Primary Sources Every Cyber Student Needs

From the seminal 1967 Prophecy to the latest 2017 Grizzly Steppe Hack Analysis

Washington, D.C., May 3, 2017 – A Rand Corporation 1967 paper predicted many of the cyber dilemmas faced by policy makers today, and a 2017 expanded analysis of the “GRIZZLY STEPPE” hacking by Russian cyber operators disclosed key findings about the techniques the hackers used and ways to mitigate them, according to the National Security Archive publication today of 40+ highlighted primary sources from the critically-praised “Cyber Vault” at https://nsarchive.gwu.edu/project/cyber-vault-project.

Compiled and edited by noted intelligence historian Dr. Jeffrey T. Richelson, the Cyber Vault collection of primary sources is growing by a dozen or more documents every week, and includes the declassified briefings provided by the National Security Agency to the George W. Bush and Barack Obama transition teams in 2000 and 2009, respectively.  The collection also includes a 2016 order from the U.S. Cyber Command to set up a unit with the mission of debilitating and destroying computer and communications operations of the terrorist group ISIS. 

The Cyber Vault team obtained the 2016 order under the Freedom of Information Act (FOIA).  The project has filed scores of other FOIA and declassification requests as part of a multi-year documentation contribution to the growing field of cyber studies, with the support of the William and Flora Hewlett Foundation. 

The 2000 transition briefing explicitly foreshadowed the Edward Snowden controversy, warning the new White House team that the 4th Amendment-protected communications of Americans were inextricably mixed with those of foreigners on the Internet.  The 2016 U.S. Cyber Command order established a joint task force designed to bring the resources of the Defense Department, Intelligence Community, and Justice Department to bear against the terrorist group that the Trump administration has since designated its top foreign policy priority.

Cyber Vault Highlights

By Jeffrey T. Richelson

On March 30, 2016, the National Security Archive opened its Cyber Vault, a repository of documents on all aspects of cyber activity – including computer network defense (and other other aspects of cybersecurity), computer network attack, and computer network exploitation. The more than 750 documents currently in the vault have been drawn from a variety of sources – Freedom of Information Act releases, websites of both U.S. federal and state government organizations, courts, foreign government organizations, NATO, government contractors, think-tanks, advocacy groups, and media websites (including Wikileaks and those that posted documents provided by Edward Snowden).

In addition to relying on a multitude of sources to populate the Cyber Vault, the Archive has sought to accumulate a diverse set of documents – which has guided its collection strategy. As a result, the Cyber Vault includes significant documents from the 1960s and each subsequent decade, on cyber organization, on policy and strategy, on domestic and foreign cyber activities, on cybersecurity requirements, and on cyber crimes and the related investigations. Also included are intelligence assessments and theses. The documents also represent a spectrum of classifications, from unclassified, to formerly classified, and – in the cases of Wikileaks and Snowden documents – currently classified documents. Many of the documents cut across a number of categories.

Among the documents represented from the 1960s and 1970s are two seminal papers.  One is Willis Ware’s 1967 effort, Secrecy and Privacy in Computer Systems (Document 1), written for the RAND Corporation, and one of the very first systematic approaches to information leakage, security, and privacy. The other (Document 2), produced by a staff member of Britain’s signals intelligence agency, the Government Communications Headquarters (GCHQ), represents the initial development of public key cryptography – although it was not declassified until years after the concept had been made public by American mathematicians.

That document is also one of several illustrating or concerning foreign government cyber efforts. A much more recent GCHQ product (Document 30 ) was one of the documents provided to Glenn Greenwald and Laura Poitras by Edward Snowden – a briefing on efforts to deanonymize users of The Onion Router (TOR) network, which had been developed by  members of the U.S. Naval Research Laboratory (Document 33) as a means of protecting online communications. Chinese cyber organization, policy, and operations are covered, collectively, by two documents – an unclassified paper (Document 37) produced under the auspices of the NATO Cooperative Cyber Defence Centre of Excellence and a Top Secret codeword NSA briefing (Document 25) on the People Republic of China’s computer network exploitation activity. Current Russian cyber activities are discussed in an extract (Document 36) from the controversial “Trump Dossier,” written by a former British Secret Intelligence Service officer.

