Stuxnet, the computer worm designed to subvert the programmable logic controllers (PLCs), the small industrial computers that regulate physical equipment, was co-developed by the U.S. and Israel and deployed against Iran’s nuclear facilities, but it was never supposed to escape into the wild. That’s according to a new and detailed report in the New York Times, adapted from David Sanger’s forthcoming book Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power.
According to Sanger, the plans for Stuxnet were laid in 2006 under the auspices of a program dubbed “Olympic Games,” as the Bush administration was grappling with ways to deal with Iran’s burgeoning nuclear program. After concluding a military strike would have “uncertain results,” the administration began exploring the possibility of cyber-attacking Iran’s Natanz uranium-enrichment plant and crippling the systems that controlled its underground centrifuges. The trick: how to introduce the worm to the plant by slipping past the “air gap,” the deliberate absence of any network connection between the plant’s control systems and the outside world, which means the code has to be carried in physically.
The first step reportedly involved mapping the Natanz plant’s industrial setup. After successfully planting “beacon” computer code that essentially blueprinted the Natanz plant’s control systems and phoned the information home, the U.S. National Security Agency — working with “a secret Israeli unit” — began developing an “enormously complex computer worm” to sabotage the plant’s centrifuges, according to the Times. The U.S.-Israeli joint effort came about in part to tap Israeli technical expertise, but also to dissuade Israel from conducting a preemptive strike against Iran’s nuclear facilities, writes Sanger.
Once the computer worm (Sanger says it was simply called “the bug”) was built, it was tested on replicas of Iran’s centrifuges, acquired after Libya’s Col. Muammar el-Qaddafi gave up his nuclear program in 2003 and turned over his own centrifuges of the same type. The tests were successful almost from the outset: the rogue code instructed the replica centrifuges to speed up or slow down in ways that destroyed their fragile internal mechanisms. Toward the end of George W. Bush’s second term, the “bug” was reportedly certified ready to be deployed against Iran’s Natanz plant.
But the U.S. and Israel still faced their biggest challenge: getting the worm into the Natanz plant surreptitiously. The solution? Thumb drives, apparently:
… The United States and Israel would have to rely on engineers, maintenance workers and others — both spies and unwitting accomplices — with physical access to the plant. “That was our holy grail,” one of the architects of the plan said. “It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand.”
At first, the Iranians had no idea why their centrifuges were failing, blaming it on “bad parts, or bad engineering, or just incompetence,” according to one of Sanger’s sources.
Moreover, the code would lurk inside the plant for weeks, recording what normal operation looked like; when it attacked, it sent the Natanz control room signals indicating that everything downstairs was operating normally, so operators had no reason to distrust their own instruments. “This may have been the most brilliant part of the code,” one American official said.
But by the time the Bush presidency was over, little damage had been done. As Bush was leaving office, writes Sanger, he urged Obama to continue the program — Obama obliged, continuing and eventually stepping up the cyberattacks against the Iranians.
“From his first days in office, he was deep into every step in slowing the Iranian program — the diplomacy, the sanctions, every major decision,” a senior administration official said. “And it’s safe to say that whatever other activity might have been under way was no exception to that rule.”
But by summer 2010, a new version of the worm deployed against Natanz did something it was never supposed to: escape into the wild. The reason, writes Sanger, was a coding “error,” allegedly introduced by Israeli engineers, that allowed the worm to infect an Iranian engineer’s computer connected to the centrifuges. When that computer was later connected to the Internet, the worm spread from it across the globe, where it was quickly discovered by security researchers, dubbed “Stuxnet” (a name assembled from keywords found in the code), and the security industry’s debate about its origins and intent began.
Sanger says his account is “based on interviews over the past 18 months with current and former American, European and Israeli officials involved in the program, as well as a range of outside experts,” and that the reason no specific names are mentioned is “because the effort remains highly classified, and parts of it continue to this day.”
The U.S. position on cyber-warfare in documents like the White House’s “International Strategy for Cyberspace” is that it reserves the right to respond in kind to cyberattacks:
… All states possess an inherent right to self-defense, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners. We reserve the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests. In so doing, we will exhaust all options before military force whenever we can; will carefully weigh the costs and risks of action against the costs of inaction; and will act in a way that reflects our values and strengthens our legitimacy, seeking broad international support whenever possible.
Did the U.S. violate its own strategy (and international law) by attacking Iran first? Was it reacting to unspecified attacks staged by Iran against “military treaty partners”? It’s not clear from Sanger’s piece, but Sanger writes that while Obama has “repeatedly told his aides that there are risks to using — and particularly to overusing — the weapon,”
…no country’s infrastructure is more dependent on computer systems, and thus more vulnerable to attack, than that of the United States. It is only a matter of time, most experts believe, before it becomes the target of the same kind of weapon that the Americans have used, secretly, against Iran.