Book Review: “Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power” by David Sanger

Executive Summary

This book is an interesting read for foreign policy buffs but a must-read for cyber security professionals interested in the evolution of cyber warfare. It is the first published book that chronicles the current US government’s thinking about the merits of cyber attacks as a middle-ground diplomacy option between invading a country on one hand and sanctions or negotiations on the other. It is also the first book that gave the public details about operation “Olympic Games,” a multiyear covert operation that the governments of the United States and Israel directed against Iran that changed the cyber security landscape forever. Security pundits have been saying for years that cyber warfare is theoretically possible or, more precisely, that cyber weapons could cause physical damage on a massive scale. Olympic Games demonstrated conclusively that hackers can use a cyber vector alone, without the aid of other kinetic weapons, to destroy components of a country’s critical infrastructure. Regardless of how successful Olympic Games ultimately was in slowing down the Iranian nuclear program, using cyber tools to inflict physical damage against your adversaries is now a viable option. Operation Olympic Games represents the world crossing the line between theory and practice, and this book is your guide to understanding that decision. This book is part of the canon, and you should have read it by now.

Introduction

In June 2012, David E. Sanger published an article[1] in The New York Times proclaiming for the first time that the United States, in conjunction with Israel, was indeed behind the infamous Stuxnet malware attacks that targeted the Iranian nuclear enrichment plant at Natanz. He published his article as a teaser to advertise his new book, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power.[2]

In both the article and the book, Sanger demonstrated an unprecedented level of access to President Obama’s former staff members that provides insight into how leadership made important changes to American policy around offensive cyber operations. The book is a fascinating look at the inner machinery of how two presidents made decisions that changed US foreign policy, moving away from President George W. Bush’s [See Note] “You are with us or against us” mentality and toward something Sanger calls the Obama Doctrine.[2] I originally picked up the book because of chapter 8, “Olympic Games.” For the cyber security professionals in the crowd, this chapter alone is worth the price of admission.

The Story

Olympic Games is the now-declassified US code name for the cyber initiatives aimed at degrading Iran’s nuclear enrichment capability.[2] Many international leaders are afraid of what Iranian leadership might do if they were to get their hands on a nuclear bomb.[3] Iranian leadership claims that their nuclear program is peaceful and is designed to provide electric power to Iran’s citizens.[4] In the past, the only options Western governments had to dissuade Iranian officials from their nuclear ambitions were economic sanctions and military strikes. According to Sanger, as Iran got closer to its goal of building a working nuclear bomb during President Bush’s time in office, Israeli leadership became more and more anxious to pursue the military option since they believed Israel might be one of the first targets of such a bomb.[2] President Bush was not keen on starting a fight with yet another Middle Eastern country. He was already fully engaged with Iraq and Afghanistan. He needed a different way to deal with the problem. Olympic Games became the in-between option.[2]

Sanger fills in a lot of details about Olympic Games that many suspected were true at the time but had no evidence to prove. He explains how the operation grew out of military channels under President Bush and how President Obama moved it over to intelligence channels during the first weeks of his administration for legal reasons. Sanger describes how at least as much work went into the legal justification for a covert action to destroy critical infrastructure in a country with which the United States was not at war as the amount of work that the coders did when they planned, built, and tested the actual cyber weapons. He describes how the operation used unwitting Siemens employees who were working at Natanz to transfer the malware into the facility, a facility that had no connection to the Internet. Siemens is the company that builds the supervisory control and data acquisition (SCADA) devices used at the plant to control the Iranian centrifuges that Olympic Games was meant to destroy.[2]

All of this is fascinating detail, and Sanger’s book,[2] along with his preceding New York Times article,[1] was the first time that the public became aware of it. More importantly though, Sanger’s book puts a line in the sand marking the exact spot where cyber warfare moved from a theoretical idea to practical implementation. According to Richard Clarke, author of Cyber Warfare: The Next Threat to National Security and What to Do about It,

“The term ‘cyber war’ … refers to actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.”[5]

In my review of Jeffrey Carr’s book, Inside Cyber Warfare: Mapping the Cyber Underworld, I tweaked Clarke's definition a bit to be more precise:

“Cyber Warfare involves one or more nation states using cyber weapons to destroy each other’s national treasure to achieve some political purpose.”[10]

Before operation Olympic Games, security pundits only pontificated about the possibilities of cyber warfare. We would point to real-world examples like Estonia[6] and Georgia[7] that did not quite meet Clarke’s definition but were, from our point of view, clear indicators of where this was heading. Some estimates claim that the damage done by operation Olympic Games caused Iranian engineers to replace more than 4,000 damaged centrifuges out of the 9,000 that were on site at Natanz.[8] For the first time in our short cyber security history, we had a publicly known event that precisely met Clarke’s definition, and my definition too for that matter. The world changed, and you cannot put that genie back in the bottle. 

Just this year, cyber attackers destroyed the data residing on 32,000 computers from a number of Korean companies, including Shinhan Bank, Nonghyup Bank, Munhwa Broadcasting Corp., YTN, and Korea Broadcasting System. Public attribution is unclear, but the South Koreans believe the attacks came from North Korea.[9] If that’s true, the attack represents the first example of another nation taking its cues from the United States and Israel and operation Olympic Games. I expect that this is just the beginning.

