Book Review: Countdown to Zero Day (Stuxnet)

Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, by Kim Zetter, covers in detail the discovery, exposure, and analysis of the Stuxnet virus.  It is a fascinating, educational, and important read, relevant to anyone interested in cyber security, war, foreign affairs, and election integrity.  There is also a new documentary, ZER0DAYS.

I read the book and then watched the movie.  I recommend the book over the documentary, although it is complementary.  The book covers Stuxnet and its discovery in much more detail.  Yet the book is accessible to everyone. After reading the book, even the non-technical reader will have an understanding of what Stuxnet could do and its wider implications for security and foreign affairs.  I am not convinced those that watch the movie will have anywhere near an equivalent understanding. Here are some of the highlights and implications:

  • Stuxnet represents the first documented act of cyber aggression by one nation against another.  The U.S. has unlocked Pandora’s Box as we did with nuclear weapons in 1945.  It is an actual attack, distinct from cyber spying and information theft.
  • Stuxnet was used, undetected, to randomly destroy Iran’s nuclear centrifuges.  It demonstrated the capability for almost any system controlled by software to be incapacitated or destroyed by a software virus alone: power systems, the power grid, manufacturing systems, gas lines, banking systems, refineries, elections, etc.
  • At the time of Stuxnet, Iran was at minimum playing cat-and-mouse with its nuclear activities; likely it was attempting to hide an aggressive program to prepare for creating nuclear weapons. It is quite possible that is no longer true or a possibility.  Part of the U.S. goal was to hold Israel off from an actual and risky attack on Iran of questionable value.
  • Zero Day refers to holes in software/hardware security which are unknown to the software vendors and anti-virus security firms.  Knowing and exploiting a zero day hole gives a powerful capability to compromise the systems of those with the latest and most extensive security measures, such as sensitive/strategic government programs.
  • Stuxnet is clearly attributed to a joint effort of the U.S. and Israel.  It was very sophisticated with several zero days, complex attack mechanisms, complex virus spreading, and targeted/limited to avoid detection.  The movie does a fine job of driving this point home with insider and outsider interviews.
  • Stuxnet attacked and spread without the requirement that any equipment be connected to the Internet. Disconnected systems are safer, yet far from safe from virus or insider attack.
  • Stuxnet was intended to wipe itself out and remove itself, making detection more difficult. Its apparent failure to limit its spread as much as intended led to its discovery.
  • If a foreign power or hackers had discovered Stuxnet, they could have been a long way toward attacking almost any control system.  They could attack any target, U.S., worldwide, or random; they could have easily made an error that caused a much wider, much more dangerous attack than they intended.
  • When the Government withholds publication of zero days from vendors and virus protection firms, it leaves our government and business systems open to attack through those holes.  Those holes can also reach foreign governments and criminals through attacks on our government and its vendors.  (Sound impossible?  The U.S. government is still at it and the World is exposed.  See <NSA hacked, exposing new hacking tools>. Partially like Stuxnet, this was an attack via vendor/contractor facilities. Unlike Stuxnet, it could be classified as spying, not aggression.)

What this means for elections:

  • Elections can be hacked.  Any election equipment can be hacked, including proprietary equipment and equipment not connected to the Internet.
  • Hacking can go on undetected for months and years.
  • We can worry about Russia, yet we need to worry about all governments (including U.S. agencies), partisans, and insiders everywhere.
  • Elections are managed by local governments and local officials who are orders of magnitude less capable, less funded, and less knowledgeable than super sensitive corporate, government, and military operations (can you say Sitting Ducks?).
  • It is more important than ever that we not remain complacent and assume that, just because we know most local officials are of high integrity, nothing can go awry.
  • We need paper ballots and sufficient ballot security, recounts, and audits of the entire election process.
