Focal Points Blog The trees, not the forest

Entries Tagged "cyberwarfare"

Richard Sale, author of Clinton’s Secret Wars, has written an article outlining the escalation of the joint U.S.-Israeli cyber attack on Iran's nuclear program. A new malware, apparently built off of the Stuxnet worm used against Iran's centrifuge systems between 2009 and 2010, is in development:

According to former and serving US intelligence officials, leaders of the three major software companies, Sergey Brin at Google, Steve Ballmer at Microsoft and Larry Ellison at Oracle have been working with Israel's top cyber warriors and have now come up with a new version of a Stuxnet-like worm that can bring down Iran's entire software networks if the Iranian regime gets too close to breakout, according to US intelligence sources.

[Snip]

This new Stuxnet worm is being advanced by administration and intelligence officials as a more powerful tool with a stronger range and capability than the previous version. Officials want this new cyber capability to derail any military action that could result in a regional war.

You have to ask, if it's that good, why stop at deterrence when you can aim for preemption? It would be far easier for Israeli, U.S. and UK warplanes to operate over Iran in the event of an attack if this "Super Stuxnet" scrambled Iran's air defense systems, rendering early warning and interception systems impotent. It opens up new scenarios for U.S. action -- covert or overt -- vis a vis Iran's nuclear program. Surely the UK military, which has committed to reinforcing the U.S. naval presence in the Gulf and whose officials spoke at length in the Guardian on what might be used to take out Iran's nuclear assets (Tomahawk cruise missile, airstrikes, commandos) will welcome this new tool. 



Far from being a deterrent, this new malware has the potential to be the software equivalent of the Strategic Defense Initiative. Yet while "Super Stuxnet" might turn into a U.S.-Israeli trump card, it also has the potential to become the electronic equivalent of Operation Fast and Furious.



Stuxnet, which entered the world wide web as early as 2009 and was discovered at work in Iran the next year, was built under U.S.-Israeli government auspices using stolen Taiwanese software certificates so that it could infect a widely-used "industrial control system made by the German conglomerate Siemens that was used to program controllers that drive motors, valves and switches," i.e., Iranian centrifuge components. According to Wired magazine, the sophistication of the device and its target befuddled security experts because no one could initially figure out why a hacker would want to sabotage these systems (the answer was that the hackers were government-backed cyber warfare experts).



Then again, this avenue of attack is not new. If certain Cold Warriors are to be believed, the U.S. has a thing for valve sabotage. Thomas C. Reed, a former Secretary of the Air Force and Reagan-era advisor affiliated with the nuclear-warhead manufacturer Lawrence Livermore National Laboratory, contends that in the 1980s, the U.S. discovered a KGB network that existed solely to steal and reverse engineer Western computer technology. Rather than expose the network, the U.S. used information from a KGB double agent's papers (the "Farewell" Dossier) to determine what companies the KGB was stealing from. The U.S. then slipped all manner of cyber ordnance into their products. One such "logic bomb" allegedly destroyed a key Soviet pipeline by scrambling the software that controlled the pressure and flow of oil. The story of this sabotage effort was publicized by William Safire in 2004, and by the CIA itself in 2007.

Programming valves and motors to malfunction? Now doesn't that sound familiar?



If this "Super Stuxnet" does exist, then it represents a comprehensive sabotage plan with far grander goals than the original Stuxnet, or even the "Farewell" Dossier, which, for all its defense applications (launch silo shutters unable to be opened or closed due to a bug?) was only targeted at the Soviet economy. It essentially amounts to an internet kill switch + EMP that can be activated remotely -- or is already capable of activating itself at a preprogrammed time. 

Iran, like the USSR in the 1980s, presumably has no advanced cyber warfare capacity to retaliate with, despite its attempts to play up its own cyber warfare capacity. The USSR could not identify or isolate the electronic weapons used against it in the 1980s. Iran today would likely have a tough time doing anything more with "Super Stuxnet" than enduring its machinations. But Iran has some friends who might be more adept at turning "Super Stuxnet" on its handlers.



Russia, of course, comes to mind. Revenge for "Farewell"? Poetic, but not pragmatic. Instead, Russia would presumably be interested in both the original and the new Stuxnets because of their security applications. Defensively, seeing how these worms work would help Russia enhance protection of its own nuclear production assets and protect its communications systems from being scrambled during a military action. Offensively, we saw Russia use cyber warfare in the 2008 Georgian conflict, targeting civilian, government and military internet assets. For all Russia's financial and technical problems, she does endeavor to stay on the cutting edge in every military arm.

The cutting edge is very important for Russia not just because of NATO, but because she shares a very long border with the world's leading cyber warfare aspirant, the People's Republic of China -- which also happens to be a friend of Tehran's.



