from the is-this-why-they're-so-afraid? dept
A new documentary is coming out by famed documentary filmmaker Alex Gibney called Zero Day. Big reports in Buzzfeed and the NY Times (both with additional reporting) note how it reveals that the famed Stuxnet attack by the NSA (with an assist from Israeli intelligence) was just a drop in the bucket of a massive cyberattack capability, under the code name NITRO ZEUS, that the US has built up in Iran as an “alternative” to nuclear war should diplomacy fail in negotiating Iran away from making nuclear weapons. The NY Times article focuses more on the geopolitical issues involved in the effort:
For the seven-year-old United States Cyber Command, which is still building its cyber “special forces” and deploying them throughout the world, the Iran project was perhaps its most challenging program yet. “This was an enormous, and enormously complex, program,” said one participant who requested anonymity to discuss a classified program. “Before it was developed, the U.S. had never assembled a combined cyber and kinetic attack plan on this scale.”
Nitro Zeus had its roots in the Bush administration but took on new life in 2009 and 2010, just as Mr. Obama asked General John R. Allen, at United States Central Command, to develop a detailed military plan for Iran in case diplomacy failed. It was a time of extraordinary tension, as the Iranians accelerated their production of centrifuges and produced near-bomb-grade fuel and Western intelligence agencies feared they might be on the verge of developing a nuclear weapon. It was also a period of extraordinary tension with Israel, partly because of its presumed role in the assassination of Iranian nuclear scientists, and partly because of evidence that Mr. Netanyahu was preparing a pre-emptive strike against Iran, despite warnings from the United States.
Meanwhile the Buzzfeed story focuses more on how the program was a bit of a mess with uncertain results:
However, one confidential source expressed concerns to Gibney about the extent of NITRO ZEUS, saying some planners had “no fucking clue” as to the consequences of some of the proposed attacks.
“You take down part of a grid,” they told him, “you can accidentally take down electricity in the entire country.”
It also notes that the State Department was reasonably concerned about the program — both whether it was legal and how it might create some serious blowback:
The film’s supporting research material also reveals an array of concerns about such capabilities within the U.S. government and agencies. The State Department was seen by those in other agencies as a “wet blanket” when it came to operations, for expressing concerns about violating the sovereignty of third-party nations’ cyberspace, or about operations that could have significant impact on civilians.
Meanwhile, support for these concerns comes from a rather unexpected source: former NSA and CIA director Michael Hayden, normally quoted around these parts defending the intelligence community. However, here, he notes that massively broadening cyberattack efforts could come back to haunt the US:
“I know no operational details and don’t know what anyone did or didn’t do before someone decided to use the weapon, alright,” he said. “I do know this: If we go out and do something, most of the rest of the world now thinks that’s a new standard, and it’s something they now feel legitimated to do as well.
“But the rules of engagement, international norms, treaty standards, they don’t exist right now.”
In public remarks, Hayden once noted of Stuxnet “this has the whiff of 1945. Someone just used a new weapon.” He also said the secrecy around the U.S.’s cyber programs was stifling the ability to have a public debate about their consequences.
“This stuff is hideously over-classified and it gets into the way of a mature public discussion as to what it is we as a democracy want our nation to be doing up here in the cyber domain,” Hayden said.
I actually agree with Hayden. That doesn’t happen very often!
But, really, the main thing that gets me about this report is that we keep seeing Congress and the President going on and on and on about cybersecurity threats against the US — and yet basically the only significant examples all seem to be the US attacking other countries. The inbound attacks — such as the OPM hack or even the Sony hack — actually seem fairly minor in comparison. Those are just hacks to get at data, not to actually break stuff. Yes, it’s possible that US officials are freaking out because now they really understand the depth of what can be done thanks to the NSA doing it first, but maybe we should be thinking about dealing with that fact and shoring up our defenses (and not giving reasons to others to emulate us), rather than creating faux moral panics.