Stuxnet: A violation of US computer security law
By Wayne Madsen
If a January 15 report in The New York Times, which has a dubious past in reporting on computer security and hacking issues, is true, namely that the United States Department of Homeland Security, the Department of Energy (via the Idaho National Laboratory), Siemens (which has a long-standing intelligence relationship with the National Security Agency), the CIA, Britain's intelligence services, Germany, and Israel's Mossad cooperated to develop the Stuxnet computer worm to disable Iranian nuclear program centrifuges, then the U.S. government violated a number of federal computer security laws that prohibit the development of malicious computer programs that damage "federal interest" computers. The Stuxnet worm, which, according to the Times, was tested at Israel's Dimona nuclear weapons development facility in the Negev, not only infected Iranian nuclear program computers but spread to computers in other countries, including the United States. Stuxnet code was discovered through computer forensics to contain key words from the Jewish Old Testament Book of Esther, further establishing Israeli fingerprints on the malicious code. The malicious code's file name, Myrtus, is the Hebrew word for Esther. According to myth, Esther saved the Jews from a Persian plot to exterminate them.
The New York Times article by William Broad, John Markoff, and David Sanger, three reporters who have their own questionable ties to Israeli interests, states that when Stuxnet first appeared around the world in June last year, it did little harm and did not slow computer networks. However, this is merely an attempt to let the U.S. and Israeli governments off the hook by falsely claiming that the only damage done by Stuxnet was to the centrifuge systems used by Iran to enrich uranium. Although Stuxnet likely did disable Iran's centrifuges, causing a set-back to its nuclear program, the Stuxnet worm, contrary to The New York Times report, resulted in computer down time and disruption far beyond Iran. The disruption by a digital version of a U.S. and Israeli military first strike makes the United States government and Israel civilly liable for the damage and disruption caused by Stuxnet.
The involvement of the Homeland Security Department, which includes the U.S. government's National Cyber Security Division that is tasked to protect U.S. "federal interest" computer systems from attack, makes the department and Secretary Janet Napolitano criminally culpable in permitting the development and launch of malicious software that affected U.S. computer systems. If President Obama authorized the Stuxnet deployment through a classified Presidential Finding, he, too, may have committed a crime, an impeachable offense.
As Stuxnet propagated around the world last year, the Homeland Security Department's Industrial Control System-Cyber Emergency Response Team (ICS-CERT) posted a series of alerts and bulletins about the worm. Whether ICS-CERT was unaware of its own department's involvement in creating the worm it was warning people about or was part of a clever disinformation program is unknown; however, some computer security specialists suspected that ICS-CERT was putting out stale information on Stuxnet. On October 3, 2010, the Christian Science Monitor reported that Dale Peterson, the CEO of Digital Bond, a SCADA control systems security company, stated on his blog on September 20, "It [ICS-CERT's warning alerts] seems to me to have been a delayed clipping service."
The possible involvement of computer security officials, like Sean McGurk, the DHS's director of the Control System Security Program, in covering up the true origin of Stuxnet, cannot be overlooked. As a founding board member of the International Information System Security Certification Consortium (ISC2), this editor warned against the infiltration of NSA and other intelligence operatives into the computer security profession. The warnings were backed by colleagues from other nations, including Finland and Australia. Placing intelligence operatives inside computer security management positions can always result in the use of computers for sabotage and intelligence. Stuxnet may be the culmination of such infiltration of the computer security profession. In 2000, this editor resigned from the ISC2 board over the acquiescence of the board and consortium to dictates from NSA and other problematic U.S. government agencies. This editor and a minority of board members also disagreed with offering professional certifications to employees of foreign intelligence agencies in countries with abominable human rights and civil liberties records.
Stuxnet was specifically designed to attack supervisory control and data acquisition (SCADA) computer systems. These systems control everything from electrical power grids and chemical processing plants to the computers that operate traffic light and rail systems. Stuxnet disabled SCADA systems not only in Iran but also in India (where India's satellite program may have been severely impacted), Pakistan, Indonesia, Germany, Canada, China, Malaysia, South Korea, Russia, Kazakhstan, United Kingdom, Finland, Saudi Arabia, United Arab Emirates, Qatar, Brazil, Australia, Brunei, Netherlands, Taiwan, Myanmar, Bangladesh, Thailand, Belarus, Denmark, Bahrain, Oman, Kuwait, and the United States. Stuxnet was found on 63 computers in Japan. New Zealand, Japan, and Hong Kong issued alerts about Stuxnet's impact on their SCADA systems. Britain's integrated national rail transport network was reported to be particularly vulnerable to Stuxnet. Turkey reacted to Stuxnet by mandating a "National Virtual Environment Security Policy."
