by Kim Zetter
But any Stuxnet gains have to be weighed against the negative residual effects as well. At a time when the United States was battling an epidemic of cyber espionage attacks from China, attacking Iran made it harder to condemn other nations for cyber transgressions against the United States. As the party that fired the first known digital weapon, the United States was no longer in a position to preach abstinence to others.
One final and more lasting consequence of Stuxnet also had to be weighed against its limited and uncertain benefits: the malware’s release had launched a digital arms race among countries big and small that will alter the landscape of cyberattacks forever. Stuxnet’s authors had mapped a new frontier that other hackers and nation-state attackers will inevitably follow; and when they do, the target for sabotage will eventually one day be in the United States.
* * *
1 David Albright, Paul Brannan, and Christina Walrond, “Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? Preliminary Assessment,” Institute for Science and International Security, December 22, 2010, available at isis-online.org/isis-reports/detail/did-stuxnet-take-out-1000-centrifuges-at-the-natanz-enrichment-plant.
2 William J. Broad, John Markoff, and David E. Sanger, “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” New York Times, January 15, 2011.
3 Yossi Melman, “Outgoing Mossad Chief: Iran Won’t Have Nuclear Capability Before 2015,” Ha’aretz, January 7, 2011.
4 Mark Landler, “U.S. Says Sanctions Hurt Iran Nuclear Program,” New York Times, January 10, 2011.
5 Ivanka Barzashka, “Are Cyber-Weapons Effective?” Royal United Services Institute for Defense and Security Studies, July 23, 2013, available at tandfonline.com/doi/pdf/10.1080/03071847.2013.787735. It should be noted that Barzashka only examined the IAEA reports for 2009 and did not take into consideration other rounds of attack by Stuxnet in 2008 and 2010.
6 David Albright and Christina Walrond, “Performance of the IR-1 Centrifuge at Natanz,” Institute for Science and International Security, October 18, 2011, available at isis-online.org/isis-reports/detail/test1.
7 Olli J. Heinonen, “Iran Ramping Up Uranium Enrichment,” Power and Policy blog, July 20, 2011, published by the Belfer Center at Harvard Kennedy School, July 20, 2011, available at powerandpolicy.com/2011/07/20/Iran-ramping-up-uranium-enrichment/#.UtM6Z7SYf8M.
8 Barzashka, “Are Cyber-Weapons Effective?”
9 David Albright, Jacqueline Shire, and Paul Brannan, “Enriched Uranium Output Steady: Centrifuge Numbers Expected to Increase Dramatically; Arak Reactor Verification Blocked,” Institute for Science and International Security, November 19, 2008, available at isis-online.org/publications/iran/ISIS_analysis_Nov-IAEA-Report.pdf.
10 Author interview with Heinonen, June 2011.
11 Heinonen left the IAEA in October 2010 before the centrifuges were removed, therefore he didn’t have access to the inspector reports themselves to see the exact numbers, but he was certain the number of damaged centrifuges exceeded 1,000.
12 A July 2010 letter from the IAEA to Iran referenced “a number of incidents” involving broken seals at the plant. See IAEA Board of Governors, “Implementation of the NPT Safeguards Agreement and Relevant Provisions of Security Council Resolutions in the Islamic Republic of Iran” (report, September 6, 2010), 3; available at iaea.org/Publications/Documents/Board/2010/gov2010-46.pdf. The report does not specify whether the references are to seals placed on the walls or seals placed on gas canisters and other equipment, but an IAEA source told me they referred to wall seals.
13 An IAEA source told me that it was Iran who alerted inspectors to the broken seals, rather than the inspectors finding them on their own. The IAEA investigated the broken seals and found no wrongdoing on Iran’s part. But the investigation, he said, focused only on whether Iran might have broken the seals to remove nuclear material from the rooms out of the view of cameras, not on whether centrifuges might have been secretly removed from the rooms. When inspectors found that all of the uranium was accounted for, they concluded that the seals had not been intentionally broken for illicit purposes, but they left unexplored the possibility that they had been intentionally broken to remove broken centrifuges.
