Recently there have been several great books that illustrate the importance of information security in today’s world, including Kevin Mitnick’s “Ghost in the Wires,” Andy Greenberg’s “This Machine Kills Secrets” and Brian Krebs’ “Spam Nation.” Joining the list at the top is Kim Zetter’s “Countdown to Zero Day.” The book tells the story (which you probably thought you already knew) of Stuxnet and the geopolitical maneuverings that brought it into existence. The book is engaging to read and meticulously researched. Zetter not only examines the intricacies of this nation-state-sponsored espionage tool but also delves deeply into the finer workings of uranium enrichment centrifuges and their industrial control systems. Along with these technical details, she adds the personal stories of the people who discovered Stuxnet and devoted countless hours to deciphering not just Stuxnet but also its relatives Duqu, Flame, and Gauss. Despite the highly technical subject matter, Zetter weaves an engaging narrative that succeeds in explaining complex systems in ways that can be easily understood without being condescending.
This book is an absolute must-read for anyone even remotely involved in the information security industry because it looks at an adversary that is seldom seen: the nation-state. Unlike cyber criminals, “hacktivists” or bored teenagers whose online activities are somewhat easy to discover and decipher, the online operations and capabilities of nation-states have been shrouded in rumor, myth and superstition. It is amazing that Zetter was able to obtain this much detail about what was most likely a top-secret government operation that is arguably less than five years old. Thanks to Zetter and “Countdown to Zero Day,” we now have a baseline from which to forecast potential nation-state capabilities today and into the future.
While reading the book, I was initially dismayed with the reverence she has for the anti-virus companies involved. But then I realized that it was the anti-virus companies, and their willingness to delay work on other malware, that allowed the researchers to discover exactly what Stuxnet was trying to do. Stuxnet was obviously not a random piece of banking malware designed to siphon off credit card numbers; but beyond developing a signature to add to their anti-virus products, the AV companies were under no obligation to reverse engineer Stuxnet and its relatives to the level that they did. Without the willingness of these companies and dogged determination of their researchers, we may still be blissfully unaware of what digital lengths governments will go to for accomplishing their goals.
Zetter makes extensive use of footnotes throughout the book, illustrating just how much work went into peeling back the layers of this intricate story. On the one hand, I appreciate her detailed documentation of facts and sources, but in several cases a footnote becomes more than just a source citation and fills half a page with a full explanation. I found this level of footnoting to be distracting to the story; I had to stop reading the main page to read the small print of the footnote. I wish that the information contained in the longer footnotes was integrated into the main story. But I am glad that I read the actual paper version of the book; if I had listened to the audio book, I would have missed much of this important detail.
When news of Stuxnet first broke, many people dismissed it as not important. Even when evidence indicated that Stuxnet had to have been sponsored by a government, many people just shrugged and said, “Well, we figured they were doing that anyway.” Such a lackadaisical attitude greatly oversimplifies the competencies and resolve that went into making Stuxnet—competencies and resolve that happened at least five years ago. As professionals working in the information security industry, we must now ask ourselves just how much further have governments come in the last five years, and where will they be five years from now? So little is known about the online activities of nation-states, but the examination of Stuxnet and its relatives now gives us a solid baseline from which we can extrapolate potential future activities.
And what about the next time? It has been almost five years since Stuxnet was first discovered, and while there have been additional discoveries of Stuxnet-related malware, no further samples of different nation-state-sponsored malware have been found. It would be naive to think that Stuxnet was a one-and-done type of operation. Countries are constantly accusing other countries of attacking their electronic infrastructure. Either the information security industry has gotten really bad at finding this type of malware, or governments have gotten really good at hiding it.
As industry professionals, we must ask: what is our role in all of this? The researchers interviewed by Zetter said that they were never pressured to withhold their information or slow their research by any government. Will that be the case the next time around? Are industry professionals obligated to protect our customers or our governments? Is it our duty to search for and find government electronic espionage tools, potentially blowing the cover off top secret multi-million dollar operations? Or should we leave geopolitics to the spies and politicians, and just keep our focus on the cyber criminals, “hacktivists” and bored teenagers?
If you are interested in nuclear proliferation, the story of how we got to where we are now, and how we have almost blown ourselves up several dozen times, I highly recommend Eric Schlosser’s “Command and Control.” It makes a great introductory piece to Zetter’s “Countdown to Zero Day.”