The American Bear


Legal Experts: Stuxnet Attack on Iran Was Illegal 'Act of Force' | Threat Level

A cyberattack that sabotaged Iran’s uranium enrichment program was an “act of force” and was likely illegal, according to research commissioned by NATO’s cyberwarfare center.

“Acts that kill or injure persons or destroy or damage objects are unambiguously uses of force” and likely violate international law, according to the Tallinn Manual on the International Law Applicable to Cyber Warfare, a study produced by international legal experts at the request of NATO’s Cooperative Cyber Defense Center of Excellence in Estonia.

Acts of force are prohibited under the United Nations charter, except when done in self-defense, Michael Schmitt, professor of international law at the U.S. Naval War College in Rhode Island and lead author of the study, told the Washington Times.

The 20 experts who produced the study were unanimous that Stuxnet was an act of force, but were less clear about whether the cyber sabotage against Iran’s nuclear program constituted an “armed attack,” which would entitle Iran to use counterforce in self-defense. An armed attack constitutes a start of international hostilities under which the Geneva Convention’s laws of war would apply.

As officials debate — largely in secret — how to apply traditional concepts such as imminence to modern warfare, they say that in cyberspace, a clear line is virtually impossible to draw between a justified strike in self-defense and a preemptive one that is considered an unprovoked act of aggression.

In cyberwarfare, rules of engagement still hard to define | The Washington Post

You mean like Stuxnet, Duqu and Flame, the malware the US unleashed to attack Iranian industrial controllers at the Natanz enrichment facility? It seems that attack could fairly be labeled as an “unprovoked act of aggression”.

Welcome to the Malware-Industrial Complex

jayaprada:

Every summer, computer security experts get together in Las Vegas for Black Hat and DEFCON, conferences that have earned notoriety for presentations demonstrating critical security holes discovered in widely used software. But while the conferences continue to draw big crowds, regular attendees say the bugs unveiled haven’t been quite so dramatic in recent years.

One reason is that a freshly discovered weakness in a popular piece of software, known in the trade as a “zero-day” vulnerability because the software makers have had no time to develop a fix, can be cashed in for much more than a reputation boost and some free drinks at the bar. Information about such flaws can command prices in the hundreds of thousands of dollars from defense contractors, security agencies and governments.

This trade in zero-day exploits is poorly documented, but it is perhaps the most visible part of a new industry that in the years to come is likely to swallow growing portions of the U.S. national defense budget, reshape international relations, and perhaps make the Web less safe for everyone.

Zero-day exploits are valuable because they can be used to sneak software onto a computer system without detection by conventional computer security measures, such as antivirus packages or firewalls. Criminals might do that to intercept credit card numbers. An intelligence agency or military force might steal diplomatic communications or even shut down a power plant.

It became clear that this type of assault would define a new era in warfare in 2010, when security researchers discovered a piece of malicious software, or malware, known as Stuxnet. Now widely believed to have been a project of U.S. and Israeli intelligence (U.S. officials have yet to publicly acknowledge a role but have done so anonymously to the New York Times and NPR), Stuxnet was carefully designed to infect multiple systems needed to access and control industrial equipment used in Iran’s nuclear program. The payload was clearly the work of a group with access to government-scale resources and intelligence, but it was made possible by four zero-day exploits for Windows that allowed it to silently infect target computers. That so many precious zero-days were used at once was just one of Stuxnet’s many striking features.

Since then, more Stuxnet-like malware has been uncovered, and it’s involved even more complex techniques (see “The Antivirus Era Is Over”). It is likely that even more have been deployed but escaped public notice. Meanwhile, governments and companies in the United States and around the world have begun paying more and more for the exploits needed to make such weapons work, says Christopher Soghoian, a principal technologist at the American Civil Liberties Union.

“On the one hand the government is freaking out about cyber-security, and on the other the U.S. is participating in a global market in vulnerabilities and pushing up the prices,” says Soghoian, who says he has spoken with people involved in the trade and that prices range from the thousands to the hundreds of thousands. Even civilian law-enforcement agencies pay for zero-days, Soghoian says, in order to sneak spy software onto suspects’ computers or mobile phones.

