Count Down to Zero Day: Stuxnet Book Review

Kim Zetter does her job very well with Countdown to Zero Day, (with the exception of that title). Zetter’s work is so well researched and analyzed that she has taken one of the most unapproachable, and to many boring topics, cybersecurity, and has made it…dare I say it…sexy? With the pulse and tempo of a James Bond film, complete with shadowy villains, larger than life heros, and international espionage, but as her innumerable sources and footnotes attest, this is no movie. Zetter tells an exciting and engaging tale that she is uniquely qualified to tell. Her journalistic career began at the Jerusalem Post, speaks Hebrew and English, and has been reporting on the world of computer hacking and technology since 2003.

Like any good spy novel, it starts off slow, introducing the characters and providing background to give you context. Zetter creates a slow buildup by starting in the middle of the story, and in the middle of Netanz Uranium Enrichment. The IAEA inspectors are seeing an unaccountable number of centrifuges failing. Fast-forward six-months and an unrelated computer virus found in another part of Iran is being dissected by a Belarussian firm that only knew that the code they were looking at was incredibly complex, but soon learned that what they had stumbled upon was the world’s-first cyber weapon. The first shot in an ongoing clandestine cyber war.

The author goes on to detail the work of numerous teams across the world, from Kaspersky, Symantec, and others at times working in parallel, at other times against one another, uncovered the truth. That multiple teams with the expertise and resources of a nation-state(s). Developed numerous versions of a precision cyber weapon that could spread endlessly thanks to the inclusion of 5 distinct ZERO DAY, unpatchable vulnerabilities at the core of the function of the Windows operating system.

It is fascinating how Zetter connects the planning, development, and deployment of the Stuxnet attack to both the Bush and Obama White House, and less directly to the NSA, CIA, and Israeli Defense Force Unit 8200. As a not-so-casual observer I would LOVE to know more about the TOP SECRET development of this code and how it was clandestinely deployed, despite its target being on an air-gapped, non-internet connected network. But Zetter does such an astute job of connecting so many of the previously unreported details, I cannot complain.

One of the great values with which Zetter leaves the reader is the danger inherent in the dark and murky world of the cyber vulnerability and exploit trade. The ramifications of the governments of the world competing to purchase and keep secret vulnerabilities in software used by billions of consumers, millions of private companies, and every piece of critical infrastructure that enables the electrical production, fuel distribution, and telecommunication of our modern society cannot be overstated. She advocates for a more robust national discussion on the subject, with such a rational and common-sense argument, it is difficult to formulate a counter-argument.

We standby as security professionals to protect and defend it all. It would be nice if our governments did not passively maintain vulnerabilities to enable their intelligence and military goals in cyberspace, but I understand why they are hesitant to cead their advantages.