Jan. 28, 2010 -- The leak-prone governments of the United States and Israel seem to be competing to claim credit for a cyber war attack on Iran's nuclear weapons program, while officially refusing to confirm or deny their role in the "Stuxnet" computer worm.
Stuxnet, in case you have missed all the leaks, is the name the computer security companies have agreed on to denote the most sophisticated, most targeted computer attack ever seen. It was launched in late 2008 or early 2009 and became publicly known mid-way through 2010 when Iran hired a computer security company from Belarus to find out why the nuclear enrichment program was not working. The short version of the story that is now widely accepted is that a nation state (or two) had someone with a thumb drive deposit a very smart attack program on the computer network that runs Iran's nuclear centrifuges. The program stealthily caused the centrifuges to malfunction and may have thereby slowed the Iranian nuclear program by one to three years. We appear to have avoided dropping Israeli bombs by infiltrating American bytes.
Richard Clarke appeared on "Brian Ross Investigates" to discuss Stuxnet and its implications.
Many politicians in Washington and Tel Aviv are now giving high fives to their friends in the intelligence business when they think no one will see it. Not so fast. Yes, the precision-guided cyber attack was apparently successful at slowing the Iranian drive to get weapons-grade uranium. It was, however, a major failure in two important regards.
First, it was discovered. It may have taken some hackers from Minsk to do it, but the stealthy attack code was identified. The attackers' intent seems to have been to avoid detection, so that the Iranians might doubt their own skills at enrichment. Moreover, as a covert program, the attack was meant to be not only unknown, but unattributable. The Iranian government could avoid acknowledging publicly that it had been attacked. Therefore, they would not be under any internal pressure to retaliate. With the attack now the subject of international press attention and the Iranian president forced to admit it happened, we should be standing by for the retaliation. It need not be in cyberspace, but could instead come in the form of increased deaths of Americans in Iraq and Afghanistan from Tehran's vast supply of roadside bombs. Or it could come in cyberspace, aided by the second failure of Stuxnet.
Second, the cyber agent Stuxnet was captured and successfully interrogated. That was not supposed to happen. The attack program had built into it all sorts of collateral damage controls, including instructions to kill itself after a date certain in 2009. Those controls, most unusual in the world of hackers but common in certain countries' covert action programs, failed apparently because the weapon's designers took the collateral damage controls less seriously than they did the ingenious attack. For a hacker, attacking is always more interesting than pleasing the lawyers. Thus, after laying low the Iranian nuclear enrichment centrifuges at Natanz, the worm made its way from that plant's supposedly isolated, internal computer network to freedom in cyberspace. Thousands of other computers in Iran were infected, as were many in countries such as Pakistan, India, Indonesia, and even a few in the United States.
Problem: Other Nations Likely Modifying Stuxnet For Different Attacks
The Stuxnet worm did not harm the other computers, because it was designed only to attack a network running a certain software program connected to a specific kind of machine found only at Natanz. So unless you happened to be making an Iranian nuclear bomb, it let you off without hurting your computer. The problem lies in the fact that the worm ran freely through cyberspace and lots of people caught a copy. One can be sure that highly skilled hackers in several countries are even now taking it apart, modifying it, and getting it ready to destroy some other target. They are benefiting from free access to the most sophisticated computer attack weapon ever created. That would not be such a problem except for the fact that the thousands of computer networks that run our economy are essentially defenseless against sophisticated computer attacks.
Moreover, the Obama Administration's policy is that the hundreds of privately owned companies that run those networks have to defend them by themselves. Our new military Cyber Command is not allowed to protect our electric power grid, banking system, railroads, or pipelines. Nor is the Department of Homeland Security. Given the fact that Stuxnet may turn into a boomerang, we may want to rethink whether our tax dollars might buy us some defense of the computer networks that we need to make the country run.
Richard Clarke is a former White House counter-terrorism adviser, ABC News consultant and author of "Cyber War: The Next Threat to National Security and What To Do About It".