StuxNet: Covert Op-Exposing Code In, Covert Op-Exposing Code Out

In this interview between David Sanger and Jake Tapper, Sanger makes a striking claim: that he doesn’t know who leaked StuxNet.

I’ll tell you a deep secret. Who leaked the fact? Whoever it was who programmed this thing and made a mistake in it in 2010 so that the bug made it out of the Natanz nuclear plant, got replicated around the world so the entire world could go see this code and figure out that there was some kind of cyberattack underway. I have no idea who that person was. It wasn’t a person, it wasn’t a person, it was a technological error.

At one level, Sanger is just making the point I made here: the age of cyberwar may erode even very disciplined Administration attempts to cloak their covert operations in secrecy. Once StuxNet got out, it didn’t take Administration (or Israeli) sources leaking to expose the program.

But I’m amused that Sanger claims he doesn’t know who leaked the information because he doesn’t know who committed the “technological error” that allowed the code to escape Natanz. I find it particularly amusing given that Dianne Feinstein recently suggested Sanger misled her about what he would publish (while not denying she might call for jailing journalists who report such secrets).

What you have are very sophisticated journalists. David Sanger is one of the best. I spoke–he came into my office, he saw me, we’ve worked together at the Aspen Strategy Institute. He assured me that what he was publishing he had worked out with various agencies and he didn’t believe that anything was revealed that wasn’t known already. Well, I read the NY Times article and my heart dropped because he wove a tapestry which has an impact that’s beyond any single one thing. And he’s very good at what he does and he spent a year figuring it all out.

Sanger claims, now that DiFi attacked him, he doesn’t know who made this “technological error.”

But that’s not what he said in his article, as I noted here. His article clearly reported two sources–one of them a quote from Joe Biden–blaming the Israelis.

An error in the code, they said, had led it to spread to an engineer’s computer when it was hooked up to the centrifuges. When the engineer left Natanz and connected the computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed. It began replicating itself all around the world. Suddenly, the code was exposed, though its intent would not be clear, at least to ordinary computer users.

“We think there was a modification done by the Israelis,” one of the briefers told the president, “and we don’t know if we were part of that activity.”

Is Administration Admitting It Is Lying about Drones?

I’ll have far, far more on the leak investigations tomorrow or Monday. But for the moment I want to lay out certain implications suggested by this Jack Goldsmith post.

Goldsmith asks what the scope of the leak investigation is and cites reports that it covers only the UndieBomb 2.0 and StuxNet leaks.

However, the Wall Street Journal reports that the two relevant FBI leak investigations concern (1) “leaks about the cyberattack program” and (2) “leaks about a double agent who infiltrated al Qaeda’s Yemen affiliate.”  If the WSJ is right, it would appear that the investigations do not concern leaks about drone attacks and related matters that, like leaks about the Iranian cyber-operation and the AQAP infiltration, have been the subject of recent congressional complaint.

And he cites DOJ saying they can’t tell us the scope of the investigation because it would confirm whether or not reports were correct.

According to the New York Times, DOJ was silent on the subject matter of the investigations because revealing their subject matter “would implicitly confirm that certain reports contained accurate classified information.”

Put these two details together. If DOJ will only investigate leaks of accurate classified information, and if DOJ is really investigating the UndieBomb 2.0 leaks and StuxNet leaks but not the drone stories, one possible explanation (though not the only one) is that the UndieBomb 2.0 and StuxNet stories were accurate, but not the drone stories.

I have suggested the NYT and Klaidman stories came out when they did and in the form they did to distract from earlier reporting on signature strikes run from the NSC. Is the Administration admitting–with the scope of their leak investigations–that those leaks were not the truth?

Gang Warfare to Protect Israel’s Secrets

Easily the most overlooked line in David Sanger’s story on StuxNet is this one:

Mr. Obama concluded that when it came to stopping Iran, the United States had no other choice.

If Olympic Games failed, he told aides, there would be no time for sanctions and diplomacy with Iran to work. Israel could carry out a conventional military attack, prompting a conflict that could spread throughout the region.

It’s a sentiment he repeats in this worthwhile interview:

FP: There haven’t been thoughtful discussions about the consequences or the ethics or the international legal ramifications of this approach. Let’s imagine for a moment that you’re [Iranian President] Mahmoud Ahmadinejad and you are confronted with this. Isn’t your first reaction, “How is them blowing up Natanz with a code any different from them blowing up Natanz with a bomb? And doesn’t that justify military retaliation?”

