Obama Order Sped Up Wave of Cyberattacks Against Iran
By DAVID E. SANGER
Published: June 1, 2012
WASHINGTON — From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran's main nuclear enrichment facilities, significantly expanding America's first sustained use of cyberweapons, according to participants in the program.
Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran's Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.
At a tense meeting in the White House Situation Room within days of the worm's "escape," Mr. Obama, Vice President Joseph R. Biden Jr. and the director of the Central Intelligence Agency at the time, Leon E. Panetta, considered whether America's most ambitious attempt to slow the progress of Iran's nuclear efforts had been fatally compromised.
"Should we shut this thing down?" Mr. Obama asked, according to members of the president's national security team who were in the room.
Told it was unclear how much the Iranians knew about the code, and offered evidence that it was still causing havoc, Mr. Obama decided that the cyberattacks should proceed. In the following weeks, the Natanz plant was hit by a newer version of the computer worm, and then another after that. The last of that series of attacks, a few weeks after Stuxnet was detected around the world, temporarily took out nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium.
This account of the American and Israeli effort to undermine the Iranian nuclear program is based on interviews over the past 18 months with current and former American, European and Israeli officials involved in the program, as well as a range of outside experts. None would allow their names to be used because the effort remains highly classified, and parts of it continue to this day.
These officials gave differing assessments of how successful the sabotage program was in slowing Iran's progress toward developing the ability to build nuclear weapons. Internal Obama administration estimates say the effort was set back by 18 months to two years, but some experts inside and outside the government are more skeptical, noting that Iran's enrichment levels have steadily recovered, giving the country enough fuel today for five or more weapons, with additional enrichment.
Whether Iran is still trying to design and build a weapon is in dispute. The most recent United States intelligence estimate concludes that Iran suspended major parts of its weaponization effort after 2003, though there is evidence that some remnants of it continue.
Iran initially denied that its enrichment facilities had been hit by Stuxnet, then said it had found the worm and contained it. Last year, the nation announced that it had begun its own military cyberunit, and Brig. Gen. Gholamreza Jalali, the head of Iran's Passive Defense Organization, said that the Iranian military was prepared "to fight our enemies" in "cyberspace and Internet warfare." But there has been scant evidence that it has begun to strike back.
The United States government only recently acknowledged developing cyberweapons, and it has never admitted using them. There have been reports of one-time attacks against personal computers used by members of Al Qaeda, and of contemplated attacks against the computers that run air defense systems, including during the NATO-led air attack on Libya last year. But Olympic Games was of an entirely different type and sophistication.
It appears to be the first time the United States has repeatedly used cyberweapons to cripple another country's infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives. The code itself is 50 times as big as the typical computer worm, Carey Nachenberg, a vice president of Symantec, one of the many groups that have dissected the code, said at a symposium at Stanford University in April. Those forensic investigations into the inner workings of the code, while picking apart how it worked, came to no conclusions about who was responsible.
A similar process is now under way to figure out the origins of another cyberweapon called Flame that was recently discovered to have attacked the computers of Iranian officials, sweeping up information from those machines. But the computer code appears to be at least five years old, and American officials say that it was not part of Olympic Games. They have declined to say whether the United States was responsible for the Flame attack.
Mr. Obama, according to participants in the many Situation Room meetings on Olympic Games, was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons — even under the most careful and limited circumstances — could enable other countries, terrorists or hackers to justify their own attacks.
"We discussed the irony, more than once," one of his aides said. Another said that the administration was resistant to developing a "grand theory for a weapon whose possibilities they were still discovering." Yet Mr. Obama concluded that when it came to stopping Iran, the United States had no other choice.
If Olympic Games failed, he told aides, there would be no time for sanctions and diplomacy with Iran to work. Israel could carry out a conventional military attack, prompting a conflict that could spread throughout the region.
A Bush Initiative
The impetus for Olympic Games dates from 2006, when President George W. Bush saw few good options in dealing with Iran. At the time, America's European allies were divided about the cost that imposing sanctions on Iran would have on their own economies. Having falsely accused Saddam Hussein of reconstituting his nuclear program in Iraq, Mr. Bush had little credibility in publicly discussing another nation's nuclear ambitions. The Iranians seemed to sense his vulnerability, and, frustrated by negotiations, they resumed enriching uranium at an underground site at Natanz, one whose existence had been exposed just three years before.
