Cyberwar Enters a New Phase: Stuxnet and Iran

DEVELOPMENTS

The Stuxnet worm has sounded the alarm of cybersecurity professionals around the world. Stuxnet is the first known malware designed to attack an industrial control system – such systems assist in managing equipment found in critical infrastructure facilities, like power plants, gas pipelines, and dams. Moreover, it appears Stuxnet was created specifically to sabotage Iran’s nuclear program. “Stuxnet is really a paradigm shift,” states Dr. Udo Helmbrecht, Executive Director of the European Network and Information Security Agency, “as [it] is a new class and dimension of malware.”

Stuxnet was unleashed amidst the West’s growing concerns about Iran’s uranium enrichment effort. While Iran has repeatedly asserted that its nuclear program is only for peaceful purposes, suspicions that Iran aims to develop a nuclear weapon persist. The U.S. maintains Tehran is, at a minimum, pursuing the capability to produce nuclear weapons; Israel insists Tehran is actively developing them.

Although it is probable that one or more of the countries most worried about Iran’s nuclear ambitions released Stuxnet, given the nature of cyberwar, the worm’s actual origin and true target may never be definitively determined. What is clear, however, is that revelations about Stuxnet are coming to light at a time when many countries’ defense establishments, including those of the U.S. and Iran, are expanding their cyber capabilities. Stuxnet highlights many of the issues surrounding cyberattacks and will thus undoubtedly inform the debate over the future of cyber operations.

BACKGROUND

A Belarusian security firm first reported Stuxnet in June 2010. Analysts who have examined the malware since then have concluded that its initial target was likely an infrastructure site in Iran. Two pieces of information, taken together, support that finding. First, the concentration of infected devices was highest in Iran – over 60% of the approximately 100,000 infections were located there.

Second, the worm was designed to deliver its payload only where a particular Siemens industrial control system was attached to a frequency converter drive manufactured by two companies – Fararo Paya of Iran or Varon NX of Finland. Frequency converter drives control the speeds of other equipment, such as the centrifuges used in enriching uranium.

The worm can gain access to systems via an ordinary USB drive, which matters because, for security reasons, information systems at critical infrastructure sites are usually not connected to the internet. Stuxnet exploits an unprecedented number of previously unknown weaknesses – “zero-day vulnerabilities” – to penetrate the Windows operating system. Next, using digital signatures belonging to two legitimate companies, it installs drivers that make its activity appear trustworthy to security software. It then propagates, moving across local networks through print spoolers and spreading via infected USB drives – any USB drive plugged into an infected machine becomes a carrier of the malware. Finally, wherever the specified combination of industrial control system and frequency converter drive is found, Stuxnet reprograms the system so that the speed of the equipment it controls increases and decreases abruptly – without alerting the system’s operator.

According to nuclear experts, if Stuxnet infiltrated a system regulating centrifuges, the changes in speed it commands would cause the centrifuges to break apart. It is not known whether this actually occurred at Iran’s uranium enrichment facilities. There have been indications, however, that the worm disrupted the country’s enrichment program. In November 2010, Iranian President Mahmoud Ahmadinejad stated, “They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts.” An unnamed senior diplomat suggested that Stuxnet may have caused a shutdown of the centrifuge facility at Natanz that month. And figures show there were significant delays and breakdowns involving centrifuges at the Natanz facility during the period in which Stuxnet was operational.

Considering the knowledge and financial resources needed to design Stuxnet, and its apparent purpose, suspicion of its creation centers on the U.S. and Israel, and falls to a lesser extent on Great Britain and Germany. Microsoft estimates Stuxnet took 10,000 person-days of work to create. In addition to highly sophisticated programming skills, the malware’s developer had to possess an advanced understanding of nuclear engineering, as well as the espionage capabilities to acquire the secret digital signatures and to plant a USB drive near persons associated with Iran’s nuclear program. Of note, both Presidents George W. Bush and Barack Obama have authorized efforts to undermine the electrical, computer, and network systems serving Iran’s nuclear program.

ANALYSIS

Determining Stuxnet’s impact on international relations is difficult, because the precise goals and effects of the worm’s release remain unknown. To the extent Stuxnet disrupted or degraded an Iranian effort to build a nuclear weapon, or leads Iran to halt its uranium enrichment program and cooperate more fully with the International Atomic Energy Agency, it may be seen as having been a positive development. The malware may also be viewed as having been a negative force, however, if it ends up redoubling Iran’s commitment to its nuclear program or leading Iran to retaliate in a particularly damaging way.

More immediately, Stuxnet’s destructive potential brings to the fore broader issues about the use of cyberweapons. Because cyberwar is asymmetric and cyberattacks can be difficult to attribute, and because released code becomes available for others to reformulate, it is vital that countries with more advanced cyber capabilities consider the longer-term impacts of their operations. It may very well be that a revised version of Stuxnet is used to attack the critical infrastructure of the U.S. and its allies in the future. Additionally, the offensive aspect of cyberattacks must be reviewed – Stuxnet’s potency creates an argument that similar cyberweapons should be subject to the principles of military necessity, discrimination, and proportionality. If they were, however, there would have to be a new focus on the precision targeting of cyberweapons and the containment of their effects.

Last year, as its new Cyber Command was preparing to become fully operational, the U.S. military formally recognized cyberspace as the fifth domain of warfare, acknowledging that it has become as critical to security operations as land, sea, air, and space. Iran, meanwhile, claimed to have the world’s second largest cyberarmy and set aside $500 million for cyber operations. In that environment, Stuxnet heralded the arrival of a new phase in cyberwar, one that is certain to have profound implications for relations between Iran and the West, and for foreign affairs more generally.

Jason Fisher is an attorney living in the San Francisco Bay Area. He holds graduate and law degrees from the University of California, Berkeley, and his professional interests include foreign affairs, national security, and international law.
