Kim Zetter is a former staff writer at WIRED and author of the seminal cybersecurity book “Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon.” Her work has appeared in The New York Times, POLITICO, The Washington Post and regularly in her Substack newsletter, “Zero Day.” In this episode, Kim talks about her approach to reporting, what sparked her Stuxnet investigation and how the discovery of that malware fundamentally altered our global cybersecurity conversation.
Why you should listen:
* Hear from one of the most influential and knowledgeable journalists writing about cybersecurity today.
* Get her take on some of the biggest security stories of 2021 such as Colonial Pipeline and the Pegasus Project.
* Learn more about the key policy debates around election security and critical infrastructure protections.
Key Quotes:
* “Stuxnet really helped shine a light on industrial control systems as a target.”
* “We focus too much on the stuff that makes the headlines and completely ignore the innocuous things that you’re downloading onto your phone .... Those things are spying on you, as well.”
* “The Obama administration was the first administration to [make] cyber a priority, but they didn't really put critical infrastructure as a priority in the sense of using the government's weight to force security on critical infrastructure. We're actually only seeing that in this last year … in the wake of Colonial Pipeline.”
* “When we saw Russia trying to interfere in 2016, that woke up DHS that someone, somewhere needed to have some kind of influence over election officials.”
Links:
* https://zetter.substack.com/
* https://www.nytimes.com/2018/09/26/magazine/election-security-crisis-midterms.html
[00:00:00] Bella DeShantz: Kim, we're so excited to get to chat with you today. Uh, my name is Bella DeShantz-Cook. I'm joined by Jeremiah over here. Jeremiah, how are you today?
[00:00:26] Jeremiah Roe: Hey, Bella. Uh, great. Thank you so much, Kim. Uh, super excited to speak with you today.
So thank you so much for coming.
[00:00:34] Bella DeShantz: Awesome. So we're gonna jump right in. Uh, you've been writing about cybersecurity for a while. You've reported for WIRED, Politico, Vice, The New York Times. And you've also written a book about Stuxnet called Countdown to Zero Day. How can you, how can you possibly keep up with everything that's going on in cyber today and how do you choose what subjects and stories you want to.
[00:00:57] Kim Zetter: I can't keep up. [00:01:00] It's really overwhelming. It didn't used to be. I remember that there used to be days where you were fishing around trying to find something to write about. Um, and that's just not the case ever anymore. So yeah, it's overwhelming for everyone. And I think, um, the, I mean the only thing that I can do to handle that is really to pick some specific areas that I want to focus on and then kind of ignore everything else.
And so the things that I focus on are nation-state attacks, cyber warfare, exports of digital tools, uh, election security, things like that, and critical infrastructure. So I really had to narrow the focus just in order to manage what I'm taking.
[00:01:51] Bella DeShantz: And what made you, or why do you focus on those areas? What's important about those. Specific areas.
[00:01:58] Kim Zetter: Those are the areas that really interested [00:02:00] me. There's just so much going on and, um, it's the way that I've always actually handled my beat, is really follow what interests me, and that's worked to a certain extent.
I love intelligence. I love secrets, you know, digging into things, investigative stuff. So that's where my interests lie. And that's really sort of the yardstick that I use when I'm, when I'm looking at something, things that are happening: does it fall into the categories that I really care about and that I want to know more about.
So I'm really following my own curious.
[00:02:47] Jeremiah Roe: I personally like secrets too. So, uh, you're, you're right in my wheelhouse. Um, I like to, I like to find people's secrets, learn about people's secrets. And when I say people, I mean like, you know, intelligence stuff, that's just
[00:03:04] Bella DeShantz: I finished reading Countdown to Zero Day, uh, not too long ago actually. And I really loved it. Um, I thought that not only it, it does such a good job of, uh, kind of discussing the technical nature of Stuxnet, uh, of the, the malware, how it worked, what it did to the, what it did to Iran's nuclear program.
