The first public announcement of what became known as Stuxnet, the malware designed to slow Iran’s nuclear program, could have easily disappeared into the ether. VirusBlokAda, a little-known cybersecurity firm in Belarus, first noticed the new vulnerability and posted an announcement on their website and an online English-language security forum. After some early news reports about the code and moves to patch the initial vulnerability by Microsoft, it would have been natural for everyone involved to move on the next malware threat. No one had any reason to know what Stuxnet would become.
But a number of security researchers were intrigued by what they saw and kept going back to crack the code. Their story is the backbone of Kim Zetter’s Count Down to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, an incredibly detailed and readable account of the U.S. and Israeli attack on the computers that controlled the centrifuges at Natanz. Zetter follows the three main groups of cybersecurity experts from Symantec, Kaspersky Lab, and the Langner Group as they decode the malware. As the groups unraveled Stuxnet, they also discovered companion programs including Flame and Gauss, which were designed for espionage, not destruction. Zetter does an exceptional job of describing how the malware operated and how it affected infected Iranian networks.
Throughout the book, Zetter has to manage the tension between what the actual impact of Stuxnet on the nuclear program was and what the potential for future cyberattacks will be. If the computer attacks did little to hamper the Iranians and future attacks are likely difficult to develop, require extensive intelligence capabilities, and cause little physical damage, then Stuxnet looks less a weapon that reshapes foreign policy and more like another tool that is wielded by militarily and economically powerful states. Zetter sees Stuxnet as the beginning of something radically new and the possible damage from cyber as high, but she doesn’t silence other opinions. She gives voice to those who claim Stuxnet had little impact on Iran’s capabilities and when Zetter repeats anecdotes about other cyberattacks that have allegedly caused physical damage, she provides alternative explanations.
Despite the arguments that the cyberattacks may have prevented an armed attack on Iran’s nuclear facilities, and perhaps created the space for the current negotiations between Tehran and the West, Zetter is worried about the long-term implications of the United States being the first to use an offensive cyber weapon. Stuxnet was “a remarkable achievement” but “it was also remarkably reckless.”  The United States, in Zetter’s view, has essentially legitimated the use of digital assaults even though it is the country most vulnerable to cyberattacks. Moreover, and this is also well covered in Shane Harris’ book @War, U.S. intelligence and offensive operations often weakened Internet security for all by undermining technology standards and encryption.
In her conclusion, Zetter calls for greater transparency about offensive cyber operations, noting the unnecessary secrecy that surrounds most programs. Steve Coll, writing in the New Yorker, argues that the Obama administration has hidden most of the details of drone warfare, which allows others to create the narrative of how the weapons are used and to what effect. The same thing is happening with cyberattacks, and Zetter’s book is an important step in what should become a more public discussion of the costs and benefits of cyberattacks.