China's interests in seeing how the Stuxnets work are basically similar to Russia's, with the added goal of surpassing the U.S.'s own cyber warfare capabilities as soon as possible. The People's Liberation Army is tailoring cyber warfare assets towards an "Integrated Network Electronic Warfare" that can target U.S. civilian and military infrastructure, from satellites to stop lights.



So, whatever success or deterrence "Super Stuxnet" brings Tel Aviv and Washington, I'd like to ask its creators what they think the Iranians did with the original Stuxnet-contaminated hardware after removing it?

A. Dumped it in an electronic graveyard 

B. Locked it in a heavily-guarded warehouse

C. Passed it onto the People's Republic of China and/or Russia



Of course, this presumes China and Russia have normal diplomatic relations with Iran, the kind of relations in which countries with some shared strategic objectives -- securing energy access, increasing their regional influence, undermining American hyperpower -- exchange military, financial and diplomatic support on a semi-regular basis.



It doesn't take much. One flash drive, a laptop or two. Maybe a server. All bundled off to bunkers in Moscow or Shanghai c/o the Iranian Revolutionary Guard. 



As Richard Sale quotes an unnamed U.S. official, cyberweapons are essentially electronic bioweapons. And when you want to see how your opponent's bioweapons work, you need infected tissue samples -- both to make a cure, and then to engineer your own, superior version.

Paul Mutter is a graduate student at the Arthur L. Carter Journalism Institute at NYU and a contributor to Foreign Policy In Focus.

Last week, in the Nation, Eric Alterman hailed Stuxnet, the computer virus that struck Iran's Russian-built reactor at Bushehr.

Now that a "number of technological challenges and difficulties" have beset Iran's program, Moshe Yaalon, Israel's minister of strategic affairs, explains, Iran's nuclear timetable has been "postponed." This development ought to be a cause for joy among all people outside the Iranian leadership's [foot-in-mouth alert -- RW] anti-Semitic, Holocaust-denying circles. A military attack, whether American or Israeli, might have postponed the timetable as well, but at a horrific cost in human and strategic terms. . . . The Stuxnet worm has helped to save the world from the horrific consequences [of Iran developing nuclear weapons and attacking Israel -- RW].

Fellow Nation writer Robert Dreyfuss responded:

. . . make no mistake, unleashing a computer worm against a country whose leaders have committed no aggressive act against either the United States or Iran's neighbors is an act of war

But is Stuxnet the neat, clean computer-killing machine that does no harm to humans -- sort of the opposite of a neutron bomb? Dreyfuss again:

. . . a worm—once created—can take on a life of its own. It can infect unintended locations, as Stuxnet already has, and even spread uncontrollably. And it can be copied and engineered by others, for other purposes. It's like biological warfare: once uncorked, there's no putting the germs back in the bottle. 

Last week we wrote about a Reuters article in which Dmitry Rogozin, Russia's ambassador to NATO, was quoted:

"This virus, which is very toxic, very dangerous, could have very serious implications," he said, describing the virus's impact as being like explosive mines.

"These 'mines' could lead to a new Chernobyl," he said, referring to the 1986 nuclear accident at a plant in Ukraine, then part of the Soviet Union. 

Because of the role Russia played in constructing Bushehr, Rogozin was just fear-mongering to get the West to back off, right? Uh, maybe not. Yesterday the Associated Press reported that, according to "a foreign intelligence report," with

. . . control systems disabled by the virus, the reactor would have the force of a "small nuclear bomb," . . . "The minimum possible damage would be a meltdown of the reactor. . . . However, external damage and massive environmental destruction could also occur ... similar to the Chernobyl disaster." 

But then the AP quotes German cybersecurity expert Ralph Langner, "who has led research into Stuxnet's effects on the Siemens equipment running Iran's nuclear programs." 

"Bottom line: A thermonuclear explosion cannot be triggered by something like Stuxnet."

Whatever the case -- warning: dueling clichés ahead -- it's still uncharted waters and the West is playing with fire.

Flash drive (Pictured: The virus's most likely mode of transmission.)

Reuters quotes Dmitry Rogozin, Russia's ambassador to NATO, on the Stuxnet computer virus that struck Iran's Russian-built reactor at Bushehr. 

"'This virus, which is very toxic, very dangerous, could have very serious implications,' he said, describing the virus's impact as being like explosive mines.

"'These 'mines' could lead to a new Chernobyl,' he said, referring to the 1986 nuclear accident at a plant in Ukraine, then part of the Soviet Union."

