Obama ordered Stuxnet cyberattack, reports say. Did it leave US vulnerable?

A New York Times report claims that President Obama used the Stuxnet cyberweapon to set back Iran's nuclear program. But experts caution that the worm could be reverse-engineered. 

Ebrahim Norouzi/IIPA/AP/File
A worker stands at the entrance of the reactor of Bushehr nuclear power plant in Iran in this file photo. The facility was hit by the Stuxnet cyberweapon.

Stuxnet, the world's first publicly identified cyber superweapon, was unleashed against Iran's nuclear fuel-enrichment facility as part of a joint US-Israel cybersabotage operation, according to press reports Friday citing anonymous administration officials.

While it had long been assumed that the US and Israel were the most likely states to have organized such an attack, the implications of pinning responsibility squarely on the two states could be considerable.

The news reports, which seem to remove any fig leaf of plausible deniability, could in the near term undermine ongoing nuclear talks with Iran. They could even provide Iran with internal justification for a cyber counterstrike against the US.

In the longer run, however, it also raises questions about how a US national policy of using powerful digital weapons could impact American security. Of particular concern is the possibility that such attacks could provide a digital copy of the cyberweapon to rogue nations or that hacktivists could reverse-engineer the weapon for use against the power grid or other key US infrastructure.

"Certainly we have thought Stuxnet was very likely to be a US-Israel operation – and that assumption has now turned out to be the case," says Stewart Baker, a lawyer and former senior official at the National Security Agency and the Department of Homeland Security. "In some ways, I do feel as though we've been living in a glass house for years and now we've decided we're going to invent rocks."

In the New York Times account, the cyberweapon was developed under a program initiated by President George W. Bush. President Obama then gave the go-ahead for a cyberweapon dubbed "the bug" to be unleashed in an attempt to derail Iran's bid to make nuclear-weapons fuel. The thrust of the account was separately confirmed by administration officials in a Washington Post report Friday.

But in summer 2010, after it became clear to the White House that "the bug" had inadvertently escaped the isolated network of Iran's Natanz uranium-enrichment plant and spread to computers worldwide, top administration officials held a "tense meeting" in the White House Situation Room, the Times said.

“Should we shut this thing down?” Obama asked, according to sources. It was unclear how much the Iranians knew about the code, and there was evidence that it was still vexing the Iranians, he was told. "Mr. Obama decided that the cyberattacks should proceed," the Times reported.

By late summer 2010, cybersecurity companies and the trade press were actively analyzing and debating the purpose of the strange piece of malicious software, dubbed "Stuxnet" after a file name inside the software. On Sept. 21, 2010, Ralph Langner, a German industrial-control systems cybersecurity expert from Hamburg, publicly identified Stuxnet as the world's first cyberweapon and named its likely target as Iran's nuclear facilities, as first reported and confirmed with other systems experts by the Monitor. Not long after, he postulated that the US and likely Israel, too, were behind the attacks.

Although Stuxnet is estimated to have eventually destroyed as many as 1,000 high-speed Iranian gas centrifuges designed to enrich uranium, its importance was far larger than that, Mr. Langner warned. It demonstrated that a cyberweapon could physically destroy critical infrastructure, and that process could also work in reverse. 

"One important difference between a cyber offensive weapon and some kind of advanced bomb, for example, is that when the bomb blows up you can't examine or reverse-engineer it," says Joel Brenner, a former national counterintelligence executive in the Office of the Director of National Intelligence.

"Once you find the malware, on the other hand, once you find the code, you can see how it was done," he says. "So we are going to see more operations of this kind – and the US's critical infrastructure is undoubtedly going to be targeted. I still don't think that the owners and operators of most of that infrastructure understand the gravity of this threat."

According to the Times, participants in the many Situation Room meetings say Obama "was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons – even under the most careful and limited circumstances – could enable other countries, terrorists or hackers to justify their own attacks."

In the end, Obama concluded the US had little choice, the presidential aides told the Times. The alternative could be a nuclear Iran. But the attacks could also provoke Iran to retaliate.  

"There are real risks here," Mr. Baker says. "The most immediate and obvious one is that the Iranians will feel even more motivated to respond in kind. This is not a particularly restrained Iranian administration. It's used terrorists and terrorist proxies for years. It may feel that [Stuxnet] gives them one free shot at the American industrial-control system of their choice. And the consequences might not be 10 years down the road either. It might be next week."

Another key takeaway is that cyberwar is unlikely to remain anonymous. 

"The world we're moving into is one where attribution for such attacks will not be a problem," says James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington. "A nation might not be able to block an attack immediately, but you will be able to find out who's responsible."
