Security, fear and Stuxnet
Roman Poroshyn’s brief book (156 pages) provides an excellent overview of Stuxnet within the larger context of cyber-warfare and espionage in the Middle East. Unlike another book on the same topic, Kim Zetter’s Countdown to Zero, it is not based on extensive interviews, nor does it focus in as great a depth upon the process through which the virus was investigated by global cyber security firms. Instead, with Stuxnet: the true story of Hunt and Evolution, Poroshyn tries to place Stuxnet into a broader context of espionage and cyber-warfare directed against not only Iran, but also other institutions in the Middle East, such as the Lebanese banking system. The book is an engaging read (despite the awkward wording of its subtitle), and Poroshyn shares a number of intriguing insights, of which the most interesting was that Stuxnet’s creators ultimately may have allowed it to be revealed to the world as an act of psychological warfare (33-35, 154-155). One of Poroshyn’s other arguments is that Stuxnet is only one chapter in a much longer struggle, which is convincing given his detailed analysis of successive software tools (Flame, Gauss, Narilam, and perhaps Stars) that Israel and the United States likely used against Iran and other regional actors.
One of the book’s strengths is its ability to convey the intelligence of the software design behind this particular cyberweapon. For example, Stuxnet entered into the Iranian nuclear enrichment network through USB sticks, because the network was air-gapped (lacked an internet connection) to the outside world. The level of deceit entailed is chilling: “After the third infection the original Stuxnet worm commits suicide. It deletes itself from the USB stick without leaving a trace” (18). Perhaps most impressive was the fact that it used the very tools for securing machines to infect them: “The perfect match for all of Stuxnet’s requirements is a computer scan process, generated by antivirus software. Stuxnet injects its clone into a variety of processes generated by anti-virus programs from BitDefender, Kaspersky, McAfee, Symantec, and many others” (19). The program was so effective that it briefly shut down the entire Iranian enrichment program (22). Of course, the Iranians ultimately were able to return to significant production. What is impressive, however, was that it achieved this goals which would have been difficult to achieve even with a conventional airstrike against such a hardened site as the Iranian enrichment facility. It also had dangerous implications: “Russia, which is involved in the reconstruction of the Iranian nuclear reactor in Busher, immediately accused Stuxnet of problems associated with the reactor’s reconstruction, and blamed Stuxnet for all delays” (37). There seems to be little evidence for this allegation, but once the attack is made, other actors may also view themselves as being threatened (or that the attack represents a convenient excuse).
There is reason to believe, as Poroshyn suggests, that there are other versions of this particular weapon in existence, only biding their time to be unleashed (53). This book is currently in its third edition. It will be interesting to learn what has happened when the fourth edition is released.
If you are interested in cyber-warfare you might want to read my review of the novel Ghost Fleet.
Shawn Smallman, 2016