The Cybersecurity Canon: Confront and Conceal

Rick Howard


For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books whose content is timeless, genuinely represents an aspect of the community that is true and precise, and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Confront and Conceal: Obama’s Secret Wars and the Surprising Use of American Power (2012) by David E. Sanger

This book is an interesting read for foreign policy buffs but a must-read for cybersecurity professionals interested in the evolution of cyber warfare. It is the first published book that chronicles the current US government’s thinking about the merits of cyber attacks as a middle-ground diplomacy option between invading a country on one hand and sanctions or negotiations on the other.

It is also the first book that gave the public details about operation “Olympic Games,” a multiyear covert operation that the governments of the United States and Israel directed against Iran that changed the cybersecurity landscape forever. Security pundits have been saying for years that cyber warfare is theoretically possible or, more precisely, that cyber weapons could cause physical damage on a massive scale. Olympic Games demonstrated conclusively that hackers can use a cyber vector alone, without the aid of other kinetic weapons, to destroy components of a country’s critical infrastructure.

Regardless of how successful Olympic Games ultimately was in slowing down the Iranian nuclear program, the use of cyber tools to inflict physical damage against your adversaries is now a viable option. Operation Olympic Games represents the world crossing the line between theory and practice, and this book is your guide to understanding that decision.

In addition to my February 24 presentation on the Cybersecurity Canon, I’ll also be discussing Olympic Games and its implications during a February 28 presentation at RSA 2014. But let’s look here at some of the particulars.

Stuxnet Revealed

In June 2012, David E. Sanger published an article in The New York Times proclaiming for the first time that the United States, in conjunction with Israel, was indeed behind the infamous Stuxnet malware attacks that targeted the Iranian nuclear enrichment plant at Natanz. The article set up his then-new book, which is our subject today.

In both the article and the book, Sanger demonstrated an unprecedented level of access to President Obama’s former staff members, which provides insight into how leadership made important changes to American policy around offensive cyber operations. The book is a fascinating look at the inner machinery of how two presidents made decisions that changed US foreign policy, moving away from President George W. Bush’s “You are with us or against us” mentality into something Sanger calls the Obama Doctrine. I originally picked up the book because of chapter 8, “Olympic Games.” For the cybersecurity professionals in the crowd, this chapter alone is worth the price of admission.

Understanding Olympic Games

Olympic Games is the now-declassified US code name for the cyber initiatives aimed at degrading Iran’s nuclear enrichment capability. Many international leaders are afraid of what Iranian leadership might do if they were to get their hands on a nuclear bomb. Iranian leadership claims that their nuclear program is peaceful and is designed to provide electric power to Iran’s citizens.

In the past, the only options Western governments had to dissuade Iranian officials from their nuclear ambitions were economic sanctions and military strikes. But according to Sanger, as Iran got closer to its goal of building a working nuclear bomb during President Bush’s time in office, Israeli leadership became more and more anxious to pursue the military option since they believed Israel might be one of the first targets of such a bomb. President Bush was not keen on starting a fight with yet another Middle Eastern country. He was already fully engaged with Iraq and Afghanistan. He needed a different way to deal with the problem. The short version of the story is that Olympic Games became the in-between option.

Sanger fills in a lot of details about Olympic Games that many professionals suspected were true at the time but had no evidence to prove. He explains how the operation grew out of military channels under President Bush and how President Obama moved it over to intelligence channels during the first weeks of his administration for legal reasons. Sanger describes how at least as much work went into the legal justification for a covert action to destroy critical infrastructure in a country with which the United States was not at war as the amount of work that the coders did when they planned, built, and tested the actual cyber weapons. He describes how the operation used unwitting Siemens employees who were working at Natanz to transfer the malware into the facility, a facility that had no connection to the Internet. Siemens is the company that builds the supervisory control and data acquisition (SCADA) devices used at the plant to control the Iranian centrifuges that Olympic Games was meant to destroy.

All of this is fascinating detail, and Sanger’s book, along with his preceding Times article, was the first time that the public became aware of it. More importantly though, Sanger’s book marks a spot where cyber warfare moved from a theoretical idea to practical implementation.

Before Olympic Games, security pundits only pontificated about the possibilities of cyber warfare. Some estimates claim that the damage done by operation Olympic Games caused Iranian engineers to replace more than 4,000 damaged centrifuges out of the 9,000 that were on site at Natanz. This is a true cybersecurity warfare event. The world has changed, and you cannot put that genie back in the bottle.

This past year, cyber attackers destroyed the data residing on 32,000 computers from a number of Korean companies, including Shinhan Bank, Nonghyup Bank, Munhwa Broadcasting Corp., YTN, and Korea Broadcasting System. Public attribution is unclear, but the South Koreans believe the attacks came from North Korea. If that’s true, the attack represents the first example of another nation taking its cues from the United States and Israel and operation Olympic Games. I expect that this is just the beginning.

The Tech

Sanger details the three phases of the operation. The first phase was to build and deploy a “beacon” designed to map the network at Natanz and get that information back to the United States. The second phase was to build and test the “bug,” the malware that would destroy the centrifuges. The last phase was to deploy the bug and upgrade it on the fly to seek new and better targets.

According to Sanger, the intent of Olympic Games was not to destroy the plant completely but to play mind games with the Iranian technicians, to cause confusion within the technical ranks, and to add time on the clock for the inevitable day when Iran would succeed in making enough nuclear material to build a bomb. The jury is still out on whether Olympic Games succeeded, but Sanger uses the operation to make a larger point about the change in US foreign policy under President Obama.

Conclusion

The book is an interesting read for foreign policy enthusiasts, but the Olympic Games chapter in particular is a must-read for every cybersecurity professional interested in the evolution of cyber warfare.

Security pundits have been saying for years that cyber warfare is theoretically possible or, more precisely, that cyber weapons could cause physical damage on a massive scale. Olympic Games demonstrated conclusively that hackers can use a cyber vector alone, without the aid of other kinetic weapons, to destroy components of a country’s critical infrastructure. Regardless of how successful Olympic Games ultimately was in slowing down the Iranian nuclear program, using cyber tools to inflict physical damage against your adversaries is now a viable option. Operation Olympic Games represents the world crossing the line between theory and practice, and this book is your guide to understanding that decision. This book is part of the canon, and you should have read it by now.
