Posts

Are Escaped Zoo Animals Autonomous?

/15 Comments/in /by

Back when David Sanger revealed new details of how StuxNet broke free of Natanz, he used the metaphor of an escaped zoo animal actively unlocking its cage.

In the summer of 2010, shortly after a new variant of the worm had been sent into Natanz, it became clear that the worm, which was never supposed to leave the Natanz machines, had broken free, like a zoo animal that found the keys to the cage. It fell to Mr. Panetta and two other crucial players in Olympic Games — General Cartwright, the vice chairman of the Joint Chiefs of Staff, and Michael J. Morell, the deputy director of the C.I.A. — to break the news to Mr. Obama and Mr. Biden.

An error in the code, they said, had led it to spread to an engineer’s computer when it was hooked up to the centrifuges. When the engineer left Natanz and connected the computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed. It began replicating itself all around the world. [my emphasis]

This zoo animal found the keys to its cage, broke free, spread to an engineer’s computer, failed to recognize its new environment, and then began replicating itself all around the world.

That is, Sanger used the language of a cognizant being, acting as an agent to spread itself. That’s not inapt. After all, viruses do spread themselves (though they don’t actually go seek out keys to do so).

Which is why this detail, noted in Obama’s other pre-Thanksgiving document dump, is so stunning. (h/t Trevor Timm)

The Defense Department does not require developers of computer systems that launch cyber operations to implement the same safeguards required of traditional arms makers to prevent collateral damage.

[snip]

directive, released Nov. 21, mandated that automated and semi-autonomous weaponry — such as guided munitions that independently select targets — must have human machine interfaces and “be designed to allow commanders and operators to exercise appropriate levels of human judgment over the use of force.” The mandate called for “rigorous hardware and software verification and validation” to ensure that engagements could be terminated if not completed in a designated time frame. The goal is to minimize “unintended engagements,” the document states.

The Pentagon is permitting less human control over systems that deploy malware, exploits and mitigation tools, highlighting Defense’s focus on agile responses to computer threats. The document, signed by Deputy Secretary of Defense Ashton Carter, explicitly states that the directive “does not apply to autonomous or semi-autonomous cyberspace systems for cyberspace operations.”

We have already lost control of one our semi-autonomous cyberspace operations. The potential danger from its “escape” could be tremendous.

And yet DOD specifically exempts similar operations in the future? So we can commit the same error again?

Blowback: Stuxnet and the Ongoing Risk to Manufacturing Worldwide

/29 Comments/in /by

Dear Chevron: Thanks for letting us know you’ve been infected with Stuxnet. It’s difficult to muster sympathy for your management or shareholders, because you were warned.This guy quite clearly warned your industry, as did other firms specializing in technology security.

Every single manufacturer around the world using supervisory control and data acquisition (SCADA) driven equipment in their processes was warned. Businesses at particular risk are those relying on certain ubiquitous applications in a networked environment.

Perhaps you heeded the warning months ago but didn’t disclose widely that your business was working on eliminating the exposures. If your business has been hardening your systems, great. However, the public does have a right to know know if your plant located in their backyard might blow up or release toxic chemicals because your firm was exposed to cyber warfare elements our country sponsored in some fashion.

This goes for any other firms out there that are dealing with the same exposure. Perhaps you believe it’s a business intelligence risk to let your competitors know you’ve got a problem– frankly, we’re way past that. The potential risks to the public outweigh your short-term profitability, and if your plant blows up/dumps chemicals/produces unsafe or faulty products because of Stuxnet, our public problem becomes your public relations/long-term shareholder value problem anyhow.

By the way: perhaps it might be worthwhile to actively recruit American citizens who qualify for security clearance when hiring SCADA application analysts to fix your Stuxnet problems. Why compound your problem for lack of foresight with regard to national security risks? We can see you’re hiring. Ahem. Read more

Breaking: Panetta Equating Crude Iranian Cyberattacks with Pearl Harbor, Iran Infiltrated Aramco

/10 Comments/in , , /by

Today, the NYT–serving its role as spokesperson for the Cold War against Iran–confirms what blabby Joe Lieberman told CSPAN last month: the government suspects Iran was behind a series of crude cyberattacks on US banks.

