Richard Clarke on Who Was Behind the Stuxnet Attack
April 3, 2012
America’s longtime counterterrorism czar warns that the cyberwars have already begun—and that we might be losing
The story Richard Clarke spins has all the suspense of a postmodern geopolitical thriller. The tale involves a ghostly cyberworm created to attack the nuclear centrifuges of a rogue nation—which then escapes from the target country, replicating itself in thousands of computers throughout the world. It may be lurking in yours right now. Harmlessly inactive…or awaiting further orders.
A great story, right? In fact, the world-changing “weaponized malware” computer worm called Stuxnet is very real. It seems to have been launched in mid-2009, done terrific damage to Iran’s nuclear program in 2010 and then spread to computers all over the world. Stuxnet may have averted a nuclear conflagration by diminishing Israel’s perception of a need for an imminent attack on Iran. And yet it might end up starting one someday soon, if its replications are manipulated maliciously. And at the heart of the story is a mystery: Who made and launched Stuxnet in the first place?
Richard Clarke tells me he knows the answer.
Clarke, who served three presidents as counterterrorism czar, now operates a cybersecurity consultancy called Good Harbor, located in one of those anonymous office towers in Arlington, Virginia, that triangulate the Pentagon and the Capitol in more ways than one. I had come to talk to him about what’s been done since the urgent alarm he’d sounded in his recent book, Cyber War. The book’s central argument is that, while the United States has developed the capability to conduct an offensive cyberwar, we have virtually no defense against the cyberattacks that he says are targeting us now, and will be in the future.
Richard Clarke’s warnings may sound overly dramatic until you remember that he was the man, in September of 2001, who tried to get the White House to act on his warnings that Al Qaeda was preparing a spectacular attack on American soil.
Clarke later delivered a famous apology to the American people in his testimony to the 9/11 Commission: “Your government failed you.”
Clarke now wants to warn us, urgently, that we are being failed again, being left defenseless against a cyberattack that could bring down our nation’s entire electronic infrastructure, including the power grid, banking and telecommunications, and even our military command system.
“Are we as a nation living in denial about the danger we’re in?” I asked Clarke as we sat across a conference table in his office suite.
“I think we’re living in the world of non-response. Where you know that there’s a problem, but you don’t do anything about it. If that’s denial, then that’s denial.”
As Clarke stood next to a window inserting coffee capsules into a Nespresso machine, I was reminded of the opening of one of the great espionage films of all time, Funeral in Berlin, in which Michael Caine silently, precisely, grinds and brews his morning coffee. High-tech java seems to go with the job.
But saying Clarke was a spy doesn’t do him justice. He was a meta-spy, a master counterespionage, counterterrorism savant, the central node where all the most secret, stolen, security-encrypted bits of information gathered by our trillion-dollar human, electronic and satellite intelligence network eventually converged. Clarke has probably been privy to as much “above top secret”-grade espionage intelligence as anyone at Langley, NSA or the White House. So I was intrigued when he chose to talk to me about the mysteries of Stuxnet.
“The picture you paint in your book,” I said to Clarke, “is of a U.S. totally vulnerable to cyberattack. But there is no defense, really, is there?” There are billions of portals, trapdoors, “exploits,” as the cybersecurity guys call them, ready to be hacked.
“There isn’t today,” he agrees. Worse, he continues, catastrophic consequences may result from using our cyberoffense without having a cyberdefense: blowback, revenge beyond our imaginings.
“The U.S. government is involved in espionage against other governments,” he says flatly. “There’s a big difference, however, between the kind of cyberespionage the United States government does and China. The U.S. government doesn’t hack its way into Airbus and give Airbus the secrets to Boeing [many believe that Chinese hackers gave Boeing secrets to Airbus]. We don’t hack our way into a Chinese computer company like Huawei and provide the secrets of Huawei technology to their American competitor Cisco. [He believes Microsoft, too, was a victim of a Chinese cyber con game.] We don’t do that.”
“What do we do then?”
“We hack our way into foreign governments and collect the information off their networks. The same kind of information a CIA agent in the old days would try to buy from a spy.”
“So you’re talking about diplomatic stuff?”
“Diplomatic, military stuff but not commercial competitor stuff.”
As Clarke continued, he disclosed a belief we’re engaged in a very different, very dramatic new way of using our cyberoffense capability—the story of the legendary cyberworm, Stuxnet.
Stuxnet is a digital ghost, countless lines of code crafted with such genius that it was able to worm its way into Iran’s nuclear fuel enrichment facility at Natanz, where gas centrifuges spin like whirling dervishes, separating the fissile isotope uranium-235 from the far more plentiful U-238. Stuxnet seized control of the equipment running the centrifuges and, in a delicate, invisible operation, desynchronized the speeds at which they spun, causing nearly a thousand of them to seize up, crash or otherwise self-destruct. The Natanz facility was temporarily shut down, and Iran’s attempt to obtain enough U-235 to build a nuclear weapon was delayed by what experts estimate was months or even years.
The question of who made Stuxnet and who targeted it on Natanz is still a much-debated mystery in the IT and espionage community. But from the beginning, the prime suspect has been Israel, which is known to be open to using unconventional tactics to defend itself against what it regards as an existential threat. The New York Times published a story that pointed to U.S.-Israeli cooperation on Stuxnet, with Israel’s role highlighted by the assertion that a file buried within the worm contained an indirect reference to “Esther,” the biblical heroine in the struggle against the genocidal Persians.
Would the Israelis have been foolish enough to leave such a blatant signature of their authorship? Cyberweapons are usually cleansed of any identifying marks—the virtual equivalent of the terrorist’s “bomb with no return address”—so there is no sure place on which to inflict retaliatory consequences. Why would Israel put its signature on a cybervirus?
On the other hand, was the signature an attempt to frame the Israelis? On the other, other hand, was it possible the Israelis had indeed planted it hoping that it would lead to the conclusion that someone else had built it and was trying to pin it on them?
When you’re dealing with virtual espionage, there is really no way to know for sure who did what.
Unless you’re Richard Clarke…