Exploits for mobile operating systems are particularly valued, says Soghoian, because unlike desktop computers, mobile systems are rarely updated. Apple sends updates to iPhone software a few times a year, meaning that a given flaw could be exploited for a long time. Sometimes the discoverer of a zero-day vulnerability receives a monthly payment as long as a flaw remains undiscovered. “As long as Apple or Microsoft has not fixed it you get paid,” says Soghoian.

No law directly regulates the sale of zero-days in the United States or elsewhere, so some traders pursue it quite openly. A Bangkok, Thailand-based security researcher who goes by the name “the Grugq” has spoken to the press about negotiating deals worth hundreds of thousands of dollars with government buyers from the United States and western Europe. In a discussion on Twitter last month, in which he was called an “arms dealer,” he tweeted that “exploits are not weapons,” and said that “an exploit is a component of a toolchain … the team that produces & maintains the toolchain is the weapon.”

The Grugq contacted MIT Technology Review to state that he has made no “public statement about exploit sales since the Forbes article.”

Some small companies are similarly up-front about their involvement in the trade. The French security company VUPEN states on its website that it “provides government-grade exploits specifically designed for the Intelligence community and national security agencies to help them achieve their offensive cyber security and lawful intercept missions.” Last year, employees of the company publicly demonstrated a zero-day flaw that compromised Google’s Chrome browser, but they turned down Google’s offer of a $60,000 reward if they would share how it worked. What happened to the exploit is unknown.

No U.S. government agency has gone on the record as saying that it buys zero-days. But U.S. defense agencies and companies have begun to publicly acknowledge that they intend to launch as well as defend against cyberattacks, a stance that will require new ways to penetrate enemy computers.

General Keith Alexander, director of the National Security Agency and commander of the U.S. Cyber Command, told a symposium in Washington last October that the United States is prepared to do more than just block computer attacks. “Part of our defense has to consider offensive measures,” he said, making him one of the most senior officials to admit that the government will make use of malware. Earlier in 2012 the U.S. Air Force invited proposals for developing “Cyberspace Warfare Attack capabilities” that could “destroy, deny, degrade, disrupt, deceive, corrupt, or usurp the adversaries [sic] ability to use the cyberspace domain for his advantage.” And in November, Regina Dugan, the head of the Defense Advanced Research Projects Agency, delivered another clear signal about the direction U.S. defense technology is heading. “In the coming years we will focus an increasing portion of our cyber research on the investigation of offensive capabilities to address military-specific needs,” she said, announcing that the agency expected to expand cyber-security research from 8 percent of its budget to 12 percent.

Defense analysts say one reason for the shift is that talking about offense introduces an element of deterrence, an established strategy for nuclear and conventional conflicts. Up to now, U.S. politicians and defense chiefs have talked mostly about the country’s vulnerability to digital attacks. Last fall, for example, Defense Secretary Leon Panetta warned frankly that U.S. infrastructure was being targeted by overseas attackers and that a “digital Pearl Harbor” could result (see “U.S. Power Grids, Water Plants a Hacking Target”).

Major defense contractors are less forthcoming about their role in making software to attack enemies of the U.S. government, but they are evidently rushing to embrace the opportunity. “It’s a growing area of the defense business at the same time that the rest of the defense business is shrinking,” says Peter Singer, director of the 21st Century Defense Initiative at the Brookings Institution, a Washington think tank. “They’ve identified two growth areas: drones and cyber.”

Large contractors are hiring many people with computer security skills, and some job openings make it clear there are opportunities to play more than just defense. Last year, Northrop Grumman posted ads seeking people to “plan, execute and assess an Offensive Cyberspace Operation (OCO) mission,” and many current positions at Northrop ask for “hands-on experience of offensive cyber operations.” Raytheon prefaces its ads for security-related jobs with language designed to appeal to stereotypical computer hackers: “Surfboards, pirate flags, and DEFCON black badges decorate our offices, and our Nerf collection dwarfs that of most toy stores. Our research and development projects cover the spectrum of offensive and defensive security technologies.”

