Defense Secretary Leon E. Panetta warned Thursday that the United States was
facing the possibility of a “cyber-Pearl Harbor” and was increasingly vulnerable
to foreign computer hackers who could dismantle the nation’s power grid,
transportation system, financial networks and government.
In a speech at the Intrepid Sea, Air and Space Museum in New York, Mr. Panetta
painted a dire picture of how such an attack on the United States might unfold.
He said he was reacting to increasing aggressiveness and technological advances
by the nation’s adversaries, which officials identified as China, Russia, Iran
and militant groups.
“An aggressor nation or extremist group could use these kinds of cyber tools to
gain control of critical switches,” Mr. Panetta said. “They could derail
passenger trains, or even more dangerous, derail passenger trains loaded with
lethal chemicals. They could contaminate the water supply in major cities, or
shut down the power grid across large parts of the country.”
Defense officials insisted that Mr. Panetta’s words were not hyperbole, and that
he was responding to a recent wave of cyberattacks on large American financial
institutions. He also cited an attack in August on the state oil company Saudi
Aramco, which infected and made useless more than 30,000 computers.
But Pentagon officials acknowledged that Mr. Panetta was also pushing for
legislation on Capitol Hill. It would require new standards at critical
private-sector infrastructure facilities — like power plants, water treatment
facilities and gas pipelines — where a computer breach could cause significant
casualties or economic damage.
In August, a cybersecurity bill that had been one of the administration’s
national security priorities was blocked by a group of Republicans, led by
Senator John McCain of Arizona, who took the side of the U.S. Chamber of
Commerce and said it would be too burdensome for corporations.
The most destructive possibilities, Mr. Panetta said, involve “cyber-actors
launching several attacks on our critical infrastructure at one time, in
combination with a physical attack.” He described the collective result as a
“cyber-Pearl Harbor that would cause physical destruction and the loss of life,
an attack that would paralyze and shock the nation and create a profound new
sense of vulnerability.”
Mr. Panetta also argued against the idea that new legislation would be costly
for business. “The fact is that to fully provide the necessary protection in our
democracy, cybersecurity must be passed by the Congress,” he told his audience,
Business Executives for National Security. “Without it, we are and we will be
vulnerable.”
With the legislation stalled, Mr. Panetta said President Obama was weighing the
option of issuing an executive order that would promote information sharing on
cybersecurity between government and private industry. But Mr. Panetta made
clear that he saw it as a stopgap measure and that private companies, which are
typically reluctant to share internal information with the government, would
cooperate fully only if required to by law.
“We’re not interested in looking at e-mail, we’re not interested in looking at
information in computers, I’m not interested in violating rights or liberties of
people,” Mr. Panetta told editors and reporters at The New York Times earlier on
Thursday. “But if there is a code, if there’s a worm that’s being inserted, we
need to know when that’s happening.”
He said that with an executive order making cooperation by the private sector
only voluntary, “I’m not sure they’re going to volunteer if they don’t feel that
they’re protected legally in terms of sharing information.”
“So our hope is that ultimately we can get Congress to adopt that kind of
legislation,” he added.
Mr. Panetta’s comments, his most extensive to date on cyberwarfare, also sought
to increase the level of public debate about the Defense Department’s growing
capacity not only to defend but also to carry out attacks over computer
networks. Even so, he carefully avoided using the words “offense” or “offensive”
in the context of American cyberwarfare, instead defining the Pentagon’s
capabilities as “action to defend the nation.”
The United States has nonetheless engaged in its own cyberattacks against
adversaries, although it has never publicly admitted it. From his first months
in office, Mr. Obama ordered sophisticated attacks on the computer systems that
run Iran’s main nuclear enrichment plants, according to participants in the
program. He decided to accelerate the attacks, which were begun in the Bush
administration and code-named Olympic Games, even after an element of the
program accidentally became public in the summer of 2010.
In a part of the speech notable for carefully chosen words, Mr. Panetta warned
that the United States “won’t succeed in preventing a cyberattack through
improved defenses alone.”
“If we detect an imminent threat of attack that will cause significant physical
destruction in the United States or kill American citizens, we need to have the
option to take action against those who would attack us, to defend this nation
when directed by the president,” Mr. Panetta said. “For these kinds of
scenarios, the department has developed the capability to conduct effective
operations to counter threats to our national interests in cyberspace.”
The comments indicated that the United States might redefine defense in
cyberspace as requiring the capacity to reach forward over computer networks if
an attack was detected or anticipated, and take pre-emptive action. These same
offensive measures also could be used in a punishing retaliation for a
first-strike cyberattack on an American target, senior officials said.
Senior Pentagon officials declined to describe specifics of what offensive
cyberwarfare abilities the Defense Department has fielded or is developing. And
while Mr. Panetta avoided labeling them as “offensive,” other senior military
and Pentagon officials have recently begun acknowledging their growing focus on
these tools.
The Defense Department is finalizing “rules of engagement” that would put the
Pentagon’s cyberweapons into play only in case of an attack on American targets
that rose to some still unspecified but significant levels. Short of that, the
Pentagon shares intelligence and offers technical assistance to the F.B.I. and
other agencies.
Cybersecurity efforts in the United States have largely
centered on defending computer networks against attacks by hackers, criminals
and foreign governments, mainly China. Increasingly, however, the focus is on
developing offensive capabilities, on figuring out how and when the United
States might unleash its own malware to disrupt an adversary’s networks. That is
potentially dangerous territory.
Such malware is believed to have little deterrent value against criminals who
use computers to steal money from banks or spies who pilfer industrial secrets.
But faced with rising intrusions against computers that run America’s military
systems and its essential infrastructure — its power grid, for instance, and its
telecommunications networks — the military here (and elsewhere) sees disruptive
software as an essential new tool of war. According to a study by the Center for
Strategic and International Studies, the 15 countries with the biggest military
budgets are all investing in offensive cyber capabilities.