Iran's president, Mahmoud Ahmadinejad, took reporters on a tour of the plant and described grand ambitions to install upward of 50,000 centrifuges. For a country with only one nuclear power reactor — whose fuel comes from Russia — to say that it needed fuel for its civilian nuclear program seemed dubious to Bush administration officials. They feared that the fuel could be used in another way besides providing power: to create a stockpile that could later be enriched to bomb-grade material if the Iranians made a political decision to do so.
Hawks in the Bush administration like Vice President Dick Cheney urged Mr. Bush to consider a military strike against the Iranian nuclear facilities before they could produce fuel suitable for a weapon. Several times, the administration reviewed military options and concluded that they would only further inflame a region already at war, and would have uncertain results.
For years the C.I.A. had introduced faulty parts and designs into Iran's systems — even tinkering with imported power supplies so that they would blow up — but the sabotage had had relatively little effect. General James E. Cartwright, who had established a small cyberoperation inside the United States Strategic Command, which is responsible for many of America's nuclear forces, joined intelligence officials in presenting a radical new idea to Mr. Bush and his national security team. It involved a far more sophisticated cyberweapon than the United States had designed before.
The goal was to gain access to the Natanz plant's industrial computer controls. That required leaping the electronic moat that cut the Natanz plant off from the Internet — called the air gap, because it physically separates the facility from the outside world. The computer code would invade the specialized computers that command the centrifuges.
The first stage in the effort was to develop a bit of computer code called a beacon that could be inserted into the computers, which were made by the German company Siemens and an Iranian manufacturer, to map their operations. The idea was to draw the equivalent of an electrical blueprint of the Natanz plant, to understand how the computers control the giant silvery centrifuges that spin at tremendous speeds. The connections were complex, and unless every circuit was understood, efforts to seize control of the centrifuges could fail.
Eventually the beacon would have to "phone home" — literally send a message back to the headquarters of the National Security Agency that would describe the structure and daily rhythms of the enrichment plant. Expectations for the plan were low; one participant said the goal was simply to "throw a little sand in the gears" and buy some time. Mr. Bush was skeptical, but lacking other options, he authorized the effort.
Breakthrough, Aided by Israel
It took months for the beacons to do their work and report home, complete with maps of the electronic directories of the controllers and what amounted to blueprints of how they were connected to the centrifuges deep underground.
Then the N.S.A. and a secret Israeli unit respected by American intelligence officials for its cyberskills set to work developing the enormously complex computer worm that would become the attacker from within.
The unusually tight collaboration with Israel was driven by two imperatives. Israel's Unit 8200, a part of its military, had technical expertise that rivaled the N.S.A.'s, and the Israelis had deep intelligence about operations at Natanz that would be vital to making the cyberattack a success. But American officials had another interest, to dissuade the Israelis from carrying out their own pre-emptive strike against the Iranian nuclear facilities. To do that, the Israelis would have to be convinced that the new line of attack was working. The only way to convince them, several officials said in interviews, was to have them deeply involved in every aspect of the program.
Soon the two countries had developed a complex worm that the Americans called "the bug." But the bug needed to be tested. So, under enormous secrecy, the United States began building replicas of Iran's P-1 centrifuges, an aging, unreliable design that Iran purchased from Abdul Qadeer Khan, the Pakistani nuclear chief who had begun selling fuel-making technology on the black market. Fortunately for the United States, it already owned some P-1s, thanks to the Libyan dictator, Col. Muammar el-Qaddafi.
When Colonel Qaddafi gave up his nuclear weapons program in 2003, he turned over the centrifuges he had bought from the Pakistani nuclear ring, and they were placed in storage at a weapons laboratory in Tennessee. The military and intelligence officials overseeing Olympic Games borrowed some for what they termed "destructive testing," essentially building a virtual replica of Natanz, but spreading the test over several of the Energy Department's national laboratories to keep even the most trusted nuclear workers from figuring out what was afoot.
