In Countdown to Zero, Kim Zetter describes a 2010 cyberattack on the Iranian nuclear program. In a brilliant piece of computer engineering, the control units for centrifuges that enriched uranium were forced to slow and fail. The attack was so carefully planned that even after it began the Iranians were initially unable to diagnose the problem. The book itself is well written and carefully researched. Zetter did extensive interviews in the cybersecurity community to understand how people identified and studied this particular worm. This work is detailed in extensive footnotes, which will lead a curious reader down interesting paths. Zetter carefully describes the technical issues involved in the attack, without letting this detail impede the storyline. Overall, this is a masterful work of narrative non-fiction, which engages the reader in a highly complex topic.
One of the book’s strengths is that it focuses not only on the actual attack itself, but also on the geopolitical context that pushed its designers (almost certainly the United States and Israel) to turn to cyber-warfare. The Iranian centrifuges were buried under rock in hidden and heavily guarded locations. For this reason, the actual code was spread by USB sticks, which targeted one particular piece of German-made equipment. The precision of the attack was amazing, and it accomplished what would have been very challenging to do by conventional military means. In light of the recent Iranian nuclear deal, one can also argue that the attack was a success, in that it delayed Iranian work long enough for diplomacy to take place.
At the same time, Zetter spends a great deal of time not only on the attack, but also on its implications for the future. Digital globalization is remaking the security landscape. The Syrian Army and the North Koreans have hacked their opponents’ websites. China has allegedly undertaken extensive hacking attacks against U.S. targets, with the intent not only to conduct industrial espionage, but also to obtain information on specific individuals. Wikileaks absorbed an immense amount of Secretary of State Clinton’s time, and showed the power that a small non-state actor could have.
Still, Stuxnet was different in that it constituted an attack that harmed or destroyed physical objects. We are moving into a new era of the digital age with the Internet of Things, as more appliances, machinery and objects are connected to the net, from refrigerators to power systems. What this means is that objects like cars may be vulnerable to hacking, as two hackers recently proved when they remotely took over a car’s brakes and other systems while an intrepid reporter was driving it. From this perspective, traditional attacks in which information is stolen or destroyed may prove to be less dangerous than attacks in which turbines explode or furnaces are set to continually heat their homes.
This engaging study provides a window into the lives of cyber-security experts, and their complex relationships with nation-states. It also draws back the curtain on U.S. cyber-espionage and warfare. Any topic related to cyberwarfare can be prone to exaggeration and hyperbole. This careful study of an actual attack provides a preview of what realistically may become more common in the future. Highly recommended.
Shawn Smallman, Portland State University