While the wages of sin are reputed to be death, the wages of Stuxnet will be unforeseen havoc for years to come. Several interesting reports are out about the cyberweapon, which outgoing Israeli chief of staff Gabi Ashkenazi took credit for at his farewell party yesterday. Those who read my blog carefully may remember two points I tried to make about Stuxnet at the height of the attack. First, no matter how much damage was done, the relative impact would be short-term and not severe. Just to be clear, I wrote this not because I want Iran to have a nuclear weapon, but rather because I thought the idea of sabotaging its nuclear program was wrong in ways moral as well as pragmatic.
Second, I wrote that the model of cyberattack represented by Stuxnet would let loose a whirlwind of potentially destructive attacks against any party responsible for it. In a way, Stuxnet is like the proverbial gun in a play, about which Chekhov says: if you see a gun in the first act it will be fired by the third. In other words, the damage wrought by Stuxnet might be confined to Iran’s nuclear program at first, but there is no possible way to prevent that gun from being fired again once you’ve seen it used.
The N.Y. Times published a story a few weeks ago revealing that Israel and the U.S. collaborated on creating Stuxnet. I’d say that we live in an industrial-technological glass house. So why we threw that rock at Iran’s nuclear program is beyond me. Did we think that some smart set of hackers or a foreign intelligence agency might not use the mojo against us sometime? Do we think that our nuclear power plants, electric grid and industrial systems are so secure that someone might not arrange for our own comeuppance?
Personally, I think whoever originally derived this concept and approved it wasn’t thinking straight. They were going for immediate, short-term gain (damaging Iran’s nuclear facilities) and giving short, or even no, shrift to the far-range implications.
Returning to my first point above, the Washington Post reveals a new study by the Institute for Science and International Security, which uses video footage compiled by IAEA cameras inside Iran’s nuclear facilities, to confirm that Stuxnet did a relatively small amount of damage overall to Iran’s plants at Bushehr and Natanz. At most, 10% of the centrifuges were destroyed and these were rapidly replaced. Iran’s overall output of enriched uranium in 2010 didn’t even decline. So you remember Meir Dagan crowing about how Iran’s nuclear ambitions had been humbled by his brilliant cyberploy, and the Iranian bomb had been pushed back to 2015? Forget about it.
While the majority of the ISIS report sounded extremely persuasive to me, this bit of magical thinking didn’t:
…The worm almost certainly exacted a psychological toll, as Iran’s leaders discovered that their most sensitive nuclear facility had been penetrated by a computer worm whose designers possessed highly detailed knowledge of Natanz’s centrifuges and how they are interconnected, said David Albright, a co-author of the report.
“If nothing else, it hit their confidence,” said Albright, ISIS’s president, “and it will make them feel more vulnerable in the future.”
I have no idea why Albright would say this. While Stuxnet certainly was a crisis for Iran’s nuclear program, given how successfully it defended against the crisis and recovered from it, why would Iranian scientists or security experts be quaking in their boots? If anything, it will make them even more determined not to allow such a breach in the future.
And on the contrary, I’d say that now it is the U.S. and Israel who will have to be looking over their shoulders knowing they’ve unleashed the god of cyberdestruction on the world. Iran has already been hit and absorbed the worst of it. But we haven’t, and our security experts should be runnin’ pretty scared, I’d think, imagining ways in which our own industrial processes could be compromised and the immense damage it could cause us. This October 2010 article from the Post delves into some of the ways in which the worm and its descendants could bring us to our knees.
Finally, FoxNews notes that a group of sophisticated computer hackers, angry at a security firm which supposedly attempted to infiltrate its ranks, penetrated the company’s e-mail system and exposed a modified version of Stuxnet, which they promptly unleashed online. Don’t worry, our electrical power grid is not about to go down. The version of the worm they released is not an exact duplicate of the real thing and probably can’t do much immediate damage to anyone. But my point is that once you let this genie out of the bottle you’ll never get him back in it. You don’t know who will get hold of Stuxnet next and what they might do with it. And the article makes very clear that there are versions of Stuxnet out there and that some very enterprising hacker or foreign computer intelligence agent will be able to make use of it–someday. And we’ll have only ourselves to blame because we thought we were being oh so clever when we birthed Stuxnet and bestowed it on our Iranian friends.
Remember karma? What you do comes back to you. And in ways unforeseen. Oh, and incidentally, you won’t hear about any of this in Clarion Fund’s new ‘hit’ movie, Iranium…