Blowback: Stuxnet and the Ongoing Risk to Manufacturing Worldwide

Dear Chevron: Thanks for letting us know you’ve been infected with Stuxnet. It’s difficult to muster sympathy for your management or shareholders, because you were warned. This guy quite clearly warned your industry, as did other firms specializing in technology security.

Every single manufacturer around the world using supervisory control and data acquisition (SCADA) driven equipment in their processes was warned. Businesses at particular risk are those relying on certain ubiquitous applications in a networked environment.

Perhaps you heeded the warning months ago but didn’t disclose widely that your business was working on eliminating the exposures. If your business has been hardening your systems, great. However, the public does have a right to know if your plant located in their backyard might blow up or release toxic chemicals because your firm was exposed to cyber warfare elements our country sponsored in some fashion.

This goes for any other firms out there that are dealing with the same exposure. Perhaps you believe it’s a business intelligence risk to let your competitors know you’ve got a problem– frankly, we’re way past that. The potential risks to the public outweigh your short-term profitability, and if your plant blows up/dumps chemicals/produces unsafe or faulty products because of Stuxnet, our public problem becomes your public relations/long-term shareholder value problem anyhow.

By the way: perhaps it might be worthwhile to actively recruit American citizens who qualify for security clearance when hiring SCADA application analysts to fix your Stuxnet problems. Why compound your problem for lack of foresight with regard to national security risks? We can see you’re hiring. Ahem.

Breaking: Panetta Equating Crude Iranian Cyberattacks with Pearl Harbor, Iran Infiltrated Aramco

Today, the NYT–serving its role as spokesperson for the Cold War against Iran–confirms what blabby Joe Lieberman told CSPAN last month: the government suspects Iran was behind a series of crude cyberattacks on US banks.

Or to put it differently, Leon Panetta wants us to be more afraid of crude DNS attacks on US online banking sites than he wants us to be of the orders of magnitude greater damage the banks cause all by themselves. Because … Iran!

More interesting is the widely reported speculation we think Iran was behind the more serious attack on Aramco.

The attack under closest scrutiny hit Saudi Aramco, the world’s largest oil company, in August. Saudi Arabia is Iran’s main rival in the region and is among the Arab states that have argued privately for the toughest actions against Iran. Aramco, the Saudi state oil company, has been bolstering supplies to customers who can no longer obtain oil from Iran because of Western sanctions.

The virus that hit Aramco is called Shamoon and spread through computers linked over a network to erase files on about 30,000 computers by overwriting them. Mr. Panetta, while not directly attributing the strike to Iran in his speech, called it “probably the most destructive attack that the private sector has seen to date.”

Until the attack on Aramco, most of the cybersabotage coming out of Iran appeared to be what the industry calls “denial of service” attacks, relatively crude efforts to send a nearly endless stream of computer-generated requests aimed at overwhelming networks. But as one consultant to the United States government on the attacks put it several days ago: “What the Iranians want to do now is make it clear they can disrupt our economy, just as we are disrupting theirs. And they are quite serious about it.”

That’s interesting not because the attack did real damage–it didn’t, because it hit the business, not the production, computers.

Saudi Aramco has said that only office PCs running Microsoft Windows were damaged. Its oil exploration, production, export, sales and database systems all remained intact as they ran on isolated and heavily protected systems.

“All our core operations continued smoothly,” CEO Khalid Al-Falih told Saudi government and business officials at a security workshop on Wednesday.

“Not a single drop of oil was lost. No critical service or business transaction was directly impacted by the virus.”

It’s interesting because the malware was introduced into the Aramco network by an insider.

One or more insiders with high-level access are suspected of assisting the hackers who damaged some 30,000 computers at Saudi Arabia’s national oil company last month, sources familiar with the company’s investigation say.

[snip]

The hackers’ apparent access to a mole, willing to take personal risk to help, is an extraordinary development in a country where open dissent is banned.