Or to put it differently, Leon Panetta wants us to be more afraid of crude DNS attacks on US online banking sites than he wants us to be of the orders of magnitude greater damage the banks cause all by themselves. Because … Iran!

More interesting is the widely reported speculation we think Iran was behind the more serious attack on Aramco.

The attack under closest scrutiny hit Saudi Aramco, the world’s largest oil company, in August. Saudi Arabia is Iran’s main rival in the region and is among the Arab states that have argued privately for the toughest actions against Iran. Aramco, the Saudi state oil company, has been bolstering supplies to customers who can no longer obtain oil from Iran because of Western sanctions.

The virus that hit Aramco is called Shamoon and spread through computers linked over a network to erase files on about 30,000 computers by overwriting them. Mr. Panetta, while not directly attributing the strike to Iran in his speech, called it “probably the most destructive attack that the private sector has seen to date.”

Until the attack on Aramco, most of the cybersabotage coming out of Iran appeared to be what the industry calls “denial of service” attacks, relatively crude efforts to send a nearly endless stream of computer-generated requests aimed at overwhelming networks. But as one consultant to the United States government on the attacks put it several days ago: “What the Iranians want to do now is make it clear they can disrupt our economy, just as we are disrupting theirs. And they are quite serious about it.”

That’s interesting not because the attack did real damage–it didn’t, because it hit the business, not the production, computers.

Saudi Aramco has said that only office PCs running Microsoft Windows were damaged. Its oil exploration, production, export, sales and database systems all remained intact as they ran on isolated and heavily protected systems.

“All our core operations continued smoothly,” CEO Khalid Al-Falih told Saudi government and business officials at a security workshop on Wednesday.

“Not a single drop of oil was lost. No critical service or business transaction was directly impacted by the virus.”

It’s interesting because the malware was introduced into the Aramco network by an insider.

One or more insiders with high-level access are suspected of assisting the hackers who damaged some 30,000 computers at Saudi Arabia’s national oil company last month, sources familiar with the company’s investigation say.

[snip]

The hackers’ apparent access to a mole, willing to take personal risk to help, is an extraordinary development in a country where open dissent is banned.

“It was someone who had inside knowledge and inside privileges within the company,” said a source familiar with the ongoing forensic examination.

Once you translate the NYT’s spin, here’s what we’re left with:

  • We’re supposed to treat cyberattacks by Iran as an existential threat, even though they expose Iran’s relative impotence in the cyber sphere.
  • We’re supposed to get panicked about computers here at home because Iran succeeded in human espionage with Aramco.

And while Panetta cries wolf over and over, the banksters and the oil companies continue to real damage he ignores.

Latest StuxNet Incarnation Resembles Alleged Project of Murdered GCHQ Officer

/9 Comments/in , /by

Kaspersky Labs has found a new incarnation of StuxNet malware, which they’ve called Gauss. As Wired summarizes, the malware is focused geographically on Lebanon and has targeted banks.

A newly uncovered espionage tool, apparently designed by the same people behind the state-sponsored Flame malware that infiltrated machines in Iran, has been found infecting systems in other countries in the Middle East, according to researchers.

The malware, which steals system information but also has a mysterious payload that could be destructive against critical infrastructure, has been found infecting at least 2,500 machines, most of them in Lebanon, according to Russia-based security firm Kaspersky Lab, which discovered the malware in June and published an extensive analysis of it on Thursday.

The spyware, dubbed Gauss after a name found in one of its main files, also has a module that targets bank accounts in order to capture login credentials. The malware targets accounts at several banks in Lebanon, including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets customers of Citibank and PayPal.

