Richard Clarke on Who Was Behind the Stuxnet Attack | History & Archaeology | Smithsonian Magazine

Richard Clarke on Who Was Behind the Stuxnet Attack

America’s longtime counterterrorism czar warns that the cyberwars have already begun—and that we might be losing

Richard Clarke

Clarke has seen the future of war and says it will be fought by hackers.

Khue Bui

The story Richard Clarke spins has all the suspense of a postmodern geopolitical thriller. The tale involves a ghostly cyberworm created to attack the nuclear centrifuges of a rogue nation—which then escapes from the target country, replicating itself in thousands of computers throughout the world. It may be lurking in yours right now. Harmlessly inactive…or awaiting further orders.

A great story, right? In fact, the world-changing “weaponized malware” computer worm called Stuxnet is very real. It seems to have been launched in mid-2009, done terrific damage to Iran’s nuclear program in 2010 and then spread to computers all over the world. Stuxnet may have averted a nuclear conflagration by diminishing Israel’s perception of a need for an imminent attack on Iran. And yet it might end up starting one someday soon, if its replications are manipulated maliciously. And at the heart of the story is a mystery: Who made and launched Stuxnet in the first place?

Richard Clarke tells me he knows the answer.

Clarke, who served three presidents as counterterrorism czar, now operates a cybersecurity consultancy called Good Harbor, located in one of those anonymous office towers in Arlington, Virginia, that triangulate the Pentagon and the Capitol in more ways than one. I had come to talk to him about what’s been done since the urgent alarm he’d sounded in his recent book, Cyber War. The book’s central argument is that, while the United States has developed the capability to conduct an offensive cyberwar, we have virtually no defense against the cyberattacks that he says are targeting us now, and will be in the future.

Richard Clarke’s warnings may sound overly dramatic until you remember that he was the man, in September of 2001, who tried to get the White House to act on his warnings that Al Qaeda was preparing a spectacular attack on American soil.

Clarke later delivered a famous apology to the American people in his testimony to the 9/11 Commission: “Your government failed you.”

Clarke now wants to warn us, urgently, that we are being failed again, being left defenseless against a cyberattack that could bring down our nation’s entire electronic infrastructure, including the power grid, banking and telecommunications, and even our military command system.

“Are we as a nation living in denial about the danger we’re in?” I asked Clarke as we sat across a conference table in his office suite.

“I think we’re living in the world of non-response. Where you know that there’s a problem, but you don’t do anything about it. If that’s denial, then that’s denial.”

As Clarke stood next to a window inserting coffee capsules into a Nespresso machine, I was reminded of the opening of one of the great espionage films of all time, Funeral in Berlin, in which Michael Caine silently, precisely, grinds and brews his morning coffee. High-tech java seems to go with the job.

But saying Clarke was a spy doesn’t do him justice. He was a meta-spy, a master counterespionage, counter­terrorism savant, the central node where all the most secret, stolen, security-encrypted bits of information gathered by our trillion-dollar human, electronic and satellite intelligence network eventually converged. Clarke has probably been privy to as much “above top secret”- grade espionage intelligence as anyone at Langley, NSA or the White House. So I was intrigued when he chose to talk to me about the mysteries of Stuxnet.

“The picture you paint in your book,” I said to Clarke, “is of a U.S. totally vulnerable to cyberattack. But there is no defense, really, is there?” There are billions of portals, trapdoors, “exploits,” as the cybersecurity guys call them, ready to be hacked.

“There isn’t today,” he agrees. Worse, he continues, catastrophic consequences may result from using our cyber­offense without having a cyberdefense: blowback, revenge beyond our imaginings.

“The U.S. government is involved in espionage against other governments,” he says flatly. “There’s a big difference, however, between the kind of cyberespionage the United States government does and China. The U.S. government doesn’t hack its way into Airbus and give Airbus the secrets to Boeing [many believe that Chinese hackers gave Boeing secrets to Airbus]. We don’t hack our way into a Chinese computer company like Huawei and provide the secrets of Huawei technology to their American competitor Cisco. [He believes Microsoft, too, was a victim of a Chinese cyber con game.] We don’t do that.”