The Tech

Sanger details the three phases of the operation. The first step was to build and deploy a “beacon” designed to map the network at Natanz and get the information back to the United States. The second phase was to build and test the “bug,” the malware that would destroy the centrifuges. The last phase was to deploy and upgrade the bug on the fly to seek new and better targets.[2] According to Sanger, the intent of Olympic Games was not to destroy the plant completely but to play mind games with the Iranian technicians, to cause confusion within the technical ranks, and to add time on the clock for the inevitable day when Iran would succeed in making enough nuclear material to build a bomb.[2] The jury is still out on whether Olympic Games succeeded, but Sanger uses the operation to make a larger point about the change in US foreign policy under President Obama.

I am not a foreign policy expert by any means. I vaguely understand that all presidents spend huge chunks of time trying to manage US interests abroad, but it seems to me, after reading Sanger’s description, that President Obama had to deal with an inordinate number of varied and complex international issues in his first term compared to other presidents. Regardless of whether you are a President Obama fan, after reading Sanger’s account, you have to agree that Obama’s first term was quite a ride. Let me just touch on the highlights:

  • Reducing US military forces in Iraq
  • Surging US military forces in Afghanistan
  • Negotiating with an on-again, off-again Pakistani alliance
  • Assassinating Osama Bin Laden without Pakistani buy-in
  • Managing the Arab Spring: Tunisia
  • Managing the Arab Spring: Libya
  • Managing the Arab Spring: Syria
  • Managing the growing Chinese power in the East
  • Managing the seeming instability of North Korea [2]

Out of all of this, Sanger opines that a new US foreign policy emerged. By the end of his first term, President Obama was finally acting on foreign policy interests that he did not inherit from President Bush. The international events mentioned above schooled President Obama on the limits of US power. He refocused his approach by narrowing the scope of America’s strategic objectives, showed restraint with his willingness to use the middle option with drone technology and cyber attacks, found a wedge to use with China in the form of growth boundaries versus isolation, and decided that he is totally fine with the idea that other nations can take the lead during international crisis situations. From my reading of Sanger’s thesis, it was a new beginning for a now-seasoned president.[2]

Conclusion

The book is an interesting read for foreign policy enthusiasts, but the Olympic Games chapter is a must-read for every cyber security professional interested in the evolution of cyber warfare. More importantly though, Sanger’s book puts a line in the sand marking the exact spot where cyber warfare moved from a theoretical idea to practical implementation. Security pundits have been saying for years that cyber warfare is theoretically possible or, more precisely, that cyber weapons could cause physical damage on a massive scale. Olympic Games demonstrated conclusively that hackers can use a cyber vector alone, without the aid of other kinetic weapons, to destroy components of a country’s critical infrastructure. Regardless of how successful Olympic Games ultimately was in slowing down the Iranian nuclear program, using cyber tools to inflict physical damage against your adversaries is now a viable option. Operation Olympic Games represents the world crossing the line between theory and practice, and this book is your guide to understanding that decision. This book is part of the canon, and you should have read it by now.

Note: 

All references to President Bush in this essay refer to President George W. Bush, the 43rd President of the United States, and not his father, President George H. W. Bush, the 41st President of the United States.

Sources:

[1] "Obama Order Sped Up Wave of Cyberattacks Against Iran," by David E. Sanger, The New York Times, 1 June 2012, last visited 14 December 2013,
http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all

[2] Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power, by David E. Sanger, published by Crown Publishing Group, June 2012

[3] “The west fears the Iranian nuclear research program,” by Carol J. Williams, The Los Angeles Times, 4 July 2012, last visited 19 December 2013,
http://latimesblogs.latimes.com/world_now/2012/07/tightened-sanctions-on-iran-trigger-threats-defiance.html 

[4] “Tighter sanctions on Iran trigger threats and defiance,” by Carol Williams, Los Angeles Times, 4 July 2012, last visited 26 December 2013

[5] "Book Review: ‘Cyber Warfare: The Next Threat to National Security and What to Do about It (2010)’ by Richard Clarke and Robert Knake," by Richard Howard, Terebrate, 21 January 2013, last visited 19 December 2013

[6] "Estonia's Lessons in Cyberwarfare," by Scheherazade Rehman, US News & World Report, 14 January 2014, last visited 19 December 2013

[7] "Georgia accuses Russia of coordinated cyberattack," by Tom Espiner, CNET, 11 August 2008, last visited 19 December 2013

[8] “The Stuxnet outbreak: A worm in the centrifuge: An unusually sophisticated cyber-weapon is mysterious but important,” The Economist, 30 September 2010, last visited 19 December 2013

[9] "South Korea Says Chinese Code Used in Computer Attack," by Cynthia Kim, Jungah Lee and Saeromi Shin, Bloomberg, 21 March 2013, last visited 19 December 2013

[10] "Book Review: “Inside Cyber Warfare: Mapping the Cyber Underworld (2009, 2010)” by Jeffrey Carr," by Rick Howard, Terebrate, 24 March 2013, last visited 26 December 2013
