Opinion: The troubling Stuxnet effect

The computer virus used against the Iranian nuclear program did not help seal the nuclear deal with Tehran. It did, however, launch a global cyberarms race.

The nonproliferation movement is still celebrating the formal adoption of the nuclear deal between the US and Iran. And it should be.

But if anyone thinks that the Stuxnet virus, which damaged or destroyed critical components of Iran’s nuclear program in 2010, somehow prodded both sides to the negotiating table, that's a mistake.

The Iran nuclear deal is a diplomatic success for the Obama administration – and there are strong reasons to believe that the Stuxnet virus, which damaged or destroyed part of Iran’s nuclear program, played an important role in delaying the Iranian enrichment efforts long enough for diplomats to reach a negotiated solution.

While the true impact of Stuxnet, and the larger "Olympic Games" campaign it was a part of, may have momentarily delayed the Iranian enrichment efforts, we won’t actually know whether this was meaningful until all the relevant documents are declassified. In the interim, we are coping with the Pandora’s Box of reciprocated evils unleashed by this first nation-state cyberattack.

With Stuxnet, the US set off an arms race in cyberspace – creating a virtual Wild West where industrialized nations have the most to lose. The Stuxnet virus was a highly sophisticated cyberweapon that exploited four previously unreported zero-day vulnerabilities in widely used software to seek out and infect the industrial control systems used by Iran in its Natanz nuclear enrichment facility. The cyberweapon was unprecedented at the time of its discovery.

Most viruses give hackers unauthorized access to computers and networks in order to surveil targets, shut down systems, steal information, or manipulate data. Stuxnet, however, subtly changed the speeds at which the Iranian nuclear centrifuges spun, damaging or destroying the carefully calibrated machines. And while doing so, it fed the Iranian scientists incorrect data, so that enrichment was repeatedly interrupted while they tried to discover the source of the problem.

Stuxnet was one of the first cyberweapons discovered that targeted and destroyed physical infrastructure in the real world. By legitimizing destructive cyberattacks, the US has created the opportunity for significant blowback in the coming decades. To borrow a phrase from information security, the attack surface of the US and its allies is incomparably larger than that of the rogue nations and terrorist organizations that we fight. Cyberspace cannot be secured through offensive means.

Rather than treating cyberspace as a neutral realm of information exchange and innovation, Stuxnet opened the doors for ongoing cyberwar – a siege that puts critical civilian infrastructure at substantial risk. Governmental cyberattacks make it harder for the US to argue against economic spying and to advocate for norms that create a safer Internet for everyone.

While direct war with the US is inconceivable for other nation states, cyberwarfare represents a "safe" new avenue to hit US services, information storehouses, and civilian infrastructure.

Unlike kinetic weapons, cyberweapons do not require a large industrial base or massive amounts of raw materials to build. And by their very nature, the use of cyberweapons is directly responsible for proliferating them.

Without substantial intervention, this cyberarms race will prove to be much more difficult to ameliorate than conventional and nuclear arms races of earlier decades.

Jeff Landale is the executive assistant at X-Lab, a venture focusing on tech policy interventions. Follow Jeff on Twitter @JeffLandale. Sascha Meinrath is X-Lab's director and a Passcode columnist. Follow him on Twitter @saschameinrath.
