It would take only one flaw. In billions of lines of code, one flaw, and the banking system, power grid, Pentagon, air traffic control system, hospitals, and the world's logistics could all be taken down. And the effort may already be underway.
The internet was never built with security in mind. According to our guest on this week's WhoWhatWhy podcast, New York Times cybersecurity correspondent Nicole Perlroth, author of This Is How They Tell Me the World Ends, its designers expected at most a hundred or so machines to ever be connected.
Today the world is totally interconnected, from our cars and refrigerators to our nuclear reactors and air traffic control systems. So we have good reason to be afraid, very afraid.
Perlroth paints a picture of a world at risk: a world where hand-to-hand digital combat is a real thing, and where more than 80 percent of US critical infrastructure is owned and operated by private companies.
The United States is the most capable offensive player in cyberspace, but its defenses have not kept pace, and that is a major problem.
She describes Russian efforts to interfere in US elections, the destructive attacks on the Ukrainian power grid, the long-term consequences of the SolarWinds compromise, and why it may take years to find every backdoor left in government systems.
We get a picture of how Russian hackers, turning US privacy protections against the defenders, staged their attack from servers in New Jersey, where the NSA is not permitted to look.
Perlroth details a bizarre sign of the times: companies openly operating in the international business of buying and selling unpatched security flaws, known as "zero days," and why a hacker who finds one can make millions in the global marketplace. This is the new international arms trade.
And if all of this isn't scary enough, if knowing that your passwords have very likely already been stolen doesn't make you paranoid, the coming AI revolution will put all of this on steroids.
Full Text Transcript:
Jeff Schechtman: Welcome to the WhoWhatWhy podcast. I'm your host, Jeff Schechtman. Several years ago, the venture capitalist Marc Andreessen famously said that 'software is eating the world.' At the time, this was a wake-up call for many traditional companies and even government as they made the transition to a fully digital world. What he could have said is that software just might destroy the world, as our hyperconnected digital landscape ushered in the potential danger of cyberattacks and the need for ongoing cybersecurity. There was once a time when we didn't think a global pandemic was possible in the 21st century.
The events of 9/11 took us by surprise, as did Pearl Harbor and Midway. Yet all of these tragic historical events were imaginable. The fact that we were so unprepared is less a failure of technology and ability and more a failure of human imagination, imagination which should be our first line of defense in preparing for any eventual threats that may lie ahead. We hear a lot lately about infrastructure. The fact is that nothing can be more important, both as a part of that infrastructure and as the protection of it from cyberattacks.
Building appropriate defenses against those cyberattacks really needs to be job one in any infrastructure effort, because if we don't, the consequences could truly be catastrophic. We're going to talk about this personal and global threat today with my guest, Nicole Perlroth. Nicole Perlroth covers cybersecurity for the New York Times. She's a recipient of numerous journalism awards, and prior to joining the Times, she covered venture capital and startups for Forbes. She is a guest lecturer at the Stanford Graduate School of Business and herself a graduate of Princeton and Stanford.
It is my pleasure to welcome Nicole Perlroth to the program to talk about her new book, This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Nicole, thanks so much for joining us.
Nicole: Thanks so much, Jeff, for that wonderful introduction. It's lovely talking to you today.
Jeff: Well, it’s great to have you here. First of all, before we talk about the realities of cyberattacks and the dangers that we’re facing, talk a little bit about how interconnected we are. I think it’s something people forget, that everything from our power plants, to air traffic control, to our electrical grid, and on and on is so interconnected today, particularly here in America.
Nicole: That's right. You nailed it when you cited Marc Andreessen saying a few years ago that software was eating the world. I don't think Marc Andreessen was speaking about security when he spoke those words, but the internet was never built to handle the load that we've attached to it. It was built, originally, at the Pentagon for openness, access, convenience. It was built to share resources among different machines. Back then, they were thinking about a dozen, maybe at most a hundred, machines connected in one network.
