This Is How They Tell Me the World Ends: The Cyberweapons Arms Race by Nicole Perlroth. Nicole covers cybersecurity and digital espionage for The New York Times. This is certainly one of the more anticipated books addressing a new cyber arms race. More than ever before, it is imperative to understand how a global market for Zero Day exploits began and how it is tipping the scales today.
Quite frankly, Nicole’s reporting will stun readers. This book will also surprise long-time IT professionals.
As so often happens in life, a ‘stumbling’ idea took hold by chance. In 2003 a company began buying exploits from hackers for as little as $75. Fast forward to today: a good iOS zero day commands over $3 million.
Nicole begins her reporting role at the NYTimes by reviewing secret documents leaked by Edward Snowden and Glenn Greenwald.
These of course revealed the illegal spying on American citizens by the Bush Administration. At the same time, this project was tapping phone calls of German Chancellor Angela Merkel. The Guardian obtained copies via Greenwald, who passed a copy to the NYTimes. This proved to be her introduction to the cyber world.
In addition, Nicole retells the hard lessons from Soviet spying (actually from within the US embassy) in Moscow back in the 1950s. This provides a good baseline for understanding today’s advanced attacks, including the resources and dedication necessary to carry them out.
Cyber weapons for Board rooms
Chapter One’s Closet of Secrets is certainly mandatory reading for organizational leaders. It will become very apparent that organizations must reconsider their outdated understanding of information security. One cannot walk away from this book ignoring an often-repeated message: your organization has already been hacked, or your organization does not yet realize it has been hacked. Thus, Nicole makes the case in her interviews with hackers that every computer, phone, network, or storage drive has been compromised.
Zero Days as weapons
Perhaps the most important message of this book is how Nicole documents that known flaws in software developed into an extremely lucrative market:
At the most basic level a zero-day is a software or hardware flaw for which there is no existing patch. They got their name because, as with Patient Zero in an epidemic, when a zero-day flaw is discovered, software and hardware companies have had zero days to come up with a defense.
p.44
Unquestionably, learning how ‘stacking’ three to four Zero Days together gains invisible access and control of any computer, mobile phone, or web browser is deeply concerning. Perhaps it will be just as shocking to learn that a market for Zero Day exploits has been quickly growing over the last 15 years, for terrorist organizations and governments alike.
It’s all about quick profits. Hackers are hoping their exploit can go undetected for perhaps 8 to 14 months. This provides their clients time to sit inside your network monitoring data flows while invisibly exfiltrating data from your organization. Their client lists are just as concerning. Absolutely stunning reading.
Global in scope
It was certainly entertaining to see Nicole describe top-flight cyber criminals from South America as some of the most talented and aggressive. While certainly not ignoring threats from traditional enemies of the US, the book shows that the global reach of even teenage cybercriminals is a clear indication of how easily data is stolen, systems crippled, and ransom demands delivered.
Chapter 14, Aurora, addresses Google’s own famous cyber attack. This certainly remains a teaching moment. It is a very interesting look under the hood at Google in crisis. Google was hiring top security talent with $100,000 signing bonuses and reaching out to the respected security firm Mandiant for help. Yet this attack becomes a bit unnerving when paranoia settles into Google’s senior leadership for different reasons:
Mandiant and Google’s investigators were determined to follow the Chinese trail to the bitter end. And the trail made clear that their attackers had a very specific goal in mind. They were after Chinese dissidents’ Gmail accounts. The Chinese could have easily cracked those accounts by spraying them with possible passwords. But passwords can be changed. Hackers can be locked out after a series of wrong tries. The Chinese were looking for more permanent access. By stealing Google’s source code, China’s hackers could potentially implant backdoors into Gmail software, guaranteeing long-term access to any Gmail account of their choosing.
p.346
Moreover, the National Security Agency tracked multiple Chinese military groups, known as Legion Yankee, as the source of the attack. Unbelievable and simply fascinating reading. Nicole recently wrote more about this attack in February 2021.
Data as weapons
One of the lasting impacts Nicole reveals is the move from Zero Days to the weaponization of data. This used to be called propaganda when I was growing up. Today, in digital formats, it is somehow considered different. However, it is not.
In the run-up to the 2016 presidential election, Russia’s Internet Research Agency (IRA), a new propaganda machine, began weaponizing data on social media. Across Europe this is not new. Yet America was certainly caught flat-footed by their efforts:
In September 2014 the IRA launched a Heart of Texas Facebook group and started pumping out pro-Texan secessionist memes…. Within a year the group had generated 5.5 million Facebook likes. Then, in a countermove, the IRA created a separate Facebook group, the United Muslims of America, and promoted rallies and counterrallies outside the Islamic Da’wah Center in Houston. Demonstrators from the Heart of Texas group confronted pro-Muslim protesters across the street in a terrifying real-world standoff that Russia’s digital puppeteers were coordinating from five thousand miles away. Even the Russian trolls back in St. Petersburg couldn’t believe the Americans were so gullible.
p. 512
Is there anything worse than being gullible? This certainly proved to be the perfect venom injected across our me-first, selfie-driven America.
A cyber trifecta
Indeed, this book is refreshing for not taking readers off the coding deep end. Nicole skillfully writes an easy-to-follow narrative. David Sanger’s The Perfect Weapon is now an HBO Documentary. Sanger focused on Russian cyber attacks on Ukraine and the 2016 presidential election. In addition, David and Nicole collaborate on cyber reporting for the NYTimes. Nicole recently announced this book is also moving in the television direction as a short series or documentary. And unquestionably, Kim Zetter wrote an amazing book, Countdown to Zero Day, addressing the Stuxnet attacks. For this reason, add Nicole’s book to a cyber trifecta. However, you will not sleep well at night. In conclusion, Nicole’s book is amazing and insightful. It certainly illustrates how Zero Days have changed the cyber landscape. I am finishing my second read of this book.
Powell’s Books | Nicole Perlroth in conversation with John Markoff
HEC Books | A Conversation with Nicole Perlroth
Carnegie Live | This is How They Tell Me the World Ends
Amanpour and Company | This Is How They Tell Me The World Ends
UCI Merage School | This Is How They Tell Me the World Ends