Stuxnet, the world's first publicly identified cyber superweapon, was unleashed against Iran's nuclear fuel-enrichment facility as part of a joint US-Israel cybersabotage operation, according to press reports Friday citing anonymous administration officials.
While it had long been assumed that the US and Israel were the most likely states to have organized such an attack, the implications of pinning responsibility squarely on the two states could be considerable.
The news reports, which seem to remove any fig leaf of plausible deniability, could in the near term undermine ongoing nuclear talks with Iran. It could even provide Iran with internal justification for a cyber counterstrike against the US.
In the longer run, however, it also raises questions about how a US national policy of using powerful digital weapons could impact American security. Of particular concern is the possibility that such attacks could provide a digital copy of the cyberweapon to rogue nations or that hacktivists could reverse-engineer the weapon for use against the power grid or other key US infrastructure.
"Certainly we have thought Stuxnet was very likely to be a US-Israel operation – and that assumption has now turned out to be the case," says Stewart Baker, a lawyer and former senior official at the National Security Agency and the Department of Homeland Security. "In some ways, I do feel as though we've been living in a glass house for years and now we've decided we're going to invent rocks."
In the New York Times account, the cyberweapon was developed under a program initiated by President George W. Bush. President Obama then gave the go-ahead for a cyberweapon dubbed "the bug" to be unleashed in an attempt to derail Iran's bid to make nuclear-weapons fuel. The thrust of the account was separately confirmed by administration officials in a Washington Post report Friday.
But in summer 2010, after it became clear to the White House that "the bug" had inadvertently escaped the isolated network of Iran's Natanz uranium-enrichment plant and spread to computers worldwide, top administration officials held a "tense meeting" in the White House Situation Room, the Times said.
“Should we shut this thing down?” Obama asked, according to sources. It was unclear how much the Iranians knew about the code, and there was evidence that it was still vexing the Iranians, he was told. "Mr. Obama decided that the cyberattacks should proceed," the Times reported.
By late summer 2010, cybersecurity companies and the trade press were actively analyzing and debating the purpose of the strange piece of malicious software, dubbed "Stuxnet" after a file name inside the software. On Sept. 21, 2010, Ralph Langner, a German industrial-control systems cybersecurity expert from Hamburg, publicly identified Stuxnet as the world's first cyberweapon and named its likely target as Iran's nuclear facilities, as first reported and confirmed with other systems experts by the Monitor. Not long after, he postulated that the US and likely Israel, too, were behind the attacks.
Although Stuxnet is estimated to have eventually destroyed as many as 1,000 high-speed Iranian gas centrifuges designed to enrich uranium, its importance was far larger than that, Mr. Langner warned. It demonstrated that a cyberweapon could physically destroy critical infrastructure, and that process could also work in reverse.
"One important difference between a cyber offensive weapon and some kind of advanced bomb, for example, is that when the bomb blows up you can't examine or reverse-engineer it," says Joel Brenner, a former national counterintelligence executive in the Office of the Director of National Intelligence.
"Once you find the malware, on the other hand, once you find the code, you can see how it was done," he says. "So we are going to see more operations of this kind – and the US's critical infrastructure is undoubtedly going to be targeted. I still don't think that the owners and operators of most of that infrastructure understand the gravity of this threat."
According to the Times, participants in the many Situation Room meetings say Obama "was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons – even under the most careful and limited circumstances – could enable other countries, terrorists or hackers to justify their own attacks."
In the end, Obama concluded the US had little choice, the presidential aides told the Times. The alternative could be a nuclear Iran. But the attacks could also provoke Iran to retaliate.
"There are real risks here," Mr. Baker says. "The most immediate and obvious one is that the Iranians will feel even more motivated to respond in kind. This is not a particularly restrained Iranian administration. It's used terrorists and terrorist proxies for years. It may feel that [Stuxnet] gives them one free shot at the American industrial-control system of their choice. And the consequences might not be 10 years down the road either. It might be next week."
Another key takeaway is that cyberwar is unlikely to remain anonymous.
"The world we're moving into is one where attribution for such attacks will not be a problem," says James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington. "A nation might not be able to block an attack immediately, but you will be able to find out who's responsible."