Instead, he ordered an all-out cyber attack on Iran’s nuclear program, according to a new book by a New York Times reporter.
The book says work on the Stuxnet computer worm was started under President George W. Bush and put into high gear by Obama. The point of Stuxnet was not to destroy Iranian centrifuges, as many have assumed, but instead to cause constant vexing problems so the Islamic Republic would slow its enrichment program in an effort to find out what was wrong and assume that its design was bad.
US controllers only ordered Stuxnet to destroy about a thousand centrifuges when the worm was transferred to other computers and was about to be exposed. With its days numbered, the US told Stuxnet to go out with a blast.
Major details never before published about Stuxnet appeared last Friday in The New York Times in a 3,300-word extract from a new book by the Times’ David E. Sanger, “Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power.” The book went on sale Tuesday.
The effort to make Iran think it had badly designed its centrifuge program worked very well, officials told Sanger. “We soon discovered they fired people.”
The hope was that Stuxnet would continue fooling Iran for years and constantly send technicians chasing what they would assume to be a new problem. The grand effort came to a halt, however, when someone at the Natanz centrifuge plant did what he never should have done—transfer some information from the computer controlling the centrifuges. That took Stuxnet out of the one computer it had been designed for and into a personal computer, from which it began to spread elsewhere, eventually being detected.
The US program was codenamed “Olympic Games.”
A key point that Sanger’s book does not answer clearly is exactly how the United States got Stuxnet into the Natanz computer to begin with. It appears likely that the Americans had an agent inside Natanz who quietly inserted the Stuxnet worm.
The Sanger report has been largely confirmed and expanded on in succeeding days by other newspapers, such as The Washington Post.
Stuxnet was a joint effort, the reports say, of three US agencies—the Central Intelligence Agency; the National Security Agency, which handles communications intelligence and has long conducted advanced computer work; and the Idaho National Laboratory, part of the Energy Department, which works on nuclear projects and several years ago got heavily into computer security issues—plus the Israeli government.
The role Israel played is not clear. It appears from Sanger’s text that the United States enlisted Israel mainly for political purposes, so it would see that the United States was expending a huge effort to stop Iran’s nuclear program and thus discourage Israel from taking unilateral military action.
As to how Stuxnet actually got inserted into the Natanz control system, which is stand-alone system not tied to the Internet, The Washington Post said that “depended on spies and unwitting accomplices—engineers, plant technicians.”
Sanger makes clear that Stuxnet was inserted by the United States only in the Natanz control computer. Previous reports spoke as if Stuxnet was set free in Iran with the hope it would eventually reach Natanz. But the United States did not want Stuxnet circulating elsewhere. It was designed only to work on the Natanz control computer, so it would do no harm elsewhere—but it would become visible elsewhere and eventually be exposed. And that is just what happened in the end.
Sanger says Obama has been personally involved in decisions on the use of Stuxnet. It was not just a product of other hands deep down in the bureaucracy.
Sanger writes that Obama “was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons — even under the most careful and limited circumstances — could enable other countries, terrorists or hackers to justify their own attacks.”
Sanger quotes an unnamed presidential aide as saying the Administration was resistant to developing a “grand theory for a weapon whose possibilities they were still discovering.” But Obama concluded that when it came to stopping Iran, the United States had no other choice.
If Olympic Games failed, Sanger said Obama told aides, there would be no time for sanctions and diplomacy with Iran to work. Israel could carry out a conventional military attack, prompting a conflict that could spread throughout the region.
Olympic Games was started in 2006, when President Bush felt stymied. Europe was reluctant to adopt serious sanctions, fearing the impact on their own economies. And, having falsely accused Saddam Hussein of reconstituting his nuclear program in Iraq, Bush had little credibility in talking about Iran’s nuclear ambitions.
Several times, Sanger says, the Administration reviewed military options and concluded they would only further inflame a region already at war, and would have uncertain results.
Sanger credits the birth of Olympic Games to General James E. Cartwright, then-commander of the US Strategic Command, who had established a small cyber operation. He suggested a far more sophisticated cyberweapon than the United States had ever designed before.