Uh, but beyond that, it really sort of feels like a spy thriller. I found myself reading and getting so caught up in the story, like what's going to happen next? Like how can this all be true? What inspired you to write about that? And then also, uh, not only to write about it, but to write the book in the way that you did.
[00:03:45] Kim Zetter: Well, I'm really happy to hear that it felt like a spy thriller to you. When I was approaching the book, I knew that I didn't want to write, I've been approached in the past about writing books and I really didn't want to write the books that I was [00:04:00] asked to write. I, I don't like reading books. I mean, there are a lot of really great books that I read for my work and they're really informative.
But I didn't want to write a book that was just straightforward. Okay. Here's the. On one thing, and then here's a separate chapter on another thing. And then another chapter on another thing. I didn't want to write a book like that. I wanted it to have some kind of narrative flow. I wanted to be a storyteller.
This is one of the first stories that I felt like was it merited book-length treatment and also had that ability to be told, uh, in sort of a narrative line. And so that was why I approached it the way I did. I wanted to write a story that I would want to read. And that included in, you know, adding all of those footnotes.
And I, I don't like when I read a book and the footnote is just a citation, you know, a title of a book or the title of an article. I want footnotes that are going [00:05:00] to expand on the things that are in the body of the work. And so you find more nuggets in the footnotes. I really loved that. Why I decided to do, tell the story at all, was it was just so meaty. Um, there wasn't that much written about cyber warfare at the time. The government wasn't, admitting that it was engaging in any of this. And, I really felt like there needed to be some public dialogue on the topic and it was just also so meaty in the sense that it, it wasn't just about the technical issues.
It was [00:06:00] the geopolitical context around it. So I wanted to tell that whole story of not just here's an attack and how it worked and how it was captured, but really why, why it was done and why this appeared to be the first one done by the U.S. Like when I, when I entered the story or when I, when I, when I was before I started the research, my assumption was that this was not the first attack like this from the U.S. I was convinced they'd been doing this probably for a decade, and we just didn't know about it.
And what I was surprised in, in learning.
[00:06:35] Jeremiah Roe: And this is, this is a decade prior to Stuxnet, right?
[00:06:39] Kim Zetter: Yes.
[00:06:40] Jeremiah Roe: Or a decade? Yes. Yes.
[00:06:41] Kim Zetter: Yeah, so Stuxnet was, Stuxnet was discovered in 2010. And I thought, I thought there was no way that something this sophisticated was the first. I felt like there must have been operations leading up to this that led to the development of something, um, of this scope. And also just, you know, it [00:07:00] was just so brilliantly done, um, that I felt like there, there had to have been other sort of practices at the very least.
Um, and then I was surprised to find that there, that there actually probably weren't. You know, what, General, uh, Mike, Mike Hayden told me was that there were so many legal restrictions around engaging in these kinds of operations, that it was just an utter headache for anyone to even propose doing something like this for the longest time.
And so I suppose that it really, you know, the danger that was imminent from Iran having a potential nuclear weapons, and also the urgency of Israel, uh, pounding on the U.S. doors saying something has to be done, that really sort of put this one over the, over the edge and convinced, you know, whoever was making these decisions that [00:08:00] this was doable in a way that wouldn't cause collateral damage.
And also wouldn't trigger.
[00:08:07] Jeremiah Roe: When Stuxnet came out and then it was identified and people started really investigating it and looking into it, like, that's, that's a game changing piece of malware, you know, nobody else had seen anything else like that anywhere.
And so. And that's one of the most interesting things for me. It's, it's, it's sort of the beginning of, so everything coming forward from that point has been based off of, can I make something as good and sort of world shattering as Stuxnet? Can I, can I build the next, whatever that was? And so it's, it [00:09:00] seems really interesting to me that we hadn't been doing those things prior to, as a buildup.
