Saturday, November 23, 2013

Turkey: How Conscription Reform Will Change the Military

Turkish soldiers commemorate the anniversary of Victory Day in Ankara on Aug. 30. (ADEM ALTAN/AFP/Getty Images)

Summary

A large, conscripted military may no longer be the most appropriate way for Turkey to protect its interests and defend against external threats. Ankara appears to have acknowledged as much Oct. 21, when it voted to reduce the length of time conscripted soldiers are required to serve. The measure, which will take effect Jan. 1, 2014, will effectively shrink the military by 70,000 members. This is no small diminution, considering that Turkey, with its 750,000 soldiers, has the second-largest military among NATO members. Political and economic considerations may have informed Ankara's decision, but ultimately the move was made to reflect the changing geopolitical conditions under which Turkey now finds itself.

Analysis

Historically, Turkey's location and geography have necessitated a robust military. Located at the crossroads between Asia and Europe, the country was critical terrain during the Cold War. In 1952, Turkey became a member of NATO, serving as the southwestern bulwark against the Warsaw Pact. It mustered a large standing military by establishing compulsory service for all Turkish men. Though the Cold War ended two decades ago, Turkey has maintained this practice.


Conscription is mandated by the Turkish Constitution, but the legislature determines how it will be enacted. Currently, a healthy Turkish man with no college education serves for 15 months. Prior to 2003, the minimum requirement was 18 months. The upcoming change will reduce this term to 12 months. Of course, there are some exceptions to the mandate. Men with college education have a shorter commitment of six to 12 months, and men over the age of 30 can buy their way out of service for a fee.
Exemptions notwithstanding, conscripts constitute the majority of Turkish service members, comprising some 500,000 soldiers. With such a short service time, many conscripts fail to gain experience after their basic training. As a result, the Turkish military has a small professional core that is augmented by lightly trained forces.

Old Structures, New Threats

This structure made sense during the Cold War, when Turkey was facing similarly structured Soviet and Soviet-backed militaries. Mobilizing an entire population of even lightly trained service members, should the need arise, certainly has its advantages. But times have changed, as have Turkey's primary strategic threats. Whereas once the country was confronted with the prospect of a Soviet ground invasion, it now contends with domestic terrorism, Kurdish insurgents and, more recently, border issues with neighboring Syria, still in the throes of civil war. Smaller, more agile professional forces, along with Turkey's paramilitary forces, are better suited to address these security concerns.
However, force structures are not determined by threats alone. For decades, the Turkish military acted as the guardian of the Kemalist principles upon which the country was founded. Maintaining a large standing army helped the military extend its influence into the political affairs of the state. But the rise and political consolidation of the ruling Justice and Development Party over the past decade has severely undermined the Turkish military's political influence. The mere sight of once-invulnerable Turkish generals in jail confirms that Turkey's civilian political leadership has supplanted the military establishment.
Clearly, there is a political element to the conscription reform, as evidenced by the Justice and Development Party's political consolidation and its imperative to curb the military's influence. Equally important, a presidential election will take place in 2014 and general elections in 2015. A circumscribed military service requirement will likely buy the ruling party considerable political capital among voters, many of whom would rather study, work and earn a living than perform an increasingly archaic social service.
Aside from political considerations, military modernization and increasingly capable military technology demand that force structures maintain highly trained, professional personnel. New technologies and the requisite personnel operating them require more time and more money. The current conscription model does not address these requirements sufficiently. Therefore, the military is being reconfigured as a smaller, better-trained and more expensive per capita professional force supported by higher-end technological platforms.
This transformation likely will continue for the foreseeable future. Conscription will be modified to the point that it faces elimination, which would probably require a constitutional amendment. Other countries that have undergone similar reconfigurations, including former Warsaw Pact members that later joined NATO, have learned that this process can take decades to complete and that a smaller military is not necessarily a cheaper military.


Read more: Turkey: How Conscription Reform Will Change the Military | Stratfor


German Armor For Indonesia

by Nicholas Fiorenza

Rheinmetall is supplying Indonesia with upgraded Leopard 2 tanks and Marder armored infantry fighting vehicles under a December 2012 contract with the Indonesian Ministry of Defense, the German company announced earlier this week. The contract, which took nearly a year to come into force after legal formalities were completed, is worth €216 million (over $291 million).


Between 2014 and 2016, Rheinmetall will deliver 103 modernized Leopard 2s, 42 upgraded Marder 1A3s, 11 armored recovery and engineering vehicles, training equipment, logistical support, and an initial supply of practice and service ammunition.


With this contract, Indonesia becomes the 18th Leopard 2 user nation.

Rheinmetall photos of Leopard 2A4s and Marder 1A3s on parade in Jakarta on 5 October 2013

Source: http://www.aviationweek.com/

50 Shades Of Sukhoi

by Bill Sweetman

T-50-5, fifth development aircraft in Russia's stealth fighter program, has turned up at the Zhukovsky flight test center in a new two-tone blue-grey paint scheme. 


It looks a bit like an early-World War 2 US Navy scheme, the bane of a young model-builder because Humbrol paints were not formulated for easy merging. I don't think it has anything to do with a carrier-based T-50, however. 

Clearly, someone in Russia has been doing some thinking about visual camouflage - which, unlike radar camouflage, has not often been the subject of intense, consistent scientific study. A few years ago, the Su-35 appeared with a jagged dazzle pattern that recalled a World War 1 warship.


Like those schemes, and like some of the camouflage schemes that U.S. Navy Cdr. C.J. "Heater" Heatley developed with the aid of artist Keith Ferris, the aim is to deceive rather than to conceal. The idea of dazzle on ships, for example, was to make it hard for a submarine commander to discern how fast his target was going, or even in which direction. 

The T-50-5 scheme seems to be influenced by two theories of vision. First, at long distances, visual perception is dominated by monochrome: the eye can see colors but is cued by light and dark. Second, contrast is important to perception, and a sharp-edged object is seen most easily. Consequently, a grayish color is the best camouflage whether the background is earth or sky, and deliberately blurring edges makes the aircraft less visible. 

One engineer who had worked with Heatley, by the way, told me that the camouflage was too effective: the risk of collision during training was unacceptable. Another interesting observation is that it took a long time for anyone to realize that the most visible color in daylight is black. That's why RAF trainers are painted black. What about the F-117? It was painted black because when it was introduced, a senior USAF commander did not believe that it could survive in daylight, and consequently ordered the jets to be painted black to make sure nobody tried it. 

DUBAI: Airbus reveals long-term forecast for A400M

  CRAIG HOYLE DUBAI

Airbus Military’s Dubai debutant A400M might have reached the international market too late to vie for the Middle East region’s recent investment in large transport aircraft, but the company hopes to “reverse this situation very soon”.
Revealing a new long-term sales forecast at the show, head of market development Gustavo Garcia Miranda says around 330 military transports – including 130 in the A400M’s size class – are likely to be sold in the Middle East and North Africa (MENA) region by 2042. “We would like to take maybe half of it,” he says of the expected business.
The European company isn’t saying which nations are considered the most likely prospects to buy the A400M, but Miranda says it has discussed the type with “many operators” of Lockheed Martin’s legacy C-130 Hercules. The company has previously sold a combined 66 medium transports and tankers in the MENA region, he adds.
Head of defence capability marketing Ian Elliott points to the A400M’s in-built potential to also be used as an air-to-air refueller as a possible attraction to new customers. “The days of buying one aeroplane to do one job are gone,” he claims.
Qatar and the UAE have already acquired Boeing’s C-17 strategic transport, which will end production in 2015, while Lockheed has sold new-generation C-130Js to Kuwait, Oman, Qatar and Saudi Arabia.
Meanwhile, Miranda says new sales of the A330-200-based multirole tanker/transport are expected “within a few weeks or months”. The company is close to finalising contract discussions with India for six examples, while he says it is also “very confident” of landing an order in Asia soon. Singapore has been considering the type for a six-unit requirement.

DUBAI: Bahrain moves closer to Typhoon deal

  CRAIG HOYLE DUBAI

Bahrain’s interest in acquiring the Eurofighter Typhoon appears to be building further, with UK defence secretary Philip Hammond having met with King Hamad bin Isa Al Khalifah at the Dubai air show to discuss the potential deal.
“We continue to have very fruitful discussions with Bahrain about Typhoon, and we very much hope that Bahrain will decide soon to join the Typhoon family,” Hammond told journalists after their meeting on 17 November. “I think those discussions are very positive, and I look forward to a good outcome in due course.”
The King of Bahrain met UK prime minister David Cameron earlier this year to discuss a possible purchase of the Typhoon as a replacement for its air force’s Northrop F-5 fighters. The UK government and national Eurofighter partner company BAE Systems are leading a campaign to sell the type to the Gulf Cooperation Council member.
A potential opportunity to conclude a deal could come as soon as mid-January, when the Bahrain international air show will take place.
Asked about the UK’s willingness to do business with Bahrain, following its measures to quell political opposition within its borders, Hammond says: “This is nothing to do with the internal situation. Jet aircraft are about the external defence of the country, and allowing Bahrain to contribute to the defence of the GCC countries collectively.”

South Korea to obtain 40 F-35As

  GREG WALDRON SINGAPORE

South Korea will obtain 40 Lockheed Martin F-35A fighters under its F-X III requirement.
A report by state news agency Yonhap quotes the country’s Joint Chiefs of Staff (JCS) as saying that Seoul will obtain 40 F-35s starting in 2018, with an option to buy 20 more aircraft.
The deal will be conducted through the US government’s Foreign Military Sales mechanism.
"The F-35A will be used as a strategic weapon to gain a competitive edge and defeat the enemy in the early stage of war," Yonhap quotes the JCS as saying. "The South Korean military will also use the aircraft to effectively deal with provocations."
Deliveries will begin in 2018, says Yonhap.
"We will continue to work closely with the US government to meet the Republic of Korea Air Force's fighter requirements," says Lockheed. "We greatly appreciate that the Republic of Korea is pursuing a fifth-generation solution to meet their demanding security needs." The company confirms that it can supply aircraft in time to meet Seoul's 2018 objective, and in the F-35's Block 3F software configuration.
Seoul will also obtain an additional 20 fighter aircraft of unspecified type, but the timeframe and details of this acquisition are not clear.
This additional requirement would appear to leave room for Boeing and Eurofighter, which pitched the F-15 Silent Eagle and Typhoon in the original 60 aircraft F-X III competition, to make a significant sale in South Korea.
At a recent defence exhibition in South Korea, Boeing dropped its F-15SE proposal in favour of an aircraft it dubs the “Advanced F-15” (above). Eurofighter continued pitching the Typhoon.
An industry source familiar with South Korean defence requirements says today’s F-35A announcement stems from a 30-man team recently established by the air force to push its case with the country’s JCS, which has ultimate authority over force improvement decisions.
The JCS will submit this recommendation to the Defence Acquisition Program Administration (DAPA), which will negotiate the final contract. The air force team will also play a role in the acquisition of South Korea’s indigenous KFX fighter and a four-aircraft tanker requirement.
This should have the effect of reducing DAPA’s say over platform capabilities and relegate it to a contract negotiation role.
The original F-X III requirement called for Seoul to obtain 60 new fighters. The only aircraft to come in under the DAPA’s budget of won (W) 8.3 trillion ($7.7 billion) was Boeing’s proposed F-15SE, an upgraded version of the venerable type with low observable features and other improvements.
In September, however, Seoul decided to re-tender the competition following the air force’s reiteration that it wants a stealth aircraft to fill the requirement, and a public relations backlash in South Korean media against the selection of the F-15SE.

Thursday, November 21, 2013

Letter from Tangier

By Reva Bhalla
Morocco rarely figures into international news headlines these days, something of a virtue in this restive part of the world. The term Maghreb, which translates as "land of the setting sun," eventually came to denote a stretch of land starting in the Western Sahara and running through the Atlas Mountains and ending before the Nile River Valley, encompassing modern-day Morocco, Algeria, Tunisia and Libya. However, the Maghreb originally meant the lands that define Morocco, where the setting sun marked the Western frontier of the Islamic empire.
This evening in Tangier, I watch as ribbons of intense red and orange weave through plum-tinted clouds and settle behind the mountains on the Spanish coastline. Those mountains that almost seem a stone's throw away are where a Moroccan general, Tariq ibn Ziyad, massed his troops for a conquest ordered by the sixth Umayyad caliph in the early 8th century to expand the frontier of the caliphate to the Iberian Peninsula. Jebel al Tariq, Arabic for "the mountain of Tariq," eventually came to be known as Gibraltar, the highly strategic narrow strait where the Atlantic and the Mediterranean meet. When the light is just right, you can see cerulean waters of the Mediterranean sharply contrasting with the dark moody waters of the Atlantic in a strategic aqua-hued borderland.


Tangier and the Spanish-controlled city of Ceuta slightly to the east are the closest Africa gets to Europe. Consequently, this prized tip of the Maghreb was rarely held by Morocco's local inhabitants, who were too weak and outnumbered to compete effectively with the seafaring powers of the Mediterranean that were more interested in building trading outposts en route to Iberia than in venturing into the Maghrebi hinterland. But Morocco is also much more than its coastline. The country is defined by its mountainous spine, flanked by the coastline to the north and the Sahara Desert to its south. The Atlas chain starts south of Marrakech and runs northeast into Algeria, breaking only at the Taza Gap, a narrow access point to the Atlantic.
The highlands are inhabited by Morocco's local natives, given the name Berbers by Greeks and Romans who regarded them as "barbari," Greek for "barbarians," who refused to adapt to their ways. In contrast, Berbers often use the term "Imazighen," which translates as "freemen," to describe their tribal community that is defined by their fighting prowess and raw, independent spirit. Stuck between entrenched and defiant Berbers in the mountains and a coastline that frequently fell prey to the Europeans, early Muslim settlers focused on the plains and mountain passages in the interior, where the ancient cities of Fez and Marrakech developed as the political and cultural hubs of the Maghreb and linked trans-Saharan trade with maritime commerce in the Mediterranean.

The Virtue of Distance

Unlike in many of its ill-defined neighbors to its east and south, there is a geographic logic to Morocco's boundaries that has allowed it to develop a strong identity over the centuries. With Islamic power centers far away to the east in Baghdad and Damascus, Morocco was able to cultivate a much more experimental relationship with Islam. The territory's large Berber population was slow to adapt to the religion when it arrived in the 7th century, eventually developing their own heterodox interpretation of Islamic teachings. Early Moroccan dynasties meanwhile swung between dry literalist and philosophical Sufi interpretations of Islam. In the 12th century under the Almohad dynasty, Muhammad ibn Rushd, known as Averroes in Europe, founded a philosophical movement in the Maghreb that both popularly and controversially infused rational Aristotelian philosophy with Islamic theology. This tradition of liberalism in theology continues to this day as contemporary religious-political movements in Morocco espouse a postmodern Islamist model to attract youth who are semi-fluent in Western philosophy but who, out of frustration, are searching for an alternative to the current system.
Indeed, distance is a virtue for Morocco. Overstretched politically, financially and militarily, the Ottomans, nominal overlords from the 16th to 19th century, fell short of claiming Morocco as part of their empire and attempted instead to outsource control of the Maghrebi coastline to seafaring pirates. Not surprisingly, that strategy had its limitations and Turkish influence over the centuries failed to penetrate Morocco.
Distance also enabled Morocco to develop a uniquely cooperative relationship with Israel. As one older Berber man with leathery skin and kind eyes told me over mint tea, "You cannot dance to music that you cannot hear." In other words, enough land lies between Morocco and Israel to insulate Morocco from the more vitriolic relationships Israel has with its Arab neighbors. Jews came after the Berbers and remain an influential community today. Even as contemporary Moroccan leaders have given token support to Pan-Arab conflicts with Israel, they relied on Moroccan Jewish links to the Israeli government to maintain a quiet and cooperative relationship behind the scenes.

The Peril of Proximity

While Morocco enjoys the distance from the main Muslim power centers to its east, it sits uncomfortably close to powerful European neighbors to the north. With no navigable rivers to facilitate inland development, Morocco has been and remains a capital-poor territory. The religious community compounded the fiscal restraints on the sultans, limiting their power to tax. And the risks of triggering unrest from raising taxes were too great in any case.
Moroccan leaders instead tried to consolidate control over the corsairs, whose piracy along the Mediterranean generated substantial profits. But that drew the wrath of the Spanish, French, Italian, English and Austrians, among others, who saw an imperative to control the Maghrebi coastline to secure their own wealth from sea predators and rival Mediterranean powers. As Morocco fell more and more in debt to the Europeans, it saw its sovereignty erode, a trend that culminated in the French and Spanish protectorates of the early 20th century.
Morocco's vulnerability to Europe marked the foundation of its relationship with the United States. While the Europeans were busy fighting among themselves, Morocco looked eagerly across the Atlantic at 13 colonies developing along North America's eastern seaboard. Morocco was desperate for a patron and ally with enough power, strategic interest -- and enough distance from Morocco -- to effectively balance against its European neighbors, and it found one in the United States.
As a sign of Morocco's geopolitical foresight, the sultan ensured that Morocco was the first country to recognize the United States in December 1777, allowing American troops to dock at Moroccan ports without paying duties or tariffs. By 1797, the U.S. government had set up a consulate in Tangier, at the mouth of the Mediterranean, to ensure safe passage for American ships to and from the Mediterranean.

A Strategic Relationship

The world will be reminded of this strategic relationship when Morocco's youthful King Mohammad VI makes an official visit to Washington on Nov. 22. With Libya overrun by militias, the Egyptian military reverting to repression to control its Islamist opposition, Tunisia in political paralysis and Mali and the surrounding Saharan region trying to fend off jihadists, Morocco stands out for its relative stability. As one of the last standing monarchies of the region, Morocco enjoys strong support from the Gulf Arab monarchies that are deeply unnerved by the U.S. pursuit of a strategic detente with Iran. Morocco does not have a significant Shiite population and is far enough away from Iran that it doesn't need to form an opinion on the issue at this time. And with a healthy, albeit quiet, relationship with Israel, Morocco is one Arab country that the United States can look to in trying to demonstrate that its politics in the region are anything but zero-sum as it tries to simultaneously negotiate a deal with Iran and an Israeli-Palestinian peace settlement.
Morocco is also a country that the United States can look to as a political model for managing the stresses of the hangover from the Arab Spring. Morocco's Alaouite dynasty, dating back to the late 1600s, claims descent from the Prophet Mohammed, a legacy that gives the current Moroccan monarch a strong base of religious legitimacy as the Amir al Mu'minin, or Commander of the Faithful. At the same time, Morocco's historically flexible interpretation of Islam engendered a more dynamic relationship between Moroccan rulers and their constituencies. Moroccan sultans were subject to removal by the religious community if they were unable or unwilling to impose the religious community's definition of justice. The idea that sultans were not invincible laid the groundwork for constitutional monarchy in Morocco. Though Morocco's constitutional monarchy is still very much a work in progress, something to which the number of constitutions Morocco has had attests, the country is much further along than its royal counterparts in Jordan and the Gulf in trying to negotiate a balance between maintaining an outdated monarchy and meeting demands for representative government.
After a power vacuum that lasted three months, Morocco's parliament is now split between the moderate Islamist Justice and Development Party and the National Rally of Independents, a party that was created by the monarchy in the 1970s and can be expected to pursue policies in line with the king's wishes. While the king appears able to manage the parliament, he knows Morocco shares many of the economic problems plaguing much of North Africa.
Youth unemployment is believed to be as high as 30 percent, and the government has succumbed to economic pressure to cut subsidies and raise energy and food prices to cope with slowing growth in Europe. At the same time, Morocco's bloated state bureaucracy and a burgeoning illicit economy help cushion the economic blowback. Morocco's occupation of a strategic transit point between Atlantic and Mediterranean commerce applies to the drug trade as well. As taxi drivers and local officials alike quietly comment, many of the newly built yet uninhabited condominiums that line the main avenue along the Tangier coastline are financed by drug money as a vehicle for money laundering. European businessmen looking for low-wage labor to maintain competitiveness are meanwhile increasingly eyeing Morocco as a place to send their manufacturing plants at the same time that North African immigrants and Syrian refugees continue attempts to cross illegally into Europe in search of a better life. Morocco cannot escape its economic pressures, but it does retain the tools and legitimacy to manage them, unlike many of its neighbors.
One tactic for managing these pressures is to employ nationalism, and for Morocco, the pre-eminent nationalist issue is Western Sahara. King Mohammed VI will be looking for U.S. backing for Morocco's claim to Western Sahara when he visits Washington. In a fervently nationalist campaign that distracted from the country's political and economic pressures, Morocco annexed the former Spanish colony in 1975, setting off a 12-year insurgency led by the Algerian-backed Polisario Front.
As economic stresses are redeveloping in the Maghreb, it is little wonder that the Western Sahara issue is experiencing a revival along with Algerian-Moroccan tensions. Morocco recently withdrew its ambassador from Algeria after Algiers called for a U.N. observer mission in the region to include human rights monitoring. A Moroccan man made the news when he tore down an Algerian flag from the Algerian Consulate in Casablanca amid cheering crowds. The state-owned Moroccan press is meanwhile issuing articles that allege Algerian imperialist ambitions in the region. As Algeria tries to simultaneously insulate itself from militancy on its borders and to project influence into neighboring Tunisia and Libya, distrust will grow in Morocco over Algiers' intentions, and the Moroccan leadership will look again to Washington for support.
This is where the Moroccan strategic relationship with the United States faces limitations. Morocco's claims to the Western Sahara do not figure into Washington's priorities for the region. Taking sides in this issue now would only complicate the U.S. relationships with Algeria and other African countries without providing any clear benefit in return. As Morocco will learn from this visit, Washington is trying to avoid precisely these kinds of localized entanglements in pursuit of a broader balance of power in the region.
At the same time, Washington will learn that Morocco's example cannot be easily replicated in the more restive parts of the region. Morocco is a strategic and oft-overlooked ally of the United States that embodies many of the traits that Washington hopes to engender in the Middle East. The view from Tangier is a reminder, however, that this country's slow-developing liberalism and insulation from the region's hottest conflicts stem from a geographic reality unique to Morocco.
Editor's Note: Writing in George Friedman's stead this week is Reva Bhalla, vice president of Global Analysis.


Read more: Letter from Tangier | Stratfor


Stuxnet's Secret Twin

The real program to sabotage Iran's nuclear facilities was far more sophisticated than anyone realized.


BY RALPH LANGNER | NOVEMBER 19, 2013



Three years after it was discovered, Stuxnet, the first publicly disclosed cyberweapon, continues to baffle military strategists, computer security experts, political decision-makers, and the general public. A comfortable narrative has formed around the weapon: how it attacked the Iranian nuclear facility at Natanz, how it was designed to be undiscoverable, how it escaped from Natanz against its creators' wishes. Major elements of that story are either incorrect or incomplete.

That's because Stuxnet is not really one weapon, but two. The vast majority of the attention has been paid to Stuxnet's smaller and simpler attack routine -- the one that changes the speeds of the rotors in a centrifuge, which is used to enrich uranium. But the second and "forgotten" routine is about an order of magnitude more complex and stealthy. It qualifies as a nightmare for those who understand industrial control system security. And strangely, this more sophisticated attack came first. The simpler, more familiar routine followed only years later -- and was discovered in comparatively short order.
With Iran's nuclear program back at the center of world debate, it's helpful to understand with more clarity the attempts to digitally sabotage that program. Stuxnet's actual impact on the Iranian nuclear program is unclear, if only for the fact that no information is available on how many controllers were actually infected. Nevertheless, forensic analysis can tell us what the attackers intended to achieve, and how. I've spent the last three years conducting that analysis -- not just of the computer code, but of the physical characteristics of the plant environment that was attacked and of the process that this nuclear plant operates. What I've found is that the full picture, which includes the first and lesser-known Stuxnet variant, invites a re-evaluation of the attack. It turns out that it was far more dangerous than the cyberweapon that is now lodged in the public's imagination.
***
In 2007, an unidentified person submitted a sample of code to the computer security site VirusTotal. It later turned out to be the first variant of Stuxnet -- at least, the first one that we're aware of. But that was only realized five years later, with the knowledge of the second Stuxnet variant. Without that later and much simpler version, the original Stuxnet might still today sleep in the archives of anti-virus researchers, unidentified as one of the most aggressive cyberweapons in history. We now know that the code contained a payload for severely interfering with the system designed to protect the centrifuges at the Natanz uranium-enrichment plant.
Stuxnet's later, and better-known, attack tried to cause centrifuge rotors to spin too fast and at speeds that would cause them to break. The "original" payload used a different tactic. It attempted to overpressurize Natanz's centrifuges by sabotaging the system meant to keep the cascades of centrifuges safe. "Protection systems" are used anywhere where abnormal process conditions can result in equipment damage or threaten the health of operators and the environment. At Natanz, we see a unique protection system in place to enable sustained uranium enrichment using obsolete and unreliable equipment: the IR-1 centrifuge. This protection system is a critical component of the Iranian nuclear program; without it, the IR-1s would be pretty much useless.
The IR-1 centrifuge is the backbone of Iran's uranium-enrichment effort. It goes back to a European design from the late 1960s and early 1970s that was stolen and slightly improved by Pakistani nuclear trafficker A.Q. Khan. The IR-1 is an all-metal design that can work reliably. That is, if parts are manufactured with precision and critical components such as high-quality frequency converters and constant torque drives are available. But the Iranians never managed to get a high degree of reliability from the obsolete design. So they had to lower the operating pressure of the centrifuges at Natanz. Lower operating pressure means less mechanical stress on the delicate centrifuge rotors, thereby reducing the numbers of centrifuges that have to be put offline because of rotor damage. But less pressure means less throughput -- and thus less efficiency. At best, the IR-1 was half as efficient as its ultimate predecessor.
As unreliable and inefficient as the IR-1 is, it offered a significant benefit: Iran managed to produce the antiquated design at industrial scale. Iran compensated for the lack of reliability and efficiency with volume, accepting a constant breakup of centrifuges during operation because they could be manufactured faster than they crashed. But to make it all work, the Iranians needed a bit of a hack. Ordinarily, the operation of fragile centrifuges is a sensitive industrial process that doesn't tolerate even minor equipment hiccups. Iran built a cascade protection system that allows the enrichment process to keep going, even when centrifuges are breaking left and right.
At the centrifuge level, the cascade protection system uses sets of three shut-off valves, installed for every centrifuge. By closing the valves, centrifuges that run into trouble -- indicated by vibration -- can be isolated from the rest of the system. Isolated centrifuges are then run down and can be replaced by maintenance engineers while the process keeps running.
Then-President Mahmoud Ahmadinejad looks at SCADA screens in the control room at Natanz in 2008. The screen facing the photographer shows that two centrifuges are isolated, indicating a defect, but that doesn’t prevent the respective cascade from continuing operation.
But the isolation valves can turn into as much of a problem as a solution. When operating basically unreliable centrifuges, one will see shut-offs frequently, and maintenance workers may not have a chance to replace damaged centrifuges before the next one in the same enrichment stage gets isolated. Once multiple centrifuges are shut off within the same stage, operating pressure -- the most sensitive parameter in uranium enrichment using centrifuges -- will increase, which can and will lead to all kinds of problems.
The Iranians found a creative solution for this problem -- basically another workaround on top of the first workaround. For every enrichment stage, an exhaust valve is installed that allows pressure to be relieved if too many centrifuges within that stage get isolated, causing pressure to increase. For every enrichment stage, pressure is monitored by a sensor. If the pressure exceeds a certain threshold, the exhaust valve is opened, and overpressure is released.
The system might have kept Natanz's centrifuges spinning, but it also opened them up to a cyberattack that is so far-out, it leads one to wonder whether its creators might have been on drugs.
Natanz's cascade protection system relies on Siemens S7-417 industrial controllers to operate the valves and pressure sensors of up to six cascades, or groups of 164 centrifuges each. A controller can be thought of as a small embedded computer system that is directly connected to physical equipment, such as valves. Stuxnet was designed to infect these controllers and take complete control of them in a way that previous users had never imagined -- and that had never even been discussed at industrial control system conferences.
A controller infected with the first Stuxnet variant actually becomes decoupled from physical reality. Legitimate control logic only "sees" what Stuxnet wants it to see. Before the attack sequence executes (which is approximately once per month), the malicious code is kind enough to show operators in the control room the physical reality of the plant floor. But that changes during attack execution.
One of the first things this Stuxnet variant does is take steps to hide its tracks, using a trick straight out of Hollywood. Stuxnet records the cascade protection system's sensor values for a period of 21 seconds. Then it replays those 21 seconds in a constant loop during the execution of the attack. In the control room, all appears to be normal, both to human operators and any software-implemented alarm routines.
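The replayed recording described above leaves one artifact that monitoring can test for: live analog readings carry noise and never repeat bit for bit, while a looped recording does. The Python detector below is an added example, not code from the article or from Stuxnet; the one-sample-per-second rate, the function names and the pressure readings are assumptions, and the readings are constructed.

```python
"""Detect a replayed sensor loop in process telemetry (added example)."""
import random


def replay_period(samples, min_period=5, max_period=60, repeats=3):
    """Return the shortest period p for which the most recent repeats*p
    samples repeat exactly every p samples, or None if there is none.

    Noisy live readings do not reproduce themselves exactly over several
    cycles, so an exact repetition means the values are not live.
    """
    for p in range(min_period, max_period + 1):
        need = repeats * p
        if len(samples) < need:
            break
        window = samples[-need:]
        if len(set(window[:p])) < 2:
            continue  # flat-lined signal: a stuck-sensor check, not this one
        if all(window[i] == window[i - p] for i in range(p, need)):
            return p
    return None


def first_alarm(stream, **kwargs):
    """Feed the stream one sample at a time, as a historian would see it.
    Return (samples_seen, period) at the first alarm, or None."""
    for n in range(1, len(stream) + 1):
        p = replay_period(stream[:n], **kwargs)
        if p is not None:
            return n, p
    return None


def constructed_streams(seed=2013):
    """Constructed data, assumed 1 sample/s: 204 s of noisy live pressure
    readings (arbitrary units), and a spoofed stream in which the last
    21 s before t=120 are replayed in a loop from t=120 onward."""
    rng = random.Random(seed)
    live = [0.30 + rng.gauss(0, 0.02) for _ in range(204)]
    loop = live[99:120]               # the 21 recorded samples
    spoofed = live[:120] + loop * 4   # what the control room is shown
    return live, spoofed


if __name__ == "__main__":
    live, spoofed = constructed_streams()
    print("live stream alarm:   ", first_alarm(live))
    print("spoofed stream alarm:", first_alarm(spoofed))
```

With `repeats=3` the alarm fires 42 samples after the loop starts, because the genuine recording counts as the first of the three identical cycles. Coarsely quantized signals repeat by chance more often and need a higher `repeats` value.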
Then Stuxnet begins its malicious work. It closes the isolation valves for the first two and last two enrichment stages. That blocks the outflow of gas from each affected cascade and, in turn, raises the pressure on the rest of the centrifuges. Gas centrifuges for uranium enrichment are extremely sensitive to increases of pressure above near vacuum. An increase in pressure will result in more uranium hexafluoride getting into the centrifuge, putting higher mechanical stress on the rotor. Rotor wall pressure is a function of velocity (rotor speed) and operating pressure; more gas being pressed against the rotor wall means more mechanical force against the thin tube. Ultimately, pressure may cause the gaseous uranium hexafluoride to solidify, thereby fatally damaging centrifuges.
The attack continues until the attackers decide that enough is enough, based on monitoring centrifuge status. Most likely, they would use vibration sensors, which let them abort a mission before the matter hits the fan. If catastrophic destruction is intended, one simply has to sit and wait. But in the Natanz case, causing a solidification of process gas would have resulted in simultaneous destruction of hundreds of centrifuges per infected controller. While at first glance this might sound like a goal worthwhile achieving, it would also have blown the attackers' cover; the cause of the destruction would have been detected fairly easily by Iranian engineers in postmortem analysis. The implementation of the attack with its extremely close monitoring of pressures and centrifuge status suggests that the attackers instead took great care to avoid catastrophic damage. The intent of the overpressure attack was more likely to increase rotor stress, thereby causing rotors to break early -- but not necessarily during the attack run.
Nevertheless, the attackers faced the risk that the attack would not work at all because the attack code is so overengineered that even the slightest oversight or any configuration change would have resulted in zero impact or, worse, in a program crash that would have been detected by Iranian engineers quickly.
The results of the overpressure attack are unknown. Whatever they were, the attackers decided to try something different in 2009.
This new Stuxnet variant was almost entirely different from the old one. For one thing, it was much simpler and much less stealthy than its predecessor. It also attacked a completely different component of the Natanz facility: the centrifuge drive system that controls rotor speeds.
This new Stuxnet spread differently too. The malware's earlier version had to be physically installed on a victim machine, most likely a portable engineering system, or it had to be passed on a USB drive carrying an infected configuration file for Siemens controllers. In other words, it needed to be disseminated deliberately by an agent of the attackers.
The new version self-replicated, spreading within trusted networks and via USB drive to all sorts of computers, not just to those that had the Siemens configuration software for controllers installed. This suggests that the attackers had lost the capability to transport the malware to its destination by directly infecting the systems of authorized personnel, or that the centrifuge drive system was installed and configured by other parties to which direct access was not possible.
What's more, Stuxnet suddenly became equipped with an array of previously undiscovered weaknesses in Microsoft Windows software -- so-called "zero day" flaws that can fetch hundreds of thousands of dollars on the open market. The new Stuxnet also came equipped with stolen digital certificates, which allowed the malicious software to pose as legitimate driver software and thus not be rejected by newer versions of the Windows operating system.
All this indicates that a new organization began shaping Stuxnet -- one with a stash of valuable zero days and stolen certificates. In contrast, the development of the overpressure attack can be viewed as the work of an in-group of top-notch industrial control system security experts and coders who lived in an exotic ecosystem quite remote from standard IT security. The overspeed attacks point to the circle widening and acquiring a new center of gravity. If Stuxnet is American-built -- and, according to published reports, it most certainly is -- then there is only one logical location for this center of gravity: Fort Meade, Maryland, the home of the National Security Agency.
But the use of the multiple zero days came with a price. The new Stuxnet variant was much easier to identify as malicious software than its predecessor was, because it suddenly displayed very strange and very sophisticated behavior. In comparison, the initial version looked pretty much like a legitimate software project for Siemens industrial controllers used at Natanz; the only strange thing was that a copyright notice and license terms were missing. The newer version, equipped with a wealth of exploits that hackers can only dream about, signaled to even the least vigilant anti-virus researcher that this was something big, warranting a closer look.
Just like its predecessor, the new attack operated periodically, about once per month, but the trigger condition was much simpler. While in the overpressure attack various process parameters were monitored to check for conditions that might occur only once in a blue moon, the new attack was much more straightforward.
The new attack worked by changing rotor speeds. With rotor wall pressure being a function of process pressure and rotor speed, the easy road to trouble is to overspeed the rotors, thereby increasing rotor wall pressure. And this is what Stuxnet did. The normal operating speed of the IR-1 centrifuge is 63,000 revolutions per minute (rpm). Stuxnet increased that speed by a good one-third to 84,600 rpm for 15 minutes. The next consecutive run brought all centrifuges in the cascade basically to a stop (120 rpm), only to speed them up again, taking a total of 50 minutes. The IR-1 is a supercritical design, meaning that the rotor has to pass through so-called critical speeds before reaching normal operating speed. Every time a rotor passes through these critical speeds, also called harmonics, it can break.
If a single rotor did crack during an attack sequence, the cascade protection system would kick in to isolate and run down the respective centrifuge. But if multiple rotors were to crash -- a likely outcome -- Iranian operators would be left with the question of why all of a sudden so many centrifuges broke at once. Not that they didn't have enough new ones in stock for replacement, but unexplained problems like this are among any control system engineer's most frustrating experiences, usually referred to as chasing a demon in the machine.
At some point the attacks should have been recognizable by plant floor staff just by the old eardrum. Bringing 164 centrifuges or multiples thereof from 63,000 rpm to 120 rpm and getting them up to speed again would have been noticeable -- if experienced staff had been cautious enough to remove protective headsets in the cascade hall. It's another sign that the makers of this second Stuxnet variant had decided to accept the risk that the attack would be detected by operators.
***
Much has been written about the failure of Stuxnet to destroy a substantial number of centrifuges or to significantly reduce Iran's enriched-uranium production. While that is undisputable, it doesn't appear that either was the attackers' intention. If catastrophic damage had been caused by Stuxnet, that would have been by accident rather than on purpose. The attackers were in a position where they could have broken the victim's neck, but they chose continuous periodical choking instead. Stuxnet is a low-yield weapon with the overall intention of reducing the lifetime of Iran's centrifuges and making the Iranians' fancy control systems appear beyond their understanding.
Reasons for such tactics are not difficult to identify. When Stuxnet was first deployed, Iran had already mastered the production of IR-1 centrifuges at industrial scale. During the summer of 2010, when the Stuxnet attack was in full swing, Iran operated about 4,000 centrifuges, but kept another 5,000 in stock, ready to be commissioned. A one-time destruction of the Iranians' operational equipment would not have jeopardized that strategy, just like the catastrophic destruction of 4,000 centrifuges by an earthquake back in 1981 did not stop Pakistan on its way to getting the bomb. By my estimates, Stuxnet set back the Iranian nuclear program by two years; a simultaneous catastrophic destruction of all operating centrifuges wouldn't have caused nearly as big a delay.
The low-yield approach also offered added value. It drove Iranian engineers crazy, up to the point where they might have ultimately ended up in total frustration about their capabilities to get a stolen plant design from the 1970s running and to get value from their overkill digital protection system. When comparing the Pakistani and Iranian uranium-enrichment programs, one cannot fail to notice a major performance difference. Pakistan basically managed to go from zero to successful low-enriched uranium production within just two years during shaky economic times, without the latest in digital control technology. The same effort took Iran over 10 years, despite the jump-start from Pakistan's A.Q. Khan network and abundant money from sales of crude oil. If Iran's engineers didn't look incompetent before, they certainly did during the time when Stuxnet was infiltrating their systems.
Legend has it that in the summer of 2010, while inflicting its damage on Natanz, Stuxnet "escaped" from the nuclear facility due to a software bug that came with a version update. While that is a good story, it cannot be true. Stuxnet propagated only between computers that were attached to the same local network or that exchanged files through USB drives. In other words, Stuxnet must have spread largely by human hands. But in these days of remote access by modem or via Internet virtual private networks, human hands can extend across continents.
Contractors serving at Natanz worked for other clients as well. And those contractors most likely carried their Stuxnet-infected laptop computers to their secondary clients and connected their laptops to the clients' "local" networks. Let's say they spread it to a cement plant. That cement plant then had other contractors, who in turn connected their mobile computers to the infected "local" network. Those computers carried the malware farther -- to another cement plant, maybe in another country. At some link in the chain, infected contractors or employees remotely accessed their machines, allowing the virus to travel over continents. All of a sudden, Stuxnet has made its way around the globe -- not because of the fact that billions of systems are connected to the Internet, but because of the trusted network connections that tunnel through the Internet these days. For example, remote maintenance access often includes the capability to access shared folders online, giving Stuxnet a chance to traverse through a secure digital tunnel. My colleagues and I saw exactly that when we helped Stuxnet-infected clients in industries completely unrelated to the nuclear field back in 2010.
Given that Stuxnet reported Internet protocol addresses and hostnames of infected systems back to its command-and-control servers, it appears that the attackers were clearly anticipating (and accepting) a spread to noncombatant systems and were quite eager to monitor that spread closely. This monitoring would eventually deliver information on contractors working at Natanz, their other clients, and maybe even clandestine nuclear facilities in Iran.
Stuxnet also provided a useful blueprint to future attackers by highlighting the royal road to infiltration of hard targets. Rather than trying to infiltrate directly by crawling through 15 firewalls, three data diodes, and an intrusion detection system, the attackers acted indirectly by infecting soft targets with legitimate access to ground zero: contractors. However seriously these contractors took their cybersecurity, it certainly was not on par with the protections at the Natanz fuel-enrichment facility. Getting the malware on the contractors' mobile devices and USB sticks proved good enough, as sooner or later they physically carried those on-site and connected them to Natanz's most critical systems, unchallenged by any guards.
Any follow-up attacker will explore this infiltration method when thinking about hitting hard targets. The sober reality is that at a global scale, pretty much every single industrial or military facility that uses industrial control systems at some scale is dependent on its network of contractors, many of which are very good at narrowly defined engineering tasks, but lousy at cybersecurity. While experts in industrial control system security had discussed the insider threat for many years, insiders who unwittingly helped deploy a cyberweapon had been completely off the radar. Until Stuxnet.
And while Stuxnet was clearly the work of a nation-state -- requiring vast resources and considerable intelligence -- future attacks on industrial control and other so-called "cyber-physical" systems may not be. Stuxnet was particularly costly because of the attackers' self-imposed constraints. Damage was to be disguised as reliability problems. I estimate that well over 50 percent of Stuxnet's development cost went into efforts to hide the attack, with the bulk of that cost dedicated to the overpressure attack which represents the ultimate in disguise -- at the cost of having to build a fully-functional mockup IR-1 centrifuge cascade operating with real uranium hexafluoride. Stuxnet-inspired attackers will not necessarily place the same emphasis on disguise; they may want victims to know that they are under cyberattack and perhaps even want to publicly claim credit for it.
And unlike the Stuxnet attackers, these adversaries are also much more likely to go after civilian critical infrastructure. Not only are these systems more accessible, but they're standardized. Each system for running a power plant or a chemical factory is largely configured like the next. In fact, all modern plants operate with standard industrial control system architectures and products from just a handful of vendors per industry, using similar or even identical configurations. In other words, if you get control of one industrial control system, you can infiltrate dozens or even hundreds of the same breed more.
***
Looking at the two major versions of Stuxnet in context leaves a final clue -- a suggestion that during the operation, something big was going on behind the scenes. Operation Olympic Games -- the multiyear online espionage and sabotage campaign against the Iranian nuclear program -- obviously involved much more than developing and deploying a piece of malware, however sophisticated that malware was. It was a campaign rather than an attack, and it appears that the priorities of that campaign shifted significantly during its execution.
When my colleagues and I first analyzed both attacks in 2010, we first assumed that they were executed simultaneously, maybe with the idea to disable the cascade protection system during the rotor-speed attack. That turned out to be wrong; no coordination between the two attacks can be found in the code. Then we assumed that the attack against the centrifuge drive system was the simple and basic predecessor after which the big one was launched, the attack against the cascade protection system. The cascade protection system attack is a display of absolute cyberpower. It appeared logical to assume a development from simple to complex. Several years later, it turned out that the opposite was the case. Why would the attackers go back to basics?
The dramatic differences between both versions point to changing priorities that most likely were accompanied by a change in stakeholders. Technical analysis shows that the risk of discovery no longer was the attackers' primary concern when starting to experiment with new ways to mess up operations at Natanz. The shift of attention may have been fueled by a simple insight: Nuclear proliferators come and go, but cyberwarfare is here to stay. Operation Olympic Games started as an experiment with an unpredictable outcome. Along the road, one result became clear: Digital weapons work. And different from their analog counterparts, they don't put military forces in harm's way, they produce less collateral damage, they can be deployed stealthily, and they are dirt cheap. The contents of this Pandora's box have implications much beyond Iran; they have made analog warfare look low-tech, brutal, and so 20th century.
In other words, blowing the cover of this online sabotage campaign came with benefits. Uncovering Stuxnet was the end of the operation, but not necessarily the end of its utility. Unlike traditional Pentagon hardware, one cannot display USB drives at a military parade. The Stuxnet revelation showed the world what cyberweapons could do in the hands of a superpower. It also saved America from embarrassment. If another country -- maybe even an adversary -- had been first in demonstrating proficiency in the digital domain, it would have been nothing short of another Sputnik moment in U.S. history. So there were plenty of good reasons not to sacrifice mission success for fear of detection.
We're not sure whether Stuxnet was disclosed intentionally. As with so many human endeavors, it may simply have been an unintended side effect that turned out to be critical. One thing we do know: It changed global military strategy in the 21st century.
Ralph Langner began his research on Stuxnet in 2010. He is a principal with the Langner Group, a cyberdefense consultancy, and a non-resident fellow with the Brookings Institution.
A longer version of this report, "To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve," can be found here.