
The Bankrupt Attribution of WannaCry

I’ve been puzzling through this briefing, purportedly attributing the WannaCry hack to North Korea, which followed last night’s Axis of CyberEvil op-ed (here’s the text). The presser was … perhaps even more puzzling than the Axis of CyberEvil op-ed.

Unlike the op-ed, Homeland Security Czar Tom Bossert provided hints about how the government came to attribute this attack.

Bossert makes much of the fact that the Five Eyes plus Japan all agree on this.

We do so with evidence, and we do so with partners.

Other governments and private companies agree.  The United Kingdom, Australia, Canada, New Zealand, and Japan have seen our analysis, and they join us in denouncing North Korea for WannaCry.

He also points to the Microsoft and (unnamed — because it’d be downright awkward to name Kaspersky in the same briefing where you attack them as a cybersecurity target) security consultant attributions from months ago.

Commercial partners have also acted.  Microsoft traced the attack to cyber affiliates of the North Korean government, and others in the security community have contributed their analysis.

Here are the specific things he says about how the US, independent of Microsoft and villains like Kaspersky, made an attribution.

What we did was, rely on — and some of it I can’t share, unfortunately — technical links to previously identified North Korean cyber tools, tradecraft, operational infrastructure.  We had to examine a lot.  And we had to put it together in a way that allowed us to make a confident attribution.

[snip]

[I]t’s a little tradecraft, to get to your second question.  It’s hard to find that smoking gun, but what we’ve done here is combined a series of behaviors.  We’ve got analysts all over the world, but also deep and experienced analysts within our intelligence community that looked at not only the operational infrastructure, but also the tradecraft and the routine and the behaviors that we’ve seen demonstrated in past attacks.  And so you have to apply some gumshoe work here, not just some code analysis.

Nevertheless, Bossert alludes to people launching this attack from “keyboards all over the world,” but says because these “intermediaries … had carried out those types of attacks on behalf of the North Korean government in the past,” they were confident in the attribution.

People operating keyboards all over the world on behalf of a North Korean actor can be launching from places that are not in North Korea.  And so that’s one of the challenges behind cyber attribution.

[snip]

[T]here were actors on their behalf, intermediaries, carrying out this attack, and that they had carried out those types of attacks on behalf of the North Korean government in the past.  And that was one of the tradecraft routines that allowed us to reach that conclusion.

Taking credit for stuff the private sector did

In his prewritten statement, Bossert provides one explanation for the timing of all this. One of the reasons the US is attributing the WannaCry attack now — aside from the need to gin up war with North Korea — is that Facebook and Microsoft, “acting on their own initiative last week,” took action against North Korean targets.

We applaud our corporate partners, Microsoft and Facebook especially, for acting on their own initiative last week without any direction by the U.S. government or coordination to disrupt the activities of North Korean hackers.  Microsoft acted before the attack in ways that spared many U.S. targets.

Last week, Microsoft and Facebook and other major tech companies acted to disable a number of North Korean cyber exploits and disrupt their operations as the North Koreans were still infecting computers across the globe.  They shut down accounts the North Korean regime hackers used to launch attacks and patched systems.

Yet even while acknowledging that Microsoft and Facebook are busy keeping the US safe, he demands that the private sector … keep us safe.

We call today — I call today, and the President calls today, on the private sector to increase its accountability in the cyber realm by taking actions that deny North Korea and the bad actors the ability to launch reckless and disruptive cyber acts.

Golly, how do you think the US avoided damage from the attack based on US tools so well?

Then Bossert invites Assistant Secretary for Cybersecurity and Communications at DHS Jeanette Manfra to explain not how the US attributed this attack (the ostensible point of this presser), but how the US magically avoided getting slammed — by an attack based on US tools — as badly as other countries did.

By midafternoon, I had all of the major Internet service providers either on the phone or on our watch floor sharing information with us about what they were seeing globally and in the United States.  We partnered with the Department of Health and Human Services to reach out to hospitals across the country to offer assistance.  We engaged with federal CIOs across our government to ensure that our systems were not vulnerable.  I asked for assistance from our partners in the IT and cybersecurity industry.  And by 9:00 p.m. that night, I had over 30 companies represented on calls, many of whom offered us analytical assistance throughout the weekend.

By working closely with these companies and the FBI throughout that night, we were able to issue a technical alert, publicly, that would assist defenders with defeating this malware.  We stayed on alert all weekend but were largely able to escape the impacts here in this country that other countries experienced.

Managing to avoid getting slammed by an attack that the US had far more warning of (because it would have recognized the exploit and had 96 days to prepare) is proof, Manfra argues, of our preparation to respond to attacks we didn’t write the exploit for.

[T]he WannaCry attack demonstrated our national capability to effectively operate and respond.

Ix-Nay on the AdowBrokers-Shay

Which brings us to the dramatic climax of this entire presser, where Tom Bossert plays dumb about the fact that this attack exploited an NSA exploit. In his first attempt to deflect this question, Bossert tried to distinguish between vulnerabilities and the exploits NSA wrote for them.

Q    Had they not been able to take advantage of the vulnerabilities that got published in the Shadow Brokers website, do you think that would have made a significant difference in their ability to carry out the attack?

MR. BOSSERT:  Yeah.  So I think what Dave is alluding to here is that vulnerabilities exist in software.  They’re not — almost never designed on purpose.  Software producers are making a product, and they’re selling it for a purpose.

Pretending a vulnerability is the same thing as an exploit, Bossert pointed to the (more visible but still largely the same) Vulnerabilities Exploit Process Trump has instituted.

