Earlier this week, the New York Times raised the alarm -- and vivid Stuxnet imagery -- about hackers targeting US nuclear facilities. The DHS raised its own alarm -- one with a specific color -- about the same hacking attempts.
Among the companies targeted was the Wolf Creek Nuclear Operating Corporation, which runs a nuclear power plant near Burlington, Kan., according to security consultants and an urgent joint report issued by the Department of Homeland Security and the Federal Bureau of Investigation last week.
The joint report was obtained by The New York Times and confirmed by security specialists who have been responding to the attacks. It carried an urgent amber warning, the second-highest rating for the sensitivity of the threat.
Later in the article, the New York Times brings up Stuxnet, despite undermining such speculative comparisons in earlier paragraphs. According to the documents the Times saw, hackers don't appear to be attempting to control the facilities.
The report did not indicate whether the cyberattacks were an attempt at espionage — such as stealing industrial secrets — or part of a plan to cause destruction. There is no indication that hackers were able to jump from their victims’ computers into the control systems of the facilities, nor is it clear how many facilities were breached.
Wolf Creek officials said nothing sensitive had been breached and the evidence trail suggests something not nearly as concerted as an "attack." Instead, it appears the breaches have been the result of watering holes and spearphishing, not a concentrated assault on nuclear plant control systems. It's not that there's nothing to be worried about, but that there's nothing to be worried about on an "amber" level, to use the DHS's own color-coded Map of Worries.
The DHS's amber alert is mostly baseless… according to the DHS itself.
In a joint statement with the F.B.I., a spokesman for the Department of Homeland Security said, “There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks.”
One paragraph after that, an official at the agency to which all 99 US nuclear facilities report said no facility had reported any breaches of operational systems.
So, there's apparently some "targeting," but nothing aimed at operational systems and certainly no Stuxnet-equivalent roaming around plants in search of a nuclear catastrophe. Instead, these "attacks" appear to be something the US considers to be perfectly acceptable hacking… at least when we do it. Here's Marcy Wheeler on what the hacking revelations actually reveal:
There is spying — the collection of information on accepted targets. And there is sabotage — the disruption of critical processes for malicious ends.
This is spying, what our own cyber doctrine calls “Cyber Collection.”
Cyber Collection: Operations and related programs or activities conducted by or on behalf of the United States Government, in or through cyberspace, for the primary purpose of collecting intelligence – including information that can be used for future operations – from computers, information or communications systems, or networks with the intent to remain undetected. Cyber collection entails accessing a computer, information system, or network without authorization from the owner or operator of that computer, information system, or network or from a party to a communication or by exceeding authorized access. Cyber collection includes those activities essential and inherent to enabling cyber collection, such as inhibiting detection or attribution, even if they create cyber effects. ( C/NF)
This isn't to say the US shouldn't be engaged in these activities. This isn't to say the US should be completely OK with other countries doing the same thing. What does need to be said is the US government needs to be completely clear about what it has observed, rather than raise alerts about cyber attacks that portray intelligence gathering by foreign operatives as attacks on crucial (and potentially dangerous) systems.
That doesn’t mean Russian spying on how our nuclear facilities work is not without risk. It does carry risks that they are collecting the information so they can one day sabotage our facilities.
But if we want to continue spying on North Korea’s or Iran’s nuclear program, we would do well to remember that we consider spying on nuclear facilities — even by targeting the engineers that run them — squarely within the bounds of acceptable international spying. By all means we should try to thwart this presumed Russian spying. But we should not suggest — as the NYT seems to be doing — that this amounts to sabotage, to the kinds of things we did with Stuxnet, because doing so is likely to lead to very dangerous escalation.
This is where the DHS fell down in its "sharing" of internal documents with the New York Times. No one bothered to correct the Times when it went off on a Stuxnet tangent. This could give some government officials the wrong idea about what's happening -- both here and in foreign nations. There are many people in power who get much of their information from the press. This leads to bad bills being hurriedly crafted and public calls to action based on hearsay from a document someone else viewed. And that's just here in the US.
On top of that, there's how we behave and how we expect others to behave. We're going to do this sort of thing. So are our adversaries. Both sides will continue to play defense. But going from 0-to-Stuxnet in the DHS's Ambermobile isn't a great idea. And it allows US officials to further distance themselves from actions we condone as part of our national security efforts.