DAVID GREENE, Host:
About a year ago, a German cyber security expert named Ralph Langner announced he'd found a computer worm designed to sabotage a nuclear facility in Iran. It was called Stuxnet, and it was the most sophisticated worm he had ever seen. In the year since, Stuxnet has been analyzed as a cyber super weapon, one so dangerous it could even harm those who created it.
Last week, Ralph Langner sat down with NPR's Tom Gjelten to discuss his discovery.
TOM GJELTEN: Langner Communications is a little firm in Hamburg, Germany. But Ralph Langner and the two engineers with whom he works know a lot about industrial control systems. And in the summer of 2010, they went to work analyzing a malicious software program that was turning up in some equipment. Someone had dubbed the worm Stuxnet. Langner was flabbergasted.
RALPH LANGNER: I'm in this business for 20 years and what we saw in the lab when analyzing Stuxnet was far beyond everything we had ever imagined.
GJELTEN: It was a worm that could burrow its way into an industrial control system; the kind of system used in power plants, refineries, and nuclear stations. Amazingly, it ignored everything it found except the one piece of equipment it was seeking. When the worm reached its target, it would destroy it.
Langner was in Washington recently for a cyber security conference. In an interview on the sidelines, he told me the more his team analyzed the Stuxnet worm, they more they knew they were onto something big.
LANGNER: We were all pretty much working around the clock. Because after we had the first impression of the magnitude of this, we were just like on speed or something like that. It was just impossible to go back to sleep.
GJELTEN: Was it exciting?
LANGNER: Well, absolutely.
GJELTEN: Langner couldn't imagine who could have created it. Each day he was more impressed.
LANGNER: First time, well, this is a banger. Wow. That's fantastic. That's huge. And then, a couple of days later, the next experience like this, we were thinking, well, what's coming next? What are these guys? At what level are they? Are they aliens or what?
GJELTEN: But that would be science fiction. This was reality.
LANGNER: Thinking about it for another minute, well, if it's not aliens, it's got to be the United States.
(SOUNDBITE OF LAUGHTER)
GJELTEN: Another realization: by analyzing the Stuxnet code, Langner concluded it was designed to disable a particular nuclear facility in Iran. That's serious business, he figured. Some Iranian nuclear scientists, he remembered, had been mysteriously killed. But he published his findings anyway.
LANGNER: I wasn't actually scared, but this was just something I was thinking about. When you know this stuff must involved with intelligence services, who do some dirty work every now and then, and you can't just block that away from your personal situation when you are the guy who is the first to publish - yeah, this is a directed attack against the Iranian nuclear program. So there have been some frightening moments.
GJELTEN: The sophistication of the worm, plus the fact that the designer had inside intelligence on the Iranian facility, led Langner to conclude the United States had developed Stuxnet, possibly with the help of Israeli intelligence.
Langner isn't shy about naming the U.S. as the Stuxnet culprit. Here he is, speaking recently at the Brookings Institution.
LANGNER: I'm absolutely convinced that the United States is the leading force behind Stuxnet.
GJELTEN: In that Brookings speech, he also made a bigger point, that having developed Stuxnet as a computer weapon, the United States may in effect have introduced it into the world's cyber arsenal.
LANGNER: Cyber weapons proliferate by use, as we see in the case of Stuxnet. Several months or weeks or a year later, the code is available on the Internet for dissection by anybody who has the motivation and time to do so.
GJELTEN: It would have to be revised, Langner says, in order to target some other industrial control system besides the one in Iran; a U.S. power plant, for example. But it could be done, he said. And U.S. utility companies, he warned, are not yet prepared to deal with the threat Stuxnet represents.
The CIA declined comment on Langner's charge that the U.S. was the leading force behind Stuxnet. And Homeland Security officials insist measures are being taken to defend U.S. infrastructure against cyber attack.
Tom Gjelten NPR News, Washington.