But The Washington Post says the technical effort that made Cartwright’s general ideas come true was the work of NSA Director Keith Alexander, who had technical know-how and oversaw the whole project.
The first step was to develop a bit of computer code called a “beacon” that could be inserted into the computers at Natanz to make a blueprint of the plant.
Sanger said Bush was skeptical, but, lacking any other options, he authorized the effort.
It took months for the beacons to do their work and report home. Then the NSA and a secret Israeli unit respected by American intelligence officials for its cyber skills set to work developing Stuxnet.
Beyond technical skills, Sanger said the United States had another reason for involving Israel—“to dissuade the Israelis from carrying out their own pre-emptive strike against the Iranian nuclear facilities. To do that, the Israelis would have to be convinced that the new line of attack was working. The only way to convince them, several officials said in interviews, was to have them deeply involved in every aspect of the program.”
Stuxnet was tested on some of the centrifuges that Libya had bought from the Pakistani nuclear ring, which had earlier sold the same centrifuge design to Iran. When Libya gave up its nuclear program, those primitive centrifuges were handed over to the United States.
Stuxnet was introduced into Natanz by a thumb drive sometime in 2008, according to Sanger. It would be there working for almost two years before it escaped from Natanz and was exposed to the world. Those were two years in which the Iranian program did not seem to advance much at all.
Sanger writes, “When the centrifuges began spinning out of control in 2008, the Iranians were mystified about the cause, according to intercepts that the United States later picked up. ‘The thinking was that the Iranians would blame bad parts, or bad engineering, or just incompetence,’ one of the architects of the early attack said.”
The Washington Post quoted a source as saying, “The idea was to string it out as long as possible. If you had wholesale destruction right away, then they generally can figure out what happened, and it doesn’t look like incompetence.” It was hoped that Stuxnet would keep operating for far more than the two years of life it eventually had.
No two Stuxnet attacks were exactly alike, which added to the confusion and mystification at Natanz. The worm would do nothing for weeks. When it attacked, it sent signals to the Natanz control room indicating that everything was operating normally. “This may have been the most brilliant part of the code,” one American official told Sanger.
The International Atomic Energy Agency (IAEA) learned that the Natanz operators had grown so distrustful of their own instruments that they had assigned people to sit in the centrifuge area and radio the control room what they were seeing.
“The intent was that the failures should make them feel they were stupid, which is what happened,” one participant in the program told Sanger. When a few centrifuges failed, the Iranians would close down whole cascades of 164 centrifuges each, looking for signs of sabotage in all of them. “They overreacted,” one official said. “We soon discovered they fired people.”
When Bush left office in January 2009, he met with Obama and urged him to preserve two classified programs—Olympic Games and the drone program in Pakistan. Obama took the advice.
Obama, in fact, got actively involved in both programs.
The architects of Olympic Games would meet him in the White House Situation Room. Obama authorized the attacks to continue, and every few weeks — certainly after a major attack — he would get updates and authorize the next step. Sometimes it was a strike riskier and bolder than what had been tried previously. To some, it sounded like President Lyndon Johnson picking bombing targets in Vietnam.
Sanger quotes a senior Obama Administration official as saying, “From his first days in office, he was deep into every step in slowing the Iranian program — the diplomacy, the sanctions, every major decision.”
But in the summer of 2010, it became clear the worm—which was never supposed to leave Natanz—had gotten loose. It is assumed Stuxnet leaped into an engineer’s personal computer when it was hooked up to the centrifuge control computer, in violation of basic security rules.
When the engineer later connected his computer to the Internet, Stuxnet began replicating itself all around the world. Suddenly, the code was exposed.
Obama ordered that the cyber attacks continue. Within a week, Stuxnet brought down just under 1,000 centrifuges.
Sanger said that Obama has repeatedly told his aides that there are risks to using—and particularly to overusing—cyber-weapons. In fact, no country is more dependent on computer systems, and thus more vulnerable to attack, than the United States.
One issue now is whether the Islamic Republic will retaliate with a cyber attack of its own on the United States. The political system in the Islamic Republic believes retaliation is right and proper. The question then is how will Obama respond if Iran, say, shuts down the national American electrical grid.
