Was U.S. Government's Stuxnet Brag A Mistake?

Some lawmakers accuse Obama administration of failing to manage its secrets, but Stuxnet now stands as a warning of America's cyber-warfare capabilities.

"My cyber-weapon is bigger than your cyber-weapon."

That's the playground-taunt version of what anonymous sources in the Obama administration last week essentially said to Iran, after they confirmed that the U.S. government developed and launched Stuxnet, in a bid to delay Iran's nuclear weapons program.

The Stuxnet credit-taking--if not warning to Iran--has prompted both Republican and Democratic lawmakers to accuse the Obama administration of failing to manage its secrets, as well as divulging crucial details about the nation's offensive capabilities.

"This is the most highly classified information and has now been leaked by the administration at the highest levels of the White House. That's not acceptable," said Sen. John McCain (R-Ariz.), the top Republican on the Senate Armed Services Committee, on CBS News. McCain, who was Obama's opponent in the 2008 presidential election, also accused the White House of having leaked the information--including details of the drone-strike program--simply to make the president look good.

As a result, "our enemies now know much more than they even did the day before they came out about important aspects of the nation's unconventional offensive capability and how we use them," he recently said on the Senate floor.

Similarly, the top members of both the Senate Intelligence Committee and the House Select Committee on Intelligence decried that information relating to Stuxnet and drone strikes had become public. "In recent weeks, we have become increasingly concerned at the continued leaks regarding sensitive intelligence programs and activities including specific details of sources and methods," reads a joint statement issued by Sens. Dianne Feinstein (D-Calif.) and Saxby Chambliss (R-Ga.), respectively the chair and ranking Republican on the Senate Intelligence Committee, and Reps. Mike Rogers (R-Mich.) and C.A. "Dutch" Ruppersberger (D-Md.), respectively the chair and ranking Democrat on the House Intelligence Committee.

"The accelerating pace of such disclosures, the sensitivity of the matters in question, and the harm caused to our national security interests is alarming and unacceptable," reads their statement. "Each disclosure puts American lives at risk, makes it more difficult to recruit assets, strains the trust of our partners, and threatens imminent and irreparable damage to our national security in the face of urgent and rapidly adapting threats worldwide."

But did the "leaks" really put lives at risk or are lawmakers' statements merely an attempt at flexing political muscle after not being consulted over the disclosures? "Keeping these programs secret may have a value," Jack Goldsmith, a Harvard law professor who served as a Justice Department official in the Bush administration, told The New York Times. "But there's another value that has to be considered, too--the benefit of transparency, accountability, and public discussion."

In the interests of open discussion, let's acknowledge that the identities of Stuxnet's creators were an open secret. After an extensive teardown of the malware, multiple researchers concluded that it had been built by the United States, as well as by Israel. Whether either government would confirm the finding, and whether or not the program was classified, was academic: everyone knew.

Technologically speaking, Stuxnet was also a marvel. Facing stiff competition from Anonymous (for its HBGary Federal Hack), as well as LulzSec (not least for its wit), Stuxnet even bagged the "Epic 0wnage" award at the Black Hat 2011 Pwnie awards ceremony in Las Vegas.

Of course, it's best to not fetishize any type of weapon, but does Stuxnet even qualify as such? Pwnie judge Mark Dowd memorably described the malware as "a non-violent protest against the Iranian nuclear program, allegedly done by a government with some pretty advanced intelligence capabilities." The malware apparently hurt no one, but did send a clear political signal, not least about the extent to which the United States would go to compromise Iran's nuclear program--preferably through non-violent means.

What are the negatives of Stuxnet, or taking credit for it? One line of Stuxnet thinking has been that Stuxnet changed the malware rules, by setting a precedent that other governments will be free to follow. And there's ample room for debate about whether any entity--governments, organized crime syndicates, anti-Anonymous hacktivists--should be lobbing malware at anyone. But did taking credit for Stuxnet cause "irreparable damage to our national security," as lawmakers have asserted?

In response to McCain's criticism, notably, White House press secretary Jay Carney Wednesday said: "This administration takes all appropriate and necessary steps to prevent leaks of classified information or sensitive information that could risk ongoing counterterrorism or intelligence operations." The "ongoing operations" caveat is key, because from a malware standpoint, security experts agree that the Stuxnet malware is played out. At this point, taking credit for it arguably strengthens national security, by serving as a further deterrent.

