StratCom and Stuxnet
By: Loring Wirbel, Citizens for Peace in Space, Colorado Springs, Colorado
Lost amid the rash of media reports on the protests engulfing the Middle East and North Africa was a little February news item noting that the Bushehr nuclear power plant in Iran was at risk of a nuclear meltdown. The predicted danger, it turns out, was not the result of poor construction or the fault of an ill-trained crew. It was instead an unintended ‘side effect’ of an attack launched by Israel with the help of StratCom’s “Cyber Command” to cripple Iran’s nuclear capabilities with a computer worm—a rogue program similar to a virus.
The so-called “Stuxnet” worm was specifically designed to interrupt the operation of centrifuges at the Natanz uranium enrichment plant, but now has been confirmed to have spread to other Iranian nuclear facilities, including Bushehr.
Given that a major nuclear accident carries the potential to kill dozens, if not hundreds, of Iranians, it is odd that some people regard an offensive cyber attack using the Stuxnet worm as a preferable alternative to an Israeli military air strike on Iranian nuclear sites. But that’s the funny thing about the U.S.’s alleged ‘defensive’ military capabilities. Time and again, with chemical weapons, missile defense and now with cyber-warfare, capabilities that are considered defensive and somewhat benign wind up being used in very offensive ways. And the end result may not be that much different than a full-frontal military assault.
Stuxnet was one of the first worms in history designed to attack computers used in factories, instead of desktop and laptop computers used by consumers. In fact, Stuxnet’s malicious payload was specific enough that it only caused harm when it encountered computers built by Siemens for industrial-process control. Even when Siemens computers are present, Stuxnet only disrupts operations of certain kinds of pumps and motors that might be used in a uranium enrichment plant. One analyst called this a “highly-targeted sniper type of computer attack.”
So we shouldn’t expect much collateral damage, right?
It is all too common for military planners working on covert, offensive and ‘deniable’ operations to minimize or ignore the danger of unintended consequences. In the case of Stuxnet’s authors (who are believed to be computer experts in Israel’s “Unit 8200” signals-intelligence agency), the focus on the design of the Iranian enrichment plant was so single-minded that programmers failed to consider how the worm might spread to other facilities with dangerous results.
While the primary impetus for the Stuxnet attack appears to have come from Israel, cables from WikiLeaks and internal Air Force sources suggest an important support role was played by the new U.S. Cyber Command. Since StratCom exercises indirect authority over Cyber Command as one of its ‘component commands,’ the development of this worm is unlikely to have taken place without the awareness—if not outright direction—of commanders in Omaha. A series of reports in The New York Times and Wired suggests that the Department of Energy’s “Idaho National Laboratory” (formerly known as INEL), also helped the team in identifying the architecture of the Siemens components used in the Iranian lab.
Waging war by computer has been an important part of U.S. doctrine since at least the early 1990s, when the disparate activities waged in secret by the “National Security Agency” (NSA) were given a more public home at the Colorado operation then known as “U.S. Space Command.” For the 40 years prior to that time, the NSA had been involved in highly-covert efforts to disrupt the computers of foreign nations—the clandestine flip side of the Agency’s public efforts to protect the computer networks of the U.S. Even after StratCom’s new component command for Space took over the role of cyber-warfare management from U.S. Space Command in 2002, the NSA remained responsible for defining computer security for both the government’s own computers, and the larger computer networks used by private industry.
The efforts conducted in the 1990s by both U.S. Space Command and the NSA to secretly control the computer networks run by both allies and adversaries remain among the most classified elements of U.S. cyber warfare operations. Over the past two decades, rumors have circulated about how everything from desktop computers to weapon systems has been shipped to foreign nations containing computer chips for ‘Trojan Horse’ programs that would make systems malfunction, report the operations of the system back to U.S. government officials, or otherwise implement secret actions that would work to the benefit of U.S. agencies. Often, however, these computer ‘black operations’ were only called cyber warfare if the computers adversely affected the operations of the military systems of adversary governments. For example, the U.S.’s reported success in disabling the Iraqi military’s air-defense networks during the opening days of the “Shock and Awe” bombing campaign in March 2003 clearly fit the definition of cyber warfare.
