The New York Times reports that the US and Israel have launched cyber attacks against Iran’s nuclear facilities, just as Iran has accused them of doing.
That includes the Stuxnet computer worm that became public last year.
Anchor Aaron Schachter speaks with James Lewis, who follows cyber-security matters at the Center for Strategic and International Studies in Washington.
The text below is a phonetic transcript of a radio story broadcast by PRI’s THE WORLD. It has been created on deadline by a contractor for PRI. The transcript is included here to facilitate internet searches for audio content. Please report any transcribing errors to email@example.com. This transcript may not be in its final form, and it may be updated. Please be aware that the authoritative record of material distributed by PRI’s THE WORLD is the program audio.
Aaron Schachter: I’m Aaron Schachter, and this is The World, a coproduction of the BBC World Service, PRI, and WGBH Boston. Iran has long accused the United States and Israel of launching cyber attacks against Iranian nuclear facilities and infrastructure. Well, it appears the Iranians were right. A story in today’s New York Times reports that the U.S. and Israel have indeed launched such attacks, using weapons like Stuxnet. That’s the destructive computer worm that targeted Iran, and accidentally became public last year. Even after that setback, according to the Times, President Obama ordered an increase of cyber attacks against Iran. James Lewis follows cyber security matters at the Center For Strategic and International Studies in Washington D.C. James, one of the really amazing things about this story, if the New York Times article is true, is how this worm got into the infrastructure in Iran. Can you explain how that worked?
James Lewis: The problem for the people who designed Stuxnet was how to get into a secure Iranian system, so that means you needed to have a human element — a human person — go and use what is one of my favorite techniques, a thumb drive. Put the malware on a thumb drive, you get some unsuspecting character to plug that thumb drive into the network, and you’ve just beaten all their defenses.
Schachter: It just seems too implausible.
Lewis: It’s a really good trick, you can go and…this has happened in the U.S. People will throw thumb drives in a parking lot, and you know, some good Samaritan will pick it up and plug it into their computer to see if they can return it to the owner. The second you do that, you’re gotten.
Schachter: I have this impression of sort of a secret agent parachuting in and handing it off to another secret agent, but that’s not what happened.
Lewis: No. This will make a good sequel to Mission Impossible, but it was probably something simple, like an Iranian scientist is in a European hotel, he has a thumb drive, and somebody replaces it with the infected one.
Schachter: But, it just seems such a chance way of doing such a huge operation.
Lewis: You can always count on humans to make a mistake. One of the things where it’s consistent with traditional espionage is you’re counting on the ability to trick humans, or get them to react in a predictable way that you can take advantage of, and that worked really well with Stuxnet. Behind that, of course, was some very sophisticated engineering, some relatively sophisticated programming, a deep understanding of how control systems worked, and an ability, for the first time, to cause damage. And so, altogether, it’s a great package, great operation.
Schachter: Now, you’re calling this relatively sophisticated programming. If it’s only relatively sophisticated, why isn’t this being done a whole lot more?
Lewis: Because you have to put it together in a whole package that involves human espionage. You need to get the thumb drive to somebody; you need to have engineers who can take apart industrial control systems and figure out how they work; you need to be able to mimic — to steal — credentials. Stuxnet was more than the code that people found on the Internet. It was many, many parts, some of which only a high-end nation-state could carry out right now. Over time, sure, this is going to become more common, but right now, there’s probably only a half-dozen countries in the world that could do this.
Schachter: Yeah, this is a question that we’ve been having here. Is this something that requires the resources of a government to do, or could we see it as…China has been accused of doing…sort of farming out this kind of programming to college graduates, and so on.
Lewis: Collecting data, espionage, is easy, and so you can farm that out. Causing physical damage is hard, but it’s getting less hard every year. What everyone worries about is that…you know, the trend in computing is…you know, in year one, it’s high end, and in year ten, it’s a commodity, and that’s the kind of path we’re on for this kind of attack.
Schachter: Now, James Lewis, this is your business, following cyber security. Is there any fallout from what’s going on now? Is there a debate…a greater debate on cyber attacks and what we do next?
Lewis: There’s a big international discussion among governments on how do we deal with this new kind of warfare, and of course, when you have a negotiating landscape, and you drop stories like this into it, the landscape changes. So we’re going to have to wait and see. I mean, if the U.S. wants to go in and say, “We need to control this kind of thing, we need to build confidence and trust,” stories like this might have changed the game a little bit, so watch the negotiating front.
Schachter: James Lewis is a senior fellow at the Center For Strategic and International Studies in Washington D.C. James, thank you so much.
Lewis: Thanks very much.
Copyright ©2009 PRI’s THE WORLD. All rights reserved. No quotes from the materials contained herein may be used in any media without attribution to PRI’s THE WORLD. This transcript may not be reproduced, in whole or in part, without prior written permission. For further information, please email The World’s Permissions Coordinator at firstname.lastname@example.org.