The United States and Israel were indeed behind Stuxnet, the military-grade computer worm that sabotaged an Iranian nuclear-fuel processing facility in 2010.
That's according to a long, well-researched but anonymously sourced report in the New York Times today (June 1). The report, by chief Washington correspondent David E. Sanger, claims that President George W. Bush first authorized the use of cyberweapons against Iran in 2006, and that President Barack Obama accelerated the program after he took office in 2009.
Obama decided against suspending the program, which was code-named "Olympic Games," even after a programming error allowed Stuxnet to escape the Iranian processing facility at Natanz in the summer of 2010 and "go wild" on the Internet, leading to its discovery by anti-virus researchers.
"Should we shut this thing down?" Obama asked Vice President Joseph Biden and then-CIA director Leon Panetta during a meeting in the White House Situation Room soon after Stuxnet's discovery, unnamed witnesses told the Times.
Biden blamed Israeli programmers, who had collaborated with their U.S. counterparts in creating Stuxnet, for inserting code that made the worm too aggressive in spreading. The report itself does not assign blame for the programming error.
Instead of shutting down the program, Obama authorized further work on Stuxnet. Two modifications of the worm made it more effective, causing confusion within the Iranian nuclear program and destroying about 1,000 centrifuges used to separate particles of weapons-grade uranium from a mix of mostly weaker isotopes.
Hint at Duqu?
Bush authorized the Olympic Games program in 2006 as a desperate measure to hamper Iran's nuclear efforts, according to the Times, but also to dampen Israel's — and then-Vice President Dick Cheney's — desire to launch military strikes against Iran. Other Bush administration officials had concluded that military strikes would be counterproductive at best.
The first stage of the program introduced a "beacon," sophisticated spyware that got into computer systems at Natanz and mapped out the entire facility's networks and industrial-processing control systems, the Times says.
Sanger provides few details of this stage. He does not say how the spyware managed to bridge the "air gap" into Natanz, which is not connected to the Internet, or how it managed to get the information it collected back to U.S. intelligence.
Nor does Sanger link that initial stage to Duqu, a piece of malware discovered last fall that shares much code with Stuxnet and possesses many of the abilities that the first stage of Olympic Games is purported to have had, or to Flame/Skywiper, an even more powerful piece of military-grade spyware discovered only this week.
Either piece of malware, both of which appear to have been created before Stuxnet sabotaged the Natanz centrifuges, could have been the "beacon" that Sanger briefly discusses. Malware experts mostly agree that the same team that developed Stuxnet also created Duqu — but that Flame was a separate project of still-unknown origin.
Sanger briefly mentions Flame at the end of his piece. He does not mention Duqu at all.
Help from Israel — and from Gadhafi
The Times piece says crucial assistance came willingly from Israel, which had extensive intelligence about Iran's nuclear program, and inadvertently from Libyan dictator Moammar Gadhafi, who had given the U.S. centrifuges of the type used at Natanz when he abandoned his own nuclear program in 2003.
Israel was also looped in because the Bush administration feared the Jewish state would unilaterally launch airstrikes against Iran unless concrete progress was made in the effort to sabotage the Natanz facility. Coders from the Israel Defense Forces' Unit 8200 cyberwarfare department worked alongside their U.S. colleagues in developing the malware.
As detailed in a previous Times story authored by Sanger and his Times colleagues William Broad and John Markoff, the U.S. and Israel built mock-ups of Natanz centrifuge arrays and used them to test what became Stuxnet.
In fact, today's Times story says, the first deployment of Stuxnet took place in 2008, while Bush was still in office, not in 2010, as has been thought until now. As researchers later independently concluded, Stuxnet entered Natanz via USB thumb drives, and successfully caused centrifuges to spin out of control. But by the time Bush left office, it had not caused destruction of the kind that the U.S. and Israel wanted.
Bush and Obama had a meeting during the presidential transition in which Bush urged Obama to continue the Olympic Games program, the Times reports. Obama accelerated the program, while appreciating the irony that even as his administration took the lead in American cyberdefenses, it was actively creating the world's first true cyberweapon.
No current administration official would go on the record for the Times' story, but the extensive details that Sanger unearthed make it clear that he had at least tacit approval from the White House to report on the story.
The publication of the report is timed to coincide with the imminent release of Sanger's book, "Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power," to be published Tuesday (June 5) by Crown Books.
At least one cybersecurity expert saw a political motive in the timing of the story.
"Obama wanted to get credit for Stuxnet, as that makes him look tough against Iran," tweeted F-Secure chief research officer Mikko Hypponen this morning. "And he needs that as Presidential elections are coming."
Last night, the two men who apparently authorized the creation of Stuxnet were together again for a rare reunion. Former President Bush and his wife Laura, along with his father, former President George H.W. Bush, were welcomed to the White House by Obama for the unveiling of the younger Bush's official presidential portrait.