They were not thinking of our entire economy, power grid, hospitals, medical records, water treatment facilities, gas pipelines, oil rigs, personal data, deepest thoughts, locations all being loaded onto the internet. That is what has happened, with no signs of slowing down. On a personal level, security is annoying. We don't want to be burdened with long passwords, different passwords for different sites, with two-factor authentication, with having to think twice before we click on a link or attachment in fear that it might be a nation-state, hacker, or cybercriminal trying to scam us or steal our personal data.
What we want right now, whether it's an Uber or access to our brokerage account or online banking account, comes with a trade-off. Not many of us like to think about that trade-off, but it comes with a trade-off for security. Increasingly, we are seeing cybercriminals and nation-states exploit that virtualization for financial means, espionage, and surveillance. That is the problem that I wanted to write about.
Jeff: Is it that cybercriminals have become so good and so talented, and have taken advantage of so much of the information that is publicly out there, or is it simply that the whole cybersecurity realm has not kept pace with the reality of technology and all these other areas that you’re talking about?
Nicole: It's both. It really is. We have always been vulnerable. Like I said, the internet was never built with security in mind. Cybercriminals, and nation-states, and nation-state-backed contractors have seen that there are systems of interest, most of them in the United States, that they can target anonymously with a high return on their investment. These days, the United States is still the most advanced player in cyberspace in terms of its authentic capabilities. But what people don't realize, and what I really wanted to open up the average American's eyes to in writing this book, is that we might be the world's top cyber superpower, but we are also, these days, its most targeted.
We see more nation-states knocking on our doors than probably any other country in the world. We are arguably its most vulnerable because we are so virtualized, because we have wired up so much of our critical infrastructure and put so much of our personal data and financial data online that people have various reasons to come after us for it. In terms of the other aspect of your question, 'Is this a failure of the cybersecurity community?', the problem has not gotten better. It doesn't matter how much more money we pay cybersecurity firms. The problem keeps getting worse.
Is that a failure of the industry? Yes. But it also has become too expensive, probably, for most small- and medium-sized businesses to defend their customers' personal data and critical infrastructure from nation-state hackers. One surprising statistic that I learned in doing this book is that more than 80 percent of America's critical infrastructure (critical infrastructure is a really boring term, but it just means water treatment plants, hospitals, elections, and the power grid, any system that we would hate to see affected by a destructive cyberattack), 80 percent of it is owned by private operators.
Some of them are PG&E, which really does have the security budgets and resources to hire up many intelligence agencies who can keep track of what nation-state hacking groups are doing, and put in place advanced intrusion-detection tools and multi-factor authentication and look for anomalous activity on their networks. Most of them are not. Most of them are these small municipal water treatment plants, like the one we saw happen in Florida a few weeks ago, that have to rely on an outside network of contractors and engineers, who are not on premises, who are not in headquarters, to monitor things like the chemical balance in the water.
That outside remote access can be exploited by hackers. We continue to see hackers try to get into these systems, not to spy on them or steal data, but to see how far they can potentially take these attacks and contaminate our drinking water, play with the locks and controls at a dam. We continue to see these close calls. Unfortunately, no matter how much money gets poured into the cybersecurity industry, these attacks are not slowing down.
Jeff: Talk a little bit about the nexus between the fact that we are so good on the offense, that we are so good at our own efforts. You talk about Stuxnet and some other US efforts that have been so effective, and that we are the world’s leader in that, but there doesn’t seem to be a real relationship between how good we are on offense versus how we’ve acted on defense.
Nicole: Stuxnet is a great example. It's worth just lingering there for a moment, if you don't mind. It was fascinating to go back to the history of Stuxnet, and it's funny to call it history because it wasn't that long ago, but the context was important. Let's start in 2006. This was George W. Bush's second term. We were seeing more American soldiers come back in caskets than ever before. We were already overstretched in the wars in Iraq and Afghanistan. The last thing that George W. Bush wanted was to get engaged in a third war in the Middle East, but that is essentially what Israel was pressuring us to do. Israel wanted to bomb Iran's Natanz nuclear facility. That is where Iran was enriching its uranium to fulfill its ambition of having a nuclear weapon.