Like, I feel like we almost had to have been
[00:09:22] Kim Zetter: Well, there was electronic warfare. So you, the U.S. has a long history of engaging in electronic warfare. Um, you know, taking out communication systems, digitally. We have that going all the way back to the nineties, and, you know, Bosnia and things like that, where the government was engaging in this kind of activity, but for really strategic military purposes.
And so this was the first kind of example of this. And there had actually been proposals in the past of doing maybe something similar to this. During the [00:10:00] Iraq war, there had been a proposal to go into, the banking systems, and eliminate money or transfer money or something, belonging to Iraqi leaders.
And that was nixed because they didn't want to have some kind of collateral, implications of this. So, so there have been discussions about this and there have been there there's always been this desire to engage in this, but again, the legal limits, I suppose prevented it.
And I think post-Stuxnet, I think what Stuxnet really did was it, it taught a lot of countries that this is it's possible to do this. This is obviously acceptable if the U.S. and Israel were engaging it. And really why haven't we been doing this as well? And so that's been the problem post-Stuxnet is that everyone now is sort of picked on this as [00:11:00] a viable and legitimate way to resolve disputes, political disputes, diplomatic disputes, and not have repercussions for it because certainly the U.S. suffered no.
[00:11:13] Jeremiah Roe: Do you think that Stuxnet should have compelled the U.S. and other governments to take more proactive steps towards [00:12:00] protecting critical industry?
[00:12:01] Kim Zetter: Oh, yeah. I mean, it's funny though, because when Stuxnet was, when it was discovered that Stuxnet was targeting critical infrastructure and it's targeting industrial control systems, there was an expectation that we would probably get some blowback attacks against the same kind of systems here in the U.S. and we didn't for a long time.
But I think that, you know, it was a matter of, first of all, even recognizing this as a target. The infosec community didn't have an understanding and really didn't have anything to do with industrial control systems. All the focus was on IT systems, the business network, the corporate network, and they, they had been blind to that.
There were, there were people that were in the industry who specialized in this area, but they were so limited in that. And they certainly didn't have, kind of the attention of the public. And so Stuxnet really helped shine a light on industrial control systems as a [00:13:00] target at all. And the InfoSec community realized that they needed to school themselves on what these systems were, how they, how they were used, what their vulnerabilities were, and then of course what the potential risks were.
So I think that it took a lot of time to get up to speed. And then even then the government, the U.S. government wasn't paying attention. The Obama administration was the first administration to really sort of put cyber as, um, a priority, but they didn't really put critical infrastructure as a, as a priority in the sense of using the government's weight to force security on critical infrastructure.
And we're actually only seeing that, you know, in this last year, where the them and mandates in the wake of ransomware, uh, in the wake of the Colonial Pipeline
[00:13:52] Bella DeShantz: Why do you think it took like, you know, Stuxnet, like we've talked about it's it didn't happen yesterday. It happened a little while ago. Why did it take that, that story is so scary, right? Like there's, that's such a serious example of targeting critical infrastructure. Why did it take ransomware attacks?
Which to me at least, I mean, also scary, but at a different level,
[00:14:18] Jeremiah Roe: and not particularly
[00:14:20] Bella DeShantz: is it taking these ransomware attacks for people to start listening about, you know, securing critical infrastructure and industrial control systems and not things like Stuxnet.
[00:14:32] Kim Zetter: Well, Stuxnet happened overseas, it wasn't conducted by an enemy of the U.S., it wasn't targeting the U.S. We tend to react to things, right. We don't prepare for things. We react to things. And it's not that we reacted to ransomware because ransomware has been [00:15:00] going on for, I mean, you know, very aggressively against the U.S., against U.S. institutions has been going on since 2012, 2013.
It's only because it targeted something that was recognized as a national security risk and also an economic risk. It's really coming down to the economic issues around Colonial Pipeline, shutting down that pipeline. If Colonial Pipeline had not shut down that pipeline, I'm not even sure the attack on Colonial Pipeline would have had, the consequences that, that it did have.
