Attacks/Breaches
6/7/2012
10:05 AM
Connect Directly
RSS
E-Mail
50%
50%

Was U.S. Government's Stuxnet Brag A Mistake?

Some lawmakers accuse Obama administration of failing to manage its secrets, but Stuxnet now stands as a warning of America's cyber-warfare capabilities.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
"My cyber-weapon is bigger than your cyber-weapon."

That's the playground-taunt version of what anonymous sources in the Obama administration last week essentially said to Iran, after they confirmed that the U.S. government developed and launched Stuxnet, in a bid to delay Iran's nuclear weapons program.

The Stuxnet credit-taking--if not warning to Iran--has prompted both Republican and Democratic lawmakers to accuse the Obama administration of failing to manage its secrets, as well as divulging crucial capabilities about the nation's offensive capabilities.

"This is the most highly classified information and has now been leaked by the administration at the highest levels of the White House. That's not acceptable," said Sen. John McCain (R-Ariz.), the top Republican on the Senate Armed Services Committee, on CBS news. McCain, who was Obama's opponent in the 2008 presidential election, also accused the White House of having leaked the information--including details of the drone-strike program--simply to make the president look good.

[Will Google warn about attacks by the U.S. government? Read Google Issues Warnings For State-Sponsored Attacks.]

As a result, "our enemies now know much more than they even did the day before they came out about important aspects of the nation's unconventional offensive capability and how we use them," he recently said on the Senate floor.

Similarly, the top members of both the Senate Intelligence Committee and the House Select Committee on Intelligence decried that information relating to Stuxnet and drone strikes had become public. "In recent weeks, we have become increasingly concerned at the continued leaks regarding sensitive intelligence programs and activities including specific details of sources and methods," reads a joint statement issued by Sens. Dianne Feinstein (D-Calif.) and Saxby Chambliss (R-Ga.), respectively the chair and ranking Republican on the Senate Intelligence Committee, and Reps. Mike Rogers (R-Mich.) and C.A. "Dutch" Ruppersberger (D-Md.), respectively the chair and ranking Democrat on the House Intelligence Committee.

"The accelerating pace of such disclosures, the sensitivity of the matters in question, and the harm caused to our national security interests is alarming and unacceptable," reads their statement. "Each disclosure puts American lives at risk, makes it more difficult to recruit assets, strains the trust of our partners, and threatens imminent and irreparable damage to our national security in the face of urgent and rapidly adapting threats worldwide."

But did the "leaks" really put lives at risk or are lawmakers' statements merely an attempt at flexing political muscle after not being consulted over the disclosures? "Keeping these programs secret may have a value," Jack Goldsmith, a Harvard law professor who served as a Justice Department official in the Bush administration, told The New York Times. "But there's another value that has to be considered, too--the benefit of transparency, accountability, and public discussion."

In the interests of open discussion, let's acknowledge that the identities of Stuxnet's creators were an open secret. After an extensive teardown of the malware, multiple researchers concluded that it had been built by the United States, as well as by Israel. Whether either government would confirm the finding, and whether or not the program was classified, was academic: everyone knew.

Technologically speaking, Stuxnet was also a marvel. Facing stiff competition from Anonymous (for its HBGary Federal Hack), as well as LulzSec (not least for its wit), Stuxnet even bagged the "Epic 0wnage" award at the Black Hat 2011 Pwnie awards ceremony in Las Vegas.

Of course, it's best to not fetishize any type of weapon, but does Stuxnet even qualify as such? Pwnie judge Mark Dowd memorably described the malware as "a non-violent protest against the Iranian nuclear program, allegedly done by a government with some pretty advanced intelligence capabilities." The malware apparently hurt no one, but did send a clear political signal, not least about the extent to which the United States would go to compromise Iran's nuclear program--preferably through non-violent means.

What are the negatives of Stuxnet, or taking credit for it? One line of Stuxnet thinking has been that Stuxnet changed the malware rules, by setting a precedent that other governments will be free to follow. And there's ample room for debate about whether any entity--governments, organized crime syndicates, anti-Anonymous hacktivists--should be lobbing malware at anyone. But did taking credit for Stuxnet cause "irreparable damage to our national security," as lawmakers have asserted?

In response to McCain's criticism, notably, White House press secretary Jay Carney Wednesday said: "This administration takes all appropriate and necessary steps to prevent leaks of classified information or sensitive information that could risk ongoing counterterrorism or intelligence operations." The "ongoing operations" caveat is key, because from a malware standpoint, security experts agree that the Stuxnet malware is played out. At this point, taking credit for it arguably strengthens national security, by serving as a further deterrent.

