The Cybersecurity Canon: Zero Day

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Zero Day (2011) by Mark Russinovich

A number of the Cybersecurity Canon candidates I’ve discussed so far have been heavier reads. But there are some lighter books I think are worthy of consideration, too. “Zero Day,” by longtime security researcher Mark Russinovich, is one of them.

I appreciate what Russinovich is trying to do with this novel: Tell an exciting, “Die Hard”-like story with interesting cybersecurity people and realistic tech and, at the same time, inform the general reader about how dangerous the current state of the cybersecurity environment is. In a presentation that Russinovich did at RSA in 2012 to supplement this book, he quoted Senator Joe Lieberman:

“To me it feels like it is September 10, 2001. The system is blinking red – again. Yet we are failing to connect the dots – again.”

One of the reasons I started this project was to talk about novels that discuss these ideas in a compelling way. Russinovich has devoted two novels to the idea: Zero Day and 2012’s Trojan Horse. He is also a geek of the highest order: a Microsoft Technical Fellow, a co-founder of the famous Sysinternals website and famous for his discovery of the root kit that Sony BMG installed on its music CDs back in 2005.

The good guys in the story are a Mr. Jeff Aiken, an überkind computer security consultant with a past, and Daryl Haugen, the US CERT director and no slouch in the technical prowess department. These two fight the US government bureaucracy in an effort to defeat a follow-on 9/11 cyberattack that is intended to destroy a significant portion of every data system in the US.

Along the way, the reader is treated to colorful descriptions of malicious code attacking an on-board in-flight aircraft computer system causing a near-crash, adjusting the geo-positioning system on a large oil tanker that causes a harbor crash and the spillage of millions of tons of crude oil into the harbor, tinkering with the Supervisory Control and Data Acquisition (SCADA) systems in multiple nuclear power plants, and controlling multiple manufacturing robots on an assembly line that eventually causes the murder of one of the human technicians.

The main hacker in the story is Superfreak (aka Vladmir Koscov), a Russian engineer who has found a way to make a pretty good living building elite malicious code for his benefactors. His benefactors are two Islamic brothers with ties to Osama bin Laden and who are intent on striking the US another significant blow after the first 9/11 attacks. One of the brothers even makes a special pilgrimage across the desert to receive his mission from bin Laden personally.

Russinovich uses this Tom Clancy-ish plot to push the story forward. Along the way, he takes the time to explain the cybersecurity environment to the average reader. He provides decent descriptions of the classic “Salami Slice” bank hack, the game-changing Slammer Worm attack of 2003 that compromised every machine on the planet that it was going to compromise in 10 minutes (some 75,000 victims), the E-Gold Money Laundering scheme (a blackhat internet service that was popular for a few years in the 2000s), and what a zero day vulnerability is. He makes the point about why the US is vulnerable to the plot’s cyber terrorism evil plan compared to other nations based on how completely the US has embraced the internet for day-to-day business.

I first read this book when Russinovich published it back in 2011, and it wasn’t one I recommended that often to cybersecurity friends. The characters aren’t always convincing and the plot favors “on the nose” resolutions instead of more realistic cybersecurity scenarios.

But as a very readable cybersecurity novel intended for a mass audience, it works. It’s important for non-technical audiences to think about cybersecurity issues, and in a business, for cybersecurity professionals to drive awareness. This is something several of my Palo Alto Networks colleagues have touched on and it’s worth repeating: cybersecurity is everybody’s problem.