The importance of increasing the use of Red Teams
Phil Mayr
The intelligence agencies and military branches of the U.S. Government need to operate live “Red Teams” that test physical structures, as well as war-gaming Red Teams that are kept separate from the planners during the planning phase of operations. These Red Teams need to be external to the agency or organization they support. Increasing the use of Red Teams is more important now than ever because of the dynamics of combating terrorism.
Red Teams typically are small groups of persons from individual agencies or organizations that test the effectiveness of U.S. infrastructure, operations, capabilities, plans and concepts. The Red Team attempts to observe the U.S. agency or organization’s infrastructure, operation, capability, plan or concept from the enemy’s point of view in order to identify vulnerabilities. Identifying such flaws, and correcting them before the enemy would have a chance to act, would ultimately improve security.
Three examples help demonstrate the potential benefits that Red Teams provide. The first example is the U.S. Navy’s “Red Cell.” In 1984, the Deputy Chief of Naval Operations, Vice Admiral James Lyons, Jr., tasked Navy SEAL Commander Richard Marcinko with building and leading a team that would test the security measures of the U.S. Navy. Commander Marcinko formed a team, composed mostly of SEALs, which he led to penetrate U.S. naval bases and expose their security flaws. Red Cell had the backing and oversight of senior leadership to conduct the “attacks,” and it coordinated in advance to ensure that base security did not mistake the Red Cell for an actual enemy assault. Red Cell successfully conducted these exercises at several naval bases. During the pre-mission reconnaissance of the U.S. Navy’s Trident and Ohio-class nuclear submarine home base in New London, CT, Red Cell found numerous lapses in security. These included: no true front gate, an ordnance facility protected only by a single chain-link fence, and train tracks that ran through the middle of the base, all of which made it easy for an enemy to infiltrate the base and gather information.
Red Cell was also able to rent a small boat, fly a Soviet flag from it, and get close enough to the base to photograph classified features of the submarines. This occurred in 1985, well before the fall of the Soviet Union. Even after Red Cell informed base security of the exact time that its attack would take place, the team succeeded in breaching the base and raiding a particular building, remaining undetected all the while.
The second example involves the Federal Aviation Administration (FAA). The FAA had a Red Team that was an elite group of security agents who traveled to major airports within the U.S. and abroad to conduct covert penetration testing of airport security systems, in order to provide the FAA with realistic data on the state of aviation security.
The team found serious security weaknesses at Boston’s Logan International Airport, the same airport from which two of the four hijacked planes used in the 9/11 attacks originated. The agents who were part of the Red Team believed that their findings were covered up by FAA officials. Perhaps, if the security flaws they identified had received more attention, the events of 9/11 would not have occurred.
The third example deals with the realm of cyber-security. The National Security Agency (NSA) has a Red Team that attempts to hack into Department of Defense (DoD) computer systems in order to identify gaps that need to be secured before the enemy has a chance to exploit them. The NSA Red Team is separate from the rest of NSA and does not give advance notice of its attempts to breach DoD entities, but it does leave a calling card on any network it is able to breach, informing the network administrator of the security compromises that need to be fixed. A Red Team member says that the majority of its personnel are military and civilian government employees, along with a small cadre of contractors. The military members mainly conduct the ops (the actual breaking and entering), while the civilians and contractors mainly write code to support those efforts. The goal is not to damage anything, but to identify the security flaws.
One benefit of Red Team activities is that they confront preconceived judgment by demonstration. They also serve to clarify the true problem-state that planners are attempting to mitigate. Additionally, they give a more accurate understanding of how sensitive information is viewed from an outside point of view, and they highlight exploitable patterns and unnecessary preconceived notions with regard to controls and planning.
Many times, situations turn out differently than one anticipates. More security problems can be identified through demonstration by both the live Red Teams and the war-gaming Red Teams. The U.S. Navy’s Red Cell identified many security shortfalls by demonstrating that penetrating a secured base was possible. It is easier to identify exploitable patterns from the outside looking in than from the inside looking out.
Red Team constraints include operational, political and safety limitations that need to be considered. Operationally, senior leadership needs to approve Red Team activities. For example, Commander Marcinko had permission from the Deputy Chief of Naval Operations. Having this approval protected Commander Marcinko, a Navy O-5, from being punished by the base commanders, typically Navy Captains (O-6). Operational coordination needs to be conducted to minimize confusion and keep everyone safe.
A political limitation is that any change of policy usually takes a long time and might exceed the scope of the policy-makers’ influence. “Policy-makers don’t always have the required range of response options recommended by a Red Team,” one observer noted, as some Red Team suggestions may be too controversial.