Review of the Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon

Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon

Rating: ⭐️⭐️⭐️⭐️⭐️

Zetter’s book engages in a heroic effort to summarize, describe, and explain the significance of the NSA’s and Israel’s first ‘cyber weapon’, named Stuxnet. This piece of malware was used to disrupt the production of nuclear material in Iran as part of broader covert efforts to delimit the country’s ability to construct a nuclear weapon. 

Multiple versions of Stuxnet were created, as were a series of complementary or derivative malware species with names such as Duqu and Flame. In all cases the malware was unusually sophisticated and relied on chains of exploits or novel techniques that advanced certain capabilities from academic theory to implementable practice. The reliance on zero-day vulnerabilities, or those for which no patches are available, combined with deliberate efforts to subvert the Windows Update system as well as use fraudulently signed digital certificates, bear the hallmarks of developers being willing to compromise global security for the sake of a specific American-Israeli malware campaign. In effect, the decision to leave the world’s computers vulnerable to the exploits used in the creation of Stuxnet demonstrate that offence was prioritized over defence by the respective governments and their signals intelligence agencies which authored the malware.

The book regales the reader with any number of politically sensitive tidbits of information: the CIA was responsible for providing some information on Iran’s nuclear ambitions to the IAEA, Russian antivirus researchers were monitored by Israeli (and perhaps other nations’) spies, historically the CIA and renown physicists planted false stories in Nature, the formal recognition as cyberspace as the fifth domain of battle in 2010 was merely formal recognition of work that had been ongoing for a decade prior, the shift to a wildly propagating version of Stuxnet likely followed after close access operations were no longer possible and the flagrancy of the propagation was likely an error, amongst many other bits of information.

Zetter spends a significant amount of time unpacking the ways in which the United States government determines if a vulnerability should be secretly retained for government use as part of a vulnerabilities equities process. Representatives from the Department of Homeland Security who were quoted in the book noted that they had never received information from the National Security Agency of a vulnerability and, moreover, that in cases where the Agency was already exploiting a reported vulnerability it was unlikely that disclosure would happen after entering the vulnerability into the equities process. As noted by any number of people in the course of the book, the failure by the United States (and other Western governments) to clearly explain their vulnerabilities disclosure processes, or the manners in which they would respond to a cyber attack, leaves unsettled the norms of digital security as well as leaves unanswered the norms and policies concerning when (and how) a state will respond to cyber attacks. To date these issues remain as murky as when the book was published in 2014.

The Countdown to Zero Day, in many respects, serves to collate a large volume of information that has otherwise existed in the public sphere. It draws in interviews, past technical and policy reports, and a vast quantity of news reports. But more than just collating materials it also explains the meanings of them, draws links between them that had not previously been made in such clear or straightforward fashions, and explains the broader implications of the United States’ and Israel’s actions. Further, the details of the book render (more) transparent how anti-virus companies and malware researchers conduct their work, as well as the threats to that work in an era when a piece of malware could be used by a criminal enterprise or a major nation-state actor with a habit of proactively working to silence researchers. The book remains an important landmark in the history of security journalism, cybersecurity, and the politics of cybersecurity. I would heartily recommend it to a layperson and expert alike.

Don’t Risk Model for Aged, Wealthy, Americans

Data security and communicative privacy matters. The boons of the contemporary computer era has led to people across the world using common services for security, for data processing, and for communications generally despite users’ radically different risk profiles. Few users are savvy enough to engage in code-level audits, fewer to ascertain the validity of improperly issued security certificates, and likely even fewer to guarantee that programs’ and operating systems’ updates are from the actual developers. These are problems – important problems – that need to be directly addressed by developers.

It’s always been morally wrong to be cavalier about your software’s security profile, and to just discount the potential vulnerabilities or bugs linked to your tools. Things aren’t getting better, however, on account of state actors becoming more and more sophisticated in how they target and monitor their citizens’ and residents’ communications. Consequently, the blasé attitude towards security that has (largely) focused on successful engineering over successful security in depth is a larger and larger problem. This attitude, especially when it comes to anti-circumvention and encryption software, is leading to individual users ending up seriously hurt, imprisoned, or dead.

Security is important. Speech is important. And ensuring that secure, private, speech is possible is an increasingly critical issue for parties throughout the world. Developers and companies and individuals ought to take the severity of the consequences of their actions to heart, or risk having very real blood on their hands.

Quote

The actors that represent the majority of users today, stakeholders from the South, the developing world, and the non-English segments of the net, will do more to shape the future of cyberspace than any discussions at the Pentagon or in policy circles in North America and Europe. To understand how and in what ways cyberspace will be characterized in years to come we need to think beyond the beltway, beyond Silicon Valley, and into the streets of Shanghai, Nairobi, and Tehran. The contests occurring in those spaces deserve our attention today, if for no other reason than that they provide a glimpse of the types of global issues that will drive cyberspace governance in the future.