“It was someone who had inside knowledge and inside privileges within the company,” said a source familiar with the ongoing forensic examination.

Once you translate the NYT’s spin, here’s what we’re left with:

  • We’re supposed to treat cyberattacks by Iran as an existential threat, even though they expose Iran’s relative impotence in the cyber sphere.
  • We’re supposed to get panicked about computers here at home because Iran succeeded in human espionage with Aramco.

And while Panetta cries wolf over and over, the banksters and the oil companies continue to do real damage he ignores.

Panetta Misses Underlying Problem with Cyberwhines

We can play a game we often play here at emptywheel with Leon Panetta’s address on cybersecurity last night. For each major attack he discusses or potential threat he envisions, there is an equivalent one that has or could easily happen without the cyber component.

Panetta talks about the Shamoon malware that hit Aramco infecting 30,000 computers.

But even more alarming is an attack that happened two months ago when a very sophisticated virus called Shamoon infected computers in the Saudi Arabian State Oil Company Aramco. Shamoon included a routine called a ‘wiper’, coded to self-execute. This routine replaced crucial systems files with an image of a burning U.S. flag. But it also put additional garbage data that overwrote all the real data on the machine. More than 30,000 computers that it infected were rendered useless and had to be replaced. It virtually destroyed 30,000 computers.

But how did that do more damage than the Richmond Refinery fire and subsequent spike in gas prices, likely caused by a corroded pipe neglected in a recent turnaround? How did that do more damage than the damage BP, Transocean, and Halliburton did when their negligence led to the Deepwater Horizon spill, which still appears to be leaking 31 months later?

Panetta talks about DDoS attacks on banks that disrupted customer websites.

In recent weeks, as many of you know, some large U.S. financial institutions were hit by so-called Distributed Denial of Service attacks.  These attacks delayed or disrupted services on customer websites.  While this kind of tactic isn’t new, the scale and speed with which it happened was unprecedented.

How is this worse than the damage done by repeated flash crashes and other irregularities caused by high frequency trading? To say nothing of the damage done by reckless gambling during the housing crisis, which wiped out trillions of dollars in wealth?

Panetta talks about passenger or transport trains derailing.

They could, for example, derail passenger trains or even more dangerous, derail trains loaded with lethal chemicals.

Apparently Panetta is unaware that trains derail all the time, and even spill dangerous chemicals, often because of operational or maintenance issues.

To some degree we could continue this game indefinitely, always finding an equivalent threat to the imagined or real threat posed by a cyberattack.

But there is a logic to the game: it reveals not only that Panetta is fearmongering while ignoring the reality of equally or more dangerous non-cyber threats.

It suggests that he–and frankly, the rest of government trying to address this problem–misunderstands why corporations are not responding to the serial fearmongering about cyber. If corporations refuse to take obvious precautions against cyberthreats, but also refuse to take obvious precautions against non-cyberthreats, it suggests the problem is not the cyber component in the least.

The problem is that these corporations don’t want to–and in many cases refuse to–take obvious precautions against risk in general.

This suggests, then, that these corporations have not been given the sufficient combination of carrot and stick generally to mitigate obvious risks. And giving them immunity for cyber-negligence is likely not going to mitigate the threat reckless, negligent corporations pose to our society, whether because our enemies cause them to do things, or whether they do them of their own accord.

The problem is a culture that encourages corporations to skirt all accountability. No amount of fancy programmers are going to change that by themselves.

Chris Hedges et al. Win Another Round On the NDAA

You may remember back in mid May Chris Hedges, Dan Ellsberg, Jennifer Bolen, Noam Chomsky, Alexa O’Brien, Kai Wargalla, Birgitta Jonsdottir and the US Day of Rage won a surprising, nay stunning, ruling from Judge Katherine Forrest in the Southern District of New York. Many of us who litigate felt the plaintiffs would never even be given standing, much less prevail on the merits. But, in a ruling dated May 16, 2012, Forrest gave the plaintiffs not only standing, but the affirmative win by issuing a preliminary injunction.

