The Blog

Does Stuxnet Mean Cyberwar?

If so, are we ready?

5:30 PM, Oct 4, 2010 • By LEE SMITH
Widget tooltip
Single Page Print Larger Text Smaller Text Alerts

If it’s still unclear exactly what the Stuxnet worm was meant to target, it’s possible that we won’t entirely understand the consequences of this now notorious malware attack for many years to come. Maybe it will turn out that Stuxnet was little more than the over-hyped tech version of the recent hurricane that left a path of destruction everywhere it touched down over large parts of Asia – or maybe we’ll see that it ushered in a new era whose anxieties and terrors surpassed the most maudlin and morose predictions of futurists and Hollywood directors.

Does Stuxnet Mean Cyberwar?

First reports showed that the Stuxnet worm had targeted the industrial control systems, also called SCADA, at Iran’s Bushehr nuclear reactor, but others contended that a different Iranian nuclear facility at Natanz was the destination. Centrifuge production at Natanz is down 23 percent since May 2009, which is roughly when the earliest version of the Stuxnet worm was first noticed. However, just last week the Iranians announced that the Bushehr site was not going to go on line for at least three more months. But, says Tehran, the delays have nothing to do with Stuxnet – even as the Iranians acknowledge that some personal computers belonging to staff at the Bushehr plant have been affected.

Some are wondering why a regime as opaque and paranoid as the Islamic Republic’s has admitted to suffering any effects at all. One reason is that the Iranians’ complaints of sabotage serve to highlight the contention that theirs is a civilian nuclear program – which Tehran’s adversaries are violating international laws in order to subvert. Then there’s simply the fact that the Iranians apparently can’t stop talking about their nuclear program, like a proud first-time father showing off pictures of his child.

Compare Iran’s nuclear logorrhea to Israel’s nuclear ambiguity. For Jerusalem, the nuclear program is strictly a matter of national security. For Tehran the program is not just a strategic asset, but also a token of prestige: A state bearing a legacy as great and as ancient as Persia’s deserves a nuclear program. However, Stuxnet may have shut the door to technological modernity right in Tehran’s face – at least for the time being.

The atomic age isn’t exactly over, but it seems we may have entered a new phase of it. In the age of cyberwarfare, what does it mean to have a nuclear weapon if someone else may own your command and control systems – and you may not even know that they do? If the Iranians do manage to build a bomb, can they now risk embarrassment, not to say a nuclear catastrophe, by testing it? And even if they test it successfully, what’s its strategic worth if they don’t know whether or not they can actually use it? Even concepts like nuclear deterrence will have to be reviewed. The relative stability of the Cold War was a function of clarity: Deterrence is a strategy premised on clear red-lines, warnings and threats. Cyberwarfare is precisely the opposite, where no one has to own anything and there is little, if any, accountability.

“One of the things that we are trying to reason through is what are the rules for using weapons in cyberspace,” says former CIA director Gen. Michael Hayden. The U.S. discussion, explains Hayden, is in terms of distinction and proportionality. “You only want to hit who or what you’re mad at, and then you need to decide if the good done outweighs the evil. I look at the amount of collateral damage from Stuxnet and it strikes me that this would be a challenging policy question for us, whether it meets what Americans would describe as distinction and proportionality.”

Recent Blog Posts