The latest step occurred last month when the United States sent out bids for
technologies “to destroy, deny, degrade, disrupt, corrupt or usurp” an
adversary’s attempt to use cyberspace for advantage. The Air Force asked for
proposals to plan for and manage cyberwarfare, including the ability to launch
superfast computer attacks and withstand retaliation.
The United States, China, Russia, Britain and Israel began developing basic
cyberattack capabilities at least a decade ago and are still figuring out how to
integrate them into their military operations. Experts say cyberweapons will be
used before or during conflicts involving conventional weapons to infect an
adversary’s network and disrupt a target, including shutting down military
communications. The most prominent example is the Stuxnet virus deployed in 2010
by the United States and Israel to set back Iran’s nuclear program. Other
cyberattacks occurred in 2007 against Syria and 1998 against Serbia.
Crucial questions remain unanswered, including what laws of war would apply to
decisions to launch an attack. The United States still hasn’t figured out what
impact cyberweapons could have on actual battlefield operations or when an
aggressive cyber response is required. Nor has Washington settled on who would
authorize an attack; experts see roles for both the president and military
commanders. There is also the unresolved issue of how to minimize collateral
damage — like making sure malware does not cripple a civilian hospital.
Another big concern is China, which is blamed for stealing American military
secrets. Washington has not had much success persuading Beijing to rein in its
hackers. There is a serious risk of miscalculation if, for example, there is a
confrontation in the South China Sea. China could misinterpret a move, unleash a
cyberattack and trigger a real cyberwar. What’s clearly needed are new
international understandings about what constitutes cyber aggression and how
governments should respond. Meanwhile, the United States must do what it can to
protect its own networks.
August 1, 2012
The New York Times
By ASHTON B. CARTER and JANE HOLL LUTE
Washington
OVER the last decade, the United States has built a sophisticated security
system to protect the nation’s seaports against terrorists and criminals. But
our nation’s critical infrastructure is not similarly secured from cyberattack.
Although we have made progress in recent years, Congressional action is needed
to ensure that our laws keep pace with the electronically connected world we
live in. The bipartisan Cybersecurity Act of 2012, currently before the Senate,
offers a way forward.
A disruption of our electric grid or other critical infrastructure could
temporarily cripple the American economy. What’s less well known is that such an
attack could threaten the nation’s defense as well.
Ninety-nine percent of the electricity the military uses comes from civilian
sources. Ninety percent of military voice and Internet communications travel
over commercial networks. Much of the country’s military logistics are handled
by commercial shippers who rely, in turn, on privately managed networks.
As we protect our ports and coastlines, so must we marshal resources and
techniques to mount an adequate defense of our networks. Our port security is
ensured by a combination of the Coast Guard, Customs and Border Protection,
state and local governments, and private shipping companies and port operators,
with the support of the Navy and the intelligence agencies. Together, they
patrol American waters, scan cargo, analyze and share information about threats
to our coastlines, and report suspicious behavior to the proper authorities. If
any of these layers were to be removed, our defenses would be weakened.
Effective cybersecurity requires a similar multilevel approach. We have a final
line of cyberdefense in the Defense Department’s Cyber Command, which defends
the nation against advanced cyberattacks, and we have a strong cyberintelligence
system in the National Security Agency, which detects cyberthreats from
overseas. But we need additional levels of defense to protect the nation’s
critical infrastructure.
Collective problems require collaborative solutions. The government and private
sector must work together to prevent cyberdisruption, cyberdestruction and theft
of intellectual property. This requires robust sharing of information between
the government and private sector, aggressive prosecution of cybercriminals, and
cooperation among federal agencies.
Simply put, the Cybersecurity Act would help by enabling the government to share
information about cyberthreats with industry. The legislation would also permit
the private sector to report cyberintrusions to the government or private
companies. That ability would increase awareness of cyberthreats, while leaving
the private sector in control of which information is shared. It would do all of
this while protecting privacy and civil liberties, through robust oversight and
accountability measures.
None of us want to see heavy government regulation, especially of the Internet,
the fount of so much innovation and economic productivity. The legislation would
provide meaningful baseline cybersecurity standards for industry, developed and
adopted through a joint industry-government process.
Although the American economy needs effective cybersecurity measures to function
and prosper, many providers of critical infrastructure have not invested in
basic strategies to defend themselves against cyberthreats. Meaningful standards
will help drive companies to invest and help fill the gaps in our nation’s
cyberdefenses.
Finally, the Cybersecurity Act would ensure that the Department of Homeland
Security has the ability to protect federal networks and assist the private
sector effectively and efficiently, by strengthening the department’s legal
authority.
The Department of Defense stands ready to support the Department of Homeland
Security and any other agency in protecting the nation’s critical
infrastructure. Together, our two departments can bring our technical ability to
bear and improve the nation’s stock of cybersecurity tools and technology.
This legislation is a critical step for defending America’s infrastructure
against the clear and present cyberthreats we face. We’re not going to solve
this problem overnight; it will involve a learning experience for both the
private sector and the government, but we must learn fast, and develop solutions
as quickly as possible. The legislation will help pave the way to American
security and prosperity in the information age. It deserves the full support of
Congress and the American people.
Relentless assaults on America’s computer networks by China and other foreign
governments, hackers and criminals have created an urgent need for safeguards to
protect these vital systems. The question now is whether the Senate will provide
them. Senator John McCain, a Republican of Arizona, and the Chamber of Commerce
have already exacted compromises from sponsors of a reasonably strong bill, and
are asking for more. Their demands should be resisted and the original bill
approved by the Senate.
Officials and experts have warned about cybersecurity dangers for years; now the
alarms are more insistent. On Thursday, Gen. Keith Alexander, the chief of the
United States Cyber Command and the director of the National Security Agency,
said intrusions against computers that run essential infrastructure increased
17-fold from 2009-11 and that it’s only a matter of time before an attack causes
physical damage. He has also called the loss of industrial information and
intellectual property through cyberespionage “the greatest transfer of wealth in
history.”
