This morning, The
New York Times published a report detailing how the Bush and Obama
administrations created the cyberweapon known as Stuxnet and used it to disrupt Iran’s uranium enrichment
program.
Much has been written about Stuxnet,
which, as ProPublica
recently reported, remains a threat beyond
Iran. But the Times account, based on interviews with unnamed U.S. and Israeli
officials, is the most extensive account to date of U.S. cyberwarfare capabilities. Here’s
our cheat sheet on what’s new and the fallout:
- Because of Stuxnet’s
complexity, cybersecurity analysts have long
suspected it was a U.S.-Israeli effort. The Times story confirms this for the
first time, disclosing that the project was code-named “Olympic Games.” - Olympic Games began under the Bush
administration, and during development, it was known as “the bug.” - President Obama has repeatedly expressed concern
that if the U.S. acknowledges it is behind Stuxnet, it
would give terrorists and enemy states a justification for their own attacks. - Stuxnet was introduced
into Iran’s enrichment facility at Natanz by an
unwitting Iranian. “It turns out there is always an idiot around who doesn’t
think much about the thumb drive in their hand,” a source told the Times. - To test the bug in secret Department of Energy
labs, the U.S. used aging centrifuges handed over in 2003 by Libyan dictator
Col. Muammar el-Qaddafi, making them into replicas of the nuclear enrichment facilities
Iran used. - The attack on Iran became the first known
instance of the U.S. using computer code to physically damage another country’s
infrastructure. Obama, the Times writes, “was acutely aware that with every
attack he was pushing the United States into new territory, much as his
predecessors had with the first use of atomic weapons in the 1940s, of
intercontinental missiles in the 1950s and of drones in the past decade.” - The
Israeli role in the attack came from a military unit called Unit 8200 that had “technical
expertise that rivaled” the U.S. National Security Agency’s as well as
significant intelligence about Iran’s nuclear facilities. - When a programming error made Stuxnet’s code public in 2010, Obama considered halting Olympic
Games altogether. But in the end, the administration decided to accelerate the
attacks. - It’s unclear who was responsible for the programming
error, but some in the Obama administration blamed the Israelis. The Times
names Vice President Joe Biden:
“Mr. Biden fumed. ‘It’s got to be the Israelis,’ he said. ‘They went too
far.’ ” - American officials claim that Flame,
an even more complex piece of computer malware that has also attacked Iranian
infrastructure, is not part of Olympic Games — but they didn’t explicitly
deny it was an American project. - Opinion is divided as to whether Olympic Games
was successful in slowing uranium enrichment in Iran. Administration officials
said they had set the Iranians back 18 months to two years, but other experts
say enrichment
levels quickly recovered and that Iran today has enough fuel for five or
more weapons with additional enrichment.
The Obama administration has long emphasized the importance
of domestic cybersecurity, but recent statements show
an increasing openness about offensive capabilities. Secretary of State Hillary
Clinton acknowledged
last month that government hackers had attacked Al Qaeda propaganda sites
in Yemen, changing information in ads that talked about killing Americans to
show how many Yemenis had died in Al Qaeda attacks.
For years, the Iranians had no idea they were being
attacked, blaming their own workers or faults in their facilities, The Times
said. But because Stuxnet was inadvertently released,
any government— not to mention any hacker with spare time and a malicious
streak — can create their own mutation of the weapon.
As the Times points out, “No country’s infrastructure is more dependent on computer
systems, and thus more vulnerable to attack, than that of the United States.”
Siemens makes specialized industrial controllers that were targeted by the
Olympic Games attacks. As Siemens confirmed to ProPublica, the same hardware and
software holes Stuxnet took advantage of in Iran
exist in thousands of locations in the U.S. and worldwide. The vulnerable equipment
controls everything from natural gas pipelines to refineries and power
transmission lines.
American
cybersecurity experts have long warned that it’s only
a matter of time before someone turns an equally destructive cyberweapon on our own systems. Now that Stuxnet’s origins are clear, the odds of that happening
might be even higher.
Contributing:
Peter Maass of ProPublica
