This was a midterm paper I did for a class at NYU. The brief was to write a critique of media coverage of an important political or historical development in the region.
In the summer of 2010, software experts began to analyze a new computer worm that had appeared around the world. The virus targeted a vulnerability in Microsoft Windows and was aimed at Iran, in the hopes of delaying the country’s nuclear proliferation. The virus was named ‘Stuxnet’ by researchers who analyzed how it worked.
This paper will examine coverage of the Stuxnet virus as it first appeared in several newspapers around the world. Centering on a number of articles published between September 1 and October 31, 2010, it will look at how coverage differed between the New York Times and two Iranian newspapers: Iran News and the Tehran Times. The differences in coverage include the number of articles and their length, word choice, type of source used and how the reporters chose to express what they know. The fact that the Iranian newspapers published so many more short news pieces is reflective of their over-reliance on official sources and the fact that they talked to fewer third-party sources, relying instead on quoting other pieces published online, such as blogposts posted by security firms. The New York Times lived up to its journalistic reputation on this subject, providing readers with deeper coverage despite publishing fewer articles. Having said that, the coverage from both countries fell short of consistent, in-depth reporting on the technical aspects of the virus. In addition, I found that Iranian papers covered computer viruses very differently when the accused perpetrator was Iran, such as in 2012 when Saudi Arabian computers were struck by a virus thought to have originated from Iran itself. Despite Iranian coverage not being as technically detailed as The New York Times articles, I found that they were the only opportunity I had to hear what Iranian officials were saying. It is a mistake to rely too heavily on officials, but their relative absence is a fault in The New York Times’s coverage. Overall, the Iranian newspapers produced more articles on Stuxnet, but these articles fell short of the comprehensiveness and depth of The New York Times’s coverage. The paper of repute did a good job of informing its readers of the matter at hand, even if the finer points of the technical reporting was lacking from both Iranian and New York Times coverage.
During the 2-month period between September 1 and October 31, the three Iranian newspapers ran 18 articles. In comparison, The New York Times ran eight articles: six in print and two online. The Iranian newspapers focused on official reaction, often reporting an official statement or leading with the warnings of anonymous computer experts. The New York Times made more of an effort to contextualize the news, publishing news analyses and pieces in the Week In Review section. This depth is reflected in the fact that The New York Times published 6,200 words in 8 articles compared to 4,800 words across 18 articles from Iran.
Stuxnet targeted programmable-logic controllers (P.L.C.s) — small computers that control machinery, used in power plants and other infrastructural buildings. Once it infected a machine, the virus would check to see if a specific piece of machinery was connected. If the virus found a specific type of computer operating under certain specific conditions, it would inject malicious code and change how the related machinery would function. If the virus didn’t find the conditions it was looking for, it would do nothing, which is how it was able to infect so many computers without notice. (The virus was thought to have infected some 50,000 computers around the world, from Canada to Cambodia.) The virus was discovered to be operating at Natanz, Iran’s central enrichment facility, where it was reportedly slowing the uranium centrifuges. The ostensible aim of such an attack was to delay Iran’s nuclear program — a goal that was apparently successful, as former president Ahmadinejad admitted in November 2010 that Iran’s nuclear program had been delayed. It is thought that the virus entered the Natanz plant when someone plugged an infected USB drive into the network. The virus was discovered in the summer of 2010, but according to a 2011 Vanity Fair article, media outlets such as The New York Times were unwilling to cover Stuxnet without concrete information about the source or purpose of the attack, and so it does not appear in The New York Times until the end of September.
Stuxnet’s debut in The New York Times came on September 24, 2010, in an online article titled “Malware Hits Computerized Industrial Equipment” on the New York Times BITS (Business of Technology) blog. It describes how the tech industry was being “rattled” by a software program that was infiltrating factory computers. Iran is not mentioned until the fourth paragraph down; the article focuses instead on the potential effects of the virus, including its alleged ability to steal documents. (Given that the Afghan and Iraq War Logs were both released by Wikileaks in 2010, this emphasis is perhaps unsurprising). The first news stories that appear in Iranian coverage are cross-posted from Reuters and the Daily Telegraph. This is the first core difference in the coverage: no Iranian newspaper wrote an original news story about Stuxnet until September 26 — as far as the nuclear story goes, The New York Times scooped them by almost two full days. The Tehran Times did run an article in July 2010, two months before the worm’s first mention in The New York Times However, this article does not mention Iran’s nuclear program specifically. Instead, it reports Stuxnet in the context of it being a vulnerability in Windows Microsoft. Given The New York Times’s reluctance to report on the virus before reporters knew what it did, this is particularly interesting.
