Kim Zetter. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. Crown/Archetype, Nov 11, 2014. Hardcover. 448 pages. $25.00.
Review by Shane Halton
Hollywood has been trying like hell to make cyber sexy. We’ve already had a Die Hard movie about cyber terrorism and soon we’ll have an international cyber thriller starring Thor, certainly the tannest hacker in film history. These types of movies have a long pedigree and all use the same basic template: there’s a group of heroes running around trying to catch a hacker before he uses his hacker skills to either blow something up (Live Free or Die Hard) or steal a lot of money (Goldeneye). This is the Cyber Warfare as Action Movie model.
The story of the Stuxnet Worm, as told by Kim Zetter in her fantastic book, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, could have continued this well-trodden path. The story has explosions (!) and the release of poisonous gas (!) but largely eschews the action movie format in favor of something of a cross between a more cerebral version of CSI and a 70s conspiracy thriller. Zetter wisely channels her narrative through the perspective of private sector forensic cyber researchers at Kaspersky Labs, Symantec, and VirusBlokAda, the Belarussian cyber security company that first detected Stuxnet in the wild and attempted to dissect it. These researchers worked the Stuxnet case (and the related ‘Flame’ Worm) on and off for years, always trying to tease out the answer to its central mystery– who created this thing and for what purpose?
Once the culprits and their nefarious intentions are ‘revealed’ (Zetter’s best guess is that Stuxnet was developed by the NSA and the Israelis, both of whom unsurprisingly failed to confirm or deny ownership), Ms. Zetter succinctly explains why releasing a Worm as powerful and potentially dangerous as Stuxnet might have been the least worst option available to the West when it was confronted with the looming threat of an Iranian nuclear weapons program. The author states that Stuxnet originally started out as a reconnaissance program designed to map the contours of the secret Iranian enrichment program. Later versions of the virus were more geared towards industrial sabotage- randomly altering the speed of centrifuges, opening and closing critical valves and reporting bad data back to the control system all in an effort to degrade the Iranians’ ability to enrich uranium. Though the required repairs to the program were costly and time-consuming, Iran was able to invest the time and resources necessary to overcome the damage caused by Stuxnet.
Once the big mystery is revealed, all that is left are the ramifications. Ms. Zetter spends the final third of the book expanding the aperture of her story in ways that are as compelling as they are unsettling. She delves into the ‘grey market’ of zero day vulnerabilities (software vulnerabilities that haven’t been publicized yet), in which individuals and hacker groups discover, catalogue and sell off software vulnerabilities to the highest bidder. Some of the buyers are software companies, others are security companies and some are hacker groups and nation states. Why would nation states be interested in software vulnerabilities? Ms. Zetter convincingly argues that organizations like the NSA, Mossad, and equivalent agencies in Russia and China use these vulnerabilities both to protect themselves from attacks and create offensive cyber weapons. Ms. Zetter describes how this process has likely increased exponentially since Stuxnet was first discovered in 2010.
The author goes on to describe the dilemma facing the NSA with regard to such vulnerabilities — to patch or not to patch? If you rigorously push out patches to software vulnerabilities you can help protect everyone. But if your goal is to gain access to and subvert enemy computer system the opposite logic is at least as compelling – patch nothing and exploit everything. Ms. Zetter quotes an analyst who describes this as akin to withholding a vaccine from everyone in order to ensure your enemy is infected with a disease. This discussion is extremely timely as well. During his May 2015 filibuster of the renewal of the Patriot Act, Senator Rand Paul (R-Ky.) cited documents leaked by the NSA contractor Edward Snowden discussing this dilemma and other instances where the NSA has been accused of deliberately watering down encryption standards in order to ensure it maintained its ability to access every computer system in the world.
Perhaps the most disturbing part of the story is the uncertain fate of Stuxnet itself. It is important to think of Stuxnet as being composed of two parts: the missile and the warhead. Zetter says Stuxnet’s designers spent a lot of time developing a ‘missile’ that could exploit vulnerabilities and avoid detection long enough to get its ‘warhead’ to the part of the system it’s targeting. When Stuxnet was released into the world it accidentally ended up on tens of thousands of computers across the globe. When the private sector researchers discovered and dissected it they published their findings (including the Stuxnet source code) online. Remember, every copy of Stuxnet contains the plans to build another Stuxnet, with the option to modify the missile or warhead portions as required. This means that since 2010 the plans to build your own copy of the most dangerous cyber weapon in history have been available for free online. One cyber security expert interviewed in the book likens the release of Stuxnet to following up the bombing of Hiroshima with an air drop of leaflets describing how to build an atomic bomb.
This book does two important things well. First, it tells the origin story of a dangerous new class of weapon in a way that is accessible to the educated lay reader. PW Singer, in his book on cyber security, describes ‘the glaze’ which is ‘the unmistakable look of profound confusion and disinterest that takes hold whenever conversation turns to workings of a computer.’ By keeping the focus on the human drama of the researchers unpacking the mystery of Stuxnet, Ms. Zetter never lets readers fall victim to the glaze. Second, the book serves as an excellent practical guide to the language and concepts of the cyber world; language and concepts that will undoubtedly play an ever larger role in our national dialogue as time goes by.
Lieutenant Junior Grade Shane Halton is a naval intelligence officer currently stationed at the Joint IED Defeat Organization. He served as an enlisted intelligence specialist before commissioning through the STA-21 program. He has written about global air defense modernization trends and the effects of big data on intelligence analysis for Proceedings magazine. The views above are the author’s and do not represent those of the US Navy or the US Department of Defense.