Saturday, February 7, 2015

Book Review: Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (2014) by Kim Zetter

Executive Summary

Operation Olympic Games is the US military code name that refers to the first ever act of real cyber warfare. Many journalists have told bits and pieces of the story since the attacks became public in 2010, but none have come close to telling the complete story. In Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, Kim Zetter changes that situation. She takes an extremely complicated subject in terms of technical detail, political fallout, and philosophical conundrums and makes it easy for the security practitioner to understand. It is a masterful bit of juggling and storytelling. It is cyber-security-canon worthy, and you should have read it by now.

Introduction

Kim Zetter has been at WIRED magazine since 2003 and has become one of the cyber security community’s go-to journalists to explain what is really happening within the space. When I heard that she was writing a book about the Stuxnet attacks, I was thrilled. I knew if anybody could take on this complicated subject, Zetter could. One of the annoying truisms of keeping up with cyber security events in the news is that journalists rarely go back and attempt to tell a complete story. When cyber security events occur — like the Target breach, the Sony breach, and the Home Depot breach, to name three — news organizations print the big headlines initially and then trickle out new information over the next days and weeks as it becomes available. For cyber security professionals trying to keep up to date on industry news, we rarely get the opportunity to see the big picture in one lump sum. We are not going to get that kind of story in a news article. You need a book to cover the detail, and there have been some good ones in the past. Mark Bowden’s Worm — about the Conficker worm and the cabal that tried to stop it — is one good example.[1] Another is The Cuckoo’s Egg, which is about the first publicly documented cyber espionage attack in the late 1980s.[2] Zetter’s book Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon is the latest in the line, and it is really good.[3]

The Story

Operation Olympic Games is the US military code name that refers to the first ever act of real cyber warfare. Many journalists have told bits and pieces of the story since the attacks became public in 2010, but none have come close to telling the complete story. In June 2012, David E. Sanger published an article in The New York Times proclaiming for the first time that the United States, in conjunction with Israel, was indeed behind the infamous Stuxnet malware attacks that targeted the Iranian nuclear enrichment plant at Natanz.[4] Sanger followed that article, along with others, with his book Confront and Conceal: Obama’s Secret Wars and the Surprising Use of American Power.[5] In his articles and this book, he gave details about the cyber operation called Operation Olympic Games, which I consider to be the first act of cyber warfare in the world. Because the story was so new and so complicated, many of the technical details surrounding the attacks did not fully emerge until well after Sanger published his book. I have tried to keep up with the story myself over the years and even presented versions of it at DEF CON[6] and RSA,[7] but I do not have the journalistic chops to tell the complete story, and this is where Zetter’s book shines. Whereas Sanger’s book focused on the US foreign policy implications of offensive cyber warfare using government insiders as the main source, Zetter’s book fills in the technical story behind the attacks by interviewing everybody in the public space who was involved in unraveling the Stuxnet mystery. Zetter writes clearly and succinctly about the timing of key researchers discovering new facts, describes how the researchers determined when the attackers first used key pieces of the attack code, and then feathered those technical events with what was happening in the political arena at the same time. It is a masterful bit of juggling and storytelling.

The Code

Because of Countdown to Zero, we now have a complete picture of how the attack code worked. Zetter goes into great detail about how the malware proliferated within the Iranian power plant at Natanz and after it escaped into the wild. She puts to bed the question of how many zero-day exploits the attackers used in the complete code set, what they were, and how effective they all were. She covers all of the versions of the malware, from Stuxnet to DuQu to Flame to Wiper. She even covers some of the tools of the trade that the researchers used to decipher the code base.

SCADA

In Countdown to Zero, Zetter explains the significance of the critical and mostly unsecured supervisory control and data acquisition (SCADA) environments deployed in the United States today. These systems automatically control the flow of all power, water, and gas systems used within the United States and throughout most of the world. According to Zetter, 

“There are 2,800 power plants in the United States and 300,000 sites producing oil and natural gas. Another 170,000 facilities form the public water system in the United States, which includes reservoirs, dams, wells, treatment facilities, pumping stations, and pipelines. But 85 percent of these and other critical infrastructure facilities are in the hands of the private sector, which means that aside from a few government-regulated industries—such as the nuclear power industry—the government can do little to force companies to secure their systems.”[3]

In my experience, the SCADA industry has always been at least 10 to 15 years behind the rest of the commercial sector in adopting modern defensive techniques, and Zetter provides a possible explanation for this delay:

“Why spend money on security, they argued, when none of their competitors were doing it and no one was attacking them?”[3]

The significance of that statement becomes obvious when you realize that the same kinds of programmable logic controllers, or PLCs, that the United States exploited to attack Iran are deployed in droves to support the world’s own SCADA environments. The point is that if the United States can leverage the security weaknesses of these systems, then it is only a matter of time before other nation-states do the same thing and the rest of the world is no better defended against them than the Iranians were.

