The Stuxnet Story Is Full of Holes
by Cyrus Safdari

Some "facts" on Iran that everyone takes for granted are narratives that, despite factual inadequacies, have become conventional wisdom through mere repetition, largely as a result of media hype, marketed through screaming headlines stripped of any inconvenient nuances.  The narrative of the Stuxnet virus is one of the latest examples of "truthiness" thus manufactured.

The Stuxnet narrative claims that (1) the virus was a brilliant piece of programming; (2) it set back Iran's nuclear program significantly by damaging its centrifuges or the Bushehr reactor; and (3) it was the work of Israel and/or the United States.  However, all three points are very much open to a lot of dispute.

First, far from being a brilliant piece of programming, it turns out that the virus is "full of errors," characterized by poor command-and-control mechanisms unsuitable for targeted sabotage and outdated code-obfuscation techniques leading to early detection.  A cyberweapon for a surgical strike?  I think not.

Second, according to an analysis published by the Federation of American Scientists, Iran's enrichment program has actually progressed over the last year:

Calculations using IAEA data show that the total enrichment capacity at Iran's commercial-scale enrichment facility at Natanz has grown during 2010 relative to previous years.  The boost in capacity is due to an apparent increase in centrifuge performance.  The effective separative power of the IR-1 during 2010 is estimated to be 0.77 kg-SWU/yr -- a 60 percent increase from 2009. . . .  While the reasons behind fluctuations in machine numbers at FEP are unknown, it is clear that Iran continues to operate centrifuges and overall to add new machines.

When the media do report on this progress, however, they shift their frame -- from the newly minted frame of "the US/Israeli success in setting back Iran's nuclear program" back to the perennial one of "Iran on a quick march to nuclear weapons."  Needless to say, they don't bother mentioning that the latter frame contradicts the Stuxnet narrative about a damaged enrichment program.

Third, the very notion that Iran was the target of Stuxnet is speculative, not to mention the idea that the Bushehr reactor was being attacked by it.  As Bruce Schneier pointed out in Forbes:

Best I can tell, this rumor was started by Ralph Langner, a security researcher from Germany.  He labeled his theory "highly speculative," and based it primarily on the facts that Iran had an usually high number of infections (the rumor that it had the most infections of any country seems not to be true), that the Bushehr nuclear plant is a juicy target, and that some of the other countries with high infection rates -- India, Indonesia, and Pakistan -- are countries where the same Russian contractor involved in Bushehr is also involved.  This rumor moved into the computer press and then into the mainstream press, where it became the accepted story, without any of the original caveats.

And Russian officials deny that Bushehr was infected at all, contrary to claims about how it could have created "another Chernobyl."

As for the supposedly "brilliant" investigative reporting by the New York Times linking the virus to Israel: the article in question, while quite dramatic, is remarkably evidence-free.  Considering the New York Times' record on Iran coverage -- most recently its highly selective and deliberately misleading presentation of Wikileak documents regarding supposed North Korean missiles in Iran -- I hope that the reading public has learned to never take its gossip at face value.  After all, let's not forget that, before their latest "brilliant" piece of reporting on Stuxnet, the same New York Times had an article linking Stuxnet to Israel and Iran solely on the basis that the code employed a file name "Myrtus," which, according to the analysis presented by the newspaper, can be (through some significant mental gymnastics) linked to the two countries merely because myrtle has something to do with Esther.  Leaving aside the tenuous nature of this connection, the problem is that there is a more prosaic explanation for the word "Myrtus" -- one that, given Occam's razor, should take precedence over the elaborate narrative of a biblical connection spun by the paper of record: according to one writer on computer viruses, "Myrtus could also easily be construed as My RTUs.  In SCADA environments, RTU is a commonly used term for remote terminal unit."

The truth is that no one knows who wrote Stuxnet or why, nor is its impact on Iran's nuclear program clear.  The standard narrative that it was produced by Israel and/or the US and targeted Iran's nuclear program is not established.  So why is it being hyped this much?  That's also open to question.  If I had to speculate, I'd say that's because it makes for a dramatic story that sells papers.  I'm sure there will be a Hollywood movie about Stuxnet coming out soon, if not a computer game or two.  But one cannot but notice that the story also serves as a vindication of the current US policies with respect to Iran, specifically the policy of non-engagement, and so can be used as a justification for the continuation of the same.

Cyrus Safdari is an independent Iranian analyst.  Visit his Web site Iran Affairs:
| Print