Reading Kim Zetter’s “Countdown to Zero Day”

You might not find it shocking news that there is a digital arms race going on between the intelligence agencies of nation-states like the US and other countries. Either you knew, or you expected it, or you wondered why you should care about this stuff at all. In all three cases I think you should read Kim Zetter's Countdown to Zero Day. It is the trademark of a good nonfiction book that it takes something which is unjustly on the fringe of public attention and puts it in the spotlight. Zetter's page-turner does this for cyber warfare and, almost in passing, she unpacks many questions we should have been asking for a long time. Recognizing the cliché, Zetter calls Stuxnet, the computer program that takes the lead role in her book, a game changer. It is my best hope that her book will be just that for the public debate about digital warfare and the cyber security of our physical world. Contains spoilers.

Hackers call a security vulnerability that is still unknown to the software's maker, and therefore unpatched, a 'zero day'. An exploit for one is valuable precisely because no fix exists yet and signature-based virus scanners have nothing to match it against. Zero days are rare: finding and weaponizing one takes much time and skill, and buying one on the grey or black market costs a lot of money. Most creators of malware do not bother to go through this effort; they exploit known, already patched vulnerabilities and simply hunt for victims who have not installed the patches or updated their virus scanners yet. As it turns out, however, there are new players in cyberspace that have both the motive and the means to create zero days.

The book revolves around the discovery of Stuxnet, a sophisticated worm first noticed by an antivirus company in 2010 (its earliest known versions date from 2007). It soon turned out that Stuxnet exploited not one but four zero days; a vertiginous number, considering just how rare zero days are. In the book we get a peek over the shoulders of the Symantec team that studied Stuxnet for several months. They slowly unmasked the mind-boggling worm as a subtle sabotage tool, aimed at slowing down Iran's uranium enrichment program. Worse, it turned out to be part of a suite of digital weapons, attributed in the book to the governments of the US and Israel. Stuxnet formed the opening shot of a completely new type of warfare, starting in the digital realm but perfectly capable of doing a lot of damage in the real world. It was a program of many firsts, and of many wake-up calls.

How can a worm cause physical damage to an industrial uranium enrichment plant? Such plants are controlled by computers. The computers that control power plants and production facilities are specialised industrial controllers called PLCs (programmable logic controllers), programmed from ordinary Windows engineering workstations. Stuxnet compromised those workstations and, through them, fed the PLCs malicious code. Such code can disrupt the measurement and control loops managing, for example, gas pressure and temperature in a chemical factory, causing serious industrial accidents, blowing up machines or destroying a factory in some other way. For Stuxnet's disruption of Iran's uranium enrichment program the sabotage had to be much more subtle. Stuxnet periodically changed the frequency of the drives spinning the centrifuges that enrich uranium gas, disrupting the enrichment process and increasing the chance that the centrifuges would break, while the operators' screens kept showing normal readings.

Stuxnet's proof of concept for digital-physical sabotage should make us think about how safe our own (nuclear) power plants, chemical factories and other partly computerized systems are. The sobering answer is: very unsafe. Subtle sabotage like Stuxnet's did require detailed knowledge of both the programming environment of the specific PLCs and the real-world processes these control. But a crude attack that simply disrupts a controller is much, much easier, and PLC security has not been a priority of the companies that produce them, because malware targeting PLCs is new to the world. In other words: the safety of much of our heavy industry and public transport relies on control processes that can be disturbed easily.

But it doesn't stop at industrial sites. It doesn't take much imagination to see where this is heading now that the internet of things is becoming reality. One of the side stories in Zetter's book, for example, deals with smart electricity meters. A virus can shut them down and disable remote updates. The effect could be a city out of power, which could only be remedied by replacing the smart meters in a door-to-door program. As more and more of our equipment gets digital control and network connectivity, it becomes vulnerable to cyber attacks. Anything 'smart' can be hacked. It is likely only a matter of time until we see hacked electricity meters, traffic lights, TV sets, cars, coffee makers, toothbrushes and light bulbs. A foreign government will not likely be the one creating those attacks, but others can, and will.

What should we think of hacking governments? Zetter's book effectively debunks the myth that hacking is the domain of Russian criminals seeking a quick buck. The sophistication of Stuxnet showed that digital weaponry is a 'power game' for which only governments currently have the knowledge and resources. Digital weapons have a dangerous weakness, though: they can be copied. It didn't take long before other malware started using Stuxnet's zero days, and the same can be done with the sabotage code. The Stuxnet worm was difficult to create, but compared with a missile launcher or a nuclear missile it is much easier to copy, adapt and remix a digital weapon into a different one. Besides, anyone infected has a copy of the code. So while the creation of a novel (type of) digital weapon requires much specialized knowledge, time and effort, making a rip-off is easy, at least in comparison.

So Zetter probes the ethics of digital espionage, sabotage and warfare and asks what ends might justify the means. What justifies undermining the trust of the customers of Microsoft, Siemens and the anti-virus vendors? Releasing something that could boomerang back on the state that built it? Opening an arms race in digital-physical warfare, considering that the most networked countries are the ones with most to fear and to lose in case of total cyberwar? Zetter presents a balanced view of these questions and leaves them open for debate.

My answer would be a simple no, though. The risk of others developing a weapon is often used to justify creating something much worse; the atomic bomb is a vivid example. If cyber weapons can be used by any skilled hacker, the drawbacks of a digital arms race will most certainly outweigh its benefits. In this sense it is telling and ironic that the first digital warrior was created to provide military backing to the nonproliferation treaty.


Reading more

If this wasn't clear yet: I certainly recommend reading the book Countdown to Zero Day.

I wrote about a more innocent digital arms race, in my post Collateral Damage of the Robots Race on the Web. Other book reviews include those of The Information, Simians, Cyborgs and Women and Metaphors We Live By.