* Ronald Deibert and Rafal Rohozinski, “Contesting Cyberspace and the Coming Crisis of Authority”
Link

How foreign firms tried to sell spy gear to Iran

Steve Stecklow is one of the few reporters that has continued to write about Iran’s acquisition of surveillance equipment for the past several years. At this point he has a good grasp of how the technology gets into the country, what’s done with it, and why and how vendors are evading sanctions. His article earlier this year provides a good look at how Huawei and ZTE alike have sold ‘lawful intercept’ equipment to the Iranian government. I’d highly recommend taking a look at what he’s written.

Quote

Iranian officials have been assuring the public that the establishment of the [National Information Network] NIN will not cut them off from the Internet. The NIN, according to the government, will provide a “faster, safer, and more reliable” network for domestic purposes, in addition to the global Internet for daily usage.

What the officials have been less vocal about is that the NIN will make it easier for them to monitor user activities and carry out surveillance. Moreover, the establishment of the NIN as an independent network from the Internet will provide officials with the option of cutting off access without affecting the country’s administration. Shutting down the Internet in the aftermath of the contested 2009 elections, for example, was problematic since it interrupted banking and government operations. With the establishment of the NIN, a similar outage will not interrupt internal network traffic.

Quote

The problem … was that the surveillance technology sold to Iran in 2008 is standard “lawful intercept” functionality required by law in Europe, so that police can track criminals. Unfortunately, with the same technology in the hands of a regime that defines “crime” broadly to include political dissent and “blasphemy,” the result is an efficient antidissident surveillance machine.

Rebecca MacKinnon, Consent of the Networked: The Worldwide Struggle for Internet Freedom
Link

Surprise: American Equipment Spies on Iranians

Steve Stecklow, for Reuters, has an special report discussing how Chinese vendor ZTE was able to resell American network infrastructure and surveillance products to the Iranian government. The equipment sold is significant;

Mahmoud Tadjallimehr, a former telecommunications project manager in Iran who has worked for major European and Chinese equipment makers, said the ZTE system supplied to TCI was “country-wide” and was “far more capable of monitoring citizens than I have ever seen in other equipment” sold by other companies to Iran. He said its capabilities included being able “to locate users, intercept their voice, text messaging … emails, chat conversations or web access.”

The ZTE-TCI documents also disclose a backdoor way Iran apparently obtains U.S. technology despite a longtime American ban on non-humanitarian sales to Iran – by purchasing them through a Chinese company.

ZTE’s 907-page “Packing List,” dated July 24, 2011, includes hardware and software products from some of America’s best-known tech companies, including Microsoft Corp, Hewlett-Packard Co, Oracle Corp, Cisco Systems Inc, Dell Inc, Juniper Networks Inc and Symantec Corp.

ZTE has partnerships with some of the U.S. firms. In interviews, all of the companies said they had no knowledge of the TCI deal. Several – including HP, Dell, Cisco and Juniper – said in statements they were launching internal investigations after learning about the contract from Reuters.

The sale of Western networking and surveillance equipment/software to the Iranian government isn’t new. In the past, corporate agents for major networking firms explained to me the means by which Iran is successfully importing the equipment; while firms cannot positively know that this is going on, it’s typically because of an intentional willingness to ignore what they strongly suspect is happening. Regardless, the actual sale of this specific equipment – while significant – isn’t the story that Western citizens can do a lot to change at this point.

Really, we should be asking: do we, as citizens of Western nations, believe that manufacturing of these kinds of equipment is permissible? While some degree of surveillance capacity is arguably needed for lawful purposes within a democracy it is theoretically possible to design devices such that they have limited intercept and analysis capability out of the box. In essence, we could demand that certain degrees of friction are baked into the surveillance equipment that is developed, and actively work to prevent companies from producing highly scaleable and multifunctional surveillance equipment and software. Going forward, this could prevent the next sale of significant surveillance equipment to Iran on grounds that the West simply doesn’t have any for (legal) sale.

In the case of government surveillance inefficiency and lack of scaleability are advantageous insofar as they hinder governmental surveillance capabilities. Limited equipment would add time and resources to surveillance-driven operations, and thus demand a greater general intent to conduct surveillance than when authorities have access to easy-to-use, advanced and scalable, surveillance systems.

Legal frameworks are insufficient to protect citizens’ rights and privacy, as has been demonstrated time and time again by governmental extensions or exploitations of legal frameworks. We need a normatively informed limitation of surveillance equipment that is included in the equipment at the vendor-level. Anything less will only legitimize, rather than truly work towards stopping, the spread of surveillance equipment that is used to monitor citizens across the globe.