The Washington Post is enjoying another one of those sneaky-leaky moments thanks to willing sources in the Obama administration who both sought to reinforce U.S. involvement with anti-Iran cyberwarfare, and distinguish between it and the meshuga Israelis who are using the weapons in indiscreet ways. The Post reports, as just about every cyber-security expert worth his or her salt already knew, that the computer mega-virus, Flame, was another joint product of Israeli and U.S. cyberwarriors:
There has been speculation that Washington had a role in developing Flame, but the collaboration on the virus between the United States and Israel has not been previously confirmed.
On the Israeli side it was undoubtedly cooked up by the IDF’s Unit 8200 and on the U.S. side by the National Security Agency.
Though some aspects of this story were either already known or surmised, I’d never heard about this aspect of Flame’s capabilities:
Experts said the program was designed to replicate across even highly secure networks…
In other words, though the initial infection may have been caused by an indiscretion or an infected USB stick, once inside, the code was so deftly designed that it could conceal itself from detection and spread to other computers and systems that were supposedly equally secure.
Here’s another new piece of data:
Flame masquerad[ed] as a routine Microsoft software update…[and] evaded detection for several years by using a sophisticated program to crack an encryption algorithm.
One interesting phenomenon of such warfare which I learned from this article is that if successful, the victim doesn’t even know his computer has been compromised. In that sense, you want to break into a system and patiently explore all the parameters of the network to learn all you can. In other words, you’re not looking for a quick fix. You’re looking for slow, incremental intelligence gains that bear fruit over the long-term.
That’s where Israeli and U.S. security world views diverge. Israel is all about the quick fix and the short term, which is why it surprised the U.S. when it allowed Flame to disable several Iranian oil depots. This episode exposed Flame and put the Iranians on to the whole operation. Thus five years of intelligence work evaporated (Flame was first created in 2007 and has presumably been operational since around that time).
Not to worry though, because another purpose of this leak is to play mind games with Iran by telling it that we have yet more worms and viruses likely infecting their systems:
“This is about preparing the battlefield for another type of covert action,” said one former high-ranking U.S. intelligence official, who added that Flame and Stuxnet were elements of a broader assault that continues today. “Cyber-collection against the Iranian program is way further down the road than this.”
…Although Stuxnet and Flame infections can be countered, “it doesn’t mean that other tools aren’t in play or performing effectively,” he said.
What I “love” about the hubris of statements like this is that the speaker appears to believe his own PR, thinking that he has some deft surprises in store for the Iranians. But unless Israel or the U.S. is willing to fully commit to knocking Iran out of the nuclear game, they simply won’t be able to do so with cyber-sabotage. It’s a screw that gets stuck in the cogs of the machine. But the machine can be fixed and brought back online and bring Iran to whatever its ultimate goal might be. To believe otherwise, as some in the U.S. and Israel appear to do, is a neat bit of self-deception.
Flame, according to this account, was meant as a cyber-scout:
Flame…shows the importance of mapping networks and collecting intelligence on targets as the prelude to an attack, especially in closed computer networks. Officials say gaining and keeping access to a network is 99 percent of the challenge.
“It is far more difficult to penetrate a network, learn about it, reside on it forever and extract information from it without being detected than it is to go in and stomp around inside the network causing damage,” said Michael V. Hayden, a former NSA director and CIA director…
It infected particular computers of individuals in the Iranian nuclear hierarchy and from there scoped out the entire Iranian network to find out how it was structured and to identify weaknesses to be exploited. Flame, in that sense, served as the precursor to Stuxnet, which infected the industrial control systems of Iran’s Natanz and Bushehr plants. The latter sabotaged 1,000 centrifuges (20% of the total), which were enriching uranium presumably for Iran’s nuclear program.
In this instance as well, the Israelis erred in allowing Stuxnet to migrate out of the Iranian system, where it infected computers around the world. In this case, Israeli indiscretion alerted the Iranians to their vulnerability. Instead of running around like chickens with their heads cut off trying to figure out why their centrifuges were self-destructing as they had previously, the Iranians could lay blame squarely where it belonged, on the U.S. and Israelis, who’d embraced a new, potentially lethal form of warfare.
A few days ago, Antiwar Radio interviewed me about Stuxnet, Flame and cyberwarfare. Here’s the audio. One of the issues I advocated was an international treaty to monitor and regulate cyberwarfare. Happily, Bruce Schneier, the noted cyber-security specialist, wrote a piece about this that’s well worth reading. Here are some of his main arguments:
…It [Stuxnet and Flame] damaged the U.S.’s credibility as a fair arbiter and force for peace in cyberspace. Its effects will be felt as other countries ramp up their offensive cyberspace capabilities in response. For that reason, Stuxnet was a destabilizing and dangerous course of action.
Here Schneier distinguishes between cyber-intelligence that is defensive in nature (eavesdropping, etc.) and more acceptable, and activity that is offensive in nature and which should be impermissible:
There is a fundamental difference between passive eavesdropping attacks and more active attacks that delete or overwrite data.
This is one of the most cogent arguments I’ve read on the importance of an international cyberwar treaty:
As to arms control agreements, I think it is vital for both society and cyberspace that we begin these discussions now. We’re in the early years of a cyberwar arms race, an arms race that will be expensive, destabilizing, and dangerously damaging. It will lead to the militarization of cyberspace, and the transformation of the Internet into something much less free and open. Perhaps it’s too late to reverse this trend — certainly you can argue that military grade cyberweapons like Stuxnet and Flame have already destroyed the U.S.’s credibility as a leader for a free and open Internet — but the only chance we have are cyberweapons treaties.
…I think there is enormous value in the treaty process — and in the treaties themselves. I think we need to proceed by starting the dialogue. We made a mistake with Stuxnet: We traded a small short-term gain for a large longer-term loss…
Changing the subject a bit, yesterday Israel announced that it had arrested an IDF non-commissioned officer working in military intelligence. He directed an IT unit that monitored and fixed computer glitches in the military computer network. This might’ve meant he worked in Unit 8200. There is a gag order on the identity of the soldier who’s been charged. The gist of the story as reported in the Israeli press is that when he moved jobs he took a hard drive from his secured computer containing top-secret data, and then transferred those files to his new work computer. He then transferred some of these files outside his IDF facility (I presume this means he put them on his personal computer, though that’s not clear). It’s somewhat similar to speculation that Iran’s Natanz facility was compromised by a USB stick introduced into its computer system.
Because his computer in his first job used a secure military network and his new job used a civilian computer network, his actions allegedly compromised the entire IDF military network. They could’ve enabled an enemy accessing the civilian network to discover what programs were being used on the military network and how they were being used, in addition to exploiting weaknesses that would permit the same sort of penetration that allowed Stuxnet and Flame to sabotage the Iranian computer networks. Though he’s not under formal arrest, he is confined to his home (shades of Anat Kamm!).
Isn’t it a delicious irony that Israel, master of cyberweapons, quakes in fear of the very compromises it exploited against Iran? Make no mistake, no matter how vigilant it is, someone somewhere will get the better of Israel despite all its brilliant minds working full tilt in Unit 8200. Then many in the world will say: “As ye have sown, so shall ye reap.”