The new focus of America’s military and defense contractors may concern some taxpayers. As more public dollars are spent researching new ways to attack computer systems, some of that money will go to people like The Grugq to discover fresh zero-day vulnerabilities. And an escalating cycle of competition between U.S. and overseas government agencies and contractors could make the world more dangerous for computer users everywhere.

“Every country makes weapons: unfortunately, cyberspace is like that too,” says Sujeet Shenoi, who leads the U.S.-government-sponsored Cyber Corps Program at the University of Tulsa. His program trains students for government jobs defending against attacks, but he fears that defense contractors, also eager to recruit these students, are pushing the idea of offense too hard. Developing powerful malware introduces the dangerous temptation to use it, says Shenoi, who fears the consequences of active strikes against infrastructure. “I think maybe the civilian courts ought to get together and bar these kinds of attacks,” he says.

The ease with which perpetrators of a computer attack can hide their tracks also raises the risk that such weapons will be used, Shenoi points out. Worse, even if an attack using malware is unsuccessful, there’s a strong chance that a copy will remain somewhere on the victim’s system—by accident or design—or accidentally find its way onto computer systems not targeted at all, as Stuxnet did. Some security firms have already identified criminal malware that uses methods first seen in Stuxnet (see “Stuxnet Tricks Copied by Criminals”).

“The parallel is dropping the atomic bomb but also leaflets with the design of it,” says Singer. He estimates that around 100 countries already have cyber-war units of some kind, and around 20 have formidable capabilities: “There’s a lot of people playing this game.”

Secret Rules to Let Obama Start Cyber Wars | Jason Ditz

A secret legal review of the even more secret “rules” of the US cyberwarfare capabilities has concluded that President Obama has virtually limitless power to start cyber wars in the name of “pre-emption” of potential attacks coming out of another nation.

The reports come from officials involved in the review, and are impossible to verify since the rules themselves are classified, and the review is being conducted entirely in secret.

The current rules, to the extent anyone understands them, say that the Pentagon can openly attack targets in nations during wartime, but that doesn’t explain things like Stuxnet, the US-made computer worm that attacked Iran and subsequently much of the planet, doing massive damage to industry when it escaped Iranian computers and went worldwide.

The US sees “pre-emptive” attacks on nations like Iran in a cyber-context much as they do in a military context, although without all of the questions asked afterwards since the attack and indeed much of the cyber war can be conducted in relative secrecy. The 2003 US invasion of Iraq, and its calamitous occupation are being used as a model for the president being able to unilaterally start not just physical wars, but wars involving attacks on industrial computers of rival nations.

Broad Powers Seen for Obama in Cyberstrikes | NYT

More powers for the president, new and exciting military-industrial markets, and, likely, legal cover for the cyberweapons that have already been unleashed:

A secret legal review on the use of America’s growing arsenal of cyberweapons has concluded that President Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad, according to officials involved in the review.

That decision is among several reached in recent months as the administration moves, in the next few weeks, to approve the nation’s first rules for how the military can defend, or retaliate, against a major cyberattack. New policies will also govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the United States and, if the president approves, attack adversaries by injecting them with destructive code — even if there is no declared war.

The rules will be highly classified, just as those governing drone strikes have been closely held. John O. Brennan, Mr. Obama’s chief counterterrorism adviser and his nominee to run the Central Intelligence Agency, played a central role in developing the administration’s policies regarding both drones and cyberwarfare, the two newest and most politically sensitive weapons in the American arsenal.

Cyberweaponry is the newest and perhaps most complex arms race under way. The Pentagon has created a new Cyber Command, and computer network warfare is one of the few parts of the military budget that is expected to grow. Officials said that the new cyberpolicies had been guided by a decade of evolution in counterterrorism policy, particularly on the division of authority between the military and the intelligence agencies in deploying cyberweapons. Officials spoke on condition of anonymity because they were not authorized to talk on the record.

Under current rules, the military can openly carry out counterterrorism missions in nations where the United States operates under the rules of war, like Afghanistan. But the intelligence agencies have the authority to carry out clandestine drone strikes and commando raids in places like Pakistan and Yemen, which are not declared war zones. The results have provoked wide protests.

