The Worm Turns

Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Kim Zetter. Crown. Hardcover, 448 pages. $25.

ON MARCH 4, 2007, the Idaho National Laboratory conducted an unsettling experiment in digital sabotage. Federal engineers attacked an industrial electric generator—“the size of a small bus”—using a novel weapon: a twenty-one-line computer virus.

For the experiment, they set up their own five-thousand-horsepower diesel machine and set it running. The virus was designed to target the relays that controlled the generator’s circuit breaker: It would turn them rapidly on and off to throw them out of sync with each other, disturbing the normal spin of the turbine. The effect was speedy and dramatic. Minutes after the virus attacked the generator, observers heard “a loud snap, like a heavy chain slapping against a metal drum.” Another forceful snap followed, and then the generator—which weighed twenty-seven tons—began shuddering and bouncing around, and “bolts and bits of rubber grommet ejected from its bowels.” After a final loud bang, the generator finally shut down completely as “a plume of angry black smoke billowed from its chambers.”

An enormous piece of real-world equipment had been destroyed, not by bombs or physical attacks, but by a piece of computer code injected from miles away.

This, argues Kim Zetter, is a hair-raising glimpse of the future. In Countdown to Zero Day (which features the edifying case study above), she writes that we’ll soon see attacks like this outside of the laboratory, because our physical world is increasingly vulnerable to digital intrusion.

Most people think of the Internet as a bunch of connected computers. But there are millions of other things connected to it as well, including ones crucial for everyday life, like electrical generators, water-treatment plants, and car-assembly robots. They’re all run by “programmable logic controllers,” or PLCs, which in turn are hooked up to computers and the Internet. Anyone who wants to cause havoc can thus—with a bit of work and ingenuity—do so from afar, via a computer virus rather than a pipe bomb.

One might be tempted to write this scenario off as high-tech paranoia—the reveries of excitable defense hawks or of ordinary nerds who’ve read too many sci-fi thrillers. But we already have an example of just such a cyberattack: “Stuxnet,” a computer virus that the United States and Israel created to infiltrate—and then destroy—centrifuges that Iran was using to manufacture fissionable nuclear materials. Cyberweapons not only exist in our time; they’re beginning to tweak the calculus of geopolitics. Countdown to Zero Day documents just how messy things have become.

Zetter’s book fits squarely into a modern literary genre: tales of the “white hat” hackers who uncover criminal activity online. It began with The Cuckoo’s Egg (1989), Clifford Stoll’s account of how he tracked down a German man who was remotely stealing info from US systems and selling it to the KGB; it includes Takedown (1996), Tsutomu Shimomura’s story of his quest to apprehend the hacker Kevin Mitnick. The action in these books, rather like the drawing-room mysteries of John Dickson Carr, takes place entirely in the heads of the detectives. The cybersleuths sit at cubicles, pondering viruses—not exactly the breathless stuff of international intrigue. In order to keep readers engaged, authors in this niche need to transform numbingly arcane details about computer languages into a whodunit.

Fortunately, Zetter is a master of the genre. Her book ultimately isn’t about hunting down Stuxnet’s individual creators. (They’ve never been identified; the US and Israel, though widely reported to have engineered the virus, have never officially confirmed their involvement.) Instead, Zetter re-creates, in delightful detail, the race to figure out simply what Stuxnet was—and what it did.

There had been plenty of computer worms and viruses before Stuxnet, of course. But they were created out of curiosity or mischief—or in order to perpetrate a theft. The 1988 “Morris Worm,” one of the first, was crafted by the Cornell student Robert Morris in an attempt to measure the size of the Internet, but to his horror it replicated itself so rapidly that it clogged online networks to the freezing point. In the aughts, criminals worldwide began releasing worms designed not to crash computers but to intrude quietly and snoop around, stealing passwords and credit-card numbers. This is still, as Zetter shows, a booming business. Anyone who discovers a previously unknown vulnerability in popular software—called a zero-day exploit—can sell that secret, sometimes to criminals and other times back to the companies that made the software (and thus want to know where it’s weak). Or, most interestingly, they can sell it to international spy agencies that want to amass their own lists of little-known vulnerabilities, the better to sneak into computers in enemy states. A single “zero day” can command $50,000 on the black market, or twice that amount from a defense agency.

