Modern field guide to security and privacy

Opinion: The troubling Stuxnet effect

The computer virus used against the Iranian nuclear program did not help seal the nuclear deal with Tehran. It did, however, launch a global cyberarms race.

A general view of the Bushehr nuclear power plant in Iran.

The nonproliferation movement is still celebrating the formal adoption of the nuclear deal between the US and Iran. And it should be.

But if anyone thinks that the Stuxnet virus, which damaged or destroyed critical components of Iran’s nuclear program in 2010, somehow prodded both sides to the negotiating table, that's a mistake.

The Iran nuclear deal is a diplomatic success for the Obama administration – and there are strong reasons to believe that the Stuxnet virus, which damaged or destroyed part of Iran’s nuclear program, played an important role in delaying the Iranian enrichment efforts long enough for diplomats to reach a negotiated solution.

While the true impact of Stuxnet, and the larger "Olympic Games" campaign it was a part of, may have momentarily delayed the Iranian enrichment efforts, we won’t actually know whether this was meaningful until all the relevant documents are declassified. In the interim, we are coping with the Pandora’s Box of reciprocated evils unleashed by this first nation-state cyberattack.

With Stuxnet, the US set off an arms race in cyberspace – creating a virtual Wild West where industrialized nations have the most to lose. The Stuxnet virus was a highly sophisticated cyberweapon that exploited four previously unreported zero-day exploits in widely used software to seek out and infect the industrial control systems used by Iran in its Natanz nuclear enrichment facility. The cyberweapon was unprecedented at the time of its discovery.

Most viruses give hackers unauthorized access to computers and networks in order to surveil targets, shut down systems, steal information, or manipulate data. Stuxnet, however, subtly changed the speeds that the Iranian nuclear centrifuges spun, damaging or destroying the carefully calibrated machines. And while doing so, it fed the Iranian scientists incorrect data, so that enrichment was repeatedly interrupted while they tried to discover the source of the problem.

Stuxnet was one of the first cyberweapons discovered that targeted and destroyed physical infrastructure in the real world. By legitimizing destructive cyberattacks, the US has created the opportunity for significant blowback in the coming decades. To borrow a phrase from information security, the attack surface of the US and its allies is incomparably larger than the rogue nations and terrorist organizations that we fight. Cyberspace cannot be secured through offensive means.

Rather than treating cyberspace as a neutral realm of information exchange and innovation, Stuxnet opened the doors for ongoing cyberwar – a siege that puts critical civilian infrastructure at substantial risk. Governmental cyberattacks make it harder for the US to argue against economic spying and to advocate for norms that create a safer Internet for everyone.

While direct war with the US is inconceivable for other nation states, cyberwarfare represents a "safe" new avenue to hit US services, information storehouses, and civilian infrastructure.

Unlike kinetic weapons, cyberweapons do not require a large industrial base or massive amount of raw materials to build. And by their very nature, the use of cyberweapons is directly responsible for proliferating them.

Without substantial intervention, this cyberarms race will prove to be much more difficult to ameliorate than conventional and nuclear arms races of earlier decades.

Jeff Landale is the executive assistant at X-Lab, a venture focusing on tech policy interventions. Follow Jeff on Twitter @JeffLandale. Sascha Meinrath is X-Lab's director and a Passcode columnist. Follow him on Twitter @saschameinrath.

of stories this month > Get unlimited stories
You've read  of  free articles. Subscribe to continue.

Unlimited digital access $11/month.

Get unlimited Monitor journalism.