It was really, you know, lawmakers on Capitol Hill, seeing people standing in line. Under what was really a fake manufactured shortage, because there wasn't a gasoline shortage, there was simply people panicking who created a shortage. And, and so I think that, you know, it's, it was really the economic factor here.
And the national scale of, uh, the, you know, the potential [00:16:00] consequences of a, uh, uh, gasoline shortage of, uh, of a fuel shortage that really sparked this. And, and as far as, you know, not addressing this stuff for a decade, Um, certainly with the election stuff, when we saw Russia trying to interfere in 2016, that woke up DHS, that it, someone somewhere needed to have some kind of authority or, influence over, election officials. And then I think from [00:17:00] there, it sort of naturally rolled out and that really depended on who was in DHS at the time.
You know, Chris Krebs, uh, took a big role in that and deciding, okay, we are going to see some authority here, and start taking this.
[00:22:47] Bella DeShantz: How do you think we can get consumers to care about that more? So, like we talked earlier about the type of stories that you cover and how they have to reach sort of a certain level of, uh, [00:23:00] maybe I don't know that the, what you said earlier, but, you know, like covering broader than just like personal security.
Um, and I think that there is like to me, and I think to a lot of folks that I know when we hear these stories online about big, you know, industrial control system attacks and ransomware, that seems so far away from like personal security online, but ultimately like it's, it's, you know, part of the same issue.
How do we get consumers to care? You know, both about the big, scary attacks, but also about their own personal security on.
[00:23:36] Kim Zetter: Well, I mean, you know, the Colonial Pipeline, you know, it's, it was industrial control system. It, it feels removed from people, but really brought that home of course, was the gasoline at the pump. And that's what got people, caring about it and that's what got the headlines. So I think that, you know, until it actually does hit home people seeing you to stories about [00:24:00] another breach of T-Mobile customers, I mean, how many, how many times is T-Mobile customer, information get breached, you know, uh, once a year, probably.
So I think that, you know, getting customers to care about it, it really, unfortunately it comes down to the same thing that gets lawmakers to care about it. Until it hits you personally, they don't. I mean, lawmakers, you know, they passed, uh, this is always sort of my standard. For years you could get information from department of motor vehicles about anyone from their driver's license information.
You could get information about, video rentals and it wasn't until a lawmaker who was running for office had his video rental history, publicly exposed that we got a law that said that you cannot, share video rental history information, which is, you know, it feels
[00:24:53] Jeremiah Roe: happened to be nefarious.
[00:24:54] Kim Zetter: inane information, right.
Um, that needs to be
[00:24:58] Jeremiah Roe: big, that was at a Blockbuster, [00:25:00] wasn't it?
[00:25:00] Kim Zetter: And that's the information and that's the information we got protected and not other information. So that's unfortunately the way it is when it hits, you know, law.
You recently wrote a piece for The New York Times, [00:27:00] uh, DealBook, sort of outlining the risk of the systemic cyber cyber attack against the financials. What would the consequences of, of that kind of an attack be? Um, maybe not just the immediate consequences, but some of those consequences that people don't necessarily think about from a secondary perspective.
[00:27:21] Kim Zetter: Well, we saw a parallel with the Colonial Pipeline, the run on gasoline. You know, the, I think the worst, concern for financial institution is the run on the banks. And not just among individual, uh, you know, bank account holders, but you know, large businesses who have, uh, lots of amount of money in those banks, money that they need at a moment's notice to cover payroll, um, to cover loans.
Um, that kind of thing, you know, the, the fear is that there would be some kind of, you know, residual panics, um, that would cause a run on banks. Now, as I wrote in the story, the banks are [00:28:00] supposed to have enough money on hand, uh, in cash, liquid liquidated that would cover all, all loans. If any loans were got called, um, all, um, all holdings within a bank.