By the end of September of last year, over 100,000 computers worldwide had been infected by Stuxnet. So much for The New York Times' specious report that the worm did little damage. Industrial control system security specialists from the chemical, oil, and gas industries expressed concern that the U.S. government was less-than-forthcoming about the effects of Stuxnet on their industries. The computer security firm Symantec appears to have been laundering information to private industry from the government.
China, which feared Stuxnet could infect its SCADA systems, issued a national security report about the worm, especially its impact on oil drilling systems. WMR has learned from its Beijing sources that China is growing tired of Israelis, in general, and international banks like Goldman Sachs having strong ties to Israel, in particular, over what it sees as an attempt by Israel and certain international banks to undermine China's new strong industrial and financial position in the world. Representatives of the People's Bank of China, China's central bank, are wary of their contacts with Israelis and bankers and WMR has learned that Japanese central bankers shared the concerns of their Chinese counterparts when it comes to Israel and firms like Goldman Sachs. Chinese authorities were particularly incensed over initial disinformation reports, distributed by the Pentagon-linked media, that China created Stuxnet.
U.S. government involvement in the creation and first strike deployment of a destructive cyber-weapon like Stuxnet and its "bounce back" to "protected" U.S. systems and networks, including SCADA systems, is a violation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. The CFAA imposes criminal and civil penalties for anyone who disrupts a "protected computer." A protected computer is defined as one:
"exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government;" or
"which is used in interstate or foreign commerce or communication."
Criminal activity under the law applies to anyone who "knowingly transmits a program, code or instruction, and as a result, intentionally causes damage, without authorization, to a protected computer." Thus, anyone in the U.S. government or acting as a government contractor, or a foreign national acting on behalf of a foreign government like Israel, who participated in the creation and deployment of the Stuxnet worm could be fined and sentenced to prison. In 2002, New Jersey programmer David L. Smith, the creator of the Melissa worm, which brought down computer systems across North America in 1999, was sentenced to 20 months in federal prison and a $5000 fine. The chief federal prosecutor of Smith was Chris Christie, now the governor of New Jersey. Under federal law Smith faced a maximum of five years in prison and a $250,000 fine, but Christie argued for a lighter sentence because Smith cooperated with prosecutors.
The National Information Infrastructure Protection Act of 1996 further codified the CFAA to address new technologies and criminal activity.
On February 29, 2000, the Deputy Attorney General testified before the House Judiciary Committee subcommittee on crime about the danger posed by malicious computer programs. He said, "We are seeing more 'pure' computer crimes, that is, crimes where the computer is used as a weapon to attack other computers, as we saw in the distributed denial of service attacks I just spoke about, and in the spread of malicious code, like viruses. Our vulnerability to this type of crime is astonishingly high – it was only this past December that a defendant admitted, when he plead guilty in federal and state court to creating and releasing the Melissa virus, that he caused over 80 million dollars in damage . . . These crimes not only affect our financial well-being and our privacy; they also threaten our nation's critical infrastructure. Our banking system, the stock market, the electricity and water supply, telecommunications networks, and critical government services, such as emergency and national defense services, all rely on computer networks. For a real-world terrorist to blow up a dam, he would need tons of explosives, a delivery system, and a surreptitious means of evading armed security guards. For a cyber terrorist, the same devastating result could be achieved by hacking into the control network and commanding the computer to open the floodgates."
That Deputy Attorney General was Eric Holder, now President Obama's Attorney General. Holder has, either through ignorance or involvement, permitted the U.S. and Israeli governments to release a destructive malicious computer program, the very type Holder warned against in 2000.
John P. Wheeler III, the former assistant of the Secretary of the Air Force during the Bush administration, was one of the Pentagon's top experts on cyber-warfare. On December 31, Wheeler's body was found in a Wilmington, Delaware landfill. Wheeler worked for the MITRE Corporation, which has intelligence agency and Pentagon cyber-warfare contracts. Wheeler publicly stated his opposition to locating the new US Cyber Command with NSA at Fort Meade, Maryland. With more information being revealed about the offensive information warfare first strike by the United States and Israel, and the role of NSA in that first strike, the age-old question in Washington, DC still pertains: "What did Wheeler know and when did he know it?"