American officials say businesses already lose billions of dollars annually.
Hundreds of major companies, defense contractors and government agencies have
been affected. Attacks on power plants, electric grids, refineries,
transportation networks and water treatment systems present an even greater
threat. Last year, there were at least 200 attempted or successful cyberattacks
on those facilities.
Yet defenses are dangerously thin. On a scale of 1 to 10, General Alexander
rated preparedness for a large-scale cyberattack — shutting down the stock
exchange, for instance — as “around a 3.” That is why President Obama and others
have argued for mandatory minimum standards that would require companies to
share information and harden computer protections.
Bipartisan legislation drafted by Senator Joseph Lieberman, a Connecticut
independent and the chairman of the homeland security committee, and Senator
Susan Collins of Maine, the ranking Republican member, met that bar. But faced
with strong opposition from Mr. McCain and the business community, the sponsors
compromised. Under the revised bill, industry will develop the standards for
addressing threats and compliance will be voluntary.
This has not satisfied Mr. McCain or the chamber, which insists the bill would
still be too costly and cumbersome. Last year, a survey of more than 9,000
executives in more than 130 countries by the PricewaterhouseCoopers consulting
firm found that only 13 percent of those polled had taken adequate defensive
action against cyberthreats.
Not all companies share that aversion to the bill. Microsoft and Symantec, among
others, have supported the original Lieberman-Collins legislation. And civil
liberties groups say their earlier privacy concerns have been addressed. It’s
time for the endless talk of cyberthreats to be met by action. The
Lieberman-Collins bill should be voted by the Senate this week and then merged
with the House version so a law can be enacted this year. If not, and a
catastrophic cyberattack occurs, Americans will be justified in asking why their
lawmakers, mired in election-year partisanship, failed to protect them.
June 1, 2012
The New York Times
By DAVID E. SANGER
WASHINGTON — From his first months in office, President Obama secretly ordered
increasingly sophisticated attacks on the computer systems that run Iran’s main
nuclear enrichment facilities, significantly expanding America’s first sustained
use of cyberweapons, according to participants in the program.
Mr. Obama decided to accelerate the attacks — begun in the Bush administration
and code-named Olympic Games — even after an element of the program accidentally
became public in the summer of 2010 because of a programming error that allowed
it to escape Iran’s Natanz plant and sent it around the world on the Internet.
Computer security experts who began studying the worm, which had been developed
by the United States and Israel, gave it a name: Stuxnet.
At a tense meeting in the White House Situation Room within days of the worm’s
“escape,” Mr. Obama, Vice President Joseph R. Biden Jr. and the director of the
Central Intelligence Agency at the time, Leon E. Panetta, considered whether
America’s most ambitious attempt to slow the progress of Iran’s nuclear efforts
had been fatally compromised.
“Should we shut this thing down?” Mr. Obama asked, according to members of the
president’s national security team who were in the room.
Told it was unclear how much the Iranians knew about the code, and offered
evidence that it was still causing havoc, Mr. Obama decided that the
cyberattacks should proceed. In the following weeks, the Natanz plant was hit by
a newer version of the computer worm, and then another after that. The last of
that series of attacks, a few weeks after Stuxnet was detected around the world,
temporarily took out nearly 1,000 of the 5,000 centrifuges Iran had spinning at
the time to purify uranium.
This account of the American and Israeli effort to undermine the Iranian nuclear
program is based on interviews over the past 18 months with current and former
American, European and Israeli officials involved in the program, as well as a
range of outside experts. None would allow their names to be used because the
effort remains highly classified, and parts of it continue to this day.
These officials gave differing assessments of how successful the sabotage
program was in slowing Iran’s progress toward developing the ability to build
nuclear weapons. Internal Obama administration estimates say the effort was set
back by 18 months to two years, but some experts inside and outside the
government are more skeptical, noting that Iran’s enrichment levels have
steadily recovered, giving the country enough fuel today for five or more
weapons, with additional enrichment.
Whether Iran is still trying to design and build a weapon is in dispute. The
most recent United States intelligence estimate concludes that Iran suspended
major parts of its weaponization effort after 2003, though there is evidence
that some remnants of it continue.
Iran initially denied that its enrichment facilities had been hit by Stuxnet,
then said it had found the worm and contained it. Last year, the nation
announced that it had begun its own military cyberunit, and Brig. Gen.
Gholamreza Jalali, the head of Iran’s Passive Defense Organization, said that
the Iranian military was prepared “to fight our enemies” in “cyberspace and
Internet warfare.” But there has been scant evidence that it has begun to strike
back.
The United States government only recently acknowledged developing cyberweapons,
and it has never admitted using them. There have been reports of one-time
attacks against personal computers used by members of Al Qaeda, and of
contemplated attacks against the computers that run air defense systems,
including during the NATO-led air attack on Libya last year. But Olympic Games
was of an entirely different type and sophistication.
It appears to be the first time the United States has repeatedly used
cyberweapons to cripple another country’s infrastructure, achieving, with
computer code, what until then could be accomplished only by bombing a country
or sending in agents to plant explosives. The code itself is 50 times as big as
the typical computer worm, Carey Nachenberg, a vice president of Symantec, one
of the many groups that have dissected the code, said at a symposium at Stanford
University in April. Those forensic investigations into the inner workings of
the code, while picking apart how it worked, came to no conclusions about who
was responsible.
A similar process is now under way to figure out the origins of another
cyberweapon called Flame that was recently discovered to have attacked the
computers of Iranian officials, sweeping up information from those machines. But
the computer code appears to be at least five years old, and American officials
say that it was not part of Olympic Games. They have declined to say whether the
United States was responsible for the Flame attack.
Mr. Obama, according to participants in the many Situation Room meetings on
Olympic Games, was acutely aware that with every attack he was pushing the
United States into new territory, much as his predecessors had with the first
use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s
and of drones in the past decade. He repeatedly expressed concerns that any
American acknowledgment that it was using cyberweapons — even under the most
careful and limited circumstances — could enable other countries, terrorists or
hackers to justify their own attacks.