14 Author interview with Albright, February 2011.
15 Ulrike Putz, “Mossad Behind Tehran Assassinations, Says Source,” Spiegel Online, August 2, 2011, available at spiegel.de/international/world/sabotaging-iran-s-nuclear-program-mossad-behind-tehran-assassinations-says-source-a-777899.html. See also “Israel Responsible for Iran Killing: Report,” Global Security Newswire, August 2, 2011, available at nti.org/gsn/article/israel-responsible-for-iran-killing-report.
16 Roshan was given the title of “young nuclear martyr” after his death, and city streets and plazas were named after him. Saeed Kamali Dehghan and Julian Borger, “Iranian Nuclear Chemist Killed by Motorbike Assassins,” Guardian, January 11, 2012. See also Zvi Bar’el, “Iran Domestic Tensions Boil as West Battles Its Nuclear Program,” Ha’aretz, April 8, 2014. David Albright noted to me that when a scientist in the nuclear program is killed, the intent is to eliminate expertise and cripple the program. But killing someone involved in procurement for the program is meant to send a message and scare others from serving a similar role.
17 David E. Sanger and William J. Broad, “Blast That Leveled Base Seen as Big Setback to Iran Missiles,” New York Times, December 4, 2011.
18 Sheera Frenkel, “Second Blast ‘Aimed at Stopping Tehran’s Nuclear Arms Plans’,” Times (London), November 30, 2011. Iranian news agencies reported the blast initially, though the reports were later removed from websites, and officials retracted statements they had made confirming the blast. In February 2012, an Israeli ad joked about the explosion. The ad, for the Israeli cable TV company HOT, was later pulled offline. It featured members of an Israeli comedy series, Asfur, who sneak into Iran in drag dressed as Muslim women—likely a mock reference to the time former Palestinian leader Yasser Arafat was said to have escaped capture dressed as a Muslim woman. The three arrive in Esfahan, the site of the uranium conversion facility in Iran where the mysterious explosion occurred. As the comedians walk through town, a nuclear facility visible behind them, one of them spreads sunscreen on his face. When his companions look askance at him, he replies, “What? Don’t you know how much radiation there is here?” The bungling travelers then encounter a bored Mossad agent sitting at an outdoor café who tells them he’s been in town two months conducting surveillance and has been killing time watching on-demand episodes of Asfur on his Samsung Galaxy tablet, a gift his wife and he received for subscribing to HOT. “Nuclear reactor or no nuclear reactor, I’m not missing Asfur,” he says. One of the travelers reaches toward the tablet and asks, “What’s this application here?” As he presses something on the screen, a fireball explodes behind them at the nuclear facility. His companions look at him in shock and he replies, “What? Just another mysterious explosion in Iran.”
19 “Sources: Iran Exposed Spying Device at Fordo Nuke Plant,” Ynet (online news site for the Israeli newspaper Yediot Ahronot), September 23, 2012, available at ynetnews.com/articles/0,7340,L-4284793,00.html.
20 Fredrik Dahl, “Terrorists Embedded in UN Nuclear Watchdog May Be Behind Power Line Explosion,” Reuters, September 17, 2012, available at news.nationalpost.com/2012/09/17/terrorists-embedded-in-un-nuclear-watchdog-may-be-behind-power-line-explosion-iran. An Iranian official disclosed both incidents at the IAEA general conference in Vienna, accusing the IAEA of collusion. He noted that the day after the explosion that took out power lines feeding electricity to Fordow an IAEA inspector asked to conduct an unannounced inspection there. “Who other than the IAEA inspector can have access to the complex in such a short time to record and report failures?,” the official asked.
21 Eli Lake, “Operation Sabotage,” New Republic, July 14, 2010.
22 George Jahn, “UN Reports Iran Work ‘Specific’ to Nuke Arms,” Associated Press, November 8, 2011, available at news.yahoo.com/un-reports-iran-specific-nuke-arms-184224261.html.
23 Ali Vaez, “It’s Not Too Late to Peacefully Keep Iran from a Bomb,” The Atlantic, November 11, 2011.
24 “Iran Says United and ‘Ready for War’ with Israel,” Ha’aretz, November 3, 2011.
