Secrecy & Leaks

Richard Clarke Says Stuxnet was a U.S. Operation

By Jack Goldsmith
Thursday, March 29, 2012, 4:36 AM

The former counterterrorism czar reaches this conclusion because the operation had lawyers’ fingerprints on it.  From an interview with Ron Rosenbaum in Smithsonian Magazine:

“I think it’s pretty clear that the United States government did the Stuxnet attack,” [Clarke] said calmly.

This is a fairly astonishing statement from someone in his position.

“Alone or with Israel?” I asked.

“I think there was some minor Israeli role in it.  Israel might have provided a test bed, for example.  But I think that the U.S. government did the attack and I think that the attack proved what I was saying in the book [which came out before the attack was known], which is that you can cause real devices—real hardware in the world, in real space, not cyberspace—to blow up.”

Isn’t Clarke coming right out and saying we committed an act of undeclared war?

“If we went in with a drone and knocked out a thousand centrifuges, that’s an act of war,” I said. “But if we go in with Stuxnet and knock out a thousand centrifuges, what’s that?”

“Well,” Clarke replied evenly, “it’s a covert action. And the U.S. government has, ever since the end of World War II, before then, engaged in covert action. If the United States government did Stuxnet, it was under a covert action, I think, issued by the president under his powers under the Intelligence Act. Now when is an act of war an act of war and when is it a covert action?

“That’s a legal issue. In U.S. law, it’s a covert action when the president says it’s a covert action. I think if you’re on the receiving end of the covert action, it’s an act of war.”

When I e-mailed the White House for comment, I received this reply: “You are probably aware that we don’t comment on classified intelligence matters.” Not a denial. But certainly not a confirmation. So what does Clarke base his conclusion on?

One reason to believe the Stuxnet attack was made in the USA, Clarke says, “was that it very much had the feel to it of having been written by or governed by a team of Washington lawyers.”

“What makes you say that?” I asked.

“Well, first of all, I’ve sat through a lot of meetings with Washington [government/Pentagon/CIA/NSA-type] lawyers going over covert action proposals. And I know what lawyers do.

“The lawyers want to make sure that they very much limit the effects of the action. So that there’s no collateral damage.” He is referring to legal concerns about the Law of Armed Conflict, an international code designed to minimize civilian casualties that U.S. government lawyers seek to follow in most cases.

Clarke illustrates by walking me through the way Stuxnet took down the Iranian centrifuges.

“What does this incredible Stuxnet thing do? As soon as it gets into the network and wakes up, it verifies it’s in the right network by saying, ‘Am I in a network that’s running a SCADA [Supervisory Control and Data Acquisition] software control system?’ ‘Yes.’ Second question: ‘Is it running Siemens [the German manufacturer of the Iranian plant controls]?’ ‘Yes.’ Third question: ‘Is it running Siemens 7 [a genre of software control package]?’ ‘Yes.’ Fourth question: ‘Is this software contacting an electrical motor made by one of two companies?’” He pauses.

“Well, if the answer to that was ‘yes,’ there was only one place it could be. Natanz.”

“There are reports that it’s gotten loose, though,” I said, reports of Stuxnet worms showing up all over the cyberworld. To which Clarke has a fascinating answer:

“It got loose because there was a mistake,” he says. “It’s clear to me that lawyers went over it and gave it what’s called, in the IT business, a TTL.”

“What’s that?”

“If you saw Blade Runner [in which artificial intelligence androids were given a limited life span—a “time to die”], it’s a ‘Time to Live.’” Do the job, commit suicide and disappear. No more damage, collateral or otherwise.

“So there was a TTL built into Stuxnet,” he says [to avoid violating international law against collateral damage, say to the Iranian electrical grid]. And somehow it didn’t work.”