Olympic Games are Just the Beginning for Cyberwarfare
Headlines staff really appreciate how one article can change your whole week. Last Friday, we focused on the President’s Council of Advisors on Science and Technology’s spectrum report released a week earlier while pointing – ever-so-briefly – to a breaking story on President Barack Obama’s order to attack computer systems that run Iran’s main nuclear enrichment facilities. Today we focus on that story and the resulting fallout.
On June 1, the New York Times reported on President Obama’s decision to accelerate cyberattacks begun by the Bush administration, attacks aimed at slowing the progress of Iran’s efforts to develop the ability to build nuclear weapons.
The United States government only recently acknowledged developing cyberweapons, and it has never admitted using them. There have been reports of one-time attacks against personal computers used by members of Al Qaeda, and of contemplated attacks against the computers that run air defense systems, including during the North Atlantic Treaty Organization (NATO)-led air attack on Libya last year. But this effort, code named Olympic Games, was of an entirely different type and sophistication.
It appears to be the first time the United States has repeatedly used cyberweapons to cripple another country’s infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives. The code itself is 50 times as big as the typical computer worm, Carey Nachenberg, a vice president of Symantec, one of the many groups that have dissected the code, said at a symposium at Stanford University in April. Those forensic investigations into the inner workings of the code, while picking apart how it worked, came to no conclusions about who was responsible.
President Obama came to office with an interest in cyberissues, but he had discussed them during the campaign mostly in terms of threats to personal privacy and the risks to infrastructure like the electrical grid and the air traffic control system. He commissioned a major study on how to improve America’s defenses and announced it with great fanfare in the East Room. What he did not say then was that he was also learning the arts of cyberwar. The architects of Olympic Games would meet him in the Situation Room, often with what they called the “horse blanket,” a giant foldout schematic diagram of Iran’s nuclear production facilities. President Obama authorized the attacks to continue, and every few weeks — certainly after a major attack — he would get updates and authorize the next step. Sometimes it was a strike riskier and bolder than what had been tried previously.
In 2010, a variant of the American- and Israeli-made bug broke free and began replicating itself all around the world. Suddenly, the code was exposed, though its intent would not be clear, at least to ordinary computer users. The question facing President Obama was whether the rest of Olympic Games was in jeopardy, now that a variant of the bug was replicating itself “in the wild,” where computer security experts can dissect it and figure out its purpose. He decided the cyberattacks should continue believing they were his best hope of disrupting the Iranian nuclear program unless economic sanctions began to bite harder and reduced Iran’s oil revenues.
Writing for the Associated Press, Richard Lardner pointed out that the Obama Administration was warning American businesses about the unusually potent computer virus that infected Iran's oil industry even as suspicions persist that the United States is responsible for secretly creating and unleashing cyberweapons against foreign countries. The government's dual roles of alerting U.S. companies about these threats and producing powerful software weapons and eavesdropping tools underscore the risks of an unintended, online boomerang. Unlike a bullet or missile fired at an enemy, a cyberweapon that spreads across the Internet may circle back accidentally to infect computers it was never supposed to target. It's one of the unusual challenges facing the programmers who build such weapons, and presidents who must decide when to launch them.
Apparently, there is pressure for some to use cyberattacks more broadly – against North Korea, the Chinese military, forces in Syria on the way to suppress the uprising there, and Qaeda operations around the world. But the Administration’s focus of attention so far has been on Iran. President Obama has repeatedly told his aides that there are risks to using — and particularly to overusing — the weapon. In fact, no country’s infrastructure is more dependent on computer systems, and thus more vulnerable to attack, than that of the United States. It is only a matter of time, most experts believe, before it becomes the target of the same kind of weapon that the Americans have used, secretly, against Iran.
Obviously, there’s always lots of reaction to news this big.
The Christian Science Monitor’s editorial staff focused on the impact of cyberwarfare on peacemaking of all things. “The concept of war itself has become a moving target,” the editorial reads. “Peacemakers must move with it.”
On June 1, Politico published an article noting that the Constitution gives Congress the sole power to declare war — but it's silent on cyberwar. For some lawmakers, the new York Times report offered further evidence that the White House has taken too much war-making power from Congress. The revelation about the Olympics Game operation renews questions about the scope of congressional oversight when it comes to clandestine attacks launched in cyberspace — as well as the authority of the executive branch to secretly unleash weapons in the digital versus physical world. Modern-day operations, from cyberwarfare to drone strikes, lie somewhere in the gray area between espionage and war, giving the president wide latitude to order and execute them while informing only a handful of members of Congress.
The Los Angeles Times explored the subject as an evolution in warfare. "You're seeing an evolution of warfare that's really intriguing," said Phil Lieberman, a security consultant and chief executive of Lieberman Software in Los Angeles. "Warfare where no one is dying." Cyber missiles are evolving and becoming more sophisticated, targeted and devastatingly effective. And, when done properly and under the radar, you get "outcome without attribution," he said. "That's the beauty of it." What we're talking about is not your typical click-and-disturb computer virus that most of us update to guard against. It is sophisticated malware that can camouflage itself with the "signature" of innocuous files already in the computer, adjust tactics and adapt their DNA, said Leonid Shtilman, chief executive of Viewfinity.
A Washington Post editorial noted, “We are now at the dawn of another rapid change in weapons and technology, the rise of cyber conflict.” A cyber arms race is underway, although it often draws less attention than the related surge of cyber theft, espionage and hacking. The digital revolution has transformed global commerce, communications and culture, but also provided a new avenue for destruction — attacks on computer networks and critical infrastructure that are at the heart of modern society. The Post editorial staff concludes:
“The offensive cyber arms race makes it even more urgent to think about defenses. The United States is still seriously vulnerable, as are other nations. We have deeply embedded network technology in every facet of our economy and our lives, and it has been under constant assault in recent years. So far, the attacks have been largely aimed at theft, disruption and spying, but it will get worse. We live in a mammoth glass house and ought to be mindful of the dangers when we throw stones.”
