CYBER WARFARE: Countdown to Zero Day relates the story about Stuxnet, the world’s first public known digital weapon. The book raises important questions about warfare in which we all may become collateral damage.
In January 2010, inspectors from The International Atomic Energy Agency (IAEA) began to suspect something amiss in Iran’s fuel enrichment plant in Natanz. As summer drew closer, a new data virus surfaced at VirusBlokAda, an unheard of anti-virus company in Belarus. One year and a half would pass while information security experts from several countries plied until a connection between Stuxnet and the problems in Iran was detected. This was the first time an employed digital weapon had been uncovered. “Welcome to the cyber war”, Ralph Langner declared in his blog post, which eventually disclosed how Stuxnet functioned.
Kim Zetter: Countdown to Zero Day: Stuxnet and the Launch of the World’s first Digital Weapon, Crown Publishers, 2014
Waging war. Stuxnet was basically waging war, according to writer Kim Zetter. All the while the virus was likely employed in order to avoid an escalation involving conventional arms. In a heightened situation in which the Israelis grew more nervous and pressed for air raids targeting installations in Iran, Stuxnet befitted as a compromise still allowing for negotiations to remain an option. The virus aimed at the industrial control system in order to slowly, but firmly sabotage the centrifuges used to enrich uranium, and thus buying more time. The result was around 1,000 destroyed centrifuges. Zetter surmises that Iran’s nuclear program could have been delayed with approximately 18 months.
Kim Zetter has performed an impressive chunk of research, and imparts meticulously about the discovery of Stuxnet, vulnerable infrastructure and the build out of digital weapons. Still, the Countdown to Zero Day doesn’t quite hit the mark in its present book format. Zetter has attempted to combine technology history with a more thrillerish narrative revolving around security experts who deconstructed Stuxnet, but she gets lost in the details. Often she proves herself unable to contextualize the copious facts into a larger narrative during the process, and a great deal of the information appears detached and repetitive. The downright impression is that she failed to decide which type of book she wanted to write. With a more unsparing editing, this engaging story would have become more defendable. For those who wish to understand how contemporary digital weapons operate, the book is still worthwhile the read.
Makes everyone vulnerable. Digital warfare is essentially different in terms of conventional weapons. A classified Pentagon document from 2003 laid bare that the American armed forces intended to establish cyber warfare as a fifth field of competence, following ground, naval, air and special forces. The advantages can potentially be deemed ample: There are plenty of possible targets of digital attacks, geographic interspace isn’t an impediment, the costs are relatively low, and the methods may seem more palatable to the public resentful of deploying troops abroad. But digital warfare also has its own fallouts. In order to be able to attack an information system, an awareness of security bugs is required, which allows for programming viruses that exploits these bugs. A bug unknown to the manufacturer of the software, which, accordingly cannot be fixed through a software update, is called a “Zero Day”. To proliferate an arsenal of digital weapons, the NSA amasses zero days suitable for a whole range of systems.
The problem arising when collecting zero days is that all information system users become vulnerable targets. Sooner or later someone is bound to expose such security bugs and use them, be it foreign states, criminal hackers or individuals aiming to steal trade secrets. “It’s a model grounded in making everyone vulnerable in order to be able to attack the few – comparable to withhold a vaccine from a whole population in order to cause disease in a few individuals,” Zetter remarks in Countdown to Zero Day. Bearing in mind that digital weapons aren’t restrained by geographical boundaries, they could become widespread over the whole world, including the country that employed them for the first time. One of the idiosyncrasies with digital weapons is the fact that during an attack, the weapon’s code is surrendered. By then, anyone can put the weapon to use. Ralph Langner estimated that it would take around six months from Struxnet was known until an attack based on the replicated Struxnet code occurred.
Digital arms control? Despite Zetter’s thorough effort in documenting and displaying the history of digital weapons, she hardly brings out the discussions that evidently are required. We are talking about methods that perturb systems everyone uses, also crucial functions like hospitals, even though they aren’t intended targets. It will become far more unpredictable and difficult to define what counts as collateral damage following a military attack when digital weapons are used. Zetter relates that Stuxnet by incident may have caused gas explosions in other areas of Iran due to a compatibility problem. Stuxnet was regarded as highly sophisticated and tailored for its targets. If Struxnet caused such inadvertently results, what repercussions would less sophisticated digital weapons entail? And what degree of responsibility do the instigators hold if other operators devise duplicate attacks using the same code?
Export control, too, is a tricky subject insofar as digital weapons are concerned, but Zette bypasses this subject. To locate security bugs in software and make simple virus programs is easily performed by teenagers in their teen bedrooms. How is the border to be drawn between arms and non-arms? Recently a revolt occurred within the information security sphere due to an attempt to obtain knowledge on security bugs in the Wassenaar Arrangement, as it regulates international arms trade and would have damaged the exchange of knowledge and science whose purpose is to fix bugs to increase software security. Knowledge about bugs is an essential part of coding and can scarcely be legislated in the same manner as a tangible weapon. Overall, it’s difficult to envision a sustainable way of keeping the security bugs open and limit the knowledge about them to military forces and intelligence personnel. In any event, it is a debate that ought to take place in the open public, and not in the hallways of the military and intelligence agencies.