Amid the mass of published analysis of the Stuxnet virus, Iran's most obvious
vulnerability to cyber-war has drawn little comment: much of the Islamic
Republic runs on pirated software. The programmers who apparently cracked
Siemens' industrial control code to plant malware in Iran's nuclear facilities
needed a high degree of sophistication. Most Iranian computers, though, run on
stolen software obtained from public servers sponsored by the Iranian
government. It would require far less effort to bring about a virtual shutdown
of computation in Iran, and the collapse of the Iranian economy. The
information technology apocalypse that the West feared on Y2K (the year 2000)
is a real possibility.
On August 25, before the Stuxnet story broke, Brandon Boyce reported on the
website Neowin.net:
"The Iranian Research Organization for Science and Technology (IROST), an
organization directly connected to the Iranian government, is charged with
evaluating and advising policymakers on science and technology issues. They
are also host to a large FTP server full of pirated software. Searching the
FTP you will be able to find a wide range of applications all legal to
download and use if you are an Iranian citizen. The FTP server, which was
discovered by TorrentFreak, was open to anyone around the world, but shortly
after being discovered access was cut off. Initially, they password-protected
the FTP and then they cut off access completely to anyone outside of Iran. The
server was host to multiple versions of software applications, including
Microsoft Office 97 to 2010 or Photoshop 5.5 through CS3, along with
appropriate serial numbers, cracks and keygens."
Even the software that the Iranian authorities use to block Internet access is
apparently stolen. Wikipedia reports, "The primary engine of Iran's censorship
is the content-control software SmartFilter, developed by San Jose firm Secure
Computing. However, Secure denies ever having sold the software to Iran, and
alleges that Iran is illegally using the software without a license."
For all the Iranians know, every word-processing document and PowerPoint
presentation in the country is loaded with malware created by hostile
intelligence services. Sabotage of industrial controls using Siemens'
specialized software is only one possible target of cyber-war. Israel
reportedly hacked Syrian air defenses in the course of the September 2007
attack on a nuclear reactor site. The spook site Debka.com, not always a
reliable source, reports that malware already may have been planted in Iranian,
Syrian and Hezbollah missiles. But the most devastating effects of cyber-war
may be felt in ordinary life.
Iranians, to be sure, can learn to program as well as anyone else. But a
software industry depends on such preconditions as enforceable patents. The
only success story for Iranian software to reach the Western media recently
involves the California-trained programmers in Tehran who built the "Garshasp"
As the Washington Post reported on May 21, though, the "Garshasp" project is an
exception that proves the rule. "For Iranians, who live with double-digit
inflation, unemployment and constant political and judicial uncertainty,
enterprises that do not yield almost instant results are typically regarded as
lost undertakings. There are no copyright laws, and music, movies and computer
games can be freely copied, distributed and sold."
A country that steals its software cannot build its own, even if the sort of
individual who excels at software development wanted to live in Iran. Most of
those who can, leave. A 2002 study reported that four out of five Iranians who
received rewards in international science competitions subsequently left Iran;
too few Iranians have won international awards since then to gather comparable
data. In 2006, the International Monetary Fund noted that Iran had the worst
brain drain of 90 countries surveyed.
Iran has so few skilled programmers that it could be that the security services
do not have the capacity to distinguish sabotage from incompetence. That may
explain why Tehran blames foreign intelligence services for a recent succession
of economic reverses, including the near-collapse of the local markets for gold
and foreign exchange.
Iran's economy has teetered towards disaster since early 2008, as I reported at
the time ("Worst of times for Iran", Asia Times Online, June 24, 2008).
Official data at the
time reported that Iranian households spent 10% more per month than they
time reported that Iranian households spent 10% more per month than they
earned, a rough gauge of the size of the underground economy (smuggled consumer
goods, alcohol, opium, prostitution and so forth).
Iranians coped with inflation in the 20% range by fiddling. Tehran's decision
to lift fuel subsidies last month will put poorer households under water, and
Iranian authorities have warned of possible riots. A run by foreign-exchange
dealers on the Iranian rial reportedly led to street fighting between currency
traders and police last week. After refusing to sell dollars to the market,
Iranian banks on October 10 flooded the market with foreign currency to break
How much of the country's economic and financial chaos is due to incompetence
and theft, and how much reflects economic sabotage, may never be known, if the
Cold War is any guide.
A number of commentators have mentioned the precedent of the "Farewell
Dossier", an American intelligence operation that in 1982 led to catastrophic
damage to the Soviet Union's Siberian gas pipeline.
My old boss, Norman A Bailey, was then head of plans at the Reagan National
Security Council, and deeply involved in the operation. Russia did not have the
software engineers to design the required control software, and sent spies to
steal it from a Canadian firm. The Central Intelligence Agency (CIA) learned of
Russia's efforts and arranged for the Russians to steal doctored software. A
pumping station exploded with a force equivalent to three kilotons of TNT.
I am personally aware of other instances of successful economic sabotage.
Russia managed to "steal" American spy cameras that had been doctored by the
CIA. They were turned over to engineers at Zeiss, East Germany's great optics
firm, but they never quite worked properly.
After the Berlin Wall came down in 1989, the Zeiss team met with the American
intelligence officer who designed the scam. "We thought that if only we could
get copies of the original manuals, or talk to the American engineers, we could
fix the problem" on the sensitive equipment. To my knowledge, the spy-camera
story has never surfaced. Neither have numerous other instances of sabotage
that American intelligence has no interest in revealing, and which the Russians
are too embarrassed to talk about.
Russia at the height of the Cold War could not handle sophisticated programming
and chip-making problems, despite its vast pool of skilled engineers and
scientists. It is doubtful that the Iranians have the capacity to program a
money-transfer system for a retail bank, or the traffic lights in Tehran, or an
electricity distribution grid, or other commonplaces of modern life.
The rancor and disaffection of Iran's diminishing educated class is so great
that the government will find very few local technicians whom it can trust, and
even fewer capable of diagnosing a bug buried in thousands of lines of code,
most of it written years ago by programmers who long since emigrated. Anyone
who has managed large-scale information technology projects for corporations
knows that the fog of war is nothing compared to the cloud of computation. And
that is true under the most benign circumstances.
Tehran cannot be sure how any of its foreign-purchased weapons systems will
perform, much less the nuclear reactor it sourced from Russia. Recently, I
remonstrated with a Russian friend about his country's sale of nuclear
technology to Iran. He said, "You know, sometimes Russian technology isn't so
good. There are little problems with quality control, and accidents happen.
Remember Chernobyl," he said, referring to the nuclear disaster on April 26,
1986, at the Chernobyl nuclear power plant in Ukraine (then part of the Soviet
The only weapons on which Iran can rely are unguided missiles that require no
electronic controls and simply shoot in the general direction of a target. At
relatively short range and in very large number, these are very effective
weapons against Israeli cities, for example.
After the Stuxnet humiliation, and with great uncertainty about the usability
of more sophisticated weapons, Iran is likely to risk a demonstration of its
power through Hezbollah. The more successful the cyber-war attack on Iran's
nuclear capacities, therefore, the more dangerous becomes southern Lebanon.