DS: Blowing it up with computer code, rather than bombs, is different in one big respect: It is very hard for the Iranians in real time to know who the attacker was, and thus to make a public case for retaliating. It takes a long time to figure out where a cyber attack comes from.

That was a big reason for the U.S. and Israel to attack Natanz in this way. But it wasn’t the only reason, at least from the American perspective. One of the main driving forces for Olympic Games was to so wrap the Israelis into a project that could cripple Natanz in a subtle way that Israel would see less of a motivation to go about a traditional bombing, one that could plunge the Middle East into another war. [my emphasis]

A key purpose of StuxNet, according to Sanger, was not just to set back the Iranian nuke program. Rather, it was to set back the nuke program in such a way as to set back Israel’s push for war against Iran.

With that in mind, consider the way the article blamed the Israelis for letting StuxNet escape.

An error in the code, they said, had led it to spread to an engineer’s computer when it was hooked up to the centrifuges. When the engineer left Natanz and connected the computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed. It began replicating itself all around the world. Suddenly, the code was exposed, though its intent would not be clear, at least to ordinary computer users.

“We think there was a modification done by the Israelis,” one of the briefers told the president, “and we don’t know if we were part of that activity.”

Mr. Obama, according to officials in the room, asked a series of questions, fearful that the code could do damage outside the plant. The answers came back in hedged terms. Mr. Biden fumed. “It’s got to be the Israelis,” he said. “They went too far.”

After having explained that the whole point of StuxNet was to stop the Israelis from bombing Iran, the article then goes on to say that what alerted the Iranians to StuxNet’s presence in their systems–and effectively gave a very dangerous weapon to hackers around the world–was an Israeli modification to the code.

The Israelis went too far.

Those details are, IMO, some of the most interesting new details, not included the last time David Sanger confirmed on the front page of the NYT that the US and Israel were behind StuxNet.

How very telling, then, that of all the highly revealing articles that have come out during this Administration–of all of the highly revealing articles that have come out in general, including Sanger’s earlier one revealing some of the very same details–Congress is going apeshit over this one.

Remember When WE Accused IRAN of Hacking?

I meant to mention this in my earlier post about David Sanger’s StuxNet story, and this passage by Matthew Waxman reminded me.

As I’ve argued elsewhere, it’s likely that in many cyber-attack scenarios, both sides – the attacker and the attacked – will have great incentive to maintain very tight secrecy about it; among other reasons and aside from political considerations, the attacked will not want to disclose information about its vulnerabilities and responses.  In light of the “secrecy and low visibility of some states’ responsive actions [to cyber-attacks]… it will be difficult to develop consensus understandings even of the fact patterns on which states’ legal claims and counterclaims are based, assuming those claims are leveled publicly at all.”  In writing this, I may have underestimated how much information might leak from the attacking side.

While he sources this information to the public comments of an Iranian general, Sanger suggests Iran has started its own cyberwar unit.

Iran initially denied that its enrichment facilities had been hit by Stuxnet, then said it had found the worm and contained it. Last year, the nation announced that it had begun its own military cyberunit, and Brig. Gen. Gholamreza Jalali, the head of Iran’s Passive Defense Organization, said that the Iranian military was prepared “to fight our enemies” in “cyberspace and Internet warfare.” But there has been scant evidence that it has begun to strike back.

The thing is, while the US provided no detail to explain this claim, in February Treasury claimed that Iran’s Ministry of Intelligence and Security participated with Hezbollah on some hacking projects.

MOIS provides financial, material, or technological support for, or financial or other services to Hizballah, a terrorist organization designated under E.O. 13224. MOIS has participated in multiple joint projects with Hizballah in computer hacking.

I assume this is either an admission that Hezbollah has hit us or–perhaps more likely–Israel with attacks. (When I wrote this post, I wondered if the allegations that Hezbollah had hijacked Israeli drones–which quickly appeared to be Mossad sabotage instead–were the claimed hack.)

Whatever the basis for the claim, the US government, with a straight face, based part of its Iran sanctions on accusations that the mean old Persians have hacked … somebody.

Obama’s “Zoo Animal” Broke Free and “Crossed the Rubicon”

At the bottom of it all has been the Bomb. For the first time in our history, the President was given sole and unconstrained authority over all possible uses of the Bomb.

[snip]

Every executive encroachment or abuse was liable to justification from this one supreme power.