They had asked us for our bunker-buster bombs because that's what it would have taken to decimate the Natanz nuclear facility. That facility is built in tunnels underground, and Israel didn't have the weapons necessary to decimate it. They were engaged in this huge pressure campaign on the Bush administration, and every simulation the Pentagon had done during that period showed that even if we just handed over our bombs we would, whether we wanted to be or not, get dragged into a third war in the Middle East, and potentially World War III. We were already overstretched, and the American public had zero appetite for getting into a third war.
So, Bush famously said, ‘Get me a third option,’ and that third option became Stuxnet, which was a computer worm that was designed by the US and Israel. We knew we had to bring the Israelis in so that they felt like they had a stake in this and that they could see the power of a computer worm to decimate critical infrastructure. Otherwise, they would continue to pressure us for the bombs or maybe go rogue and bomb Natanz themselves, however successfully or unsuccessfully.
We pulled them in, we designed this worm, and it was bloody brilliant. It really was a masterpiece. It was able to get into Natanz, which in itself was a feat because the entire facility was air-gapped. That meant it was not attached to the outside internet. Someone, we still don’t know who, brought a thumb drive into the facility, put it in a computer, and launched that attack which crawled from that computer into an autonomous internal network and eventually into the industrial systems that controlled the speed of the rotors that spun Iran’s nuclear centrifuges.
In some cases, it would speed up the rate at which those centrifuges spun and then it would sit back for 27 days and do nothing. Then it would go back in and it would slow them down. Then it would sit back for 27 days and do nothing. It was all designed to mess with Iran’s head. It was designed to look like a natural accident and it was designed so that when Iran’s engineers at Natanz looked at their computer screens everything looked like it was functioning smoothly when, in fact, we ultimately took out something like 1,000 of their uranium centrifuges and set the program back years.
It was a masterpiece because it kept Israel’s jets on the ground. It kept us from getting dragged into this third war in the Middle East. It saved lives, but inevitably, as is the case with most targeted cyberattacks these days, it got out. We don’t know how it got out, but it got out and it zoomed around Europe and Asia, it came back to the United States where it got into networks like that of Chevron.
It didn’t do anything because the code had been so carefully designed to only destroy a system that met the exact specifications and configurations of Natanz’s uranium centrifuges, but in getting out, it allowed security researchers all over the world to dissect it, to analyze the code and ultimately, to determine the target was Iran’s Natanz nuclear facility. When it got out, what our adversaries like Iran were admiring weren’t the careful components of the code. They were admiring that the United States and Israel had just used code to reach into another nation’s critical infrastructure and destroy systems on the other end. When it was discovered in 2010, that really changed everything.
It was Pandora’s box opened, and since then we have seen almost every other nation-state, with the exception of Antarctica, try to acquire these hacking tools, these capabilities, in most cases for espionage, in a lot of cases for surveillance of their own people and journalists, dissidents and activists. But, also for their battlefield preparations for the event they might need to decimate their enemy’s critical infrastructure one day, and a market has crept up to meet their demands.
Jeff: Of course, we saw something like this on the part of the Russians with respect to SolarWinds getting into all of our government systems.
Nicole: Yep. From where I sat, I was covering digital threats to the 2020 election and ultimately, Russia didn’t interfere in the 2020 election, at least beyond disinformation on social media. As far as we know, they kept their hands off it. But, they also used it as an opportunity to go hack the federal agencies that were distracted by protecting the election, like the Department of Homeland Security, which is the very agency charged with keeping us safe, like the Department of Energy, which oversees our nuclear labs and actually used SolarWinds’s software to get into our nuclear labs, in some cases.
We don't think they got into any of the critical systems beyond business networks, and we don't think they got into any classified systems, but it has been a huge wake-up call. If it is the unit of Russian intelligence, the SVR, that some in government suspect it is, we are going to have a very hard time taking them out of our systems. The last time this particular group hacked the United States' federal agencies it was 2014, 2015, when they hacked the State Department and the White House.
What I remember from interviewing those who were hired to come in and kick them out is that they described the process of kicking them out as hand-to-hand digital combat. At one point, the Russian hackers took over their investigatory tools, the digital tools that they used for forensic investigation, and manipulated them so they would not identify Russia's backdoors. That is the adversary we are dealing with. If we are dealing with that particular adversary with SolarWinds, it could be a very long time before we unearth every last backdoor, which means that what the Biden administration just inherited is communication channels and networks they can't trust. That's a very difficult place to be in.
