We can be pretty sure Stuxnet targeted Iran’s Natanz uranium enrichment plant, and we know, because of its enormous complexity and sophistication, that large resources went into its development. But did those who built and launched it achieve their objective?
The New York Times concluded one of two recent articles on Stuxnet with a skeptical assessment by Tom Parker, a computer security specialist at Securicon LLC, in Washington DC. He said the malware’s wide geographic dispersal and its detection indicated that it was a failed operation. “The end target is going to be able to know they were the target, and the attacker won’t be able to use the technique again,” Parker told the Times.
But according to the German cybersecurity specialist Frank Rieger, whose prescient analysis of Stuxnet subsequently was confirmed in almost every detail by a major Symantec report, the malware had a built-in terminal time. It evidently was designed to disrupt the operations of its target for a matter of months, in mysterious ways that the operators would find impossible to diagnose or even recognize, and then disappear from view completely.* Its designers must have known that it would spread far beyond its main target, given its prodigious networking capabilities. They seem to have taken considerable care, indeed, to guarantee that Stuxnet would cause little collateral damage when it infected innocent bystanders. By Symantec’s count, it spread to at least 100,000 other computers, evidently without causing much damage or disruption.
Oddly, the Times article that ends with Parker’s negative assessment of Stuxnet opens with the observation that when Israeli officials are asked about who was behind the malware attack, they break into broad smiles. Are we to suppose they’re beaming because Stuxnet shows how incredibly smart Israeli computer scientists are, even though they ultimately failed at what they were trying to do?
Put yourself in the shoes of the Iranian leadership. If Israeli fighters had attacked Natanz, they would have done some damage and set the program back, but indignant Iran would have reacted with added resolve; the attack would not be a huge blow to the country’s morale, nor would it likely change anything basic.
Instead, Iran’s leaders learn that operations at the industrial facility they care most about have gone awry in ways impossible to understand. Then they discover the reason appears to be that their arch-enemy has figured out a way to infect the plant remotely, as if by magic.
It would be like losing your arm in an attack by a crazed mugger versus suffering a neurological breakdown, the work of a malicious mad scientist, that causes your body to disregard whatever your mind wants it to do.
Under the circumstances, you’ll do whatever you can to protect yourself from future attacks, but it won’t ever be easy again to feel really secure, even though you believe it’s now been figured out how the attack worked the first time around.
Under the circumstances it might make sense, instead of relying wholly on one huge enrichment plant, to create a network of smaller, fortified, electronically segregated enrichment plants–which is what Iran has admitted it’s now doing. But it might also make sense to resume negotiations with the IAEA, France, Germany, the UK and the US, and possibly even–heaven help us!–negotiate in good faith.
* As detailed in the Symantec report, Stuxnet would reprogram the electronic devices regulating the Iranian centrifuges to spin at frequencies far outside their intended operating range. The expected result would be not merely a temporary decline in production but physical damage to the centrifuges, which would then have to be repaired. Possibly, to give Parker his due, the intent was to cause serious setbacks at the Natanz plant, have Stuxnet lie low for a time, and then set it to work again as Iranian production was ramping back up to the intended norm. Or possibly some other version of Stuxnet malware was being held in reserve, to be deployed when the Iranians figured out how to counter Stuxnet specifically. Stay tuned.