When we find vulnerabilities, the United States government, we generally identify them and tell the companies so they can patch them.

In this particular case, I’m fairly proud of that process, so I’d like to elaborate.  Under this President’s leadership and under the leadership of Rob Joyce, who’s serving as my deputy now and the cybersecurity coordinator, we have led the most transparent Vulnerabilities Equities Process in the world.

Hey, by the way, why isn’t Rob Joyce at this presser so the person in government best able to protect against cyber attacks can answer questions?

Oh, never mind; let’s continue with this VEP thing.

And what that means is the United States government finds vulnerabilities in software, routinely, and then, at a rate of almost 90 percent, reveals those.  They could be useful tools for us to then exploit for our own national security benefit.  But instead, what we choose to do is share those back with the companies so that they can patch and increase the collective defense of the country.  It’s not fair for us to keep those exploits while people sit vulnerable to those totalitarian regimes that are going to bring harm to them.

So, in this particular case, I’m proud of the VEP program.  And I’d go one step deeper for you:  Those vulnerabilities that we do keep, we keep for very specific purposes so that we can increase our national security.  And we use them for very specific purposes only tailored to our perceived threats.  I think that they’re used very carefully.  They need to be protected in such a way that we don’t leak them out and so that bad people can get them.  That has happened, unfortunately, in the past.

Hell! Let’s go for broke. Let’s turn the risk that someone can steal our toys and set off a global worm into the promise that we’ll warn people they’ve been hacked.

But one level even deeper.  When we do use those vulnerabilities to develop exploits for the purpose of national security for the classified work that we do, we sometimes find evidence of bad behavior.  Sometimes it allows us to attribute bad actions.  Other times it allows us to privately call — and we’re doing this on a regular basis, and we’re doing it better and in a more routine fashion as this administration advances — we’re able to call targets that aren’t subject to big rollouts.  We’re able to call companies, and we’re able to say to them, “We believe that you’ve been hacked.  You need to take immediate action.”  It works well; we need to get better at doing that.  And I think that allows us to save a lot of time and money.

We’re not broke yet, though! When Bossert was again asked whether WannaCry was based off a US tool, he tried to argue the only tool involved was the final WannaCry one, not the underlying NSA exploit.

Q    So you talked about the 90 percent of times when you guys share information back with companies rather than exploit those vulnerabilities.  Was this one of the 10 percent that you guys had held onto?

MR. BOSSERT:  So I think there’s a case to be made for the tool that was used here being cobbled together from a number of different sources.  But the vulnerability that was exploited — the exploit developed by the culpable party here — is the tool, the bad tool.

This soon descends into full-on Sergeant Schultz.

I don’t know what they got and where they got it, but they certainly had a number of things cobbled together in a pretty complicated, intentional tool meant to cause harm that they didn’t entirely create themselves.

MalwareTech took a risk doing what he always does [er, did, before the US government kidnapped him] with malware?

Then there’s a weird bit — one of those Bossert moments (like when he said WannaCry was spread by phishing) that makes me think he doesn’t know what he’s talking about. When asked if this North Korean attribution changed the government’s intent to prosecute MalwareTech (Marcus Hutchins), Bossert dodged that tricksy question (the answer is, yes, the prosecution is still on track to go to trial next year) but then claimed that Hutchins “took a risk” doing something he has repeatedly said he always does when responding to malware.

I can’t comment on the ongoing criminal prosecution or judicial proceedings there.  But I will note that, to some degree, we got lucky.  In a lot of ways, in the United States we were well-prepared.  So it wasn’t luck — it was preparation, it was partnership with private companies, and so forth.  But we also had a programmer that was sophisticated, that noticed a glitch in the malware, a kill-switch, and then acted to kill it.  He took a risk, it worked, and it caused a lot of benefit.  So we’ll give him that.  Next time, we’re not going to get so lucky.

After dodging the issue of why the government is prosecuting the guy whose “luck” Bossert acknowledges saved the world, he has the gall to say — in the very next breath!! — that we need to do the kind of information sharing that Hutchins’ prosecution disincentivizes.

So what we’re calling on here today is an increased partnership, an increased rapidity in routine speed of sharing information so that we can prevent patient zero from being patient 150.

Whatever you do, don’t follow the lack of money

All that was bad enough. But then things really went off the rails when a journalist asked what one of the poorest countries on earth — a country with a severe shortage of exchangeable currency — did with the money obtained in this ransomware attack.

Q    Tom, the purpose of ransomware is to raise money.  So do you have a sense now of exactly how much money the North Koreans raised as a result of this?  And do you have any idea what they did with the money?  Did it go to fund the nuclear program?  Did it go just to the regime for its own benefit?  Or where did that money go?

MR. BOSSERT:  Yeah, it’s interesting.  There’s two conundrums here.  First, we don’t really know how much money they raised, but they didn’t seem to architect it in the way that a smart ransomware architect would do.  They didn’t want to get a lot of money out of this.  If they did, they would have opened computers if you paid.  Once word got out that paying didn’t unlock your computer, the payment stopped.

And so I think that, in this case, this was a reckless attack and it was meant to cause havoc and destruction.  The money was an ancillary side benefit.  I don’t think they got a lot of it.

Wow. A couple of things here. First, about one of the poorest countries in the world, Bossert said with a straight face: “They didn’t want to get a lot of money out of this.”

He has to do that, because he has just said, “They’ve got some smart programmers.” So he has to treat the attack, as implemented, as the attack that the perpetrators wanted. That apparently doesn’t mean he feels bound to offer some explanation for why North Korea would forgo the money that their smart programmers could have earned. He never offers one, and without it you have zero credible attribution.