Mr. Obama is known to have approved the use of cyberweapons only once, early in his presidency, when he ordered an escalating series of cyberattacks against Iran’s nuclear enrichment facilities. The operation was code-named Olympic Games, and while it began inside the Pentagon under President George W. Bush, it was quickly taken over by the National Security Agency, the largest of the intelligence agencies, under the president’s authority to conduct covert action.

As the process of defining the rules of engagement began more than a year ago, one senior administration official emphasized that the United States had restrained its use of cyberweapons. “There are levels of cyberwarfare that are far more aggressive than anything that has been used or recommended to be done,” the official said.

The attacks on Iran illustrated that a nation’s infrastructure can be destroyed without bombing it or sending in saboteurs.

While many potential targets are military, a country’s power grids, financial systems and communications networks can also be crippled. Even more complex, nonstate actors, like terrorists or criminal groups, can mount attacks, and it is often difficult to tell who is responsible. Some critics have said the cyberthreat is being exaggerated by contractors and consultants who see billions in potential earnings.

One senior American official said that officials quickly determined that the cyberweapons were so powerful that — like nuclear weapons — they should be unleashed only on the direct orders of the commander in chief.

[…] Under the new guidelines, the Pentagon would not be involved in defending against ordinary cyberattacks on American companies or individuals, even though it has the largest array of cybertools. Domestically, that responsibility falls to the Department of Homeland Security, and investigations of cyberattacks or theft are carried out by the F.B.I.

But the military, barred from actions within the United States without a presidential order, would become involved in cases of a major cyberattack within the United States. To maintain ambiguity in an adversary’s mind, officials have kept secret what that threshold would be …


FBI is increasing pressure on suspects in Stuxnet inquiry | The Washington Post

Federal investigators looking into disclosures of classified information about a cyberoperation that targeted Iran’s nuclear program have increased pressure on current and former senior government officials suspected of involvement, according to people familiar with the investigation.

The inquiry, which was started by Attorney General Eric H. Holder Jr. last June, is examining leaks about a computer virus developed jointly by the United States and Israel that damaged nuclear centrifuges at Iran’s primary uranium enrichment plant. The U.S. code name for the operation was Olympic Games, but the wider world knew the mysterious computer worm as Stuxnet.

Prosecutors are pursuing “everybody — at pretty high levels, too,” said one person familiar with the investigation. “There are many people who’ve been contacted from different agencies.”

The FBI and prosecutors have interviewed several current and former senior government officials in connection with the disclosures, sometimes confronting them with evidence of contact with journalists, according to people familiar with the probe. Investigators, they said, have conducted extensive analysis of the e-mail accounts and phone records of current and former government officials in a search for links to journalists.

The people familiar with the investigation would speak only on the condition of anonymity because of the sensitivity of the matter. The Justice Department declined to comment.

The Obama administration has prosecuted six officials for disclosing classified information, more than all previous administrations combined. But the Stuxnet investigation is arguably the highest-profile probe yet, and it could implicate senior-level officials. Knowledge of the virus was likely to have been highly compartmentalized and limited to a small set of Americans and Israelis.

The proliferation of e-mail and the advent of sophisticated software capable of sifting through huge volumes of it have significantly improved the ability of the FBI to find evidence. A trail of e-mail has eased the FBI’s search for a number of suspects recently, including John Kiriakou, the former CIA officer who was sentenced Friday to 30 months in prison for disclosing to a journalist the identity of a CIA officer who had spent 20 years under cover.

Late last year, retired Gen. David H. Petraeus resigned as CIA director after the FBI discovered e-mails in one of his private accounts showing that he had an extramarital affair with his biographer.

Holder appointed Rod J. Rosenstein, the U.S. attorney for Maryland, to lead the Stuxnet inquiry after a New York Times article about President Obama ordering cyberattacks against Iran using a computer virus developed in conjunction with Israel. Other publications, including The Washington Post, followed with similar reports about Stuxnet and a related virus called Flame.

What’s missing from the story is that by the White House’s own rules, unleashing Stuxnet, Flame, and Duqu against Iran was an “act of war" (and that Stuxnet is out on the open internet now), but, of course, when the U.S. does something, it is done only with benevolent intent.

Better to focus on scaring potential whistleblowers and journalists away from providing any information to the public about our defense activities. Plausible deniability is all that matters.

