At just over 1.5MB in size, Stuxnet is smaller than an MP3 of a single song. Packed into this small amount of data is a complex and sophisticated code capable of infecting hundreds of thousands of computers and even causing physical harm to industrial facilities—including the centrifuges of Iran’s uranium enrichment plant.
In January 2010, investigators with the International Atomic Energy Agency, when inspecting the Iranian enrichment plant outside of the city of Natanz, were struck by the large number of centrifuges being decommissioned. Due to defects and other issues, Iran normally replaces a few hundred of its thousands of centrifuges installed at Natanz each year. On reviewing the footage from surveillance cameras, however, the IAEA inspectors estimated that the centrifuges were being replaced at an outstanding rate—between 1,000 and 2,000 in only a few months.
By the IAEA mandate, the inspectors were only there to ensure that no nuclear material was being removed with the damaged centrifuges. They, therefore, had no right to ask for a reason why so many centrifuges were in need of replacement.
It was not until September 2010 that it became widely known that the Atomic Energy Organization of Iran was working actively to try to remove a malicious computer code from industrial sites throughout the country. The worm—dubbed Stuxnet by an anti-virus team at Microsoft—was first discovered in July of that year and had since been found on computers around the world, particularly in Indonesia, India, and—most of all—Iran.
As reports, such as one from the Institute for Science and International Security, were published citing statistics saying that thousands of Iran’s centrifuges were decommissioned, speculation began to build that the source of the problem was Stuxnet. In November 2010, Iranian President Mahmoud Ahmadinejad stated that a computer virus had caused problems for a limited number of centrifuges.
With it largely confirmed that Stuxnet had at least partially succeeded in taking down Iran’s enrichment facilities, many wondered what were the virus’s target and origins. Ralph Langer, a computer security expert in Hamburg, Germany, was one of the first to reverse engineer the malware—gaining deep insight into the virus’s programming. Langer determined that Stuxnet was specifically designed to target Iranian centrifuges—and had most likely been created by a government with significant resources.
Many suspected either the U.S. or Israel, or some collaboration of the two was behind the attack, but nothing other than rumor could support the theories. In June 2012, David Sanger, chief Washington correspondent for the New York Times, published an article which described a number of significant revelations regarding America’s role in using cyber warfare against Iran. In particular, Sanger writes that Stuxnet was part of a joint program of Israel and the United States, coded name Olympic Games, which aimed to prevent—or at least delay—Iran from developing the ability to enrich uranium to weapons-grade.
According to Sanger, the cyberwar program began under President Bush in 2006 when, after negotiations between Iranian and American officials flailed, Iran restarted its uranium enrichment plants. The program was a joint effort of the National Security Agency and Israel’s top secret Unit 8200. By 2008, an early version of the bug was already attacking the Natanz facility. Under President Obama, the bug made even more complex and sophisticated, giving it the ability to disrupt a critical array of nearly a thousand centrifuges yet remain completely undetected.
Olympic Games experienced a significant setback when, in the summer 2010, it was discovered that the worm had spread beyond Natanz and could be found all over the internet. In a matter of weeks, the mainstream media was alive with discussion of the dangerous and enigmatic virus, deemed Stuxnet, lurking in computers around the world. Despite the breach, Obama order the program to go forward—soon succeeding in destroying around a fifth of Iran’s centrifuges.
As a tool for slowing down Iran’s nuclear program, Olympic Games was surely a success to some degree. It was not until late 2011 that according to some estimates Iran’s production had fully recovered from the attack. According to the official internal estimate of the United States, Stuxnet delayed Iran’s ability to reach weapons capability by at least a year and a half.
The question that many are now asking is whether the U.S. has opened Pandora’s box. According to Ralph Langer, the United States is not prepared to defend itself from a sophisticated cyber-attack on par with the one it chose to use. The threat is even greater because now that the weapon has been released it is readily available for download by anyone with programming knowledge and a nefarious agenda. Langer emphasizes that a small team of experts could develop a cyber-weapon for significantly less than the cost of the Olympic Games program. Most concerning, however, is the lack of defense: a nuclear power plant in the U.S. has less protection than the heavily secured Natanz facilities.
While these security concerns are significant, it is likely that they would have existed regardless of whether America chose to use cyber-warfare. James Lewis, of the Center for Strategic and International Studies in Washington, argues that there are four other countries—including Russia and China—that currently have cyber weapon capabilities, and that dozens of other nations are in the process of acquiring them.
What still remains to be seen is what effect Stuxnet will have on weapons proliferation. With Iran now convinced that Israel and the U.S. are behind the attack, it is an open question whether Iran will now further alienate itself from diplomatic discussions regarding its nuclear program. For now it seems that the era of cyber-warfare has begun to escalate. In May 2012, the computers of numerous top officials in Iran were attacked by a data-mining virus called Flame. With no organization or government having taken official credit for either Stuxnet or Flame, there are many more questions than answers.