The University of UtahRedthread Home

Cyber Threat Projection and the Insider Threat: Stuxnet Edition


Experts who theorize about cyber conflict talk about the ability to “project” power in and through cyberspace. They also warn of the danger from the “insider threat,” a trusted individual with access to sensitive systems or information who either deliberately or accidentally compromises them. The New York Times reported this week the United States and Israel mounted the cyberattack that temporarily knocked out centrifuges Iran is using to enrich unranium. Yesterday’s revelations by the Times, which seem to lay to rest any remaining doubt about U.S. involvement in the Stuxnet cyber attack on Iranian nuclear facilities, suggest that “projection” and “insider threat” should take on new meaning in the context of cyber conflict.

In psychology, “projection” is the practice of seeing in others the thoughts, desires, feelings, beliefs, or actions that you yourself harbor but do not wish to acknowledge.

For years, the U.S. has been playing the cyber victim. We have been told repeatedly that others are developing cyber weapons to use against us and that they are stealing our secrets and getting an unfair advantage. When making these claims, one cyber attack incident more than any other has served to “prove” just how dangerous the threat is to the United States: Stuxnet.

In fact, other than Stuxnet there have been few if any instances of cyber attacks that caused physical damage. There have been no cyber attacks that come close to the kinds of doom scenarios that cyberwar proponents often use as a call to action. Thus, skeptics have raised the question: Why all the concern with something for which there is so little evidence?

Now we know that this is a case in which the U.S. doth protest too much! How do cyberwar proponents know that this is a real threat? They know because their warnings are a projection of their own thoughts and desires, as well as U.S. cyber capabilities and covert actions.

That the U.S. was behind Stuxnet is not a surprise. There have been good indicators of that for some time. The pattern of projection that we see in cyberwar proponents’ use of Stuxnet as evidence of an external threat to U.S. cybersecurity is also not new.

As I have argued previously, a key assertion by cyberwar proponents is that cyber bad guys, especially China, are eroding our economic competitiveness and even killing American jobs by using cyber attacks to steal our intellectual property. But there is plenty of evidence that the primary cause of our economic woes is not others stealing our secrets. It is our own lack of investment in education, research and development.

The same is true for failures of critical infrastructure, which are failing from lack of investment in repair, maintenance, and modernization, not as a result of malicious cyber attack by pesky outsiders.

The same is true of the 2008 financial crisis. Cyberwar proponents warn of hypothetical cyber attacks that could cripple the financial system. Do they mean attacks that will cost the U.S. government almost $8 trillion dollars, freeze credit markets, and leave many people without homes? Indeed, that would be bad! But we do not need to wait for a cyber attack. Plain old greed and lack of oversight led to these very results in 2008.

Now we see that the cyber threat is also a projection. Cyberwar proponents held up Stuxnet as proof of the danger we face. After all, as Gen. Michael Hayden as said, with Stuxnet “Someone crossed the Rubicon.” As it turns out, that “someone” was us.

But saying that the cyber threat is a projection does not mean that it is not real. It just means that the threat has a different origin. As with declining economic competitiveness, lost jobs, financial crisis, and failing infrastructure, we are dealing with an “insider threat” of a much more general kind. Jason Healey of The Atlantic Council has summed it up best. After noting that officials like NSA Director, Gen. Keith Alexander, point to Stuxnet as evidence that government needs to regulate private owners and operators of critical infrastructure systems, Healey writes,

The message to the US private sector therefore seems to be that they need to be regulated because they are not protecting themselves sufficiently against a weapon designed and launched by their own government. The arsonist wants to legislate better fire codes.

The bottom line is this: We are projecting onto others what we are doing to ourselves but do not wish to acknowledge.

[This post also appears at and]


  • Ellen Archer

    I really confused when I’ve seen articles about Microsoft patches some of Stuxnet’s vulnerabilites in 2015. Several years ago when I was working on a network security project I was researching about the mechanisms Stuxnet spreading through USB and networks I watched a video there one of Microsoft team member Bruce Dang mentioned in a conference we had knew about the Stuxnet but we weren’t allowed to talk about it till now (2010). but now days that everybody knows about the Stuxnet and its mission is finished, why Microsoft haven’t patched its vulnerabilities forever? is there something remained unmentioned about the Stuxnet mission?
    I searched a lot to find the exact video I had watched that time which contained much more knowledge about the role of Microsoft in responsibility of postponing patching the vulnerabilities Stuxenet was using but I couldn’t find it yet. however the above video contains some admissions from one of Microsoft members.