Who Leaked the Stuxnet Virus Story?

Military analysis.
June 28 2013 5:28 PM

Why retired Gen. James Cartwright is facing allegations—and could be the first higher-up to go down.

Gen. James E. Cartwright

Photo by Hyungwon Kang/Reuters

In one way, it’s a big surprise that the Justice Department is investigating retired Gen. James “Hoss” Cartwright for allegedly leaking classified information about the Stuxnet computer virus, which briefly disabled Iran’s nuclear program a few years back.

In another way, though, it’s not a surprise at all.

It’s surprising because four-star generals, active or retired, aren’t the usual targets of such probes. This is especially so of a general like Cartwright, who, from 2007–11, was vice chairman of the Joint Chiefs of Staff—the U.S. military’s second-highest-ranking officer—and who, in his final years, was known as “Obama’s favorite general.” Officers of this stature tend to build layers of insulation around themselves.

But Cartwright was unusual in that respect. As one former senior defense official described him, he was “a lone wolf.” He was very smart, a policy intellectual on the level of Gens. David Petraeus and James Mattis, but he had no protective layers, no inner circle of loyalists, and no talent (or desire) for building alliances with his fellow officers. To the contrary, he would often work up his own ideas, his own position papers, and brief them to his civilian superiors outside the military chain of command. As vice chairman, several officials say, he would sometimes brief Obama himself—the two had a similar style of crisp, analytical thinking—then come back to the Pentagon without telling his boss, the chairman, Adm. Mike Mullen, what he’d said.

The big rupture came in the fall of 2009, during the National Security Council meetings on how to proceed with the war in Afghanistan. President Obama kept asking the chiefs for more options on troop levels, something in between Vice President Joe Biden’s pitch for just 10,000 more troops and Gen. Stanley McChrystal’s recommendation of at least 40,000 more. Mullen never provided them. Cartwright wrote a paper, on his own, for what could be done with 20,000 more and 30,000 more. Mullen suppressed the study and chewed Cartwright out for doing it. In an end-run, Cartwright gave the study to one of Biden’s aides. Mullen and the other chiefs were furious.

Two things drove Cartwright to take that step. First, he was a straight shooter (he was nicknamed “Hoss,” after an honest character named Hoss Cartwright on the old TV show Bonanza). He thought the military should respond to a president’s request, and since nobody else was doing it, he did it himself. But most other generals in his position would first try to get other officers, or maybe the secretary of defense, to buy in. Cartwright, the lone wolf, didn’t do that.

As a result, whenever Cartwright got into trouble, there was nobody who felt compelled to stand up for him. Around the same time as the flap over Afghanistan policy, the military’s inspector general investigated Cartwright on charges of having an affair with a female subordinate. The IG report accused him of misconduct. The secretary of the Navy, a civilian, took no disciplinary action, but the report alienated Cartwright still further from his military colleagues, many of whom regard such behavior as a serious breach of the military code.

When Mullen prepared to step down as JCS chairman in 2011, rumors flew that Obama would appoint Cartwright as his successor. But several advisers, including Secretary of Defense Robert Gates, warned the president that Cartwright had no support from the other chiefs and no ability to craft consensus on military policy. Obama appointed Gen. Martin Dempsey to be chairman instead. Cartwright retired from the Marine Corps after a 40-year career.

Here’s the biggest problem now with being the lone wolf: If the Justice Department continues its probe and winds up indicting Cartwright for violating his security oath, it’s unlikely that any officers will leap to his defense in this crisis either. It’s a fair guess, in fact, that some of those officers may have pointed prosecutors in his direction.

No evidence of his possible guilt or innocence has been publicized (Cartwright’s lawyer issued a no-comment on the news reports), but the charge is not implausible. Cartwright was chief of U.S. Strategic Command, in Omaha, Neb., from 2004–07. (For the story of how a Marine general came to be head of StratCom—an unprecedented appointment, since StratCom deals mainly with the nuclear arsenal and the Marines have no nuclear weapons—click here.) At the time, the military’s main cyber-warfare unit was embedded in StratCom. (In 2009, an independent U.S. Cyber Command was created at Fort Meade, Md., alongside the National Security Agency.) Operation Olympic Games, aka Stuxnet, was created in 2006. Cartwright was involved in its creation and briefed the program to Presidents Bush and, later, Obama.