Still nuttier, at one level it cannot be true that “we don’t know how much money they raised.” Later in his presser he claims, “cryptocurrency might be difficult to track” and suggests the government only learned about how little they were making because, “targets seem to have reported to us, by and large, that they mostly didn’t pay. … So we were able to track the behavior of the targets in that case.”

Um. No. It was very public! We watched WannaCry’s perps collect $144,000 via the @Actual_ransom account, and we watched the account be cashed out in the immediate wake of the aforementioned MalwareTech arrest (as Hutchins noted, making it look like he had absconded with his Bitcoin rather than gotten arrested by the FBI).  That, too, is a detail that Bossert would have needed to address for this to be a marginally credible press conference.

But wait! There’s more! We also know that as soon as WannaCry’s perps publicly cashed out, Shapeshift blacklisted all its known accounts, making it impossible for WannaCry to launder the money, and adding still more transparency to the process. Which means Bossert should know well the answer to the question “how much did North Korea (or whatever perp) make off this?” is, zero. None. Because their money got cut off in the laundering process. (For some reason, Bossert gave Shapeshift zero credit here, which raises further questions I might return to at a later date.) Either attribution includes details about this process or … it’s not credible.

Bossert’s backflips to pretend Trump isn’t treating North Korea differently than Russia

Now, all this is before you get into the gymnastics Bossert performed to pretend that Trump isn’t treating North Korea — against whom this attribution will serve as justification for war — differently than Russia. After being asked about it, Bossert claimed,

President Trump not only continued the national emergency for cybersecurity, but he did so himself and sanctioned the Russians involved in the hacks of last year.

His effort to conflate last year’s hack-related sanctions with the sanctions imposed by Congress but not fully implemented looked really pathetic.

Q    Have all the sanctions been implemented?

MR. BOSSERT:  This was — yeah, this was the Continuation of the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities.  President Trump continued that national emergency, pursuant to the International Emergency Economic Powers Act, to deal with the “unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”

Pivoting to one of the most important private companies

Immediately after which, perhaps in an act of desperation, Bossert pivoted to Kaspersky, one of the most important security firms in unpacking WannaCry and therefore utterly central to any claim the answer to cyberattacks is to share between the private and public sector. Bossert said this to defend the claim that the Trump administration is taking Russian threats seriously.

Now, look, in addition, if that’s not making people comfortable, this year we acted to remove Kaspersky from all of our federal networks.  We did so because having a company that can report back information to the Russian government constituted a risk unacceptable to our federal networks.

And then — in the same press conference where Bossert hailed cooperation, including with private security firms like Kaspersky, he boasted about how “in the spirit of cooperation” the US has gotten “providers, sellers, retail stores” to ban one of the firms that was critical in analyzing and minimizing the WannaCry impact.

In the spirit of cooperation, which is the second pillar of our strategy — accountability being one, cooperation being the second — we’ve had providers, sellers, retail stores follow suit.  And we’ve had other private companies and other foreign governments also follow suit with that action.

In case you’re counting, he has boasted about cooperation in the same breath as speaking of both MalwareTech and Kaspersky.

Whatever. From this we’re supposed to conclude that we should go to war against North Korea and their non-NK keyboarders the world over, and that the way to defend ourselves against them is to simultaneously demand “cooperation” even while treating two of the most important entities that minimized the threat of WannaCry as outlaws.

The Special Sanger Cyber Unicorn: Iran Warmonger Edition

I noted earlier that the reporting on the US not imposing cybersanctions on China appears to have credulously served its purpose in creating a narrative that may have helped create the environment for some kind of deal with China.

NYT’s David Sanger did his own version of that story which deserves special focus because it is so full of nonsense — and nonsense that targets Iran, not China.

Sanger starts his tale by quoting, out of context, something President Obama said at Fort Meade over the weekend. In response to a question about the direction of cybersecurity in the next 5-10 years, Obama spoke generally about both state and non-state actors.

Q Good afternoon, Mr. President. You alluded to in your opening remarks the threat that cyber currently is. And there’s been a lot of talk within the DOD and cyber community of the possibility of a separate branch of the military dedicated to cyber. I was wondering where you see cyber in the next five to ten years.

THE PRESIDENT: Well, it’s a great question. We initiated Cyber Command, anticipating that this is going to be a new theater for potential conflict. And what we’ve seen by both state and non-state actors is the increasing sophistication of hacking, the ability to penetrate systems that we previously thought would be secure. And it is moving fast. So, offense is moving a lot faster than defense.

Part of this has to do with the way the Internet was originally designed. It was not designed with the expectation that there would end up being three or four or five billion people doing commercial transactions, et cetera. It was thought this was just going to be an academic network to share papers and formulas and whatnot. And so the architecture of the Internet makes it very difficult to defend consistently.

We continue to be the best in the world at understanding and working within cyber. But other countries have caught up. The Russians are good. The Chinese are good. The Iranians are good. And you’ve got non-state hackers who are excellent. And unlike traditional conflicts and aggression, oftentimes we don’t have a return address. If somebody hacks into a system and goes after critical infrastructure, for example, or penetrates our financial systems, we can’t necessarily trace it directly to that state or that actor. That makes it more difficult as well. [my emphasis]

Sanger excised all reference to “excellent” non-state hackers, and instead made this a comment about hacking by state actors.

“Offense is moving a lot faster than defense,” Mr. Obama told troops on Friday at Fort Meade, Md., home of the National Security Agency and the United States Cyber Command. “The Russians are good. The Chinese are good. The Iranians are good.” The problem, he said, was that despite improvements in tracking down the sources of attacks, “we can’t necessarily trace it directly to that state,” making it hard to strike back.

