A few years ago, Israeli and American intelligence developed a computer virus with a specific military objective: damaging Iranian nuclear facilities. Stuxnet was spread via USB sticks and settled silently on Windows PCs. From there it looked into networks for specific industrial centrifuges using Siemens SCADA control devices spinning at highspeed to seperate Uranium-235 (the bomb stuff) from Uranium-238 (the non-bomb stuff).
Iran, like many other countries, has a nuclear program for power generation and the production of isotopes for medical applications. Most countries buy the latter from specialists like the Netherlands that produces medical isotopes in a special reactor at ECN. The western boycott of Iran makes it impossible to purchase isotopes on the open market. Making them yourself is far from ideal, but the only option that remains as import blocked.
Why the boycott? Officially, according to the U.S. because Iran does not want to give sufficient openness about its weapons programs. In particular, military applications of nuclear program is an official source of concern. This concern is a fairly recent and for some reason has only been reactivated after the US attack on Iraq (a lot of the original nuclear equipment in Iran was supplied by American and German companies with funding from the World Bank before the 1979 revolution). The most curious of all allegations of Western governments about Iran is that they are never more than vague insinuations. When all 16 U.S. intelligence agencies in 2007 produced a joint study there was a clear conclusion: Iran is not developing a nuclear weapon (recent speech by the leader of this study here).
And that's strange.
For if the 16 American intelligence services and their Israeli colleagues, the famous Mossad, can all agree that Iran is not making nuclear weapons, how do you justify an attack against civilian industrial infrastructure? And that this is the equivalent of a military attack is clear when you consider what would happen if Iran had been caught in a cyber attack on 'our' instalations in Borssele or Indian Point.
Stuxnet is designed for a single purpose: the damage of nuclear enrichment facilities in Iran. This is a country that just may perform these activities in accordance with the international agreements stipulated in the Non Proliferation Treaty. Iran, like most other countries in the world (except Israel, India, Pakistan, S Sudan and N Korea) signed this Convention. Nuclear weapons are not allowed but civil nuclear industry is, a detail that sometimes escapes the attention of editors. Like the reason why Iran is not a democracy. I'm not saying the Iranian government are darlings, but the country has not attacked anyone in the past 200 years, unlike several of our NATO partners.
But Stuxnet has made some things very clear to Iran and the rest of the non-Western world. It does not matter that you abide by established agreements and treaties. It does not matter that you're not a threat to the West. It does not matter that the countries that accuse you most of violating the non-proliferation agreements (U.S. and Israel) arethemselves the most egregious violators; USA by delivering plutonium to Israel and Israel by not even signing the treaty and secretly stashing 100-200 nuclear bombs in the basement.
So there is no reason for you to stick to agreements or treaties because it does not guarantee that the parties on the other side will do the same and it may offer a strategic disadvantage. And if you going to have the disadvantage of alleged conduct (boycotts, threats of bombing), it is logical that you also want the benefits. It is almost rational for Iran to develop a military nuclear program. Certainly North Korea seems to get away with it. As a bonus, is now has a few nuclear weapons and that is still the best guarantee that the U.S. will not be bringing unsolicited packages of "democracy" (although a lack of oil wells also seems to help).
Like the attack on Iraq, which was carried out based on deliberate lies (The US and UK knew Saddam had no WMDs), the U.S. again does not comply with the standards that it happily tries to impose on others. With the result that no-one takes such standards seriously anymore and the world (and cyberspace) becomes a wild west shooting gallery.
And that's exactly what you do not want in a world where a handful of angry Chinese / Russian / Iranian / Iraqi / <insert other country> can completely anonymously and in secret take down your critical infrastructure. Western countries are much more vulnerable due to their high degree of automation than countries that have just outgrown their third world status. Cyber weapons are relatively inexpensive and developing them is more difficult to detect than the construction of missiles and aircraft carriers. The best defense against it is the prevention of an arms race. Like a nuclear war everybody loses in a cyber war. Safety in such a context is created by moral leadership (starting with: follow your own rules) and actively working at de-escalation. And that is exactly what the U.S. and Israel have not done.
With such friends, we are assured of a continuous stream of new enemies in countries that mainly want to be left alone, but that arm themselves just in case the "free West" is on the prowl in their region.
Setting up a Cyber Army while the sluices and pumping stations are equipped with factory-default passwords in their SCADA controllers seems pretty stupid. If you live in a glass house, not throwing stones and not motivating others to do so, is the smarter move.
Follow Arjen Kamphuis on Twitter: www.twitter.com/ArjenKamphuis