This is what made Stuxnet so unusual. The worm didn’t fit the profile of the earlier generation of mischief-seeking, data-stealing viruses. Indeed, the virus hunters who first stumbled across it in the summer of 2010—most of whom worked for antivirus firms like Symantec or Kaspersky Labs—couldn’t figure out what the heck the malware was doing. Stuxnet seemed to be probing hardware controllers made by Siemens, and designed to manipulate all sorts of heavy machinery.

Slowly, over several months, the virus hunters began to piece the picture together. They discovered that Stuxnet targets only a very specific type of controller, one that seems to be used in nuclear centrifuges—the spinning devices that purify nuclear fuel to prepare it for energy plants or bombs. Then the virus sleuths realized that these controllers figured prominently in Iran’s nuclear project. And they found that Stuxnet wasn’t designed to quickly and obviously wreck Iran’s devices. On the contrary, the worm worked quietly and covertly. Like the malware that destroyed the Idaho generator, Stuxnet tweaked the spin rate of the centrifuges, gradually ruining their ability to process nuclear materials.

Most cleverly, the virus hid its activity. It fed inaccurate data back to the Iranian scientists who were monitoring the centrifuges—“like a Hollywood heist film where the thieves insert a looped video clip into surveillance camera feeds,” as Zetter writes. If the Iranians looked at their control panels, all seemed normal. But inside, the centrifuges were going nuts, flying apart. The virus was so successful that it probably set back the Iranian nuclear project several years.

The geopolitics of war and espionage have always been convoluted. Advanced technologies like drones have made them ever cloudier, blurring the line between the impersonal work of home-front technicians and death in foreign lands. And as Zetter notes, cyberwarfare also creates new moral and ethical dilemmas.

If you release a virus as a weapon, what happens when it attacks things you didn’t target? (You can’t easily control where a worm winds up; Stuxnet infiltrated controllers worldwide, not merely in Iran.) If you start attacking infrastructure, isn’t it likely that you’ll also be attacking citizens? If spy agencies and militaries have started buying zero-day exploits and using them against other countries, have they begun actively wanting our world of software to be more insecure? As many American military experts note with dismay, the United States has now lost any moral high ground in this area. It was the first country caught using a digital weapon to attack the physical world.

These are sobering enough issues in the realm of war. But the truth is, you’re just as likely to see the impact of Stuxnet in your coffeepot as your newspaper.

That’s because Silicon Valley is busily trying to build the “Internet of Things.” These are everyday objects that, like the electric generator in Idaho and the Iranian centrifuges, are connected to the Internet. On the upside, this lets you pull off some nifty tricks, like controlling household devices remotely from your smartphone or hearkening to your baby’s cries while on a business trip via, say, the WeMo baby monitor.

But as you may have guessed by now, most manufacturers of these gadgets have lazily neglected security, either tacking on shoddy, easily hackable protections as an afterthought or ignoring the issue entirely. Security experts have discovered that anyone who accesses the WeMo baby monitor once—for example, a babysitter—has access forever, making eavesdropping hilariously easy. Others have found they can turn off the lights in someone else’s house. Given that more and more of these devices are coming online—cars, fridges, clothing—one can imagine the gorgeous chaos of spying we’ll be enjoying for years to come. (I’ve talked to some early adopters of 3-D printers who predict that one day they’ll arrive home to discover that prankster friends have remotely controlled their devices and littered their offices with badly rendered sex toys.) Zetter does not discuss the Internet of Things much in her book, but the lessons from Stuxnet are applicable in cut-and-paste fashion to this new frontier of digital innovation.

If there’s any silver lining, it’s that, as yet, viruses like Stuxnet are rare. Why? Possibly, Zetter notes, they’re harder to pull off than we think, or the folks who most want to wreak the pertinent havoc don’t yet possess the skills. “One thing, however, seems certain,” she writes. Given “the proof of concept provided by Stuxnet, it is only a matter of time until the lure of the digital assault becomes too irresistible for someone to pass up.” After reading her evidence, I’m inclined to agree. Smart devices allow for some very dumb acts.

Clive Thompson is the author of Smarter Than You Think: How Technology Is Changing Our Minds for the Better (Penguin Press, 2013) and a contributing writer for the New York Times Magazine and Wired.