I find that interesting for a number of reasons. First, every time banks have squawked about our government’s access of SWIFT to track terrorist financing, the spooks have said if they don’t use SWIFT they’ll access the information via other means; it appears this malware may be just that. And the focus on Lebanon fits, too, given the increasing US claims about Hezbollah money laundering in the time since Gauss was launched. I’m even struck by the coincidence of Gauss’ creation last summer around the same time that John Ashcroft was going through the Lebanese Canadian Bank to find any evidence of money laundering rather than–as happens with US and European banks–crafting a settlement. I would imagine how that kind of access to a bank would give you some hints about how to build malware.

But the other thing the malware made me think of, almost immediately, was the (I thought) bogus excuse some British spooks offered last summer to explain the murder of Gareth Williams, the GCHQ officer–who had worked closely with NSA–who was found dead in a gym bag in his flat in August 2010. Williams was murdered, the Daily Mail claimed, because he was working on a way to track the money laundering of the Russian mob.

The MI6 agent found dead in a holdall at his London flat was working on secret technology to target Russian criminal gangs who launder stolen money through Britain.

[snip]

But now security sources say Williams, who was on secondment to MI6 from the Government’s eavesdropping centre GCHQ, was working on equipment that tracked the flow of money from Russia to Europe.

The technology enabled MI6 agents to follow the money trails from bank accounts in Russia to criminal European gangs via  internet and wire transfers, said the source.

‘He was involved in a very sensitive project with the highest security clearance. He was not an agent doing surveillance, but was very much part of the team, working on the technology side, devising stuff like software,’ said the source.

He added: ‘A knock-on effect of this technology would be that a number of criminal groups in  Russia would be disrupted.

‘Some of these powerful criminal networks have links with, and employ, former KGB agents who can track down people like  Williams.’

Frankly, I always thought that explanation was bogus–I suggested that the Brits could just partner with the US to access such data via SWIFT. And whatever it means, I haven’t seen such an explanation since.

But I do find it rather interesting that one of the most prominent unsolved murders of a spook was blamed–at around the time the StuxNet people were working on Gauss–on a plan to track money laundering.

“Dear John Brennan: You’re Being Investigated”

/4 Comments/in , , , /by

A number of people have pointed to Scott Shane’s story on the leak witch hunt for the details it gives on the increasing concern about leak witch hunts among journalists and national security experts.

But this paragraph includes the most interesting news in the article.

The F.B.I. appears to be focused on recent media disclosures on American cyberattacks on Iran, a terrorist plot in Yemen that was foiled by a double agent and the so-called “kill list” of terrorist suspects approved for drone strikes, some of those interviewed have told colleagues. The reports, which set off a furor in Congress, were published by The New York Times, The Associated Press, Newsweek and other outlets, as well as in recent books by reporters for Newsweek and The Times. [my emphasis]

That’s because prior reporting had indicated that the Kill List stories were not being investigated.

Recent revelations about clandestine U.S. drone campaigns against al Qaeda and other militants are not part of two major leak investigations being conducted by federal prosecutors, sources familiar with the inquiries said.

[snip]

The CIA has not filed a “crime report” with the Justice Department over reports about Obama’s drone policy and a U.S. “kill list” of targeted militants, an action which often would trigger an official leak investigation, two sources familiar with the matter said. They

So Shane’s revelation that the Kill List stories are being investigated amounts to the author of one of the Kill List stories reporting that some people who have been interviewed by the FBI told colleagues they got asked about the Kill List. Which might go something like, “Scott, they’re asking about your story, too.”

All without Shane acknowledging that Shane wrote one of the main Kill List Shiny Object stories.