Other documents concern hostile cyber activities from an earlier era. One, from 1998  (Document 12) provides information to the then director of the FBI, Louis Freeh, concerning the SOLAR SUNRISE investigation concerning intrusions into at least 11 unclassified DoD Computer systems at various locations in the United States. Another FBI memo (Document 13), concerns a 1999 investigation into intrusions into computer systems in the United States, the United Kingdom, Canada, Brazil, and Germany – an investigation which took some of the investigators to Moscow. In a newly released portion, it discusses possible response to intrusions – including the creation of “honeypots” containing “beacon” files.

In addition to being the victim of intrusions, the U.S. has also debated and formulated policy, granted authority over, and conducted intrusions in pursuit of national security objectives. In March 1997, Secretary of Defense William Cohen assigned the responsibility for computer network attack and exploitation to the National Security Agency in a short memo (Document 10). During that Spring a senior NSA official addressed the issue of cyberwar in a Secret article (Document 11) in a NSA journal. Many years later, according to a number of accounts, U.S. and Israeli cyber personnel were able to penetrate industrial control systems associated with the Iranian nuclear program and damage centrifuges that could produce weapons-grade material. While there have been no publicly released executive branch documents concerning the “Stuxnet” operation, it has been the subject of reports by RAND and the Congressional Research Service. (Document 27).

Concern over possible Russian intrusion into U.S. computer systems related to elections became a significant subject of discussion in the 2016 presidential election. Apprehensions over the possibility of such intrusions go back at least a decade. A December 2007 report (Document 21) was commissioned by Ohio’s Secretary of State, and contained disturbing results about the vulnerability of Ohio’s electronic voting systems. In the wake of a poorly-received, brief analysis of alleged Russian cyber activity related to the 2016 election, the Department of Homeland Security’s National Cybersecurity and Communications Integration Center produced more detailed examination (Document 42) of the GRIZZLY STEPPE activity.

By the time the DHS report was issued, President Trump had been presented with a draft executive order on cybersecurity (Document 41 ), which would undoubtedly have been the first of a significant number of presidential actions on cybersecurity – just as President Obama had signed a number of cyber-related executive orders and presidential directives, including one (Document 35) that established a Cyber Threat Intelligence Integration Center. Ultimately, the Trump draft order became the first in a series of drafts, and no order has yet been signed.

Other highlight documents include:

  • A 1979 exploration (Document 5) in an NSA journal on computer system vulnerabilities 
  • A 1996 treatment (Document 9) of the threat to computer systems from human Intelligence operations.
  • A 2001 memo (Document 15) from the director of NSA concerning a major computer outage at the agency.
  • A 2008 Director of National Intelligence cyber counterintelligence plan (Document 22).
  • A 2016 USCYBERCOM order (Document 38) to establish a task force to combat ISIS in cyber space
  • A 2016 examination (Document 39) of cyber threats to nuclear weapons systems.
  • A 2016 DHS Office of Intelligence and Analysis briefing (Document 40) on cyber threats to the homeland


Read the documents

Document 01

Willis H. Ware, RAND Corporation, P-3544, Security and Privacy in Computer Systems, April 1967. Unclassified.


This seminal paper consists of two parts. The first examines information leakage in a resource-sharing computer system while the second examines the issues of security and privacy.

Document 02

J.H. Ellis, Communications - Electronics Security Group, Government Communications Headquarters, Research Report No. 3006, The Possibility of Secure Non-Secret Digital Encryption, January 1970. Secret.


This report, produced by a member of the United Kingdom's signals intelligence agency, developed the concept of public key cryptography - several years before the concept was advanced by U.S. academic mathematicians.

