‘Delete all phones’ — How one man killed communications at an Air Force base for weeks

‘Is this good-bye?’ Daniels said, while being escorted off base.
Air Force Airman 1st Class Enya Johnson, 509th Operation Support Squadron Airfield Management operations coordinator, answers the phone while working at the base operations desk at Whiteman Air Force Base, Missouri, Sept. 23, 2020 (Air Force photo / Airman 1st Class Christina Carter)

Share

A former Air Force contractor named Alan Daniels pleaded guilty to intentionally sabotaging the communications system at Whiteman Air Force Base in 2017, causing disruptions at the Missouri base that took 702 man-hours at the cost of nearly $27,000 to fix over the course of several weeks, according to a plea agreement unsealed in the U.S. District Court for the Western District of Missouri on Thursday. 

Daniels pleaded guilty to one count of intentional damage to a protected computer and one count of communication interference. According to the agreement, it was just another morning on October 5, 2017, at approximately 7:30, when a member of the base communications squadron’s phones restarted and reloaded with blank screens. That was odd, because no work was scheduled to be done on the system, Staff Sgt. Thibodeaux (whose first name was not included in the agreement) and others determined. 

Thibodeaux went to the offices of the Leader Communications, Inc. contractors responsible for the switch controlling the Voice over Internet Protocol (VoIP) database, which allows users to make voice calls over the internet instead of through a regular phone line. Thibodeaux spoke with Daniels, an LCI contractor, who was sitting at his desk and responsible for the switch, but he denied knowing what caused the disruption.

The ensuing investigation found that all of the VoIP communications for the base, which affected over 2,500 users, had been deleted. That really threw a wrench into trying to call anybody on the base.

“For weeks after the event, a routine call for maintenance might be routed to the munitions unit, for example,” the agreement said. “Without the data, the switch would not properly route calls. By 11:00 a.m., on October 5, 2017, it was determined that there was no data to recover, and all of the lost data would need to be re-entered manually.”

The next day, investigators found a “delete all phones” command had been entered into the Cisco Call Manager. Such a command cannot be entered by accident because it is a six-step procedure. Further, they found out what computer the command had come from and, sure enough, Daniels was the one logged in using it at that time.

With corroborating evidence showing that Daniels was indeed logged in and present at the time the command was sent, the base escorted him off base that day and seized his computer. “Daniels did not ask why, and instead said, ‘Is this goodbye?’” according to the agreement.

In a 2018 simulation of the event, Whiteman personnel found that there was no way for Daniels to have triggered the command by accident, as there were too many steps involved. Further, the user who triggered the command would have to be on base using a specifically configured port in known locations during work hours, the agreement found.

The agreement does not specify why Daniels triggered the command, but it did explain that his crimes have a maximum punishment of 10 years of imprisonment and a $250,000 fine. Instead, with the guilty plea, Daniels agreed to a sentence of five years’ probation, no fine, $26,927.08 in restitution to the Air Force and a $200 special assessment. The court has the option of rejecting the plea agreement.

Related: Can US troops face life in a Kuwaiti prison for selling pork? An investigation