Those first small-scale tests were surprisingly successful: the bug invaded the computers, lurking for days or weeks, before sending instructions to speed them up or slow them down so suddenly that their delicate parts, spinning at supersonic speeds, self-destructed. After several false starts, it worked. One day, toward the end of Mr. Bush's term, the rubble of a centrifuge was spread out on the conference table in the Situation Room, proof of the potential power of a cyberweapon. The worm was declared ready to test against the real target: Iran's underground enrichment plant.
"Previous cyberattacks had effects limited to other computers," Michael V. Hayden, the former chief of the C.I.A., said, declining to describe what he knew of these attacks when he was in office. "This is the first attack of a major nature in which a cyberattack was used to effect physical destruction," rather than just slow another computer, or hack into it to steal data.
"Somebody crossed the Rubicon," he said.
Getting the worm into Natanz, however, was no easy trick. The United States and Israel would have to rely on engineers, maintenance workers and others — both spies and unwitting accomplices — with physical access to the plant. "That was our holy grail," one of the architects of the plan said. "It turns out there is always an idiot around who doesn't think much about the thumb drive in their hand."
In fact, thumb drives turned out to be critical in spreading the first variants of the computer worm; later, more sophisticated methods were developed to deliver the malicious code.
The first attacks were small, and when the centrifuges began spinning out of control in 2008, the Iranians were mystified about the cause, according to intercepts that the United States later picked up. "The thinking was that the Iranians would blame bad parts, or bad engineering, or just incompetence," one of the architects of the early attack said.
The Iranians were confused partly because no two attacks were exactly alike. Moreover, the code would lurk inside the plant for weeks, recording normal operations; when it attacked, it sent signals to the Natanz control room indicating that everything downstairs was operating normally. "This may have been the most brilliant part of the code," one American official said.
Later, word circulated through the International Atomic Energy Agency, the Vienna-based nuclear watchdog, that the Iranians had grown so distrustful of their own instruments that they had assigned people to sit in the plant and radio back what they saw.
"The intent was that the failures should make them feel they were stupid, which is what happened," the participant in the attacks said. When a few centrifuges failed, the Iranians would close down whole "stands" that linked 164 machines, looking for signs of sabotage in all of them. "They overreacted," one official said. "We soon discovered they fired people."
Imagery recovered by nuclear inspectors from cameras at Natanz — which the nuclear agency uses to keep track of what happens between visits — showed the results. There was some evidence of wreckage, but it was clear that the Iranians had also carted away centrifuges that had previously appeared to be working well.
But by the time Mr. Bush left office, no wholesale destruction had been accomplished. Meeting with Mr. Obama in the White House days before his inauguration, Mr. Bush urged him to preserve two classified programs, Olympic Games and the drone program in Pakistan. Mr. Obama took Mr. Bush's advice.
The Stuxnet Surprise
Mr. Obama came to office with an interest in cyberissues, but he had discussed them during the campaign mostly in terms of threats to personal privacy and the risks to infrastructure like the electrical grid and the air traffic control system. He commissioned a major study on how to improve America's defenses and announced it with great fanfare in the East Room.
What he did not say then was that he was also learning the arts of cyberwar. The architects of Olympic Games would meet him in the Situation Room, often with what they called the "horse blanket," a giant foldout schematic diagram of Iran's nuclear production facilities. Mr. Obama authorized the attacks to continue, and every few weeks — certainly after a major attack — he would get updates and authorize the next step. Sometimes it was a strike riskier and bolder than what had been tried previously.
"From his first days in office, he was deep into every step in slowing the Iranian program — the diplomacy, the sanctions, every major decision," a senior administration official said. "And it's safe to say that whatever other activity might have been under way was no exception to that rule."
But the good luck did not last. In the summer of 2010, shortly after a new variant of the worm had been sent into Natanz, it became clear that the worm, which was never supposed to leave the Natanz machines, had broken free, like a zoo animal that found the keys to the cage. It fell to Mr. Panetta and two other crucial players in Olympic Games — General Cartwright, the vice chairman of the Joint Chiefs of Staff, and Michael J. Morell, the deputy director of the C.I.A. — to break the news to Mr. Obama and Mr. Biden.
