This doesn’t prove that Cartwright was a source—and certainly not that he was the sole, or even main, source. In fact, Sanger wrote that his Times story was “based on interviews over the past 18 months with current and former American, European and Israeli officials involved in the program, as well as a range of outside experts.”
Nor is it clear what impact the Times story had on U.S. security. Jane Harman, a former California congresswoman who served on the House Intelligence Committee, said at the time that the leak was “very damaging” and had “devastating consequences.” It is true, the Iranians eventually discovered and disabled the bug. More than that, they unleashed a retaliatory cyber-strike, known as the Shamoon virus, which destroyed the hard drives of 30,000 computers at the headquarters of Aramco, the global oil company based in Saudi Arabia, and beamed on all of its computer screens an image of a burning American flag.
But did the Iranians find the Stuxnet bug and unleash their own strike as a result of the Times story, whoever its source or sources might have been? Doubtful.
First, Sanger reports in his book that, as the result of an Israeli programming error, the Stuxnet virus leaked out across the global Internet in the summer of 2010—two years before the Times story. Second, right after the intriguing passage in Sanger’s book, where Cartwright says the cyber program shouldn’t be kept secret, there is the following, equally intriguing paragraph:
An intelligence officer disagreed [with Cartwright]: “Everybody who needs to know what we can do, knows,” he said. “The Chinese know.” And the Iranians, he added, “are probably figuring it out.”
One former cybersecurity official told me today, in response to a question about the impact of the leak, “Iran already figured it out”—that is, the Iranians knew about Stuxnet and figured out how to defeat it—before the Times story appeared.
The chronology tends to support that view. The Iranians launched the Shamoon virus on Aug. 15, 2012, only two and a half months after the Times story. It’s possible that they could have found the Stuxnet bug, deactivated it, and planned an ambitious counterpunch in that short time span—but not likely.
None of this speaks to Cartwright’s legal situation. If he did what the Justice Department suspects him of doing, he’s in trouble, regardless of whether his actions damaged national security.
However, the whole episode should raise serious questions—it should prompt a real national debate—about the larger subject of leaks. As every Washington insider knows, the government runs on leaks. They operate on various levels. Presidents and their aides leak to float balloons or rally support for their positions. (Many people thought at the time that the Stuxnet leak came from the White House, to show that Obama was wrecking Iran’s nuclear program without having to drop bombs.) Opponents leak to dampen support for those programs. Mid- to high-level bureaucrats leak to push their programs over competing programs. Finally, whistle-blowers or low-level functionaries, with no links in the power chain, leak for personal reasons or to call attention to activities that they think are wrong.
The whistle-blowers tend to get prosecuted. The higher-ups almost never do. If Cartwright is indicted, that will change, and it will mean that you can have power and still get hammered for freelance leaking. The key term here, though, is “freelance.” The highest-level leaks will still get a pass, will still be a vital tactic in the Washington power games. Should the bar be raised higher? Should it be lowered? Should the whole enterprise be reassessed?
One thing that everyone knows: Way too much information is classified, and way too many people have clearances. Rosa Brooks, a former Pentagon official, recently wrote in Slate sister publication Foreign Policy that she once asked a colleague why some innocuous memo he’d written was classified Top Secret. He replied that if it weren’t, no one would read it. This is the culture that’s stifling debate, that’s keeping the cloak of secrecy on matters that should be open—or at least open to discussion on whether they should be kept secret, and on what really is vital to national security and what isn’t.