Meanwhile, I find his reference to the outlets involved very interesting. Using the principle of parallelism, the passage seems to suggest the FBI is investigating the NYT for David Sanger’s sources on StuxNet, the AP for Adam Goldman and Matt Apuzzo’s sources on the UndieBomb 2.0 plot, and Newsweek for Daniel Klaidman’s sources on the Kill List. But of course the NYT also wrote a Kill List story, the AP wrote what is probably the most interesting Kill List story (which reported that the Kill List is now run by John Brennan). “And other outlets.” Which might include ABC for revealing that the UndieBomb 2.0 plotter was actually an infiltrator (ABC got the story indirectly from John Brennan, though Richard Clarke). Or the WaPo for Greg Miller’s original story on drone targeting, revealing that we were going to use signature strikes in Yemen. Or the WSJ, reporting that we had started using signature strikes.

In other words, it presents a rather interesting group of potential stories and sources.

Now I don’t know that John Brennan was the source for all this or that he’s really being investigated. I’m not saying Shane is being manipulative by reporting on this (though seriously, it’s another example of the NYT having a reporter report on a story that he is really a part of).

But I do find it rather interesting that a reporter targeted in this leak witch hunt just made news about the scope of the leak witch hunt.

Lamar Smith’s Futile Leak Investigation

/4 Comments/in , , , , , /by

Lamar Smtih has come up with a list of 7 national security personnel he wants to question in his own leak investigation. (h/t Kevin Gosztola)

House Judiciary Committee Chairman Lamar Smith, R-Texas, told President Obama Thursday he’d like to interview seven current and former administration officials who may know something about a spate of national security leaks.

[snip]

The administration officials include National Security Advisor Thomas Donilon, Director of National Intelligence James Clapper, former White House Chief of Staff Bill Daley, Assistant to the President for Homeland Security and Counterterrorism John Brennan, Deputy National Security Advisor Denis McDonough, Director for Counterterrorism Audrey Tomason and National Security Advisor to the Vice President Antony Blinken.

Of course the effort is sure to be futile–if Smith’s goal is to figure out who leaked to the media (though it’ll serve its purpose of creating a political shitstorm just fine)–for two reasons.

First, only Clapper serves in a role that Congress has an unquestioned authority to subpoena (and even there, I can see the Intelligence Committees getting snippy about their turf–it’s their job to provide impotent oversight over intelligence, not the Judiciary Committees).

As for members of the National Security Council (Tom Donilon, John Brennan, Denis McDonough, Audrey Tomason, and Antony Blinken) and figures, like Bill Daley, who aren’t congressionally approved? That’s a bit dicier. (Which is part of the reason it’s so dangerous to have our drone targeting done in NSC where it eludes easy congressional oversight.)

A pity Republicans made such a stink over the HJC subpoenaing Karl Rove and David Addington and backed Bush’s efforts to prevent Condi Rice from testifying, huh?

The other problem is that Smith’s list, by design, won’t reveal who leaked the stories he’s investigating. He says he wants to investigate 7 leaks.

Smith said the committee intends to focus on seven national security leaks to the media. They include information about the Iran-targeted Stuxnet and Flame virus attacks, the administration’s targeted killings of terrorism suspects and the raid which killed Usama bin Laden.

Smith wants to know how details about the operations of SEAL Team Six, which executed the bin Laden raid in Pakistan, wound up in the hands of film producers making a film for the president’s re-election. Also on the docket is the identity of the doctor who performed DNA tests which helped lead the U.S. to bin Laden’s hideout.

But his list doesn’t include everyone who is a likely or even certain leaker.

Take StuxNet and Flame. Not only has Smith forgotten about the programmers (alleged to be Israeli) who let StuxNet into the wild in the first place–once that happened, everything else was confirmation of things David Sanger and security researchers were able to come up with on their own–but he doesn’t ask to speak to the Israeli spooks demanding more credit for the virus.

Read more

The House Judiciary Committee Preens in Full Ignorance at Leaks Hearing

/5 Comments/in , /by

The headline that has come out of yesterday’s House Judiciary Committee hearing on leaks is that the Committee may subpoena people. As US News correctly reports, one push for subpoenas came from a John Conyers ploy trying to call Republican members’ bluff; he basically asked how they could be sure who leaked the stories in question and if they were they should just subpoena those people to testify to the committee.