“We discussed the irony, more than once,” one of his aides said. Another said
that the administration was resistant to developing a “grand theory for a weapon
whose possibilities they were still discovering.” Yet Mr. Obama concluded that
when it came to stopping Iran, the United States had no other choice.
If Olympic Games failed, he told aides, there would be no time for sanctions and
diplomacy with Iran to work. Israel could carry out a conventional military
attack, prompting a conflict that could spread throughout the region.
A Bush Initiative
The impetus for Olympic Games dates from 2006, when President George W. Bush saw
few good options in dealing with Iran. At the time, America’s European allies
were divided about the cost that imposing sanctions on Iran would have on their
own economies. Having falsely accused Saddam Hussein of reconstituting his
nuclear program in Iraq, Mr. Bush had little credibility in publicly discussing
another nation’s nuclear ambitions. The Iranians seemed to sense his
vulnerability, and, frustrated by negotiations, they resumed enriching uranium
at an underground site at Natanz, one whose existence had been exposed just
three years before.
Iran’s president, Mahmoud Ahmadinejad, took reporters on a tour of the plant and
described grand ambitions to install upward of 50,000 centrifuges. For a country
with only one nuclear power reactor — whose fuel comes from Russia — to say that
it needed fuel for its civilian nuclear program seemed dubious to Bush
administration officials. They feared that the fuel could be used in another way
besides providing power: to create a stockpile that could later be enriched to
bomb-grade material if the Iranians made a political decision to do so.
Hawks in the Bush administration like Vice President Dick Cheney urged Mr. Bush
to consider a military strike against the Iranian nuclear facilities before they
could produce fuel suitable for a weapon. Several times, the administration
reviewed military options and concluded that they would only further inflame a
region already at war, and would have uncertain results.
For years the C.I.A. had introduced faulty parts and designs into Iran’s systems
— even tinkering with imported power supplies so that they would blow up — but
the sabotage had had relatively little effect. General James E. Cartwright, who
had established a small cyberoperation inside the United States Strategic
Command, which is responsible for many of America’s nuclear forces, joined
intelligence officials in presenting a radical new idea to Mr. Bush and his
national security team. It involved a far more sophisticated cyberweapon than
the United States had designed before.
The goal was to gain access to the Natanz plant’s industrial computer controls.
That required leaping the electronic moat that cut the Natanz plant off from the
Internet — called the air gap, because it physically separates the facility from
the outside world. The computer code would invade the specialized computers that
command the centrifuges.
The first stage in the effort was to develop a bit of computer code called a
beacon that could be inserted into the computers, which were made by the German
company Siemens and an Iranian manufacturer, to map their operations. The idea
was to draw the equivalent of an electrical blueprint of the Natanz plant, to
understand how the computers control the giant silvery centrifuges that spin at
tremendous speeds. The connections were complex, and unless every circuit was
understood, efforts to seize control of the centrifuges could fail.
Eventually the beacon would have to “phone home” — literally send a message back
to the headquarters of the National Security Agency that would describe the
structure and daily rhythms of the enrichment plant. Expectations for the plan
were low; one participant said the goal was simply to “throw a little sand in
the gears” and buy some time. Mr. Bush was skeptical, but lacking other options,
he authorized the effort.
Breakthrough, Aided by Israel
It took months for the beacons to do their work and report home, complete with
maps of the electronic directories of the controllers and what amounted to
blueprints of how they were connected to the centrifuges deep underground.
Then the N.S.A. and a secret Israeli unit respected by American intelligence
officials for its cyberskills set to work developing the enormously complex
computer worm that would become the attacker from within.
The unusually tight collaboration with Israel was driven by two imperatives.
Israel’s Unit 8200, a part of its military, had technical expertise that rivaled
the N.S.A.’s, and the Israelis had deep intelligence about operations at Natanz
that would be vital to making the cyberattack a success. But American officials
had another interest, to dissuade the Israelis from carrying out their own
pre-emptive strike against the Iranian nuclear facilities. To do that, the
Israelis would have to be convinced that the new line of attack was working. The
only way to convince them, several officials said in interviews, was to have
them deeply involved in every aspect of the program.
Soon the two countries had developed a complex worm that the Americans called
“the bug.” But the bug needed to be tested. So, under enormous secrecy, the
United States began building replicas of Iran’s P-1 centrifuges, an aging,
unreliable design that Iran purchased from Abdul Qadeer Khan, the Pakistani
nuclear chief who had begun selling fuel-making technology on the black market.
Fortunately for the United States, it already owned some P-1s, thanks to the
Libyan dictator, Col. Muammar el-Qaddafi.
When Colonel Qaddafi gave up his nuclear weapons program in 2003, he turned over
the centrifuges he had bought from the Pakistani nuclear ring, and they were
placed in storage at a weapons laboratory in Tennessee. The military and
intelligence officials overseeing Olympic Games borrowed some for what they
termed “destructive testing,” essentially building a virtual replica of Natanz,
but spreading the test over several of the Energy Department’s national
laboratories to keep even the most trusted nuclear workers from figuring out
what was afoot.
Those first small-scale tests were surprisingly successful: the bug invaded the
computers, lurking for days or weeks, before sending instructions to speed them
up or slow them down so suddenly that their delicate parts, spinning at
supersonic speeds, self-destructed. After several false starts, it worked. One
day, toward the end of Mr. Bush’s term, the rubble of a centrifuge was spread
out on the conference table in the Situation Room, proof of the potential power
of a cyberweapon. The worm was declared ready to test against the real target:
Iran’s underground enrichment plant.
“Previous cyberattacks had effects limited to other computers,” Michael V.
Hayden, the former chief of the C.I.A., said, declining to describe what he knew
of these attacks when he was in office. “This is the first attack of a major
nature in which a cyberattack was used to effect physical destruction,” rather
than just slow another computer, or hack into it to steal data.
