Authors: Fred Kaplan
What the Iranians didn't know was that the hackers of TAO had long ago figured out how to leap across air gaps. First, they'd penetrated a network near the air-gapped target; while navigating its pathways, they would usually find some link or portal that the security programmers had overlooked. If that path led nowhere, they would turn to their partners in the CIA's Information Operations Center. A decade earlier, during the campaign against Serbian President Slobodan Milosevic, IOC spies gained entry to Belgrade's telephone exchange and planted devices, which the NSA's SIGINT teams then hacked, giving them full access to the nation's phone system. These sorts of joint operations had blossomed with the growth of TAO.
The NSA also enjoyed close relations with Israel's Unit 8200, which was tight with the human spies of Mossad. If it needed access to a machine or a self-contained network that wasn't hooked up to the Internet, it could call on any of several collaborators (IOC, Unit 8200, the local spy services, or certain defense contractors in a number of allied nations) to plant a transmitter or beacon that TAO could home in on.
In Olympic Games, someone would install the malware by physically inserting a thumb drive into a computer (or a printer that several computers were using) on the premises, in much the same way that, around this same time, Russian cyber warriors hacked into U.S. Central Command's classified networks in Afghanistan, the intrusion that the NSA detected and repelled in Operation Buckshot Yankee.
Not only would the malware take over the valves and pumps feeding the centrifuges at Natanz (an enrichment plant, not a reactor), it would also conceal the intrusion from the plant's operators.
Ordinarily, the valve controls would send out an alert when the flow of uranium rapidly accelerated. But the malware allowed TAO to intercept the alert and to replace it with a false signal, indicating that everything was fine.
The worm could have been designed to destroy every centrifuge, but that would arouse suspicions of sabotage. A better course, its architects figured, would be to damage just enough centrifuges to make the Iranians blame the failures on human error or poor design. They would then fire perfectly good scientists and replace perfectly good equipment, setting back their nuclear program still further.
In this sense, Operation Olympic Games was a classic campaign of information warfare: the target wasn't just the Iranians' nuclear program but also the Iranians' confidence, in their sensors, their equipment, and themselves.
The plan was ready to go, but George Bush's time in office was running out. It was up to Barack Obama.
To Bush, the plan, just like the one to send fake email to Iraqi insurgents, was a no-brainer. It made sense to Obama, too. From the outset of his presidency, Obama articulated, and usually followed, a philosophy on the use of force: he was willing to take military action, if national interests demanded it and if the risks were fairly low; but unless vital interests were at stake, he was averse to sending in thousands of American troops, especially given the waste and drain of the two wars he inherited in Afghanistan and Iraq. The two secret programs that Bush pressed him to continue (drone strikes against jihadists and cyber sabotage of a uranium-enrichment plant in Iran) fit Obama's comfort zone: both served a national interest, and neither risked American lives.
Once in the White House, Obama expressed a few qualms about the plan: he wanted assurances that, when the worm infected the Natanz plant, it wouldn't also put out the lights in nearby power plants, hospitals, or other civilian facilities.
His briefers conceded that worms could spread, but this particular worm was programmed to look for the specific Siemens software; if it drifted far afield, and the unintended targets didn't have the software, it wouldn't inflict any damage.
Gates, who'd been kept on by Obama and was already a major influence on his thinking, encouraged the new president to renew the go-ahead. Obama saw no reason not to.
Not quite one month after he took office, the worm had its first success: a cascade of centrifuges at Natanz sped out of control, and several of them shattered.
Obama phoned Bush to tell him the covert program they'd discussed was working out.
In March, the NSA shifted its approach. In the first phase, the operation hacked into the valves controlling the rate at which uranium gas flowed into the centrifuges. In the second phase, the attack went after the devices, known as frequency converters, that controlled how quickly the centrifuges rotated.
The normal speed ranged from about 800 to 1,200 cycles per second; the worm gradually sped them up to 1,410 cycles, at which point several of the centrifuges flew apart. Or, sometimes, it slowed down the converters, over a period of several weeks, to as few as 2 cycles per second: as a result, the uranium gas couldn't exit the centrifuge quickly enough; the imbalance would cause vibrations, which severely damaged the centrifuge in a different way.
Regardless of the technique, the worm also fed false data to the system's monitors, so that, to the Iranian scientists watching them, everything seemed normal, and, when disaster struck, they couldn't figure out what had happened.
They'd experienced technical problems with centrifuges from the program's outset; this seemed (and the NSA designed the worm to make it seem) like more of the same, but with more intense and frequent disruptions.
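The two things the passage above describes, driving the converters outside their normal band while the operator display is fed false readings (the same trick as the suppressed valve alert described earlier), are easier to reason about in a small model. The following Python is an added, constructed illustration, not Stuxnet's code and not from the book. The 1,410 Hz and 2 Hz figures and the 800 to 1,200 Hz band come from the text; the nominal 1,064 Hz value, the record-and-replay mechanism for the false data, the 20-sample recording length, and the independent fieldbus tap that two of the checks rely on are assumptions of the example. It shows the attack as a pair of streams (what the operators saw versus what the converters were actually doing) and three checks an operator could run against them.

```python
import random
from typing import List, Optional, Tuple

# Operating parameters. The band and the two attack frequencies are the figures
# quoted in the passage; the nominal value and recording length are assumptions.
NOMINAL_HZ = 1064.0      # assumed steady-state drive frequency inside the normal band
OVERSPEED_HZ = 1410.0    # the frequency at which the centrifuges flew apart
UNDERSPEED_HZ = 2.0      # the slowed-down frequency
NORMAL_BAND = (800.0, 1200.0)
RECORD_LEN = 20          # assumed length of the healthy trace the worm records and replays
STEPS = 120

# Constructed healthy sensor trace: nominal frequency plus seeded noise.
_rng = random.Random(7)
HONEST: List[float] = [NOMINAL_HZ + _rng.uniform(-1.0, 1.0) for _ in range(STEPS)]


def drive_frequency(t: int, attack_start: int, phase_len: int) -> float:
    """What the frequency converter is actually told to do: healthy until the
    attack starts, then OVERSPEED for phase_len steps, then UNDERSPEED."""
    if t < attack_start:
        return HONEST[t]
    if t < attack_start + phase_len:
        return OVERSPEED_HZ
    return UNDERSPEED_HZ


def hmi_reading(t: int, attack_start: int) -> float:
    """What the operator's monitor shows. Before the attack it is the real
    reading; afterwards the worm loops the last RECORD_LEN healthy readings
    (record-and-replay is this model's assumption about how the 'false data'
    in the passage is produced)."""
    if t < attack_start:
        return HONEST[t]
    return HONEST[attack_start - RECORD_LEN + (t - attack_start) % RECORD_LEN]


def find_replayed_window(stream: List[float], window: int) -> Optional[int]:
    """Check 1 (HMI side only): a genuinely noisy signal never repeats a long
    window value-for-value. Returns the index at which an exact repeat of an
    earlier window begins, or None if the stream never repeats itself."""
    seen = {}
    for i in range(len(stream) - window + 1):
        key = tuple(stream[i:i + window])
        if key in seen:
            return i
        seen[key] = i
    return None


def out_of_band(stream: List[float], band: Tuple[float, float] = NORMAL_BAND) -> List[int]:
    """Check 2 (independent bus tap, an assumed vantage point): time steps where
    the commanded frequency leaves the normal operating band."""
    lo, hi = band
    return [t for t, f in enumerate(stream) if f < lo or f > hi]


def divergence(hmi: List[float], bus: List[float], tolerance: float) -> List[int]:
    """Check 3: compare the HMI feed against the bus tap and return the time
    steps where the two disagree by more than tolerance."""
    return [t for t, (h, b) in enumerate(zip(hmi, bus)) if abs(h - b) > tolerance]


def simulate(attack_start: int = 60, phase_len: int = 30) -> Tuple[List[float], List[float]]:
    """Return (what the operators saw, what the converters were actually doing)."""
    hmi = [hmi_reading(t, attack_start) for t in range(STEPS)]
    bus = [drive_frequency(t, attack_start, phase_len) for t in range(STEPS)]
    return hmi, bus


if __name__ == "__main__":
    hmi, bus = simulate()
    print("HMI replay begins at step:", find_replayed_window(hmi, RECORD_LEN))
    print("bus out of band from step:", out_of_band(bus)[0])
    print("HMI/bus divergence from step:", divergence(hmi, bus, 5.0)[0])
```

The first check works purely from what the operators could see: real measurements carry noise and never repeat a long window exactly, so a verbatim repeat is a replay, not a sensor. The other two only work if there is a measurement the compromised controller cannot rewrite. That is the practical lesson of the passage: once the controller that owns both the actuator and the sensor path is compromised, the operator display is no longer evidence, and detection has to come from an independent vantage point.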
By the start of 2010, nearly a quarter of Iran's centrifuges (about 2,000 out of 8,700) were damaged beyond repair. U.S. intelligence analysts estimated a setback in Iran's enrichment program of two to three years.
Then, early that summer, it all went wrong.
President Obama, who'd been briefed on every detail and alerted to every success or breakdown, was told by his advisers that the worm was out of the box: for reasons not entirely clear, it had jumped from one computer to another, way outside the Natanz network, then to another network outside that. It wouldn't wreak damage (as the briefers had told him before, it was programmed to shut down if it didn't see a particular Siemens controller), but it would get noticed: the Iranians would eventually find out what had been going on; Olympic Games was on the verge of being blown.
Almost at once, some of the world's top software security firms (Symantec in California, VirusBlokAda in Belarus, Kaspersky Lab in Russia) started detecting a strange virus randomly popping up around the world. At first, they didn't know its origins or its purpose; but probing its roots, parsing its code, and gauging its size, they realized they'd hit upon one of the most elaborate, sophisticated worms of all time.
Microsoft issued an advisory to its customers and, combining fragments of strings found in the code, called the malware “Stuxnet”, a name that caught on.
By August, Symantec had uncovered enough evidence to release a statement of its own, warning that Stuxnet was designed not for mischievous hacking or even for espionage, but rather for sabotage.
In September, a German security researcher named Ralph Langner inferred, from the available facts, that someone was trying to disable the centrifuge plant at Natanz in Iran and that Israelis were probably involved.
At that point, some of the American software sleuths were horrified: Had they just helped expose a highly classified U.S. intelligence operation? They couldn't have known at the time, but their curiosity, and their professional obligation to inform the public about a loose and possibly damaging computer virus, did have that effect. Shortly after Symantec's statement, even before Langner's educated guess about Stuxnet's true aim, the Iranians drew the proper inference (so this was why their centrifuges were spinning out of control) and cut off all links between the Natanz plant and the Siemens controllers.
When Obama learned of the exposure at a meeting in the White House, he asked his top advisers whether they should shut down the operation. Told that it was still causing damage, despite Iranian countermeasures, he ordered the NSA to intensify the program (sending the centrifuges into wilder contortions, speeding them up, then slowing them down) with no concerns about detection, since its cover was already blown.
The postmortem indicated that, in the weeks after the exposure, another 1,000 centrifuges, out of the remaining 5,000, were taken out of commission.
Even after Olympic Games came to an end, the art and science of CNA (Computer Network Attack) pushed on ahead. In fact, by the end of October, when U.S. Cyber Command achieved full readiness for operations, CNA emerged as a consuming, even dominant, activity at Fort Meade.
Earlier, in anticipation of Robert Gates's directive creating Cyber Command, the chairman of the Joint Chiefs of Staff, General Peter Pace, had issued a classified document, National Military Strategy for Cyber Operations, which expressed the need for “offensive capabilities in cyber space to gain and maintain the initiative.”
General Alexander, now CyberCom commander as well as the NSA director, was setting up forty “cyber-offensive teams”: twenty-seven for the U.S. combatant commands (Central Command, Pacific Command, European Command, and so forth) and thirteen engaged in the defense of networks, mainly Defense Department networks, at home. Part of this latter mission involved monitoring the networks; thanks to the work of the previous decade, starting with the Air Force Information Warfare Center, then gradually extending to the other services, the military networks had so few access points to the Internet (just twenty by this time, cut to eight in the next few years) that Alexander's teams could detect and repel attacks across the transom. But defending networks also meant going on the offensive, through the deliberately ambiguous concept of CNE, Computer Network Exploitation, which could be both a form of “active defense” and preparation for CNA, Computer Network Attack.
Some officials deep inside the national security establishment were concerned about this trend. The military, and with it the nation, was rapidly adopting a new form of warfare and had assembled and used a new kind of weapon; but this was all being done in great secrecy, inside the nation's most secretive intelligence agency, and it was clear, even to those with a glimpse of its inner workings, that no one had thought through the implications of this new kind of weapon and new vision of war.
During the planning for Stuxnet, there had been debates, within the Bush and Obama administrations, over the precedent that the attack might establish. For more than a decade, dozens of panels and commissions had warned that America's critical infrastructure was vulnerable to a cyber attack, and now America was launching the first cyber attack on another nation's critical infrastructure. Almost no one outright opposed the Stuxnet program: if it could keep Iran from developing nuclear weapons, it was worth the risk; but several officials realized that it was a risk, that the dangers of blowback were inescapable and immense.
The United States wasn't alone on this cyber rocket ship, after all. Ever since their penetration of Defense Department sites a decade earlier, in Operation Moonlight Maze, the Russians had been ramping up their capabilities to exploit and attack computer networks. The Chinese had joined the club in 2001 and soon grew adept at penetrating sensitive (though, as far as anyone knew, unclassified) networks of dozens of American military commands, facilities, and laboratories.
In Obama's first year as president, around the Fourth of July, the North Koreans (whose citizens barely had electricity) launched a massive denial-of-service attack, shutting down websites of the Departments of Homeland Security, Treasury, Transportation, the Secret Service, the Federal Trade Commission, the New York Stock Exchange, and NASDAQ, as well as dozens of South Korean banks, affecting at least 60,000, possibly as many as 160,000 computers.
Stuxnet spurred the Iranians to create their own cyber war unit, which took off at still greater levels of funding a year and a half later, in the spring of 2012, when, in a follow-up attack, nearly every hard drive at Iran's oil ministry and at the Iranian National Oil Company was wiped. The investigation of that wiping is what brought to light the NSA's Flame virus, the massive, multipurpose espionage malware from which Olympic Games had derived; the disk-wiping itself was attributed by the researchers who analyzed it to a separate program they called Wiper.
Four months after that, Iran fired back with its own Shamoon virus, wiping out 30,000 hard drives (basically, every hard drive in every workstation) at Saudi Aramco, the Saudi state oil company, and planting, on every one of its computer monitors, the image of a burning American flag.
Keith Alexander learned, from communications intercepts, that the Iranians had expressly developed and launched Shamoon as retaliation for Stuxnet and Flame. On his way to a conference with GCHQ, the NSA's British counterpart, he read a talking points memo, written by an aide, noting that, with Shamoon and several other recent cyber attacks on Western banks, the Iranians had “demonstrated a clear ability to learn from the capabilities and actions of others”, namely, those of the NSA and of Israel's Unit 8200.
It was the latest, most dramatic illustration of what agency analysts and directors had been predicting for decades: what we can do to them, they can someday do to us, except that “someday” was now.
Alexander's term as NSA director was coinciding with (and Alexander himself had been fostering) not only the advancement of cyber weapons and the onset of physically destructive cyber attacks, but also the early spirals of a cyber arms race. What to do about it? This, too, was a question that no one had thought through, at even the most basic level.
When Bob Gates became secretary of defense, back at the end of 2006, he was so stunned by the volume of attempted intrusions into American military networks (his briefings listed dozens, sometimes hundreds, every day) that he wrote a memo to the Pentagon's deputy general counsel. At what point, he asked, did a cyber attack constitute an act of war under international law?