Was U.S. Government's Stuxnet Brag A Mistake?

Some lawmakers accuse Obama administration of failing to manage its secrets, but Stuxnet now stands as a warning of America's cyber-warfare capabilities.

"My cyber-weapon is bigger than your cyber-weapon."

That's the playground-taunt version of what anonymous sources in the Obama administration last week essentially said to Iran, after they confirmed that the U.S. government developed and launched Stuxnet, in a bid to delay Iran's nuclear weapons program.

The Stuxnet credit-taking--if not warning to Iran--has prompted both Republican and Democratic lawmakers to accuse the Obama administration of failing to manage its secrets, as well as divulging crucial details about the nation's offensive capabilities.

"This is the most highly classified information and has now been leaked by the administration at the highest levels of the White House. That's not acceptable," said Sen. John McCain (R-Ariz.), the top Republican on the Senate Armed Services Committee, on CBS News. McCain, who was Obama's opponent in the 2008 presidential election, also accused the White House of having leaked the information--including details of the drone-strike program--simply to make the president look good.

As a result, "our enemies now know much more than they even did the day before they came out about important aspects of the nation's unconventional offensive capability and how we use them," he recently said on the Senate floor.

Similarly, the top members of both the Senate Intelligence Committee and the House Select Committee on Intelligence decried that information relating to Stuxnet and drone strikes had become public. "In recent weeks, we have become increasingly concerned at the continued leaks regarding sensitive intelligence programs and activities including specific details of sources and methods," reads a joint statement issued by Sens. Dianne Feinstein (D-Calif.) and Saxby Chambliss (R-Ga.), respectively the chair and ranking Republican on the Senate Intelligence Committee, and Reps. Mike Rogers (R-Mich.) and C.A. "Dutch" Ruppersberger (D-Md.), respectively the chair and ranking Democrat on the House Intelligence Committee.

"The accelerating pace of such disclosures, the sensitivity of the matters in question, and the harm caused to our national security interests is alarming and unacceptable," reads their statement. "Each disclosure puts American lives at risk, makes it more difficult to recruit assets, strains the trust of our partners, and threatens imminent and irreparable damage to our national security in the face of urgent and rapidly adapting threats worldwide."

But did the "leaks" really put lives at risk or are lawmakers' statements merely an attempt at flexing political muscle after not being consulted over the disclosures? "Keeping these programs secret may have a value," Jack Goldsmith, a Harvard law professor who served as a Justice Department official in the Bush administration, told The New York Times. "But there's another value that has to be considered, too--the benefit of transparency, accountability, and public discussion."

In the interests of open discussion, let's acknowledge that the identities of Stuxnet's creators were an open secret. After an extensive teardown of the malware, multiple researchers concluded that it had been built by the United States, as well as by Israel. Whether either government would confirm the finding, and whether or not the program was classified, was academic: everyone knew.

Technologically speaking, Stuxnet was also a marvel. Facing stiff competition from Anonymous (for its HBGary Federal Hack), as well as LulzSec (not least for its wit), Stuxnet even bagged the "Epic 0wnage" award at the Black Hat 2011 Pwnie awards ceremony in Las Vegas.

Of course, it's best to not fetishize any type of weapon, but does Stuxnet even qualify as such? Pwnie judge Mark Dowd memorably described the malware as "a non-violent protest against the Iranian nuclear program, allegedly done by a government with some pretty advanced intelligence capabilities." The malware apparently hurt no one, but did send a clear political signal, not least about the extent to which the United States would go to compromise Iran's nuclear program--preferably through non-violent means.

What are the negatives of Stuxnet, or taking credit for it? One line of thinking has been that Stuxnet changed the malware rules by setting a precedent that other governments will be free to follow. And there's ample room for debate about whether any entity--governments, organized crime syndicates, anti-Anonymous hacktivists--should be lobbing malware at anyone. But did taking credit for Stuxnet cause "irreparable damage to our national security," as lawmakers have asserted?

In response to McCain's criticism, notably, White House press secretary Jay Carney Wednesday said: "This administration takes all appropriate and necessary steps to prevent leaks of classified information or sensitive information that could risk ongoing counterterrorism or intelligence operations." The "ongoing operations" caveat is key, because from a malware standpoint, security experts agree that the Stuxnet malware is played out. At this point, taking credit for it arguably strengthens national security, by serving as a further deterrent.