It’s a testament to the thin knowledge of these stories that none of the Republicans responded, “John Brennan.” But then, even if they had, the committee would quickly get into trouble trying to subpoena Brennan as National Security Advisors (and Deputy NSAs) have traditionally been excused from Congressional subpoena for deliberation reasons, a tradition reinforced by Bush’s approach with Condi Rice.

Ah well. I’m sure we’re going to have some amusing theater of Jim Sensenbrenner trying to force Conyers to come up with some names now.

The other big push for subpoenas, though, came from Trey Gowdy. Partly because he wanted to create an excuse to call a Special Prosecutor and partly because, just because, he was most interested in subpoenaing some journalists. And in spite of the way that former Assistant Attorney General Ken Wainstein patiently explained why there are good, national security, reasons why DOJ is hesitant to subpoena journalists, Gowdy wouldn’t let up.

But what concerned me more is that no one–not a single person on the House committee that oversees DOJ–explained that DOJ doesn’t need to subpoena journalists to find out who they’ve been talking to. They’ve given themselves the authority to get journalist call records in national security cases without Attorney General approval.

That’s a detail every member of the committee should know, particularly if they’re going to hold hearings about whether DOJ can adequately investigate leaks. And while I expect Trey Gowdy to be ignorant, it seems they all are ignorant of this detail.

There was another display of ignorance I find troubling for a different reason. Dan Lungren suggested that he learned of what we’re doing with StuxNet from David Sanger’s reports. He rightly noted that–as the Chair of the House Homeland Security Subcommittee on Cybersecurity–he ought to learn these things from the government, not the NYT. And while his ignorance of StuxNet’s escape may be due to the timing of his ascension to the Subcommittee Chair (most members of the Gang of Four, except Dianne Feinstein, would not have gotten briefed on early stages of StuxNet, when someone should have told the government what a boneheaded plan it was), the Subcommittee still should be aware that our own recklessness has made us vulnerable in dangerous new ways.

Perhaps the most telling detail of the hearing, though, came from retired Colonel Kenneth Allard. He was brought on, I guess, to label what we did with StuxNet an act of war (without, of course, considering whether that is the problem rather than the exposure that both Republican and Democratic Administrations are engaging in illegal war without telling anyone). In his comments, he went so far as to say that “What Mr. Sanger did is equivalent of having KGB operation run against White House.”

Someone had to accuse the journalists of being enemy spies.

But Allard’s statement reveals where all this comes from: personal pique against the NYT for coverage they’ve done on him. Not only did he complain that David Sanger’s publisher didn’t give the New York Journal of Books, for which he writes reviews, an advance copy, but also that the NYT reported on the scam the Pentagon set up to give select Generals and Colonels inside information to spin favorably on TV.

Third, I have personally experienced what it feels like when the NYT deliberately distorts national security information, even to the point of plagiarism. On April 20, 2008, the NYT published an inflammatory expose: “Behind Analysts, Pentagon’s Hidden Hand” by David Barstow. The Times’ article charged that over 70 retired officers, including me, had misused our positions while serving as military analysts with the broadcast and cable TV networks. Read more

Failed Overseers Prepare to Legislate Away Successful Oversight

/16 Comments/in , , , /by

Before I talk about the Gang of Four’s proposed ideas to crack down on leaks, let’s review what a crop of oversight failures these folks are.

The only one of the Gang of Four who has stayed out of the media of late–Dutch Ruppersberger–has instead been helping Mike Rogers push reauthorization of the FISA Amendments Act through the House Intelligence Committee with no improvements and no dissents. In other words, Ruppersberger has delivered for his constituent–the NSA–in spite of the evidence the government is wiretapping those pesky little American citizens Ruppersberger should be serving.