More than 900 IT and security professionals responded to InformationWeek’s 2012 Strategic Security Survey. Our results cover a variety of areas critical to information risk management, including cloud, mobility, and software development. Download the 2012 Strategic Security report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
ttn
50%
50%
ttn,
User Rank: Apprentice
6/7/2012 | 5:54:12 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
I guess we needn't be surprised when stones rain through the shattered roof of our glass house. But if there is any blame, give that to Bush. (The disclosure must be his fault, somehow.) However, if there is any credit, give that to Obama. (He's got mad hacking skilz.)
ANON1241631011972
50%
50%
ANON1241631011972,
User Rank: Apprentice
6/7/2012 | 6:59:15 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
I disagree with the conclusion. As the author points out, I think we all knew that the teams involved in creating Stuxnet were the U.S. and Israel because the DNA of the code indicated two teams, huge resources, and significant understanding of the control software for Iran's centrifuges. The prime suspects with those kind of resources and motivation would be Israel and the U.S. So, I would think that would be enough to provide any of the benefits cited in the article--leaving only downside to revealing all of the ingenious details of the exploit. Trumpeting it as a political accolade for the Obama administration's street cred on national security is amateurish in the extreme. Besides, it is pretty clear that, because of the time this took to develop and deploy, it didn't even start during the current administration. So, leaking this AND taking credit for it reveals not only a disregard for classified operations but also an egregious lack of integrity. And it shows our leadership as naive, self-centered, and infected with massive amounts of hubris to put politics ahead of protecting the details of a highly secret operation. Maybe the author thinks that naming the members of the Stuxnet development teams so they can be targeted by Iranian operatives would be even more helpful in building up our reputation as super genious cyberwarfare powers.
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
6/8/2012 | 1:24:23 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
Your comments read like a lot of descriptions I've read elsewhere when speaking of Gen X - so where's the surprise? I will work only if on my terms and with my equipment, I will work only if I can follow my twitter feeds and Facebook, I will work only if we have a matrixed org and multiple bosses so noone actually controls what I do,...
ANON1237925156805
50%
50%
ANON1237925156805,
User Rank: Apprentice
6/7/2012 | 9:54:03 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
For starters, the apparent supporters of an administration that outed a CIA agent as revenge for her non-partisan husband's telling the truth about issues related to WMD in Iraq, absolutely unconditionally putting at risk the lives of dozens of operatives throughout the middle East for the "crime" of supporting our interests, probably know a great deal about living in glass houses.

Let's ignore that ranting and look at the hot air du jour from DC. There's an assumption that the Obama administration as an administration is taking personal credit for this in an election year move. It's a given that the critics have just as much electioneering behind their intentions as Obama may have.

My sense is that the "bragging" is for external consumption. Hey you keep going forward we have ways of stopping you and we're not afraid to use them.

As to whether that kind of swagger and bluster is helpful, harmful or neutral there's surely room for debate. It was no secret to anyone that we were involved in developing Stuxnet but its details were not commonly known. If in the process of trying to intimidate Iran we give away any hints that technologists with lesser intentions can use, that will be no good thing.

Let's just hope that things get evaluated at that level in a discussion that's constructive, designed to move us forward not to tear down. I'm not holding my breath that we as a nation are capable of that nowadays.
danii
50%
50%
danii,
User Rank: Apprentice
6/9/2012 | 6:10:01 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
The fact that Stuxnet was injecting commands into the PLC and masking that it was doing so was evidence that it was designed, not for espionage as everyone had believed, but for physical sabotage. The researchers were stunned. It was the first time anyone had seen digital code in the wild being used to physically destroy something in the real world. Hollywood had imagined such a scenario years earlier in a Die Hard flick. Now reality had caught up with fantasy.

GǣWe were expecting something to be espionage, we were expecting something to steal credit card numbers; thatGs what we deal with every single day,Gǥ Chien recalls. GǣBut we werenGt expecting this.Gǥ

danii
50%
50%
danii,
User Rank: Apprentice
6/9/2012 | 6:10:55 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
Obama wants to BLOCK FREEDOM!
Bprince
50%
50%
Bprince,
User Rank: Ninja
6/9/2012 | 9:55:53 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
I see both sides to this. In the long run, I am not sure leaking the information matters all that much in terms of national security because many people already assumed the U.S. and or Israel was involved due to the complexity of Stuxnet, its purpose and the fact that there were so many infections in Iran. There certainly is value in keeping capabilities a secret, but I am not sure the discovery of Stuxnet in and of itself (as opposed to recent leaks) wasn't enough to get Iran to ramp up its cyber capabilities the way they have.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0640
Published: 2014-08-20
EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote authenticated users to bypass intended restrictions on resource access via unspecified vectors.

CVE-2014-0641
Published: 2014-08-20
Cross-site request forgery (CSRF) vulnerability in EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2014-2505
Published: 2014-08-20
EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to trigger the download of arbitrary code, and consequently change the product's functionality, via unspecified vectors.

CVE-2014-2511
Published: 2014-08-20
Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop before 6.7 SP1 P28 and 6.7 SP2 before P14 allow remote attackers to inject arbitrary web script or HTML via the (1) startat or (2) entryId parameter.

CVE-2014-2515
Published: 2014-08-20
EMC Documentum D2 3.1 before P24, 3.1SP1 before P02, 4.0 before P11, 4.1 before P16, and 4.2 before P05 does not properly restrict tickets provided by D2GetAdminTicketMethod and D2RefreshCacheMethod, which allows remote authenticated users to gain privileges via a request for a superuser ticket.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.