Sanger then took this comment, very specifically directed at the upcoming Xi visit and China,

And this is something that we’re just at the infancy of.  Ultimately, one of the solutions we’re going to have to come up with is to craft agreements among at least state actors about what’s acceptable and what’s not.  And so, for example, I’m going to be getting a visit from President Xi of China, a state visit here coming up in a couple of weeks.  We’ve made very clear to the Chinese that there are certain practices that they’re engaging in that we know are emanating from China and are not acceptable.  And we can choose to make this an area of competition — which I guarantee you we’ll win if we have to — or, alternatively, we can come to an agreement in which we say, this isn’t helping anybody; let’s instead try to have some basic rules of the road in terms of how we operate.

and suggested it was directed at other states more generally.

Then he issued a warning: “There comes a point at which we consider this a core national security threat.” If China and other nations cannot figure out the boundaries of what is acceptable, “we can choose to make this an area of competition, which I guarantee you we’ll win if we have to.”

Sanger then spends six paragraphs talking about how hard a time Obama is having “deterring” cyberattacks, even while reporting that China and the US have forged some kind of deal that would establish norms that are different from deterrence but might diminish attacks. He also, rather curiously, talks (again) about “unprecedented” theft of personal information in the OPM hack that we need to deter — even though James Clapper has repeatedly said publicly that we do the same thing (and by some measures, on a much bigger scale).


Amano, Sanger Still Trying to Disrupt P5+1 Deal With Iran

Monday is the deadline set by the P5+1 group of nations and Iran for achieving a final agreement on steps to assure the world that Iran’s nuclear program is only aimed at the civilian uses of producing electricity and providing isotopes for medical use. With that deadline rapidly approaching, those who take a more hawkish view toward Iran and wish to see no agreement are doing their best to disrupt the negotiations as they enter the home stretch toward an agreement or another extension of the interim agreement, which is now nearing a year old and under which Iran has met all of its obligations.

A primary tool used by those who prefer war with Iran over diplomacy is Yukiya Amano, the Director General of the International Atomic Energy Agency. Keeping right on schedule, Amano has interjected himself into the story on the final-stage P5+1 talks (in which IAEA has no role), and one of his chief transcribers, Fredrik Dahl of Reuters, has fulfilled his usual role of providing an outlet for those wishing to disrupt a deal. Today’s emission from Amano [Note: During the time that this post was being written, Reuters changed the Fredrik Dahl piece that is being referenced. Here is an upload of the version of the story as it appeared with an 8:09 am Eastern time stamp. Usually, Reuters just sends new stories out with new URLs, but the URL under which the 8:09 version loaded for me now loads a 10:09 story by different reporters discussing a likely extension of negotiations to March.]:

Iran has yet to explain suspected atomic bomb research to the U.N. nuclear agency, its head said on Thursday, just four days before a deadline for a comprehensive deal between Iran and six world powers to end the 12-year-old controversy.

After nearly a year of difficult diplomacy, Washington is pushing for agreement on at least the outline of a future accord and U.S. Secretary of State John Kerry will attend talks with Iran, France, Germany, Britain, Russia and China on Friday.

But Yukiya Amano, director general of the International Atomic Energy Agency, made clear it was far from satisfied, saying it was not in a position to provide “credible assurance” Iran had no undeclared nuclear material and activities.

It comes as no surprise that Amano would try to disrupt the talks at such a critical juncture. Recall that he replaced Nobel Peace Prize winner Mohammad elBaradei in 2009. Amano laid low for a while, but in 2011 came out swinging against Iran. I noted at that time that, by moving in such a politically motivated way, Amano was doing huge damage to the credibility of the IAEA after its terrific work under elBaradei.

Amano was carefully chosen and groomed for his role at IAEA.

Wikileaks documents revealed in 2010 showed how Amano assured US “diplomats” that he would be solidly in the US camp when it came to pursuing charges against Iran’s nuclear program:

Amano reminded [the] ambassador on several occasions that he would need to make concessions to the G-77 [the developing countries group], which correctly required him to be fair-minded and independent, but that he was solidly in the U.S. court on every key strategic decision, from high-level personnel appointments to the handling of Iran’s alleged nuclear weapons program.

More candidly, Amano noted the importance of maintaining a certain “constructive ambiguity” about his plans, at least until he took over for DG ElBaradei in December.

And what of these “possible military dimensions” of Iran’s nuclear work that Amano is holding against Iran? They are based on a total fabrication known as the laptop of death. Further, IAEA is not structured or staffed in a way that makes it the appropriate vehicle for determining whether work in Iran is weapons-related. It is, however, built for monitoring and accounting for enrichment of uranium, and there it has found that Iran has diverted no material from its declared nuclear power plant fuel cycle.

Amano is far from alone in his campaign to disrupt the talks. Recall that a couple of weeks ago, David Sanger took to the front page of the New York Times to plant the erroneous idea that Iran was nearing an agreement to outsource its enrichment of uranium to Russia. The Times never noted nor corrected the error, which, conveniently for Sanger and other opponents of a deal, could give hardliners in Iran another opening for opposing any deal.

Sanger returned to the front page of the Times on Monday to gleefully list the forces he sees arrayed against any deal with Iran. Remarkably, Sanger did at least make an offhand correction to his earlier error (but of course there still is no note or change on the original erroneous report). He only does this, though, while also describing how he thinks Russia could undermine the breakthrough in which they have played a huge role:

Perhaps the most complex political player is Russia. It has remained a key element of the negotiating team, despite its confrontations with the West over Ukraine. It has been a central player in negotiating what may prove the key to a deal: a plan for Iran to ship much of its low-enriched uranium to Russian territory for conversion into fuel for the Bushehr nuclear power plant.