Late yesterday came even better news for Hedges and friends, the issuance of a permanent injunction. I will say this about Judge Forrest, she is not brief as the first ruling was 68 pages, and today’s consumes a whopping 112 pages. Here is the setup, as laid out by Forrest (p. 3-4):

Plaintiffs are a group of writers, journalists, and activists whose work regularly requires them to engage in writing, speech, and associational activities protected by the First Amendment. They have testified credibly to having an actual and reasonable fear that their activities will subject them to indefinite military detention pursuant to § 1021(b)(2).

At the March hearing, the Government was unable to provide this Court with any assurance that plaintiffs’ activities (about which the Government had known–and indeed about which the Government had previously deposed those individuals) would not in fact subject plaintiffs to military detention pursuant to § 1021(b)(2). Following the March hearing (and the Court’s May 16 Opinion on the preliminary injunction), the Government fundamentally changed its position.

In its May 25, 2012, motion for reconsideration, the Government put forth the qualified position that plaintiffs’ particular activities, as described at the hearing, if described accurately, if they were independent, and without more, would not subject plaintiffs to military detention under § 1021. The Government did not–and does not–generally agree or anywhere argue that activities protected by the First Amendment could not subject an individual to indefinite military detention under § 1021(b)(2). The First Amendment of the

Appeals Court Treats Commissary Gatorade Supplies as a “Clear and Present Danger”

Navy v. Egan–the SCOTUS case Executive Branch officials always point to to claim unlimited powers over classification authority–just got bigger.

Berry v. Conyers extends the national security employment veto over commissary jobs

The original 1988 case pertained to Thomas Egan, who lost his job as a laborer at a naval base when he was denied a security clearance. He appealed his dismissal to the Merit Systems Protection Board, which then had to determine whether it had authority to review the decision to fire him based on the security clearance denial. Ultimately, SCOTUS held that MSPB could not review the decision of the officer who first fired Egan.

The grant or denial of security clearance to a particular employee is a sensitive and inherently discretionary judgment call that is committed by law to the appropriate Executive Branch agency having the necessary expertise in protecting classified information. It is not reasonably possible for an outside, nonexpert body to review the substance of such a judgment, and such review cannot be presumed merely because the statute does not expressly preclude it.

Unlike Egan, the plaintiffs in this case did not have jobs that required they have access to classified information. Nevertheless, plaintiffs Rhonda Conyers (who was an accounting clerk whose “security threat” pertained to personal debt) and Devon Haughton Northover (who worked in a commissary and also charged discrimination) were suspended and demoted, respectively, when the government deemed them a security risk.

In a decision written by Evan Wallach and joined by Alan Lourie, the Federal Circuit held that the Egan precedent,

require[s] that courts refrain from second-guessing Executive Branch agencies’ national security determinations concerning eligibility of an individual to occupy a sensitive position, which may not necessarily involve access to classified information.

That is, the Federal government can fire you in the name of national security if you have a “sensitive” job, whether or not you actually have access to classified information.

As Timothy Dyk’s dissent notes, the effect of this ruling is to dramatically limit civil service protections for any position the government deems sensitive, both within DOD–where both Conyers and Northover work–and outside it.

Under the majority’s expansive holding, where an employee’s position is designated as a national security position, see 5 C.F.R. § 732.201(a), the Board lacks jurisdiction to review the underlying merits of any removal, suspension, demotion, or other adverse employment action covered by 5 U.S.C. § 7512.

[snip]

As OPM recognizes, under the rule adopted by the majority, “[t]he Board’s review . . . is limited to determining whether [the agency] followed necessary procedures . . . [and] the merits of the national security determinations are not subject to review.”

In doing so, the dissent continues, it would gut protection against whistleblower retaliation and discrimination.

