Watchman Newsletter

Column one: The lessons of Stuxnet

The Jerusalem Post - Caroline Glick (October 1, 2010)

There's a new cyber-weapon on the block. And it's a doozy. Stuxnet, a malicious software, or malware, program, was apparently first discovered in June.

Although it has appeared in India, Pakistan and Indonesia, Iran's industrial complexes – including its nuclear installations – are its main victims.

Stuxnet operates as a computer worm. It is inserted into a computer system through a USB port rather than over the Internet, and is therefore capable of infiltrating networks that are not connected to the Internet.

Hamid Alipour, deputy head of Iran's Information Technology Company, told reporters Monday that the malware operated undetected in the country's computer systems for about a year.

After it enters a network, this super-intelligent program figures out what it has penetrated and then decides whether or not to attack. The sorts of computer systems it enters are those that control critical infrastructures like power plants, refineries and other industrial targets.

Ralph Langner, a German computer security researcher who was among the first people to study Stuxnet, told various media outlets that after Stuxnet recognizes its specific target, it does something no other malware program has ever done. It takes control of the facility's SCADA (supervisory control and data acquisition system) and through it, is able to destroy the facility.

No other malware program has ever managed to move from cyberspace to the real world. And this is what makes Stuxnet so revolutionary. It is not a tool of industrial espionage. It is a weapon of war.


From what researchers have exposed so far, Stuxnet was designed to control computer systems produced by the German engineering giant Siemens. Over the past generation, Siemens engineering tools, including its industrial software, have been the backbone of Iran's industrial and military infrastructure. Siemens computer software products are widely used in Iranian electricity plants, communication systems and military bases, and in the country's Russian-built nuclear power plant at Bushehr.

The Iranian government has acknowledged a breach of the computer system at Bushehr. The plant was set to begin operating next month, but Iranian officials announced the opening would be pushed back several months due to the damage wrought by Stuxnet. On Monday, Channel 2 reported that Iran's Natanz uranium enrichment facility was also infected by Stuxnet.

On Tuesday, Alipour acknowledged that Stuxnet's discovery has not mitigated its destructive power.

As he put it, "We had anticipated that we could root out the virus within one to two months. But the virus is not stable and since we started the cleanup process, three new versions of it have been spreading."

While so far no one has either taken responsibility for Stuxnet or been exposed as its developer, experts who have studied the program agree that its sophistication is so vast that it is highly unlikely a group of privately financed hackers developed it. Only a nation-state would have the financial, manpower and other resources necessary to develop and deploy Stuxnet, the experts argue.

Iran has pointed an accusatory finger at the US, Israel and India. So far, most analysts are pointing their fingers at Israel. Israeli officials, like their US counterparts, are remaining silent on the subject.

While news of a debilitating attack on Iran's nuclear installations is a cause for celebration, at this point, we simply do not know enough about what has happened and what is continuing to happen at Iran's nuclear installations to make any reasoned evaluation about Stuxnet's success or failure. Indeed, The New York Times has noted that Stuxnet worms were found in Siemens software in India, Pakistan and Indonesia as well as Iran, reporting, "The most striking aspect of the fast-spreading malicious computer program... may not have been how sophisticated it was, but rather how sloppy its creators were in letting a specifically aimed attack scatter randomly around the globe."

All that we know for certain is that Stuxnet is a weapon and it is currently being used to wage a battle. We don't know if Israel is involved in the battle or not. And if Israel is a side in the battle, we don't know if we're winning or not.

But even in our ignorance about the details of this battle, we still know enough to draw a number of lessons from what is happening.

Stuxnet's first lesson is that it is essential to be a leader rather than a follower in technology development. The first to deploy new technologies on a battlefield has an enormous advantage over his rivals. Indeed, that advantage may be enough to win a war.

But from the first lesson, a second immediately follows. A monopoly in a new weapon system is always fleeting. The US nuclear monopoly at the end of World War II allowed it to defeat Imperial Japan and bring the war to an end in allied victory.

Once the US exposed its nuclear arsenal, however, the Soviet Union's race to acquire nuclear weapons of its own began. Just four years after the US used its nuclear weapons, it found itself in a nuclear arms race with the Soviets. America's possession of nuclear weapons did not shield it from the threat of their destructive power.

The risks of proliferation are the flipside to the advantage of deploying new technology. Warning of the new risks presented by Stuxnet, Melissa Hathaway, a former US national cybersecurity coordinator, told the Times, "Proliferation is a real problem, and no country is prepared to deal with it. All of these [computer security] guys are scared to death. We have about 90 days to fix this [new vulnerability] before some hacker begins using it."

