COUNTDOWN TO ZERO DAY
Stuxnet and the Launch of the World’s First Digital Weapon

By Kim Zetter

Crown. 433 pp. $25

Dina Temple-Raston is the counterterrorism correspondent at NPR. She has written four books and just returned from a Nieman fellowship at Harvard University, where she studied the intersection of big data and intelligence, and its effects on privacy.

As you turn the last page of Kim Zetter’s new book about the worm and virus that sabotaged Iran’s nuclear program, don’t be surprised if you find yourself starting to mull over a career change. Is it too late to leave radio journalism or accounting or (you fill in the blank) to become someone who not only discovers a new breed of digital weapon but also reverse-engineers it? In this case, the digital weapon is Stuxnet, a malware virus let loose in an Iranian nuclear facility four years ago. And the mere fact that I contemplated going from journalist to computer nerd should tell you something about Zetter’s ability to turn a complicated and technical cyber-story into an engrossing whodunit.

Zetter is a senior writer at Wired magazine, and in her capable hands readers of “Countdown to Zero Day” will find themselves rooting for the guys everyone loved to hate — or at least I loved to hate. (You remember them: those high school mathletes who handed their completed calculus tests to the teacher while the rest of us were still struggling with the first problem set.)

Exhibit A: a 39-year-old biology and genetics major out of UCLA named Eric Chien, one of Zetter’s international cyber-detectives. As he describes it, the job came to him by accident. In the 1990s, he decided to follow a few friends to a fledgling computer security firm called Symantec. The company was in the forefront of the effort to find those viruses that attached themselves to programs to infect a computer.

“Cybersecurity was still a nascent field and it was easy to get a job without training or experience,” Zetter writes about Chien’s early career choice. “Chien knew nothing about viruses at the time but he taught himself X86 assembly, the programming language most malware is written in, and that was enough.” The best analysts weren’t computer engineers anyway, Zetter maintains. Engineers built things. Virus sleuths tore things apart.

In the late 1990s, malware or virus analysts were like the Maytag repairman, just waiting for something to break down. Malware, viruses and worms (a worm is a kind of virus that copies itself and travels quickly from computer to computer) were rare.

What a difference a decade can make — by 2009, there were not enough hours in the day for Chien and a small team at Symantec to decipher malware programs bent on stealing information from unprotected computers. The company now has security researchers throughout the world working around the clock.

Initially, what made Stuxnet different from other malware programs was that it used a “zero-day exploit,” which is like a back door into a computer. It is a virus or a worm that can take advantage of a vulnerability in software that others, including the software’s creators, have not discovered yet. Zero-day exploits are rare because software creators work hard to ensure they release programs that don’t have those kinds of vulnerabilities. That’s why the discovery of one sends a frisson through security analyst networks. What’s more, zero-day exploits can fetch hundreds of thousands of dollars on the black market, depending on what they might allow a hacker to do. So when one is discovered in malware, it suggests a higher purpose, something beyond a cyber-criminal hoping to vacuum up credit card numbers.

Eventually Chien and other analysts around the world found not just one zero-day exploit in Stuxnet but a handful of them. That only intrigued them more. They had no idea who had written it, or why, but they were determined to find out. That’s the story at the heart of “Countdown to Zero Day” — how analysts from Belarus to California collaborated to piece together who created and launched the world’s first digital weapon.

To readers of David Sanger’s “Confront and Conceal,” a lot of this material will seem familiar. In fact, Zetter footnotes and quotes from Sanger’s Stuxnet coverage liberally. Like Sanger, Zetter was on the front lines of the Stuxnet story as it was unfolding. But her book goes beyond simply explaining how the worm came to life.

Before Stuxnet, most of America’s military and intelligence cyber-operations focused on stealing or distorting data, or used cyber-tools to help direct U.S. weapons. Stuxnet was envisioned by U.S. officials as a replacement for a conventional weapon. Using a computer virus or worm to gum up the works of something from within would provide an alternative to, say, destroying a nuclear facility from the air. Stuxnet appears to have done that. “Stuxnet stands alone as the only known cyberattack to have caused physical destruction to a system,” Zetter writes.

Cyber-geeks will tell you that the computer code behind Stuxnet was a thing of beauty. The worm targeted specific Siemens industrial control systems loaded with a particular software package. It would initially spread indiscriminately, but if it didn’t find the specific software application it was looking for, it would turn itself off and move on to the next machine.

Zetter says the lead architect of Stuxnet was Gen. James “Hoss” Cartwright when he was the head of U.S. Strategic Command. (Known as President Obama’s “favorite general,” Cartwright lost his security clearance in 2013 amid allegations that he leaked national security information.) According to Zetter, programmers at the National Security Agency who later worked with Israel Defense Forces Unit 8200, known as Israel’s functional equivalent of the NSA, developed the code. Once the code was put together, it was passed to the CIA for implementation.

Zetter writes that there was some hand-wringing from George W. Bush administration officials about implementing the program. But the wariness had less to do with the sabotage they hoped to inflict on Iran than with the possibility that the NSA’s offensive cyber-capability might, for the first time, be exposed. “The problem with using a cyberweapon,” Zetter writes, quoting a former CIA agent, is that “once it’s out there, it’s like using your stealth fighter for the first time — you’ve rung that bell and you can’t pretend that the stealth fighter doesn’t exist anymore.”

Which leads to the biggest surprise in the book — that there haven’t been more cyberattacks like Stuxnet. Zetter believes that the worm was so successful that other, similar cyberattacks may be only a matter of time. But as far as we know, they haven’t happened yet. That said, after reading the immensely enjoyable “Countdown to Zero Day,” whenever I run across a news account of a computer malfunction, I wonder, might it be a zero-day attack in disguise?

In a top-secret October 2012 presidential directive leaked by former NSA contractor Edward Snowden, Obama ordered senior national security and intelligence officials to produce a list of foreign targets — systems, processes and infrastructures — for possible cyberattack in the future. The age of digital warfare may well have begun.