In summer 2013, I attended a conference on cybersecurity at Tel Aviv University. It was there that I learned for the first time that Stuxnet – the super-sophisticated computer virus that the US and Israel allegedly managed to insert into Iran’s Natanz enrichment facility in 2010, there to play havoc with the centrifuges – had come to be regarded in the world of cyber-warfare as a terrible mistake.
Several speakers at the conference made this assertion, branding as a failure what had been widely regarded in Israel as a dazzling success – a nonmilitary strike that had set the Iranian program back by a good few months, and had planted all kinds of uncertainty in the minds of their nuclear technicians.
On the sidelines of that conference, therefore, when I interviewed Richard A. Clarke, the counterterrorism chief for both Bill Clinton and George W. Bush, I asked him whether he too thought Stuxnet had been, to put it mildly, counterproductive. Absolutely, Clarke made clear.
For one thing, “the attack code was supposed to die and not get out onto the internet,” he noted, but it did. “It got out, and ran around the world.” It couldn’t harm anything else, because it had been programmed only to strike at Iran’s centrifuges, but “nonetheless it tried to attack things and people therefore grabbed it and decompiled it, so it’s taught a lot of people how to attack,” said Clarke.
The finger-pointing over Stuxnet, while deserved for the failure to keep it a secret, is akin to the blame game over the use of the atomic bomb in Hiroshima.
As murderous as the bomb was, the failure to concede the life-saving effect of ending the war before an invasion of the Japanese home islands creates a self-fulfilling argument.
Similarly, not looking at the other options available for ending the Iranian efforts at making bomb material makes it look like a stupid move. In fact, if Stuxnet hadn’t been used, or had been a failure, the need to switch off all of Iran’s cyber infrastructure would have been immediate – the remaining means of stopping them led to military attacks on the nation. So, analysis of the issue should include the question: how many lives may the use of Stuxnet have saved?
Additionally, even before Stuxnet became public knowledge, other countries were working on their own programs to do essentially the same things. While, again, it would be better if the details of Stuxnet were still a secret, it is good that we are aware that other nations and actors are developing these capabilities and will use them as their national or egotistical interests require. It may also be good to let others know that we have such capabilities. You can’t solve a problem that you don’t believe is real.