Document 03

Jack J. Peterson and Sandra A. Veit, The MITRE Corporation, Survey of Computer Networks, September 1971. Unclassified.


This study is the result of a survey of ten major "state-of-the-art" (in 1971) computer networks - including ARPA, COINS (the Community Online Intelligence System), CYBERNET (a commercial network offering computer services to the general public), and MERIT (a cooperative effort by the three largest universities in Michigan).

Document 04

Howard Frank, Network Analysis Corporation, The Practical Impact of Recent Computer Advances on the Analysis and Design of Large Scale Networks, December 1973. Unclassified.


This report was the result of a contract from the Advanced Research Projects Agency to the Network Analysis Corporation which had a number of objectives -- including, but not limited to, determining the most economical and reliable configurations to meet growth requirements in the ARPANET, studying the properties of packet switched computer communications networks, and developing techniques for the analysis and design of large scale networks.

Document 05

[Deleted], National Security Agency, "Computer Operating System Vulnerabilities," Cryptolog, VI, 3 (March 1979). Unclassified.


This article, which appeared in a classified NSA journal, explores seven common computer operating system vulnerabilities, several penetration techniques, defensive measures, and future research areas.

Document 06

Secretaries Committee on Intelligence and Security (SCIS), "The Threat to Australian Government Communications," October 7, 1993. Secret.


This report contains discussion of the threat to standard telephonic communications as well as to data links, and notes "a continuing threat from 'hackers' to Government information processing systems."

Document 07

National Ground Intelligence Center, Defense Intelligence Reference Document, Nonlethal Technologies - Worldwide, May 1995. Secret//Noforn//WNINTEL. (Extract)


This section of an Army intelligence assessment on nonlethal technologies deals primarily with electronic intrusion and malicious software. It reports on both KGB and Cuban intelligence efforts related to disrupting U.S. computer systems.

Document 08

National Security Telecommunications Advisory Committee, An Assessment of the Risk to the Security of Public Security Networks. Unclassified.


This study assesses the risk to public networks from "electronic intruders and software-based attacks." Topics explored include the changing business environment, the threat, deterrents, vulnerabilities, and protective measures.

Document 09

[Deleted], "Out of Control," Cryptologic Quarterly, Special Edition, 15, 1996. Secret.


This article, in another National Security Agency journal, discusses the threat to computer systems containing classified information via human intelligence operations directed at systems administrators. A largely redacted section is titled ""Foreign Intelligence Services Are Already Targeting Computer Personnel," while the final section offers recommendations on how to address the problem.

Document 10

William A. Cohen, Memorandum for the Director, National Security Agency, Subject: Delegation of Authority and Creation of Executive Agent. Secret/US Only.


This memo from the secretary of defense to the director of NSA authorized the agency to develop computer network attack (CNA), exploitation, and related techniques as well as to conduct analysis of foreign information infrastructure systems in support of CNA technology development.

Document 11

William B. Black, National Security Agency, "Thinking Out Loud About Cyberspace," Cryptolog, XXIII, 1 (Spring 1997). Secret.


This article, by a senior NSA official, notes that NSA was assigned the mission of computer network attack in March 1997, and argues that the world was on the verge of a new age - "the information age" - and that the future of war would be warfare in cyberspace.

Document 12

K.M. Gode, To Director Freeh, Re: SOLAR SUNRISE, CITA Matter; OO: HQ, February 25, 1998. Unclassified/For Official Use Only.


This memo to the director of the FBI provides basic information on the SOLAR SUNRISE investigation into computer intrusions - including the starting date, target institutions, type of targeted devices (Domain Name Servers), and progress of the FBI's investigation.

Document 13

Federal Bureau of Investigation, "MOONLIGHT MAZE," April 15, 1999. Secret/Noforn.


This memo is a less-redacted version of the memo released in 2012, and contains (on pp. 6-7) additional information on the discussion of possible responses to computer intrusions, including the creation of "honeypots" containing "beacon" files.

