Sex and Stuxnet

 .

By Alex Pasternack and Dan Stuckey


The former Vice Chairman of the Joint Chiefs of Staff, General James "Hoss" Cartwright, took his nickname from Bonanza's loveable, warm giant, Eric "Hoss" Cartwright. Lovable and warm do not describe the feelings the Justice Department has towards him. They've reportedly singled him out for leaking information to a New York Times journalist about Stuxnet, the cyber-attack that debilitated Iran's uranium enrichment facilities at Natanz, setting back its nuclear program by years.

While it's hard to imagine Cartwright, a 40-year military veteran, having to share a figurative cell with Pfc. Bradley Manning, his alleged involvement in Stuxnet and his resignation from the military in 2011 had made him a possible "target" since at least last year.

In the summer of 2012, an article by the Times' David Sanger — whose phone calls and emails were subpoened by the government over an investigation about his reporting—named Cartwright as a strategic architect of the Stuxnet operation, codenamed Olympic Games. It was Cartwright who in 2006 reportedly convinced President Bush to take a less conventional approach to Iran's nuclear capabilities, an issue that, given Israel's concerns, threatened to incite war in the Middle East. Sanger described Cartwright and the significance of this new weapon, which was reportedly developed by the NSA and the CIA with help from Israel:

General James E. Cartwright, who had established a small cyberoperation inside the United States Strategic Command, which is responsible for many of America’s nuclear forces, joined intelligence officials in presenting a radical new idea to Mr. Bush and his national security team. It involved a far more sophisticated cyberweapon than the United States had designed before... 

“Previous cyberattacks had effects limited to other computers,” Michael V. Hayden, the former chief of the C.I.A., said, declining to describe what he knew of these attacks when he was in office. “This is the first attack of a major nature in which a cyberattack was used to effect physical destruction [...] Somebody crossed the Rubicon,” he said.

Though highly respected, Cartwright was also considered a feather-rufffler in some circles, unafraid to urge more attention to less conventional, more high tech strategy and to use terms like "semantic interoperability." He pushed new institutional thinking within the Pentagon, urged better immigration policy, and supported the repeal of "don't ask, don't tell."

His aggressive, progressive approach to war even made him, according to Bob Woodward, Obama's "favorite general."

In “Obama’s Wars,” Woodward describes General Cartwright as being candid with the President. “I’m just not in the business of withholding options," Woodward quotes him as saying. "I have an oath, and when asked for advice I’m going to provide it.”

But in 2011, when Cartwright was nominated to succeed Admiral Mike Mullen as Chairman of the Joint Chiefs, a whisper campaign against him had already begun. Apparently, many top brass hadn't forgiven him for bypassing Adm. Mullen and recommending to the President a smaller U.S. footprint in Afghanistan. There were also concerns about Mullen's adversarial relationship with his wife. And there was another issue too, reports the Washington Post:

Cartwright, a four-star general, was cleared in February 2011 of misconduct involving a young aide. An anonymous accuser had claimed Cartwright acted inappropriately during a 2009 overseas trip on which the aide traveled as a military assistant. Several sources confirmed that the former aide was a young woman. The Pentagon inspector general quickly cleared Cartwright of the most serious allegations, which involved claims that he may have had an improper physical relationship with the woman.

The report did find that Cartwright mishandled an incident in which the aide, drunk and visibly upset, visited his Tbilisi, Georgia, hotel room alone and either passed out or fell asleep on a bench at the foot of his bed. Cartwright denied any impropriety and was later cleared of all wrongdoing.

Cartwright won his battle, but he wasn't ultimately confirmed, and in August 2011, he resigned from the military. He would stay on the Defense Policy Board, an elite Pentagon advisory panel with top-secret national security clearance. But in January, he resigned due to health problems, just as reports emerged a Justice Dept. Stuxnet investigation had begun to focus on him.

On Friday, following new reports he was being investigated for being one of the "current and former American, European and Israeli officials involved in the program" cited by the Times' David Sanger in his reporting last year and in 2010, his attorney, former Obama White House counsel Greg Craig, described his client as "an American hero.'' "Any suggestion that he could have betrayed the country he loves is preposterous,'' Craig said.