But Russian officials may want an extension of the talks that keeps any real agreement in limbo — and thus keeps Iranian oil off the market, so that it cannot further depress falling prices.

So, yes, Sanger finally admits the deal would be for Russia to convert low enriched uranium to fuel rods, not to do the enrichment itself, but only while also cheering on what he sees as a path for Russia to keep Iranian oil off international markets.

Missing from Sanger’s list of forces lined up against a deal with Iran are those working behind the scenes in the US intelligence and “diplomatic” communities. Those forces gave state secrets to United Against Nuclear Iran to be used in false allegations against a Greek shipping firm providing goods to Iran that were not subject to sanctions. We still don’t know what that information was nor how UANI came into its possession because the Justice Department has intervened to quash disclosure in the lawsuit resulting from the false allegations.

As we enter what is slated to be the final weekend of the negotiations, the stakes are clear. Barack Obama has gladly jumped on board with most neocon dreams of open war in many of their target nations. Iran remains a huge prize for them, but so far Obama has shown remarkable resolve in pushing for an agreement that could avert a catastrophic war that would make the current ones look only like small skirmishes. I’m hoping for the best this weekend, but I also worry about what opponents of the negotiations may have in store for their final move.

Glaring Front Page Error by David Sanger, New York Times as Iran Nuclear Negotiations Near Deadline

See the update below: as of about 2:45 pm, the Times has changed the wording of the erroneous paragraph without adding a note of the correction. Oops. I got off on the wrong paragraph when I checked back. See the comment from Tony Papert below.

For someone who has written on a range of technical issues for many years, the error committed last night by David Sanger could not be worse nor come at a worse time for the important events he is attempting to cover. In an article put up last night on the New York Times website and apparently carried on page A1 of today’s print edition, Sanger and the Times have garbled a key point at the heart of the negotiations between Iran and the P5+1 group of nations as they near the critical November 24 deadline for achieving a full agreement on the heels of last year’s interim agreement.

The article ostensibly was to announce a major breakthrough in the negotiations, although Gareth Porter had worked out the details of the progress last week. Here is what Porter deduced:

The key to the new approach is Iran’s willingness to send both its existing stockpile of low enriched uranium (LEU) as well as newly enriched uranium to Russia for conversion into fuel for power plants for an agreed period of years.

In the first official indication of the new turn in the negotiations, Iranian Foreign Ministry spokesperson Marzieh Afkham acknowledged in a briefing for the Iranian press Oct. 22 that new proposals combining a limit on centrifuges and the transfer of Iran’s LEU stockpile to Russia were under discussion in the nuclear negotiations.

The briefing was translated by BBC’s monitoring service but not reported in the Western press.

Undersecretary of State Wendy Sherman, who heads the U.S. delegation to the talks, has not referred publicly to the compromise approach, but she appeared to be hinting at it when she said on Oct. 25 that the two sides had “made impressive progress on issues that originally seemed intractable.”

As Porter goes on to explain, such an arrangement would allow Iran to maintain a large number of centrifuges continuing to enrich uranium, but because there would be no stockpile of low enriched uranium (LEU), the “breakout time” (the time required to highly enrich enough uranium for a nuclear weapon) would remain at about a year. By having Russia convert the LEU to fuel rods for Iran’s nuclear power plant, that LEU would be removed from any easy pathway to a weapon. This would provide Iran the “win” of maintaining its present level of around 10,000 operational centrifuges but give the P5+1 its goal of a longer breakout time. The key here is that, unlike a proposal in 2005 where Russia would take over enrichment for Iran, this new proposal would allow Iran to continue its enrichment program while shipping virtually all of its LEU to Russia for conversion to fuel rods.

Sanger appears to start off on the right track with his article:

Iran has tentatively agreed to ship much of its huge stockpile of uranium to Russia if it reaches a broader nuclear deal with the West, according to officials and diplomats involved in the negotiations, potentially a major breakthrough in talks that have until now been deadlocked.

Under the proposed agreement, the Russians would convert the uranium into specialized fuel rods for the Bushehr nuclear power plant, Iran’s only commercial reactor. Once the uranium is converted into fuel rods, it is extremely difficult to use them to make a nuclear weapon. That could go a long way toward alleviating Western concerns about Iran’s stockpile, though the agreement would not cut off every pathway that Tehran could take to obtain a nuclear weapon.

But about halfway through the article, Sanger displays a shocking ignorance of the real points of recent negotiations and somehow comes to the conclusion that Russia would be taking over enrichment for Iran rather than converting LEU into fuel rods:

For Russia, the incentives for a deal are both financial and political. It would be paid handsomely for enriching Iran’s uranium, continuing the monopoly it has in providing the Iranians with a commercial reactor, and putting it in a good position to build the new nuclear power reactors that Iran has said it intends to construct in the future. And it also places President Vladimir V. Putin at the center of negotiations that may well determine the future of the Middle East, a position he is eager to occupy.

Somehow, Sanger and his New York Times editors and fact-checkers are stuck in 2005, suggesting that Iran would negotiate away its entire enrichment program. Such a drastic move would never be contemplated by Iran today and we are left to wonder whether this language found its way into the Times article through mere incompetence or more nefarious motives meant to disrupt any possible deal by providing false information to hardliners in Iran.