25 Anne Gearan and Joby Warrick, “Iran, World Powers Reach Historic Nuclear Deal,” Washington Post, November 23, 2013, available at washingtonpost.com/world/national-security/kerry-in-geneva-raising-hopes-for-historic-nuclear-deal-with-iran/2013/11/23/53e7bfe6-5430-11e3-9fe0-fd2ca728e67c_story.html.
CHAPTER 19
DIGITAL PANDORA
On May 30, 2009, just days before a new version of Stuxnet was unleashed on computers in Iran, President Barack Obama stood before the White House press corps in the East Room to address the grave state of cybersecurity in the United States. “We meet today at a transformational moment,” he said, “a moment in history when our interconnected world presents us, at once, with great promise but also great peril.”
Just as we had failed in the past to invest in the physical infrastructure of our roads, bridges, and railways, we had failed to invest in the security of our digital infrastructure, Obama said. Cyber intruders, he warned, had already probed our electrical grid, and in other countries had plunged entire cities into darkness. “This status quo is no longer acceptable,” he said, “not when there’s so much at stake.”1
How ironic his words turned out to be a year later when Stuxnet was discovered spreading in the wild, and the public learned that the United States had not only violated the sovereign space of another nation in an aggressive cyberattack, but in doing so had invited similar attacks upon vulnerable US systems in retaliation.
While Obama and other officials sounded the alarm about adversaries lurking in US systems and laying the groundwork for future attacks against the power grid, US military and intelligence agencies had been penetrating foreign systems in Iran and elsewhere, building stockpiles of digital weapons, and ushering in a new age of warfare, all without public discussion about the rules of engagement for conducting such attacks or the consequences of doing so. Perhaps it was knowledge of what the United States was doing in Iran and elsewhere that prompted the president’s urgent warnings about the risks to US systems.
Michael V. Hayden, who was director of the CIA during the time Stuxnet was developed and unleashed, told a reporter after the digital weapon was exposed that “somebody had crossed the Rubicon” in unleashing it.2 That somebody, it turned out, was the United States. And, as noted, where the United States led, others would follow.
Today there’s a surge among nations around the world to expand existing cyber capabilities or build new ones. More than a dozen countries—including China, Russia, the UK, Israel, France, Germany, and North Korea—have digital warfare programs or have announced plans to build one. China began developing its offensive operations in the late ’90s, at the same time the United States made its first forays into this new fighting domain. Even Iran is developing a cyberwarfare program. In 2012, Ayatollah Ali Khamenei announced the creation of a defensive and offensive cyber program and told a group of university students that they should prepare for the coming age of cyberwarfare with Iran’s enemies.3
As for the United States, the Defense Department’s Cyber Command currently has an annual budget of more than $3 billion and plans to increase its workforce fivefold, from 900 people to 4,900—covering both defensive and offensive operations.4 The Defense Advanced Research Projects Agency, or DARPA, has also launched a $110 million research project called Plan X to develop cyberwarfare technologies to help the Pentagon dominate the digital battlefield. The technology wish list includes a continuously updated mapping system to track every system and node in cyberspace in order to chart the flow of data, identify targets to attack, and spot incoming assaults. The Pentagon also wants a system capable of launching speed-of-light strikes and counterstrikes using preprogrammed scenarios so that human intervention won’t be necessary.5
Of all the nations that have a cyberwarfare program, however, the United States and Israel are the only ones known to have unleashed a destructive cyberweapon against another sovereign nation—a nation with whom it was not at war. In doing so, it lost the moral high ground from which to criticize other nations for doing the same and set a dangerous precedent for legitimizing the use of digital attacks to further political or national security goals.
“This was a good idea,” Hayden told 60 Minutes about Stuxnet. “But I also admit this was a big idea too. The rest of the world is looking at this and saying, ‘Clearly, someone has legitimated this kind of activity as acceptable.’ ”6
Digital assaults could now be considered a viable option by other states for resolving disputes.