Document 14

NSA Scientific Advisory Board Panel on Digital Network Intelligence, Report to the Director, June 28, 1999. Secret/Comint.


The panel that produced this report, heavily-redacted before release, was chaired by James Clapper, who went on to serve as Director of National Intelligence from 2010 to January 20, 2017. It noted that the availability of intelligence by gathering communications transmitted between or resident on network computers created an "entirely new paradigm for SIGINT."

Document 15

Michael V. Hayden, Director, National Security Agency, "Message from the Director re: Major Systems Failure." Top Secret/Comint. [Via mail]


This message from the NSA director provides information to agency employees concerning a massive failure of the agency's computer system that left it temporarily incapable of processing data collected by U.S. signals intelligence collection systems.

Document 16

National Security Agency, Transition 2001, December 2000. Secret


This document, prepared for the incoming administration of George W. Bush, was intended to provide a background on NSA's organization and mission, as well as of the issues facing NSA in the years ahead. Its main sections include those devoted to management, external process, budget, and personnel, policy/issues.

Document 17

United States Space Command, USCINCSPACE Implementation Plan for Computer Network Operations, May 13, 2001. Secret/Noforn.


This plan was produced to implement a key milestone in the evolution of U.S. military cyber operations - the merger of cyber defense and computer network attacks activities under a single commander.

Document 18

Director of Central Intelligence, Director of Central Intelligence Directive 7/3, "Information Operations and Intelligence Community Related Activities," June 5, 2003. Secret.


This directive states the responsibilities of Intelligence Community components with regard to (1) information operations, (2) intelligence and related support to information operations, and (3) deconfliction of specific computer network operations conducted by National Foreign Intelligence Program agencies.

Document 19

C.S Glantz, R.B. Bass, J.R. Casah, G.A. Coles, D.J. Gower, J.J. Heilman, M.D. Lammets, and J.L. Thomas, Pacific Northwest National Laboratory, NUREG/CR-6847, Cyber Security Self-Assessment Method for U.S. Nuclear Power Plants, October 2004. Unclassified.


This report describes, in response to the increased employment of digital technology at nuclear power plants, a self-assessment method to assist plant personnel in assessing and managing cyber security risks.

Document 20

[Author Name Redacted], Internet Exploitation - Springboard to a New Open Source Business Model: Thinking About the Internet in an Internet Way, 2005-2007. Unclassified.


This document is one of the 2005-2007 award winning papers in the DNI's Galileo Awards program, intended to find "innovative ideas and creative solutions" to U.S. intelligence challenges.

Document 21

Pennsylvania State University, University of Pennsylvania, and Web Wise Security, EVEREST: Evaluation and Validation of Election-Related Equipment, Standards and Testing, December 7, 2007. Not classified.


The goal of this review, commissioned by Ohio's Secretary of State, was to assess the security of electronic voting systems used in Ohio, and to identify procedures that might eliminate or mitigate any problems that were discovered. The review discovered that "all of the studied systems possess critical security failures that render their technical controls insufficient to guarantee a trustworthy election."

Document 22

National Counterintelligence Executive, Office of Director of National Intelligence and Department of Justice, The United States Government-Wide Cyber Counterintelligence Plan, 2008, TOP SECRET/SI/NOFORN.


The core of this document is the identification of, and discussion related to, six cyber counterintelligence objectives (the specifics of two having been redacted from the version released). It also contains several appendices, including one on the assessment of damage/loss from cyber intrusions, and a glossary.

Document 23

Intelligence Science Board, Technical Challenges of the National Cyber Initiative, January 24, 2008. SECRET/CODEWORD.


The ISB, an advisory body reporting to the DNI, identifies in this report a number of technical challenges to the DNI's National Cyber Initiative. These include, but are not limited to, the need for extensive cooperation, a strategic view, macro-level metrics, and a national approach. They note their agreement with a 2004 CIA assessment that the cyber problem is on the scale of a "Manhattan Project."