“); bodyValue = bodyValue.replace(/\n/g,”
“); bodyValue = bodyValue.replace(/\r/g,”
“); document.getElementById(“field.body”).value = bodyValue; return true; } function maxlength(element, maxvalue) { var q = eval(“document.commentform.”+element+”.value.length”); var r = q – maxvalue; var msg = “We can only accept 2000 characters per comment. You have input “+q+” characters into the “+ “comment box. Please abbreviate “+ “your comment by at least “+r+” characters. Thank you.”; if (q > maxvalue) { alert(msg); element.focus(); } }

1 2 3 4 5 Next »

    Subscribe now for more of Smithsonian’s coverage on history, science and nature.

Related topics: Computer Science Internet Information Age

11diggsdigg inShare120


Comments (28)

+ View All Comments

Much of this gives one more reason to live “off the grid,” not so much as off the power grid (although that’s important if possible) but off the Internet grid. A few years ago a documentary was published which contains the usual warnings against modern society and it’s pitfalls. They had me going until the end of the piece with an interview of a native American chief, who said their legends included a prophecy that in modern times our very home appliances would rise up to attack us. What a preposterous notion, so I disregarded most of the doc. Now, manufacturers are planning to market common household appliances such as coffee makers and toasters that could be hacked to overheat (as could office printers, etc)! I’m planning on avoiding such connectivity, and yet here sits my WII happily connected to the Web. . .

Posted by Robin Burns on April 5,2012 | 05:25 PM

I remember Mr. Clarke’s heartfelt apology very clearly. I also believe that he said that he would be using the proceeds of a future book to help the families of the 9/11 victims. Could you please report on his efforts in this matter?

Posted by Glen Worthington on April 5,2012 | 01:52 PM

Nobody is perfect at telling the future, but Clarke is pretty good. Read his Cyber Wars book (April 2010) where he says: “Even though historians and national security officials know that there are numerous precedents for institutions thinking their communications are secure when they are not, there is still resistance to believing that it may be happening now, and to us. American military leaders today cannot conceive of the possibility that their Secret (SIPRNET) is compromised, but several experts I spoke to are convince that it is.” — then read about Bradley Manning and WikiLeaks in *all* the newspapers in November/December 2010. I think it would be prudent to consider what else Mr. Clarke has to say.

Posted by DoctorJava on April 4,2012 | 09:20 PM

Iranians aren’t producing bomb grade Uranium? Do the people who make such statements have any education at all? Are they just parroting what they see and hear on their favorite lame-stream media outlets? All it takes to know what’s going on is a basic chemistry class. All nuclear power plants use bomb grade Uranium (U-235). They must in order to start a chain reaction to produce energy. They also must keep the amount of U-235 below a certain level, known as critical mass, so that it cannot SUSTAIN a chain reaction and therefore be controlled rather than exploding. So if you are going to build a nuclear power plant you must have “bomb grade” Uranium or it won’t produce electricity. The key is the amount of U-235 and for anyone to build a nuclear power plant, how is anyone to know exactly HOW MUCH U-235 they are producing? Also, all you wanna-be genii out there might like to know that when U-235 undergoes fission it breaks down into Plutonimum 239 which is the primary ingredient in nuclear weapons. ALL NUCLEAR POWER PLANTS PRODUCE THE BEST ELEMENT FOR USE IN NUCLEAR WEAPONS AS THEIR WASTE PRODUCT!!!!

Posted by Klack Brognerstein on April 4,2012 | 03:45 PM

@frank de paola: Caine was in Funeral in Berlin and The Ipcress file. Richard Burton was in The Spy who came in from the cold.

Posted by rich on April 3,2012 | 02:20 PM

“The U.S. government doesn’t hack its way into Airbus and give Airbus the secrets to Boeing [many believe that Chinese hackers gave Boeing secrets to Airbus]. We don’t hack our way into a Chinese computer company like Huawei and provide the secrets of Huawei technology to their American competitor Cisco.” LOL. Seriously? Really Mr. Clarke? Are these the “insights” you’re providing to your clients? Maybe they’d do well to look else for the truth then, because when the EU went looking for a little system called ECHELON back in 2001, they filed a nice report that showed, miracle of miracles – the United States was quite actively intercepting communications from a variety of sources and relaying it back to interested parties. Anyone can search out the “EU report on ECHELON” and find the pdf – but here’s a hilarious rebuttal to this Mr. Clarke’s assertions – it’s in section 10.7 “Published Cases”. (source: Here’s the DIRECT QUOTE on the aim of the intercept note that it’s *exactly* what Clarke claims doesn’t happen: Forwarding of information to Airbus’s US competitors, Boeing and McDonnell-Douglas CONSEQUENCE : Boeing won the bid. I realize the massive intelligence failures of the American defense industry on a variety of levels, but this guy’s pedalling this stuff in the private sector now. At the very least, he shouldn’t humiliate himself by demonstrating his cluelessness on a subject even a grade schooler could discover and rebut.

