Earlier this year I said that Stuxnet would delay the Iranian nuclear program probably by two years. What some people didn’t realize is that the attack started in summer 2009, so the estimate was that the effects would have faded out this fall. Which they obviously did, as anybody who followed the IAEA reports and the recently revived discussions about potential air strikes against Iran can tell.
So where’s Stuxnet 2.0? Well it’s certainly not Duqu. If there is a 2.0, it would better be on site already. However, we see the chances for success of an improved cyber weapon slim, and this assessment has nothing to do with the still existing vulnerabilities of the target, but with flawed strategy on the attackers’ side.
Contrary to what you might have heard, Stuxnet 1.0 was not crude and simple. It was oversophisticated. The complexity of attack details in the payload is overwhelming. I’m going to talk about this in January at S4 in Miami, and I’m sure the audience will have a hard time believing that the stuff I’m going to show is real. But it is. The overall approach of Stuxnet’s 417 digital warhead is like trying to stop a psychopathic killer from committing homicide by performing a multi-hour brain surgery on the perpetrator at the quickly evolving crime scene, keeping fingers crossed that he won’t notice (after all, you got that local anesthesia).
Some time ago at a conference where I had expressed my belief that Langley and the Department of Energy were the leading forces behind Stuxnet (just because this was a classic covert nuclear counter-proliferation operation), I was later approached in private by an official of the US military who said: “You’re right, we are simply not smart enough to do something like this.” If the Pentagon had developed Stuxnet, it might have been much more crude and brute-force. The irony is, it might also have been much more effective. It is obvious by forensic evidence that the given design and overall ops strategy placed priority on remaining undetected, gambling quick and clear mission success for stealthiness and long-term infiltration. It is not very difficult to determine the origins of this school of thought. They are written down by Catherine Collins and Douglas Frantz in their book FALLOUT: The true story of the CIA’s secret war on nuclear trafficking.
Unfortunately, there seems to be not enough time left for a 2.0 that would follow the same doctrine. So either we’re going to see an updated version 2.0 soon that goes straight for a simultaneous catastrophic destruction of as many centrifuges as possible (which had been, and maybe still is technically possible), or the problem has to be delegated to the Air Force.