Flame Thrower

Stuxnet was a monster computer virus. Flame is 20 times larger -- and it's been out there, listening, for years.

Welcome to the new frontier of cyber-espionage, and remember this name: "Flame" -- a mysterious new cyber spy tool that hit the headlines on Monday, May 28. Its code is 20 times larger than Stuxnet, the mysterious computer worm that temporarily crippled Iran's Siemens nuclear centrifuges, and it "might be the most sophisticated cyber weapon yet unleashed," according to Kaspersky Lab, a Russia-based cybersecurity firm. Kaspersky published the findings of its analysis on Monday, as did the Iranian Computer Emergency Response Team (CERT) and Budapest University. Most of the infected systems are located in the Middle East, with Iran, Israel, Palestine, Sudan, Syria, Lebanon, and Hungary topping the list. Flame stands out in the various ways through which it "exfiltrates" data, including surreptitiously recorded audio data captured by internal microphones. However, unlike Stuxnet, Flame was designed to spy -- not destroy.

The variety of spy tools that Flame employs is astonishing. According to Kaspersky, "of course, other malware exists which can record audio, but key here is Flame's completeness -- the ability to steal data in so many different ways." It also takes snapshots of instant messages and records a user's keystrokes. Flame is remotely controlled through a command and control server and it's highly dynamic. In other words, it has been updated remotely since it was first launched at least as early as March 2010 and its "creators are constantly introducing changes into different modules" which expand its functionality. Now that it has been detected, the Iranian CERT apparently offers infected users a removal tool.

According to the Washington Post, some analysts see the United States and Israel behind Flame. Kaspersky will only go so far as to say that it's likely the work of a nation-state rather than a private entity or hacking group because of the sophistication and the geographic location of the infected systems. For now, the perpetrator's identity remains unknown. Flame was designed to avoid being detected, hiding in large amounts of code and using a programming language unusual for malware. Victims include individuals, private companies, educational institutions, and state-related organizations. Other details are also unclear at this point, however, such as how Flame accesses a system in the first place. Kaspersky considers Flame an operation likely to have been run in tandem with Stuxnet.

Unlike Stuxnet, Flame was designed for a non-destructive purpose. That said, both types of code essentially consist of three elements, according to Herb Lin, chief scientist at the National Research Council: a vulnerability, access, and payload. Think of a computer system as a walled-in garden. The first objective is to find a hole in the wall to get into the garden. A vulnerability in the computer system -- the hole -- will allow that access to the system. Once inside the garden, there are basically two ways it plays out, determined by the payload. A cyber-espionage payload -- like Flame -- walks around making copies and taking pictures of what's in the garden. By contrast, a cyber-warfare payload -- like Stuxnet -- destroys what's in the garden.

Cyber-espionage tools differ in terms of their payload, though. Stuxnet's cousin, Duqu, was designed (like Flame) to spy, not destroy. The security firm Symantec considered Duqu "a threat nearly identical to Stuxnet, but with a completely different purpose ... Duqu's purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector." Duqu and Stuxnet were therefore very similar in the vulnerabilities exploited but differed in the payloads used. In other words, Duqu and Stuxnet used the same hole in the wall but behaved differently once inside, whereas Duqu and Flame accessed the garden differently but were sent with a similar mission. There is another important difference between Duqu and Flame. As Kaspersky highlights, the "intelligence gathering operation behind Duqu was rather small-scale and focused. We believe there were less than 50 targets worldwide for Duqu -- all of them, super-high profile. Flame appears to be much, much more widespread than Duqu, with probably thousands of victims worldwide."

This shows that while cyber-espionage and cyber-warfare differ in intent, the gap is very small. Replace a non-destructive payload with a destructive one using the same vulnerability and access and the story changes very quickly. In fact, Symantec also described Duqu as "the precursor to a future Stuxnet-like attack ... looking for information such as design documents that could help them [the attackers] mount a future attack on various industries, including industrial control system facilities." This also explains why Michael Hayden, former director of the National Security Agency and the Central Intelligence Agency, has called them "operationally indistinguishable."

But Flame is not the new Stuxnet, and it's important not to lump them together. However, as Stuxnet and Duqu have showcased, the question about Flame is whether the information-sharing was an end in itself or only the means to a future attack that remains yet to be discovered or launched.

The answer to this question might take a while to uncover. "Consider this: it took us several months to analyze the 500k code of Stuxnet," notes Kaspersky. "It will probably take year [sic] to fully understand the 20MB of code of Flame."



The Conservative Defense Revolution

Or, how the Tea Party learned to love the Pentagon.

What a difference a year makes.

On Memorial Day 2011, many not only paused to remember the fallen, but lamented the fall of the American military. The perennial question about defense spending -- "How much is enough?" -- had been supplanted by "How low can you go?" This Memorial Day, the consensus that Washington is ready to reap another "peace dividend" is under assault.

How we got here from there matters. America became a different nation after 1945. The United States emerged from the ashes of World War II as a global power with global interests and responsibilities. That meant it would have to think about defense differently. So a nation that had averaged spending about 1 to 2 percent of its national wealth on defense began spending, on average, about 8.5 percent during the Cold War. A good chunk of that went to confronting the Soviet Union.

No one, however, had really done the math to figure out how big a military would have been required to secure U.S. global interests if the standoff with the Soviets had never happened. Consequently, when the wall fell, nobody knew the answer to that question -- except that it had to be "less." And, so, U.S. defense spending headed to under 3 percent of GDP, and U.S. defense capabilities began to contract.

