'Are cyber-weapons effective?' asks Ivanka Barzashka – a research associate at the Centre for Science and Security Studies of the Department of War Studies, King’s College London – in the RUSI Journal. Her purpose was to discover the real effect of Stuxnet on Iran’s nuclear program.
Barzashka analyzed the available public information on the Stuxnet incident. She found many claims that the malware attack had successfully crippled Iran’s centrifuges at Natanz, but little verifiable evidence that it actually did so. Kaspersky Lab said it ‘may have knocked off Iran’s progress towards a nuclear weapon by five years or more’; the Institute for Science and International Security suggested that it likely ‘destroyed about 1,000 IR-1 centrifuges out of 9,000 deployed at [Natanz]’. But, she says, “analysis presented in this article challenges claims that Stuxnet ever significantly set back Iranian nuclear efforts.”
Key to this conclusion is data from the International Atomic Energy Agency (IAEA) physical inventory, “which is the most credible information available regarding the Iranian centrifuge programme.” The simple reality is that performance at Iran’s Fuel Enrichment Plant has increased year on year, including during the period when Stuxnet was claimed to be damaging the centrifuges. “Perhaps growth could have occurred at an even faster rate,” says Barzashka, “but it is evident that there was no setback during that period.”
In fact, she goes on to conclude, “Stuxnet was of net benefit to Iran if, indeed, its government wants to build a bomb or increase its nuclear-weapons potential.” The reasons are complex. By wounding rather than crippling the nuclear program, it effectively turned the Iranian program into a more dangerous beast. It “has made the Iranians more cautious about protecting their nuclear facilities, making the future use of cyber-weapons against Iranian nuclear targets more difficult.” At the same time, she added, “the world believed that the Iranian nuclear programme had suffered a major setback, leaving Iran to progress quietly.”
In short, Barzashka believes that cyber-weapons have the potential to be effective, but Stuxnet was not. All it really did was make a diplomatic solution more difficult.