Commentary
Wall Street Journal

Hacking the Ayatollahs

Gabriel Schoenfeld on the lessons of Stuxnet

Uranium conversion facility, Isfahan, Iran, March 30, 2005 (Getty Images).

In early 2010, inspectors from the International Atomic Energy Agency noticed a problem at Iran’s nuclear facility at Natanz. The centrifuges employed to separate enriched uranium—the precursor to bomb-grade material—from uranium hexafluoride gas were breaking down at a startling rate. What the inspectors did not know was that the facility was under attack by Stuxnet, a computer virus designed by American and Israeli intelligence agencies under the code name Operation Olympic Games. “Countdown to Zero Day” by Kim Zetter, a reporter for the technology magazine Wired, gives a full account of this “hack of the century,” as the operation has been called. Exhaustively researched, the book goes well beyond its ostensible subject to offer a hair-raising introduction to the age of cyber warfare.

Among much else, Ms. Zetter chronicles just how the world came to learn of Stuxnet. Obscure computer-security firms in locations like Belarus and Slovakia first detected the virus in 2010. Before long, it began appearing on thousands of computers world-wide, and powerhouses like the antivirus software firm Symantec set to work trying to solve the riddle posed by the mysterious code.

Conventional viruses aim to steal passwords or accomplish some other criminal purpose. Stuxnet was different. Despite its complexity, it appeared to do nothing at all beyond attempting to spread and replicate itself. After the digital sleuthing of far-flung investigators, it emerged that the code was narrowly tailored to come to life only when it encountered certain industrial-control devices containing proprietary software produced by the German firm Siemens. The devices running that software were installed in only one location: the heavily fortified Iranian facility in Natanz.

The first thing Stuxnet did upon invading a computer was to “phone home”—i.e., send a signal to a server (based in Malaysia) that operated as its command post. The signal reported key details about the computer, such as where it was located, what its IP address was and, critically, whether it contained the Siemens software. If it did not, the virus became inert—end of story. If the virus hit pay dirt, the fun began.

The fun seems to have included opening and closing valves on Iranian centrifuges and adjusting their power supply. The objective was to cause pressure to build up to dangerous levels and force the precious uranium gas into a “dump line,” where it went to waste. At the same time, the virus fed false normal readings to the Iranian operators, who were left clueless as their interlinked centrifuges quietly went haywire. Ms. Zetter suggests that Stuxnet might have also altered spin speeds, leading centrifuges to wobble, break free from their moorings and fly apart, not so quietly destroying entire production chains.

Ms. Zetter marshals evidence suggesting that these high jinks slowed down Iran’s nuclear effort. It is not a criticism of her book to note that this assessment, like many of its observations and conclusions, is at best well-informed conjecture. Operation Olympic Games remains shrouded in secrecy. The interviews and public sources upon which Ms. Zetter draws yield no definitive information. Perhaps only the Iranians themselves know for certain what happened, and they are not telling.

Whatever Stuxnet did or did not accomplish, “Countdown to Zero Day” has the virtue of putting the attack into a broader context. The epoch of cyber warfare inaugurated by Stuxnet promises to be no less unnerving than the nuclear-weapons age that began in 1945. The problem is familiar: What goes around comes around. We may hope that the virus damaged the ayatollahs’ nuclear program, but given the degree to which Internet connectivity has expanded into every corner of American life, we ourselves are susceptible to attack by the same kind of stealth weapon.

Though recent headlines have focused on the cyber-penetration of retail outlets, financial institutions and government systems, Ms. Zetter reminds us that our physical infrastructure is vulnerable as well. In 1997 a teenager hacked into a Bell Atlantic computer system and for six hours turned off the runway lights and crippled the control tower of the Worcester, Mass., airport. In 2000 in Australia, a disgruntled former employee of a water-treatment firm evaded safeguards to cause 750,000 gallons of raw sewage to pour into public waterways. In 2003 the SoBig virus attacked train-signaling equipment on the Eastern Seaboard and brought rail traffic to a halt. That same year, the Slammer worm disabled critical safety systems at the Davis-Besse nuclear power plant in Ohio.

If individuals or small groups of amateurs can perpetrate attacks of this magnitude, imagine what nation-states might do. With the advent of Stuxnet, state-sponsored attacks are no longer hypothetical. In military and intelligence establishments the world over, the race is on to find the exploitable security holes in widely used software—called “zero days” because programmers have had zero time to plug the holes—that make cyber warfare a mounting threat.

What can we do to better guard against the dire possibilities that may lie ahead? Advocates of arms control call for a treaty that would limit or abolish digital warfare. But if it has been difficult to verify treaty compliance with physical weapons, doing so with intangible computer code may be well-nigh impossible. Noting the “obvious problems” with the treaty approach, Ms. Zetter is rightly dismissive of it, but she does not suggest an alternative. The reason may be that there is none. In the cyber battle ahead, the only true winners may be the hackers and computer engineers who increasingly hold our future in their hands.