Yet another reason to keep the lawyers out of cyberops

According to Richard Clarke,  government lawyers play such a large role in designing American covert cyber operations that by the time the lawyers are done messing with them, they’re anything but covert:

One reason to believe the Stuxnet attack was made in the USA, Clarke says, “was that it very much had the feel to it of having been written by or governed by a team of Washington lawyers.”

“What makes you say that?” I asked. Computer-Keyboard_web

“Well, first of all, I’ve sat through a lot of meetings with Washington [government/Pentagon/CIA/NSA-type] lawyers going over covert action proposals. And I know what lawyers do.

“The lawyers want to make sure that they very much limit the effects of the action. So that there’s no collateral damage.” He is referring to legal concerns about the Law of Armed Conflict, an international code designed to minimize civilian casualties that U.S. government lawyers seek to follow in most cases.

Clarke illustrates by walking me through the way Stuxnet took down the Iranian centrifuges.

“What does this incredible Stuxnet thing do? As soon as it gets into the network and wakes up, it verifies it’s in the right network by saying, ‘Am I in a network that’s running a SCADA [Supervisory Control and Data Acquisition] software control system?’ ‘Yes.’ Second question: ‘Is it running Siemens [the German manufacturer of the Iranian plant controls]?’ ‘Yes.’ Third question: ‘Is it running Siemens 7 [a genre of software control package]?’ ‘Yes.’ Fourth question: ‘Is this software contacting an electrical motor made by one of two companies?’” He pauses.

“Well, if the answer to that was ‘yes,’ there was only one place it could be. Natanz.”

“There are reports that it’s gotten loose, though,” I said, reports of Stuxnet worms showing up all over the cyberworld. To which Clarke has a fascinating answer:

“It got loose because there was a mistake,” he says. “It’s clear to me that lawyers went over it and gave it what’s called, in the IT business, a TTL.”

“What’s that?”

“If you saw Blade Runner [in which artificial intelligence androids were given a limited life span—a “time to die”], it’s a ‘Time to Live.’” Do the job, commit suicide and disappear. No more damage, collateral or otherwise.

“So there was a TTL built into Stuxnet,” he says [to avoid violating international law against collateral damage, say to the Iranian electrical grid]. And somehow it didn’t work.”

The last time I wrote about the restrictions that US government lawyers are piling on cyberweapons, I asked, “Lawyers don’t win wars. But can they lose one?” Clarke’s observation, however, suggests another problem.

If other nations decide that they can attribute attacks to the United States because our legal culture leaves such distinct fingerprints on our covert weapons, maybe the better question is whether American government lawyers will be responsible for causing the next war.

(Hat tip to Jack Goldsmith, who flagged the Clarke article in Lawfare. Photo credit: Freefoto)