“Somebody crossed the Rubicon,” he said.
Getting the worm into Natanz, however, was no easy trick. The United States and
Israel would have to rely on engineers, maintenance workers and others — both
spies and unwitting accomplices — with physical access to the plant. “That was
our holy grail,” one of the architects of the plan said. “It turns out there is
always an idiot around who doesn’t think much about the thumb drive in their
hand.”
In fact, thumb drives turned out to be critical in spreading the first variants
of the computer worm; later, more sophisticated methods were developed to
deliver the malicious code.
The first attacks were small, and when the centrifuges began spinning out of
control in 2008, the Iranians were mystified about the cause, according to
intercepts that the United States later picked up. “The thinking was that the
Iranians would blame bad parts, or bad engineering, or just incompetence,” one
of the architects of the early attack said.
The Iranians were confused partly because no two attacks were exactly alike.
Moreover, the code would lurk inside the plant for weeks, recording normal
operations; when it attacked, it sent signals to the Natanz control room
indicating that everything downstairs was operating normally. “This may have
been the most brilliant part of the code,” one American official said.
Later, word circulated through the International Atomic Energy Agency, the
Vienna-based nuclear watchdog, that the Iranians had grown so distrustful of
their own instruments that they had assigned people to sit in the plant and
radio back what they saw.
“The intent was that the failures should make them feel they were stupid, which
is what happened,” the participant in the attacks said. When a few centrifuges
failed, the Iranians would close down whole “stands” that linked 164 machines,
looking for signs of sabotage in all of them. “They overreacted,” one official
said. “We soon discovered they fired people.”
Imagery recovered by nuclear inspectors from cameras at Natanz — which the
nuclear agency uses to keep track of what happens between visits — showed the
results. There was some evidence of wreckage, but it was clear that the Iranians
had also carted away centrifuges that had previously appeared to be working
well.
But by the time Mr. Bush left office, no wholesale destruction had been
accomplished. Meeting with Mr. Obama in the White House days before his
inauguration, Mr. Bush urged him to preserve two classified programs, Olympic
Games and the drone program in Pakistan. Mr. Obama took Mr. Bush’s advice.
The Stuxnet Surprise
Mr. Obama came to office with an interest in cyberissues, but he had discussed
them during the campaign mostly in terms of threats to personal privacy and the
risks to infrastructure like the electrical grid and the air traffic control
system. He commissioned a major study on how to improve America’s defenses and
announced it with great fanfare in the East Room.
What he did not say then was that he was also learning the arts of cyberwar. The
architects of Olympic Games would meet him in the Situation Room, often with
what they called the “horse blanket,” a giant foldout schematic diagram of
Iran’s nuclear production facilities. Mr. Obama authorized the attacks to
continue, and every few weeks — certainly after a major attack — he would get
updates and authorize the next step. Sometimes it was a strike riskier and
bolder than what had been tried previously.
“From his first days in office, he was deep into every step in slowing the
Iranian program — the diplomacy, the sanctions, every major decision,” a senior
administration official said. “And it’s safe to say that whatever other activity
might have been under way was no exception to that rule.”
But the good luck did not last. In the summer of 2010, shortly after a new
variant of the worm had been sent into Natanz, it became clear that the worm,
which was never supposed to leave the Natanz machines, had broken free, like a
zoo animal that found the keys to the cage. It fell to Mr. Panetta and two other
crucial players in Olympic Games — General Cartwright, the vice chairman of the
Joint Chiefs of Staff, and Michael J. Morell, the deputy director of the C.I.A.
— to break the news to Mr. Obama and Mr. Biden.
An error in the code, they said, had led it to spread to an engineer’s computer
when it was hooked up to the centrifuges. When the engineer left Natanz and
connected the computer to the Internet, the American- and Israeli-made bug
failed to recognize that its environment had changed. It began replicating
itself all around the world. Suddenly, the code was exposed, though its intent
would not be clear, at least to ordinary computer users.
“We think there was a modification done by the Israelis,” one of the briefers
told the president, “and we don’t know if we were part of that activity.”
Mr. Obama, according to officials in the room, asked a series of questions,
fearful that the code could do damage outside the plant. The answers came back
in hedged terms. Mr. Biden fumed. “It’s got to be the Israelis,” he said. “They
went too far.”
In fact, both the Israelis and the Americans had been aiming for a particular
part of the centrifuge plant, a critical area whose loss, they had concluded,
would set the Iranians back considerably. It is unclear who introduced the
programming error.
The question facing Mr. Obama was whether the rest of Olympic Games was in
jeopardy, now that a variant of the bug was replicating itself “in the wild,”
where computer security experts can dissect it and figure out its purpose.
“I don’t think we have enough information,” Mr. Obama told the group that day,
according to the officials. But in the meantime, he ordered that the
cyberattacks continue. They were his best hope of disrupting the Iranian nuclear
program unless economic sanctions began to bite harder and reduced Iran’s oil
revenues.
Within a week, another version of the bug brought down just under 1,000
centrifuges. Olympic Games was still on.
A Weapon’s Uncertain Future
American cyberattacks are not limited to Iran, but the focus of attention, as
one administration official put it, “has been overwhelmingly on one country.”
There is no reason to believe that will remain the case for long. Some officials
question why the same techniques have not been used more aggressively against
North Korea. Others see chances to disrupt Chinese military plans, forces in
Syria on the way to suppress the uprising there, and Qaeda operations around the
world. “We’ve considered a lot more attacks than we have gone ahead with,” one
former intelligence official said.
Mr. Obama has repeatedly told his aides that there are risks to using — and
particularly to overusing — the weapon. In fact, no country’s infrastructure is
more dependent on computer systems, and thus more vulnerable to attack, than
that of the United States. It is only a matter of time, most experts believe,
before it becomes the target of the same kind of weapon that the Americans have
used, secretly, against Iran.