Posted by Torsten Mueller on April 3,2012 | 10:39 AM

Why would China go through all the trouble? All our bleeding edge technology is already there. Don’t believe me? Go look where Applied Materials has set up shop. Just one of many. TSMC is now advising managers in the US to shut down their design teams and let their people do it for a fraction of the cost. They claim their people understand how to properly design chips for TSMC’s advanced fab, and ours don’t and won’t because they are not inclined to tell us.

Posted by Keith Ackermann on April 3,2012 | 09:49 AM

@Frank De Paola… In matters like this it is important to be precise, and correct: both films starred Michael Caine.

Posted by Nicholas Arno on April 3,2012 | 08:36 AM

All of the R & D info China can steal does them no good without a market for they produce. China is getting rich off manufacturing products developed by other countries, products which they then sell back, at a profit, to the countries whose expensive R & D developed those products to begin with. Why would they want to change that equation when it is working so well for them? R & D is expensive and manufacturing is cheap when you have China’s most important asset, which is a large and still growing population.

Posted by Phoenix on April 2,2012 | 03:50 PM

United States’ intelligence agencies have determined that Iran does not have a nuclear weapons program and that it is complying with the Nonproliferation Treaty, which allows it to enrich uranium, but not to weapons-grade. Yet, Rosenbaum ignores the findings of the intelligence community and the IAEA, which has inspected Iran’s nuclear facilities, to claim that, at Iran’s nuclear plant in Natanz, “gas centrifuges spin like whirling dervishes, separating bomb-grade uranium-235 isotopes from the more plentiful U-238.” Imagine my dismay at finding such blatant disinformation in the first article I read in my new subscription to the Smithsonian magazine. I suppose I should thank Rosenbaum for giving our household a new, useful catchphrase. When my wife entered the kitchen and said, “Somebody ate half the apple pie,” I said “your pulling a Smithsonian.”

Posted by John on April 1,2012 | 11:39 AM

I was once told (by a consultant) that there are three kinds of consultants: 1) the ones who tell you that you have a problem, 2) the ones who also tell you what the problem is, 3) the ones who also tell you how to fix the problem. Based on this story, I’d rate Richard no higher than 1.5. Seems to me he’s got some ideas about what the problem is that are half-right, and I think I’m being generous. One of the root causes of the cybersecurity problems he’s pointing out is that, to paraphrase an expression used in Venice about water, “bits have no bones” — they can go through just about any medium that’ll pass data, carrying malware with them. People in a position of trust are today handed software that’s inadequately prepared to protect data once malware is present, and the people themselves are not really trained to be aware of how easy it is to slip malware through most any filter that’s put in place (think about it — how did Stuxnet make it into Natanz?). There are quite a few people around who can tell you many of the properties that any real cybersecurity solution would have, and I don’t hear him talking about any of them. But anyone who claims to have “the” solution is unlikely to be completely right either — this is a complicated situation we’re in, and no simple solution will get us out of it. And of course, we also have the hawks coming out to help. Counterattacks? You first need a defensible position or your attacks will just spur your competition to imaginative new heights. Oh, wait, we already have.

Posted by StevenearChicago on April 1,2012 | 08:57 AM

The Michael Caine movie was The Ipcress File. Author may be confusing it with Funeral in Berlin starring Richard Burton.

Posted by frank de paola on March 29,2012 | 04:21 PM

“The U.S. government doesn’t hack its way into Airbus and give Airbus the secrets to Boeing” She doesn’t?

Posted by Jan Jansen on March 29,2012 | 04:20 PM

According to the media, Iran centrifuges are not producing bomb grade Uranium. At best the produce 20% and bomb grade is 90%. If Iran gets that close, we will attack them.

Again that is all according to the media. So are the media reports a lie and Iran already has weapons grade uranium? And hence we already have our excuse to attack Iran?

Or did you get something wrong? Or just making the story an interesting read on purpose?

Posted by Alexander Higgins on March 28,2012 | 10:26 PM


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s