Jeffrey Carr was working for Microsoft as a business analyst and blogging after-hours about the shadowy realm of intelligence analysis when war between Russia and Georgia broke out in 2008. At the behest of his readers in the intelligence community, Carr made a foray into their world, leading a successful crowdsourced project that determined the Russian government had been behind a series of hacks of Georgian websites. Since then Carr has started a digital security firm, Taia Global; written an authoritative overview of hack attacks, “Inside Cyber Warfare”; and become an adjunct professor at George Washington University, where he will teach a course on cyberconflict this year. With a rash of cyberattacks in the Middle East and U.S. Defense Secretary Leon Panetta warning of a possible “cyber Pearl Harbor,” Carr was in constant demand last year. DISCOVER reporter Valerie Ross spoke with him about the rapidly evolving global digital threat.
Stuxnet, the computer worm that damaged uranium centrifuges in Iran in 2010, was back in the news last year. Why is it so significant?
Nobody had ever launched that kind of targeted cyberattack before. At first Stuxnet just looked like a piece of malware that had compromised a Windows product. It took several months to understand that it was a highly sophisticated piece of code. Stuxnet had found four vulnerabilities that allowed it to take over the system and make it do something that it wasn’t originally programmed to do. Stuxnet was also designed to work in stages. The initial infection could occur in many systems, but it was only active in a specific type of system with a certain configuration, or else it just sat there and did nothing. Looking back, we now know exactly what it was designed to sabotage: the Iranian nuclear fuel enrichment plant at Natanz, which uses centrifuges to enrich uranium.
What have we learned about who created Stuxnet?
Last year [New York Times] reporter David Sanger took all of the available material about Stuxnet and organized it into a very convincing argument that the United States was behind it. Someone with access to classified information spoke with Sanger and leaked the name of the operation: Olympic Games.
What are the consequences of knowing that the United States was responsible?
There was deniability before that it might not have been this country. Now there’s not really any deniability, and that weakens our negotiating posture. You have the United States at least one time—possibly multiple times—attacking Iranian networks. So how do we feel justified in warning Iran not to attack U.S. networks? It’s as if I’m standing there slapping someone and they slap me back, and then I’m outraged that they had the audacity to do that.
You have studied another attack on Iran—a virus nicknamed Flame that struck last May and eventually spread to half a dozen countries. What do we know about it?
It was like a tool kit, with lots of different modules that did different things. With Flame you could record video or voice calls, monitor Bluetooth access, copy data, or erase all the data on a server. Because of the security it was able to break, it was clear that some very smart engineers with access to a supercomputer must have been involved. Also, there are some similarities in the code between Flame and Stuxnet, and that means that the people who created Flame would probably be, if not the same people who created Stuxnet, then allies of those people.
On the other side, the Saudi Arabian oil company Saudi Aramco suffered a devastating cyberattack last fall. What happened there?
The scale of that attack was big. It involved about 30,000 workstations and 2,000 servers. Saudi Aramco had to replace all those hard drives. That hardware alone would be a multimillion-dollar bill.
Who was behind it?
I was contacted by people from Saudi Aramco who said this was an insider attack. Whoever was involved worked for Saudi Aramco in one of its offices in the West or in Asia. If you want to infect a company, you don’t need to go into headquarters. You just need to go into some local office with computers on the network and have somebody plug in a spoiled USB drive. And there’s reason to believe that Iran was involved at a distance, because they wanted to send a message to Saudi Aramco not to increase their oil production.
What is the evidence that Iran may have been involved?
It seemed like the attack was reverse engineered from Wiper, a program used in April against the Iranian Oil Ministry to extract data from and then destroy its servers. No one outside of Iran, not even researchers, had a copy of Wiper, because it would infect a server and then destroy itself and the server.
In a much-discussed speech last October, Defense Secretary Panetta warned of a cyberattack on the scale of Pearl Harbor that could damage America’s infrastructure and lead to human casualties. How plausible is that?
Theoretically it’s certainly possible to cause huge amounts of chaos and destruction. But no rational actor is going to bring that much harm to the United States. With globalization, with multinational companies that do business around the world, no one who’s rational wants that. The only people who want that are what I would call irrational actors, especially religious fanatics, and that includes extremist groups that live right here in this country. Fortunately, none of those groups currently have the capability of initiating these attacks. There was an Al Qaeda video released earlier last year in which they were actively recruiting software engineers to attack critical infrastructure. The good news is, this means they don’t have any right now. But it’s just a matter of time.
What cybersecurity threats do you see looming this year?
I’ve noticed a trend: Every year, around the New Year, there’s an announcement of a major breach. You had an attack on Google by the Chinese government announced in January 2010. In March 2011 there was an attack on RSA, an Internet security company. In December 2011 there was a breach of the Stratfor Global Intelligence Service. Each time it’s been getting bigger and more dramatic. Who knows what attack will kick off the New Year? But there certainly will be one.