Thoughts on “Countdown to Zero Day”

Well, I finished Kim Zetter’s book, Countdown to Zero Day.

Overall a great story. Good read for anyone who wants to get an idea for the last eight or so years of action in the ICS security space. I’m recommending it to family members and friends who want to “get” what I do.

I had to wonder though about a couple of ideas/concepts/parts in the book.

1. DHS Capabilities

“Within two days, [DHS] had catalogued some 4,000 functions in the code–more than most commercial software packages–and had also uncovered the four zero-day exploits that Symantec and Kaspersky would later find.” (p. 187)

Now, I’ve heard the Stuxnet story from DHS analysts before, but in contrast with Zetter’s descriptions of the Symantec effort, this seemed unrealistic. The idea (apparently expressed by DHS leadership at the time) is that what took Symantec’s brightest minds weeks of painstaking effort (see pp. 52-54), DHS could whip out in two days?

I’m not saying it’s not possible, and maybe I am misinterpreting the story, but there seems to be a stark contrast there.

2. “Getting caught”

“Perhaps the biggest consideration of all was the risk of tipping off Iran and other enemies to US cyber capabilities.” (p. 191)

This gets back to a fundamental difference between Zetter’s view and mine. I think in the end, what we know as “Stuxnet” was intended to get caught. It was (or at least included) an overt signal to Iran that the USA and perhaps Israel were all in their business.

Consider, for example, that the worm recorded every computer it had infected. Its payload was weakly encrypted. Some versions were released after the Natanz target was hit. The code included decipherable references to Iran and Israel and the USA. With several zero days and additional propagation vectors, the worm (at least the versions that were found) couldn’t and wouldn’t keep quiet forever.

I don’t believe a highly professional and competent group could/would plan an operation like Stuxnet without carefully considering OPSEC and making intentional choices. I lean towards the idea that at some point Stuxnet’s “going public” wasn’t a surprise or a mistake; it was an intentional statement.