November 28, 2011
The New York Times
By ROGER COHEN
LONDON — The Obama administration has a doctrine. It’s called the doctrine of
silence. A radical shift from President Bush’s war on terror, it has never been
set out to the American people. There has seldom been so big a change in
approach to U.S. strategic policy with so little explanation.
I approve of the shift even as it makes me uneasy. One day, I suspect, there may
be payback for this policy and this silence. President Obama has gone
undercover.
You have to figure that one day somebody sitting in Tehran or Islamabad or Sana
is going to wake up and say: “Hey, this guy Obama, he went to war in our country
but just forgot to mention the fact. Should we perhaps go to war in his?”
In Iran, a big explosion at a military base near Tehran recently killed Gen.
Hassan Tehrani Moghaddam, a central figure in the country’s long-range missile
program. Nuclear scientists have perished in the streets of Tehran. The Stuxnet
computer worm has wreaked havoc with the Iranian nuclear facilities.
It would take tremendous naïveté to believe these events are not the result of a
covert American-Israeli drive to sabotage Iran’s efforts to develop a military
nuclear capacity. An intense, well-funded cyberwar against Tehran is ongoing.
Simmering Pakistani anger over a wave of drone attacks authorized by Obama has
erupted into outright rage with the death of at least 25 Pakistani soldiers in a
NATO attack on two military outposts near the Afghan border.
The Pakistani government has ordered the Central Intelligence Agency to end
drone operations it runs from a base in western Pakistan within 15 days. Drone
attacks have become the coin of Obama’s realm. They have killed twice as many
suspected Taliban and Al Qaeda members as were ever imprisoned in Guantánamo.
One such drone attack, of course, killed an American citizen, the Al Qaeda
propagandist Anwar al-Awlaki, in Yemen a few weeks ago.
The U.S. government says precious little about these new ways of fighting
enemies. But the strategic volte-face is clear: America has decided that
conventional wars of uncertain outcome in Iraq and Afghanistan that may,
according to a Brown University study, end up costing at least $3.7 trillion are
a bad way to fight terrorists and that far cheaper, more precise tools for
eliminating enemies are preferable — even if the legality of those killings is
debatable.
The American case for legality rests on the 2001 Authorization for Use of
Military Force act, which allows the president to use “all necessary and
appropriate force” against persons, organizations or nations linked to the 9/11
attack, and on various interpretations of the right to self-defense under
international law.
But killing an American citizen raises particular constitutional concerns; just
how legal the drone attacks are remains a vexed question. And Iran had no part
in 9/11.
In general, it’s hard to resist the impression of a tilt toward the
extrajudicial in U.S. foreign policy — a kind of “Likudization” of the approach
to dealing with enemies. Israel has never hesitated to kill foes with blood on
their hands wherever they are.
This is a development about which no American can feel entirely comfortable.
So why do I approve of all this? Because the alternative — the immense cost in
blood and treasure and reputation of the Bush administration’s war on terror —
was so appalling. In just the same way, the results of a conventional bombing
war against Iran would be appalling, whether undertaken by Israel, the United
States or a combination of the two.
Political choices often have to be made between two unappealing options. Obama
has done just that. He has gone covert — and made the right call.
So why am I uneasy? Because these legally borderline, undercover options —
cyberwar, drone killings, executions and strange explosions at military bases —
invite repayment in kind, undermine the American commitment to the rule of law,
and make allies uneasy.
Obama could have done more in the realm of explanation. Of course he does not
want to say much about secret operations. Still, as the U.S. military prepares
to depart from Iraq (leaving a handful of embassy guards), and the war in
Afghanistan enters its last act, he owes the American people, U.S. allies and
the world a speech that sets out why America will not again embark on this kind
of inconclusive war and has instead adopted a new doctrine that has replaced
fighting terror with killing terrorists. (He might also explain why Guantánamo
is still open.)
Just because it’s impossible to talk about some operations undertaken within
this doctrine does not mean the entire doctrine can remain cloaked in silence.
Foreign policy has been Obama’s strongest suit. He deserves great credit for
killing Osama bin Laden, acting for the liberation of Libya, getting behind the
Arab quest for freedom, winding down the war in Iraq, dealing repeated blows to
Al Qaeda and restoring America’s battered image.
But the doctrine of silence is a failing with links to his overarching failure
on the economy: it betrays a presidential reticence, coolness and aloofness that
leave Americans uncomfortable.
June 13, 2009
The New York Times
By THOM SHANKER and DAVID E. SANGER
WASHINGTON — A plan to create a new Pentagon cybercommand is raising
significant privacy and diplomatic concerns, as the Obama administration moves
ahead on efforts to protect the nation from cyberattack and to prepare for
possible offensive operations against adversaries’ computer networks.
President Obama has said that the new cyberdefense strategy he unveiled last
month will provide protections for personal privacy and civil liberties. But
senior Pentagon and military officials say that Mr. Obama’s assurances may be
challenging to guarantee in practice, particularly in trying to monitor the
thousands of daily attacks on security systems in the United States that have
set off a race to develop better cyberweapons.
Much of the new military command’s work is expected to be carried out by the
National Security Agency, whose role in intercepting the domestic end of
international calls and e-mail messages after the Sept. 11, 2001, attacks, under
secret orders issued by the Bush administration, has already generated intense
controversy.
There is simply no way, the officials say, to effectively conduct computer
operations without entering networks inside the United States, where the
military is prohibited from operating, or traveling electronic paths through
countries that are not themselves American targets.
The cybersecurity effort, Mr. Obama said at the White House last month, “will
not — I repeat, will not — include monitoring private sector networks or
Internet traffic.”
But foreign adversaries often mount their attacks through computer network hubs
inside the United States, and military officials and outside experts say that
threat confronts the Pentagon and the administration with difficult questions.
Military officials say there may be a need to intercept and examine some e-mail
messages sent from other countries to guard against computer viruses or
potential terrorist action. Advocates say the process could ultimately be
accepted as the digital equivalent of customs inspections, in which passengers
arriving from overseas consent to have their luggage opened for security, tax
and health reasons.