When Eugene Kaspersky, the founder of Europe’s largest antivirus company, discovered the Flame virus that is afflicting computers in Iran and the Middle East, he recognized it as a technologically sophisticated virus that only a government could create. The New York Times reports that he also recognized that the virus, which he compares to the Stuxnet virus built by programmers employed by the United States and Israel, adds weight to his warnings of the grave dangers posed by governments that manufacture and release viruses on the Internet. “Cyberweapons are the most dangerous innovation of this century,” he told a gathering of technology company executives, called the CeBIT conference, last month in Sydney, Australia. While the United States and Israel are using the weapons to slow the nuclear bomb-making abilities of Iran, they could also be used to disrupt power grids and financial systems or even wreak havoc with military defenses.
Kaspersky said this week that only a global effort could stop a new era of "cyber terrorism." "It's not cyber war, it's cyber terrorism and I'm afraid it's just the beginning of the game ... I'm afraid it will be the end of the world as we know it," Kaspersky told reporters at a cyber security conference in Tel Aviv. "I'm scared, believe me," he said.
German researcher Ralph Langner said his ongoing concern is that governments and industry are not doing enough to protect themselves against cyber-threats like Stuxnet that could be used to damage real-world infrastructure. And he sees a danger that, the longer Stuxnet’s code remains in the wild, the more likely someone will adapt it for more malicious purposes. He wrote an op-ed for the New York Times saying, “Almost two years ago, I wrote that Iran seemed to be begging for a cyberattack. I did not imagine that the same could become true for the United States or other industrialized countries, but it appears like we're getting there.
Of course, the revelation of the US’s cyberattacks didn’t occur in a vacuum. The 112th Congress has been considering various cybersecurity proposals for months. On June 4, Rep Jim Langevin (D-RI) prodded Congress to pass comprehensive cybersecurity legislation, warning that "time is running out." He acknowledged that there is still "a gulf in opinions" about the government's role in protecting private computer networks — a divide that has become "an increasingly daunting barrier" to passing comprehensive reforms. But he urged lawmakers to redouble their efforts. "The consequences of inaction are perilously high," Rep Langevin said.
In April, the House passed the Cyber Intelligence Sharing and Protection Act (CISPA), a measure that would remove legal barriers that prevent companies from sharing information about cyberattacks with each other and with the government. Rep Langevin said the federal government should have the authority to require critical infrastructure to meet minimum cybersecurity standards. But House Republican leaders oppose cybersecurity mandates, saying they would impose unnecessary burdens on businesses. Rep Langevin said the controversy over mandates is "one of the primary stumbling blocks" for cybersecurity legislation.
This week, former top military and intelligence officials from both Democratic and Republican administrations called on Senate leaders to bring up cybersecurity legislation that includes protections for critical infrastructure. The leaders did not endorse any specific proposal, but noted that legislation championed by Senate Homeland Security Chairman Joe Lieberman (I-CT) "has received the most traction." Lieberman's bill would increase government oversight over some critical infrastructure operated by the private sector.
News also broke this week of a potential compromise in the Senate. Sens Sheldon Whitehouse (D-RI) and Jon Kyl (R-AZ) are circulating a draft cybersecurity bill on Capitol Hill that they hope will win over two competing camps on the issue. The proposal would put the Department of Homeland Security in charge of developing a program to pressure, but not force, critical infrastructure companies to better protect their computer systems. Under their legislation, companies that meet "baseline performance goals" would receive liability protections, advantages in securing government funding and eligibility for technical cybersecurity assistance. But unlike the Lieberman proposal, the bill would not force any company to meet the standards. The measure is currently only a six-page draft that is not written in legislative language. Industry officials and staffers on Capitol Hill said they would need to see a more detailed version to reach a conclusive opinion about it. But an aide to Sen Lieberman said the senator feels the proposal is "encouraging" because "it recognizes the importance of protecting the cyber systems of our most critical infrastructure."
Jamil Jaffer, Senior Counsel for the House Permanent Select Committee on Intelligence, said this week that the House is “ready to go to conference and find the middle ground that both houses can agree to and pass.”
Past possible legislation, the discussion about the Administration’s efforts also hit up against issues of secrecy and how the program came to public attention. After the New York Times article, Congressional Republicans accused the Obama Administration of leaking classified information for political advantage and Democrats lodged their own protests about high-level disclosures. Republican and Democratic leaders of the House and Senate intelligence committees issued a joint statement urging the Administration “to fully, fairly and impartially investigate” the recent disclosures and vowing new legislation to crack down on leaks. “Each disclosure puts American lives at risk, makes it more difficult to recruit assets, strains the trust of our partners and threatens imminent and irreparable damage to our national security,” said the statement, a rare show of unity.
On June 5, we learned that the Federal Bureau of Investigation opened an investigation into who disclosed information about the Olympic Games program. On June 7, New York Times managing editor Dean Baquet said the paper takes the prospect of an investigation very seriously, noting that it already has two reporters involved in cases involving leaks. “We don’t relish this,” he said. He vowed to charge ahead with coverage of developments in US national security - and denying that the paper is on the receiving end of silver-platter leaks from the Obama Administration. “These are some of the most significant developments in national security in a generation,” he said. “We’re going to keep doing these stories.” Baquet said his reporters came by the stories “strenuously.” “I can’t believe anybody who says these are leaks. Read those stories. They are so clearly the product of tons and tons of reporting.”