The threat of cyber attack has gone from an obscure concept to household issue just in the last decade, and although this ominous issue has far-ranging impacts from a global to an individual level, the vast majority of people have no idea what cyber warfare is or how it works. Countdown To Zero Day remedies this.
With detailing the first use of a modern cyber weapon, the Stuxnet virus that attacked Iran’s nuclear enrichment program, the book fills out your knowledge-base about this growing battlefield. It is both a terrifying and fascinating read all at the same time.
I have to confess, I read this book last Winter, and it has taken me months to get my head around the information it unveils. Kim Zetter’s manuscript it quite thick and is not the easiest thing to read at times, but it is absolutely impressive in its scope and ambition. The book is partially a bewilderingly detailed “who-dunnit” where software security geniuses play the intrepid detectives following a ridiculously complex trail of clues. The story recounts in almost painful detail the genesis, execution and mysterious aftermath of the Stuxnet virus. Coiled around this primary narrative is fantastic information that anyone who is interested in military technology, strategy or geopolitics really needs to know. This includes background on the history of cyber weapons, how they are built, how they are implemented and their potentially devastating effects.
The center of the story (as you can tell by the title) is also the key to most cyber weapons: the zero-day vulnerability. As such we must go over what a zero-day is. Wikipedia’s primary definition works well for our purposes:
A zero-day (also known as zero-hour or 0-day) vulnerability is an undisclosed and uncorrected computer application vulnerability that could be exploited to adversely affect the computer programs, data, additional computers or a network. It is known as a “zero-day” because once a flaw becomes known, the programmer or developer has zero days (before disclosure) to fix it.
Zero-day exploits are attempted before or on the day notice of the vulnerability is released to the public; sometimes before the author is aware or has developed and made available corrected code (patches). Zero-day attacks are a severe threat.
With this in mind, and not including the amazing story of Stuxnet’s creation and aftermath, these are just some of the amazing things I took away about cyber warfare after reading Countdown To Zero Day:
- We are not talking about a new battlefield, but almost a whole new dimension of combat when it comes to cyber warfare. It is such a fast developing, dangerous, accessible and exotic form of warfare that we need people capable of totally thinking outside of traditional military contexts in order to defend against it and/or have offensive supremacy within its realm.
- Cyber weapons feature many of the same components of traditional weapons. These including timers, fuses, seekers, decoys, stealth characteristics, spoofing abilities, communications capabilities and even a headquarters to report to. Even simpler, they can be metaphorically broken down into a delivery system and a warhead.
- Cyber weapons can be designed to metaphorically carpet bomb an opposing force’s computers and networks or they can work like precision guided bombs, only affecting targeted computers based on a strict criteria. They can also work as smart mines, laying dormant until the circumstances and timing is just perfect to strike.
- Zero-day exploits are traded on a gray-world arms bazaar. Companies whose software is affected are buyers, other governments including the U.S. government are buyers, hackers and organized crime syndicates are buyers, even defense contractors are buyers. This largely unknown marketplace is virtually unregulated.
- A whole ecosystem of hackers, middlemen and buyers facilitate the zero-day exploit marketplace.
- Cyber weapons are unique in that they often deliver a blueprint of themselves with every infection. Like an intact drone falling into enemy hands, they can be reverse engineered and a mutated version of the same weapon could be used against its original user or less advanced targets that are unprepared for such an attack. With every known highly-distributed cyber weapon discovery, the world’s combined knowledge of how to build better cyber weapons increases.
- Governments, hackers and criminals can keep zero-day exploits in their arsenal to use against targets in the future, although someone else may discover it in the mean time, including the software developer. As such, a highly prized exploit that takes advantage of software used on many computers may be discovered by the software’s manufacture and the security hole patched without them ever knowing anyone else has created a weapon to exploit it. Software developers often buy exploits for their own software from programmers and companies that find them, just as governments and criminals do.
- Cyber weapons can have massive effects with little consequences as their place of origination can be very hard to trace. As such, governments could use them to mold the geopolitical sphere through “black flag” attacks or by weakening other countries financially without having to own up to doing so. They can even build the cyber weapon to make it look like it originated form somewhere else. They are the ultimate stealth weapons.
- Reverse engineering something as complex as an advanced cyber weapon is like peeling an onion. Each layer or component has to be disassembled digitally and inspected to understand how it fits into the weapon’s bigger picture.
- Those countries that are most heavily automated and industrially developed are the most vulnerable to cyber attacks
- Safety via distance and separation from the threat does not exist in cyber warfare.
- Cyber weapons are among the cheapest, most accessible, yet most destructive weapons available today
- There can be obscure but somewhat telling “easter eggs” buried deep within cyber weapons. Stuxnet had these.
- There is often a trade-off between targeting large quantities of machines in hopes of hitting the right ones, against the time till the cyber weapon’s presence is detected and the zero-day exploit is patched rendering it useless.
- Designers of industrial cyber security software have to learn how to defend not just against infiltration, but slight attacks on individual commands that could destroy hardware if they were hijacked. In other words, you do not have to destroy the whole generator by sending its entire operating program into disarray. Instead you just have to command one key element to operates slightly out of spec over time, thus bringing the whole system to its knees through a single pinpoint attack.
- The potential for corporate warfare using cyber weapons exists on many levels.
- Like nuclear weapons, we are naive or even in denial of just how big of a game-changer cyber warfare is, and a cyber arms race is already fully underway.
In the book, Kim Zetter debriefs what one would think is almost un-debriefable. So much information and sourcing is put in front of the reader regarding Stuxnet that it is as bewildering as it is impressive. The book could almost be made in two versions, an abbreviated one that truncates the Stuxnet story to its conceptual elements, as well as featuring the rich background on cyber warfare, and the full version for those who want every detail about Stuxnet’s development and dismantling.
Still, the Stuxnet story is like reading the history of the Manhattan Project just a few years after the first two nuclear weapons were used in Japan. It is an amazing accomplishment and some of the details are fascinating, such as how we built an exact physical copy of Iran’s nuclear research site in order to learn how to exploit it. Or how the U.S. and Israel were behind developing what would become the world’s first advanced cyber weapon.
In the end this book is a must read, even if you skim through some of the more detailed parts to get to the conceptual ones. It serves as both a fascinating history lesson, a conceptual explainer of cyber warfare and as an ominous warning of what may be in our not so distant, ever more automated future.
Rogoway’s Reviews “g-meter” for greatness: 7G out of 9G
It would have been a 8G if it had the Stuxnet story accelerated a bit, allowing it to be cut down by about 25%.
Top graphic credit: Brian Senic