Jeff: One of the other aspects of SolarWinds that's so fascinating, because it makes it so much harder to get to, is the way, and you talk about this, the way in which they kind of set up shop here in the US, in New Jersey, so that it would be harder for us to get to. Talk about that.
Nicole: We walked away from the Edward Snowden leaks with the impression that the NSA was spying on everything. The reality was different. The reality is there is a lot of red tape and privacy protections that keep the NSA from spying on domestic systems. They can deploy all of their advanced cyber-hacking capabilities on foreign systems, but they can't do so domestically. When they do, it's often the FBI, and the FBI has a warrant.
Really, they weren’t looking at domestic systems and Russia exploited that crack in the system brilliantly by using SolarWinds, which is a Texas company used by a lot of federal agencies, as a Trojan horse. We don’t know how they got into SolarWinds, but they got into SolarWinds and they hijacked the software update mechanism and used it to deploy malware and backdoors to all of these US government agencies and some of our top-tier security companies.
Then they brilliantly staged the attack, like you just said, from GoDaddy and Amazon Web Services, inside the United States, in New Jersey, where the NSA can't look, nor do we want the NSA looking at those systems. They exploited our privacy protections brilliantly, just as they exploited our First Amendment protections brilliantly with their disinformation campaigns on social media. They have our number, and it's not easy to figure out how to unravel this thing and how to make sure it doesn't happen again.
Lo and behold, just in the last month or two, we've learned that China has been hacking US systems using unknown vulnerabilities in Microsoft software, and that they have done so by staging their attack inside the United States, where the NSA can't look. Once again, they caught us blindsided. That attack was caught by a private security firm. It wasn't caught by the NSA or the intelligence community. How do you stop these attacks? Well, it looks like Congress and the American people have very little appetite for allowing the NSA to spy on our domestic systems, even if it's just looking for foreign malware.
We have opted to go the threat-sharing route, which is to set up a partnership between private companies like Google and Microsoft and security companies and intelligence agencies where they can share threat data anonymously in real time. That's been something that we talked about doing for 10 years and, for whatever reason, we've never actually been able to put it into practice in a meaningful way that thwarted foreign threats.
A lot of this is going to come down to how we're structuring the fine print to protect data, anonymize data, to make sure people don't feel like the threat-sharing partnership is allowing the government to spy on their communications, to set it up in a way that the NSA feels comfortable contributing what it has gleaned from its foreign intelligence operations without giving away its sourcing and capabilities.
Hopefully we can get it together, but we are at a real disadvantage. In Israel, they do allow the government to sit on these networks and block foreign attacks as they come because in Israel national security is a top priority. People are willing to make the trade-off on privacy to allow the government to defend them, but we are not willing to make that trade-off here. We have to figure out some other market alternative. That’s where some of the most interesting discussions right now are happening in the Biden administration.
Jeff: One of the things that's happened, a sort of a subset of that, is the incentive sometimes for government, even if they know that there are vulnerabilities in software, these zero days as you talk about, to hold on to them, because the vulnerability of software gives them the opportunity to do their own spying and their own work. That's worked against us in many cases.
Nicole: It gets technical pretty quickly. I like to just back up and let’s say I’m a hacker and I find a vulnerability in your iPhone iOS software, the software that powers your phone. If I’m a hacker and I know how to write the program to exploit that vulnerability, I could use it to remotely read your text messages, to track your location, to record your phone calls, to turn on your camera without you knowing about it, or turn on your audio microphone without you knowing about it. That capability, that remote capability is really all a spy.
We don't realize it, but these iPhones are basically invisible ankle bracelets if a hacker or government knows how to exploit vulnerabilities in the software to do what they want to do. If I, the hacker, write that program for that vulnerability, I can sell it to a zero-day broker. A zero-day is just a name for that unknown vulnerability. Right now, there are companies like Zerodium that have websites, not even on the dark web, just on the internet; you can search for it right now, it's zerodium.com. They will pay you something like $2.5 million these days to turn over that program, as long as you never tell a soul about it, particularly not Apple, because the minute Apple would find out about it, they would patch it and fix it and you'd get an annoying prompt on your phone to update your software, and that $2.5 million investment would turn to dust.