Cartwright kept a laser-like focus on cyberwar. A 2012 keynote address by ex-General Cartwright's plays vaguely like a Bruce Sterling speech.

"My job will probably be to depress you... but my job, as it sits today, as the Vice Chairman, is really to worry about the future war fighter... you look at the financial crisis that we're going through and the interdependence that has occurred as a result of this ubiquitous ability to exchange and to be interconnected around the world... it has its strengths and it has its weaknesses... In 2006 we stored and processed 40 hexabytes of unique information. I don't know what an hexabyte is, but that's essentially 300,000 Libraries of Congress... Within a year, were seeing that within a year we'll do that amount in a month, on the battlefield. Not as a nation, on the battlefield."

In a 2011 parting speech, according to a Dept. of Defense dispatch, "the vice chairman acknowledged that he is known as someone who embraces technology," and he praised those who took scientific and technological risks, “whether it was to shoot down a satellite or to take the night time away from the enemy with night-vision goggles … [or] with radar.”

And while he was also in command of America's nuclear arsenal, Cartwright often seemed more interested in another, more virtual set of weapons.

How we hack

Earlier this year, Cartwright told a small student-run security conference at Georgetown University that wireless, not desktop systems, are a top target for the US military, according to BreakingDefense.com: “the reality of it is the wireless side is far more likely” an avenue for attack. “All I need is a willing aperture to let me in and I can start to create havoc,” he warned.

“One of the beautiful parts about cyber [is] it goes from influence all the way to destruction with a lot of points in between,” he said. “Cyber allows you to have a much broader set of activity and tools short of war.” He noted that in addition to the traditional tools of sanctions, spies, and public statements, the US can now spread online propaganda — or break governments' firewalls, to enable more free communication — and attack the bad guys with viruses not bombs.

He did not mention Stuxnet of course. The operation — like most of the country's offensive cyber apparatus, including recently revealed NSA programs — has never been publicly acknowledged by any government agency. Days before Obama took office, Sanger reported, President Bush recommended the incoming President keep two programs secret: the drone operation in Pakistan and Olympic Games, the project that built Stuxnet. Obama heeded his advice.

Without touching upon offensive cyber operations however, Cartwright downplayed the threat to the US from Chinese hackers.

“Everyone is talking about 'China is hacking into this, that and the other thing, they’re stealing this, that and the other thing, they’re terrible people.' Got it.” But two hundred years ago, when the young United States was playing catch-up to Britain’s Industrial Revolution, “we went to England and stole every manufacturing secret we could find,” he said. “Rising states do that."
“We can hate it, we can not like it, but it is basically in the human pattern,” Cartwright said. What the US really needs to keep up with China, he argued, is a new immigration policy to keep talented risk-takers coming from all corners of the world.

Cartwright embraced technology as a tool for democracy, for instance in the Arab Spring, and praised one experiment in which the US distributed a thousand smartphones to Afghans of various sects and tribes — many of them illiterate — and encouraged them to use the technology with an Afghan version of American Idol.

“[In] two months, they were texting, they were using the phones, very comfortably going across all the social barriers that for the last five thousand years have defined their culture [...] Quite frankly, when we leave next year, just like all the conquerors that have gone to in Afghanistan in the past, we’ll be forgotten very quickly. That phone will not.”

But with the benefits of iPhones also come the kind of cybersecurity threats that Cartwright and his hacker soldiers were building, and a host of important questions about the moral costs of those weapons. One attendee asked him how cyberwar would jibe with existing standards of warfare. Cartwright warned against restrictive laws.

“Much of what we are doing today or could do in cyber could be handled by existing law or policy,” he said. “Very little of it is going to require new standing law.” In fact, he went on, the real danger is “people rushing to pour cement on new policy and law in a world where things last 18 months.”

“Our legislative bodies are very happy to say, we passed it, it’s done, it will last forever,” he warned.

In his parting speech, Cartwright quoted from an address by Teddy Roosevelt that a mentor of his had once cited. Delivered at the Sorbonne in April 1910, "Citizenship in a Republic" celebrated the fighter over the critic.

