Amid the mass of published analysis of the Stuxnet virus, Iran’s most obvious vulnerability to cyber-war has drawn little comment: much of the Islamic Republic runs on pirated software. The programmers who apparently cracked Siemens’ industrial control code to plant malware in Iran’s nuclear facilities needed a high degree of sophistication. Most Iranian computers, though, run on stolen software obtained from public servers sponsored by the Iranian government. It would require far less effort to bring about a virtual shutdown of computation in Iran, and the collapse of the Iranian economy. The information technology apocalypse that the West feared on Y2K (the year 2000) is a real possibility.
On August 25, before the Stuxnet story broke, Brandon Boyce reported on the website Neowin.net:
The Iranian Research Organization for Science and Technology (IROST), an organization directly connected to the Iranian government, is charged with evaluating and advising policymakers on science and technology issues. They are also host to a large FTP server full of pirated software. Searching the FTP you will be able to find a wide range of applications all legal to download and use if you are an Iranian citizen. The FTP server, which was discovered by TorrentFreak, was open to anyone around the world, but shortly after being discovered access was cut off. Initially, they password-protected the FTP and then they cut off access completely to anyone outside of Iran. The server was host to multiple versions of software applications, including Microsoft Office 97 to 2010 or Photoshop 5.5 through CS3, along with appropriate serial numbers, cracks and keygens.
Even the software that the Iranian authorities use to block Internet access is apparently stolen. Wikipedia reports, “The primary engine of Iran’s censorship is the content-control software SmartFilter, developed by San Jose firm Secure Computing. However, Secure denies ever having sold the software to Iran, and alleges that Iran is illegally using the software without a license.”
For all the Iranians know, every word-processing document and PowerPoint presentation in the country is loaded with malware created by hostile intelligence services. Sabotage of industrial controls using Siemens’ specialized software is only one possible target of cyber-war. Israel reportedly hacked Syrian air defenses in the course of the September 2007 attack on a nuclear reactor site. The spook site Debka.com, not always a reliable source, reports that malware already may have been planted in Iranian, Syrian and Hezbollah missiles. But the most devastating effects of cyber-war may be felt in ordinary life.
Iranians, to be sure, can learn to program as well as anyone else. But a software industry depends on such preconditions as enforceable patents. The only success story for Iranian software to reach the Western media recently involves the California-trained programmers in Tehran who built the “Garshasp” video game.
As the Washington Post reported on May 21, though, the “Garshasp” project is an exception that proves the rule. “For Iranians, who live with double-digit inflation, unemployment and constant political and judicial uncertainty, enterprises that do not yield almost instant results are typically regarded as lost undertakings. There are no copyright laws, and music, movies and computer games can be freely copied, distributed and sold.”
A country that steals its software cannot build its own, even if the sort of individual who excels at software development wanted to live in Iran. Most of those who can, leave. A 2002 study reported that four out of five Iranians who received rewards in international science competitions subsequently left Iran; too few Iranians have won international awards since then to gather comparable data. In 2006, the International Monetary Fund noted that Iran had the worst brain drain of 90 countries surveyed.
Iran has so few skilled programmers that it could be that the security services do not have the capacity to distinguish sabotage from incompetence. That may explain why Tehran blames foreign intelligence services for a recent succession of economic reverses, including the near-collapse of the local markets for gold and foreign exchange.
Iran’s economy has teetered towards disaster since early 2008, as I reported at the time (Worst of times for Iran, Asia Times Online, June 24, 2008). Official data at the time reported that Iranian households spent 10% more per month than they earned, a rough gauge of the size of the underground economy (smuggled consumer goods, alcohol, opium, prostitution and so forth).
Iranians coped with inflation in the 20% range by fiddling. Tehran’s decision to lift fuel subsidies last month will put poorer households under water, and Iranian authorities have warned of possible riots. A run by foreign-exchange dealers on the Iranian rial reportedly led to street fighting between currency traders and police last week. After refusing to sell dollars to the market, Iranian banks on October 10 flooded the market with foreign currency to break the run.
How much of the country’s economic and financial chaos is due to incompetence and theft, and how much reflects economic sabotage, may never be known, if the Cold War is any guide.
A number of commentators have mentioned the precedent of the “Farewell Dossier,” an American intelligence operation that in 1982 led to catastrophic damage to the Soviet Union’s Siberian gas pipeline.
My old boss, Norman A Bailey, was then head of plans at the Reagan National Security Council, and deeply involved in the operation. Russia did not have the software engineers to design the required control software, and sent spies to steal it from a Canadian firm. The Central Intelligence Agency (CIA) learned of Russia’s efforts and arranged for the Russians to steal doctored software. A pumping station exploded with a force equivalent to three kilotons of TNT.
I am personally aware of other instances of successful economic sabotage. Russia managed to “steal” American spy cameras that had been doctored by the CIA. They were turned over to engineers at Zeiss, East Germany’s great optics firm, but they never quite worked properly.
After the Berlin Wall came down in 1989, the Zeiss team met with the American intelligence officer who designed the scam. “We thought that if only we could get copies of the original manuals, or talk to the American engineers, we could fix the problem” on the sensitive equipment. To my knowledge, the spy-camera story has never surfaced. Neither have numerous other instances of sabotage that American intelligence has no interest in revealing, and which the Russians are too embarrassed to talk about.
Russia at the height of the Cold War could not handle sophisticated programming and chip-making problems, despite its vast pool of skilled engineers and scientists. It is doubtful that the Iranians have the capacity to program a money-transfer system for a retail bank, or the traffic lights in Tehran, or an electricity distribution grid, or other commonplaces of modern life.
The rancor and disaffection of Iran’s diminishing educated class is so great that the government will find very few local technicians whom it can trust, and even fewer capable of diagnosing a bug buried in thousands of lines of code, most of it written years ago by programmers who long since emigrated. Anyone who has managed large-scale information technology projects for corporations knows that the fog of war is nothing compared to the cloud of computation. And that is true under the most benign circumstances.
Tehran cannot be sure how any of its foreign-purchased weapons systems will perform, much less the nuclear reactor it sourced from Russia. Recently, I remonstrated with a Russian friend about his country’s sale of nuclear technology to Iran. He said, “You know, sometimes Russian technology isn’t so good. There are little problems with quality control, and accidents happen. Remember Chernobyl,” he said, referring to the nuclear disaster on April 26, 1986, at the Chernobyl nuclear power plant in Ukraine (then part of the Soviet Union).
The only weapons on which Iran can rely are unguided missiles that require no electronic controls and simply shoot in the general direction of a target. At relatively short range and in very large number, these are very effective weapons against Israeli cities, for example.
After the Stuxnet humiliation, and with great uncertainty about the usability of more sophisticated weapons, Iran is likely to risk a demonstration of its power through Hezbollah. The more successful the cyber-war attack on Iran’s nuclear capacities, therefore, the more dangerous becomes southern Lebanon.