The Philosophical Conundrum

In a broader context, Countdown to Zero highlights some philosophical conundrums that the cyber security community is only now starting to wrestle with. We have known about these issues for years, but Zetter’s telling of the story makes us reconsider them. Operation Olympic Games proved to the world that cyber warfare is no longer just a theoretical construct. It is a living and breathing option in the utility belt for nation-states to use to exercise political power. With Operation Olympic Games, the United States proved to the world that it is possible to cause physical destruction of another nation-state’s critical infrastructure using nothing but a cyber weapon alone. With that comes a lot of baggage. 

The first is the intelligence dilemma. At what point do network defenders stop watching adversaries misbehave within their networks and act to stop them? By acting, we tip our hand that we know what they are doing and how they are doing it. This will most likely cause the adversary team to change its tactics. Intelligence organizations want to watch adversaries as long as possible. Network defenders only want to stop the pain. This is an example of classic information theory. I first learned about information theory when I read about the code breakers at Bletchley Park during WWII. Because the Allies had broken the Enigma cipher, the Bletchley Park code breakers collected German war plans before the German commanders in the field received them, but the Allies couldn’t act on all of the information because the Germans would suspect that the cipher had been broken. The Allies had to pick and choose what to act on. This is similar to what the Stuxnet researchers were wrestling with too. Many of them had discovered this amazing and dangerous new piece of malware. When do they tell the world about it?

The next conundrum involves the national government and vulnerability discovery. Zetter discusses the six zero-day exploits used by Operation Olympic Games in the attacks against Iran. That means that the US government knew about at least six high-impact vulnerabilities within common software that the entire nation depends upon and did nothing to warn the nation about them. If another attacker decided to leverage those vulnerabilities against the United States’ critical infrastructure in the same way that the United States leveraged them against Iran, the results could have been devastating. The nation’s ethical position here is murky at best and criminal at worst. Added to that is the well-known practice of the private sector selling zero-day exploits to the government. Should the government even be in the business of buying weapons-grade software from private parties? Zetter offers no solutions here, but she definitely gives us something to think about.

Conclusion

Zetter fills in a lot of holes in the Stuxnet story. In a way, it is a shame that it has taken five years to get to a point where the security community feels like it understands what actually happened. On the other hand, without Zetter putting the pieces together for us, we might never have gotten there. I have said for years that the Stuxnet story marked the beginning of a new era for the cyber security community. In the coming years, when it becomes common practice for nation-states to lob cyber attacks across borders with the intent to destroy another nation’s critical infrastructure, we will remember fondly how simple defending the Internet was before Stuxnet. Zetter’s book helps us understand that change. She takes a complicated subject and makes it easy to understand. Her book Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon is cyber-security-canon worthy, and you should have read it by now.

Sources

[1] “The Cybersecurity Canon: Worm,” by Rick Howard, Unit 42, 4 February 2014, last visited 25 January 2015,

[2] “The Cybersecurity Canon: The Cuckoo’s Egg,” by Rick Howard, Unit 42, 24 December 2013, last visited 25 January 2015,

[3] “Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon,” by Kim Zetter, Published by Crown, 11 November 2014, last visited 25 January 2015,

[4] “Obama Order Sped Up Wave of Cyberattacks Against Iran,” by David E. Sanger, The New York Times, 1 June 2012, last visited 25 January 2015,

[5] “The Cybersecurity Canon: Confront and Conceal,” by Rick Howard, Unit 42, 7 January 2014, last visited 25 January 2015,

[6] “Defcon-19-an-insiders-look-at-international-cyber-security-threats-and-trends,” by Rick Howard, DEF CON 19, 6 August 2011, last visited 25 January 2015,

[7] “Operation Olympic Games Is the Tom Clancy Spy Story that Changed Everything,” by Richard Howard, RSA Conference 2014, 28 February 2014, last visited 25 January 2015,
