Encouraging news from Jeff Goldberg:
With Iran, you never really know what’s what (remember the National Intelligence Estimate a few years ago telling us that Tehran had stopped developing nuclear weapons?) but I think it is fair to say that the combination of sanctions and subterfuge has definitively set back Iran’s nuclear program by at least one and perhaps as many as four years.
Then comes the interesting part:
Much credit in delaying Iran goes to the unknown inventor of Stuxnet, the miracle computer virus, which has bollixed-up Iran’s centrifuges; much credit goes to the Mossad and the CIA and the Brits and God knows who else, who are working separately and in tandem to subvert the Iranian program, and a great deal of credit must go to, yes, President Barack Obama, who has made stopping Iran one of his two or three main foreign policy priorities over the past two years.
While I’m quite happy to give President Obama credit, I’m particularly intrigued by the role of Stuxnet. When we think of rogue non-state actors intervening in international affairs, we tend to think of al Qaeda and its affiliates, and other terrorist organization. But here we have a rogue non-state actor intervening on behalf of the good guys. One wonders if we’ll see more of this: self-appointed high-tech vigilantes taking action that governments can’t or won’t.
My friend Graeme Wood has speculated about whether or when a rogue billionaire might take it upon herself to launch a one-person geoengineering effort by using, say, stratospheric sulfate aerosols to cause global dimming. Strangers thing have happened, and will happen.
P.S. No, I’m not a CIA mole, I promise! We don’t know much about the origins of Stuxnet, but it does appear to have been government-sponsored in some sense. As Bruce Schneier has written:
We don’t know who wrote Stuxnet. We don’t know why. We don’t know what the target is, or if Stuxnet reached it. But you can see why there is so much speculation that it was created by a government.
Stuxnet doesn’t act like a criminal worm. It doesn’t spread indiscriminately. It doesn’t steal credit card information or account login credentials. It doesn’t herd infected computers into a botnet. It uses multiple zero-day vulnerabilities. A criminal group would be smarter to create different worm variants and use one in each. Stuxnet performs sabotage. It doesn’t threaten sabotage, like a criminal organization intent on extortion might.
Stuxnet was expensive to create. Estimates are that it took 8 to 10 people six months to write. There’s also the lab setup–surely any organization that goes to all this trouble would test the thing before releasing it–and the intelligence gathering to know exactly how to target it. Additionally, zero-day exploits are valuable. They’re hard to find, and they can only be used once. Whoever wrote Stuxnet was willing to spend a lot of money to ensure that whatever job it was intended to do would be done.
So it does seem very likely that a government was involved, though, as Schneier later suggests, it could also have been a research project spun out of control.
But what if Stuxnet was created by a gentleman hacker? Now there’s a Hollywood thriller I’d love to write.