Posted by Virus Bulletin on Dec 18, 2014
Kim Zetter's book on Stuxnet is a must-read for anyone interested in malware - or in 21st century geopolitics.
There is a tendency among the media to call every hack 'advanced', to blame every attack on a nation state, and to label every industrial failure as 'cyber'. It is good to approach such stories with a healthy dose of scepticism, yet that doesn't mean that such cases only exist in the realm of fantasy.
Enter Stuxnet: malware written by the NSA, probably with the help of Israel's intelligence agencies, which found its way onto the air-gapped computer systems of a nuclear plant in Iran, where it did serious damage to the centrifuges and thus ultimately to the country's uranium enrichment program.
It was Mikko Hyppönen who said that, with Stuxnet, computer science lost its innocence - like nuclear science had done in August 1945 when nuclear bombs were dropped on Hiroshima and Nagasaki. After that day, the atom bomb was no longer something that could happen: it was something that actually had happened. Likewise, a destructive malware attack on an industrial facility isn't something that could theoretically happen: it is something that has happened, and Stuxnet was the first time we learned about it.
It was thus with much eagerness that I looked forward to reading Kim Zetter's book on Stuxnet, Countdown to Zero Day, which came out last month.
In her book, the Wired journalist tells the story of Stuxnet from its discovery by Sergey Ulasen (then of VirusBlokAda) and takes us through the slow unravelling of the malware by security researchers, who gradually discovered Stuxnet's purpose.
In doing so, the book focuses not only on the technical details, but it also takes a human interest view by focusing on the researchers themselves. As such, we're taken to Liam O'Murchu's birthday party and to the apartment belonging to Costin Raiu's parents, which was nearly blown up by a young Costin's chemistry experiments (leading to his parents buying him a PC instead, which ultimately led to him becoming one of the world's most brilliant anti-virus researchers).
For that reason alone, the book is worth reading. Stuxnet remains unique among known cases of malware, and understanding what happened is as essential for those working in IT security as the stories of Hiroshima and Nagasaki are for nuclear physicists.
Yet unique as it may be (or not, as there is a real possibility that there are other 'Stuxnets' out there that have not yet been discovered), Stuxnet doesn't exist in a void. Countdown to Zero Day also tells the broader story, providing a number of contexts in which the malware exists.
First, there were the worries of Western nations - in particular those of the United States and Israel - about Iran's nuclear ambitions. I am not the biggest fan of United States foreign policy, but after reading the book I came to understand the challenges US intelligence was facing - wanting to prevent Iran from building nuclear weapons, yet trying to avoid dropping bombs on uranium enrichment facilities. At least I came to understand why the decision to build Stuxnet was made.
While Stuxnet was designed only to target one specific facility, the principle of the malware can easily be turned around and it would be possible for rogue actors to use malware to target 'our' industrial control systems, for various definitions of 'our'. Zetter's book contains a chapter on the history of the security (or, often, lack thereof) of industrial control systems, as well as possible attacks on them.
Those who have followed the story of Stuxnet will know of Duqu ('son of Stuxnet') and related attacks such as Flame and Gauss, each of which gets ample attention in the book. Yet what made Stuxnet stand out, even from these equally advanced pieces of malware, was that it was actually destructive - making it one of the few cases for which that so often misused term 'cyberwar' can be used with some justification.
Zetter describes the long history of cyberwar, which goes back more than two decades, and doesn't fail to mention the heated debate surrounding the sale of zero-day vulnerabilities. Stuxnet contained four such vulnerabilities.
I had high expectations of this book, given both the subject matter and Zetter's reputation as a journalist covering cybersecurity. Yet these expectations were easily surpassed, not just because the book puts Stuxnet in a very broad context, but also because of the style in which it is written, which makes it read like a novel. I was reading the book on a plane and I was the last person to get up from my seat when it landed, I was so eager to learn what happened next.
What helps make it such a good read is the fact that the book contains many footnotes that provide background information to the story, without interrupting the text.
To paraphrase the book's final words: now that Pandora's digital box has been opened, other cases of destructive cyber attacks may appear at any time. If only because of this, Countdown to Zero Day is essential reading for anyone interested in cybersecurity. Or, for that matter, in geopolitics.
Countdown to Zero Day is published by The Crown Publishing Group, a subsidiary of Random House.