Book Review: Countdown to Zero Day
Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. By Kim Zetter. Crown Publishing Group; penguinrandomhouse.com; 448 pages; $16.
In June 2010, a computer security company in Belarus discovered a computer worm that attacked a specific industrial control system at the Natanz uranium enrichment facility in Iran. This worm was different from anything seen before. Because it could actually destroy equipment, the impact was felt around the world as the implications of its deployment became clear.
Although we all use information-processing computers, we aren’t as aware of the industrial control systems that make life run smoothly. They run our kitchen appliances and furnaces, as well as power plants, water treatment facilities, factories, and air traffic control systems. They are also used in uranium enrichment facilities.
The risk to the public is that the specialized computers that run this equipment are vulnerable to malicious computer code. Prior to Stuxnet, security professionals were concerned that someone could hack into systems to destroy or degrade them, but the risk remained theoretical. Once Stuxnet was discovered, that risk became very real.
Journalist Kim Zetter’s account of the malware in Countdown to Zero Day is remarkable. It is a deeply interesting technological detective story; a detailed account of Iran’s nuclear enrichment capability; a forensic examination of Stuxnet and its associates DuQu, Gauss, and Flame; an excellent look at the vulnerabilities of industrial control systems; an accounting of the unacknowledged covert project by the United States (and possibly Israel) that created Stuxnet; and a hard look at the prospects and consequences of cyber warfare. The book is readable, flows quickly, and is astonishing for the level of detail through which the author skillfully leads the reader.
The book’s greatest value may lie not in what it says about Stuxnet, but in its warnings about cyber warfare. Zetter points out, “When you launch a cyberweapon, you don’t just send the weapon to your enemies, you send the intellectual property that created it and the ability to launch the weapon back against you.”
She draws parallels with other weapons of mass destruction: cyber, biological, and chemical weapons that can spread to include unintended targets. Like the atomic bomb, this cyber weapon was first used with little understanding of its consequences and without a treaty limiting its use. The book ends on a cautiously optimistic note: five years later, Stuxnet appears to be the only known use of a cyber weapon, although that could change in an instant.
This book is recommended for anyone, beginner to advanced, interested in the protection of industrial control systems, cyber warfare, or critical infrastructure protection.
Reviewer: Ross Johnson, CPP, is the senior manager of security and contingency planning for Capital Power. He is an ASIS council vice president and the author of Antiterrorism and Threat Response: Planning and Implementation. He is an executive committee member of the North American Electric Reliability Corporation’s Critical Infrastructure Protection Committee, and recently visited Israel with a delegation from the Canadian Electricity Association to discuss cyber issues with Israel’s National Cyber Bureau.