Iran Gets Spy and Nuclear Technology Despite Embargo

Iran Gets Spy and Nuclear Technology Despite Embargo

Stephen Bryen Summer 2012

Although Iran is at the top of the list of countries hostile to the West, and although the United States and its allies claim to be embargoing technology in an effort to slow Iran’s nuclear program, the regime is still getting its hands on both nuclear-related technology and spy technology from the West. The embargo on Iran and export controls have failed because these controls are poorly enforced and the United States lacks leadership willing to crackdown on this dangerous trade.

Iran’s Nuclear Program: A Product of the West

A centrifuge is a complex piece of machinery that requires special materials available only from a limited number of sources. The centrifuge is needed to enrich uranium, and enriched uranium (90 percent or more U-235) is needed for nuclear weapons. The original goal of the West was to keep centrifuge technology out of the hands of the Iranians. Today there are more than 9,000 centrifuges spinning in Iranian facilities and more on the way.

Pakistan obtained its centrifuge technology from Europe, the design coming from Urenco, which is owned in equal parts by Ultra-Centrifuge Nederland NV (owned by the Government of the Netherlands), Uranit GmbH (owned equally by German energy companies E.ON and RWE), and Enrichment Holdings Ltd (owned by the Government of the United Kingdom and managed by the Shareholder Executive). Urenco operates in Europe and in the United States; its centrifuge designs are all based on the work of Gernot Zippe, an Austrian-German mechanical engineer.

Pakistani nuclear scientist A.Q. Khan has taken credit for stealing the centrifuge design from Urenco while he was an employee. He also takes credit for spreading the technology around the world with the apparent blessing and support of the Government of Pakistan. Iran was one of the beneficiaries.

The Zippe centrifuge has been changed and improved over time, and Iran has taken great advantage of those improvements. It is unknown precisely how these improvements reached Iran, but the continuous leakage of technology from Europe in related sectors suggests that Europe’s nuclear technology continues to spread far and wide. The most important centrifuge upgrades in Iran required specialized materials including carbon fiber tubes, composites, maraging steel, and gas bearings. Maraging steel and the carbon fiber tubes that make up the rotor of the centrifuge are spun at very high speeds and operate for long periods of time. Stability of speed is very important, and centrifuge cascades require reliable, filtered power controllers, and sophisticated electronics.

The electronic controller and controller software for the centrifuges, known as the model S7-300, was designed by the German engineering firm Siemens as was its software package, Simatic Step 7. The frequency converter drives that work with the S7-300 are based on a design that comes from the Vacon company of Finland.

The Siemens S7-300 is distributed in Iran by a company named Pcsromo. Investigators think they are only doing final assembly work and that the circuit boards, software, and other components are imported. Pcsromo announces its relationship with Siemens unequivocally: “We can offer very attractive prices for Siemens S7 series PLC and I/O Modules, ranging from S7-200, S7-300 to S7-400. We are currently supplying Siemens S5 and S7 parts to USA, Europe, South-East Asia, India, Pakistan, Middle East and etc. Please contact us for more details.” Its website says that Pcsromo is linked to a number of companies including Siemens, PCS Automation, Allen Bradley, Mitsubishi, Toshiba, and others.

At least some of the frequency converters were supplied by a small Iranian company called Fararo Paya. As in the case of the controllers, it is not clear they are manufactured in Iran. According to the Institute for Science and International Security (ISIS), “It is unlikely that Fararo Paya makes frequency converters from scratch for Iran’s enrichment plants. It likely either makes them from major subcomponents acquired abroad or purchases them intact from overseas suppliers. The latter is difficult to accomplish successfully since frequency converters with a range of 600-2,000 Hz are considered nuclear-related dual-use goods controlled for export by Nuclear Suppliers Group (NSG) guidelines.”

The international embargo on Iran is supposed to be working, but clearly the Iranian nuclear program continues to expand as Iran puts more centrifuges on line. This means that the supply of components to Iran from Western countries continues. The so-called embargo has failed to work because Western governments are not enforcing it.

Both the Siemens controller/controller software and the Vacon/Fararo Paya frequency converters were directly targeted by the Stuxnet worm, which changed the spin rate of the centrifuges so they were unable to separate U-235. Someone knew precisely the equipment used by the Iranians, if not where it came from. Reportedly the same equipment was set up at Israel’s Dimona nuclear facility and Stuxnet was test-driven to ensure its functionality.

Spying on the Iranian People

Not only is the Iranian nuclear program flourishing thanks to Western technology, but its effort to suppress dissent and smash political opposition is also receiving help from European and American companies.

Consider the International Mobile Subscriber Identity (IMSI) “catcher.” In Iran, as in Europe and in the U.S. (AT&T and T-Mobile), the IMSI systems authenticate users and allow one GSM-type mobile phone to talk to another using the standard built in encryption chip known as the A5. The A5 offers a moderate degree of security to users, which the IMSI “catcher” is designed to circumvent. The “catcher” is essentially a police-run mobile phone tower that pretends to authenticate the user’s phone but in fact turns the encryption off, opening the network to instant police spying. IMSI catchers can be installed just about anywhere and thus offer a convenient way for police and secret services to listen in.