Although StratCom officially gained control of computer ‘attack-and-defense’ activities when the U.S. Space Command was folded into StratCom at the end of 2002, the NSA has remained the agency of expertise in this relationship. Granting StratCom command authority for these cryptic cyber activities has been valuable ‘window dressing’ for the NSA—establishing a layer of deniability for this agency that, throughout its 60 years of existence, has operated in such secrecy its NSA initials were cynically said to stand for “Never Say Anything” or “No Such Agency.”
When the Secretary of Defense asked StratCom in 2009 to create a dedicated component command for computer warfare, it was no surprise that the resulting Cyber Command would be based at Fort Meade, Maryland, headquarters of the NSA—or that Cyber Command’s new chief would be General Keith Alexander, director of the NSA. There are two reasons why StratCom’s relationship with NSA represents a unique opportunity for the Pentagon. First, the NSA is the intelligence agency with the closest ties to the military, going back to the NSA’s founding in 1952. Most of the NSA’s secret electronic listening posts worldwide are staffed by uniformed military personnel, not civilians. Second, the NSA has been involved in various types of ‘dirty tricks’ throughout its history, ranging from ‘black bag jobs’ to steal codes at foreign embassies, to participation in the overthrow of governments in Australia in 1975 and Turkey in 1980. The StratCom-NSA link realized through Cyber Command thus becomes StratCom’s closest involvement in ‘plausibly deniable’ secret activities in the intelligence community—and most computer warfare, by definition, falls under the label of deniable activity.
In theory, any computer attacks targeting consumers or commercial enterprises occurring inside the territorial borders of the U.S. must be handled by the White House’s civilian cyber advisor. But the NSA and Cyber Command would like to change that. In a speech in Colorado Springs to the “Armed Forces Communications and Electronics Association” on February 9, General Alexander said, “I do not have the authority to stop an attack against Wall Street or industry, and that’s a gap I need to fix.” The NSA, he said, should be able to work on computer attack and defense strategies within U.S. borders that involve consumers and industry.
In his confirmation hearings for Cyber Command before Congress last year, Alexander said that the purpose of Cyber Command was not “about militarizing cyberspace, but about safeguarding military assets.” It’s a funny thing about StratCom’s component commands, however: while they are created with the intent of avoiding all-out warfare, the so-called ‘defensive’ structures they create can end up being just as aggressive in practice as a first-strike military assault.
This is nothing new for the U.S. military. For decades, its research efforts in chemical and biological warfare were deemed to be entirely defensive in nature, until critics pointed out that the very talents required to create an effective defense against a WMD attack would be the talents that could be used to fine-tune first-strike chemical and biological weapons. The same could be said for StratCom’s oversight of the newer WMD center, of ballistic missile defense, of drone warfare, of cyber war, or now—thanks to the Bush/Cheney Administration—the command’s offensive nuclear weapons component. What is claimed as a tool to defend the nation invariably becomes a weapon for offensively waging war.
Northrop Grumman’s top vice president for missile defense, Russell Anarde (a former director of plans at Air Force Space Command), revealed the common Pentagon thinking in a January 2011 media interview, when he said that “offense and defense sometimes go together.” That is certainly true in the area of Anarde’s expertise, missile defense. The weapon systems under StratCom’s oversight are touted to be missiles that are only used to defend against other missiles. Yet the sea-based missile-defense systems used by both Bush and Obama are carried on Aegis cruisers that sail directly into the territorial waters of nations such as North Korea and China. They are used in ways to provoke exchanges, even while StratCom calls such weapons ‘defensive.’