If the President has the sole authority to launch nation-destroying weapons, he has license to use every other power at his disposal that might safeguard that supreme necessity. If he says he needs other and lesser powers, how can Congress or the courts discern whether he needs them when they have no supervisory role over the basis of the claim he is making? To challenge his authority anywhere is to threaten the one great authority.

–Garry Wills, Bomb Power

I suppose I’ll eventually get around to discussing how the series of condoned leaks portraying President Obama as the Deciderer all rest on the pathetic but true fact that he is only borrowing George Bush’s claim to that title.

But for now, I want to focus on the one part of David Sanger’s mixed-metaphor-saturated installment in the Deciderer 2.0 series that rings most true:

Mr. Obama, according to participants in the many Situation Room meetings on Olympic Games, was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons — even under the most careful and limited circumstances — could enable other countries, terrorists or hackers to justify their own attacks.

“We discussed the irony, more than once,” one of his aides said. Another said that the administration was resistant to developing a “grand theory for a weapon whose possibilities they were still discovering.” Yet Mr. Obama concluded that when it came to stopping Iran, the United States had no other choice.

With cyberwar, with drones, and (to a lesser extent) with the embrace of the terrorists’ transnational methods to fight terrorists, Obama has crossed into uncharted territory of the sort Wills explored in his book, Bomb Power. These changes are likely a step beyond the Bomb Power paradigm, whatever that entails.

Yet Obama has only barely begun to think through the ramifications of these tools. He has, instead, focused on the near and overblown threats of Iran and AQAP, not seeing the strategic implications of even those choices, much less implications of the sort Wills describes arising in the wake of our use of a nuclear bomb.

The President has embraced waging extralegal war using drones from the Oval Office. The President has embraced using easily manipulable code to wage physical war. What are the implications of these decisions?

Oh sure, Obama started paying attention after the fact. A year ago, he rolled out a “National Strategy for Cyberspace,” calling for international cooperation to enforce responsible behavior of the sort we have already violated. Even more recently, DOD has been tinkering with our rules of engagement.

But there are signs it is already too late: the battle lines have been drawn.

Treasury Accuses Iran of Hacking

The Treasury Department just added the Iranian Ministry of Intelligence and Security (MOIS) to the other Iranian entities listed as Specially Designated Nationals (other entities already covered include the Quds Force and the National Police and their leaders). It sanctioned MOIS for a laundry list of reasons generally categorized as support for Syria’s human rights abuses, Iran’s own human rights abuses, and support for terrorism. Under the latter section, Treasury lists the following:

  • MOIS provides financial, material, or technological support for, or financial or other services to Hizballah, a terrorist organization designated under E.O. 13224. MOIS has participated in multiple joint projects with Hizballah in computer hacking.
  • MOIS provides financial, material, or technological support for, or financial or other services to HAMAS, a terrorist group also designated under E.O. 13224.
  • MOIS has facilitated the movement of al Qa’ida operatives in Iran and provided them with documents, identification cards, and passports.
  • MOIS also provided money and weapons to al Qa’ida in Iraq (AQI), a terrorist group designated under E.O. 13224, and negotiated prisoner releases of AQI operatives.

It is the official position of our government that Iran has facilitated the travel of al Qaeda operatives (this accusation may, in fact, date to pre-9/11 transiting of Iran on the same terms as others). And, not surprisingly, the government says Iran helped Hamas and Al Qaeda in Iraq.

But it’s the Hezbollah claim I’m most intrigued by. Treasury says that Iran’s intelligence service “participated in multiple joint projects with Hizballah in computer hacking.”

Hacking? We’re declaring hacking a terrorist act now? Like the StuxNet project we engaged in with Israel.

And what, precisely, is Iran alleged to have hacked? Because the most public allegations pertain to … drones. You know, the drones violating Iran and Lebanon’s airspace?

We’ve made that a terrorist act now?

Foreign Policy’s “False Flag”

Wikipedia defines “false flag operations” as “covert operations designed to deceive the public in such a way that the operations appear as though they are being carried out by other entities.” Unpacking such an operation would require explaining clearly the target audience(s) of the deception and the purpose of it.

But Mark Perry doesn’t describe that structure in his Foreign Policy story, titled “False Flag,” asserting that members of Jundallah were recruited by Mossad agents pretending to be CIA officers.

