U.S. admits cyberattacks on Iran, others
Stuxnet, Duqu were part of 'Olympic Games' campaign of sabotage and espionage
Since late in the Bush administration the United States has been conducting cyberwar operations intended to slow, disrupt or damage Iran's effort to enrich nuclear material for either nuclear power plants or nuclear weapons, depending on whose interpretation you believe.
Under the Obama administration those cyberwar efforts – code-named Olympic Games – accelerated, eventually exposing part of their operations after a programming error allowed the Stuxnet malware to spread beyond Iran's Natanz nuclear-material refinement plant and infect servers in other countries, according to a New York Times story published this morning.
Stuxnet was developed as a joint project between the United States and Israel, as Iranian officials and critics of U.S. policy have charged, according to the Times, which credits no specific source for the first-ever confirmation.
The story credits interviews with American, Israeli and European officials who were actually involved in the program that distributed Stuxnet and other malware, but would not allow their names to be used because the whole project is still classified.
The report is based on a forthcoming book by NYT reporter David Sanger, who has covered the issue all along, but never had on-the-record confirmations from U.S. officials that they were working on cyberweapons or conducting cyberwarfare until a series of frank admissions made during the past two months:
- In April British newspaper The Guardian reported that the U.S. and China run periodic cyberwar games to help both prepare for attacks from third parties and to let each become familiar with the capabilities of the other to minimize the potential for military escalation in case of real cyberattacks from another superpower.
- An April 9 story in the Washington Post made public a Pentagon report to Congress urging the rapid development of new cyberweapons that could be deployed in days to counter quickly escalating threats.
- A clearer admission that the U.S. was already launching cyberattacks came in May, when Secretary of State Hillary Clinton acknowledged that the U.S. had hacked Al-Qaeda web sites to hose them down with American propaganda and attacked web sites in Yemen to take down messages advocating the killing of Americans, according to a story in The Telegraph May 24.
- Three days later, Defense Secretary Leon Panetta told ABCNews that a major cyberattack on U.S. electrical or other infrastructure would be considered an act of war on a par with the Japanese sneak attack on Pearl Harbor.
He named both China and Russia as potential attackers, but reiterated that major powers had to share information and de-mythologize cyberwar to avoid the potential for nuclear-armed countries to overreact to major attacks.
Adding less-than-lethal options to international confrontations
"We've got to engage other countries in an effort to try to develop some kind of standards that will assure that …we can take steps to prevent a mistake that could be damaging to our security," Panetta said in the interview.
Neither the U.S. nor Israel has admitted publicly any responsibility for Stuxnet, Duqu or the Flame malware attacks on Iran, though Israeli officials seem to be admitting their involvement with the same non-answer affirmations Israel has long used to avoid admitting it has nuclear weapons without reassuring its enemies that it does not.
"Israel neither admits to nor denies having nuclear weapons," according to an analysis of the cyberwar strategy in the Jerusalem Post. "Instead, Israeli leaders wink, smile, give a pat on the back and say something about how Israel knows how to protect itself whenever they are asked about these purported capabilities."
After the revelation that the Flame Trojan had been stealing data from Iranian systems, possibly for as long as five years, Israeli Vice Premier and Minister of Strategic Affairs Moshe Ya’alon "fueled speculation of Israeli involvement by praising Israeli technological prowess" during a radio interview.
Israel's considerable home-grown technological capabilities "open all kinds of possibilities for us," he said.
He backpedalled the following day, by saying most industrialized countries have the technical potential to create and direct cyberweapons.
On the same day Israeli Defense Force officials assured reporters that Israeli networks were safe from the Flame virus, partly due to the IDF's advanced security, though their level of confidence again hinted Israel had a hand in directing Flame and other cyberweapons, not merely a defense against them.
U.S. officials still haven't admitted on the record to being involved in Stuxnet, though the level of detail in Sanger's NYT story makes clear he had the goods on the U.S. cyberweapons program from bosses of the agencies involved, not just leakers among the hoi polloi.
Among the factual and ironic tidbits:
- U.S. officials discussed several times the irony that having U.S. officials acknowledge drone and cyberwar programs would help other countries justify similar attacks on the U.S.
- Stuxnet came out of a joint effort of the NSA and its Israeli equivalent, the IDF's Unit 8200.
- Stuxnet was designed to infect the Natanz facility and stay resident. Modifications, apparently by the Israelis, gave it the opportunity to escape and infect systems in other countries.
- Kaspersky Labs, which discovered the Flame malware two weeks ago, concludes that Duqu, Stuxnet and Flame share enough significant features to indicate they were written by the same state-sponsored cyberwar program.
- Flame was first identified in 2007 by the Hungarian Laboratory of Cryptography and Systems Security that also discovered Duqu; Flame may have been active for five to eight years before then.
US admits covert cyberattacks, effort to develop more powerful cyberweapons
Flame was not part of the U.S. campaign code-named Olympic Games, according to Sanger's interviews with U.S. officials; however none would say whether the U.S. was involved in developing or deploying it.
U.S. officials have admitted on the record individual attacks on single computers or web servers such as those owned by Al-Qaeda, Sanger reported. None have previously admitted anything like the scope, sophistication or aggressive character of Olympic Games. Panetta's comments alone make it clear that if another country had launched a similar campaign against the U.S., it would be considered an act of war that would justify a response involving war in the real world, not just the virtual one.
Sanger's report makes clear that, though revelation of Stuxnet was a mistake, it was one that let the world know the U.S. intelligence community – if not its cyber-impaired military – had introduced a whole new kind of warfare based on malware and remote-controlled drones.
By confirming that orders to accelerate development and use of cyberweapons came from the top – President Obama – Sanger also confirmed that the Stuxnet and Duqu attacks were strategic decisions to use cyberwar far more aggressively than any country had before to "cripple another country’s infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives."
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld.