
Zero-Day is the technical term in computer security for a vulnerability in an application or operating system of which the developer is unaware, and for which they therefore have no effective response available. It is also the title of the six-part series released in January about an America brought to its knees by a large-scale computer attack: the whole country goes dark, underground trains collide on the same track, airport control centres stop working, sending air traffic into chaos, traffic lights go berserk and cause pile-ups, intensive care machines in hospitals shut down... After one minute of blackout, more than four thousand people die. To discover the culprits and restore order in the country, former US President George Mullen, played by Robert De Niro, who has retired to private life after the death of his son, enters the scene.
The scenes of cyber-attacks and their catastrophic consequences in the real world are surprising and unexpected, especially for those who are used to thinking of viruses and cyber-attacks only as annoying problems with the home computer, or the hijacking of data and digital identities. They are much less surprising for cybersecurity experts, who consider this kind of threat one of the main ones that modern societies must defend against. We talk about it with Gabriele Costa, professor of computer science at the IMT Alti Studi Lucca School and expert in cybersecurity.
What is realistic about an event of the kind and scale of the one told in the Zero Day series?
The scenario shown in the TV series is rather apocalyptic in scale because, during a single attack, many critical infrastructures (hospitals, transport, telecommunications...) are affected. An attack on just one of these infrastructures that rendered it unusable for a long enough interval would certainly have a lesser impact, but all in all comparable to some of the scenes we have seen. We know this because we have already witnessed similar attacks in recent years and no stretch of the imagination is needed. The damage caused by large-scale attacks can now be quantified in hundreds of millions (of euros or dollars) and sometimes even in loss of life.
And unrealistic?
A sequence of attacks affecting so many critical infrastructures at the same time is extremely unlikely and would require not one, but several Zero-Days. The reason is that, in general, the spread of a technology is inversely proportional to its criticality. For instance, the software that ensures the operation of a control tower is specialised and rare, compared to the software running on a smartphone. Hitting many systems and hitting critical systems are two targets that are typically mutually exclusive. WannaCry, the ransomware that infected Windows machines worldwide within a few hours, did not aim to disrupt critical services, but did so collaterally. Stuxnet, the malware that attacked the uranium enrichment chain in Iran, itself chronicled in the 2016 documentary film Zero Days, only hit one plant.
Without spoilers about the perpetrators, it is eventually revealed in the series that the goal of the attackers was to generate chaos and fear in the public. What is the type of threat we should fear most today, and to which systems or apparatuses?
To generate chaos and fear, there are much cheaper tools than computer viruses, e.g. fake news. An attacker with several highly impactful zero-day vulnerabilities would use them to collect large amounts of money, for instance by demanding ransoms from governments and companies. This already happens today and is the mechanism behind ransomware. Much ransomware does not even use zero-day vulnerabilities, but known vulnerabilities. An example of ransomware that exploited Zero-Days was the aforementioned WannaCry, which even used two of them (DoublePulsar and EternalBlue). At the time, the two vulnerabilities literally fell from the sky, since they had become public knowledge only a month earlier following a security breach at the National Security Agency (and thus were not even Zero-Days, to be fair). Bought on the black market, two such vulnerabilities would have cost perhaps hundreds of millions of dollars. In everyday life, ransomware exploits vulnerabilities to demand a ransom by threatening harm. For instance, a few years ago, the railways had to deal with an emergency caused by a ransomware attack by the Hive group, and there were effects lasting several days on critical services such as ticket offices.
The Covid pandemic caught us - and the rest of the world - rather unprepared, five years ago, despite the fact that the World Health Organisation had been repeating for years or decades that it was only a matter of 'when' not 'if' a pandemic would break out. Where do we stand with regard to possible cyber attacks?
Nations are moving each on their own, and it is not easy to get an accurate picture. The attack figures paint a bleak picture that it is perhaps even an understatement to describe as 'the Wild West'. There is good reason to believe that the intelligence services of various nations know of several Zero-Day vulnerabilities that they jealously guard while waiting for the order to use them. The comparison with the pandemic does not render the scenario well because natural phenomena are not driven by hostile agents. The worst scenario that can await us is that of a digital Caporetto.
How would defensive reactions to an attack like the one in the series be organised today, presumably?
In short: it would be very challenging and very expensive. Above all, processes need to be developed and people need to be trained. Staff training is fragmented and the network of cyber incident response centres (the CSIRTs) has only recently begun to be developed under the leadership of the National Cybersecurity Agency. This is a fundamental first step, but there are still many gaps, first of all the fact that in Italy there is no CNA, i.e. a desk to which analysts can report the vulnerabilities they discover. To ensure that the system resists, we have to kick it where it hurts the most: carry out penetration testing (simulated and controlled cyber attacks) and bug bounty campaigns (penetration testing open to the public, with a reward for those who discover and report vulnerabilities), all activities on which we are still lagging behind. Other activities, such as certifications and taking care of legal aspects, on the other hand, improve posture but make little practical difference. In a way, it's as if we were talking about boxing: proper nutrition is important, but the difference between the rookie and the champion is the number of punches you manage to land before your legs give out.
Chiara Palmerini