“Countdown To Zero Day” describes the new era of war, preparing you for the next attack.

Summary: Five years after Stuxnet first appeared, we have a detailed analysis of its origin (at least, what’s known to the public) in Kim Zetter’s Countdown To Zero Day. Here C. Thomas reviews it, explaining Stuxnet’s importance.

Stuxnet is another American triumph (with Israel’s help). We’re now the first to use both of the revolutionary tools of modern war: nukes and cyberweapons. Also, we’ve copied the fascist powers of WWII by not bothering with a declaration of war against Iran. American exceptionalism! How long until the next such cyberattack? Will we be the aggressor, or the victim? {2nd of 2 posts today.}
Countdown to Zero

“Countdown to Zero Day” is a must-read!

By C. Thomas

This article originally appeared on the Tenable Blog. Reposted here with their generous permission.

Recently there have been several great books that illustrate the importance of information security in today’s world, including Kevin Mitnick’s Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker, Andy Greenberg’s This Machine Kills Secrets: How WikiLeakers, Cypherpunks, and Hacktivists Aim to Free the World’s Information and Brian Krebs’ Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door. Joining the list at the top is Kim Zetter’s Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. The book tells the story (which you probably thought you already knew) of Stuxnet and the geopolitical maneuverings that brought it into existence.

The book is engaging to read and meticulously researched. Zetter not only examines the intricacies of this nation-state sponsored espionage tool but also delves deeply into the finer workings of uranium enrichment centrifuges and their industrial control systems. Along with these technical details, she adds the personal stories of the people who discovered Stuxnet and devoted countless hours to deciphering not just Stuxnet but also its relatives Duqu, Flame, and Gauss. Despite the highly technical subject matter, Zetter weaves an engaging narrative that succeeds in explaining complex systems in ways that can be easily understood without being condescending.

This book is an absolute must-read for anyone even remotely involved in the information security industry, because it looks at an adversary that is seldom seen: the nation-state. Unlike cyber criminals, “hacktivists” or bored teenagers, whose online activities are somewhat easy to discover and decipher, the online operations and capabilities of nation-states have been shrouded in rumor, myth and superstition. It is amazing that Zetter was able to obtain this much detail about what was most likely a top-secret government operation that is arguably less than 5 years old. Thanks to Zetter and “Countdown to Zero Day,” we now have a baseline from which to forecast potential nation-state capabilities today and into the future.

Computer Virus

While reading the book, I was initially dismayed by the reverence she has for the anti-virus companies involved. But then I realized that it was the anti-virus companies, and their willingness to delay work on other malware, that allowed the researchers to discover exactly what Stuxnet was trying to do.

Stuxnet was obviously not a random piece of banking malware designed to siphon off credit card numbers; but beyond developing a signature to add to their anti-virus products, the AV companies were under no obligation to reverse engineer Stuxnet and its relatives to the level that they did. Without the willingness of these companies and the dogged determination of their researchers, we may still be blissfully unaware of what digital lengths governments will go to in order to accomplish their goals.

Zetter makes extensive use of footnotes throughout the book, illustrating just how much work went into peeling back the layers of this intricate story. On the one hand, I appreciate her detailed documentation of facts and sources, but in several cases a footnote becomes more than just a source citation and fills half a page with a full explanation. I found this level of footnoting to be distracting from the story; I had to stop reading the main page to read the small print of the footnote. I wish that the information contained in the longer footnotes were integrated into the main story. But I am glad that I read the actual paper version of the book; if I had listened to the audio book, I would have missed much of this important detail.

When news of Stuxnet first broke, many people dismissed it as not important. Even when evidence indicated that Stuxnet had to have been sponsored by a government, many people just shrugged and said, “Well, we figured they were doing that anyway.” Such a lackadaisical attitude greatly oversimplifies the competencies and resolve that went into making Stuxnet — competencies and resolve that happened at least 5 years ago.

As professionals working in the information security industry, we must now ask ourselves just how much further governments have come in the last 5 years, and where they will be 5 years from now. So little is known about the online activities of nation-states, but the examination of Stuxnet and its relatives now gives us a solid baseline from which we can extrapolate potential future activities.

Pearl Harbor
This time we struck first, without warning. The next one might be larger.

And what about the next time? It has been almost 5 years since Stuxnet was first discovered, and while there have been additional discoveries of Stuxnet-related malware, no further samples of different nation-state sponsored malware have been found. It would be naive to think that Stuxnet was a one-and-done type of operation. Countries are constantly accusing other countries of attacking their electronic infrastructure. Either the information security industry has gotten really bad at finding this type of malware, or governments have gotten really good at hiding it.

As industry professionals, we must ask: what is our role in all of this? The researchers interviewed by Zetter said that they were never pressured to withhold their information or slow their research by any government. Will that be the case the next time around? Are industry professionals obligated to protect our customers or our governments? Is it our duty to search for and find government electronic espionage tools, potentially blowing the cover off top secret multi-million dollar operations? Or should we leave geopolitics to the spies and politicians, and just keep our focus on the cyber criminals, “hacktivists” and bored teenagers?