Details about Stuxnet were first revealed on June 1, 2012, in a New York Times story by David Sanger. Cartwright was one of the few officials involved in the program that Sanger identified by name. In a book that Sanger subsequently wrote, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power, this intriguing passage appears on Page 269:

One of the creators of the government’s offensive cyber strategy, Gen. James Cartwright, makes a compelling case that the secrecy [of the cyber program] may be working against American interests. “You can’t have something that’s a secret be a deterrent,” he argued shortly after leaving his post as vice chairman of the Joint Chiefs of Staff. “Because if you don’t know it’s there, it doesn’t scare you.”

This doesn’t prove that Cartwright was a source—and certainly not that he was the sole, or even main, source. In fact, Sanger wrote that his Times story was “based on interviews over the past 18 months with current and former American, European and Israeli officials involved in the program, as well as a range of outside experts.”

Nor is it clear what impact the Times story had on U.S. security. Jane Harman, a former California congresswoman who served on the House Intelligence Committee, said at the time that the leak was “very damaging” and had “devastating consequences.” It is true, the Iranians eventually discovered and disabled the bug. More than that, they unleashed a retaliatory cyber-strike, known as the Shamoon virus, which destroyed the hard drives of 30,000 computers at the headquarters of Aramco, the global oil company based in Saudi Arabia, and beamed on all of its computer screens an image of a burning American flag.

But did the Iranians find the Stuxnet bug and unleash their own strike as a result of the Times story, whoever its source or sources might have been? Doubtful.

First, Sanger reports in his book that, as the result of an Israeli programming error, the Stuxnet virus leaked out across the global Internet in the summer of 2010—two years before the Times story. Second, right after the intriguing passage in Sanger’s book, where Cartwright says the cyber program shouldn’t be kept secret, there is the following, equally intriguing paragraph:

An intelligence officer disagreed [with Cartwright]: “Everybody who needs to know what we can do, knows,” he said. “The Chinese know.” And the Iranians, he added, “are probably figuring it out.”

One former cybersecurity official told me today, in response to a question about the impact of the leak, “Iran already figured it out”—that is, the Iranians knew about Stuxnet and figured out how to defeat it—before the Times story appeared.

The chronology tends to support that view. The Iranians launched the Shamoon virus on Aug. 15, 2012, only two and a half months after the Times story. It’s possible that they could have found the Stuxnet bug, deactivated it, and planned an ambitious counterpunch in that short time span—but not likely.

None of this speaks to Cartwright’s legal situation. If he did what the Justice Department suspects him of doing, he’s in trouble, regardless of whether his actions damaged national security.

However, the whole episode should raise serious questions—it should prompt a real national debate—about the larger subject of leaks. As every Washington insider knows, the government runs on leaks. They operate on various levels. Presidents and their aides leak to float balloons or rally support for their positions. (Many people thought at the time that the Stuxnet leak came from the White House, to show that Obama was wrecking Iran’s nuclear program without having to drop bombs.) Opponents leak to dampen support for those programs. Mid- to high-level bureaucrats leak to push their programs over competing programs. Finally, whistle-blowers or low-level functionaries, with no links in the power chain, leak for personal reasons or to call attention to activities that they think are wrong.

The whistle-blowers tend to get prosecuted. The higher-ups almost never do. If Cartwright is indicted, that will change, and it will mean that you can have power and still get hammered for freelance leaking. The key term here, though, is “freelance.” The highest-level leaks will still get a pass, will still be a vital tactic in the Washington power games. Should the bar be raised higher? Should it be lowered? Should the whole enterprise be reassessed?

One thing that everyone knows: Way too much information is classified, and way too many people have clearances. Rosa Brooks, a former Pentagon official, recently wrote in Slate sister publication Foreign Policy that she once asked a colleague why some innocuous memo he’d written was classified Top Secret. He replied that if it weren’t, no one would read it. This is the culture that’s stifling debate, that’s keeping the cloak of secrecy on matters that should be open—or at least open to discussion on whether they should be kept secret, and on what really is vital to national security and what isn’t.