Document 24

National Security Agency/Central Security Service, Presidential Transition 2009, November 3, 2008. Top Secret/COMINT/REL TO USA, FVEY.


Among the topics discussed in this document, prepared for the incoming Obama administration, is NSA’s role in cyber activities – including “defending vital networks” as well as discovering and mitigating vulnerabilities in U.S. information systems. Also included are the identification of “the 12 interdependent cybersecurity initiatives” and their objectives.

Document 25

[Name Redacted], NTOC, National Security Agency, BYZANTINE HADES: An Evolution of Collection, June 2010, Top Secret//Comint//Rel to USA, Aus, Can, GBR, NZL.


This briefing identifies various components of BYZANTINE HADES, a term denoting PRC Computer Network Exploitation activities, and focuses on one particular component - BYZANTINE CANDOR, which involved targeting of DoD, economic, and geopolitical event targets.

Document 26

U.S. Strategic Command, JFT-CND/JTC-CNO/JTF-GNO: A Legacy of Excellence - December 30, 1998 - September 7, 2010, September 2010. Unclassified. [1595]


This brief history focuses on the task force (initially named the Joint Task Force for Computer Network Defense and subsequently 'for Computer Network Operations' and then 'for Global Network Operations') that would serve as a key component of the foundation for the U.S. Cyber Command. It does not discuss operations but key decisions and developments with regard to the evolution of the task force's mission, structure, and capabilities.

Document 27

Paul K. Kerr, John Rollins, and Catherine A. Theohary, Congressional Research Service, The Stuxnet Computer Worm: Harbringer of an Emerging Warfare Capability, December 9, 2010. Unclassified.


This short paper provides an overview of the Stuxnet worm, an exploration of possible developers and future users, a discussion of whether Iran was the intended target, as well as industrial control systems vulnerabilities and critical infrastructure, national security implications, and issues for Congress.

Document 28

Federal Bureau of Investigation, Cyber Division Policy Implementation Guide, March 31, 2011. Unclassified/FOUO.


This guide was produced to provide instruction for the management and conduct of cyber operations, including the operational and procedural requirements within cyber investigations. It also was intended to ensure that investigations comply with applicable laws.

Document 29

United States Cyber Command, USCYBERCOM Operations Order (OPORD) 11-002, Operational Gladiator Shield (OGS), May 19, 2011. Secret/Rel to USA, FVEY.


The purpose of this heavily redacted operations order is to guide and direct "the Department of Defense (DoD) and, as authorized, designated missions partners for cyberspace operations to secure, operate and defend the critical mission elements of the DoD Global Information Grid." It provides a concept of operations, and specifies tasks for the relevant DoD components - CYBERCOM headquarters, CYBERCOM service components (e.g. the U.S. Fleet Cyber Command), combatant commands, the military services, the National Security Agency, Defense Intelligence Agency, and other entities. 

Document 30

[Name Redacted], OPC-MCR, Government Communications Headquarters, A potential technique to deanonymise users of the TOR network, June 13, 2011. UK Top Secret Strap 1 Comint.


This paper, from the United Kingdom's SIGINT agency, describes a new technique to remove anonymity from the users of the TOR network.

Document 31

United States Secret Service, The United States Secret Service. January 2013. Unclassified.


This presentation on the Secret Service focuses on its cyber-related activities. It contains information on cyber asset locations, computer forensic, the electronic crimes task force, and the service's cyber intelligence section.

Document 32

Department of Defense Instruction S-3325.10, Subject: Human Intelligence (HUMINT) Activities in Cyberspace, June 6, 2013. Secret/Noforn.


This heavily redacted instruction discusses DoD policy for conducting human intelligence operations in cyberspace. It also defines the responsibilities of Defense Department components (including the undersecretary of defense for intelligence, the National Security Agency, and Defense Intelligence Agency), as well as procedures. 