IMSI catchers have been sold to Iran and, according to the group Privacy International, once the Iranian state has unimpeded access to a targeted cell phone, not only are the police and security forces listening to “live” phone conversations, but they also can put malware on the user’s phone so that the phone can be tracked and all its messages and emails read, and its off-line conversations heard.

Privacy International says some 30 UK companies and at least 50 U.S. companies have been exporting surveillance technology to Iran (and to Syria). While the EU and the U.S. have recently “banned” the sale of such equipment to Iran and Syria, the ban is largely meaningless because it only targets sales directly to the Iranian and Syrian governments; so-called B-to-B sales (business to business) are not blocked. In the U.S. case, the equipment is believed to be exported to a middle country and then re-exported to Iran and Syria.

Spyphone software is a huge problem for the Iranian dissident movement, as it allows authorities to steal data from a smartphone, listen in on “live” phone–to-phone conversations, turn on a phone’s microphone and camera even if the user thinks the phone is turned off, and much more. Spyphone software is sold freely without any export license in the U.S. and Europe. Once planted on a phone, it is very hard to discover and even more difficult to erase.

A wide range of surveillance technology from reputable companies is flowing to the Iranian regime. Technologies to monitor personal computers and tablets, to listen in on Skype calls, and to do cluster analysis to link together dissidents, along with face recognition and other video surveillance systems helps the regime keep a finger on dissent in the country.

Stopping Iran Late in the Game

Perhaps the best hope to stop Iran from acquiring nuclear weapons and threatening, if not using, them against Israel or Saudi Arabia (two potential targets) is regime change. If the Iranian regime could be replaced with a more moderate government, one that does not want to annihilate Israel, there is reasonable hope that the nuclear program would be shut down.

Unfortunately the spyware and surveillance equipment pouring into Iran are making it hard for dissidents to operate. Many people complain that they, or their friends and colleagues, have been arrested by the regime after being tracked by Iranian internal security. Some say lives have already been lost because calls, SMS messages, and location data have fallen into the hands of the police and security services.

The lack of enforcement of export controls is what led the U.S. and Israel to try cyber attacks against Iran’s nuclear infrastructure with tools such as the Stuxnet worm and the Flame virus. Cyber warfare is, as the name says, a form of warfare. A cyber attack against a military-type target requires a great deal of expense and effort, as well as coordination with industry.

Was there coordination with industry in the case of Stuxnet? It is difficult to say with certainty. It is true that Siemens eventually offered a solution to their clients that was widely propagated, and at least one high ranking Iranian general accused Siemens of being complicit in helping design the Stuxnet attack. Meanwhile other companies jumped in offering ways to clean the Stuxnet worm although it seems the worm actually only had an impact on the Iranian centrifuges and did little or nothing to machines performing other industrial functions.

Because the U.S. and Israel denied any involvement in Stuxnet, it appears that both governments kept quiet, meaning that some of the fixes got out perhaps too quickly. Nevertheless, in recent weeks the Obama administration, through leaks, claimed cooperation with Israel on both Stuxtnet and Flame.

In fact, some firms, such as Kaspersky Labs, which focuses on building anti-virus software, provided assistance to Iran and continue to do so now. As Eugene Kaspersky said on June 14, “Being a global company with a primary mission to care about our customers’ security, we state officially that we will fight any cyber weapons irrespective of the country of origin and any attempts to force us to ‘collaborate.’ We consider any compromise on this score to be incompatible with our ethical and professional principles.”

While Kaspersky is a Moscow-based company, it does business in the United States, providing the U.S. with a lot of leverage. Thus the U.S. has a big stick in the closet but there is no sign that the White House is even contemplating using it.

Likewise, the U.S. government, its allies and friends, also need to understand that supplying surveillance technology is self-defeating and risks the lives of those who are challenging the harsh and reckless Iranian regime. Surveillance technology including intercept systems should be strongly controlled by listing the technology under munitions laws. This would help a great deal in creating some discipline in this uncontrolled area.

There are two main types of export control laws in the United States and Europe—export regulations on dual-use products and items controlled as munitions. Armament laws (the U.S. uses the International Traffic and Arms Regulations—ITAR) are far tougher than dual-use export controls. Surveillance equipment should be put under the ITAR and similar regulations in Europe, Japan, and elsewhere (including Israel). Not only would ITAR controls stop much of the export of surveillance equipment directly to rogue regimes, it would require exporters to certify the end user of its products and impose strong penalties on the originating company—penalties that can include an export ban, fines, and even criminal prosecution. In essence the exporting company is made responsible.

Supporting the Opposition

There was no excuse for Western complicity in Pakistan obtaining nuclear weapons just as there is no excuse today in regard to Iran’s nuclear plans. The U.S. has shown minimal leadership so far, and the results are abysmal. While serious damage has been done, there are still chances to hinder the Iranian nuclear program and give regime opponents a chance to operate more effectively.

Dr. Stephen Bryen, President of SDB Partners, LLC, was Deputy Undersecretary of Defense and the first Director of the Defense Technology Security Administration.