Cyber Warfare
The Weapon That Destroyed Centrifuges Without Firing a Shot
In 2010, a piece of software quietly dismantled Iran's nuclear programme — and the world didn't find out until it was already over.
The Idea
War has always evolved around a central question: how do you degrade an enemy's capacity to fight without exposing your own forces to risk? Cyber warfare is the latest answer — and Stuxnet, the malicious code discovered in 2010, is the moment it became undeniable. What makes Stuxnet so conceptually important isn't just that it worked. It's that it crossed a threshold that had never been crossed before: a piece of software designed to cause physical destruction in the real world. Previous cyberattacks had stolen data, disrupted websites, or crashed systems. Stuxnet made centrifuges — the machines used to enrich uranium — spin themselves to pieces. It was, in effect, a guided missile that travelled through USB drives and industrial control systems instead of air. The implications run deep. Cyber weapons are cheap to develop relative to conventional arms, leave ambiguous fingerprints, and can be deployed without a formal declaration of war. They occupy a strange legal and moral grey zone: is sabotaging another nation's infrastructure an act of war? What counts as retaliation? These questions remain genuinely unresolved in international law. What Stuxnet revealed is that the battlefield had expanded — invisibly — into the software running power grids, water systems, financial networks, and hospitals. Every connected system is now, in some sense, a potential theatre of war.
In the World
The Natanz nuclear facility in central Iran was physically isolated — no internet connection, no obvious vulnerability. Its operators believed air-gapping the network was enough. They were wrong. Stuxnet, believed to be a joint operation by the United States and Israel (neither government has officially confirmed this), was introduced via infected USB drives — possibly slipped to unsuspecting contractors who worked at the facility. Once inside, it behaved with extraordinary patience. It monitored the centrifuges for weeks, learning normal operating patterns, before subtly altering their spin speeds — fast enough to cause wear and eventual failure, slow enough that operators saw nothing obviously wrong on their displays. Stuxnet fed false readings back to the control panels while the machines tore themselves apart. Technicians replaced centrifuge after centrifuge, baffled. Estimates suggest Iran lost roughly a fifth of its operational centrifuges before the code was eventually detected — not by Iranian engineers, but by a Belarusian cybersecurity firm called VirusBlokAda, working on an apparently unrelated computer crash. By the time the full scale of Stuxnet became public knowledge, the operation had already run its course. It had set Iran's nuclear timeline back by years, and it had shown every government and military in the world that this kind of operation was not only possible, but had already happened.
Why It Matters
The Stuxnet story isn't just a fascinating Cold War-style thriller — it genuinely reshapes how you might think about conflict, security, and the infrastructure that surrounds you. Critical systems — the kind that keep cities lit, hospitals running, and water drinkable — are largely managed by software that wasn't designed with warfare in mind. That gap between physical consequence and digital vulnerability is where modern conflict increasingly lives. Understanding this doesn't require technical expertise. What it requires is recognising that the boundaries of warfare have shifted in ways that most institutions, legal frameworks, and public conversations haven't fully caught up with. When you hear about a hospital hit by ransomware, or a power grid flickering after a geopolitical escalation, these aren't anomalies — they're the logical extension of what Stuxnet demonstrated. Knowing this history also sharpens your scepticism about the apparent cleanliness of cyber operations. 'No boots on the ground' doesn't mean no harm done. The question of what constitutes an act of war — and who gets to decide — may be the defining strategic puzzle of the next fifty years.
A Question to Ponder
If a cyberattack can destroy physical infrastructure without a single soldier crossing a border, what should actually trigger the right to self-defence under international law — and who should decide?
Get a new one of these every morning.
Start learning with Thinkable