In a recent Foreign Policy article, Ralph Langner summarizes his 36 page report that in turn was the result of three years of analysis on Stuxnet and the much more sophisticated attack that preceded it – and the result of all of this was the surprising information that the cyber attacks on Iran’s nuclear program were actually much more sophisticated and more consequential for cybersecurity than most seem to think. The impact of this attack according to the report is very real; Langer estimates that the Iranian nuclear program lost up to two years of progress in particular areas as a result.

One of the most interesting thing that Langner points out about the Stuxnet attack is that while it was clearly the result of a coordinated effort by a nation-state, future attacks don’t necessarily have to be. He says that a lot of the expensive constraints on the Stuxnet attack were self-imposed by its makers; they weren’t aiming just for widespread damage, but specifically for damage that could be concealed as resulting from reliability problems inherent to the technology Iranian engineers were using. Absent the constraint of trying to conceal the presence of a cyber attack, a potential attacker would face much lower costs than those behind Stuxnet did. Furthermore, other potential attackers would probably focus on civilian rather than state-controlled infrastructure, which has the advantage of being more standardized and less protected. Essentially, the Stuxnet attack was a highly sophisticated, almost surgical operation, and other attacks may very well have no reason to be. Future attackers might just aim for indiscriminate destruction, and may even want their attacks to be immediately identifiable as cyberwarfare unlike the secretive nature of Stuxnet.

Langer also has particular insight into the place of the Stuxnet revalations in raising the profile of cyberwarfare in the 21st century. At some point in the development of the campaign, it became clear that “digital weapons work”. In the face of this growing understanding, it would have become important for the United States to identify themselves as dominant players in the world of cyberwarfare in the same way that they are in traditional warfare. The side-effect of revealing the true extent of Stuxnet is global recognition of the continuing preeminence of the United States in cyberwarfare, and this particular side-effect is probably not one that the United States would mind much. No matter what one’s opinion is of the idea of cyberwarfare, it is clear that military establishments around the world think that something big is happening, and the side effects for the rest of us will likely be consequential.