According to two U.S. intelligence officials, the Israelis, flush with American dollars and toting U.S. passports, posed as CIA officers in recruiting Jundallah operatives — what is commonly referred to as a “false flag” operation.

The memos, as described by the sources, one of whom has read them and another who is intimately familiar with the case, investigated and debunked reports from 2007 and 2008 accusing the CIA, at the direction of the White House, of covertly supporting Jundallah — a Pakistan-based Sunni extremist organization. Jundallah, according to the U.S. government and published reports, is responsible for assassinating Iranian government officials and killing Iranian women and children.

But while the memos show that the United States had barred even the most incidental contact with Jundallah, according to both intelligence officers, the same was not true for Israel’s Mossad. The memos also detail CIA field reports saying that Israel’s recruiting activities occurred under the nose of U.S. intelligence officers, most notably in London, the capital of one of Israel’s ostensible allies, where Mossad officers posing as CIA operatives met with Jundallah officials. [my emphasis]

Explaining that structure would seem all the more important in a story–apparently in the works for a year and a half–published at the precise moment the Americans are trying to deny any involvement in the ongoing assassinations of Iranian scientists.

The problem is all the more real given the ambiguity of Perry’s language. When he says the Israelis were “flush with American dollars,” does he mean they got the dollars from America, or only that they were–as dollars are in common usage–American? When he notes that the recruitment “occurred under the nose of U.S. intelligence officers,” is that meant to suggest that it did so with their assent?

The ambiguity in Perry’s article is more significant given that, while he describes George Bush “going ballistic” when he was briefed on the op, Perry also provides evidence that at least some of the top officials in Bush’s Administration didn’t seem to care all that much.

A senior administration official vowed to “take the gloves off” with Israel, according to a U.S. intelligence officer. But the United States did nothing — a result that the officer attributed to “political and bureaucratic inertia.”

“In the end,” the officer noted, “it was just easier to do nothing than to, you know, rock the boat.” Even so, at least for a short time, this same officer noted, the Mossad operation sparked a divisive debate among Bush’s national security team, pitting those who wondered “just whose side these guys [in Israel] are on” against those who argued that “the enemy of my enemy is my friend.”

Furthermore, while Perry references earlier stories covering Jundallah, he doesn’t even consider the role of JSOC in this false flag operation, even though one of them–Sy Hersh’s–specifically describes the involvement of JSOC in such ops.

And as for the suggestion that since Obama took over, such cooperation between the US and Israel has been dramatically curtailed? The claim that the US and Israel have only been cooperating on operations that “are highly technical in nature and do not involve covert actions targeting Iran’s infrastructure or political or military leadership” would first of all seem to be a stretch given that StuxNet and Duqu are all about infrastructure. It would also seem to gloss over the apparent role that drones have had in targeting these scientists (Iran has captured some Israeli drones, in addition to the American ones, but most of the airspace involved would require US acquiescence). Add in the recent border incident between Iran and Pakistan involving claimed Jundallah members (the border area isn’t exactly Israel’s backyard), and it seems the Obama Administration is, at best, looking the other way.

Israelis and Americans have long hidden behind each other when working with Iranians, going back at least to the Iran-Contra ops that Dick Cheney had a fondness for. Hiding behind Israelis lets American officials pretend we’re not doing the taboo things we’re doing. Hiding behind Americans lets Iranian partners working with Israelis pretend they aren’t working with the Zionist enemy. That false flag business works in many different directions, after all.

Mind you, whatever the other purposes of this “false flag” story, its publication at this point in time just stripped Jundallah partners of the ability to deny they’re working with Israel, with all the probably dangerous consequences that will have.

Ahmed Warsame and StuxNet

Back in November, I suggested one intended purpose of the detainee provisions in the Defense Authorization is to require a paper trail that would make it a little harder for the Administration to disappear detainees on floating prisons. The bill:

  • Requires written procedures outlining how the Administration decides who counts as a terrorist
  • Requires regular briefings on which groups and individuals the Administration considers to be covered by the AUMF
  • Requires the Administration submit waivers whenever it deviates from presumptive military detention

These are imperfect controls, certainly. But they do seem like efforts to bureaucratize the existing, arbitrary, detention regime, in which the President just makes shit up and tells big parts of Congress–including the Armed Services Committees, who presumably have an interest in making sure the President doesn’t make the military break the law–after the fact.