Civil War general Robert E. Lee said famously that it was a good thing war was so terrible, “otherwise we should grow too fond of it.”7 The horrors and costs of war encourage countries to choose diplomacy over battle, but when cyberattacks eliminate many of these costs and consequences, and the perpetrators can remain anonymous, it becomes much more tempting to launch a digital attack than engage in rounds of diplomacy that might never produce results.
But the digital weapon didn’t just launch a new age of warfare, it altered the landscape for all cyberattacks, opening the door to a new generation of assaults from state and nonstate actors that have the potential to cause physical damage and even loss of life in ways never before demonstrated. “My prediction is that we are all going to become nostalgic for the days of fame-seeking mass mailers and network worms,” Symantec’s Kevin Haley wrote of the post-Stuxnet future.8 LoveLetter, the Conficker worm, and even the Zeus banking Trojan would become quaint reminders of the days when attacks were simpler and, by comparison, more innocent.
Stuxnet was a remarkable achievement, given its sophistication and single-minded focus. But it was also remarkably reckless. Because like the atomic bombs detonated over Hiroshima and Nagasaki, it introduced the use of a powerful technology that will have consequences for years to come. Kennette Benedict, executive director of the Bulletin of the Atomic Scientists, noted several parallels between Stuxnet and the first atomic bombs in an article she wrote for that publication about the lack of foresight that went into developing and unleashing both technologies. In both cases, government and scientific leaders raced to develop the weapons for the United States out of fear that adversaries would create and unleash them first. The long-term consequences of dropping the atomic bombs were also as poorly understood in the 1940s as the consequences of unleashing digital weapons are today—not only with regard to the damages they would cause, but to the global arms race they would create. “We have come to know how nuclear weapons can destroy societies and human civilization,” Benedict wrote. “We have not yet begun to understand how cyberwarfare might destroy our way of life.”
And in another parallel with atomic bombs, despite alarm bells sounded about their use, the United States continued to develop first atomic weapons and now digital ones without public discussion about how they should be used or their impact on global security and peace.9 How ironic then, Benedict noted, “that the first acknowledged military use of cyberwarfare is ostensibly to prevent the spread of nuclear weapons. A new age of mass destruction will begin in an effort to close a chapter from the first age of mass destruction.”
Despite the parallels, there is at least one crucial difference between the atomic bombs of the 1940s and Stuxnet. The bar was high for someone to build or obtain a nuclear weapon—or any conventional missile and bomb, for that matter. But cyberweapons can be easily obtained on underground markets or, depending on the complexity of the system being targeted, custom-built from scratch by a skilled teenage coder, a task made simpler by the fact that every cyberweapon carries the blueprints for its design embedded within it. When you launch a cyberweapon, you don’t just send the weapon to your enemies, you send the intellectual property that created it and the ability to launch the weapon back against you.10 It would be comparable to a scenario where, if in 1945, it wasn’t just radioactive fallout that rained down from the bombs onto Hiroshima and Nagasaki but all of the scientific equations and schematics for constructing them as well.
The nations, of course, that are most at risk of a destructive digital attack are the ones with the greatest connectivity. Marcus Ranum, one of the early innovators of the computer firewall, called Stuxnet “a stone thrown by people who live in a glass house.”11
Stuxnet was proof that a digital attack, consisting of nothing more than binary commands, could achieve some of the same destructive results as a conventional bomb. But it also showed how even a powerful nation like the United States, with unmatched air and sea defenses, could be vulnerable to a similar assault from adversaries who never had to venture beyond their borders to launch an attack. As Mike McConnell, the former director of national intelligence, told a US Senate committee in 2011, “If the nation went to war today, in a cyberwar, we would lose. We’re the most vulnerable. We’re the most connected. We have the most to lose.”12
The targets most in danger from a digital attack in the United States are not just military systems but civilian ones—transportation, communication, and financial networks; food manufacturing and chemical plants; gas pipelines, water, and electric utilities; even uranium enrichment plants.13 “We now live in a world where industrial control systems can be attacked in the event of a crisis,” Stewart Baker, former DHS assistant secretary has said. “We do not have a serious plan for defending our industrial control systems even though our entire civil society depends on it.”14