As the Board points out, the principle adopted by the majority not only precludes review of the merits of adverse actions, it would also “preclude Board and judicial review of whistleblower retaliation and a whole host of other constitutional and statutory violations for federal employees subjected to otherwise appealable removals and other adverse actions.” Board Br. at 35. This effect is explicitly conceded by OPM, which agrees that the agency’s “liability for damages for alleged discrimination or retaliation” would not be subject to review. OPM Br. at 25. OPM’s concession is grounded in existing law since the majority expands Egan to cover all “national security” positions, and Egan has been held to foreclose whistleblower, discrimination, and other constitutional claims.

Tracking Gatorade supplies can now represent a “clear and present danger”

There are a couple of particularly troubling details about how Wallach came to his decision. In a footnote trying to sustain the claim that a commissary employee might be a national security threat, Wallach argues that Northover could represent a threat in the commissary by observing how much rehydration products and sunglasses service members were buying.

The Board goes too far by comparing a government position at a military base commissary to one in a “Seven Eleven across the street.”

[snip]

Commissary employees do not merely observe “[g]rocery store stock levels” or otherwise publicly observable information. Resp’ts’ Br. 20. In fact, commissary stock levels of a particular unclassified item – sunglasses, for example, with shatterproof lenses, or rehydration products – might well hint at deployment orders to a particular region for an identifiable unit.

Latest StuxNet Incarnation Resembles Alleged Project of Murdered GCHQ Officer

Kaspersky Labs has found a new incarnation of StuxNet malware, which they’ve called Gauss. As Wired summarizes, the malware is focused geographically on Lebanon and has targeted banks.

A newly uncovered espionage tool, apparently designed by the same people behind the state-sponsored Flame malware that infiltrated machines in Iran, has been found infecting systems in other countries in the Middle East, according to researchers.

The malware, which steals system information but also has a mysterious payload that could be destructive against critical infrastructure, has been found infecting at least 2,500 machines, most of them in Lebanon, according to Russia-based security firm Kaspersky Lab, which discovered the malware in June and published an extensive analysis of it on Thursday.

The spyware, dubbed Gauss after a name found in one of its main files, also has a module that targets bank accounts in order to capture login credentials. The malware targets accounts at several banks in Lebanon, including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets customers of Citibank and PayPal.

I find that interesting for a number of reasons. First, every time banks have squawked about our government’s access of SWIFT to track terrorist financing, the spooks have said if they don’t use SWIFT they’ll access the information via other means; it appears this malware may be just that. And the focus on Lebanon fits, too, given the increasing US claims about Hezbollah money laundering in the time since Gauss was launched. I’m even struck by the coincidence of Gauss’ creation last summer around the same time that John Ashcroft was going through the Lebanese Canadian Bank to find any evidence of money laundering rather than–as happens with US and European banks–crafting a settlement. I would imagine how that kind of access to a bank would give you some hints about how to build malware.

But the other thing the malware made me think of, almost immediately, was the (I thought) bogus excuse some British spooks offered last summer to explain the murder of Gareth Williams, the GCHQ officer–who had worked closely with NSA–who was found dead in a gym bag in his flat in August 2010. Williams was murdered, the Daily Mail claimed, because he was working on a way to track the money laundering of the Russian mob.

The MI6 agent found dead in a holdall at his London flat was working on secret technology to target Russian criminal gangs who launder stolen money through Britain.

[snip]

But now security sources say Williams, who was on secondment to MI6 from the Government’s eavesdropping centre GCHQ, was working on equipment that tracked the flow of money from Russia to Europe.

The technology enabled MI6 agents to follow the money trails from bank accounts in Russia to criminal European gangs via internet and wire transfers, said the source.

‘He was involved in a very sensitive project with the highest security clearance. He was not an agent doing surveillance, but was very much part of the team, working on the technology side, devising stuff like software,’ said the source.

He added: ‘A knock-on effect of this technology would be that a number of criminal groups in Russia would be disrupted.

‘Some of these powerful criminal networks have links with, and employ, former KGB agents who can track down people like Williams.’

