Nicole Perlroth, This is How They Tell Me the World Ends. Bloomsbury Publishing: New York, 2021.
Reviewed by Sheldon Greaves
To the average observer, the breathless pace of breaking events and emerging trends in the world of cybersecurity militates against anyone writing a thoughtful, encompassing narrative of how we arrived at the present state. However, Nicole Perlroth, a cybersecurity journalist for the New York Times, has written a bracing and highly informative account of the cyber-weapons arms race. It is a story of brilliance, greed, and profound arrogance that has created a situation that quite literally puts all of us at increased risk.
Broadly speaking, the story begins with well-meaning computer programmers and hackers attempting to point out bugs in commercial software to companies that were not interested in listening. At best, a report of a bug would be ignored. Often, companies would threaten bug reporters with lawsuits. Gradually a market developed in which third-party companies would pay hackers to report bugs for a cash bounty, and the companies would confirm the problem, develop a solution, and then offer this to software companies who subscribed to the bug reporting service.
Gradually, however, the market dried up. Someone was quietly buying up bugs at ridiculously high prices, but then swearing the hackers who discovered them to total secrecy. The buyers were particularly interested in bugs that could be used to surreptitiously break into other computers and networks. It later came out that the buyers were from the U.S. Intelligence Community, with other governments eventually also getting into the game. These bugs or “exploits” were then built into powerful penetration tools for conducting cyber warfare, allowing intelligence agencies to access unprecedented amounts of intelligence.
This created a number of problems, not the least of which was that for these exploits to work, the bugs in many widely-used software packages, operating systems, and hardware had to go unpatched. This meant that the vulnerabilities remained open to anyone who managed to discover them. Add to this the dynamics of greed on the part of programmers and hackers: the former pariahs of the software industry suddenly could get five- or six-figure payoffs for a potent bug. They sold these exploits, often knowing full well that the bugs would go unpatched, and that in the wrong hands they could create havoc on the Internet.
The other dynamic was one of hubris. The NSA managed to insert “backdoors”—hidden entry points—into practically anything that could connect to the Internet. Over time, no one had a deeper or more comprehensive panoply of exploits and sophisticated penetration tools than the National Security Agency, followed closely by the CIA. For several years, the United States quietly enjoyed near-supremacy in cyberspace despite the occasional successes of unfriendly nations. Perlroth quotes Peter G. Neumann, one of the deans of American cybersecurity: “The NSA’s fatal flaw is that it came to believe it was smarter than everyone else.” Few of those who were in the know were willing to consider what might happen if their capabilities were revealed, let alone if their tools were leaked.
Two events were pivotal. The first was the use of the Stuxnet worm by the United States and Israel to disrupt Iranian efforts to produce enriched uranium by destroying their centrifuges. Stuxnet was supposed to do its job and then disappear, but it managed to escape from the Natanz facility. Other powers studied Stuxnet and learned from it. Soon Stuxnet code fragments were showing up in other cyber attacks. The second event was the bombshell disclosures of Edward Snowden, who revealed a fraction of the NSA’s cyberwarfare capabilities.
Perlroth paints a picture of a growing competence in other nations’ ability to conduct cyber operations, an arms race made more urgent by the fact that exploits have a limited lifespan, averaging about seven years if they are kept secret. Cyber weapons have become the poor nation’s weapon of mass destruction; computers are cheap. One just has to find people with the right skills; it’s mostly a matter of knowing where to look and cultivating talent.
But the dénouement of the story was when a mysterious group known as the “Shadow Brokers” managed to gain access to the NSA’s collection of exploits and penetration tools, and leaked them to the rest of the world, followed shortly by a similar release of CIA cyber weapons. Where Snowden had merely revealed the existence of these tools, the Shadow Brokers delivered the actual goods; the literal keys to the kingdom. Since then, cyber attacks have grown more aggressive and effective. Many of the most damaging attacks of recent years have used code from the Shadow Brokers’ arsenal. As of this writing, the identity of the Shadow Brokers remains unknown.
Perlroth’s reporting also covers the internet campaigns aimed at the U.S. voter and efforts, mostly by Russia, to disrupt the 2020 presidential election, which were aided not only by the inaction of the Trump Administration, but also by the role of President Trump as a major vector of disinformation. In fact, Russian internet trolls found it much easier simply to amplify domestic disinformation than to create their own. Other missteps by the White House, notably launching a trade war with China and scrapping the Iran nuclear treaty, created additional international friction leading to hostile actions against the United States.
The picture painted by This is How They Tell Me the World Ends is not one of unbroken gloom; Perlroth points to efforts by the software industry, working in concert with the government, to devise practical and effective defenses to protect the nation’s data, infrastructure, and the privacy of its citizens. It will take a long, hard fight to back us away from the precipice, but the first step is clearly to reexamine the priorities of our cyber warfare capabilities that elevated exploiting flaws in systems over patching them. The larger lesson, I suspect, will be that a security posture is unsustainable if one’s security depends on the insecurity of everyone else.