The first Iranian newspaper article, which appeared in Iran News on September 26, is much more explicit about the purpose of the attack, reporting that Stuxnet was a virus “created to target the controlling systems in Iran, mainly nuclear industry.” The New York Times, on the other hand, describes Stuxnet as a “sophisticated computer worm.” Viruses and worms differ on a technical level (and Stuxnet is, correctly, a worm) but non-technical writing uses the terms interchangeably. While The New York Times is more specific as to Stuxnet’s classification, it hedges its language when describing what the worm does: Iran News reports that it “targets” Iranian controlling systems, “mainly nuclear industry.” The New York Times lede is much softer:
The Iranian government agency that runs the country’s nuclear facilities, including those the West suspects are part of a weapons program, has reported that its engineers are trying to protect their facilities from a sophisticated computer worm that has infected industrial plants across Iran.
— “Iran Fights Malware Attacking Computers.”
The lede focuses on the engineers who are trying to mitigate the effects of a worm which has “infected” (not attacked) industrial plants. It hedges the link between the plants and Iran’s nuclear program in ill-defined and unsubstantiated Western suspicions.
Despite the reluctance of The New York Times to label Stuxnet as an attack early on, the reports show a somewhat typical Times-ian comprehensiveness. In all, the articles published by Iranian news sources in that ten-day period total 921 words. In comparison, The New York Times article on September 25, 2010, where Stuxnet is first mentioned in print, is 899 words long.
The first New York Times article to appear in print is also the first article to mention cyber war. “Iran Fights Malware Attacking Computers” appeared on page A4 on September 25. It immediately creates an oppositional mentality by noting in the first paragraph that the affected nuclear facilities are those “the West suspects are part of a weapons program.” While it does report that Natanz has been the subject of covert operations, the article does not ascribe a value judgment to this statement, continuing the practice of declining to label U.S. cyber offense tactics as terrorism. On the contrary, an Iran News article obliquely refers to Stuxnet as “cyber terrorism” in the very first line.
The New York Times article makes frequent reference to the opinion of experts, especially when talking about the possibility that Stuxnet could have been the work of a state government. On the one hand, this makes The New York Times article read as being far more authoritative than the Iran News article (for which the main sources are Iran’s I.T. and Communications Ministry and a statement from a European security firm). On the other hand, the repeated use of experts gives the impression of kite flying, that the reporter wants to make certain claims but keep the ability to personally distance himself from them if necessary: Anonymous computer experts say that Stuxnet is “a far cry from common computer malware,” in that it is far more targeted and sophisticated than cyber attacks we are already familiar with, such as distributed denial-of-service (D.D.O.S.) attacks.
Similarly, when The New York Times wants to mention the theory that the U.S. may be behind the attack, it allows “one of the leading experts on cyber war intelligence” to do so, and only mentions it over 600 words into an article that runs almost 900 words. On the contrary, the Iran News article quotes a European security firm’s hypothesis that “a state may have been involved in its creation” less than halfway into the 600 word article, quoting an earlier Reuters report. It is clear that, at least in the preliminary stages, both news organizations are unwilling to boldly hypothesize about the origin of the attack, even though neither shies away from referring to it as such.
Despite both publications being slow to blame governments for the attack, the heavy use of other experts on The New York Times’s part allow one theory to be raised in the relative safety of the source’s quotation marks: It is The New York Times, and not the Iran News, who first raises the possibility in readers’ minds that the U.S. could be behind the attack. Not only does The New York Times note that Natanz has been the subject of covert operations already, it goes several steps further:
Based on what he knows of Stuxnet, Mr. Lewis said, the United States is “one of four or five places that could have done it — the Israelis, the British and the Americans are the prime suspects, then the French and Germans, and you can’t rule out the Russians and the Chinese.”
Insofar as the technical aspects of the coverage were involved, I could not find any errors in the Iranian coverage, but a N.Y.T. piece contained two curious errors. On Sept. 26, a news analysis piece appeared on A6, titled “A Silent Attack, but Not a Subtle One”:
The program was splattered on thousands of computer systems around the world, and much of its impact has been on those systems, rather than on what appears to have been its intended target, Iranian equipment.
