Iran and the Stuxnet worm: cypher war in cyberspace
William Gibson made his name writing science fiction of a weirdly prophetic character. Starting with Neuromancer in 1984, he published a string of novels which anticipated, among other things, the internet, reality television and the rise of ever more baffling forms of industrial espionage. Then he abandoned the future, claiming, as Luke Kennard reminds us in his review of Gibson's latest novel, Zero History, that the present had become bizarre enough to let him tell any story he wanted. It's difficult to read about the Stuxnet computer program without tending to agree with him. We are, for better or worse, living in a William Gibson world.
At the beginning of the week, Iranian news organisations reported that the nation was trying to disable a powerful piece of malware which had infected tens of thousands of computers in the republic. The Stuxnet worm had been showing up in other countries for several months but around 60 per cent of infections had occurred within Iran. The program was very large, intricate and heavily encrypted. Nonetheless, analysts were able to determine that it possessed several remarkable capabilities.
Firstly, it was highly contagious. If one inserted an infected memory stick into a USB port, the worm would copy itself across unbidden, without so much as a mouse click on the part of the user. Secondly, it didn't for the most part do very much. It appeared to have been tailored to attack one specific kind of system, a certain configuration of industrial control software made by Siemens. Thirdly, and quite unusually for malware, it wasn't set up to steal or manipulate information. It seemed instead to have been designed to take over the running of whatever industrial process the Siemens program was regulating. The intention, presumably, was sabotage, and the fact that Iran seemed to be at the epicentre of the outbreak suggested that its nuclear programme was the target.
That would appear to be Iran's view, in any case. Mahmud Liai of the Ministry of Industry and Mines was quoted as saying that Stuxnet was "part of the electronic war against Iran". That there is such a thing is, of course, highly plausible. In 2009 The New York Times reported that George W Bush had authorised a campaign to undermine Iran's nuclear programme by means of covert and hi-tech interventions. America is only the most eager of Iran's enemies, and there's a long list.
All the same, parts of this picture don't make sense. If Iran was the target, why has Stuxnet shown up all over the rest of the world? Siemens claims that of the 15 actual industrial facilities where it has been detected, the majority are in Germany. It may be that the bulk of reported instances are fall-out from the original attack, a side-effect of the worm's remarkable contagiousness. In that case, has it already struck its target? How would we know if it had? Iran insists that its nuclear programme remains unaffected.
Other, more troubling questions present themselves. What reason, besides the sophistication of the code, do we have to believe that Stuxnet was created by a government agency? The particularity of its operating conditions suggests that its developers had access to detailed intelligence about their target. Then again, if we're still waiting for a bang that never came, we must consider the possibility that its specification was random after all. And if this worm wasn't, what about the next one? Stuxnet is out in the world now. Its code could be analysed and customised by amateurs of any political or psychiatric persuasion. As a commenter on the customarily whimsical technology blog Boing Boing observed: "The truly scary thing about this kind of compromise is that you don't need to be a nuclear power to have access to nuclear technology. You just need a computer and a high-bandwidth connection." If that's a fair summary of the case, then William Gibson's futuristic present could seem a lot less rich in possibility.
Published: October 1, 2010 04:00 AM