Cybersleuths Uncover 5-Year Spy Operation Targeting Governments, Others | Threat Level

An advanced and well-orchestrated computer spy operation that targeted diplomats, governments and research institutions for at least five years has been uncovered by security researchers in Russia.

The highly targeted campaign, which focuses primarily on victims in Eastern Europe and Central Asia based on existing data, is still live, harvesting documents and data from computers, smartphones and removable storage devices, such as USB sticks, according to Kaspersky Lab, the Moscow-based antivirus firm that uncovered the campaign. Kaspersky has dubbed the operation “Red October.”

While most of the victims documented are in Eastern Europe or Central Asia, targets have been hit in 69 countries in total, including the U.S., Australia, Ireland, Switzerland, Belgium, Brazil, Spain, South Africa, Japan and the United Arab Emirates. Kaspersky calls the victims “high profile,” but declined to identify them other than to note that they’re government agencies and embassies, institutions involved in nuclear and energy research and companies in the oil and gas and aerospace industries.

“The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information-gathering scope is quite wide,” Kaspersky notes in a report released Monday. “During the past five years, the attackers collected information from hundreds of high-profile victims, although it’s unknown how the information was used.”

The attackers, believed to be native Russian-speakers, have set up an extensive and complex infrastructure consisting of a chain of at least 60 command-and-control servers that Kaspersky says rivals the massive infrastructure used by the nation-state hackers behind the Flame malware that Kaspersky discovered last year.

But the researchers note that the Red October attack has no connection to Flame, Gauss, DuQu or other sophisticated cyberspy operations Kaspersky has examined in recent years.

The attack also shows no signs yet of being the product of a nation-state and may instead be the work of cybercriminals or freelance spies looking to sell valuable intelligence to governments and others on the black market, according to Kaspersky Lab senior security researcher Costin Raiu.

New Cyber-Espionage System Called “Red October” Identified

matthewaid:

January 15, 2013

Kaspersky Lab announced yesterday that it had identified a new cyber-espionage malware system called “Red October,” which had infected a number of governmental, diplomatic and scientific research institute computer networks and related telecommunications systems in the Russian Federation, the former Soviet republics of Central Asia, and certain countries in Eastern Europe.

According to Kaspersky, Red October has been actively collecting intelligence information for more than five years without detection, with the first indication of its existence turning up in filenames written in May 2007. The system is still active today. It goes without saying that no one knows who wrote the “Red October” programs or who has been receiving the intelligence information collected by the system.

Kaspersky Lab’s forensic analysis of the Red October system can be read here.

The NSA has turned over documents on the controversial ‘Perfect Citizen’ program to EPIC in response to a FOIA request. ‘Perfect Citizen’ is an NSA program that monitors private networks in the United States. The redacted documents obtained from the federal agency by EPIC state that ‘[t]he prevention of a loss due to a cyber or physical attack [on Sensitive Control Systems, like large-scale utilities], or recovery of operational capability after such an event, is crucial to the continuity of the [Department of Defense], the [Intelligence Community], and the operation of SIGINT systems.’ The NSA claims that Perfect Citizen is merely a research and development program. The documents obtained by EPIC suggest that the program is operational.

EPIC Obtains Documents on NSA’s “Perfect Citizen” Program

From another post on the program at EPIC:

When asked for further information, NSA and Raytheon spokespeople declined to comment. The WSJ obtained access to internal Raytheon emails; one which stated “Perfect Citizen is Big Brother.” Raytheon refused to comment.

Obama’s Secret Directive Keeps Evolving Cybersecurity Policy Concealed | Kevin Gosztola

President Barack Obama has issued and signed a secret presidential directive that the Washington Post reports is “the most extensive White House effort to date to wrestle with what constitutes an ‘offensive’ and a ‘defensive’ action in the rapidly evolving world of cyberwar and cyberterrorism.”

The directive—Presidential Policy Directive 20—will reportedly make it possible for the United States military to respond more aggressively to “thwart cyberattacks on the nation’s web of government and private computer networks.” It “establishes a broad and strict set of standards to guide the operations of federal agencies.” And, according to Ellen Nakashima, “For the first time, the directive explicitly makes a distinction between network defense and cyber operations to guide officials charged with making often rapid decisions when confronted with threats.”

