Nicole Perlroth is a cybersecurity journalist for the New York Times. The title of her 2020 book, “This Is How They Tell Me the World Ends,” is intended to make it crystal clear just how dangerous of a situation we are facing. Reading like a fast-paced novel, this is a story you don’t want to ignore: How the evolution of cybercrimes and cyberespionage is leading to cyberwarfare.
Perlroth begins by telling how, years before the current invasion, Russia cyber-attacked Ukraine repeatedly, shutting down government agencies, railways, ATMs, gas stations and even heat and power in the dead of winter. During a national election, Russian hackers stole campaign emails and voter data, deleted files and implanted malware, severely disrupting the election. This was a proving ground for future Russian attacks elsewhere, including in the United States.
In telling this story, Perlroth defines key cybercrime terms, such as “zero-day,” a software or hardware flaw for which there is no existing patch. “Zero-days are the most critical tool in a hacker’s arsenal,” she writes — and these flaws can go undiscovered for years. Who’s the biggest exploiter of zero-days? The National Security Agency (NSA). Government-sponsored hackers such as the NSA absolutely love zero-days.
As the biggest culprit of cyberattacks, the NSA has an elite hacking division focused on exploiting technology for use in surveillance. One tactic the agency uses is putting “back doors” into computer chips, which allow unauthorized entry into “nearly every piece of commercial hardware and software on the market.” Perlroth reports that the NSA has attacked almost “every major app, social media platform, server, router, firewall, antivirus software, iPhone, Android phone, BlackBerry phone, laptop, desktop and operating system.” The NSA has hacking tools that let them “break into and spy on devices when they were offline, or even turned off. The agency can skirt most anti-intrusion detection systems and turn antivirus products — the very software designed to keep spies and criminals out — into a powerful spy tool.”
An example of an NSA-led cyberattack was “Stuxnet,” an intensely powerful computer worm developed with Israel in 2009 to destroy Iran’s nuclear capabilities. Stuxnet wreaked havoc in Iran, but then somehow the program escaped Iran and caused immense global damage. Stuxnet was then reverse-engineered by cyberterrorists so they could learn how it worked. Stuxnet became “the world’s first cyberweapon of mass destruction.” Did that slow us down? No! Perlroth continues, “After Stuxnet, the CIA, DEA, US Air Force, US Navy, and FBI started pouring more dollars into zero-day exploits and malware tools.”
The United States and Russia aren’t alone in developing and exploiting tools for cyberattacks. The countries America typically deems bad actors — Iran, North Korea and China — have all invested heavily in these tools to spy, steal and weaponize. Many “friendly” countries have also become spyware customers, purchasing weapons from small start-ups that have joined government-sponsored agencies in cyber-tool development. Governments aren’t regulators of zero-days; they are clients for them.
Perlroth explains how hacking has become a prosperous trade, telling of multiple hackers who learned their craft working for agencies like the NSA, then moved on to the private sector. Some of these private-sector companies are providing cyberweapons to the worst human-rights abusers in the world. Perlroth claims we have the equivalent of a cyber pandemic.
Russia’s President Vladimir Putin loves cyberwarfare. “Putin laid down only two rules for Russia’s hackers. First, no hacking inside the motherland. And second, when the Kremlin calls in a favor, you do whatever it asks. Otherwise, hackers had full autonomy,” Perlroth writes. To disrupt the 2016 U.S. election, Putin’s propaganda machine hired people with skill in news writing, graphic design and search engine optimization. These Russian hackers looked for opportunities within America to exploit for “division, distrust, and mayhem,” and used Facebook groups and Twitter to attack all sides of the political divide, reaching tens of millions of Americans. Putin’s hackers even went after the voter rolls in all 50 states, knowing that “even if they tweaked the data just a little, the Russians could cause fears of a rigged election and throw the election, and the country, into chaos.” One might conclude Putin succeeded beyond his wildest dreams.
At the same time, the NSA was still embedding implants “in nearly every major make and model of internet router, switch, firewall, encryption device, and computer on the market,” while not alerting software developers to the flaws it was exploiting. The NSA stubbornly believed “that all the flaws it was uncovering in the global computer systems would not be discovered by someone else.” The agency also believed that it could never be hacked. Both of these beliefs proved false. The NSA was hacked in 2016, and the hackers began selling NSA cyberweapons online. Cybercriminals, using NSA tools, then began hacking companies around the world, demanding ransom to decrypt their data. “More than six hundred American towns, cities, and counties were held hostage by ransomware attacks between 2019 and 2020.” These attacks generated billions of dollars for cybercriminals.
Unfortunately, it gets worse: American data breaches are surging. Russia has obtained the NSA’s best hacking tools and has infiltrated the Pentagon, White House and other U.S. government agencies. Even in 2020, Russia had deeply implanted itself within America’s electrical grid and critical infrastructure. “Russian hackers infected the software updates that reached the industrial controllers inside hydroelectric dams, nuclear power plants, pipelines, and the grid,” according to Perlroth. The Russians are inside our nuclear plants, mapping out networks for future attacks. Cyberterrorists could derail passenger trains; they could contaminate or even shut down our water supply. Because the United States is so highly connected on the internet, we are especially vulnerable.
So, what steps has the U.S. government taken as a result? Trump eliminated the position of White House cybersecurity coordinator and refused to meaningfully punish Russia. The United States had “little incentive to regulate a market in which the U.S. government was still its biggest customer.” Perlroth predicts that “the world is on the precipice of a cyber catastrophe,” and yet cybersecurity has largely been left to private companies like Microsoft and Google to keep us safe.
It all sounds pretty dire, but Perlroth does provide a long list of security measures that could be implemented to help remedy the situation. She describes what needs to be done “to lock down the code” and lists multiple steps that need to be taken at a national level.
Simply put, we need to revamp not only our systems but also our attitude. The NSA must focus on defense, not offense. We need new laws, new software development processes and new government security agencies, starting with re-establishing the position of a national cybersecurity coordinator. We need to do many things — quickly. As for individuals such as ourselves, Perlroth strongly recommends using different passwords across different websites and using multifactor authentication whenever possible.
Nicole Perlroth is such a good writer that she actually makes reading about this dire topic enjoyable. It’s very much worth picking up her book.
As well as changing your passwords, of course.
Illustration by Katura Reynolds.
Read more of the Nov. 23-29, 2022 issue.