Reliable Security Information

The Exciting Story of Stuxnet and Received Wisdom

By now you have heard of or read the exciting story of Stuxnet as a joint Israeli-US cyberweapon. The first of its kind, setting back Iran's nuclear program for years, Stuxnet ushers in a new and glorious age of cyberwar, the world is forever changed. Victory through the highest of tech braininess. And so on.

Actually, the new ages of cyberwar have been coming for a while -- well over a decade. But they have never quite arrived. Or they have in various ways, just not as billed, and conflict remains pretty much as always. That is, one needs to make a computer program physically damaging.

Which is where Stuxnet has fit the bill.

Briefly, the received wisdom, collected by the Times for a cracking good read, describes Stuxnet as actually causing Iran's uranium centrifuges to tear themselves apart. That is, by taking over the controlling software and forcing an unbalanced operation while reporting that all was OK at the front desk. Cool!

The fly in the ointment, and apparently one weak link in Iran's nuclear program, is the centrifuge in question, called the P-1, sold to Iran by Pakistan.

It's a crap piece of highly-engineered kit required to work reliably under a great deal of physical stress. However, one doesn't read this in the NY Times piece until almost at the end of the story.

Reports the Times:

But the United States and its allies ran into the same problem the Iranians have grappled with: the P-1 is a balky, badly designed machine. When the Tennessee laboratory shipped some of its P-1's to England, in hopes of working with the British on a program of general P-1 testing, they stumbled, according to nuclear experts.

"They failed hopelessly," one recalled, saying that the machines proved too crude and temperamental to spin properly.

The New York Times news is presented with the same authoritative finality as something one might see or read from Alex Jones and his many exposes on conspiracy. (Well, maybe it lacks some of the latter's brio.)

Weaving together the lore on Stuxnet, which has been building for months, it employs intelligence from unnamed sources. It tells of a plan -- jointly run by Israel and the US -- to install their own P-1 centrifuge cascades so as to study the shortcomings of the Iranian production facilities. And eventually glomming onto the idea, a little serendipitously, that controller software could be subverted in an attack on them.

At which point, work went forward to put Stuxnet together and test it on the Israeli P-1 centrifuge cascade secretly installed at Dimona.

Now, here's the thing: A named expert on Israel's nuclear program told the Times that "Israel succeeded -- with great difficulty -- in mastering the [P-1] centrifuge technology."

So, reiterating, the P-1 is a crap centrifuge which needs a lot of work to sustain. It has a good failure rate all by itself. The United States could not make them work. But the Israelis, after a great deal of effort, did.

According to the New York Times, the Iranians have had a great deal of P-1 centrifuge failure. Which might be expected after reading the material on the nature of the machine.

Circumstantially, the New York Times story, in sources and tone, attributes virtually all of it to Stuxnet.

Maybe it's absolutely true. Or maybe only partially so. And perhaps the P-1 centrifuges have bedeviled the Iranian bomb program all along because they are rubbish, with or without state-operated malware added.

If some Iranian nuclear scientists could be persuaded to send material to WikiLeaks ...

For current purposes it's good to look at the story from the perspective that it is all true. Or that all the people who count will believe it so. And as time goes on, it will always grow in stature and mythic proportion. The narrative will be cited time after time in every news story and paper on cyberwar ever written. And because of this it will have a continuing effect on secret military policy on the development of more malware cyberweapons, which will always be greenlighted, no matter how bad the ideas are.

I have argued that there's no deterrent to nations like the US or Israel tossing a cyberweapon at the world network. If your national rep is already not so hot there is nothing to be lost.

In this case, all the justifications are about stopping the Iran bomb program. What's not to like? Nothing.

But the art of virus-writing, even from its crudest days when done by kids, has always been loaded with justifications. In fact, the kids are now all grown up.

Our justifications will just be better or sound that way. If they are not better, they'll be more secret and impossible to influence. Trust us. We're responsible. And never bad international neighbors. Only those who have it coming will get it. Bad ideas with consequences unforeseen well down the road never go to our heads.

If one believes all of the New York Times story there is also some good news in it. And it's not necessarily the part about knocking out 1,000 centrifuges.

It's that the development of Stuxnet, as reported, is beyond the capabilities of those who routinely write worms for criminal purposes. That coterie doesn't have the resources to build something like a mock centrifuge facility and then test things on it.

However, the history of malware distribution shows that whatever gets put on the world network gets to contribute its various bits and pieces to everyone else writing bad stuff.

This post appeared in an earlier version on the very perceptive and fascinating Dick Destiny blog.
