NY Times Stuxnet Article

The NY Times published an enhanced excerpt from David Sanger’s new book Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power. The long article focuses on the US and Israeli efforts to use Stuxnet to delay the Iranian nuclear program, an effort they say was called “Olympic Games”.

The article is plausible in most aspects and could be highly accurate. It is what most people have speculated happened. In fact, it is very similar to what I would have produced if asked to write a story of what happened. Unfortunately there is not a single named source, provided document or other piece of hard evidence.

This account of the American and Israeli effort to undermine the Iranian nuclear program is based on interviews over the past 18 months with current and former American, European and Israeli officials involved in the program, as well as a range of outside experts. None would allow their names to be used because the effort remains highly classified, and parts of it continue to this day.

It is understandably difficult to get anyone on the record about such sensitive information, but there should have been some document or other hard evidence available after an 18-month research effort.

The non-tech media does not have a good track record of using unnamed sources in ICS security reporting. The MO is that they have something they want to write, talk to a lot of smart and connected people, and if enough of them speculate that the same thing happened, treat it as fact. They have previously reported on an attack on Brazil’s electric network and on INL creating Stuxnet using unnamed sources. Unfortunately, once it appears in the NY Times it is treated as fact. The most ludicrous example was President Obama referencing a NY Times article about the Brazilian electric hack as a reason why the US needed to focus on critical infrastructure security … when the source for this information was supposedly the US Government.

It is normal to find technical flaws in a mainstream article or book. In many cases it would take too many words and bore the audience to describe things accurately. In this case, though, there is something very wrong with the idea that Stuxnet got out of Natanz because of an error in the code.

An error in the code, they said, had led it to spread to an engineer’s computer when it was hooked up to the centrifuges. When the engineer left Natanz and connected the computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed. It began replicating itself all around the world. …

“We think there was a modification done by the Israelis,” one of the briefers told the president, “and we don’t know if we were part of that activity.”

The propagation was clearly not an “error in the code”. One of the impressive features of Stuxnet was its ability to propagate in many ways and stay present. The creators likely wanted it to infect whatever it ran across, just in case the target changed the workstations or the intel was wrong. Perhaps this propagation was added in later versions, or perhaps its implications were not understood by high-level officials. It was not an error.

At this point we have to treat the Stuxnet items in this article and book as historical fiction.