“The government is in a quandary,” said Maren Leed, a defense expert at the
bipartisan Center for Strategic and International Studies who was a Pentagon
special assistant on cyberoperations from 2005 to 2008.
Ms. Leed said a broad debate was needed “about what constitutes an intrusion
that violates privacy and, at the other extreme, what is an intrusion that may
be acceptable in the face of an act of war.”
In a recent speech, Gen. James E. Cartwright, vice chairman of the Joint Chiefs
of Staff and a chief architect of the new cyberstrategy, acknowledged that a
major unresolved issue was how the military — which would include the National
Security Agency, where much of the cyberwar expertise resides — could legally
set up an early warning system.
Unlike a missile attack, which would show up on the Pentagon’s screens long
before reaching American territory, a cyberattack may be visible only after it
has been launched in the United States.
“How do you understand sovereignty in the cyberdomain?” General Cartwright
asked. “It doesn’t tend to pay a lot of attention to geographic boundaries.”
For example, the daily attacks on the Pentagon’s own computer systems, or probes
sent from Russia, China and Eastern Europe seeking chinks in the computer
systems of corporations and financial institutions, are rarely seen before their
effect is felt inside the United States.
Some administration officials have begun to discuss whether laws or regulations
must be changed to allow law enforcement, the military or intelligence agencies
greater access to networks or Internet providers when significant evidence of a
national security threat was found.
Ms. Leed said that while the Defense Department and related intelligence
agencies were the only organizations that had the ability to protect against
such cyberattacks, “they are not the best suited, from a civil liberties
perspective, to take on that responsibility.”
Under plans being completed at the Pentagon, the new cybercommand will be run by
a four-star general, much the way Gen. David H. Petraeus runs the wars in
Afghanistan and Iraq from Central Command in Tampa, Fla. But the expectation is
that whoever is in charge of the new command will also direct the National
Security Agency, an effort to solve the turf war between the spy agency and the
military over who is in charge of conducting offensive operations.
While the N.S.A.’s job is chiefly one of detection and monitoring, the agency
also possesses what Michael D. McConnell, the former director of national
intelligence, called “the critical skill set” to respond quickly to
cyberattacks. Yet the Defense Department views cyberspace as its domain as well,
a new battleground after land, sea, air and space.
The complications are not limited to privacy concerns. The Pentagon is
increasingly worried about the diplomatic ramifications of being forced to use
the computer networks of many other nations while carrying out digital missions
— the computer equivalent of the Vietnam War’s spilling over the Cambodian
border in the 1960s. To battle Russian hackers, for example, it might be
necessary to act through the virtual cyberterritory of Britain or Germany or any
country where the attack was routed.
General Cartwright said military planners were trying to write rules of
engagement for scenarios in which a cyberattack was launched from a neutral
country that might have no idea what was going on. But, with time of the
essence, it may not be possible, the scenarios show, to ask other nations to act
against an attack that is flowing through their computers in milliseconds.
“If I pass through your country, do I have to talk to the ambassador?” General
Cartwright said. “It is very difficult. Those are the questions that are now
really starting to emerge vis-à-vis cyber.”
Frida Berrigan, a longtime peace activist who is a senior program associate at
the New America Foundation’s arms and security initiative, expressed concerns
about whether the Obama administration would be able to balance its promise to
respect privacy in cyberspace even as it appeared to be militarizing
cybersecurity.
“Obama was very deliberate in saying that the U.S. military and the U.S.
government would not be looking at our e-mail and not tracking what we do
online,” Ms. Berrigan said. “This is not to say there is not a cyberthreat out
there or that cyberterrorism is not a significant concern. We should be vigilant
and creative. But once again we see the Pentagon being put at the heart of it
and at front lines of offering a solution.”
Ms. Berrigan said that just as the counterinsurgency wars in Iraq and
Afghanistan had proved that “there is no front line anymore, and no
demilitarized zone anymore, then if the Pentagon and the military services see
cyberspace as a battlefield domain, then the lines protecting privacy and our
civil liberties get blurred very, very quickly.”
WASHINGTON (AP) -- The U.S. military must reorganize its offensive and
defensive cyber operations and will use a new command at a Maryland Army
facility to create a digital warfare force for the future, the director of the
National Security Agency says.
Lt. Gen. Keith Alexander, also the Pentagon's leading cyber warfare commander,
said the U.S. is determined to lead the global effort to use computer technology
to deter or defeat enemies, while still protecting the public's constitutional
rights.
In testimony prepared for delivery Tuesday to a House Armed Services
subcommittee, Alexander and other military leaders in cyber matters outlined the
challenges to keeping up with rapidly changing technologies and the need for
more resources and training. In blunt comments, Alexander acknowledged that
cyber training for the Pentagon's work force is inadequate and must be improved.
In separate prepared testimony, Lt. Gen. William Shelton, the Air Force's chief
of warfighting integration, said the Pentagon relies heavily on industry efforts
to respond to cyber threats. That approach, he said, does not keep pace with the
threat.
The testimony comes as the Obama administration prepares to release its review
of the nation's cybersecurity, and on the heels of a critical report by the
National Research Council. The independent group's report concluded that the
government's policies on how and when to wage cyber warfare are ill-formed, lack
adequate oversight and require a broad public debate.
Alexander said the military's new cyber command at Fort Meade, Md., will be a
sub-unit of U.S. Strategic Command, and would be designed to "defend vital
networks and project power in cyberspace."
Defense Department networks are probed repeatedly every day and the number of
intrusion attempts has more than doubled recently, officials have said.
Military leaders said earlier this month that the Pentagon spent more than $100
million in the past six months responding to and repairing damage from cyber
attacks and other computer network problems.
(Bernd Debusmann is a Reuters columnist.
The opinions expressed are his own)
WASHINGTON (Reuters) - At the height of the Cold War, a Soviet oil pipeline blew
up in an explosion so huge that the American military suspected a nuclear blast.
