Zero Day, by Mark Russinovich

Rating: ** (2 stars out of 5)

I read about the computer security thriller “Zero Day” on a few technology websites as well as heard about it on the “Herding Code” podcast where they had an interview with the author Mark Russinovich. The premise was interesting: A widespread and destructive “zero day attack” highly disruptive to businesses and people, spanning countries and continents. From what I understood, Mark’s motivation in writing this was his feeling that technology security is not taken as seriously as it should be and he wanted to bring greater awareness to the risks involved. Perhaps this is also the reason that instead of using a financial motive for the attacks in the story, he decided to use terrorism as those might resonate better with the intended audience. Destruction of digital data is far more scary than theft.

Unfortunately, the book falls short on many dimensions. First, the thriller aspect — too many holes and too little action. At various points in the story, the book slows to a crawl. There is the concept of “show, don’t tell”, but Mark carries it a little too far by introducing too many events and characters, more instances of the virus attacks than necessary and more secondary villains than needed. Similarly, the sex scenes are ill-advised and even contribute to adding a hint of misogyny to the plot. The author has very outdated views about the motivations of women. In general, the characters are one-dimensional and make the story very predictable.

The core idea in the book is that only a few people understand the value of computer security while government, businesses and even security vendors ignore the risks. Those who understand keep screaming, but nobody listens. This is a standard plot in many books and movies and it can be done right. However, the way it develops in “Zero Day” is senseless. We see a plane that almost crashes and kills several people including children. There is a near-nuclear accident and a ship that runs ashore. All these incidents are high-profile and it is very clear that the same virus strain is responsible. And yet no one is listening?

The author tries to compare the situation with 9/11 to make the case, but that won’t wash. 9/11 did not have a series of public, high-profile attacks on civilians before it unfolded. The plane incident would be enough to fill the papers and everyone would be searching for theories. A mere mention of the findings by the main characters would be enough to hit the front-page news.

The plot makes and breaks its own rules. Take the case of the assassin, supposedly a professional killer. He behaves recklessly at times, twice trying to kill in an area with lots of people present. You would think that a professional would have better tools (such as long-range rifles) at his disposal. Also, when he has an easy opportunity (and ammunition) to kill a key character, he decides not to. The coincidences start piling up. We get the very observant policeman on the beat who doesn’t know how to shoot. We see a roomful of villains not packing heat because they were too gullible (!)

Then we have things like the characters suddenly catching a plane to Russia. This is mind-boggling because you need a visa to enter Russia, my friend. And then another character leaves Russia, reaches Italy and goes on to France, inside 48 hours, even though she starts this journey with a bleeding head after being shot, and is probably wanted for questioning after the death of her family members. We also have a CIA deputy director engaged in espionage over several months — you would think someone would notice. The information he provided at considerable risk was incidental to the people who were paying him, so what was the point?

We learn that the main virus creator was physically disabled because of an attack by the Chechens. Yet he is unknowingly working for the Arabs who are affiliated with the Chechens. This seemed like the makings of a great plot twist if he ever found out, but it is not taken anywhere. It is also strange that he didn’t realize the significance of the date when the attacks were set to go off, but maybe someone else was working on that.

The technology side is also very confusing. First, the attacks are set to go off on a particular date, but some of them go off early, probably because the plot requires them to make the story seem more urgent. This is explained by suggesting that the affected computers had their dates set wrong. That is unlikely for many of the systems that were affected in the story. Then we have a theory that the virus itself was manipulating the date, which seems absurd because the date was important (was anyone even testing the virus or looking at its code?). And if the trigger depended on the local time, wouldn’t that be a loophole in the virus itself?

I was also unclear how the virus could get into places like aircraft or nuclear plant control systems on such short notice. The Stuxnet and Flame viruses that attacked Iran did their work over several years and they apparently got in through physical means (via USB keys or something). There are also different operating systems and versions of them, and then various protections (firewalls, anti-virus software and so on). The book is vague, implying that nothing matters other than finding the original source of the virus and coming up with an antidote.

Mark runs with a few stereotypes of the Saudis, the Russians, and the Chechens to fill the story. I get it that a thriller is not the best place to look for insightful commentary on geo-politics, but hey, the book was published in 2011. Over the last several years, has Mark learnt nothing about the various jihadist movements, the balance of power in different countries in the Middle East between different sects and groups, and the conflicts that have taken place during the last decade? It is almost as if he read a few newspaper articles from the early 2000s and fleshed out the villainous roles.