A Virus Altered the Face of Security in Iran
Originally published in Takepart by Nicole Pasulka. http://www.takepart.com/article/2016/07/25/zero-days-stuxnet-iran
For more than 30 years, the United States took widely publicized, drastic measures to hinder nuclear development in Iran. But amid sanctions and diplomatic efforts and under pressure from Israel, the U.S. government secretly launched an unprecedented weapon at Iran’s nuclear facilities.
“The Iranian nuclear program was a national issue for the Iranian people, and once the industrial sabotage happened, Iran developed a very proactive presence in cyber domain,” says Emad Kiyaei, executive director of the American Iranian Council. He is talking about Stuxnet, a self-replicating computer virus that disrupted 20 percent of Iran’s nuclear centrifuges. Discovered in 2010, it was the first highly public instance of state-supported cyberwarfare and is one of the subjects of filmmaker Alex Gibney’s new documentary, Zero Days.
While the Stuxnet virus and its consequences aren’t often discussed in the United States these days, the virus has had a lasting and significant impact on industry, politics, and culture in Iran. A large and complicated piece of code, Stuxnet was programmed to exploit a vulnerability in Microsoft Windows. It spread through USB sticks, and its target was one of Iran’s nuclear power plants. Stuxnet didn’t stop at the nuclear facility. Though it wasn’t supposed to spread beyond the power plant, it traveled to computers across Asia before a malware analyst discovered it in June 2010. Cybersecurity experts and journalists later uncovered evidence to suggest Stuxnet was a result of a cyber weapons collaboration between the U.S. and Israeli governments aimed at Iran’s growing nuclear enrichment program.
In November 2010, the then Iranian president, Mahmoud Ahmadinejad, acknowledged publicly that the malware disrupted the centrifuges. “They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts,” he reportedly said during a news conference.
Ahmadinejad made that announcement after an assassination attempt killed one of Iran’s top nuclear scientists and wounded another, saying that “undoubtedly the hand of the Zionist regime and Western governments is involved.” There’s some debate about the extent to which Stuxnet and the assassinations affected Iranian nuclear infrastructure, but there’s no question that it opened civilian and government eyes to the scope, danger, and possibility of cyberwar.
Stuxnet “shocked the world,” David Kennedy, founder and principal security consultant of cybersecurity company TrustedSec, tells TakePart. “It was a whole new avenue of attack, military-wise.” Because cyber attacks don’t require boots on the ground or physical confrontations, Iran—along with a number of other countries that can’t hold their own against world powers militarily—“took this and ran with it,” says Kennedy.
“When Iran’s nuclear program came under attack, specifically from a foreign source, it increased the number of people [in Iran] who wanted to be involved,” says Kiyaei, who appears in Zero Days. The mind-set in the country after Stuxnet was “How do we gear up in self-defense against future attacks?”
Thanks to strong science, engineering, technology, and math education—along with indignation over the covert and overt policies of Israel and the United States—Iran’s cybersecurity and nuclear security forces are “large now,” says Kiyaei, “and pretty badass.”
The Iranian army recruited 120,000 people to work in cybersecurity in 2012, and the country invested $1 billion in cyber infrastructure, technology, and expertise in late 2011, according to the Strategic Studies Institute, which conducts research for the U.S. Army. Even before Iranians felt the need for sophisticated cybersecurity protection against foreign attacks, “knowing how to circumvent barriers and hack was ingrained in Iranian societal psyche early on because of the Iranian government’s censorship of the internet,” says Kiyaei. “[Today] a very robust domestic capability of circumventing sanctions and state censorship has resulted in helping the state defend against cyber attacks.”
Using information gathered from U.S. drones that had crashed or been shot down in Iran, Iranian military engineers hijacked a sophisticated American drone and reprogrammed it in 2011. “Technologically, our distance from the Americans, the Zionists, and other advanced countries is not so far to make the downing of this plane seem like a dream for us,” a deputy commander of Iran’s armed forces said at the time.
“Stuxnet was a catalyst for that,” says Kennedy.
As the strain of sanctions and the threat of shadowy cyberwarfare grew, the United Nations Security Council and the European Union made a deal with Iran to remove some sanctions if Iran limited its nuclear capabilities in 2015. While many Iranians welcomed the deal, the pain of sanctions lingers. The economy hasn’t rebounded the way many hoped it would, and mistrust of the United States persists. Many Iranians still expect another wave of sanctions to hit the country at some point. “Bilateral relations between the United States and Iran are still in trouble,” says Kiyaei. “Until that is resolved, Iranian people will always see a level of threat coming from outside.”
Iranians living in the United States tend to closely follow the issue of nuclear power, and Kiyaei thinks they would have been more aware than other Americans about Stuxnet and efforts to curb nuclear development in Iran. Attacks on Iranian nuclear facilities and personnel were viewed negatively by both Iranians and those living abroad, including Iranian Americans. “The nuclear issue was a rare occasion where Iranians of all political stripes and those living abroad overwhelmingly agreed—namely for Iran to be steadfast in its peaceful nuclear energy,” Kiyaei says.
Some American officials are concerned that as Iran’s investment in nuclear development wanes, cybersecurity and warfare will blossom and Iranian hackers will continue to target U.S. industry and military infrastructure. “They’re good at what they do,” says Kennedy. In March, the federal government unsealed indictments against seven Iranian computer programmers who allegedly conducted cyber attacks on U.S. banks and tried to seize control of a dam in upstate New York on behalf of the Iranian army.
Though governments in countries including Iran, Russia, China, and the United States are hacking to disrupt corporations and infrastructure and infiltrate informational systems, cyber weapons are still launched in the shadows. Unlike with other forms of warfare, there is no international convention or coalition regulating the use of cyber weapons. “We need some level of responsibility, transparency, and accountability for the actions of state-functioning cyber armies,” says Kiyaei. “The discussion has to start.”
Zero Days is playing in select theaters and available on demand and on iTunes and Amazon Video.