Then there’s Rogers himself, who has been blathering to the press about how these leaks are the most damaging in history. He supported such a claim, among other ways, by suggesting people (presumably AQAP) would assume for the first time we (or the Saudis or the Brits) have infiltrators in their network.

Some articles within this “parade” of leaks, Rogers said late last week, “included at least the speculation of human source networks that now — just out of good counterintelligence activities — they’ll believe is real, even if its not real. It causes huge problems.”

Which would assume Rogers is unaware that the last time a Saudi infiltrator tipped us off to a plot, that got exposed too (as did at least one more of their assets). And it would equally assume Rogers is unaware that Mustafa Alani and other “diplomatic sources” are out there claiming the Saudis have one agent or informant infiltrated into AQAP regions for every 850 Yemeni citizens.

In short, Rogers’ claim is not credible in the least.

Though Rogers seems most worried that the confirmation–or rather, reconfirmation–that the US and Israel are behind StuxNet might lead hackers to try similar tricks on us and/or that the code–which already escaped–might escape.

Rogers, who would not confirm any specific reports, said that mere speculation about a U.S. cyberattack against Iran has enabled bad actors. The attack would apparently be the first time the U.S. used cyberweapons in a sustained effort to damage another country’s infrastructure. Other nations, or even terrorists or hackers, might now believe they have justification for their own cyberattacks, Rogers said.

This could have devastating effects, Rogers warned. For instance, he said, a cyberattack could unintentionally spread beyond its intended target and get out of control because the Web is so interconnected. “It is very difficult to contain your attack,” he said. “It takes on a very high degree of sophistication to reach out and touch one thing…. That’s why this stuff is so concerning to me.”

Really, though, Rogers is blaming the wrong people. He should be blaming the geniuses who embraced such a tactic and–if it is true the Israelis loosed the beast intentionally–the Israelis most of all.

And while Rogers was not a Gang of Four member when things started going haywire, his colleague in witch hunts–Dianne Feinstein–was. As I’ve already noted, one of the problems with StuxNet is that those, like DiFi, who had an opportunity to caution the spooks either didn’t have enough information to do so–or had enough information but did not do their job.The problem, then, is not leaks; it’s inadequacy of oversight.

In short, Rogers and Ruppersberger and Chambliss ought to be complaining about DiFi, not collaborating with her in thwarting oversight.

Finally, Chambliss, the boss of the likely sources out there bragging about how unqualified they are to conduct intelligence oversight, even while boasting about the cool videogames they get to watch in SCIFs, appears to want to toot his horn rather the conduct oversight.

Which brings me back to the point of this post, before I got distracted talking about how badly the folks offering these “solutions” to leaks are at oversight.

Their solutions:

Discussions are ongoing over just how stringent new provisions should be as the Senate targets leakers in its upcoming Intelligence Authorization bill, according to a government source.

Read more

Ron Wyden: “An Obvious Question I Have Not Answered”

/13 Comments/in , , /by

In the background of the larger drama of the leak witch hunts is a paragraph that, to me, summarizes where the balance between secrecy and sanity is in our country.

An obvious question that I have not answered here is whether any warrantless searches for Americans’ communications have already taken place. I am not suggesting that any warrantless searches have or have not occurred, because Senate and committee rules regarding classified information generally prohibit me from discussing what intelligence agencies are actually doing or not doing. However, I believe that we have an obligation as elected legislators to discuss what these agencies should or should not be doing, and it is my hope that a majority of my Senate colleagues will agree with that searching for Americans’ phone calls and emails without a warrant is something that these agencies should not do.

This is the language Ron Wyden used to attempt to persuade his colleagues to join his opposition to the reauthorization of the FISA Amendments Act without first including protections for Americans’ communications. A very similar paragraph appeared at the end of Wyden and Mark Udall’s dissent from the Senate Intelligence Report on the legislation.