Frankly, I always thought that explanation was bogus–I suggested that the Brits could just partner with the US to access such data via SWIFT. And whatever it means, I haven’t seen such an explanation since.

But I do find it rather interesting that one of the most prominent unsolved murders of a spook was blamed–at around the time the StuxNet people were working on Gauss–on a plan to track money laundering.

Nuke Site Breached Just Days After SSCI Moved to Eliminate Reporting on Nuke Site Security

I have been dawdling about writing this post, in which I explain that two of the reporting requirements the Senate Intelligence Committee rather stupidly, IMO, moved to eliminate last week pertain to the security of our nuclear labs.

Back when I criticized the plan to eliminate these reports in June, I wrote,

The bill would eliminate two reporting requirements imposed in the wake of the Wen Ho Lee scandal: that the President report on how the government is defending against Chinese spying and that the Secretary of Energy report on the security of the nation’s nuclear labs. Just last year, the Oak Ridge National Laboratory had to separate from the Internet because some entity–China would be a good candidate–had hacked the lab and was downloading data from their servers. Now seems a really stupid time to stop reporting on efforts to avoid such breaches.

In spite of these very obvious reasons, the Senate did indeed eliminate two reporting requirements pertaining to national labs (though they kept the one pertaining to Chinese spying).

(7) REPEAL OF REPORTING REQUIREMENT REGARDING COUNTERINTELLIGENCE AND SECURITY PRACTICES AT THE NATIONAL LABORATORIES.—Section 4507 of the Atomic Energy Defense Act (50 U.S.C. 2658) is repealed.

(8) REPEAL OF REPORTING REQUIREMENT REGARDING SECURITY VULNERABILITIES OF NATIONAL LABORATORY COMPUTERS.—Section 4508 of the Atomic Energy Defense Act (50 U.S.C. 2659) is repealed.

I’m glad I waited. Now I can use this story to demonstrate how vulnerable our nuclear labs remain.

The U.S. government’s only facility for handling, processing and storing weapons-grade uranium [Oak Ridge National Lab] was temporarily shut this week after anti-nuclear activists, including an 82-year-old nun, breached security fences, government officials said on Thursday.

[snip]

The activists painted slogans and threw what they said was human blood on the wall of the facility, one of numerous buildings in the facility known by the code name Y-12 that it was given during World War II, officials said.

While moving between the perimeter fences, the activists triggered sensors which alerted security personnel. However, officials conceded that the intruders still were able to reach the building’s walls before security personnel got to them.

When James Clapper’s office asked to throw these reports out, they justified it by saying they could just brief the information rather than report it regularly.

This reporting requirement should be repealed because it is over a decade old and the Secretary of Energy and the National Counterintelligence Executive can provide the information requested through briefings, as requested, if congressional interest persists.

Oak Ridge Lab has been breached twice in two years, once via its computer systems and now physically. I’m sure Congress will be getting a slew of briefings about the lab, but it really does seem like a little reporting requirement might help DOE to take this seriously.

“Dear John Brennan: You’re Being Investigated”

A number of people have pointed to Scott Shane’s story on the leak witch hunt for the details it gives on the increasing concern about leak witch hunts among journalists and national security experts.

But this paragraph includes the most interesting news in the article.

The F.B.I. appears to be focused on recent media disclosures on American cyberattacks on Iran, a terrorist plot in Yemen that was foiled by a double agent and the so-called “kill list” of terrorist suspects approved for drone strikes, some of those interviewed have told colleagues. The reports, which set off a furor in Congress, were published by The New York Times, The Associated Press, Newsweek and other outlets, as well as in recent books by reporters for Newsweek and The Times. [my emphasis]

That’s because prior reporting had indicated that the Kill List stories were not being investigated.

Recent revelations about clandestine U.S. drone campaigns against al Qaeda and other militants are not part of two major leak investigations being conducted by federal prosecutors, sources familiar with the inquiries said.