An error in the code, they said, had led it to spread to an engineer's computer when it was hooked up to the centrifuges. When the engineer left Natanz and connected the computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed. It began replicating itself all around the world. Suddenly, the code was exposed, though its intent would not be clear, at least to ordinary computer users.
"We think there was a modification done by the Israelis," one of the briefers told the president, "and we don't know if we were part of that activity."
Mr. Obama, according to officials in the room, asked a series of questions, fearful that the code could do damage outside the plant. The answers came back in hedged terms. Mr. Biden fumed. "It's got to be the Israelis," he said. "They went too far."
In fact, both the Israelis and the Americans had been aiming for a particular part of the centrifuge plant, a critical area whose loss, they had concluded, would set the Iranians back considerably. It is unclear who introduced the programming error.
The question facing Mr. Obama was whether the rest of Olympic Games was in jeopardy, now that a variant of the bug was replicating itself "in the wild," where computer security experts can dissect it and figure out its purpose.
"I don't think we have enough information," Mr. Obama told the group that day, according to the officials. But in the meantime, he ordered that the cyberattacks continue. They were his best hope of disrupting the Iranian nuclear program unless economic sanctions began to bite harder and reduced Iran's oil revenues.
Within a week, another version of the bug brought down just under 1,000 centrifuges. Olympic Games was still on.
A Weapon's Uncertain Future
American cyberattacks are not limited to Iran, but the focus of attention, as one administration official put it, "has been overwhelmingly on one country." There is no reason to believe that will remain the case for long. Some officials question why the same techniques have not been used more aggressively against North Korea. Others see chances to disrupt Chinese military plans, forces in Syria on the way to suppress the uprising there, and Qaeda operations around the world. "We've considered a lot more attacks than we have gone ahead with," one former intelligence official said.
Mr. Obama has repeatedly told his aides that there are risks to using — and particularly to overusing — the weapon. In fact, no country's infrastructure is more dependent on computer systems, and thus more vulnerable to attack, than that of the United States. It is only a matter of time, most experts believe, before it becomes the target of the same kind of weapon that the Americans have used, secretly, against Iran.
This article is adapted from "Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power," to be published by Crown on Tuesday.
Is there any military secret the New York Times won't reveal?
Yeah. I mean we knew much of that information already, but it was surprising so many officials would be talking to the NYT about what is after all an ongoing operation.
Quote from: Barrister on June 01, 2012, 01:40:31 PM
Yeah. I mean we knew much of that information already, but it was surprising so many officials would be talking to the NYT about what is after all an ongoing operation.
During an election year.
Quote from: Admiral Yi on June 01, 2012, 02:30:46 PM
Quote from: Barrister on June 01, 2012, 01:40:31 PM
Yeah. I mean we knew much of that information already, but it was surprising so many officials would be talking to the NYT about what is after all an ongoing operation.
During an election year.
Ah. Of course. :rolleyes:
Still, after posting what I posted, I did see this article suggesting there is sure to be some foreign policy fallout from this all-but-official admission.
http://arstechnica.com/tech-policy/2012/06/stuxnet-admission-likely-to-have-foreign-policy-consequences/
This indicates one of two things to me:
1) The US is trying to put a confident face on cyberwar while winding down, and/or
2) The psychological component of knowledge has been deemed to have greater strategic value than "making the Iranians feel stupid."
Also, Israel's involvement isn't exactly a surprise to any up-to-date ACM members, since we've known for a while that most of the software talent comes from/goes to Israel at some point.
Face it, fellas; by the time this sort of stuff makes it to open source, the relevant actors involved on all sides are already aware of things. The New York Times will not spawn any epiphanies in Tehran.
Quote from: CountDeMoney on June 01, 2012, 03:21:24 PM
Face it, fellas; by the time this sort of stuff makes it to open source, the relevant actors involved on all sides are already aware of things. The New York Times will not spawn any epiphanies in Tehran.
It removes any plausible deniability on the part of the US.
Quote from: Barrister on June 01, 2012, 04:25:17 PM
Quote from: CountDeMoney on June 01, 2012, 03:21:24 PM
Face it, fellas; by the time this sort of stuff makes it to open source, the relevant actors involved on all sides are already aware of things. The New York Times will not spawn any epiphanies in Tehran.
It removes any plausible deniability on the part of the US.
