Bamford has made his career as a muckraking journalist pulling back the curtains on the U.S. intelligence community, so he would have appeared to be well-suited to write this piece. And Bamford’s early summary of Alexander’s importance – “Never before has anyone in America’s intelligence sphere come close to his degree of power, the number of people under his command, the expanse of his rule, the length of his reign, or the depth of his secrecy” – is spot on.
Unfortunately, it all goes downhill from there.
Bamford subsequently implies that Alexander was responsible for the intelligence failure of 9/11 and the prisoner abuse scandal at Abu Ghraib prison, amongst other misdeeds. He castigates Alexander has being “militant about secrecy,” which, pardon my naivete, I thought was supposed to be a good thing in the head of a spy agency (?!?). He then identifies Alexander as the mastermind behind Stuxnet, the blowback from which Bamford somehow sees as being responsible for all cyber threats, which he implies Alexander has exaggerated in order to gain more funding (“despite the sequestration, layoffs, and furloughs in the federal government, it’s a boom time for Alexander,” Bamford reports) and, again completely through innuendo, personal wealth someday as an executive.
Now this could all be true, even if it begs the question of how somebody so outstandingly incompetent was confirmed as NSA Director and received a fourth star. For all I know, General Alexander could be a cross between Dr. Evil and Lord Voldemort who drives ten miles under the speed limit in the passing lane and hunts endangered animals on the weekends. But Bamford’s presentation of the history of cyberthreats is inaccurate enough to suggest this was never intended to be anything more than a hit piece.
Genearl Keith Alexander: The man responsible for all the deposed Nigerian prince emails you've ever received? |
Bamford also states that Stuxnet "proved that one successful cyberattack begets another," suggesting that the malware's discovery in July 2010 was starting point for all the cyberwar/cybersecurity threats we face today. Yet in April 2007 Estonian websites were disabled by a DDOS (distributed denial of service) attack from a Russian source in retaliation for the removal of a statue honoring Soviet forces killed in World War II, and when Georgia deployed troops to quell a violent separatist movement in South Ossetia in 2008, another DDOS attack crippled its government networks as Russian troops invaded Georgia. Similarly, in July 2009 North Korea launched a massive DDOS attack using hundreds of thousands of infected computers against U.S. and South Korean government websites. All these attacks (which don't include the plethora of cyberattacks by anonymous hackers, either criminal/individuals/organized collectives) predate Stuxnet's discovery. Thus, Bamford's implication that all of our cyber troubles can be laid at Alexander's doorstep is . . . well, bunk.
Moreover, even if one assumes the 2012 attacks on Saudi Aramco and Ras Gas by the Iranian-initiated Shamoon virus were direct retribution for Stuxnet (which is certainly possible), Bamford seems to assume that Iran would not be interested in cyberweapons if not for the cyber attack on the Natanz centrifuges. Again, this is ridiculous. Given the perceived vulnerability of U.S. military and/or governmental networks to cyber attack, any nation seeking an advantage against U.S. forces would naturally pursue cyber as an asymmetric strategy. For example, in 1999 Chinese strategists Qiao Lian and Wang Xiangsui wrote in Unrestricted Warfare that China could use cyber warfare to make up for its qualitative military deficiencies vis-a-vis the United States, and as Richard Clarke and Robert Knake note in Cyber War: "Since the late 1990s, China has systematically done all the things a nation would do if it contemplated having an offensive cyber war capability." (p.54) Similarly, since Desert Storm, Iran has concentrated on developing an asymmetric capabilities to counter U.S. forces (i.e. EFPs in Iraq; reliance on speed boats armed with torpedos conducting suicide attacks on larger ships in the Straits of Hormuz). So to claim, as Bamford does, that the only reason Iran now has a cyber capability is because of Stuxnet is either disingenuous or naive.
This is not to say there aren't legitimate questions to be asked regarding Alexander, including:
- How much access to domestic communications should an intelligence agency be permitted?Unfortunately, Bamford comes off either so misinformed or vindictive (i.e. directly comparing Alexander to J. Edgar Hoover) that this piece fails to shed much light on these issues.
- Should one man should head both the NSA and Cyber Command (particularly if Admiral Stavridis is correct that Cyber Command should be made a operational command)?
- Does the potential blowback of creating an expanding market in zero-day vulnerabilities because U.S. intelligence agencies are buying large quantities of zero-day vulnerabilities outweighs these vulnerabilities potential usefulness in offensive cyberwar?
No comments:
Post a Comment