The rise and fall of the Pentagon was, by and large, a bipartisan project -- albeit not always a pretty one. Robert Taft, the anti-New Deal Republican senator from Ohio, hated NATO, mostly because Truman was for it. Kennedy was more of a defense spending hawk than Eisenhower. Both the far-right and the far-left abandoned the war in Vietnam. It was not uncommon to find a hard-line "Scoop" Jackson who caucused with Democrats and an über-liberal Jacob Javits huddling in the Republican corner.

By the end of the 1990s, there was plenty of evidence that U.S. military capabilities were in the basement. "[O]ur forces are showing increasing signs of serious wear," Gen. Henry H. Shelton, chairman of the Joint Chiefs of Staff under Clinton, testified before Congress. "Anecdotal, initially, and now measurable evidence indicates that our readiness is frayed and that the long-term health of the total force is in jeopardy," he warned. But neither political party in Washington seemed terribly interested in doing anything about it.

Along came 9/11, boosting investments in the armed forces to a post-Cold War high. There was little doubt the tide had turned -- though challenges remained. The lion's share of additional spending went to fund military operations in Iraq and Afghanistan. The preponderance of military aircraft, ships, and vehicles, bought in the 1980s, were now pushing 30 years of service and needed to be replaced. Unfortunately, that bill is still unpaid.

As operations in Iraq and Afghanistan began winding down, it looked like a replay of That 90s Show. Republicans wanted a balanced budget. Democrats wanted a "peace dividend." Cutting the Pentagon was offered up as the principal means to get spending under control.

Under current projections, investments in defense will drop below what they were in the 1990s. If that happens, this Memorial Day could well go down in history as marking the post-Cold War high-water mark of U.S. military power. A case can be made that the United States has new military systems that are far more capable than what was available to our forces two decades ago. That may be true as far as speed, firepower, and other performance measures go, but the world is the same size. Even the most advanced stealth aircraft or missile-launching ship can only be in one place at a time. America's ability to cover its bets around the world will drop considerably.

The decline could accelerate rapidly if cuts required under the Budget Control Act of 2011 go into effect.

The military will have to absorb the single largest share of cutbacks, with estimates as high as $492 billion. It is difficult to see how the Pentagon could reduce spending on that scale without trimming capabilities even further. Last year, the House Armed Services Committee authored a report predicting that, if the automatic cuts took effect, the U.S. would have "[t]he smallest ground force since 1940; [a] fleet of fewer than 230 ships, the smallest level since 1915; [and] [t]he smallest tactical fighter force in the history of the Air Force."

Here, however, is where the story gets interesting. The bipartisan consensus on defense is collapsing. Just a year ago, it seemed like conservatives were pretty much prepared to go along with the "carry a small stick" approach to foreign policy. Even as liberals in Congress pilloried the rise of the Tea Party and a rambunctious conservative freshman class, they expected them to join in a common cause to trim defense -- just as Washington did in the 1990s. Their hopes were not unreasonable. Last year, the Republican-controlled House signed off on a budget proposal that pretty much just plugged in the president's defense numbers.

But somebody must have slipped some Wheaties into the congressional mess, because the conservative half of Congress seems to have undergone a sea change on defense. Rep. Paul Ryan (R-WI), chairman of the House Budget Committee, started talking as much about the need for a strong national defense as he did about reforming Medicare.

Ryan's budget, which passed the House with strong support from the Tea Party freshmen, resisted further defense cuts. Ryan has pushed to have the Pentagon spared the pain of the automatic cuts that are required under the Budget Control Act of 2011. One of the most high-profile Tea Party first-termers, Rep. Allen West (R-FL), has emerged as an outspoken proponent for the Pentagon. And Rep. Randy Forbes (R-VA) has organized a multi-state series of "Defending the Defenders" town hall meetings -- with the blessing and support of the House leadership.

To top it off, the House passed a defense spending bill that bumped up the White House proposal by $4 billion. The House also approved a National Defense Authorization Act packed with a number of demands for propping up the Pentagon. None of these initiatives could have happened unless the conservatives in the Congress had been committed to taking a different course from the White House on defense.

The Senate Armed Services Committee passed a defense bill that matched the president's request, but there is plenty of evidence to suggest the "Defend Defense" mindset is spreading there as well. Sen. Mike Lee (R-UT) recently dropped a budget proposal calling for sustained increases in defense investment. It received only 17 votes, but that was 17 more than the president's budget got. Most tellingly, two serious skeptics on defense spending -- Sen. Rand Paul (R-KY) and Sen. Tom Coburn (R-OK) -- both voted for the Lee budget.

Why have conservatives in Congress gotten their defense mojo back? Lee's budget offers some hints. Modeled on a long-term budget proposal developed by the Heritage Foundation, Lee's plan sustains defense spending not just by realizing savings from internal defense reforms and efficiencies, but through holistic reform of the entire federal budget. Lee's budget constrains government growth by cutting back on non-defense discretionary spending and reforming entitlement programs. It also seeks to spur economic growth through tax and regulatory reform. This is a classic conservative agenda that allows members to be strong on national security while pursuing other desirable goals.

In particular, the conservative countermarch may be driven by a desire not to relive the experience of the 1990s, when Washington used defense cuts to take pressure off efforts to balance the budget with systemic reforms to entitlement programs. That compromise, they now acknowledge, was a mistake.

The conservative leadership in the Congress does not accept that cutting defense is the right path to restoring fiscal responsibility. The Republican candidate for president has already come out in favor of not cutting defense. Regardless of who wins in Washington in November, conservatives are unlikely to abandon their rediscovered commitment to defense -- as long as they also retain their commitment to low taxes and entitlement reform.

Washington's conventional wisdom -- that it is all downhill for the Pentagon -- might just be wrong. At the very least, there will be a substantial force in Washington putting the brakes on a steep slide.