Right, because it could conceivably be pinned on Uruguay.
Quote from: CountDeMoney on June 01, 2012, 04:26:26 PM
Quote from: Barrister on June 01, 2012, 04:25:17 PM
Quote from: CountDeMoney on June 01, 2012, 03:21:24 PM
Face it, fellas; by the time this sort of stuff makes it to open source, the relevant actors involved on all sides are already aware of things. The New York Times will not spawn any epiphanies in Tehran.
It removes any plausible deniability on the part of the US.
Right, because it could conceivably be pinned on Uruguay.
It could have been a purely Israeli operation.
Quote from: Barrister on June 01, 2012, 04:28:13 PM
It could have been a purely Israeli operation.
They don't do shit on Fridays.
Quote from: CountDeMoney on June 01, 2012, 03:21:24 PM
Face it, fellas; by the time this sort of stuff makes it to open source, the relevant actors involved on all sides are already aware of things. The New York Times will not spawn any epiphanies in Tehran.
The camel in charge of IT over there was still in the dark.
How the hell did this get leaked out? An investigation better be done and some heads need to roll!
:mad:
Also, leaks about the Yemeni agent's identity. The one who found out about the new bomb process the radicals were going to use. That agent had to be pulled out, of course, and probably his and his family's safety compromised. I don't know if this was a US, UK or some other leak though. But if it was a US leak, then the US has a lot of work to do, and more heads to be rolled! :mad:
Also, for the movie on the OBL raid, someone, the Pentagon or whoever was working with the movie makers, gave the name of one of the SEAL leaders. More heads need to roll!
This has been going on since Pres Bush. These clowns in the US govt need to seriously get their act together!
Quote from: KRonn on June 01, 2012, 05:58:40 PM
How the hell did this get leaked out? An investigation better be done and some heads need to roll!
:mad:
Also, leaks about the Yemeni agent's identity. The one who found out about the new bomb process the radicals were going to use. That agent had to be pulled out, of course, and probably his and his family's safety compromised. I don't know if this was a US, UK or some other leak though. But if it was a US leak, then the US has a lot of work to do, and more heads to be rolled! :mad:
Also, for the movie on the OBL raid, someone, the Pentagon or whoever was working with the movie makers, gave the name of one of the SEAL leaders. More heads need to roll!
This has been going on since Pres Bush. These clowns in the US govt need to seriously get their act together!
Not sure if serious. :hmm:
I'm serious. All of those were leaks, and intel leaks seem to be a real problem with the US govt. Some of those intel programs were good ones to have, real coups, but now the world knows of them. Leaks that give away an agent's identity make it harder to recruit more people in the future, for instance. This isn't an anti-Obama issue; it's a problem with how the US does intel and keeps its secrets.
Quote from: KRonn on June 01, 2012, 09:36:49 PM
I'm serious. All of those were leaks, and intel leaks seem to be a real problem with the US govt. Some of those intel programs were good ones to have, real coups, but now the world knows of them. Leaks that give away an agent's identity make it harder to recruit more people in the future, for instance. This isn't an anti-Obama issue; it's a problem with how the US does intel and keeps its secrets.
One thing, particularly with government and military higher-ups that otherwise never get the attention, is the compelling need to shine and be noticed. For example, look at McChrystal and Rolling Stone; they just loooove the attention, and they talk before they think.
Hell, then again, that's practically in any organization; bureaucracies, police departments, mega-corporations. Executives just love to preen for the camera, for the reporter, anybody who's paying them their rapt attention. Leaks make people feel important.
The ID leak is a concern, yeah, but my gut's telling me the Stuxnet leak is sanctioned. Part of that is the obvious propaganda tool in espousing cyberwarfare. It might be cheap, it might grant plausible deniability, but it's also incredibly "disposable" in that as soon as a vulnerability is patched, the attacker's back to square one.
From a hacking standpoint, the development of Stuxnet was incredibly stupid. There were over 28 zero days. That's called "putting all of the eggs in one basket." One fully-analyzed rogue sample later, all of those zero days have been used up. That's up to 27 wasted opportunities to keep the heat on.