As far as I can tell, the statement that Stuxnet impacts computer systems that do not fit its designed criteria is simply untrue. According to a 2011 Vanity Fair piece, the virus becomes a non-functioning, dormant part of a computer’s infrastructure unless very definite conditions (the right type of PLC, the right peripherals) are met. The BBC, in an article published Sept. 23, corroborates this, saying that the virus remains “benign” if it doesn’t find the specific configuration. On a slightly more technical point, The New York Times article also erroneously claims that Stuxnet travels via the Internet, something which is disputed by the security researchers who studied Stuxnet in the early days. In a technical analysis published in November 2010, Ralph Langner reported that the virus propagated via “USB stick carrying an infected configuration file for Siemens controllers.” However, given that the Iranian newspapers did not approach this level of detail in their reporting — and these mistakes are quite minor — it is hard to fault The New York Times too strongly.
Another area of comparison is how The Tehran Times and The New York Times reporting differed when reporting a specific development in the Stuxnet story. In early October 2010, Iranian officials arrested an unknown number of nuclear spies in connection to the Stuxnet attack. The Tehran Times gives 162 words to Intelligence Minister Heydar Moslehi’s comments, repeating almost verbatim his assurance to Iranian citizens that officials are in control after Stuxnet. The New York Times, on the other hand, gives 371 words and gives a recap of the situation, even going as far as to repeat the fact that the U.S. and Israel have cyber-warfare programs, even though both governments did not comment on the allegations.
Moving beyond this two-month period, it is also interesting to compare coverage of cyberattacks that aren’t directly related to Stuxnet. In 2012, The New York Times reported that hackers had attacked the computer system of Saudi Aramco in Saudi Arabia, “[erasing] data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag.” The coverage of this cyber-attack differed somewhat from their coverage of Stuxnet in that the language is more incendiary, using the word “hacker” and the phrase “inflicting damage” in the lede. In the two-month period of Stuxnet coverage in 2010, hackers are not mentioned when The New York Times discusses Stuxnet’s perpetrators, only in the comment that the attack seemed more likely to be the work of a state government rather than “independent hackers.” Despite this slight sensationalism, The New York Times’s coverage of the Aramco is largely consistent with the rest of their coverage: the reporting is thorough, experts are quoted and the article is balanced: despite the implication in the headline “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back,” the reporter provides balance by noting that the hackers refer to the “Arabian Gulf” while “Iranians refer to that body of water as the Persian Gulf and are very protective of the name.”
The Tehran Times, conversely, leads with an official’s denial rather than a description of the attack, saying that Iran’s National Center of Cyberspace “dismissed” claims that Iran was behind the attack. The article does not give a description of the attack, but instead spends several paragraphs refuting U.S. officials.
Speaking about the possibility of cyber-attacks against the U.S., military chief Leon Panetta warned that the country was facing the possibility of “a cyber-Pearl Harbor.” Indeed, cyber-attacks are the 21st-century version of the atom bomb, in that conflict and war is irreversibly changed because of its existence. Never before has one teenager with a laptop had the ability to derail entire companies by hacking into their systems. If Stuxnet had not been discovered due to a programming error, we may never have known the perpetrator. Anonymous, decentralized warfare that stretches across space and time is now possible and cheap, an avenue open to anyone willing to invest in the technical expertise. In June 2012, The New York Times reported that the cyber-warfare campaign President Bush started — codenamed Olympic Games — has been continued by President Obama. The article mentions Stuxnet by name, describing it unequivocally as “the American and Israeli effort to undermine the Iranian nuclear program.”
Countries around the world are ramping up their cyber-warfare programs. In December 2014, North Korea was implicated in a cyberattack — unique in that it did not target a state company. The fact that these tactics are not just being used in international conflicts, but also as a means of economically damaging private companies or “sending a message” makes technical reporting all the more important. While it is obviously impossible to go into too much detail in a general newspaper, one of my main conclusions from examining this coverage is that neither the Iranian news sources nor The New York Times provided reporting that was technically detailed enough to properly encapsulate the Stuxnet virus or its immediate implications.
Both The New York Times and the Iranian newspapers discussed above relied heavily on quoting experts for their technical coverage, but journalists must go further than this. In the same vein that newspapers employ reporters on the economy or metro beat, they must actively seek to employ journalists with a deep knowledge of computer systems — more than simply working “the technology beat,” which often focusses on areas such as consumer electronics, papers should employ journalists who can understand something like Stuxnet well enough such that they do not have to rely so heavily on quotes from security researchers. After the Sony hack and the Snowden leaks, the minimum amount of technical literacy a journalist should possess has risen dramatically. If this happens, the Stuxnet coverage would not — at least in the case of the Iranian newspapers — have resembled a series of expert opinions stitched together with some rudimentary contextualization.