Sure, Rogozin's comments may be laughed off as hyperbole. But just how much control is the party that initiates a virus attack (in this case, presumably Israel and/or the United States) able to exert over a virus, no matter how embedded it may be with commands informing it when and where to activate?

At the very least, Stuxnet sets off, or accelerates, a cyberwar "arms" race. Think the difficulty Iran has experienced subduing the virus (a computer expert advises them to throw out all Bushehr's computers) prevents it from upping the cyberwarfare ante? Consider all the contractors -- from China to Russia, even -- willing to sell Iran its services and thus enable it to strike back at the West.

The perfectly clean, collateral-damage-free weapon has yet to be invented.

As you may have heard, in response to the Stuxnet cyber attack on its nuclear program, Iran has been detaining Russian personnel working on Iran's first nuclear reactor at Bushehr. Hence, "dozens of Russian nuclear engineers, technicians and contractors are hurriedly departing Iran for home since local intelligence authorities began rounding up their compatriots as suspects of planting the Stuxnet malworm into their nuclear program," reports Israel's DEBKAfile.

Hold on there, Tehran, don't go off half-cocked. Chances are, if transmitted via the Russians, unless one was on the pad of the cyberwarring entity, that one of them is not to blame. Jason Fritz provides some perspective in Hacking Nuclear Command and Control, a paper commissioned by the ICNND (International Commission on Nuclear Nonproliferation and Disarmament) (emphasis added).

All computers which are connected to the internet are susceptible to infiltration and remote control. Computers which operate on a closed network may also be compromised by various hacker methods, such as privilege escalation, roaming notebooks, wireless access points, embedded exploits in software and hardware, and maintenance entry points. For example, e-mail spoofing targeted at individuals who have access to a closed network, could lead to the installation of a virus on an open network. This virus could then be carelessly transported on removable data storage between the open and closed network.

The Iranian computers were initially infected using flash drives, which anyone could have infected. Tehran: remember who your friends are. When it comes to "crippling sanctions" and even an attack on your nuclear facilities, you don't want to drive Russia into the full embrace of the West.

Cyberwarfare Works on Same Premises as Nuclear War

The computer worm Stuxnet didn't exactly bore into the computers of workers in Iran's nuclear program. In fact, whoever unleashed it -- Israel or another state --  sprayed it indiscriminately like machine gun fire. John Markoff of the New York Times reports:

The most striking aspect of the fast-spreading malicious computer program — which has turned up in industrial programs around the world and which Iran said had appeared in the computers of workers in its nuclear project — may not have been how sophisticated it was, but rather how sloppy its creators were in letting a specifically aimed attack scatter randomly around the globe. 

Thus, perhaps because of a perceived time crunch on the part of the creators, it created what Markoff called "collateral damage" as if it were a military attack. Now for a riddle: name the weapon which never causes collateral damage? Nuclear weapons. Civilians, of course, form the better part of their intended targets and are in no sense of the word collateral.

But cyberwarfare resembles nuclear weapons in other ways. Markoff also writes that cyberwarfare is . . .

. . . also raising fear of dangerous proliferation. . . . "Proliferation is a real problem, and no country is prepared to deal with it," said Melissa Hathaway, a former United States national cybersecurity coordinator. The widespread availability of the attack techniques revealed by the software has set off alarms among industrial control specialists, she said: "All of these guys are scared to death. We have about 90 days to fix this before some hacker begins using it."

Of course, with nuclear weapons, proliferation occurs at a glacial pace compared with malware. In other words, the dangers of proliferation, purely as a concept, are much greater with a worm. To a certain extent, the immediacy of the threat of worms and viruses makes up for the immensity of the threat from nuclear weapons. 

At War in Context, Paul Woodward called Stuxnet the Trinity test of Cyberwarfare. Which brings us to the most important similarity between nuclear war and cyberwarfare: love it or leave it -- deterrence. Woodward rhetorically asks what the implications of Stuxnet are.

1. Iran has been served notice that not only its nuclear facilities but its whole industrial infrastructure is vulnerable to attack. As Trevor Butterworth noted: "By demonstrating how Iran could so very easily experience a Chernobyl-like catastrophe, or the entire destruction of its conventional energy grid, the first round of the 'war' may have already been won."

2. The perception that it has both developed capabilities and shown its willingness to engage in cyberwarfare, will serve Israel as a strategic asset even if it never admits to having launched Stuxnet.

That's why Woodward compares the Stuxnet attack to Trinity, the first U.S. nuclear test. A demonstration of the weapon's power, it was intended to act as a deterrent to keep other states, such as Iran, from . . . what exactly? It might only motivate Iran to complete the nuclear-weapon development process. After all, it wouldn't want to be two weapon systems -- nuclear and cyber -- down on Israel, would it?
