Modern Warfare, Too

The Stuxnet worm is said to have negatively impacted computer systems in Iranian nuclear facilities such as the Bushehr reactor and the Natanz uranium enrichment plant, although the depth and breadth of its impact at these facilities are unclear. About Bushehr, Hamid Alipour, deputy head of Iran’s Information Technology Company, was quoted by the Iranian News Agency as saying, “The attack is still ongoing and new versions of this virus (sic) are spreading.” On September 26, Mahmoud Jafari, the project manager at the Bushehr plant, said the worm “has not caused any damage to major systems of the plant,” yet on September 29 Iran announced that the Bushehr plant would not go on line for at least another three months. A link between Stuxnet and a slow-down in uranium enrichment at Natanz is just as speculative but not unrealistic, given Stuxnet’s capabilities.

Two themes have emerged in media coverage of Stuxnet: that it is a “cyber weapon” designed to disable critical infrastructure computer systems, and that its sophistication is such that only a powerful nation-state could have created it. The reality is that Stuxnet is something special, but not in the way that most observers have noted.

The weaponization of computer code and the targeting of adversary computer systems is not a new phenomenon. It is simply an extremely rare one. What is significant is that the Stuxnet code focuses on critical infrastructure systems, which for a long time were thought to be too arcane and obscure to be targeted by online subversives.

Some background: Stuxnet is a worm, which is a subset of a larger body of computer programs called malicious software, or “malware.” You are probably already familiar with the most common form of malware: the computer virus. Worms differ from viruses in that worms operate independently of other programs; a virus must attach itself to some legitimate program in order to spread. A worm may not damage a computer or network, but its replication may degrade bandwidth and consume CPU power to the detriment of legitimate uses; viruses inevitably corrupt or otherwise modify legitimate programs to do things other than what their creators intended or their users desire.

There is no evidence that Stuxnet targeted the Bushehr nuclear facility specifically. What it does is look for systems that contain a particular kind of Siemens Supervisory Control and Data Acquisition (SCADA) software: specialized software that interacts with mechanical controls, used to operate things like power plants, water treatment facilities, and oil pipelines. The Siemens equipment targeted by Stuxnet happens to be installed at facilities in Iran, as well as in Germany (where most of the infections have been reported), the United States, and other parts of the world.

Stuxnet was probably not created in response to any recent developments in Iran. Earliest indications are that it was first seen in the wild in the summer of 2009. Does that coincide with the delivery and installation of Siemens software in Bushehr? That information is not likely to be in the public domain, and it’s something that Siemens, which does a lot of business with Iran, would not want to divulge. But Siemens officials have been quick to point out that the company has nothing to do with Bushehr, which suggests that any Siemens software running at the facility is unlicensed. If that’s the case, the only way Bushehr became a specific target of Stuxnet would be if someone who knew Bushehr is running Siemens software passed that information to Stuxnet’s creator or creators.

Siemens also does a fair bit of business in Israel, in both the public and private sectors, which would make Israeli access to the information needed to create Stuxnet fairly straightforward. Would Siemens work cooperatively with an Israeli organization that wanted to impact Siemens systems in specific Iranian locations? Software companies come to all sorts of arrangements with nations in order to do business with them. The alternative to not cooperating is often the inability to do business overseas. You could make the argument that such an arrangement is coercion, or in the case of trying to prevent a regime like Iran from obtaining nuclear weapons, you could say it was the right thing to do.

Creating malware is like creating other types of computer programs: You have a specific goal for what you want the program to accomplish, and you write instructions in a language that the computer will understand to accomplish those goals. Libraries of pre-written code exist so that you don’t have to write common functions from scratch. There is actually a market for malicious code—like modern Willie Suttons, criminals know that cybercrime is where the money is. Successful malware of this sort is fairly sophisticated, as evidenced by how often it sneaks past anti-virus products and how much money their masters are able to obtain from both individuals and large financial institutions.

Stuxnet is not run-of-the-mill malware, which is why so many are attributing its creation to a sophisticated, well-funded, probably state-sponsored organization. But building malware that stands out from the run-of-the-mill is not a particularly expensive or herculean effort. The assembly of such parts is not for amateurs, but the necessary skills are not as scarce as some would lead you to believe. What leads people to think that a very powerful actor is behind Stuxnet is that so many amateurs churn out so much crappy malware on a daily basis that anything sufficiently unique is a rarity and treated as such.