So, so legally they are required, uh, to have enough money if they do have a run, uh, to, um, cover all that. But it's, you know, it's also the law, the loss of trust, um, in the bank system, I mean our entire financial sector runs on trust. You trust that your, when you send a bank transfer over the wire, that it is going to arrive and it's going to get approved and it's going to get deposited into your account.
And the accurate amount is going to get deposited. Now we have a certain amount of checks and balances over that, um, to ensure that, and we have also guarantees so that if it doesn't happen the way it's supposed to happen, the bank covers that and you don't cover it, um, to a certain extent. [00:29:00] There are limitations on that, of course.
Um, but that's the way we operate. We operate on this trust system with financial sector. And if you lose that, um, then you potentially have a situation where the, you know, the banking system could collapse. And I think that that's the biggest.
[00:29:21] Jeremiah Roe: that, that actually reminds me of something that you recently also wrote about, uh, from, uh, um, privacy. Perspective ultimately is about the Pegasus spyware case and how multiple, um, how there are multiple, uh, law enforcement agencies and intelligence agencies who were identified as, as utilizing this particular software, uh, to conduct surveillance operations, um, in a pretty or several unique instances.
I was wondering if you could elaborate a bit more on that.
[00:29:56] Kim Zetter: Yeah. I mean, so Pegasus has been around for a while and we've [00:30:00] seen, you know, stories trickling out about activists and journalists, who've been targeted with it and have suffered repercussions for it. Uh, some thrown in jail, some tortured. And I think, and also family members, I mean the journalists whose family members have been surveilled, not just the journalist.
Um, so we've seen these stories trickling out and then it really just sort of hit a head when we got the recent, um, sort of Pegasus Project, um, that was done by, um, multi more than a dozen, I think media outlets, who were privy to this list, that we still don't know the nature of this list. But it was identified as being a list of potential targets or a wishlist of people that Pegasus customers, NSO Group customers, um, would like to be spying on.
Um, it was a list of 50,000 and it's unlikely that this was actually a list compiled by NSO [00:31:00] and/or any single customer. It's unclear, what the nature of the list was, but it's the bottom line is that there are a subset, a small subset of people who are on that list, who actually were targeted with the Pegasus software.
[00:31:17] Jeremiah Roe: Just to, just to give those listeners a bit more of an idea. There's, there's a particular quote I'd like to read from your article. Um, that specifies the Pegasus tool gives NSO clients powerful abilities to remotely and surreptitiously extract stored and real-time data from phones without tipping off the user that their device is spilling its secrets.
Like this is heavy information. Think about where you go, location tracking, um, texts, information that's stored on the phone, like full gamut of collecting of data, browser history, social networks, all that sort of stuff.
[00:32:02] Kim Zetter: I w I want to put that in context though, because the NSO Group software, Pegasus, is made by an Israeli company called NSO Group. This software is sold primarily to governments, law enforcement, intelligence agencies. You're probably not going to be infected with this software unless you are of interest.
If you're an activist, if you're, um, a journalist, if you're, some kind of political, politically active in those kinds of countries that will go after you, um, using the software. But that doesn't mean that you won't be targeted by other kinds of software, um, that criminals and corporate espionage, actors will infect your system with. I think the most powerful, uh, is, is so it, the most powerful effect for anyone who's targeted with this is.
What, what websites you're going to visit. It is your email exchanges, your text exchanges, and also the ability to [00:33:00] turn on the camera and the microphone on the phone. Now I wrote a story about it says back in DEF CON, uh, probably a 2003, about a piece of malware that would surreptitiously turn on the phone microphone and turn that phone into a listening device.
So that's, you know, almost 20 years ago, now that capability already existed in the hands of cyber criminals or people who are doing corporate espionage. But I think it's only that, you know, the NSO Group got a lot of attention or the, the stories about it got a lot of attention and people get very, you know, uh, are sort of stunned by that.
But the majority, the vast, vast, vast majority of people are never going to be targeted with, with Pegasus. But they may be if you're working for a corporation like Apple or Microsoft or anyone else that has, intellectual property that China might want, or that your adversaries in [00:34:00] another country might want. Corporate espionage has been going on for decades.
