Book Review: Countdown to Zero Day, by Kim Zetter

When it was first spotted in the wild, Stuxnet was a nearly indecipherable puzzle: user and kernel mode rootkits, vague religio-historic references, and a staggering number of zero-day exploits (attacks targeting unknown and unpatched vulnerabilities) were all contained in an attack on a specific series of Siemens Programmable Logic Controllers. It seemed an odd choice of target and methodology, with the lack of data exfiltration and precise configuration requirements contained in the code enticing competing teams of researchers worldwide to unlock the mysteries of a historic shot across the bow in cyberwarfare. Wired journalist Kim Zetter was among the first to cover the Stuxnet attacks and became the influential tech magazine’s beat reporter for the story, following up on minute developments until Symantec’s fateful report insinuated Israeli responsibility for the attack. With confirmation of joint American involvement from anonymous sources and the Snowden leaks once again thrusting the U.S. cyber presence into the milieu, Zetter revisited Stuxnet and its implications in Countdown to Zero Day. Yet despite the book’s wealth of information, its valuable content is degraded by lapses into jargon, poor structure, and a predisposition to treat an increasingly aggressive National Security Agency and Cyber Command with deference.It is easy to forgive the first point, as crafting a full-length work on the intricacies of malware forensics without losing many readers somewhere along the way borders on impossible. It is far easier to eschew complex technical definitions when adhering to a magazine article’s length restrictions than in a book detailing how investigations into Stuxnet’s complexities led researchers to conclude that only a nation could have been responsible for it. As a reader with a moderate degree of exposure to the book’s technical issues, I found Zetter’s foray into the weeds far better pleasure reading than Symantec’s report; however, mileage may vary considerably for those who have little background knowledge of concepts central to the latter.The structure, though, threatens to put off experienced and novice alike: Wired articles often read like thrilling novellas, bouncing between subjects and physical locations in a manner that would be disorienting in longer forms. Yet Zetter does just that in Countdown to Zero Day: her reporting becomes as convoluted as Stuxnet’s code itself as she skips between Symantec’s Southern California offices to small Belarusian security firms, only to derail that with another tangent involving Stuxnet’s relatives Duqu and Flame. Combined with a brief exploration of the business end of cyberwarfare, where firms compete to supply governments with a steady stream of zero-day exploits, the book could and arguably should have been three separate written works. Zetter’s desire to bite off more than she can chew is the mark of a voracious reporter with a great passion for her subject, and that enthusiasm shows on paper. Unfortunately, her broad scope prevented deeper examination of the issues’ implications and ethics by limiting the book to mere acknowledgement of controversies that surround the firms peddling zero-days and of cyberweapons as one of the ultimate double-edged swords. The final chapters read like a sales pitch for Keith Alexander’s million-dollar-a-month cybersecurity consulting firm. Alarmist views of catastrophic attacks on critical infrastructure and of looming digital terrorism far outweigh the cautionary voices resting upon fact: attacks of Stuxnet’s scale and impact are rare and difficult, and no nation wants to tip its hand and open itself up to retaliatory attacks unless the target is of exceptional priority.Leaving cyber alarmists relatively unchallenged is a questionable choice in an era defined by dubiously legal over-eagerness to exploit new technologies. If you pick up Countdown to Zero Day, temper it with Shane Harris’ @War, the ongoing cyber reporting at The Intercept, or Der Spiegel’s archive of global snooping stories. Cybersecurity is one of the hardest modern issues on which to maintain journalistic impartiality, and Zetter’s dogged attempts to remain unbiased can at times be construed as the opposite. That quandary sums up her book quite well: few of the work’s failings are of the author’s conscious design, and it is truly frustrating since they prevent a good book from being exceptional.