At the time of this writing (just before 9 am on November 4), the Times still has not added any correction or clarification to the article, despite the error being pointed out on Twitter just after 10:30 pm last night (be sure to read the ensuing Twitter conversation where Laura Rozen and Cheryl Rofer work out the nature of the error).

Update: And now, around 2:45 in the afternoon, I see that the Times has changed the erroneous paragraph. So far, I don’t see a note that a correction has been made. Here is the edited paragraph:

Russia’s calculus is also complex. It stands to gain financially from the deal, but it also has an incentive to see the nuclear standoff between Iran and the rest of the world continue, because an embargo keeps Iranian oil off the market. With oil prices falling, a flood of exports from Iran could further depress prices.

Will they ever get around to adding a note? I’ll keep an eye out. Well dang, this is embarrassing. I went to the wrong paragraph when I looked back. The article is still unchanged. Thanks to Tony Papert in comments for catching my bone-headedness.

Warrick Selectively Edits Amano Remarks to CFR

Video: http://www.youtube.com/watch?v=Dfr8NQXmYKM

Yukiya Amano, Director General of the IAEA, appeared on the record yesterday at the Council on Foreign Relations. He presented a very brief statement and then the bulk of his time was spent in a wide-ranging question and answer session. The lineup of questioners included Barbara Slavin leading off, David Sanger near the middle and Gareth Porter getting in just before questioning was brought to a close.

Joby Warrick took advantage of Slavin’s question to present Iran in the worst possible light:

International Atomic Energy Agency Director General Yukiya Amano said the nuclear watchdog would try again next week to visit the Parchin military base, a sprawling complex where Iran is thought to have conducted tests on high-precision explosives used to detonate a nuclear bomb.

Iran has repeatedly refused to let IAEA inspectors visit the base, on the outskirts of Tehran. Instead, in the months since the agency requested access, satellite photos have revealed what appears to be extensive cleanup work around the building where tests are alleged to have occurred.

“We are concerned that our capacity to verify would have been severely undermined,” Amano told a gathering of the Council on Foreign Relations in Washington. He noted Iran’s “extensive” cleanup effort at the site, which has included demolishing buildings and stripping away topsoil.

“We cannot say for sure that we would be able find something,” Amano said.

Notice the careful way in which Warrick has excerpted parts of what Amano said and inserted his own spin into the statements. If you listen carefully to what Amano says in response to Slavin’s question around the 27 minute mark of the video, you will see that Amano never characterizes the activities by Iran as sanitizing the site (as said in Warrick’s headline) or even that it was cleanup work, as Warrick says in the body of the article. Amano does mention removal of soil, demolition of buildings and extensive use of water, but maintains that access to the site is necessary in order to have a clear understanding of both past and current activities there.

Amano sits in a position of high tension. He must deal with the Wikileaks disclosures showing that he is much more aligned with the US than his predecessor, Mohamed ElBaradei. Perhaps helping him to navigate this delicate position, the host of the CFR event, George Perkovich of the Carnegie Endowment for International Peace, provided some background comments and posed questions to Amano aimed at allowing Amano to voice his overall goal of resolving issues diplomatically. Despite this claim by Amano that his goal is diplomatic solutions, he must deal with the fact that the issues his organization has been raising are cited (often in an embellished way, as Warrick does above) as grounds for an attack on Iran. Perkovich also used these comments as a way to provide an endorsement of sorts for a second term for Amano.

One of the better questions posed by Perkovich related to whether it is possible to come to agreement with Iran regarding boundaries for future activities while leaving unresolved questions about what may have taken place in the past.

The House Judiciary Committee Preens in Full Ignorance at Leaks Hearing

The headline that has come out of yesterday's House Judiciary Committee hearing on leaks is that the Committee may subpoena people. As US News correctly reports, one push for subpoenas came from a John Conyers ploy to call Republican members' bluff: he basically asked how they could be sure who leaked the stories in question, and said that if they were sure they should just subpoena those people to testify before the committee.

It’s a testament to the thin knowledge of these stories that none of the Republicans responded, “John Brennan.” But then, even if they had, the committee would quickly get into trouble trying to subpoena Brennan as National Security Advisors (and Deputy NSAs) have traditionally been excused from Congressional subpoena for deliberation reasons, a tradition reinforced by Bush’s approach with Condi Rice.

Ah well. I’m sure we’re going to have some amusing theater of Jim Sensenbrenner trying to force Conyers to come up with some names now.

The other big push for subpoenas, though, came from Trey Gowdy. Partly because he wanted to create an excuse to call a Special Prosecutor and partly because, just because, he was most interested in subpoenaing some journalists. And in spite of the way that former Assistant Attorney General Ken Wainstein patiently explained why there are good national-security reasons why DOJ is hesitant to subpoena journalists, Gowdy wouldn't let up.

But what concerned me more is that no one–not a single person on the House committee that oversees DOJ–explained that DOJ doesn't need to subpoena journalists to find out who they've been talking to. They've given themselves the authority to get journalists' call records in national security cases without Attorney General approval, and the call records alone show who a journalist has been talking to, and when, without anyone ever asking the journalist.

That’s a detail every member of the committee should know, particularly if they’re going to hold hearings about whether DOJ can adequately investigate leaks. And while I expect Trey Gowdy to be ignorant, it seems they all are ignorant of this detail.

