
This Is How They Tell Me the World Ends

by Nicole Perlroth

14 min read · Rating: 4.3 (9,478 ratings)

Introduction

In "This Is How They Tell Me the World Ends," Nicole Perlroth takes readers on a chilling journey through the shadowy world of cyber weapons and digital vulnerabilities. As a cybersecurity reporter for the New York Times, Perlroth has spent years investigating the growing threat of cyber attacks and the global arms race for digital weapons. This book serves as a wake-up call, revealing just how vulnerable our increasingly connected world has become to malicious actors, whether they be nation-states, criminals, or hackers for hire.

The story begins with a stark example of the real-world consequences of cyber warfare: in December 2015, Russian hackers (the GRU-linked group later known as Sandworm) cut electricity, and with it heat, to roughly 230,000 customers in western Ukraine in the middle of winter, demonstrating that they could take control of critical infrastructure from a distance. This attack was not an isolated incident but rather the culmination of years of escalating cyber conflicts between nations. Perlroth's book delves into the history, key players, and potential future of this new form of warfare, painting a picture of a world teetering on the brink of digital chaos.

The Rise of Zero-Days

At the heart of the cyber arms race are "zero-days" - flaws in hardware or software that the vendor does not yet know about, and for which no patch therefore exists, that can be exploited to gain unauthorized access to systems. Perlroth explains the name: when such a flaw is first exploited, the developer has had "zero days" to fix it. The practical consequence is that no amount of patching protects a target until the vendor learns of the flaw; and, as later chapters show, even after a patch ships the exploit keeps working against every system that has not applied it.

The author's journey into the world of zero-days began in earnest after Edward Snowden's revelations about the NSA's extensive surveillance capabilities in 2013. These leaks showed that the NSA had accumulated a significant arsenal of zero-days, providing access to widely-used apps, social media platforms, phones, computers, and operating systems. Contrary to popular belief, companies like Apple and Microsoft were not willingly collaborating with the NSA; in fact, they were furious to learn that the agency had been withholding information about vulnerabilities in their products.

Perhaps even more concerning is the revelation that the NSA often purchased these zero-days from hackers around the world using taxpayer money. This practice has given rise to a morally ambiguous marketplace where digital vulnerabilities are bought and sold to the highest bidder, often with little regard for how they might be used.

The Zero-Day Market: A Shadowy Ecosystem

Perlroth's investigation into the zero-day market reveals a complex and secretive ecosystem. Hackers who discover these vulnerabilities often sign non-disclosure agreements when selling their findings, preventing them from discussing the details of their sales for a specified period. This secrecy makes it difficult for sellers to determine fair prices for their work and for buyers to verify the authenticity and exclusivity of the zero-days they purchase.

The market operates on a precarious balance of trust. Sellers must trust that buyers won't simply test their zero-day and then use it without payment, while buyers must trust that sellers won't resell the same vulnerability to multiple parties. This system is fraught with potential for abuse and double-crossing, yet it continues to thrive due to the immense value placed on these digital weapons.

The author recounts her attempts to learn more about this market at a hacker convention in Florida, where she encountered resistance from hackers unwilling to discuss their business practices. This reluctance to share information is a common theme in the zero-day world, where secrecy is paramount and the consequences of revealing too much can be severe.

The Evolution of the Zero-Day Market

Perlroth traces the evolution of the zero-day market from its early days in the early 2000s to its current state as a multi-million dollar industry. Initially, hackers would often post their discoveries on message boards or attempt to bring flaws to the attention of companies like Microsoft. However, they were frequently met with hostility and legal threats rather than gratitude.

The landscape began to change when companies like iDefense recognized the value in paying hackers for their discoveries. This approach allowed them to provide their clients with valuable information about potential vulnerabilities, creating a win-win situation for both hackers and businesses.

However, the market took a significant turn when government intelligence agencies, flush with post-9/11 budgets, began entering the fray. Unlike security companies, these agencies were not interested in patching vulnerabilities; instead, they sought to keep them secret for use in surveillance and cyber operations. This shift in the market dynamic led to a situation where taxpayer money was being used to keep vulnerabilities in widely-used products a secret from both the companies that made them and the general public.

The Moral Dilemma of Zero-Days

The zero-day market presents a significant moral quandary for those involved. Hackers who discover these vulnerabilities often justify their work by claiming they are merely exposing flaws in systems and not responsible for how their discoveries are used. However, as the potential for harm becomes increasingly apparent, some in the community have begun to question the ethics of their work.

Charlie Miller, a former NSA employee turned independent hacker, serves as an example of someone grappling with these moral issues. After selling a significant zero-day to an unnamed government buyer, Miller became disillusioned with the secretive and unfair nature of the market. He decided to publish an academic paper (2007's "The Legitimate Vulnerability Market") exposing the inner workings of the zero-day trade, despite pressure from the NSA to remain silent.

Miller's actions sparked a debate within the hacker community. Some viewed him as a traitor for breaking the unwritten code of silence, while others praised him for shedding light on a market that often exploited hackers' work. This incident highlighted the growing tension between those who saw zero-days as a legitimate business and those who were becoming increasingly concerned about their potential for misuse.

The Global Impact of Zero-Days

The proliferation of zero-days has had far-reaching consequences on a global scale. As more countries entered the market, the demand for these digital weapons skyrocketed. Perlroth describes how countries like Israel, Russia, and India began investing heavily in cyber capabilities, often matching or exceeding U.S. spending on zero-days.

The author highlights the case of Vupen, a French company that saw its sales to government agencies double year-over-year. The company's founder, Chaouki Bekrar, made no secret of his indifference to the ethical implications of selling zero-days to any government willing to pay, regardless of its human rights record.

This unrestricted sale of cyber weapons has led to a situation where oppressive regimes can easily acquire tools to monitor and suppress dissidents, journalists, and innocent civilians. The July 2015 leak of internal emails from the Italian surveillance vendor Hacking Team revealed the extent of this problem, showing that the company had sold its spyware, and the zero-days it relied on, to governments with notorious human rights records, including Sudan and Saudi Arabia.

The Stuxnet Watershed

A pivotal moment in the history of cyber warfare came with the deployment of Stuxnet, a highly sophisticated computer worm believed to have been developed by the United States and Israel to sabotage Iran's nuclear program. Perlroth provides a detailed account of Operation Olympic Games, the covert mission that led to the creation and deployment of Stuxnet.

The worm was a marvel of engineering. It carried a chain of exploits, four of them Windows zero-days, alongside stolen code-signing certificates, and it was carried in on removable media and contractor laptops because the enrichment plant's control network was not connected to the internet. Once inside, Stuxnet looked for Siemens industrial controllers driving the centrifuges used for uranium enrichment, sped the rotors up and slowed them down far outside their normal operating range, and meanwhile fed operators a replay of previously recorded normal readings so that the damage stayed hidden until the machines failed.
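To make the "hiding the damage" idea concrete, here is a toy simulation added for this summary; it is not Stuxnet's code and not from the book. A rotor model follows a drive command, a hijacked reporting path replays recorded healthy readings to the operator screen once the attack starts, and a separate check compares what the screen shows against an independent signal (motor power draw, modelled here by an invented constant). The drive frequencies reused as constants are the ones given in public analyses of Stuxnet; the rotor dynamics, the power model and the tolerance are assumptions chosen for illustration.

```python
from collections import deque

# Illustrative constants. Nominal, overspeed and underspeed frequencies follow
# published Stuxnet analyses; POWER_PER_HZ and the rotor lag are invented.
NOMINAL_HZ = 1064.0
OVERSPEED_HZ = 1410.0
UNDERSPEED_HZ = 2.0
POWER_PER_HZ = 0.01        # assumed: motor power draw proportional to speed


def rotor_step(hz, cmd_hz):
    """Rotor moves halfway toward the commanded frequency each tick (assumed lag)."""
    return hz + 0.5 * (cmd_hz - hz)


def simulate(steps=40, attack_from=20):
    """Return rows of (t, true_hz, shown_hz, power).

    Before attack_from the controller commands the nominal speed and records
    what it reports. From attack_from on it alternates over- and underspeed
    commands in five-tick bursts while replaying the recorded readings to the
    operator screen, so shown_hz never reflects the real rotor speed.
    """
    hz = NOMINAL_HZ
    recorded = deque()          # healthy readings captured for later replay
    rows = []
    for t in range(steps):
        attacking = t >= attack_from
        if attacking:
            cmd = OVERSPEED_HZ if (t // 5) % 2 == 0 else UNDERSPEED_HZ
        else:
            cmd = NOMINAL_HZ
        hz = rotor_step(hz, cmd)
        power = POWER_PER_HZ * hz          # the physical side-channel
        if attacking:
            shown = recorded[0]            # replay, then advance the loop
            recorded.rotate(-1)
        else:
            recorded.append(hz)
            shown = hz
        rows.append((t, hz, shown, power))
    return rows


def hmi_looks_healthy(rows, tolerance_hz=25.0):
    """True if every reading the operator saw was within tolerance of nominal."""
    return all(abs(shown - NOMINAL_HZ) <= tolerance_hz for _, _, shown, _ in rows)


def max_true_deviation(rows):
    """Largest real departure from nominal speed over the run."""
    return max(abs(hz - NOMINAL_HZ) for _, hz, _, _ in rows)


def first_alarm(rows, tolerance_hz=25.0):
    """Tick at which an independent check would fire, or None.

    Infers speed from power draw and compares it with the displayed value;
    the replayed readings cannot keep the two consistent once speed changes.
    """
    for t, _, shown, power in rows:
        inferred_hz = power / POWER_PER_HZ
        if abs(inferred_hz - shown) > tolerance_hz:
            return t
    return None


if __name__ == "__main__":
    run = simulate()
    print("operator screen looked healthy:", hmi_looks_healthy(run))
    print("largest real deviation (Hz):   ", round(max_true_deviation(run), 1))
    print("independent check alarms at t =", first_alarm(run))
```

The design choice worth noticing is that the alarm comes from a measurement the compromised controller does not mediate. Any check that only re-reads values the controller reports would, like the operators at Natanz, see a perfectly normal plant.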

However, Stuxnet did not stay inside the Iranian facility. By June 2010, when a small Belarusian antivirus firm first identified it on customers' machines, the worm had already spread across the globe. This unintended consequence highlighted the inherent risks of developing and deploying such powerful cyber weapons. As security researchers around the world dissected Stuxnet's code, its secrets were laid bare for anyone to study and potentially repurpose for their own attacks.

The Stuxnet incident marked a turning point in cyber warfare. It demonstrated the potential for digital weapons to cause physical damage to critical infrastructure and raised alarming questions about the unintended consequences of their use. Moreover, it ushered in a new era of cyber arms race, as countries around the world sought to develop their own Stuxnet-like capabilities.

The Escalating Cyber Arms Race

In the wake of Stuxnet, the global market for zero-days and cyber weapons exploded. Perlroth describes how countries around the world, from major powers to smaller nations, began investing heavily in offensive cyber capabilities. This led to a rapid increase in the number of brokers selling surveillance technology and a corresponding rise in the prices commanded by high-quality zero-days.

The author highlights the case of David Evenden, a former NSA employee who left to work for CyberPoint, a company in the United Arab Emirates that offered significantly higher pay than government agencies. Evenden's experience illustrates the ethical challenges faced by many in the industry, as he eventually quit when he realized his work was being used to target political dissidents rather than terrorists.

The proliferation of cyber weapons has led to a situation reminiscent of the nuclear arms race during the Cold War. Countries are stockpiling digital arsenals not necessarily for everyday use, but out of a belief that it's better to have these capabilities than to be caught without them. This mentality has driven the continued growth of the zero-day market and the development of increasingly sophisticated cyber weapons.

The Google Hack and Its Aftermath

Perlroth recounts the watershed moment in late 2009 (disclosed publicly in January 2010) when Google discovered that Chinese hackers had infiltrated its network and stolen source code. This incident, attributed to an elite Chinese hacking group that Perlroth calls Legion Yankee, marked a turning point in how major tech companies approached cybersecurity.

In response to the hack, Google implemented a bug bounty program, offering rewards of up to $31,337 (spelling out "elite" in hacker code) for verified flaws in its products. This approach, while not offering payouts as high as those available on the international market, provided hackers with the ability to publicly claim credit for their discoveries and avoid ethical concerns associated with selling to government agencies.

Other tech giants like Microsoft and Facebook followed suit, implementing their own bug bounty programs. However, some sellers, like Vupen's Chaouki Bekrar, scoffed at these rewards, claiming they could earn far more by selling to government clients. This tension between public and private markets for zero-days continues to shape the cybersecurity landscape.

The incident also spurred tech companies to take security more seriously, shifting from a focus on rapid product releases to a more measured approach that prioritizes testing and security. Microsoft, for example, began receiving around 200,000 vulnerability reports annually, highlighting the scale of the challenge facing major software providers.

Cyberweapon Diplomacy and International Tensions

Perlroth explores how cyber capabilities have become a critical component of international diplomacy and conflict. During the Obama administration, efforts were made to neutralize cyber threats from Iran and China through diplomatic means. The Iran nuclear deal in 2015 seemed to temporarily reduce attacks from that country, while a summit between Obama and Chinese President Xi Jinping led to an agreement to cease intellectual property theft.

However, these digital truces proved fragile. The election of Donald Trump and shifting geopolitical dynamics soon led to a resurgence in cyber activities from both Iran and China. Meanwhile, Russia emerged as a major cyber threat, with attacks on critical infrastructure becoming increasingly common.

The author describes the Russian hacking group dubbed Sandworm, which specifically targeted the industrial control software used in water treatment facilities, electric grids, and oil and gas pipelines. Its attacks on Ukraine's power grid in December 2015 and again in December 2016 served as a stark demonstration of Russia's capabilities and a warning to other nations about the potential consequences of crossing Moscow.

This new reality has ushered in an era of digital mutually assured destruction, where nations possess the capability to cause significant harm to each other's critical infrastructure. Despite the clear dangers, the world has continued to increase its reliance on internet-connected devices and systems, further expanding the attack surface for potential cyber warfare.

The Shadow Brokers and the NSA Leak

One of the most significant events in recent cybersecurity history was the 2016 leak of NSA hacking tools by a group calling themselves the Shadow Brokers. Perlroth provides a detailed account of this incident and its far-reaching consequences.

The Shadow Brokers claimed to have obtained a collection of NSA cyberweapons, which they began releasing onto the internet for anyone to use. Among these tools was EternalBlue, an exploit for a flaw in Microsoft's SMBv1 file-sharing protocol that let an attacker take over an unpatched Windows machine over the network with no user interaction, and therefore let malware spread from machine to machine on its own. Microsoft had issued a patch (MS17-010) in March 2017, a month before the public release, but enormous numbers of systems had not applied it. The release of these tools was described by one former NSA employee as giving away "the keys to the kingdom."

The leak of EternalBlue and other NSA tools had immediate and severe consequences. Within weeks, Perlroth reports, the number of computers infected through EternalBlue quadrupled. Malicious actors, including nation-states and cybercriminals, quickly incorporated these powerful tools into their own arsenals.

One of the most significant outcomes was the rise of ransomware attacks. North Korea, in particular, turned to ransomware built on EternalBlue as a way to generate revenue. The WannaCry attack in May 2017, attributed to North Korea, spread to 150 countries within 24 hours, causing widespread disruption and financial losses; its spread was cut short only because a researcher registered an unregistered domain name that the malware checked before running, an accidental kill switch.

Similarly, Russia incorporated EternalBlue into its NotPetya malware in June 2017. Delivered through a poisoned software update of a Ukrainian accounting package and built to destroy data rather than ransom it, NotPetya caused billions of dollars in damages to companies worldwide. The proliferation of these tools has led to a surge in ransomware attacks on American towns and cities, with over 600 such incidents reported between 2019 and 2020.

The Urgent Need for Action

As Perlroth concludes her investigation, she emphasizes the critical need for immediate action to address the growing cyber threats facing the world. The author reflects on a photo she encountered of a New Zealand hacker wearing a t-shirt with the message "SOMEONE SHOULD DO SOMETHING" emblazoned across the chest, underscoring the urgency of the situation.

While acknowledging that achieving complete security for computer networks is likely impossible, Perlroth argues that significant improvements can and must be made. She criticizes the historical emphasis on offensive capabilities at the expense of defensive measures, particularly in the United States. The author calls for a shift in focus towards rigorous testing and security measures before products are released or systems are put online, citing the examples of Norway and Japan, where government regulations have led to significant reductions in cyberattacks.

Perlroth also advocates for the reestablishment and strengthening of the role of national cybersecurity coordinator, which the Trump administration eliminated in May 2018. She suggests new rules for the government's handling of vulnerabilities (the Vulnerabilities Equities Process), including time limits on how long intelligence agencies can keep zero-days secret and public advisory notices when vulnerabilities are discovered.

Final Thoughts

"This Is How They Tell Me the World Ends" serves as a stark warning about the dangers posed by the proliferation of cyber weapons and the vulnerabilities inherent in our increasingly connected world. Nicole Perlroth's extensive research and compelling narrative style bring to life the complex and often shadowy world of zero-days, hackers, and nation-state cyber operations.

The book highlights the urgent need for a global reassessment of cybersecurity priorities. As nations continue to stockpile digital weapons and critical infrastructure becomes increasingly vulnerable to attack, the potential for catastrophic consequences grows ever larger. Perlroth's work underscores the importance of international cooperation, responsible disclosure of vulnerabilities, and a renewed focus on defensive measures to mitigate these risks.

Ultimately, "This Is How They Tell Me the World Ends" is a call to action for policymakers, tech companies, and individuals alike. It challenges readers to confront the reality of our digital vulnerabilities and to demand more robust protections for the systems and networks that underpin modern society. As we continue to integrate technology into every aspect of our lives, the lessons and warnings contained in this book become increasingly crucial for safeguarding our collective future.
