Book Report: Countdown to Zero Day

Kim Zetter's book on Stuxnet sheds light on esoteric areas like malware analysis, process automation, and cyber war.

When you work in the cybersecurity domain you face some daunting challenges. For one thing, cybersecurity is always changing – there are new offensive and defensive tactics, techniques, and procedures (TTPs) emerging constantly that you try to keep up with. For another, cybersecurity is an extremely broad topic, spanning technology, regulations, law enforcement, geo-political conflict, critical infrastructure, etc.

When people ask me how to learn about disparate cybersecurity topics, I reply with a single word – “read.” More specifically, I recommend that they go to their public library and take out one of the many fantastic books written in the past few years on malware (Worm, by Mark Bowden), cybercrime (Kingpin, by Kevin Poulsen), hackers (We Are Anonymous, by Parmy Olson), cyberwar (Cyberwar, by Richard Clarke), etc. There are loads of other good books available by authors like James Bamford, Steven Levy, John Markoff, Kevin Mitnick, Bruce Schneier, and Cliff Stoll as well.

Along these lines, I highly recommend that all cybersecurity professionals and students alike read Countdown to Zero Day (Stuxnet and the Launch of the World’s First Digital Weapon) by Kim Zetter. By taking on Stuxnet, Countdown examines cybersecurity across technical, legal, geo-political, and critical infrastructure areas simultaneously. Yes, this is an ambitious task, but Zetter pulls it off and sheds enough light on these disparate areas to create a cohesive, insightful, and educational story.

Fair warning: Countdown meanders through some obscure topics that can be especially challenging to follow. Since I’m not a nuclear physicist, there were details about centrifuges and uranium enrichment that were all but Greek to me. Furthermore, the book is chock full of footnotes (often several on each page) that can be distracting. In spite of this, I learned a lot and really enjoyed Countdown. Here are a few of my take-aways:

  1. Countdown provides a lot of detail about Stuxnet – its evolution, exploit techniques, payload, actions (i.e. how it slowly sabotaged the Iranian facilities), etc. I knew some of these things before, but learning more about Stuxnet made me realize the mad-science nature of the project. Stuxnet is extremely impressive and frightening at the same time. Countdown also explores Stuxnet’s kissing cousins, Duqu and Flame.
  2. Like Worm (by Mark Bowden), Countdown brings in the human element by following the malware research performed by individuals at Kaspersky Lab, Symantec, and a small German firm. It tracks their progress as it evolves from intellectual curiosity to the realization that they had stumbled upon an act of cyber war.
  3. You can’t read Countdown without becoming more paranoid about a cyber-attack on critical infrastructure. Yes, Stuxnet was an exceptionally sophisticated piece of code written by people who knew Windows, Siemens PLCs, and other details about the enrichment facility in Natanz (Iran). Thus, Stuxnet operations required knowledge, resources, and tremendous skill. That said, Stuxnet was designed to remain invisible so it could continually sabotage the facility for years without being detected. You can’t help thinking that a less patient adversary could launch a Stuxnet-lite attack on critical infrastructure and achieve widespread physical damage in a short amount of time.
  4. Countdown takes you into the deep, dark world of the zero-day vulnerability market and explores the legal and moral issues around this practice. There is a fundamental conflict of interest here that requires more public debate. After all, how can President Obama push for $16 billion for cybersecurity in his 2016 budget when the U.S. government is actively hoarding zero-day vulnerabilities rather than working with software vendors to fix these problems?

Finally, Countdown really makes you wonder just how aggressive the US and other nation-states are in terms of offensive cyber operations. There are no Geneva Convention rules of engagement for cyberwar, and I don’t see any on the horizon. This book makes you wonder if there are those in Washington, the DOD, and the NSA who remain dogmatically focused on cyberwar offense even as US critical infrastructure remains extraordinarily vulnerable to attack.

In summary, I found Zetter’s book both entertaining and educational – I learned a lot by reading it. If you are passionate about expanding your knowledge of the many facets of cybersecurity, you should read it too.