There was another display of ignorance I find troubling for a different reason. Dan Lungren suggested that he learned of what we’re doing with StuxNet from David Sanger’s reports. He rightly noted that–as the Chair of the House Homeland Security Subcommittee on Cybersecurity–he ought to learn these things from the government, not the NYT. And while his ignorance of StuxNet’s escape may be due to the timing of his ascension to the Subcommittee Chair (most members of the Gang of Four, except Dianne Feinstein, would not have gotten briefed on early stages of StuxNet, when someone should have told the government what a boneheaded plan it was), the Subcommittee still should be aware that our own recklessness has made us vulnerable in dangerous new ways.

Perhaps the most telling detail of the hearing, though, came from retired Colonel Kenneth Allard. He was brought on, I guess, to label what we did with StuxNet an act of war (without, of course, considering whether that is the problem rather than the exposure that both Republican and Democratic Administrations are engaging in illegal war without telling anyone). In his comments, he went so far as to say that “What Mr. Sanger did is equivalent of having KGB operation run against White House.”

Someone had to accuse the journalists of being enemy spies.

But Allard’s statement reveals where all this comes from: personal pique against the NYT for coverage they’ve done on him. Not only did he complain that David Sanger’s publisher didn’t give the New York Journal of Books, for which he writes reviews, an advance copy, but also that the NYT reported on the scam the Pentagon set up to give select Generals and Colonels inside information to spin favorably on TV.

Third, I have personally experienced what it feels like when the NYT deliberately distorts national security information, even to the point of plagiarism. On April 20, 2008, the NYT published an inflammatory expose: "Behind Analysts, Pentagon's Hidden Hand" by David Barstow. The Times' article charged that over 70 retired officers, including me, had misused our positions while serving as military analysts with the broadcast and cable TV networks.

StuxNet: Covert Op-Exposing Code In, Covert Op-Exposing Code Out

In this interview between David Sanger and Jake Tapper, Sanger makes a striking claim: that he doesn’t know who leaked StuxNet.

I’ll tell you a deep secret. Who leaked the fact? Whoever it was who programmed this thing and made a mistake in it in 2010 so that the bug made it out of the Natanz nuclear plant, got replicated around the world so the entire world could go see this code and figure out that there was some kind of cyberattack underway. I have no idea who that person was. It wasn’t a person, it wasn’t a person, it was a technological error.

At one level, Sanger is just making the point I made here: the age of cyberwar may erode even very disciplined Administration attempts to cloak their covert operations in secrecy. Once StuxNet got out, anyone who captured a sample could analyze the code, so it didn't take Administration (or Israeli) sources leaking to expose the program.

But I’m amused that Sanger claims he doesn’t know who leaked the information because he doesn’t know who committed the “technological error” that allowed the code to escape Natanz. I find it particularly amusing given that Dianne Feinstein recently suggested Sanger misled her about what he would publish (while not denying she might call for jailing journalists who report such secrets).

What you have are very sophisticated journalists. David Sanger is one of the best. I spoke–he came into my office, he saw me, we’ve worked together at the Aspen Strategy Institute. He assured me that what he was publishing he had worked out with various agencies and he didn’t believe that anything was revealed that wasn’t known already. Well, I read the NY Times article and my heart dropped because he wove a tapestry which has an impact that’s beyond any single one thing. And he’s very good at what he does and he spent a year figuring it all out.

Sanger claims, now that DiFi attacked him, he doesn’t know who made this “technological error.”

But that’s not what he said in his article, as I noted here. His article clearly reported two sources–one of them a quote from Joe Biden–blaming the Israelis.

An error in the code, they said, had led it to spread to an engineer’s computer when it was hooked up to the centrifuges. When the engineer left Natanz and connected the computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed. It began replicating itself all around the world. Suddenly, the code was exposed, though its intent would not be clear, at least to ordinary computer users.

“We think there was a modification done by the Israelis,” one of the briefers told the president, “and we don’t know if we were part of that activity.”


Transcribing Obama Administration Iran Spin, Sanger Advances False “Breakout” Capability

Marcy will be along later to discuss the shiny thong thing aspect of David Sanger’s New York Times article where he was awarded today’s transcription prize by the Obama administration and allowed to “break” the story in which the US for the first time admitted its role in cyberwarfare against Iran’s nuclear program. What I want to concentrate on here is how in putting forward the cyberwarfare story, Sanger unquestioningly accepts the administration’s framing that Iran is just a short “breakout” away from having multiple nuclear weapons.

Consider this key paragraph:

These officials gave differing assessments of how successful the sabotage program was in slowing Iran’s progress toward developing the ability to build nuclear weapons. Internal Obama administration estimates say the effort was set back by 18 months to two years, but some experts inside and outside the government are more skeptical, noting that Iran’s enrichment levels have steadily recovered, giving the country enough fuel today for five or more weapons, with additional enrichment.

All Iran needs is "additional enrichment" for "five or more weapons". That assumption is false on many levels. First, because Iran's enrichment activities are closely monitored by onsite IAEA inspectors, any activity aimed above the 20% level, which is their current upper bound, would be detected quickly. That statement is backed up even by David Albright, who has been busy fanning the anti-Iran rhetoric on the Parchin front. Adding further doubt to a rapid enrichment breakout is that, even in this same article, Sanger notes that Iran's centrifuge technology is old and unreliable. Albright supports that observation as well, and notes that installation of additional capability has been slowed by technical issues that don't seem related to cyberattacks.

The second major flaw in Sanger’s transcription above is that more than just “additional enrichment” is needed. The whole cat and mouse game at Parchin is playing out because in addition to enrichment of uranium to weapons grade, Iran will need technology for initiating the nuclear chain reaction that results in the weapon being detonated. Sanger makes no mention at all of this technical barrier for which there is no evidence that Iran has made an appropriate breakthrough.