And this enables that, you know, you, we take our phone everywhere. And when you go to the restaurant, you take that phone out and you put it on the tabletop with you. You put that phone, on the table, in the conference room when you're having meetings with your colleagues. So that's the.
[00:34:24] Bella DeShantz: It's helpful. And I think important to clarify that those of us that are not, uh, in, you know, that those of us that have kind of a regular role in society are probably not at risk of being targeted by this kind of software. Um, but I think for me, like knowing that this type of software exists still makes me nervous, like, just because I won't be targeted by some foreign government doesn't make me necessarily, you know, what about folks around me or [00:35:00] other just general danger?
I guess my, my question to turn this into a question. Is it still important for us who know that we won't be targeted by this level of attack to, to care about this and, and to make sure that we're protected against it just in case.
[00:35:17] Kim Zetter: Absolutely. Yes. And, and the thing is, is that you or the people around you can very well be targeted by, for instance, stalkerware, um, by a spouse or an ex, um, you know, those kinds of things, you can very easily be infected by that stuff. Uh, parents put tracking software on their, on their children's mobile phones.
Um, well, you know, that tracking software can be taken over by an adversary, not adversary, but by criminals, whatever, you know, we see this sort of thing. Like with baby monitors, it seems like the most innocuous thing you can put in your house. And then of course, hackers are taking over the baby monitors and those baby monitors are not just recording the sounds in your [00:36:00] child's room, but they are recording videos, in your house, your home.
You know, surveillance system can be hacked into, and then someone can be watching you, if you've got surveillance in the bedroom or if you've got surveillance anywhere else in the house, and your family members are engaging in conversations that can be picked up. Um, Alexa can be picking up conversations.
We've seen that. So I think that, you know, it's not just, I mean, focusing on the phones is important, but I think that people need to have a broader awareness of all of these things that feel very convenient. All of the technologies that you bring into your home, that you love because of what they can do for you have a double edge to them, and you have to understand the risks and potential consequences of bringing that stuff into your home of using it of, um, installing apps on your phone.
I mean, people will install anything on their phone. Um, if it's a game or it helps them [00:37:00] shop or, um, allows them to find restaurants. I mean, you know, I guess I'm saying that we focus too much on the stuff that makes the headlines and completely ignore the innocuous things that are, that you're downloading onto your phone with no thought at all.
Um, and those things are spying on you as well.
[00:37:17] Bella DeShantz: Yeah, this is my, my friends get so tired of me complaining about all of their smart home devices, smart home devices, but it's, it's, there's a real reason to be concerned. So on a, on a slightly different note, uh, you've written a lot about election security, uh, and I want to know, were you surprised by how politicized election security became in the last election?
And do you think that that will maybe hinder any progress that has been made for election security, uh, across this.
[00:37:52] Kim Zetter: I'm not surprised at the politicization. I've been writing about election security for a long time, and I think the problems, um, are not, uh, there, there are some concerns, obviously that it's become so politicized since the last election that it's hard to discuss, uh, vulnerabilities in voting systems because there's a fear of someone using it, to, to politicize, uh, and, you know, falsely talk about, uh, fraud in elections.
That didn't happen. So there is a concern of that, but I think it's, it was, it was more concerning that for 20 years, no one was paying attention. So all of the security experts, uh, talking about problems with election security and election officials really not paying any kind of mind to them simply because the voting machine [00:39:00] vendors told them don't pay any attention to these.
What I want to say is you're asking me, you know, if that's, if the politicization is a problem on, taking election security seriously now, and I say no to that. The problem was that election security wasn't taken seriously before. [00:40:00]
[00:40:01] Jeremiah Roe: With the information that's been available from say Stuxnet for the last 10 years, we should have had the ability to fix systems and prioritize systems to be focused on from a security perspective with election security.