A quarter of a century later, the incident serves as an object lesson in
successful cyber warfare.
The pipeline blew up, with disastrous consequences for the Soviet economy,
because its pumps, valves and turbines were run by software deliberately
designed to malfunction. Made in the U.S. and doctored by the CIA, it passed
into Soviet hands in an elaborate game of deception that left them unaware they
had acquired "bugged" software.
"The pipeline software...was programmed to go haywire, after a decent interval,
to reset pump speeds and valve settings to produce pressures far beyond those
acceptable to pipeline joints and welds. The result was the most monumental
non-nuclear explosion ever seen from space," Thomas C. Reed, a former air force
secretary, wrote in his 2004 memoir.
The pipeline explosion was probably the first major salvo in what has since
become known as cyber warfare. The incident has been cropping up in increasingly
urgent discussions in the U.S. on how to cope with attacks on military and
civilian computer networks and control systems - and how and when to strike
back.
Air traffic control, power plants, Wall Street trading systems, banks, traffic
lights and emergency responder communications could all be targets of attacks
that could bring the U.S. to its knees. As Michael McConnell, the Director of
National Intelligence, put it in recent testimony to a Senate committee:
"Our information infrastructure - including the Internet, telecommunications
networks, computer systems and embedded processors and controllers in critical
industries - increasingly is being targeted...by a growing array of state and
non-state adversaries." Cyber attacks, he said, had grown more sophisticated and
more serious.
The Pentagon says it detects three million attempts to infiltrate its computer
networks every day. There are no estimates of how many probes are successful but
last year the Pentagon had to take 1,500 computers off line because of a
concerted attack from unknown hackers.
POOR SECURITY, DEVASTATING CONSEQUENCES
How tight are the U.S. government's defenses? Not very, according to the
Government Accountability Office, the audit and investigative arm of the U.S.
Congress. In a report last week, it said an audit of 24 government agencies -
including Defense and Homeland Security - had shown that "poor information
security is a widespread problem with potentially devastating consequences."
Striking back at cyber attackers poses a raft of tricky questions, chiefly
because cyber war cannot be waged without involving civilians. Private companies
own more than 80 percent of the infrastructure McConnell talked about and
without close public-private coordination, effective counter-strikes are next to
impossible.
"Unlike traditional defense categories (i.e. land, sea and air), the military
capabilities required to respond to an attack on U.S. infrastructure will
necessarily involve infrastructure owned and operated by the private sector,"
according to Jody R. Westby, CEO of the Washington consulting firm Global Cyber
Risk and a champion of better public-private coordination to cope with cyber
attacks. (http://www.globalcyberrisk.com/Pubs_psc.htm)
Coordination between the military and civilians has yet to be tested. The
military stayed away from an exercise this month that brought together experts
from the U.S., Canada, Britain, New Zealand and Australia, 18 U.S. federal
agencies and around 40 companies, including Microsoft and Cisco Systems. The
game featured mock attacks against computer networks, pipelines and railroads.
(The exercise was described as the biggest of its kind. But "big" is relative.
To get the scale into perspective: There are 233 countries connected to the
Internet today, with an estimated 1.2 billion users. More than 120 countries are
estimated to be developing cyber warfare capabilities).
As things stand, could the U.S. or its allies become victims of an attack similar
to the Soviet pipeline blast? Probably yes. The threat comes from China, which
has been placing heavy emphasis on what it calls "informationized war," and a
motley array of hackers and terrorists.
Among the most potent weapons in their arsenal: "bots," malicious software
robots that are the digital equivalent of terrorist sleeper cells that lie
dormant for months or years before springing into destructive action. In
testimony to Congress, Homeland Security's top scientist on cyber security, W.
Douglas Maughan, has said that there is currently no effective antidote to bots.
BLEAK SCENARIO
How much damage could they do? Here is a scenario drawn from an interview with
Westby, who is a member of the World Federation of Scientists' Permanent
Monitoring Panel on Information Security. Her outline is based on the assumption
that China has already implanted bots in millions of public and private computer
systems.
"Bot herders" around the world unleash their malicious software bots to attack
U.S. government, financial, oil and gas systems. One early victim: the U.S.
Department of Commerce, which loses all communications because its internet and
telephone communications use Voice over Internet Protocol networks. That means
if the Internet goes down, all communications go down.
As Commerce is cut off, the U.S. collection point for inter-bank financial
transactions discovers that bogus data are being inserted from both the sending
and confirming side of the SWIFT (Society for Worldwide Interbank Financial
Telecommunication) system. Chaos ensues in financial markets.
The New York Stock Exchange shuts down after massive "denial of service" attacks
similar to those that last year forced Estonia to close down websites run by
government ministries, banks and telecommunications companies.
At the same time, systems controlling the valves of oil and gas pipelines come
under attack as bogus instructions override system controls and false data is
sent to control room screens. The pipelines are shut. Some explode. There are
casualties.
The government decides it must block the malicious traffic and come to the
assistance of the financial, gas and oil companies under cyber attack. This
involves deploying classified solutions and counter attacks through the networks
of various U.S. communication providers.
The problem: There is no agreement between the Pentagon and the private sector
on transferring private networks to military control. Owners are reluctant to
turn over their systems to the military for fear their networks and their
reputation might be damaged as a result of cyber war actions not under their
control. The problem could be solved by the government declaring martial law, a
step it is hesitant to take.
And what about the foreign-owned networks that would have to be used to launch
an effective counter attack? Does the U.S. have to ask permission before sending
cyber war actions across foreign networks? Would NATO have to be involved? (The
50-year-old treaty does not cover cyber warfare). Should the U.N. charter be
amended to apply to cyber war rather than only "armed attacks?"
These are all questions that require urgent answers if the U.S., more dependent
on computers and the Internet than most countries, wants to protect what a
writer in the latest issue of the Armed Forces Journal aptly describes as
"America's digital Achilles' heel."