Heck, the “enough uranium for five bombs” framing requires us to count the material enriched to only 3.5%. That makes it surprising the US and Israel aren’t claiming that Iran has enough uranium for an unlimited number of bombs if you count the uranium in the ground that they haven’t mined yet.

Roja Heydarpour, writing at The Back Channel, brings us this bit of reassurance from David Albright that any Iranian attempts at enrichment to weapons grade would be caught quickly.

Iraq Redux? Media Parroting Dubious IAEA Iran Claims


In a remarkable column in the Guardian, Brian Whitaker points out both the uncritical way in which most of the press is merely parroting the accusations in the IAEA report on Iran’s nuclear technology and how this process feels very much like the propaganda campaign that led to the invasion of Iraq:

“One of the oldest tricks in the run-up to a war is to spread terrifying stories of things that the enemy may be about to do. Government officials plant these tales, journalists water them and the public, for the most part, swallow them.” I wrote this paragraph in December 2002, some three months before the US launched its invasion of Iraq, but it seems just as applicable today in relation to Iran.

The Iraq war of 2003 followed a long media build-up in which talk about Saddam Hussein’s imaginary weapons of mass destruction, simply by virtue of its constant repetition, led many prominent journalists to abandon their critical faculties. The Washington Post, for instance, devoted an extraordinary 1,800 words to an extremely flimsy (but scary) story suggesting Iraq had supplied nerve gas to al-Qaida. The paper later conceded that its coverage of the Iraqi WMD issue had been seriously defective, but by then it was too late to undo the damage.

Whitaker then goes on to cite a number of media stories that breathlessly cite the IAEA allegations without any meaningful evaluation of the claims therein. He cites b's work at Moon of Alabama on the nanodiamond alternative to the claims of an explosive trigger device as an example of how one would go about critically examining the claims in the report.

He then closes with this:

Of course, these are extremely murky waters and I’m not at all sure who to believe. There is probably a lot of deception taking place on both sides. But what seems to me extraordinary is the reluctance of journalists – especially in the US mainstream – to acknowledge the uncertainties and their willingness to accept what, as far as Iran is concerned, are the most incriminating interpretations.

In addition to the examples Whitaker cites in his column (please read the entire column), I would offer the video above, where Christiane Amanpour interviews David Sanger. In this interview, as in most other media reports, there isn't even acknowledgment that the report itself admits that there is no proof that an active nuclear weapons development program has indeed been restarted in Iran after it was halted in 2003. Instead, Amanpour and Sanger go into speculative details of how the US can intervene and prevent full development of a nuclear weapon. They do stop short of war, but certainly point out how it would not be surprising.

There is one more sadly ironic parallel between the current buildup of rhetoric over Iran and the buildup to war in Iraq. Throughout this process it should be kept in mind that the CIA's WMD program took a very big hit when Robert Novak Dick Cheney outed Valerie Plame on July 14, 2003 as the Bush administration madly tried to justify the faulty intelligence it fabricated and spread prior to the March 2003 Iraq invasion. Had Plame not been outed, the CIA's capability in gathering WMD intelligence could have continued unabated, rather than needing a major regrouping after one of its major operatives was outed. Perhaps the current state of intelligence on what is happening in Iran would be much better had that not happened.

There are a number of posts at Moon of Alabama providing chapter and verse on the debunking of the IAEA report, so I won't repeat those details and links here. Instead, I would just note that the credibility of the report has been brought into question by a number of independent observers, but that is a very difficult piece of information to obtain if one is exposed only to the traditional media outlets. Let's hope that the Iraq 2003 parallel isn't so complete that traditional media only realize the low quality of the current "intelligence" after a war has started.

Did the US Authorize Albright and Sanger to Publish the IAEA Iran Report?

Partial screengrab from ISIS website showing link for IAEA Iran report.

Major media organizations around the world are reacting to the IAEA’s report on Iran’s nuclear technology.

Okay, anyone who reads my posts knows that the sentence above should include a link to the IAEA's website and its posting of the original report. But I can't include that link, because the IAEA hasn't posted the report yet. The report is posted (pdf) at the website for David Albright's Institute for Science and International Security, where it showed up early yesterday afternoon, and at the New York Times (pdf), in association with a story by David Sanger and William Broad. I believe that the Times copy was posted several hours after the ISIS copy.

The IAEA’s website has this information about the report, on a page with the heading “Report On Iran Nuclear Safeguards Sent to IAEA Board”:

An IAEA report on nuclear verification in Iran was circulated on 8 November 2011 to the Agency’s Board of Governors and the UN Security Council.

The Agency’s 35-member Board of Governors will consider the report at its next meeting in Vienna from 17 November 2011. The document’s circulation is currently restricted to IAEA Member States and unless the IAEA Board decides otherwise the Agency cannot authorize its release to the public.

The report, Implementation of the NPT Safeguards Agreement and Relevant Provisions of Security Council Resolutions in the Islamic Republic of Iran, was issued by the IAEA Director General. It covers developments since the last report on 2 September 2011, as well as issues of longer standing.

Note that David Albright figured prominently in many media stories leading up to the appearance of the report. He clearly had already read the report and was busy spreading his take on what the report means.

Given that Albright's interpretation of the report fits so well with the Obama administration's take, a question that comes to mind is whether the US authorized Albright to post the report. The IAEA information quoted above states that the IAEA is not authorized to release the report but that it was sent yesterday to the IAEA's Board of Governors and to the UN Security Council. The information also states that current circulation is "restricted to IAEA Member States". The US is a Member State of the IAEA.

Did the US authorize Albright's release of the report?