We've had, you know, a number of years for election security to be focused on and developed and really secured and honed. And, and, and it seems like we haven't been able to do that. Do you think that there's a connection between, um, either people's inability to drive success in the realm of security, or is it more of a, of a budgetary funding perspective
[00:40:49] Kim Zetter: I,
[00:40:50] Jeremiah Roe: that you've seen?
[00:40:51] Kim Zetter: The budget comes when you make it a priority. I mean, when it's clear that this is something that you have to do, you're going to find the budget. Um, when regulation comes down, you have [00:41:00] no choice, but to find the budget for it. Um, so it really is, uh, is a top down issue here.
I, in critical infrastructure, everyone thought, you know, why would anyone come after my manufacturing facility? Or why, why would anyone target this small little dam, you know, uh, in upstate New York or something, um, you know, in Florida where we had the water treatment plant years, you know, years, a decade since Stuxnet and this water treatment plant in Florida, is not using two factor authentication.
So it, it really is, uh, you know, it's the responsibility of all of the people who are administering and controlling and owning these facilities to take it seriously. But also in the case of that Florida municipality, they didn't have the., and these are, this is a government issue because those municipalities are, you know, the, the critical infrastructure, water treatment plants, are controlled [00:42:00] by the municipality.
[00:42:12] Jeremiah Roe: So you see people's push nowadays, right? Like why can't the government just get up, you know, up-to-date with things that are currently going on, why don't we just do with, um, election, you know, uh, election capacities? Why don't we just do things from a remote capacity? Let me elect for my computer. Let me like, from my mobile phone, let me you know, let me do
[00:45:35] Kim Zetter: Well, I'm not the only one saying this. The, the fence looked into this, NIST looked into this, multiple government agencies looked into this and they all concluded that given the current state of technology and given the way we do elections in the U.S. and how there has to be, um, anonymity in casting a ballot.
Um, and the fact that the voting would be done on someone's at-home device that cannot be [00:46:00] secured. Um, there is absolutely no way currently, and there's no logical way going forward, given what we have and the way we do elections for this to ever be.
[00:50:51] Bella DeShantz: You’ve done so much work on election security. Can you tell us just one story that you think had a really significant impact?
[00:51:02] Kim Zetter: One story that I wrote about election security that stands out for me, um, because it was kind of a holy grail, uh, in covering election security for so long.
And that was a story that I wrote in 2000, I think it was 18 or 19, about, we finally actually had proof that voting machines were connected to the internet. Now, as long as I've been covering, election officials and voting machine vendors had been telling me and telling everyone else that these voting machines are never connected to the internet and therefore they can't be hacked.
That latter part of course is not true, regardless of whether they're, they're connected to the internet or not. Anything can be hacked. And if it's not, and anything that's not connected to the internet can still be hacked. If you've got a rogue insider, or if you've got that system, that's not connected to the internet, somehow communicating with [00:52:00] another system that is connected to the internet. Um, you know, election workers will, will often plug in their phone, uh, to be charged, um, on an election management system.
So, so the story that, you know, that was a surprise for me, was to find out that researchers actually, you know, were able to trace and track these systems and they, you know,
And this was, uh, you know, this was a lie that was being told after the 2016 election. Election officials were trying to assure everyone that there was no way that anyone could have hacked the 2016 election because the voting machines are never connected to the internet. The intention there was to calm the public and to, and to not create the kind of panic that we saw, of course, in 2020.
So I understand the reason and the impulse to calm everyone and say the voting machines are never connected to the internet. There was no way they could have been hacked, but it was also a deception.
They'd been told by the voting machine vendors, they weren't connected to the internet. So that was a story that really stood out for me.
And even I, I contacted DHS [00:54:00] before I published that story. DHS had been given this information, and other entities had been given this information about the voting machines connected to the internet months before, a year before.
Um, and there've been zero action on. So, it's, it's just, you know, it's a frustration, when these things do kind of hit a tipping point that it took, it took a long time for them to reach that point.