User Rank: Ninja
6/9/2012 | 9:55:53 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
I see both sides to this. In the long run, I am not sure leaking the information matters all that much in terms of national security because many people already assumed the U.S. and/or Israel was involved due to the complexity of Stuxnet, its purpose and the fact that there were so many infections in Iran. There certainly is value in keeping capabilities a secret, but I am not sure the discovery of Stuxnet in and of itself (as opposed to recent leaks) wasn't enough to get Iran to ramp up its cyber capabilities the way they have.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
User Rank: Apprentice
6/9/2012 | 6:10:55 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
Obama wants to BLOCK FREEDOM!
User Rank: Apprentice
6/9/2012 | 6:10:01 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
The fact that Stuxnet was injecting commands into the PLC and masking that it was doing so was evidence that it was designed, not for espionage as everyone had believed, but for physical sabotage. The researchers were stunned. It was the first time anyone had seen digital code in the wild being used to physically destroy something in the real world. Hollywood had imagined such a scenario years earlier in a Die Hard flick. Now reality had caught up with fantasy.

"We were expecting something to be espionage, we were expecting something to steal credit card numbers; that's what we deal with every single day," Chien recalls. "But we weren't expecting this."

User Rank: Apprentice
6/8/2012 | 1:24:23 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
Your comments read like a lot of descriptions I've read elsewhere when speaking of Gen X - so where's the surprise? I will work only if on my terms and with my equipment, I will work only if I can follow my twitter feeds and Facebook, I will work only if we have a matrixed org and multiple bosses so no one actually controls what I do,...
User Rank: Apprentice
6/7/2012 | 9:54:03 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
For starters, the apparent supporters of an administration that outed a CIA agent as revenge for her non-partisan husband's telling the truth about issues related to WMD in Iraq, absolutely unconditionally putting at risk the lives of dozens of operatives throughout the middle East for the "crime" of supporting our interests, probably know a great deal about living in glass houses.

Let's ignore that ranting and look at the hot air du jour from DC. There's an assumption that the Obama administration as an administration is taking personal credit for this in an election year move. It's a given that the critics have just as much electioneering behind their intentions as Obama may have.

My sense is that the "bragging" is for external consumption. Hey you keep going forward we have ways of stopping you and we're not afraid to use them.

As to whether that kind of swagger and bluster is helpful, harmful or neutral there's surely room for debate. It was no secret to anyone that we were involved in developing Stuxnet but its details were not commonly known. If in the process of trying to intimidate Iran we give away any hints that technologists with lesser intentions can use, that will be no good thing.

Let's just hope that things get evaluated at that level in a discussion that's constructive, designed to move us forward not to tear down. I'm not holding my breath that we as a nation are capable of that nowadays.
User Rank: Apprentice
6/7/2012 | 6:59:15 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
I disagree with the conclusion. As the author points out, I think we all knew that the teams involved in creating Stuxnet were the U.S. and Israel because the DNA of the code indicated two teams, huge resources, and significant understanding of the control software for Iran's centrifuges. The prime suspects with those kinds of resources and motivation would be Israel and the U.S. So, I would think that would be enough to provide any of the benefits cited in the article--leaving only downside to revealing all of the ingenious details of the exploit. Trumpeting it as a political accolade for the Obama administration's street cred on national security is amateurish in the extreme. Besides, it is pretty clear that, because of the time this took to develop and deploy, it didn't even start during the current administration. So, leaking this AND taking credit for it reveals not only a disregard for classified operations but also an egregious lack of integrity. And it shows our leadership as naive, self-centered, and infected with massive amounts of hubris to put politics ahead of protecting the details of a highly secret operation. Maybe the author thinks that naming the members of the Stuxnet development teams so they can be targeted by Iranian operatives would be even more helpful in building up our reputation as super genius cyberwarfare powers.
User Rank: Apprentice
6/7/2012 | 5:54:12 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
I guess we needn't be surprised when stones rain through the shattered roof of our glass house. But if there is any blame, give that to Bush. (The disclosure must be his fault, somehow.) However, if there is any credit, give that to Obama. (He's got mad hacking skilz.)