Document 33

Paul Syversson, Naval Research Laboratory, A Peel of Onion. August 8, 2014. Unclassified.


This presentation, from one of the Naval Research Laboratory's staff members who developed TOR - The Onion Router - explains the purpose, methodology, and use of the system, which allows anonymous communications over a computer network.

Document 34

National Reconnaissance Office, "Recommendations for NRO Personnel Internet Conduct," August 11, 2014. Unclassified/For Official Use Only.


This six-page document contains a significant number of recommendations to NRO personnel with regard to their Internet activity. It identifies the type of information (including resumes) that might require NRO review before being posted and offers a variety of recommendations for mitigating risks - including 14 ways to protect personal information. It also contains a discussion of how NRO employees can "protect your professional identity."

Document 35

Barack Obama, Memorandum, Subject: Establishment of the Cyber Threat Intelligence Integration Center. Unclassified.


This memo directed the establishment under the Office of the Director of National Intelligence of an analytic center to receive and evaluate intelligence on cyber threats. It also contains provisions concerning privacy and civil liberties.

Document 36

Christopher Steele, "Russia/Cyber Crime: A Synopsis of Russian State Sponsored and Other Cyber Offensive (Criminal) Operations," July 26, 2015. Not classified.


These three pages are part of the controversial "Trump Dossier," prepared by a former British intelligence officer. It discusses FSB (Russian Federal Security Service) recruitment, operations, targets, and cyber crime.

Document 37

Mikk Raud, NATO Cooperative Cyber Defence Centre of Excellence, China and Cyber: Attitudes, Strategies, Organisation. 2016. Unclassified.


This study focuses on three topics - China's cyber background and related challenges, China's cyber strategy and its main objectives (via the examination of three key documents), and China's strategic cyber governance - both civilian and military.

Document 38

USCYBERCOM to CDRUSACYBER, Subj: CYBERCOM FRAGORD 01 to TASKORD 16-0063 To Establish Joint Task Force (JTF)-ARES to Counter the Islamic State of Iraq and the Levant (ISIL) in Cyber Space, May 5, 2016. Secret//Rel to USA, [Redacted].


The unit established by this order, the subject of an article in the Washington Post, was assigned the mission of developing malware and other cyber-tools in order to escalate operations to damage and destroy ISIS networks, computers, and mobile phones.

Document 39

Andrew Futter, Royal United Services Institute, Cyber Threats and Nuclear Weapons: New Questions for Command and Control, Security and Strategy, July 2016. Not Classified.


This paper, prepared for a British think tank, examines the nature of the cyber challenge to nuclear weapons, the specific actions hackers might take against nuclear systems (including espionage, sabotage, or 'spoofing'), and the implications for strategic stability, crisis management, and nuclear strategy.

Document 40

Office of Intelligence and Analysis, Department of Homeland Security, Cyber Threats to the Homeland, October 2016. Unclassified//For Official Use Only.


This briefing discusses, inter alia, the sources of cyber threats (e.g. state actors, cyber criminals), an assessment of cyber actor capabilities (from destruction of critical infrastructure to web defacement), recent threats to state, local and private institutions, and the vulnerability of the Internet of Things.

Document 41

Donald J. Trump, Draft Executive Order, "Strengthening U.S. Cyber Security and Capabilities," January 26, 2017. Unclassified.


This draft executive order directed a review of cyber vulnerabilities, with initial recommendations to be provided within sixty days, U.S. cyber adversaries, and U.S. cyber capabilities.

Document 42

National Cybersecurity and Communications Integration Center, Department of Homeland Security, AR-17-20045, Enhanced Analysis of GRIZZLY STEPPE Activity, February 10, 2017. Unclassified. [4006]


This report is a greatly expanded version of the GRIZZLY STEPPE analysis released in late December 2016, and focuses on the use of the Cyber Kill Chain model (whose components are reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective) to analyze malicious cyber activity.