[00:54:26] Jeremiah Roe: When I see those kinds of things that really irks me inside a little bit, um, I do have a question about a substance that you recently created, uh, well, not recent, but a Substack that you did create called Zero Day. Um, and I'm kind of curious what recently led you in that direction?
[00:55:00] Kim Zetter: I went in that direction, really, it was a measure of where we were in the pandemic at that point. I've been doing freelance since 2016 and freelance budget started to freeze up in the pandemic. And so there wasn't a lot of, and also a lot of the focus of journalism turned to the pandemic. So there was a move away from, you know, buying stories about security.
So it was really a measure of sort of hearing from other journalists, what they were doing and how successful it was working out for them and feeling like, if freelance budgets are drying up, I needed to find some other income. I also earned half my income through speaking engagements.
And so those started drying up because conferences got canceled. So it was really a measure of trying to find some alternative way of, to bring in some income during the pandemic. And so a lot of people were trying to convince me of, of [00:56:00] going independent life. And I just decided to give it a try. I really didn't expect much from it.
I didn't know. I didn't think anyone would notice. I thought that I would just sort of do it quietly and then see how it went and maybe drop it after a month or so, because I really didn't expect it to be, it to take off. I don't think it's the future of journalism. I think that there is a desire among journalists. Do you have more control over their work to get a better value for their work?
So there's really this desire on the part of journalists to find some kind of independent way to control their time, to control, um, their talent and to control what they produce. But I don't think it's a replacement for regular media. I don't think it ever will be.
[00:58:00] Bella DeShantz: Uh, do you have plans for another book at.
[00:58:06] Kim Zetter: I'm always looking for what will be. Again, that criteria for me is that it has to be media enough, and it has to be something that I can do in a way that can be done as I'm telling a story. I think that that's, you know, that book was two years. It took me two years to do that nights and weekends and holidays.
And now if I'm going to take something like that on it's really gotta be something that I'm feeling that I want to read the story, um, as much as I hope everyone else would. Um, so that's kind of a high bar.
[00:58:42] Jeremiah Roe: So for those listening, um, where can we hear more from you and find your book Countdown to Zero?
[00:58:49] Kim Zetter: Uh, the book's available on Amazon. You can buy it there in either hardcover, paperback, or Kindle or audio. Um, you can find my work. I mean, I'm P I'm [00:59:00] publishing on the Substack and Zero Day and I'm on Twitter. So people can always follow me and see what my interests are and what I'm writing through Twitter as well.
[00:59:56] Jeremiah Roe: And in closing there's one last thing that we ask all of our [01:00:00] guests on the show.
[01:00:23] Jeremiah Roe: What is it that we wouldn't know about you or that people wouldn't know about you by looking at your Twitter or LinkedIn profiles?
[01:00:31] Kim Zetter: I love the gossip rags, or
[01:00:35] Jeremiah Roe: Oh
[01:00:36] Kim Zetter: You would, because I tweet a lot from People magazine. But, yeah, I tell people there's, it's, it's my palate cleanser. I do. So
[01:00:45] Jeremiah Roe: That's great.
[01:00:46] Kim Zetter: I do so much heavy reading for my work. Um, so much technical stuff, and government reports and it's all just so dry. And I mean, it's, it's fascinating because I love the topic, [01:01:00] but I also just need sometimes pretty pictures.
Um, and that,
these,
[01:01:07] Jeremiah Roe: I feel like you just described my whole capability of reading right there. Sometimes it just need pretty pictures.
[01:01:13] Bella DeShantz: This is how I feel about reality TV.
[01:01:15] Kim Zetter: I'm not ashamed of it. I'm not ashamed.
[01:01:18] Jeremiah Roe: That's. Thank you so much, Kim.
[01:01:20] Kim Zetter: You're welcome. Thanks for having me.
[01:01:22] Bella DeShantz: This was great. Thank you so much. It was great. It was really great talking to you.