I suggested this effort to impose bureaucratic controls was, in part, a reaction to the Ahmed Warsame treatment, in which it appears that the Armed Services Committees learned Obama had declared war against parts of al-Shabaab and used that declaration as justification to float Warsame around on a ship for two months. (It appears that the Intelligence Committees, but not the Armed Services Committees, got briefed in this case, though Admiral McRaven was testifying about floating prisons as it was happening). [Update: I may be mistaken about what Lindsey Graham’s language about making sure the AUMF covered this action meant, so italicized language may be incorrect.]

This is not to say the ASCs are going to limit what the President does–just make sure they know about it and make sure the military has legal cover for what they’re doing.

With that in mind, take a look at Robert Chesney’s review of the new cyberwar authorization in the Defense Authorization, which reads:

SEC. 954. MILITARY ACTIVITIES IN CYBERSPACE.

Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to—

(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and

(2) the War Powers Resolution (50 U.S.C. 1541 et seq.).

Chesney’s interpretation of this troubling language is that by requiring a Presidential statement in some cases, it will force interagency consultation before, say, DOD launches a cyberwar on Iran. (Oh wait, too late.)

“This Isn’t the Assassination Surveillance Drone You’re Looking For”

Before you read this David Sanger/Scott Shane piece reporting that the RQ-170 Sentinel drone that just went down in Iran was, “among other missions, [] looking for tunnels, underground facilities or other places where Iran could be building centrifuge parts or enrichment facilities,” I invite you to review what David Sanger has been writing for the last few months. Sure, he’s been the key person orchestrating the IAEA Iran report story, going back months. There’s also this story, curiously mixing reporting on the capture of the drone with a report citing sources describing surveillance photos of the Iranian missile testing base conveniently blown up while Iran’s top missile expert was there.

And then there’s this story from last month, which is or was titled “The Secret War with Iran.” It suggests how the assassins targeting Iran’s nuclear scientists knew exact details of their daily commutes, and then went on to describe the centrality of drones to our surveillance efforts against Iran.

COMMUTING to work in Tehran is never easy, but it is particularly nerve-racking these days for the scientists of Shahid Beheshti University. It was a little less than a year ago when one of them, Majid Shahriari, and his wife were stuck in traffic at 7:40 a.m. and a motorcycle pulled up alongside the car. There was a faint “click” as a magnet attached to the driver’s side door. The huge explosion came a few seconds later, killing him and injuring his wife.

On the other side of town, 20 minutes later, a nearly identical attack played out against Mr. Shahriari’s colleague Fereydoon Abbasi, a nuclear scientist and longtime member of the Islamic Revolutionary Guards Corps. Perhaps because of his military training, Mr. Abbasi recognized what was happening, and pulled himself and his wife out the door just before his car turned into a fireball. Iran has charged that Israel was behind the attacks — and many outsiders believe the “sticky bombs” are the hallmarks of a Mossad hit.

[snip]

Iran may be the most challenging test of the Obama administration’s focus on new, cheap technologies that could avoid expensive boots on the ground; drones are the most obvious, cyberweapons the least discussed. It does not quite add up to a new Obama Doctrine, but the methods are defining a new era of nearly constant confrontation and containment. Drones are part of a tactic to keep America’s adversaries off balance and preoccupied with defending themselves.

Explosion Reported Near Iranian Uranium Processing Facility

Iranian nuclear facilities (Wikimedia Commons map)

According to Haaretz, the Iranian Fars News Agency is reporting (although I don’t see a story yet at their website or at Mehr News) an explosion in Isfahan, where an Iranian uranium processing facility is located:

An explosion rocked the western Iranian city of Isfahan on Monday, the semi-official Fars news agency reported, adding that the blast was heard in several parts of the city.

/snip/

It should be noted that Iran operates a uranium conversion plant near Isfahan, one with an important function in the chain of Iran’s nuclear program.

It first went into operation in 2004, taking uranium from mines and producing uranium fluoride gas, which then feeds the centrifuges that enrich the uranium.

The underground centrifuge facility at nearby Natanz was previously attacked by the Stuxnet virus and is seen as perhaps the most important Iranian enrichment facility.

When today’s explosion and the recent death of Hassan Moqaddam, the head of Iran’s missile program, in an explosion of dubious origin while hawks nattered on about the IAEA Iran report, are coupled with the Stuxnet attack, it appears that the Iranian nuclear program is being attacked simultaneously at all points along the path that could lead to a weapon on a missile.

Was today’s explosion an escalation of that battle?