in 2009, the U.S. and Israel launched the Stuxnet virus to throw a wrench into the Iranian nuclear program. It might have backfired.
The virus was distributed in a social hack via thumbdrives scattered around the Iranian nuclear facilities at Natanz. The virus itself screwed with a system in large industrial computers, which caused the centrifuges used in refining uranium to overheat.
Common wisdom was that the Stuxnet worm had significantly delayed the Iranian’s production of nuclear weapons by causing the country to rebuild a large part of its nuclear power plants’ hardware and software.
According to a report by Britain’s Royal United Services Institute (RUSI) based on data gathered by the International Atomic Energy Commission, that was not the case.
“Are Cyber-Weapons Effective? Assessing Stuxnet's Impact on the Iranian Enrichment Programme” by Ivanka Barzashka of King’s College London answers its own titular question: Nope.
“While Stuxnet may have had the potential to seriously damage Iranian centrifuges,” reads the study’s abstract, “evidence of the worm’s impact is circumstantial and inconclusive. [Barzashka’s] analysis of the related data shows that the 2009 version of Stuxnet was neither very effective nor well-timed and, in hindsight, may have been of net benefit to Tehran.”
It was of benefit because it pointed out vulnerabilities in the Iranian system that might well have remained hidden and broken the progress of weapons development on its own. The rushed conclusion that Stuxnet had succeeded also prematurely diverted attention from the Iranian nuclear program.
The number of machines operational in Iranian nuclear plants has climbed since Stuxnet hit initially in 2009, and uranium enrichment has continued unremarked.
“Inspectors’ records,” wrote Barzashka, “show that between May and August that year, while the total number of operational centrifuges decreased by more than 300, the amount of machines being installed grew by almost twice that amount. ... It is clear that Iran's ability to successfully install and operate new centrifuges was not hindered.”
“Stuxnet was not very effective and was also ill-timed. If Iran had begun producing weapons-grade material, a cyber-attack could have bought concerned nations valuable time; it could have proved a crucial tactical advantage in dealing with the threat through other means. However, Iran was not on the brink of weaponising in 2009 and 2010, nor did Stuxnet considerably set back Iran's nuclear programme and bomb-making potential. If anything, the malware – if it did in fact infiltrate Natanz – has made the Iranians more cautious about protecting their nuclear facilities, making the future use of cyber-weapons against Iranian nuclear targets more difficult.”
It gets worse.
“Stuxnet was of net benefit to Iran if, indeed, its government wants to build a bomb or increase its nuclear weapons potential. Data presented here shows that Iran increased its enrichment capacity by improving its centrifuge performance and enriching to higher concentrations, consequently shortening its time to a bomb during the very time the worm was said to have attacked.”
In essence, the U.S. struck too soon, and it’s going to be all the more difficult for future cyberattacks to succeed because of it.