Because the Iranian nuclear program’s computers are not connected to the Internet, the worm couldn’t have been introduced to them online. It’s presumed to have come from a USB thumb drive that the user may or may not have known was infected: Stuxnet was designed to do nothing to computers that didn’t connect with the control mechanisms it targeted. And then, depending on where it found itself, Stuxnet was supposed to self-destruct. According to Chien, different components of the virus have different “time to live” mechanisms. A USB key inserted into a newly infected computer can’t carry the worm for more than 21 days. After that, it disappears. The worm is programmed to quit exploiting one particular weakness in Microsoft’s software after June 1, 2011, and the worm’s overall time to live runs out in June 2012.
Why bother with an expiration date at all? The answer supplied by Clarke is so very Washington-centric that it’s almost a dead giveaway. “All that suggests to me a nation-state actor with a series of lawyers involved in looking at the covert action,” says Clarke, whose latest book is Cyber War: The Next Threat to National Security and What to Do About It. “I’ve never seen or heard of a worm before that limited its spread.” One explanation, of course, is that the creators of the virus hoped it would self-destruct before it was discovered. Another, however, is that the creators and their government hoped to limit their liability if they were ever exposed. A former senior intelligence official in the U.S. government has doubts the CIA could have vetted such an attack. “The applicable presidential findings we had in this arena did not cover this kind of activity,” he says. If the United States were involved, he adds, it would have had to be a Defense Department operation.