Then there is the asymmetry of vulnerability to cyberweapons. A cyberweapon like Stuxnet threatens nation-states much more than it threatens a non-state actor that could deploy it in the future. For instance, a cyber-attack of the level of Stuxnet against the likes of Hizbullah or al-Qaida by a state like Israel or the US would cause these groups far less damage than a Hizbullah or al-Qaida cyber-attack of the quality of Stuxnet launched against a developed country like Israel or the US.

In short, like every other major new weapons system introduced since the slingshot, Stuxnet creates new strengths as well as new vulnerabilities for the states that may wield it.

As to the battle raging today in Iran's nuclear facilities, even if the most optimistic scenario is true, and Stuxnet has crippled Iran's nuclear installations, we must recognize that while a critical battle was won, the war is far from over.

A war ends when one side permanently breaks its enemy's ability and will to fight it. This has clearly not happened in Iran.

Iranian President Mahmoud Ahmadinejad made it manifestly clear during his visit to the US last week that he is intensifying, not moderating, his offensive stance towards the US, Israel and the rest of the free world. Indeed, as IDF Deputy Chief of Staff Maj.-Gen. Benny Gantz noted last week, "Iran is involved up to its neck in every terrorist activity in the Middle East."

So even in the rosiest scenario, Israel or some other government has just neutralized one threat – albeit an enormous threat – among a panoply of threats that Iran poses. And we can be absolutely certain that Iran will take whatever steps are necessary to develop new ways to threaten Israel and its other foes as quickly as possible.

What this tells us is that if Stuxnet is an Israeli weapon, while a great achievement, it is not a revolutionary weapon. While the tendency to believe that we have found a silver bullet is great, the fact is that fielding a weapon like Stuxnet does not fundamentally change Israel's strategic position. And consequently, it should have no impact on Israel's strategic doctrine.

In all likelihood, assuming that Stuxnet has significantly debilitated Iran's nuclear installations, this achievement will be a one-off. Just as the Arabs learned the lessons of their defeat in 1967 and implemented those lessons to great effect in the war in 1973, so the Iranians – and the rest of Israel's enemies – will learn the lessons of Stuxnet.

So if we assume that Stuxnet is an Israeli weapon, what does it show us about Israel's position vis-à-vis its enemies? What Stuxnet shows is that Israel has managed to maintain its technological advantage over its enemies. And this is a great relief. Israel has survived since 1948 despite our enemies' unmitigated desire to destroy us because we have continuously adapted our tactical advantages to stay one step ahead of them. It is this adaptive capability that has allowed Israel to win a series of one-off battles that have allowed it to survive.

But again, none of these one-off battles were strategic game-changers. None of them have fundamentally changed the strategic realities of the region. This is the case because they have neither impacted our enemies' strategic aspiration to destroy us, nor have they mitigated Israel's strategic vulnerabilities. It is the unchanging nature of these vulnerabilities since the dawn of modern Zionism that gives hope to our foes that they may one day win and should therefore keep fighting.

Israel has two basic strategic vulnerabilities.

The first is Israel's geographic minuteness, which attracts invaders. The second vulnerability is Israel's political weakness both at home and abroad, which makes it impossible to fight long wars.

Attentive to these vulnerabilities, David Ben-Gurion asserted that Israel's military doctrine is the twofold goal to fight wars on our enemies' territory and to end them as swiftly and as decisively as possible. This doctrine remains the only realistic option today, even if Stuxnet is in our arsenal.

It is important to point this plain truth out today as the excitement builds about Stuxnet, because Israel's leaders have a history of mistaking tactical innovation and advantage for strategic transformation. It was our leaders' failure to properly recognize what happened in 1967 for the momentary tactical advantage it was that led us to near disaster in 1973.

Since 1993, our leaders have consistently mistaken their adoption of the West's land-for-peace paradigm as a strategic response to Israel's political vulnerability. The fact that the international assault on Israel's right to exist has only escalated since Israel embraced the land-for-peace paradigm is proof that our leaders were wrong. Adopting the political narrative of our enemies did not increase Israel's political fortunes in Europe, the US or the UN.

So, too, our leaders have mistaken Israel's air superiority for a strategic answer to its geographical vulnerability. The missile campaigns the Palestinians and Lebanese have waged against the home front in the aftermath of Israel's withdrawals from Gaza and south Lebanon show clearly that air supremacy does not make up for geographic vulnerability. It certainly does not support a view that strategic depth is less important than it once was.

We may never know if Stuxnet was successful or if Stuxnet is Israeli. But what we do know is that we cannot afford to learn the wrong lessons from its achievements.