Additionally, the secret policy maps out a process for vetting “operations outside government and defense networks” and ensuring “US citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed.” As one senior administration official told the Post, “What it does, really for the first time, is it explicitly talks about how we will use cyber operations … Network defense is what you’re doing inside your own networks. … Cyber operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”

The secret directive updates a 2004 presidential directive issued and signed by President George W. Bush that remains secret.

There are a few key points to make here: First, Obama ordered cyber attacks on Iran before this policy was established. That was acceptable and carried out mostly without question from anyone in the establishment or press. It definitely was not a campaign issue. Secondly, this information was classified. It was leaked to the Post. If it was not for a leak, the public would not know Obama had signed and issued a directive containing evolving cybersecurity policy.

Google report reveals sharp increase in government requests for users' data | guardian.co.uk

Government surveillance of citizens’ online lives is rising sharply around the world, according to Google’s latest report on requests to remove content and hand over user data to official agencies.

In the first six months of this year, authorities worldwide made 20,939 requests for access to personal data from Google users, including search results, access to Gmail accounts and removal of YouTube videos. Requests have risen steeply from a low of 12,539 in the last six months of 2009, when Google first published its Transparency Report.

Authorities made 1,791 requests for Google to remove 17,746 pieces of content in the first half of 2012, almost twice as many as the 949 requests made in the same period last year, and up from 1,048 requests made in the last six months of 2011.

“This is the sixth time we’ve released this data, and one trend has become clear: government surveillance is on the rise,” Google said in a blogpost.

One of the sharpest rises came in requests from Turkey, which held an election on 12 June 2011. Google reported a 1,013% rise in requests from Turkish authorities in the latest reporting period, including 148 requests to remove 426 YouTube videos, Blogger blogs, one Google document and one search result. The contested items allegedly criticised Mustafa Kemal Atatürk (the first president of Turkey), the government or “national identity and values”. Google restricted Turkish users from accessing 63% of the YouTube videos. It did not remove the other content.

The US accounted for the most requests, as it has consistently since the report was launched. US authorities asked for private details of Google users on 7,969 occasions, up from 6,321 in the last reporting period. The number is more than a third of the 20,938 requests for users’ details worldwide. Google fully or partially complied with 90% of those requests.

Blowback: Stuxnet and the Ongoing Risk to Manufacturing Worldwide | emptywheel (2)

Dear Senate Intelligence Committee: You are in way over your heads when it comes to technology. You need to rethink how you handle anything involving software and the hardware on which it runs as well as any technology attached to a network. That includes phones.

You let this thing loose when you signed off on it–you signed off on a weapon payload that was inherently insecure, or designed deliberately to be insecure, because it relied on delivery applications requiring security and upgrade patches every frigging month, delivered via network in nearly all cases. It’s laughable that you think there was a leak requiring investigation when this insecure cyberweapon of mass destruction was released with your blessing.

What was it you thought you were authorizing? Did you not realize that this bug could spread because it was designed for delivery via an insecure application? Or did you permit an undisclosed quid pro quo to some unidentified entity so that all SCADA-based manufacturing could be affected at will at some point in the future?

There were at least three countries involved in this process, too. Did you rely too heavily on one of the two partners to keep a leash on the other? Have you asked how one of the partners is protecting its own manufacturing environment from exposure? Or did it never occur to you that they are our competitor for manufacturing jobs and have less exposure to this weapon because they don’t rely as much on a private corporation’s inherently buggy applications in their manufacturing? Did it ever occur to ask if there were secondary agendas on the part of any participant in the design, development, and distribution of this weapon?

And now that we the public know your little xenomorph has gone rogue and into the wild, when are you going to mitigate the risks of proliferation by ensuring manufacturers as well as SCADA users like utility companies, mass transportation providers, and any site requiring physical maintenance and security controlled by computers are informed of the risks and take action to limit potential failures? Recall Congress’ reaction to the risks from Y2K; Stuxnet and its precursors and variants may pose a far bigger risk than Y2K, worthy of deeper consideration.