Perhaps the most important feature of Stuxnet has nothing to do with its construction, technical capabilities, or its speculative link to a contentious real-world situation, but the fact that it is much more in-line with traditional military or intelligence thinking than most malicious activity noted online to date. Malicious online activity linked to a real-world political-military situation is not new. Whether it’s a plane crash, an accidental bombing, or an all-out war, such attacks almost never cause any irreparable damage, and in most cases it becomes clear that the attackers targeted any system they could find; they did not take the time to identify and focus their energies on what is commonly referred to as a “legitimate military target.” Stuxnet does nothing but seek out legitimate targets, in the context of total war. It is an indicator that, at a minimum, confirms what observers of the information warfare field have suspected for some time: When the enemy comes, he’ll turn out the lights first. The worst-case scenario is that the ability to negatively impact critical infrastructure is becoming democratized, and claims about being able to do things like shut down the Internet won’t be far-fetched but instead commonplace.

It is not unrealistic to think that the authors of Stuxnet are Israeli. Like the United States, Israel has long been interested in developing and deploying cyber capabilities in its war-fighting arsenal. Like the United States, it also has seen those with advanced technical talent migrate from the armed forces and intelligence services into the private sector. It is also not unrealistic to think that Israel has access to the kind of information that would be required to target Siemens SCADA software. So, we have the means and the opportunity, now we need to look at the question of motive.

If the existence, much less the successful operation, of Bushehr is unacceptable to Israel, the means available to destroy, disable, or delay its launch must be evaluated. I cannot speak to the effectiveness of Israel’s capabilities in the first two categories, but Stuxnet is an excellent way to delay—even if briefly—activity at Bushehr.

For all its sophistication, though, Stuxnet is not really that effective a digital weapon. Digital weapons are not analogous to just any physical weapons; they’re disposable sniper rifles, not cluster bombs. They are meant to perform specific tasks, and because the arms race between cyber defenders and attackers is so close, attackers go into battle assuming that their weapons will work only once. To that end, Stuxnet may not have been designed to kill, but simply to disorient: cyber tear gas, if you will. It is also sophisticated enough, it is targeted enough, to make the sufficiently suspicious in Iran wonder if there is in fact not someone on the inside who has passed information about Bushehr’s SCADA systems to Israel.

Stuxnet may be Israeli-by-proxy. It is not clear to me that enough data exists to point to the ethnicity or country of origin of Stuxnet’s author or authors, but it is not unheard of for malware to have words, phrases, or names written inside the code that suggest its author wrote in a given language. Linguistic clues like the inclusion of the word “Myrtus” in Stuxnet’s code are an interesting hint, but it almost seems too obvious by half. Regardless, it would not be the first time that a nation had contracted out its offensive cyber capabilities.

The strategic advantages Israel gains via Stuxnet—regardless of whether or not it has any connection to it at all—are significant. Without launching a single aircraft, without firing a shot, without endangering the life of a single soldier, Stuxnet has provided Israel with a means to slow down activities at Bushehr, a means to occupy the time and energy of the Iranian intelligence and security apparatus, and a means to enhance its reputation—deserved or not—as a player in the realm of cyber conflict.

That is what we are really witnessing here in the Stuxnet case: the evolution of conflict. Nations do not have friends or enemies, they have allies and adversaries. The more connected we all become at local, national, and global levels, the more the destruction brought on by conventional war becomes undesirable. Effects-Based Operations, the early 1990s idea that military and nonmilitary methods had to be combined for a desired effect, has lost its luster in military circles, but the reasoning is sound enough: If you’re not actually going to bomb your adversaries back into the Stone Age, you don’t want to destroy the power plant, you just want to turn it off, because eventually you want the lights to come back.

To a large extent it doesn’t matter who was behind the creation and release of Stuxnet; that it compromised computer systems at Bushehr is almost beside the point. Its mere existence provides both sides interested in Bushehr with ammunition to support their own agendas. The Iranians get to feel both smug and scared in that Stuxnet probably won’t neutralize activity at Bushehr (Stuxnet will naturally not be the cause of any delays, and the resumption of work will be quickly and loudly promoted), but the fact that it looks for systems they have may be enough to convince their security apparatus that someone on the inside cannot be trusted. Adversaries of Iran—whether they wrote Stuxnet or not—get to look alternately very scary in their ability to know what sort of systems are running in Bushehr and fairly inept in that they let a digital weapon get loose in public. Both the mullahs and their adversaries get a boogie man; both also get plausible deniability.

Michael Tanji is a former supervisory intelligence officer who worked on information warfare issues at the Defense Intelligence Agency. He is the editor of Threats in the Age of Obama.