Right, leaks make them feel important. I can understand that, and see that as part of the motivation. But that leaked info causes quite a mess, in some cases people die or operations are compromised, so they must feel the fools or much worse then. And they know the consequences of their actions. Totally irresponsible. And if caught they certainly look the contemptible fools, aside from criminal charges being brought.
I wonder how bad the stuxnet virus will be, if others are able to replicate it, figure it out. I assume it's been captured on some computers, and people who don't like us now have access to try and figure it out, use it against us.
Quote from: KRonn on June 01, 2012, 09:54:07 PM
I wonder how bad the stuxnet virus will be, if others are able to replicate it, figure it out. I assume it's been captured on some computers, and people who don't like us now have access to try and figure it out, use it against us.
Not bad, actually. Stuxnet has a very specific target in that every bit of the code is tailored to attack antique centrifuges via Siemens SCADA systems and zero days ID'ed as unique to the Iranians (a zero day that wasn't unique to the setup is how this thing got publicly released and then patched in the first place). A hostile would need to ID a point of insertion, US-unique zero days, and completely rewrite pointers based on US hardware and software configurations. In other words, they'd need to rewrite it from scratch.
Quote from: KRonn on June 01, 2012, 09:54:07 PM
I wonder how bad the stuxnet virus will be, if others are able to replicate it, figure it out. I assume it's been captured on some computers, and people who don't like us now have access to try and figure it out, use it against us.
It's a little more complicated than people think, especially if you're targeting specific ICS and SCADA networks in a closed RPN environment.
Here's Symantec's white paper on Stuxnet and Duqu: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
Interesting reading.
Ok, sounds better as far as the virus not being reverse engineered.
So this could have been just as fairly titled: GW Bush, CyberWarrior.
Quote from: Berkut on June 01, 2012, 10:30:09 PM
So this could have been just as fairly titled: GW Bush, CyberWarrior.
Just like your post could've been just as fairly titled: Berkut, LOLWUT Asshat Fartbag.
Quote from: KRonn on June 01, 2012, 09:54:07 PM
I wonder how bad the stuxnet virus will be, if others are able to replicate it, figure it out. I assume it's been captured on some computers, and people who don't like us now have access to try and figure it out, use it against us.
Here, check this out. Whoops.
WASHINGTON — The Obama administration is warning American businesses about an unusually potent computer virus that infected Iran's oil industry even as suspicions persist that the United States is responsible for secretly creating and unleashing cyberweapons against foreign countries.
The government's dual roles of alerting U.S. companies about these threats and producing powerful software weapons and eavesdropping tools underscore the risks of an unintended, online boomerang.
Unlike a bullet or missile fired at an enemy, a cyberweapon that spreads across the Internet may circle back accidentally to infect computers it was never supposed to target. It's one of the unusual challenges facing the programmers who build such weapons, and presidents who must decide when to launch them.
The Homeland Security Department's warning about the new virus, known as "Flame," assured U.S. companies that no infections had been discovered so far inside the U.S. It described Flame as an espionage tool that was sophisticated in design, using encryption and other techniques to help break into computers and move through corporate or private networks. The virus can eavesdrop on data traffic, take screenshots and record audio and keystrokes. The department said the origin is a mystery.
The White House has declined to discuss the virus.
Suspicions heightened
But suspicions about the U.S. government's role in the use of cyberweapons were heightened by a report in Friday's New York Times. Based on anonymous sources, it said President Barack Obama secretly had ordered the use of another sophisticated cyberweapon, known as Stuxnet, to attack the computer systems that run Iran's main nuclear enrichment facilities. The order was an extension of a sabotage program that the Times said began during the Bush administration.
Private security researchers long have suspected that the U.S. and Israeli governments were responsible for Stuxnet. But the newspaper's detailed description of conversations in the Oval Office among Obama, the vice president and the CIA director about the U.S. government's responsibility for Stuxnet is the most direct evidence of this to date. U.S. officials rarely discuss the use of cyberweapons outside of classified settings.
Stuxnet is believed to have been released as early as 2009. It was discovered in June 2010 by a Belarusian antivirus researcher analyzing a customer's infected computer in Iran. It targeted electronic program controllers built by Siemens AG of Germany that were installed in Iran. The U.S. government also circulated warnings to American businesses about Stuxnet after it was detected.
