Cyberwar - well-written, well-researched, well-reasoned
Reviewed in the United Kingdom on 3 December 2015
This book tells the story – or at least part of the story – of Stuxnet, the malware that was employed allegedly by the US and Israeli intelligence services to disrupt Iran’s nuclear enrichment programme in the late 2000s. Some have described it as the first case of cyberwar, but actually, it was more the first spectacular case of international state-on-state cybersabotage, and part of a wider campaign against the Iranian programme that also included the targeted assassination of Iranian physicists and the imposition of sanctions. In the end, Stuxnet was only one piece in the jigsaw puzzle that led to the June 2015 diplomatic accord temporarily closing the road to an Iranian nuclear bomb.
Kim Zetter does a superb job in telling how Stuxnet was detected, analysed, dismantled and neutralised. An accomplished journalist for WIRED, the technology newspaper cum blog, she clearly excels at unfolding this intriguing and captivating narrative. The book is well researched, and Zetter is at her best when she is explaining complex technicalities such as ripping apart and reverse-engineering malware code. The true heroes of her book are the analysts and researchers of Symantec, Kaspersky and other security research firms. These sections of the book are highly readable; and she writes with a lay, and not an expert, audience in mind – which adds to the readability. Woven into this first part of the book is an excellent chapter on how the zero-day market came about in the first place. Zetter also does a good job when highlighting how these valiant private sector cyberwarriors had to strike a balance between protecting their clients – i.e., neutralising Stuxnet – and avoiding the cross-fire of a state-on-state confrontation.
Zetter’s story is so sound and authentic because she can draw extensively on interviews she held with the heroes of her book. The story becomes much thinner when it comes to the “other side”, i.e., the manufacturers and distributors of the malware – or, for that matter, its targets, i.e., the computer and machinery operators in Iran. There, she entirely relies on public sources and on what others have already written about the topic. She does that diligently and exhaustively, after proper research, as it befits a good journalist. And given the fact that this deals with the murky world of intelligence where interviews are not lightly given, she probably had no alternatives. Yet, as a consequence, these parts of the book lack the authenticity of the part outlining the story of Stuxnet proper. She closes the book with a highly readable chapter on assessing the success of the malware. She concludes that Stuxnet was a qualified success in the sense that it contributed to slowing down the Iranian enrichment programme, which bought diplomats time to negotiate. Yet, it remains unclear whether this was actually the goal of Stuxnet, or whether it did not have a further purpose, such as forcing the total shutdown of the Iranian enrichment programme. Given her limited access to government sources, Zetter cannot answer this question. She also concludes that this ‘qualified success’ of slowing down Iran’s programme came at the price of exposing the US as a reckless promoter of cyberwar, thus undermining her own credibility on the international stage on the one hand and – more importantly – undermining the trust of users in the safety and security of the internet on the other hand. Maybe this is a bridge too far, as most people outside the US would already have a view of the US being rather double-minded when it comes to the internet and the utility of cyberwar, but regardless of the depth of international cynicism, she clearly has a point here.
The book has a few weaknesses. First, it is too long. In many instances, the narrative could be shorter and crisper. Sometimes, one gets a bit of a feeling she wanted to make as much use of her interview material as possible. Secondly, and this may be related to the first point, the structure of the book is somewhat repetitive. A great part of the chapters in the first part follows the same pattern: introducing a techie nerd, describing him (they are always “hims”) and his physical appearance and dress a bit, adding a few sprinkles about his private life (mostly on girlfriends), and then delving into that part of the technical dissection of Stuxnet which this chapter is about – and this deep dive is then deep indeed. This makes the reading attractive at the beginning, as it gives a very low entry barrier to the average reader, but it becomes somewhat tiring further down the road. These are weaknesses you can easily live with as a reader. A worthwhile, highly recommendable read in any case.
12 people found this helpful