Perhaps the Permanent Subcommittee on Investigations should review this mess to prevent future snafus like the Stuxnet debacle. Perhaps if you can’t or won’t tell us, you’ll tell that committee what other monsters you’ve unleashed that might blow back on us all.

Blowback: Stuxnet and the Ongoing Risk to Manufacturing Worldwide | emptywheel

Dear Chevron: Thanks for letting us know you’ve been infected with Stuxnet. It’s difficult to muster sympathy for your management or shareholders, because you were warned. This guy quite clearly warned your industry, as did other firms specializing in technology security.

Every single manufacturer around the world using supervisory control and data acquisition (SCADA) driven equipment in their processes was warned. Businesses at particular risk are those relying on certain ubiquitous applications in a networked environment.

Perhaps you heeded the warning months ago but didn’t disclose widely that your business was working on eliminating the exposures. If your business has been hardening your systems, great. However, the public does have a right to know if your plant located in their backyard might blow up or release toxic chemicals because your firm was exposed to cyber warfare elements our country sponsored in some fashion.

And also, via Stuxnet infected Chevron, achieved its objectives | ZDNet:

Stuxnet, which is alleged to be part of a US-led operation to stop [fuck with] Iran, … infiltrated nuclear enrichment facilities in Natanz, Iran, in 2010 and successfully modified its industrial grade equipment to malfunction. Stuxnet’s payload was specific to the systems in place in Iran, but its spreading mechanism was not as picky. As a result, the malware managed to escape from the facility and spread far beyond its initial target.

… Although Chevron wasn’t adversely affected by Stuxnet’s payload, the identification and removal of the malware does require action by all that are infected. This cost, while small, is significant when the total number of infected businesses is considered — an oversight that [Mark Koelmel, Chevron’s general manager of its earth sciences department] criticised the US government for.

“I don’t think the US government even realised how far it had spread,” he said. “I think the downside of what they did is going to be far worse than what they actually accomplished.”

This includes several subsequent iterations or modified copy-cats of Stuxnet, such as Duqu, Flame, and Gauss. Kaspersky believes that some of them may have been created by the original authors of Stuxnet.

Safety or surveillance: What is the NSA's Utah Data Center? | ksl.com

BLUFFDALE — One of the biggest and most mysterious construction projects in Utah history is roughly halfway completed near the Point of the Mountain. It’s a vast computer center for one of the nation’s most secretive agencies, the National Security Agency.

Critics joke that NSA really stands for “Never Say Anything.” The secrecy surrounding the project has led to speculation it will become a vast storehouse of personal communications of average Americans.

The facility is 1 million square feet of space, with a price tag well above $1 billion; and it will have an appetite for electricity that would embarrass Godzilla. Computers and cooling systems at the NSA’s Utah Data Center will reportedly consume $40 million worth of power each year. The power company won’t say if that widely reported estimate is valid.

“The information about customer use is private and so even if I knew, I wouldn’t be able to tell you,” said Dave Eskelsen, spokesman for Rocky Mountain Power.

Officials in Washington won’t say what the data center is for, but the NSA did issue a vague statement saying it will “strengthen and protect the nation’s cyber-security.” That’s a critical mission, according to NSA director General Keith Alexander.

“Whether it’s a nation-state or a hacker, somebody who finds a vulnerability in our infrastructure could cause tremendous problems,” Alexander said.

But a Washington whistleblower says that’s just a cover story for a serious threat to civil liberties. William Binney worked for the NSA for 32 years. He still lives by the highly secure headquarters near Baltimore.

… “It didn’t take but probably a week or so after 9/11 that they decided to start spying on the U.S. domestically, on all U.S. citizens they could get,” Binney said.

He now suspects the facility in Bluffdale will be used to store incredible amounts of communication data so the NSA can sift through it, whether it’s from foreign terrorists or law-abiding U.S. citizens. Emails, cellphone calls, Google searches; Binney calculated how much data such a huge facility could hold.

“That means at Bluffdale, if you divide it out, you could get 5 zettabytes,” he said.

That’s an incredible number that most of us can’t really understand, but Binney gave an idea of what it means.

“(It) pretty much means all the communications in the world, for roughly a hundred years,” he said. [++]