As a number of news outlets reported last night, retired Marine General James Cartwright is the latest government insider to be targeted by the Obama Administration’s aggressive pursuit of leakers. Cartwright, a four-star general who until 2011 served as Vice Chairman of the Joint Chiefs of Staff, reportedly received notice from the Department of Justice he is a target in the investigation into the source for David Sanger’s 2012 reports on the Stuxnet virus the U.S. and Israel used to sabotage Iran’s nuclear program.
Most reports on the news have focused on Cartwright’s seniority, though Cartwright is not the only high-ranking retired general under such investigation. (As recently as April, an investigation into retired CIA Director and four star General David Petraeus’ handling of classified information remained active.) Few, however, have considered how odd this particular leak investigation is. This investigation presumably is not about Stuxnet itself, nor about U.S. and Israeli involvement in it. So what is the secret Cartwright allegedly revealed?
The existence of Stuxnet, after all, did not need to be leaked.
Rather, it was discovered by an anti-virus company in Belarus. From that point on, the security community, well before journalists, raced to understand this powerful new worm — and they were able to do that largely based on the computer code that had revealed itself, not on any leaks from the perpetrators of the worm.
And even while Sanger’s reporting over several years did advance the story significantly, the precise reporting being investigated — both his June 1, 2012 front-page New York Times story and his book, Confront and Conceal — weren’t Sanger’s first notable stories on the virus.
Sanger and two colleagues had already published a front-page Times story on Stuxnet, almost a year and a half earlier. That one didn’t merit a leak investigation (at least not publicly). Yet even that earlier story reported: “By the accounts of a number of computer scientists, nuclear enrichment experts and former officials, the covert race to create Stuxnet was a joint project between the Americans and the Israelis.” It described how Siemens, the German industrial machinery company whose controllers were attacked as part of StuxNet, had first identified the vulnerabilities targeted in the attack in consultation with Idaho National Laboratory. It revealed the virus had been tested at Israel’s Dimona nuclear facility. “The reason the worm has been effective is that the Israelis tried it out,” the story quoted an American nuclear expert saying.
In short, the earlier story revealed several of the most important parts of the later story, notably the U.S. and Israeli role in the attack. Yet, as far as we know, the Justice Department made no efforts to learn who the “intelligence and military experts familiar with its operations” cited in the story were.
Perhaps that’s because that story also provided an opportunity for Israeli and U.S. figures to boast about how successfully Iran’s nuclear program had been set back (though the Times – not then-Israeli Mossad Chief Meir Dagan or then-Secretary of State Hillary Clinton, who were both quoted making proud statements about Iran’s setbacks — publicly attributed the delay to StuxNet).
So what was it about Sanger’s more recent reporting that now puts Cartwright at risk?
First, there was the bipartisan political uproar in response to the story. Senator John McCain, R-Ariz., accused the Obama Administration of leaking to Sanger to make “the President look strong and decisive on national security in the middle of his re-election campaign.” McCain was probably pointing to the lead of the story, which read, “Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010” (though voters might ask whether that decision showed Obama to be strong, or reckless).
Whether or not the story was an election year stunt, even Democrats condemned the leak. John Kerry, then still a senator representing Massachusetts, said the story “begs retaliation” from America’s enemies. The chairs and ranking members of the Intelligence Committees also spoke out — vocally led by California Senator Dianne Feinstein. “I am deeply disturbed by the continuing leaks of classified information to the media, most recently regarding alleged cyber efforts targeting Iran’s nuclear program,” she wrote. “Disclosures of this type endanger American lives and undermine America’s national security.”
But again, why did Sanger’s 2012 story endanger America’s national security if his 2011 story hadn’t? And how could DOJ isolate Cartwright as a target, when Sanger sourced his story to “interviews over the past 18 months with current and former American, European and Israeli officials involved in the program, as well as a range of outside experts”?
We may never know, particularly if Cartwright is never charged (he remains only a target). But in addition to a lengthy historical description of how the attack worked (the idea for which the story attributed to Cartwright), the story provides direct quotes from the meeting in the White House Situation Room at which Obama decided to continue the attack even after Stuxnet was discovered. Two of those quotes are particularly inflammatory for the way they blame Israel for Stuxnet’s escape. The story (which had already identified Cartwright as one of the briefers in question, along with retiring CIA Deputy Director Mike Morell) read:
“We think there was a modification done by the Israelis,” one of the briefers told the president, “and we don’t know if we were part of that activity.”
Mr. Obama, according to officials in the room, asked a series of questions, fearful that the code could do damage outside the plant. The answers came back in hedged terms. Mr. Biden fumed. “It’s got to be the Israelis,” he said. “They went too far.”
Was it the diplomatically dangerous accusation from Biden —“It’s got to be the Israelis”— that DOJ now suspects Cartwright of sharing with Sanger, in addition to technical details that likely come from Sanger’s broad range of sources? (Sanger notes, as have others, that it remains unconfirmed who bears responsibility for the code that led Stuxnet to escape.)
Whether or not this accusation against Israel is the big secret that might get Cartwright in trouble, it’s worth noting that just weeks before this Stuxnet leak investigation started, the House tried to legally mandate investigations into leaks that “degrad[e] Israel’s ability to defend itself.”
“I recently traveled to the Middle East, where we met with senior Israeli officials,” said Congressman Tom Price, R-Georgia, who introduced the measure. “Their number one concern was that for the first time in our long relationship, the United States was releasing classified operational information and capabilities, willfully putting at risk the lives of Israeli people.”
Have we gotten to the point where America’s most fiercely guarded secrets — the kind that could put a retired general in legal jeopardy — concern not America, but Israel?