User Rank: Apprentice
6/7/2012 | 5:54:12 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
I guess we needn't be surprised when stones rain through the shattered roof of our glass house. But if there is any blame, give that to Bush. (The disclosure must be his fault, somehow.) However, if there is any credit, give that to Obama. (He's got mad hacking skilz.)
User Rank: Apprentice
6/7/2012 | 6:59:15 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
I disagree with the conclusion. As the author points out, I think we all knew that the teams involved in creating Stuxnet were the U.S. and Israel because the DNA of the code indicated two teams, huge resources, and significant understanding of the control software for Iran's centrifuges. The prime suspects with that kind of resources and motivation would be Israel and the U.S. So, I would think that would be enough to provide any of the benefits cited in the article--leaving only downside to revealing all of the ingenious details of the exploit. Trumpeting it as a political accolade for the Obama administration's street cred on national security is amateurish in the extreme. Besides, it is pretty clear that, because of the time this took to develop and deploy, it didn't even start during the current administration. So, leaking this AND taking credit for it reveals not only a disregard for classified operations but also an egregious lack of integrity. And it shows our leadership as naive, self-centered, and infected with massive amounts of hubris to put politics ahead of protecting the details of a highly secret operation. Maybe the author thinks that naming the members of the Stuxnet development teams so they can be targeted by Iranian operatives would be even more helpful in building up our reputation as super genius cyberwarfare powers.
User Rank: Apprentice
6/7/2012 | 9:54:03 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
For starters, the apparent supporters of an administration that outed a CIA agent as revenge for her non-partisan husband's telling the truth about issues related to WMD in Iraq, absolutely unconditionally putting at risk the lives of dozens of operatives throughout the Middle East for the "crime" of supporting our interests, probably know a great deal about living in glass houses.

Let's ignore that ranting and look at the hot air du jour from DC. There's an assumption that the Obama administration as an administration is taking personal credit for this in an election year move. It's a given that the critics have just as much electioneering behind their intentions as Obama may have.

My sense is that the "bragging" is for external consumption. Hey you keep going forward we have ways of stopping you and we're not afraid to use them.

As to whether that kind of swagger and bluster is helpful, harmful or neutral there's surely room for debate. It was no secret to anyone that we were involved in developing Stuxnet but its details were not commonly known. If in the process of trying to intimidate Iran we give away any hints that technologists with lesser intentions can use, that will be no good thing.

Let's just hope that things get evaluated at that level in a discussion that's constructive, designed to move us forward not to tear down. I'm not holding my breath that we as a nation are capable of that nowadays.
User Rank: Apprentice
6/8/2012 | 1:24:23 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
Your comments read like a lot of descriptions I've read elsewhere when speaking of Gen X - so where's the surprise? I will work only if on my terms and with my equipment, I will work only if I can follow my twitter feeds and Facebook, I will work only if we have a matrixed org and multiple bosses so no one actually controls what I do,...
User Rank: Apprentice
6/9/2012 | 6:10:01 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
The fact that Stuxnet was injecting commands into the PLC and masking that it was doing so was evidence that it was designed, not for espionage as everyone had believed, but for physical sabotage. The researchers were stunned. It was the first time anyone had seen digital code in the wild being used to physically destroy something in the real world. Hollywood had imagined such a scenario years earlier in a Die Hard flick. Now reality had caught up with fantasy.

“We were expecting something to be espionage, we were expecting something to steal credit card numbers; that’s what we deal with every single day,” Chien recalls. “But we weren’t expecting this.”

User Rank: Apprentice
6/9/2012 | 6:10:55 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
Obama wants to BLOCK FREEDOM!
User Rank: Ninja
6/9/2012 | 9:55:53 PM
re: Was U.S. Government's Stuxnet Brag A Mistake?
I see both sides to this. In the long run, I am not sure leaking the information matters all that much in terms of national security because many people already assumed the U.S. and/or Israel was involved due to the complexity of Stuxnet, its purpose and the fact that there were so many infections in Iran. There certainly is value in keeping capabilities a secret, but I am not sure the discovery of Stuxnet in and of itself (as opposed to recent leaks) wasn't enough to get Iran to ramp up its cyber capabilities the way they have.
Brian Prince, InformationWeek/Dark Reading Comment Moderator