[snip]

The CIA has not filed a “crime report” with the Justice Department over reports about Obama’s drone policy and a U.S. “kill list” of targeted militants, an action which often would trigger an official leak investigation, two sources familiar with the matter said. They

So Shane’s revelation that the Kill List stories are being investigated amounts to the author of one of the Kill List stories reporting that some people who have been interviewed by the FBI told colleagues they got asked about the Kill List. Which might go something like, “Scott, they’re asking about your story, too.”

All without Shane acknowledging that Shane wrote one of the main Kill List Shiny Object stories.

Meanwhile, I find his reference to the outlets involved very interesting. Using the principle of parallelism, the passage seems to suggest the FBI is investigating the NYT for David Sanger’s sources on StuxNet, the AP for Adam Goldman and Matt Apuzzo’s sources on the UndieBomb 2.0 plot, and Newsweek for Daniel Klaidman’s sources on the Kill List. But of course the NYT also wrote a Kill List story, the AP wrote what is probably the most interesting Kill List story (which reported that the Kill List is now run by John Brennan). “And other outlets.” Which might include ABC for revealing that the UndieBomb 2.0 plotter was actually an infiltrator (ABC got the story indirectly from John Brennan, through Richard Clarke). Or the WaPo for Greg Miller’s original story on drone targeting, revealing that we were going to use signature strikes in Yemen. Or the WSJ, reporting that we had started using signature strikes.

In other words, it presents a rather interesting group of potential stories and sources.

Now I don’t know that John Brennan was the source for all this or that he’s really being investigated. I’m not saying Shane is being manipulative by reporting on this (though seriously, it’s another example of the NYT having a reporter report on a story that he is really a part of).

But I do find it rather interesting that a reporter targeted in this leak witch hunt just made news about the scope of the leak witch hunt.

Lamar Smith’s Futile Leak Investigation

Lamar Smith has come up with a list of 7 national security personnel he wants to question in his own leak investigation. (h/t Kevin Gosztola)

House Judiciary Committee Chairman Lamar Smith, R-Texas, told President Obama Thursday he’d like to interview seven current and former administration officials who may know something about a spate of national security leaks.

[snip]

The administration officials include National Security Advisor Thomas Donilon, Director of National Intelligence James Clapper, former White House Chief of Staff Bill Daley, Assistant to the President for Homeland Security and Counterterrorism John Brennan, Deputy National Security Advisor Denis McDonough, Director for Counterterrorism Audrey Tomason and National Security Advisor to the Vice President Antony Blinken.

Of course the effort is sure to be futile–if Smith’s goal is to figure out who leaked to the media (though it’ll serve its purpose of creating a political shitstorm just fine)–for two reasons.

First, only Clapper serves in a role that Congress has an unquestioned authority to subpoena (and even there, I can see the Intelligence Committees getting snippy about their turf–it’s their job to provide impotent oversight over intelligence, not the Judiciary Committees).

As for members of the National Security Council (Tom Donilon, John Brennan, Denis McDonough, Audrey Tomason, and Antony Blinken) and figures, like Bill Daley, who aren’t congressionally approved? That’s a bit dicier. (Which is part of the reason it’s so dangerous to have our drone targeting done in NSC where it eludes easy congressional oversight.)

A pity Republicans made such a stink over the HJC subpoenaing Karl Rove and David Addington and backed Bush’s efforts to prevent Condi Rice from testifying, huh?

The other problem is that Smith’s list, by design, won’t reveal who leaked the stories he’s investigating. He says he wants to investigate 7 leaks.

Smith said the committee intends to focus on seven national security leaks to the media. They include information about the Iran-targeted Stuxnet and Flame virus attacks, the administration’s targeted killings of terrorism suspects and the raid which killed Usama bin Laden.

Smith wants to know how details about the operations of SEAL Team Six, which executed the bin Laden raid in Pakistan, wound up in the hands of film producers making a film for the president’s re-election. Also on the docket is the identity of the doctor who performed DNA tests which helped lead the U.S. to bin Laden’s hideout.

