Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
by Kim Zetter
"Countdown to Zero Day is Kim Zetter’s book about Stuxnet, which is the virus that the United States and Israel designed to speed up the centrifuges in an Iranian uranium enrichment facility. It’s a really fascinating book because Stuxnet was one of the first examples of a piece of malware that had very concrete physical ramifications. There are test tubes breaking because the centrifuges are speeding up, and on top of that, it overrode the controls in place to warn that was happening. So, nobody who was monitoring was even aware until suddenly there were all these broken test tubes. As a book, Countdown to Zero Day is a stunning example of a case study, of really diving into a cyber security incident. She takes on very technical material—getting into malware and the question of how these SCADA machines work and how this piece of software compromises them—but then also brings in this really rich and complicated geopolitical conflict that this is happening as a part of.

I also like this book because Stuxnet is a case that stands alone. In my cyber security book, I group the cases I write about according to motivation. Stuxnet doesn’t have any peers, because it’s so unlike anything we’ve seen before or since. She does a great job of drawing out all of the ways this is something a little new and a little different. It’s really richly reported and a fascinating narrative story that draws people into the idea that cyber security is, as you said at the beginning, not just about your antivirus program and annoying warnings on your computer, but actually about how countries and governments make decisions and use force against each other—and what that might look like in the future.

In a weird way, I hope so.
When I look at the Stuxnet story, I think, ‘Here’s a way that two governments in conflict were able to attack each other in a totally nonviolent way.’ If you think of the other ways we’ve thought about dealing with (or even dealt with) other countries’ nuclear programmes in the past—by dropping bombs on uranium enrichment plants—this, to me, seems an example of something very targeted. It was designed to do one very specific operation with fairly little collateral damage. It does end up infecting a lot of other machines, but it doesn’t do a lot to them. Stuxnet wasn’t perhaps quite as contained as we might have liked, and there are lots of things about it that are complicated and ethically fraught, but, to me, the model is one that I could see a lot of countries wanting to pursue, including the US. Instead of launching a very ostentatious public and potentially violent conflict you use computers to try and sabotage some very particular piece of an adversary’s infrastructure. Of course, if you shut down a country’s power grid, there would be more collateral damage, but I thought Stuxnet was a fairly well done operation in that regard. So, yes, I think we’re probably already seeing more of it and I would expect that to continue.

It’s a little harder in North Korea because there’s much less internet infrastructure. What we have seen—and I write about this a little bit in the Sony Pictures case study—is the US basically cutting off North Korea’s access to the outside internet. If you wanted to cut the US off from the internet that would be very hard, because there are a lot of undersea cables and interconnection points. But for North Korea, it’s not hard to do because they only get access through a couple of points in China. You only have to cut off three access points and we have seen that done.
I don’t know beyond that if there’s been a lot of deliberate sabotage of the North Korean infrastructure, not to my knowledge, but there could be lots of things going on I don’t know about. One of the things that’s interesting about Stuxnet is, on the one hand, they never officially acknowledged it. On the other hand, it’s very clear that they want credit for it, so they’re very deliberately leaking, ‘this was us and we want everyone to know we have this capability.’"
The Best Cyber Security Books · fivebooks.com