It is not the critic who counts: not the man who points out how the strong man stumbles or where the doer of deeds could have done better. The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood, who strives valiantly, who errs and comes up short again and again, because there is no effort without error or shortcoming, but who knows the great enthusiasms, the great devotions, who spends himself for a worthy cause; who, at the best, knows, in the end, the triumph of high achievement, and who, at the worst, if he fails, at least he fails while daring greatly, so that his place shall never be with those cold and timid souls who knew neither victory nor defeat.

Curiously, Julian Assange would also quote Roosevelt, as an epigraph to the first of a few philosophical essays he wrote in 2006, which laid out some of the philosophy behind WikiLeaks.

Behind the ostensible government sits enthroned an invisible government owing no allegiance and acknowledging no responsibility to the people... To destroy this invisible government, to befoul this unholy alliance between corrupt business and corrupt politics is the first task of statesmanship.

Of course, Cartwright wouldn't be the first high-ranking US official to leak intelligence to the public. Daniel Ellsburg, who disseminated the pentagon papers in 1971, worked for Rand Corp., previously beneath Robert McNamara. Mark Felt, who told Bob Woodward about a break-in at DNC headquarters on Nixon's behalf, was just second to J. Edgar Hoover at the FBI. If prosecuted, Cartwright could become the eighth person to be charged with violating the Espionage Act under the Obama administration for leaking information to the press. Prior to 2008, only three people had been charged, beginning with Ellsberg.

A 2011 address by Cartwright, courtesy of the IBM Center for the Business of Government

Given Cartwright's proximity to Stuxnet -- and his previous alleged transgressions -- it's not hard to see the DOJ's rationale for focusing on him. Harder to see is the basis on whicgovernment is conducting its investigation, and how it may have gathered evidence against him. It was through requests to read Gen. David Petraeus's Gmail account that the Justice Department learned of improprieties. It's not improbable that government investigators applied even more aggressive surveillance to Cartwright. Two sources told NBC that prosecutors managed to track him down without subpoenaing the phone records of Times reporters. So far no allegations of wrongdoing have been made against Cartwright, and the previous investigation of possible sexual misbehavior remains classified.

When he retired in 2011, Senator Diane Feinstein -- who heads the Senate Intelligence Committee -- praised the general for his candidness and his ideas. "General Cartwright’s commitment to providing his honest and blunt assessments go beyond nuclear forces and extend to all security threats facing our nation, and the best way to prepare and respond to them, even when it was not popular to do so."

While Stuxnet was intended to operate in secret and was only bound for Iran's Natanz facility, it was discovered in July 2009 by VirusBlokAda, a Belarussian computer security company, at least several months after it had been released. According to Sanger, code that had been added by Israeli's military hackers, who had collaborated with the NSA to create Stuxnet, caused it to leak to other systems. Sanger's first story on the malware, in 2010, confirmed suspicions that it had originated with the U.S. or Israel or both.

By then, however, the mysterious weapon -- which used an unprecedented four zero-day exploits -- had done its damage. In 2012, security researchers discovered an even more sophisticated piece of malware, called Flame, living onon computers in Iran and throughout the Middle East, and capable of in-depth computer espionage.

One curious irony about the leak investigation is some in Congress suspected that the White House leaked  the story about Stuxnet itself, in a bid to burnish the President's reputation as a hawk ahead of an election.  As Sanger told Gawker’s John Cook, while the White House didn’t actually leak the story, it didn’t protest its release either.

In a press conference earlier this month, amidst concerns about the government's treatment of whistleblowers and the journalists they speak to, Obama dismissed the idea that the White House had purposefully leaked intelligence.

"We're dealing with issues that can touch on the safety and security of the American people, our families or our military personnel or our allies, and so we don't play with that," he said. "We have mechanisms in place where if we can root out folks who have leaked, they will suffer consequences. In some cases, it's criminal. These are criminal acts when they release information like this."

http://motherboard.vice.com/blog/james-cartwright-stuxnet-leak-investigation