Zerodium will purchase that from you under the condition that you not tell anyone, and then they'll sell it to government agencies, US intelligence agencies, perhaps our allies in Europe, etc. I was always fascinated by this, that we, the US taxpayer, fund these programs for government agencies to hoard vulnerabilities in software, not tell the companies about it so they get fixed, but so that they can preserve their espionage advantage.
I was also fascinated by this because I knew the moral hazard baked into that calculation was getting bigger and more complex the more we all started using the same software. Three decades ago, Russia used one set of typewriters, we used another, China used Huawei software, with a few exceptions. We didn’t use Huawei software, routers, or switches, but these days the world, thanks to globalization, has all migrated to the same technology. Whether you like it or not, or know it or not, you use Microsoft Windows in your day-to-day life.
Maybe you don't have a Windows PC, but Windows is baked into the power grid, into your electronic records, medical records, online banking. We all use Android phones or iPhones, unless you're really paranoid and you're still using a flip phone. When the US government or a zero-day broker finds a vulnerability in those systems and it holds on to them, it inevitably, logically, is keeping Americans less safe. I also knew that more and more nation-states were seeing the value of a zero-day and a zero-day exploit, and were coming into this market and were using them back on the United States.
This theoretical moral hazard of, ‘Do we hang on to this vulnerability so we can spy on China or Russia or terrorists somewhere, or do we patch it to keep Americans safe?’ was no longer just this theoretical moral hazard, as more and more nation-states were knocking on our doors, trying to get in, and participating in this market. That is the moral hazard that drew me to this space.
It was one that I knew most people didn’t even know existed, that this market existed. I felt strongly that where we were, which was leaving these conversations, these moral dilemma conversations, to government corridors and the cybersecurity industry, wasn’t panning out for the rest of us. They were not making us more safe. In a lot of cases, they were leaving us less safe.
It was important to me to tell this story of the market, to democratize some of the technical language around it because I feel really strongly that most Americans deserve to know what’s being done in the name of national security and to have these broader conversations about whether it’s leaving us more vulnerable, when we’re already getting hit with very visceral attacks, whether it’s ransomware attacks on our hospitals or the targeted attacks on the 2016 election, etc.
Jeff: Finally, Nicole, if we haven’t scared people enough, will artificial intelligence put all of this on steroids?
Nicole: Yeah, you know, when I started writing this book, I sold it in 2014, and I thought I'd better write this really quickly, in nine months, because we're on the cusp of the Internet of Things revolution. We were all hooking up our smart fridges and Alexa, etc. I thought, 'Okay, I have to get this out in nine months so that I can beat that.' Well, it ended up taking me seven years. The Internet of Things wave has come and gone. We are all just hooking up everything to Alexa and Nest. We are creating autonomous vehicles and are digitizing our transportation systems and the grid, etc.
Now, when this book came out in 2021, I still feel like we are at the very, very, very beginning of the age of artificial intelligence, and how can we possibly step into this world of machine learning and artificial intelligence when we haven't even figured out the security of where we are right now? It's more critical than ever that we have these conversations about security, our digital vulnerability, and how these systems and data and nation-state programs could be used against us before we just walk headfirst into the artificial intelligence age. We really, like you said, are just at the very, very beginning. I hope that we all start having these serious discussions before we just dive in.
Jeff: Nicole Perlroth. The book is, This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Nicole, I thank you so much for spending time with us.
Nicole: Thank you so much. It’s been exhausting to have these conversations on some levels, but also so important. You asked all the right questions. Thank you so much.
Jeff: Thank you. Thank you, Nicole. I appreciate it.
Nicole: Thank you so much. I’m so sorry again for being late.
Jeff: Oh, no problem at all, worked out just fine. Thank you so much for doing it. You take care.
Nicole: Okay. All right. Bye.
Related front page panorama photo credit: Adapted by WhoWhatWhy from laboratorio linux / Flickr (CC BY-NC-SA 2.0).