Was U.S. Government's Stuxnet Brag A Mistake?
Some lawmakers accuse Obama administration of failing to manage its secrets, but Stuxnet now stands as a warning of America's cyber-warfare capabilities.
That's the playground-taunt version of what anonymous sources in the Obama administration last week essentially said to Iran, after they confirmed that the U.S. government developed and launched Stuxnet, in a bid to delay Iran's nuclear weapons program.
More Security Insights
- How Attackers Identify and Exploit Software and Network Vulnerabilities
- Getting a Grip on Mobile Malware
- The 451 Group Impact Report: Skybox Enters Vulnerability Management Space
- Ransomware: Hijacking Your Data
The Stuxnet credit-taking--if not warning to Iran--has prompted both Republican and Democratic lawmakers to accuse the Obama administration of failing to manage its secrets, as well as divulging crucial capabilities about the nation's offensive capabilities.
"This is the most highly classified information and has now been leaked by the administration at the highest levels of the White House. That's not acceptable," said Sen. John McCain (R-Ariz.), the top Republican on the Senate Armed Services Committee, on CBS news. McCain, who was Obama's opponent in the 2008 presidential election, also accused the White House of having leaked the information--including details of the drone-strike program--simply to make the president look good.
[Will Google warn about attacks by the U.S. government? Read Google Issues Warnings For State-Sponsored Attacks.]
As a result, "our enemies now know much more than they even did the day before they came out about important aspects of the nation's unconventional offensive capability and how we use them," he recently said on the Senate floor.
Similarly, the top members of both the Senate Intelligence Committee and the House Select Committee on Intelligence decried that information relating to Stuxnet and drone strikes had become public. "In recent weeks, we have become increasingly concerned at the continued leaks regarding sensitive intelligence programs and activities including specific details of sources and methods," reads a joint statement issued by Sens. Dianne Feinstein (D-Calif.) and Saxby Chambliss (R-Ga.), respectively the chair and ranking Republican on the Senate Intelligence Committee, and Reps. Mike Rogers (R-Mich.) and C.A. "Dutch" Ruppersberger (D-Md.), respectively the chair and ranking Democrat on the House Intelligence Committee.
"The accelerating pace of such disclosures, the sensitivity of the matters in question, and the harm caused to our national security interests is alarming and unacceptable," reads their statement. "Each disclosure puts American lives at risk, makes it more difficult to recruit assets, strains the trust of our partners, and threatens imminent and irreparable damage to our national security in the face of urgent and rapidly adapting threats worldwide."
But did the "leaks" really put lives at risk or are lawmakers' statements merely an attempt at flexing political muscle after not being consulted over the disclosures? "Keeping these programs secret may have a value," Jack Goldsmith, a Harvard law professor who served as a Justice Department official in the Bush administration, told The New York Times. "But there's another value that has to be considered, too--the benefit of transparency, accountability, and public discussion."
In the interests of open discussion, let's acknowledge that the identities of Stuxnet's creators were an open secret. After an extensive teardown of the malware, multiple researchers concluded that it had been built by the United States, as well as by Israel. Whether either government would confirm the finding, and whether or not the program was classified, was academic: everyone knew.
Technologically speaking, Stuxnet was also a marvel. Facing stiff competition from Anonymous (for its HBGary Federal Hack), as well as LulzSec (not least for its wit), Stuxnet even bagged the "Epic 0wnage" award at the Black Hat 2011 Pwnie awards ceremony in Las Vegas.
Of course, it's best to not fetishize any type of weapon, but does Stuxnet even qualify as such? Pwnie judge Mark Dowd memorably described the malware as "a non-violent protest against the Iranian nuclear program, allegedly done by a government with some pretty advanced intelligence capabilities." The malware apparently hurt no one, but did send a clear political signal, not least about the extent to which the United States would go to compromise Iran's nuclear program--preferably through non-violent means.
What are the negatives of Stuxnet, or taking credit for it? One line of Stuxnet thinking has been that Stuxnet changed the malware rules, by setting a precedent that other governments will be free to follow. And there's ample room for debate about whether any entity--governments, organized crime syndicates, anti-Anonymous hacktivists--should be lobbing malware at anyone. But did taking credit for Stuxnet cause "irreparable damage to our national security," as lawmakers have asserted?
In response to McCain's criticism, notably, White House press secretary Jay Carney Wednesday said: "This administration takes all appropriate and necessary steps to prevent leaks of classified information or sensitive information that could risk ongoing counterterrorism or intelligence operations." The "ongoing operations" caveat is key, because from a malware standpoint, security experts agree that the Stuxnet malware is played out. At this point, taking credit for it arguably strengthens national security, by serving as a further deterrent.
More than 900 IT and security professionals responded to InformationWeek’s 2012 Strategic Security Survey. Our results cover a variety of areas critical to information risk management, including cloud, mobility, and software development. Download the 2012 Strategic Security report now. (Free registration required.)