6 mysteries about Stuxnet

By now, you've probably heard of Stuxnet, the mysterious computer worm that infects Windows computers running software designed by Siemens, the German industrial giant. The software, Simatic WinCC, is what's known as a SCADA system -- "supervisory control and data acquisition" -- and it's used to help run everything from traffic systems and pipelines to nuclear plants.

Siemens has known about Stuxnet for some time, and has been tracing the worm's spread on its website. In July 2010, the company knew of only one industrial facility affected. By September 7, it was reporting that 15 systems had been hit worldwide. (The worm was first discovered in June by VirusBlokAda, a little-known Belarussian security firm.)

For months, the discussion about the virus stayed within the cybersecurity community, but once speculation began to mount that it was aimed at Iran's nuclear facilities, the news went, er, viral. Amid the uproar last week, Iranian officials admitted that their facilities had indeed been hit, though they didn't specify which ones.

Even with all the media attention, much remains mysterious about Stuxnet. We know it's a sophisticated piece of malware, one that experts say could only be produced by a high-powered team with insider knowledge of industrial software. We know it was spread using USB thumb drives. But there's a lot we don't know. Here's my attempt to lay out some of the big open questions.

1. What was the target? Although the worm has affected computers in Indonesia, India, Pakistan, and elsewhere in addition to Iran, security researchers who have been pouring over Stuxnet for months say it appears aimed at a very specific target. According to Siemens, "The behavioral pattern of Stuxnet suggests that the virus is apparently only activated in plants with a specific configuration. It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process." Two German experts, Ralph Langner and Frank Rieger, have offered competing theories as to what that target might be, both of them in Iran, where most of the affected machines are.

Langner guesses that Stuxnet is aimed at Bushehr, Iran's civilian nuclear power plant, which is slated to go online this fall. Langner's case rests largely on the fact that Bushehr runs Siemens software and that Russian contractors would have had access to the facility -- and that they would have used USB drives to set up the system.

Rieger counters that Natanz, Iran's uranium enrichment plant, is a more likely target. Not only is it more of a proliferation threat, there's suggestive evidence that it actually may have been affected by sabotage. (More on this later.) He also points out that Natanz is more likely to have the kinds of identical nodes, in this case "cascades" or groups of centrifuges, that would be susceptible to an attack.

2. Who did it? The obvious culprit is Israel, which has both the sophisticated technology and the motive to sabotage Iran's nuclear program, which it deems a mortal threat. An eerily prescient Reuters article published in July 2009 quotes Scott Borg, a U.S. cybersecurity expert, speculating that Israel might want to do so, adding that "a contaminated USB stick would be enough" to cause real damage to Iranian facilities.

Other countries, such as the United States, China, and Russia, probably have the capability, but only one -- the United States -- has a clear motive (some might add France and Germany to this list). One could spin complicated theories as to why Russia would want to sabotage its own facility, but Occam's Razor probably applies here -- and other reporting has indicated that the United States and Israel have, in fact, approved a covert sabotage campaign that may include a cyber component.

3. Did it work? Who knows? Outside analysts have been speculating for years that Western intelligence agencies have been sabotaging Iranian enrichment efforts, but they're usually talking about false-flag operations to sell Iran damaged centrifuge components. They point to signs that the number of centrifuges Iran is operating dropped precipitously last year, or unconfirmed reports of nuclear accidents, or the sudden and unexplained resignation last year of Gholam Reza Aghazadeh, the head of the Iranian nuclear program. For what it's worth, Iran denies encountering any problems as a result of Stuxnet, and there's little evidence to the contrary. But there could be hidden issues that pop up later on, or Iran could simply be lying.

4. What does it do? The reporting on this question has been maddeningly vague. Siemens says that Stuxnet "can theoretically influence specific processes and operations in a very specific automation environment or plant configuration in addition to passing on data," though it has been unable to verify that finding in testing. Supposedly, the worm was designed to send data to a server in Malaysia, which may or may not have been a "command center" that could seize control of PLCs or Programmable Logic Controllers, components used to operate and monitor industrial machinery. The consensus among people who've studied the code seems to be that its aim is sabotage, not simply espionage. But exactly how that was supposed to work remains unclear.

5. Why did it spread so widely? John Markoff, the longtime tech reporter for the New York Times, takes on this question in today's paper. "If Stuxnet is the latest example of what a government organization can do, it contains some glaring shortcomings," he writes. "The program was splattered on thousands of computer systems around the world, and much of its impact has been on those systems, rather than on what appears to have been its intended target, Iranian equipment." He only offers one theory, however: "One possibility is that they simply did not care. Their government may have been so eager to stop the Iranian nuclear program that the urgency of the attack trumped the tradecraft techniques that traditionally do not leave fingerprints, digital or otherwise."

A couple points here. One is that Stuxnet does not seem to have had an "impact" on all those systems, for the reason noted in #1 above: It wasn't aimed at them. Second, it may be that the worm's designers needed it to spread within Iran to be effective -- i.e. from one computer to another within the same facility, or between facilities -- but that there was no way to prevent it from propagating further. Finally, there's some debate among researchers as to whether the virus was programmed to "expire" on a certain date, supposedly in January 2009. In other words, it wasn't supposed to spread, but somehow it did anyway, possibly through Russian contractors.

6. Why would anyone run a nuclear plant using Windows? I've got no answer for this one.


Obama: Tough commander in chief or insecure armchair general?

Barack Obama's White House aides have been furiously spinning Bob Woodward's new book as one that paints a positive image of the president, a wartime leader making touch decisions in the interest of the American people.

Some may see that image in Woodward's first of three adaptations of the book, published in today's Washington Post. But once could also see a president who doesn't trust his military advisors and treats them a little bit like the help. Consider this anecdote about the Afghan strategy review:

He was looking for choices that would limit U.S. involvement and provide a way out. His top three military advisers were unrelenting advocates for 40,000 more troops and an expanded mission that seemed to have no clear end. When his national security team gathered in the White House Situation Room on Veterans Day, Nov. 11, 2009, for its eighth strategy review session, the president erupted.

"So what's my option? You have given me one option," Obama said, directly challenging the military leadership at the table, including Defense Secretary Robert M. Gates, Joint Chiefs Chairman Adm. Mike Mullen and Army Gen. David H. Petraeus, then head of U.S. Central Command.

"We were going to meet here today to talk about three options," Obama said sternly. "You agreed to go back and work those up."

Mullen protested. "I think what we've tried to do here is present a range of options."

Obama begged to differ. Two weren't even close to feasible, they all had acknowledged; the other two were variations on the 40,000.

Silence descended on the room. Finally, Mullen said, "Well, yes, sir."

Later on, we find Obama telling Gates that 30,000 more troops was his final answer:

"I've got a request for 4,500 enablers sitting on my desk," Gates said. "And I'd like to have another 10 percent that I can send in, enablers or forces, if I need them."

"Bob," Obama said, "30,000 plus 4,500 plus 10 percent of 30,000 is" - he had already done the math - "37,500." Sounding like an auctioneer, he added, "I'm at 30,000."

Obama had never been quite so definitive or abrupt with Gates.

"I will give you some latitude within your 10 percentage points," Obama said, but under exceptional circumstances only.

"Can you support this?" Obama asked Gates. "Because if the answer is no, I understand it and I'll be happy to just authorize another 10,000 troops, and we can continue to go as we are and train the Afghan national force and just hope for the best."

"Hope for the best." The condescending words hung in the air.

So which is it? Tough commander in chief or insecure armchair general? I suspect this will be a question for history to answer.