The White House said Friday it would not discuss whether the U.S. was responsible for the Stuxnet attacks on Iran.
"I'm not able to comment on any of the specifics or details," White House spokesman Josh Earnest said. "That information is classified for a reason, and it is kept secret. It is intended not to be publicized because publicizing it would pose a threat to our national security."
Uncharted territory
Cyberweapons are uncharted territory because U.S. laws are ambiguous about their use, and questions about their effectiveness and reliability are mostly unresolved. Attackers online can disguise their origins or even impersonate an innocent bystander organization, making it difficult to identify the actual target when responding to attacks.
Viruses and malicious software, known as malware, rely on vulnerabilities in commercial software and hardware products. But it is hard to design a single payload that always will succeed because the target may have fixed a software vulnerability or placed computers behind a firewall.
On the Internet, where being connected is a virtue, an attack intended for one target can spread unexpectedly. Whether a cyberweapon can boomerang depends on its state of the art, according to computer security experts. On that point, there are deep divisions over Flame.
Russian digital security provider Kaspersky Lab, which first identified the virus, said Flame's complexity and functionality "exceed those of all other cybermenaces known to date." There is no doubt, the company said, that a government sponsored the research that developed it. Yet Flame's author remains unknown because there is no information in the code of the virus that would link it to a particular country.
Other experts said it wasn't as fearsome.
'No secret sauce'
Much of the code used to build the virus is old and available on the Internet, said Becky Bace, chief strategist at the Center for Forensics, Information Technology and Security at the University of South Alabama. Flame could have been developed by a small team of smart people who are motivated and have financial backing, she said, making it just as likely a criminal enterprise or a group working as surrogates could have been responsible.
"Here's the wake-up call as far as cyber is concerned: You don't have to be a nation-state to have what it would take to put together a threat of this particular level of sophistication," said Bace, who spent 12 years at the National Security Agency working on intrusion detection and network security. "There's no secret sauce here."
Stuxnet was far more complex.
Still, Stuxnet could not have worked without detailed intelligence about Iran's nuclear program that was obtained through conventional spycraft, said Mikko Hypponen, chief research officer at F-Secure, a digital security company in Helsinki, Finland. The countries with the motivation and the means to gather that data are the United States and Israel, he said.
"This is at the level of complexity that very few organizations in the world would even attempt," said Hypponen, who has studied Stuxnet and Flame. "Basically you have to have moles. Most of what they needed to pull this off was most likely collected with what we would characterize as traditional intelligence work."
Collateral damage?
The more intricately designed a cyberweapon is, the less likely it will boomerang. Stuxnet spread well beyond the Iranian computer networks it was intended to hit. But the collateral damage was minimal because the virus was developed to go after very specific targets.
"When some of these super sophisticated things spread, it's bad but it may not have the same impact because the virus itself is so complex," said Jacob Olcott, a senior cybersecurity expert at Good Harbor Consulting. "It's designed to only have its impact when it finds certain conditions."
Israel is a world leader in cybertechnology and senior Israeli officials did little to deflect suspicion about that country's involvement in cyberweapons. "Whoever sees the Iranian threat as a significant threat is likely to take various steps, including these, to hobble it," said Vice Premier Moshe Yaalon, a former military chief and minister of strategic affairs.
A senior defense official involved in Israel's cyberwarfare program said Friday that, "Israel is investing heavily in units that deal with cyberwarfare both for defense and offense." He would not elaborate. The official spoke on condition of anonymity because he is not allowed to speak with the media.
Isaac Ben-Israel, an adviser to Israeli Prime Minister Benjamin Netanyahu on cybersecurity issues, declined Friday to say whether Israel was involved with Stuxnet.
It could take years to know who is responsible, which is what is so unsettling about attacks in cyberspace. "We are very good as an industry at figuring out what a piece of malware does," said Dave Marcus, director of advanced research and threat intelligence at digital security giant McAfee. "But we are less accurate when it comes to saying what group is responsible for it, or it came from this country or that organization."
Yeah CDM. I had seen something like this on the news yesterday so that's why I brought it up. Things could get "interesting" if this thing does make the rounds of businesses. But it may all be speculation or a cover story to try and say it isn't the work of US intel.