Now, I have already shown that even leak witch hunt convert Dianne Feinstein (who supports reauthorization without telling citizens what the legislation really does) made it clear that while NSA may not target Americans under FAA, the agency does query information collected under FAA to find the communications of Americans. That is, DiFi herself made it clear that the communications collected “incidentally” are fair game for review. And both the Wyden/Udall dissent and the exchange Wyden had with Director of National Intelligence James Clapper last year–which he re-released in conjunction with his hold–make it more clear that the government is reviewing Americans’ communications it collects in the guise of “targeting” non-US persons.

Everyone–Wyden, DiFi, DNI Clapper–admit that the government is accessing Americans’ communications under FAA; it’s just the latter two are pretending they’re not doing so by hiding behind the magic word “targeting.”

With that said, let’s look at Wyden’s paragraph closely and what it says about democracy in the age of secrecy. The first sentence reads like CYA, insulation against any accusation that Wyden has revealed classified information.

An obvious question that I have not answered here is whether any warrantless searches for Americans’ communications have already taken place.

Yet at the same time, Wyden defines the question that DiFi refuses to answer clearly: whether or not the government is using FAA to conduct warrantless searches of Americans’ communications.

It’s an obvious question, Wyden continues, but he’s not legally permitted to answer it.

I am not suggesting that any warrantless searches have or have not occurred, because Senate and committee rules regarding classified information generally prohibit me from discussing what intelligence agencies are actually doing or not doing.

That said, Wyden makes it clear he knows the answer. Read more

DiFi Admits She Okayed Unleashing 21st Century WMD with Inadequate Details

/14 Comments/in , , /by

The reason Dianne Feinstein is so torqued about the StuxNet story, according to this SFChron piece, is because she learned things from it that she didn’t know as a Gang of Four member.

Feinstein declared, “This has to stop. When people say they don’t want to work with the United States because they can’t trust us to keep a secret, that’s serious.”

A week later, Feinstein is more than halfway through New York Times reporter David E. Sanger’s book, “Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power.” She told me Wednesday, “You learn more from the book than I did as chairman of the intelligence committee, and that’s very disturbing to me.”

Now, as a threshold matter, I think DiFi and others are underestimating how much our foreign partners are leaking on these stories; not only did foreign sources serve as early confirmation on UndieBomb 2.0, but the Saudis and Yemenis exposed the last infiltrator the Saudis put into AQAP.  And as for StuxNet, the Israelis are now complaining that Sanger didn’t give them enough credit.

The Israeli officials actually told me a different version. They said that it was Israeli intelligence that began, a few years earlier, a cyberspace campaign to damage and slow down Iran’s nuclear intentions. And only later they managed to convince the USA to consider a joint operation — which, at the time, was unheard of. Even friendly nations are hesitant to share their technological and intelligence resources against a common enemy.

Plus, if and when Israel bombs Iran and has to deal with the retaliation, I can assure you the Israelis will be happy to work with us.

And there’s a far bigger problem here. DiFi was not a Gang of Four member when this program started under Bush (Jay Rockefeller would have been the Democrat from the Senate Intelligence Committee). But she seems to say she got what passed for briefing on StuxNet.

Yet she’s learning new details from Sanger.

StuxNet is, both because it can be reused by non-state actors and because of the ubiquity of the PLCs they affected, the 21st Century version of a WMD. And all that’s before we learned Flame was using Microsoft’s update function.

Now from the sounds of things, DiFi never had the opportunity to authorize letting StuxNet free; the Israelis don’t have to brief the Gang of Four. But the possibility StuxNet would break free on its own always existed. One reason we have Congressional overseers is to counterbalance spooks whose enthusiasm for an op might cloud any judgment about the wisdom of pursuing that op.

The US, in partnership with Israel, released a WMD to anyone who could make use of it. And the people in charge of overseeing such activities got fewer details about the WMD than you could put in a long-form newspaper article.

And DiFi thinks there’s too little secrecy?