The evidence is only circumstantial, but … there’s an awful lot of it.
Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists are struggling to enrich uranium. They say Dimona tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.
“To check out the worm, you have to know the machines,” said an American expert on nuclear intelligence. “The reason the worm has been effective is that the Israelis tried it out.”…
The worm itself now appears to have included two major components. One was designed to send Iran’s nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.
The attacks were not fully successful: Some parts of Iran’s operations ground to a halt, while others survived, according to the reports of international nuclear inspectors. Nor is it clear the attacks are over: Some experts who have examined the code believe it contains the seeds for yet more versions and assaults…
The project’s political origins can be found in the last months of the Bush administration. In January 2009, The New York Times reported that Mr. Bush authorized a covert program to undermine the electrical and computer systems around Natanz, Iran’s major enrichment center. President Obama, first briefed on the program even before taking office, sped it up, according to officials familiar with the administration’s Iran strategy. So did the Israelis, other officials said.
News stories on Stuxnet are typically so rich in fascinating cloak-and-dagger detail that there’s no way to blockquote all the key parts, and this one’s no exception. Read all of it, please, and take note of how the U.S. allegedly was first clued in to the critical vulnerabilities in Siemens’s centrifuge-controlling computer code. Theories about that have kicked around for a while — including the possibility that Siemens is willingly cooperating in making its systems exploitable — but if you believe the Times, the U.S. was apparently approached by Siemens in 2008 for advice on how to make its system … more secure. I find that hard to believe just because the timing’s a bit too perfect: At the precise moment that America and Israel are scrambling for non-military means to disable the Iranian nuclear program, the company that holds the digital key to Iran’s enrichment facility comes knocking on our door for help on improving their code? Seriously?
As for the part linked in the blockquote, I had no idea that the Times or anyone else had reported in the past on any secret U.S. projects to target Iran’s centrifuges. To be sure, there were vague stories about unspecified covert action being taken, but in the past that typically meant targeting black-market suppliers of nuclear equipment and/or physically tampering with the goods while they were in transit to Iran. The cyberwar angle was something new and unexpected, but it was there long ago if you were paying attention. Spencer Ackerman of Danger Room flags this NYT report from all the way back on April 27, 2009, just three months after Obama was sworn in. Quote: “When President George W. Bush ordered new ways to slow Iran’s progress toward a nuclear bomb last year, he approved a plan for an experimental covert program — its results still unclear — to bore into their computers and undermine the project.” (emphasis mine) It’s no mystery who’s responsible for Stuxnet, in other words; the facts are hiding in plain sight, which is why I didn’t understand when a little current of outrage swept through Twitter yesterday at the Times for publishing this story. The U.S. and Israel are probably the only two countries with the means and the motive to drop this cyber-nuke on Iran (other colorful theories notwithstanding), so they’ll naturally be blamed — in which case, why hide it? In fact, at this point, the higher Stuxnet’s international profile becomes, the more useful it is to other nations as an excuse not to deal with Iran. 
Russia, for instance, is now insisting that it can’t proceed with its work on Iran’s nuclear power plant at Bushehr in case there’s some sort of Stuxnet infection in the system there too that might cause “another Chernobyl.” That makes no sense in light of the Times piece — the whole point about Stuxnet is that it’s very precisely targeted to disable centrifuges, not to mess with a nuclear power system — but it provides a handy excuse for Russia to back off.
Exit question: I’ve asked this before but I’m still mystified by it. If one of the two goals of Stuxnet was to hide its sabotage by making centrifuge operators believe that everything was running smoothly, why was it so easily discovered by cybersecurity experts? Ideally, this thing should have run on Iranian computer networks for years and years, spinning its centrifuges into oblivion at every turn until Iran simply gave up in utter befuddlement at what the problem might be. Instead, it looks as though it ran for about a year (maybe less) before being detected. Is that … deliberate? If so, why? If not, why weren’t stronger measures taken to keep the worm invisible? Surely if they could build something so ingenious as to commandeer Iranian centrifuges, they could build it to be undetectable by standard cybersecurity measures.