But his list doesn’t include everyone who is a likely or even certain leaker.

Take StuxNet and Flame. Not only has Smith forgotten about the programmers (alleged to be Israeli) who let StuxNet into the wild in the first place–once that happened, everything else was confirmation of things David Sanger and security researchers were able to come up with on their own–but he doesn’t ask to speak to the Israeli spooks demanding more credit for the virus.


Failed Overseers Prepare to Legislate Away Successful Oversight

Before I talk about the Gang of Four’s proposed ideas to crack down on leaks, let’s review what a crop of oversight failures these folks are.

The only one of the Gang of Four who has stayed out of the media of late–Dutch Ruppersberger–has instead been helping Mike Rogers push reauthorization of the FISA Amendments Act through the House Intelligence Committee with no improvements and no dissents. In other words, Ruppersberger has delivered for his constituent–the NSA–in spite of the evidence the government is wiretapping those pesky little American citizens Ruppersberger should be serving.

Then there’s Rogers himself, who has been blathering to the press about how these leaks are the most damaging in history. He supported such a claim, among other ways, by suggesting people (presumably AQAP) would assume for the first time we (or the Saudis or the Brits) have infiltrators in their network.

Some articles within this “parade” of leaks, Rogers said late last week, “included at least the speculation of human source networks that now — just out of good counterintelligence activities — they’ll believe is real, even if it’s not real. It causes huge problems.”

Which would assume Rogers is unaware that the last time a Saudi infiltrator tipped us off to a plot, that got exposed too (as did at least one more of their assets). And it would equally assume Rogers is unaware that Mustafa Alani and other “diplomatic sources” are out there claiming the Saudis have one agent or informant infiltrated into AQAP regions for every 850 Yemeni citizens.

In short, Rogers’ claim is not credible in the least.

Though Rogers seems most worried that the confirmation–or rather, reconfirmation–that the US and Israel are behind StuxNet might lead hackers to try similar tricks on us and/or that the code–which already escaped–might escape.

Rogers, who would not confirm any specific reports, said that mere speculation about a U.S. cyberattack against Iran has enabled bad actors. The attack would apparently be the first time the U.S. used cyberweapons in a sustained effort to damage another country’s infrastructure. Other nations, or even terrorists or hackers, might now believe they have justification for their own cyberattacks, Rogers said.

This could have devastating effects, Rogers warned. For instance, he said, a cyberattack could unintentionally spread beyond its intended target and get out of control because the Web is so interconnected. “It is very difficult to contain your attack,” he said. “It takes on a very high degree of sophistication to reach out and touch one thing…. That’s why this stuff is so concerning to me.”

Really, though, Rogers is blaming the wrong people. He should be blaming the geniuses who embraced such a tactic and–if it is true the Israelis loosed the beast intentionally–the Israelis most of all.

And while Rogers was not a Gang of Four member when things started going haywire, his colleague in witch hunts–Dianne Feinstein–was. As I’ve already noted, one of the problems with StuxNet is that those, like DiFi, who had an opportunity to caution the spooks either didn’t have enough information to do so–or had enough information but did not do their job. The problem, then, is not leaks; it’s inadequacy of oversight.

In short, Rogers and Ruppersberger and Chambliss ought to be complaining about DiFi, not collaborating with her in thwarting oversight.

Finally, Chambliss, the boss of the likely sources out there bragging about how unqualified they are to conduct intelligence oversight, even while boasting about the cool videogames they get to watch in SCIFs, appears to want to toot his horn rather than conduct oversight.

Which brings me back to the point of this post, before I got distracted talking about how badly the folks offering these “solutions” to leaks are at oversight.

Their solutions:

Discussions are ongoing over just how stringent new provisions should be as the Senate targets leakers in its upcoming Intelligence Authorization bill, according to a government source.