It is very obvious how much this strategy is at play in the U.S.’s efforts to expand drone warfare in Afghanistan and Pakistan. Armed drones—under the nominal control of StratCom alongside the CIA—allow the U.S. to minimize the use of troops and Air Force bombing operations that rely on human pilots. Some analysts say that heavy use of drones leads to fewer civilian deaths than might be encountered with widespread, indiscriminate use of aerial bombing. Yet an over-reliance on drones still can lead to hundreds of deaths per year. And when drones are used to pinpoint individuals, they raise a series of problems explicitly through their accuracy. As the ACLU has charged in a recent lawsuit, using drones to target individuals is essentially performing the same function as the CIA’s former practice of assassinating foreign leaders—which was banned decades ago. Conducting targeted assassinations, from a height invisible from the ground, in nations with which we are not officially at war, with operatives who are not in uniform, constitutes what is legally termed “killing without warning” and is illegal under international law. International rule of law, however, has not proven able to restrain the U.S. government. The opportunity to liquidate small groups of troublemakers without risking U.S. lives has not only made drone warfare too attractive to resist—it’s made this seemingly sterilized form of war susceptible to over-use (as demonstrated by the Obama Administration’s increasing reliance on these robotic killers the last two years).
The nominal success seen in the Stuxnet assault on Iran is likely to place cyber warfare on the same dangerous course. If the U.S. can offensively bring down a communications network, an electrical grid, or a specific vertical industry in a foreign nation by using computer warfare—with no loss of U.S. life—you can bet that weapon has a dazzling future. The apparently painless success of computer attack all but ensures that we’ll be seeing it again. As the expansion of Stuxnet from Natanz to Bushehr shows, however, we should never be duped into believing a military assault is free of victims—even a computer one. In the decade preceding the Iraq War, when the Clinton and Bush Administrations were both relying on widespread economic sanctions against Saddam Hussein, critics of the sanctions pointed to the deaths of the very young, very elderly, and infirm. Clinton’s Secretary of State Madeleine Albright notoriously called such deaths the price one needed to pay for waging a successful sanctions effort, if one wanted to spare Americans the bloodshed and expense of war.
Under StratCom, the face of warfighting has changed. The Pentagon and the State Department project force nowadays in ways far beyond ordering ground troops into Afghanistan, menacing the world with nuclear weapons of mass destruction and deploying a Missile ‘Defense’ system in Europe. Even as you read this, StratCom’s spy satellites are tracking potential targets for assassination and simulating (and maybe conducting) cyber attacks on prospective enemies—all in the name of “Providing Global Security for America” and preserving our status as the world’s military superpower.
At StratCom, the U.S. is engaged in a perpetual state of war. Our military personnel may be thousands of miles away from the actual field of battle—sitting in a trailer in New Mexico flying a drone over Pakistan or waging cyber war against Iran from a computer in Fort Meade, Maryland, home of the NSA. But even if our men and women in uniform aren’t in harm’s way, there are victims and fatalities from this new style of warfighting. If computer assault brings down a utility network in a targeted nation, who can even begin to calculate how many people will suffer from the disruption such an attack would cause? Schools, hospitals, fire and police, railroads, airports, grocery stores—all without power, all disabled… In terms of military significance, Stuxnet is literally “the shot heard round the world.” With this worm, traveling at the speed of light, we have opened a hideous and scary new chapter in the story of human warfare. And it’s got a Nebraska electronic signature.
A small scandal erupted in mid-February when Associated Press reported that CIA officers who chose the wrong targets for extraordinary rendition were not fired, but instead were promoted inside the agency. This lack of accountability for deniable activities in the intelligence community is precisely what is worrisome about Cyber Command. If the Stuxnet worm spreads to any Iranian factory or energy plant with a Siemens computer, will programmers in Israel and the U.S. be penalized or promoted? If a future Cyber Command computer attack spreads to hospitals or police and firefighter emergency networks, will anyone inside StratCom or NSA be held accountable?
Obviously, the efforts by Iran to gain nuclear power capabilities may well be hiding a real nuclear weapons effort. A Stuxnet success does indeed keep hostilities at a lower level than an Israeli Air Force assault on Natanz would. But StratCom’s management of military efforts ‘short of war’—missile defense, drone attacks and cyberwar—should never be seen as victimless. The consequences of relying on such slow-motion covert war alternatives can end up being just as deadly, particularly if the quiet successes they experience make military leaders rely on these silent-warfare methods too often.