Book review: Countdown to Zero Day

Posted by Virus Bulletin on Dec 18, 2014

Kim Zetter's book on Stuxnet is a must-read for anyone interested in malware - or in 21st century geopolitics.

There is a tendency among the media to call every hack 'advanced', to blame every attack on a nation state, and to label every industrial failure as 'cyber'. It is good to approach such stories with a healthy dose of scepticism, yet that doesn't mean that such cases only exist in the realm of fantasy.

Enter Stuxnet: malware written by the NSA, probably with the help of Israel's intelligence agencies, which found its way onto the air-gapped computer systems of a nuclear plant in Iran, where it did serious damage to the centrifuges and thus ultimately to the country's uranium enrichment program.

It was Mikko Hyppönen who said that, with Stuxnet, computer science lost its innocence - like nuclear science had done in August 1945 when nuclear bombs were dropped on Hiroshima and Nagasaki. After that day, the atom bomb was no longer something that could happen: it was something that actually had happened. Likewise, a destructive malware attack on an industrial facility isn't something that could theoretically happen: it is something that has happened, and Stuxnet was the first time we learned about it.

It was thus with much eagerness that I looked forward to reading Kim Zetter's book on Stuxnet, Countdown to Zero Day, which came out last month.

Kim Zetter - Countdown to Zero Day

In her book, the Wired journalist tells the story of Stuxnet from its discovery by Sergey Ulasen (then of VirusBlokAda) and takes us through the slow unravelling of the malware by security researchers, who gradually discovered Stuxnet's purpose.

In doing so, the book focuses not only on the technical details, but it also takes a human interest view by focusing on the researchers themselves. As such, we're taken to Liam O'Murchu's birthday party and to the apartment belonging to Costin Raiu's parents, which was nearly blown up by a young Costin's chemistry experiments (leading to his parents buying him a PC instead, which ultimately led to him becoming one of the world's most brilliant anti-virus researchers).

For that reason alone, the book is worth reading. Stuxnet remains unique among known cases of malware, and understanding what happened is as essential for those working in IT security as the stories of Hiroshima and Nagasaki are for nuclear physicists.

Yet unique as it may be (or not, as there is a real possibility that there are other 'Stuxnets' out there that have not yet been discovered), Stuxnet doesn't exist in a void. Countdown to Zero Day also tells the broader story, providing a number of contexts in which the malware exists.

First, there were the worries of Western nations - in particular those of the United States and Israel - about Iran's nuclear ambitions. I am not the biggest fan of United States foreign policy, but after reading the book I came to understand the challenges US intelligence was facing - wanting to prevent Iran from building nuclear weapons, yet trying to avoid dropping bombs on uranium enrichment facilities. At least I came to understand why the decision to build Stuxnet was made.

While Stuxnet was designed only to target one specific facility, the principle of the malware can easily be turned around and it would be possible for rogue actors to use malware to target 'our' industrial control systems, for various definitions of 'our'. Zetter's book contains a chapter on the history of the security (or, often, lack thereof) of industrial control systems, as well as possible attacks on them.

Those who have followed the story of Stuxnet will know of Duqu ('son of Stuxnet') and related attacks such as Flame and Gauss, each of which gets ample attention in the book. Yet what made Stuxnet stand out, even from these equally advanced pieces of malware, was that it was actually destructive - making it one of the few cases for which that so often misused term 'cyberwar' can be used with some justification.

Zetter describes the long history of cyberwar, which goes back more than two decades, and doesn't fail to mention the heated debate surrounding the sale of zero-day vulnerabilities. Stuxnet contained four such vulnerabilities.

I had high expectations of this book, given both the subject matter and Zetter's reputation as a journalist covering cybersecurity. Yet these expectations were easily surpassed, not just because the book puts Stuxnet in a very broad context, but also because of the style in which it is written, which makes it read like a novel. I was reading the book on a plane, and when it landed I was the last person to get up from my seat, so eager was I to learn what happened next.

What helps make it such a good read is the fact that the book contains many footnotes that provide background information to the story, without interrupting the text.

To paraphrase the book's final words: now that Pandora's digital box has been opened, other cases of destructive cyber attacks may appear at any time. If only because of this, Countdown to Zero Day is essential reading for anyone interested in cybersecurity. Or, for that matter, in geopolitics.

Countdown to Zero Day is published by The Crown Publishing Group, a subsidiary of Random House.

Symantec's Liam O'Murchu on stage during VB2010 demonstrating Stuxnet with the help of a balloon. Photo: Andreas Marx.

Posted on 18 December 2014 by Martijn Grooten