Further reading: If you are interested in nuclear proliferation, the story of how we got to where we are now, and how we have almost blown ourselves up several dozen times, I highly recommend Eric Schlosser’s “Command and Control.” It makes a great introductory piece to Zetter’s “Countdown to Zero Day.”

Copyright © 2015, Tenable Network Security, Inc. All rights reserved.

——————————————

C. Thomas

About the author

With more than two decades of experience, C. Thomas commands an uncanny ability to link disparate events, read between the lines and distill complex, technical information into readily understandable, accessible and actionable intelligence.

Eager to share his wealth of knowledge on security trends, he has testified before the U.S. Senate Committee on Homeland Security and Governmental Affairs, and has been interviewed by media organizations such as Wired, MSNBC and even MTV. Before joining Tenable, he produced the SpiderLabs Radio weekly news podcast and served as editor for the Hacker News Network (now down).

As a Strategist with Tenable Network Security, he helps clients understand how to apply the unique advantages of continuous monitoring as well as how to meet compliance and security challenges.

See his website Space Rogue.

For More Information about the book

Here’s an excerpt from the book: “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon” at Wired, 3 November 2014. Also see this excerpt from The Economist’s review:

But the book deserves a wider audience for its sobering message about the vulnerability of the systems — train lines, water-treatment plants, electricity grids — that make modern life possible. These industrial control systems are increasingly hooked up to the internet, allowing remote access. Passwords are seldom changed from the systems’ defaults. Security updates are rare. Firewalls and network logs are inconsistent. Warnings are ignored. Little surprise, then, that researchers have been able to simulate shutting down energy grids, infiltrating water plants and destroying generators. A 14-year-old in Poland derailed four trams in 2008. Another teenager took down communications at a Massachusetts airport. Utilities today encourage the use of internet-connected “smart meters” in homes. The attackers of tomorrow could very well use them to black out entire cities.

Despite the opportunity, the world has yet to see a sequel to Stuxnet. But “given the varied and extensive possibilities for conducting such attacks,” Ms Zetter writes, “…it is only a matter of time until the lure of the digital assault becomes too irresistible for someone to pass up.” Containing this new proliferation will be even harder. It takes money, raw materials and large facilities to develop nuclear weapons. A cyberwarrior needs only a computer and an internet connection to wreak havoc.

Other reviews of this book: Washington Post, Wall Street Journal, International Affairs Review. For a better perspective, read this March 2003 PBS interview with John Arquilla (Assoc Prof, Naval Postgraduate School), who coined the term “cyber war”. He describes us only as a target. Did it occur to him that we might unleash the first major cyberattack?

For more information about Stuxnet

See Marcus Ranum’s analysis: Cyberwar: About Stuxnet, the next generation of warfare? (and the useful references at the end). Also see the Wikipedia entry.

See all posts about cyber-war, cyber-espionage, and cyber-crime, including those about the Sony hack plus series by Edwin Covert and Marcus Ranum.

See the posts describing the facts and lies about Iran’s nuclear program.

Cyberwar is war.

Wars often start small amidst dreams of easy victory, but end differently.

Cyber Command

5 thoughts on ““Countdown To Zero Day” describes the new era of war, preparing you for the next attack.”

  1. Why are you surprised? This is old news. Plus the implications are worse for the US than just about anywhere else in the world.

    This is so much like Kerry getting together with the Sauds (now multiple confirmed) to lower the price of oil and hurt Iran and Russia….own goal, they will survive far longer than the shale/fracking/etc oil in the US.

    Does Kerry care, or the neo-cons, or Obama? Nope. Does Wall St (as long as it gets a heads-up to make money out of it)? Nope.

    Arguably the US is the most vulnerable place on the planet for this sort of attack. US corporations, being corporations, will use the cheapest methods possible for comms. Yes they could use dedicated lines, yes they could use this and that and be far safer…but if it affects a CEO’s money..it will not happen.

    So when Stuxnet, redoubled, hits the US (and that can’t be long now) there will be havoc….I think ‘idiots’…but collateral damage on US citizens seems to be a long-standing desire amongst the M/I/economic/etc elites..as Boyd said, keep the money flowing, if that means a few proles get the bullet..who cares..

    I will expand on this later: what happens when the economic elites pay nothing towards the M/I ones (reality now, you are all just thick cheap thugs as far as they are concerned)? Where will they find their money from when the whole Ponzi scheme dies?

    1. Lisa,

      “This is so much like Kerry getting together with the Sauds (now multiple confirmed)”

      What are these “multiple confirmations”? The reliable accounts I’ve seen, such as the WSJ (http://www.wsj.com/articles/deal-with-saudis-paved-way-for-syrian-airstrikes-1411605329) and the Financial Times, either don’t mention oil or do so only slightly.
