In summer 2013, I attended a conference on cybersecurity at Tel Aviv University. It was there that I learned for the first time that Stuxnet — the super-sophisticated computer virus that the US and Israel allegedly managed to insert into Iran’s Natanz enrichment facility in 2010, there to play havoc with the centrifuges — had come to be regarded in the world of cyber-warfare as a terrible mistake.
Several speakers at the conference made this assertion, branding as a failure what had been widely regarded in Israel as a dazzling success — a nonmilitary strike that had set the Iranian program back by a good few months, and had planted all kinds of uncertainty in the minds of their nuclear technicians.
On the sidelines of that conference, therefore, when I interviewed Richard A Clarke, the counterterrorism chief for both Bill Clinton and George W. Bush, I asked him whether he too thought Stuxnet had been, to put it mildly, counterproductive. Absolutely, Clarke made clear.
For one thing, “the attack code was supposed to die and not get out onto the internet,” he noted, but it did. “It got out, and ran around the world.” It couldn’t harm anything else, because it had been programmed only to strike at Iran’s centrifuges, but “nonetheless it tried to attack things and people therefore grabbed it and decompiled it, so it’s taught a lot of people how to attack,” said Clarke.
In other words, the alleged US-Israel cyber-warfare breakthrough became common knowledge in that dark world, enabling others — including, it would transpire, the Iranians themselves — to learn how to conduct similar attacks.
Worse still, Clarke indicated, the fact that the attack had been discovered constituted a kind of legitimation of that form of warfare — if the US was doing it, it could hardly complain if its enemies did the same. And this in an era when defenses against cyber warfare were playing constant catch-up to try to foil attackers.
As Clarke put it, “No one really knows how to do defensive systems. The technology right now doesn’t work as well on the defense as it does on the offense. Historically, there’s this phenomenon in military science called ‘offense preference,’ where certain circumstances are created where the offense always wins… Right now and for some time now, we have been in this period of offense preference in cyber, where the offense usually wins.”
As the fascinating documentary “Zero Days,” released earlier this year, makes clear, we are still emphatically living in an era when “the technology doesn’t work as well on the defense as it does on the offense.”
Alex Gibney’s riveting film includes the devastating accusation that Israel blew Stuxnet by utilizing it too aggressively, so that the Iranians could hardly help realize that they were being attacked. It also details how Iran responded to Stuxnet.
For a start, the Iranians themselves got hold of the code and figured out how it worked. And then, once they had cleaned out their computers, and recovered from what, relatively speaking, was the minor setback of the attack, they hit back. Twice.
In the wake of Stuxnet, “Zero Days” reported, Iran set up a “cyber army” to wage computer warfare. And in August 2012, the Iranians targeted Saudi Aramco, the world’s biggest oil company, in a massive cyber attack that wiped out “every piece of software, every line of code, on 30,000 computers.” A month later, they targeted a series of US banks online, in an unprecedented attack that impacted millions of customers.
The unstated message from Tehran to its adversaries: You try to wage cyber warfare against us? We’re more than capable of doing the same, and worse, to you.
Quoting CIA and National Security Agency sources, “Zero Days” asserted that Stuxnet was actually only a small part of an immensely wider anti-Iranian mission — a full-scale cyber-war, essentially designed to bring Iran to a complete halt. This mission, known as “Nitro Zeus,” was initiated amid US fears that Israel might attack Iran’s nuclear sites, and that if it did, the US would be drawn into the conflict.
At a cost of hundreds of millions, maybe billions, the sources said, the American government’s cyber-warriors developed the capabilities to infiltrate Iran’s military computer systems. They learned how to attack Iran’s military command-and-control system, “so the Iranians couldn’t talk to each other in a fight.” They developed the ability to take control of Iran’s air defenses, “so they couldn’t shoot down our planes if we flew over.”
Far, far beyond that, however, the US also developed the capability to infiltrate Iran’s civilian computer control networks. “We also went after their civilian support systems, power grids, transportation, communications, financial systems,” the CIA and NSA sources said. “We were inside, watching, waiting, ready to disrupt, degrade and destroy those systems with cyber attacks.” By comparison, said the sources, “Stuxnet was a back alley operation.” Nitro Zeus provided for “a full-scale cyber war, with no attribution… The science fiction cyber war scenario is here.”
What the US developed, in short, was the capacity to close down Iran at the flick of a switch.
What has become of that dazzling, terrifying capability? There is no reason whatsoever to believe that the US would have dismantled it. And, meanwhile, according to one of the experts at the Symantec cybersecurity firm, which broke much of the ground in understanding Stuxnet, other nations, unsurprisingly, have been working to develop their own, parallel, full-scale cyber-war capabilities — their own programs to shut down the enemy with the flick of a switch.
Since the “Zero Days” documentary was made, “we’ve seen multiple campaigns from potentially multiple different state actors all doing very similar things — basically placing their implants, their malicious code, in key places in the infrastructure of different countries,” said Symantec’s Eric Chien in an interview with the Daily Beast just last month. They’re “just waiting,” he warned. “So potentially some political event happens and then they can literally flip the switch.”
What would happen if you did flip the switch? As the NSA and CIA sources told Gibney in “Zero Days,” “When you shut down a country’s power grid, it doesn’t just pop back up” afterwards. “It’s more like Humpty Dumpty. And if all the king’s men can’t turn the lights back on or filter the water for weeks, then lots of people die. And something we can do to others, they can do to us too.”
If other countries have now caught up with that US’s Nitro Zeus capability, if the free world and its enemies have both now developed the capability to shut down entire countries, we would seem to have reached the cyber equivalent of mutually assured destruction.
Stuxnet was intended by its designers to play havoc with Iran’s nuclear enrichment capabilities, as a step toward ensuring that the ayatollahs never attain the bomb. The cyber-warfare race that it unleashed would appear to have massively complicated that challenge. It’s no surprise the experts have long since drawn their bleak conclusions about Stuxnet. And one can only wonder how the cyber-warfare advances that followed its discovery have complicated the vital ongoing imperative to halt Iran’s march to the bomb.