Sometime in mid-2009 or early 2010 — no one really knows for sure — a brand new weapon of war burst into the world at the Natanz nuclear research facility in Iran. Unlike the debut of previous paradigm-shattering weapons such as the machine gun, airplane, or atomic bomb, however, this one wasn’t accompanied by a lot of noise and destruction. No one was killed or even wounded. But the weapon achieved its objective to temporarily cripple the Iranian nuclear weapon program, by destroying gas centrifuges used for uranium enrichment. Unfortunately, like those previous weapons, this one soon caused unanticipated consequences.
The use of that weapon, a piece of software called Stuxnet widely concluded to have been jointly developed by the United States and Israel, was arguably the first publicly known instance of full-scale cyberwarfare. The attack deployed a software vulnerability or exploit, called a zero-day, buried so deeply in computer code that it remains undetected until someone — a team of hackers, a criminal, an intelligence or law enforcement agency — activates it. We’ve all heard of, and perhaps even been victimized by, criminal hacks that may have pilfered our credit card numbers and passwords, or been spammed by suspicious emails that invite us to claim supposed Nigerian fortunes. But zero-days operate on a different level entirely.
“Zero-days offer digital superpowers,” New York Times cybersecurity reporter Nicole Perlroth writes in “This Is How They Tell Me the World Ends: The Cyberweapons Arms Race.”
“Exploiting a zero-day, hackers can break into any system — any company, government agency, or bank — that relies on the affected software or hardware and drop a payload to achieve their goal, whether it be espionage, financial theft, or sabotage. There are no patches for zero-days, until they are uncovered. It’s a little like having the spare key to a locked building.”
Such capabilities, says Perlroth, make zero-days “one of the most coveted tools in a spy or cybercriminal’s arsenal.”
As with any other highly coveted commodity, a vast covert global market has sprung up to meet the demand for zero-days. Perlroth explains that this invisible digital trade was nurtured and encouraged by the U.S. intelligence community. As former National Security Agency contractor Edward Snowden’s leaked documents revealed, the NSA not only developed its own zero-days and hacking tools, but beginning in the 1990s started to pay out first thousands, then eventually millions of dollars to the world’s most skilled hackers to ferret out security holes in widely used software packages, finding backdoors that could be used to overcome increasingly sophisticated security and encryption protections.
The vulnerabilities were cataloged, filed, and gathered into a closely held, superclassified stockpile — a digital arsenal that could be used for espionage, surveillance, and actual cyberwarfare, all without any oversight or outside control. Among many other things, the NSA could now easily track anyone’s iPhone at will, read their email, access their contacts, even tap into cameras and microphones.
The NSA truly began to exercise its digital superpowers during the post-9/11 war on terrorism. At first, many of the hackers laboring to develop those tools were kept mostly in the dark about how they were being used, but eventually that changed. “In the years following 9/11, the NSA decided to give its top analysts a glimpse into the fruits of their labors,” Perlroth explains. “In a secure room at Fort Meade, the officials projected more than a dozen faces onto a bright screen. Each man on the screen, the analysts were told, was dead — thanks to their digital exploits.”
This invisible digital trade was nurtured and encouraged by the U.S. intelligence community.
Snowden’s revelations were only part of the story. As the U.S. sought to expand its stockpile to stay ahead of ever-changing technological upgrades and the capabilities of possible adversaries including Russia, China, and Iran, the American grip on the market began to slip away and other players began to get into the game. When Stuxnet inevitably spread from its narrow and carefully chosen Iranian target to work its way across the world’s computers via the internet, the potential advantages of zero-days became clear to everyone — and were available to any nation, any group, any organization willing to pay. Former NSA hackers set up shop, joining a burgeoning legion of international hackers looking to cash in, not all of them very picky about their clientele.
In effect, Perlroth explains, it has placed us in the midst of a new arms race, an ever-accelerating competition of offense vs. defense, move and countermove, nearly identical to the nuclear arms race of the Cold War. Former NSA director Michael Hayden noted in a 2013 speech at George Washington University that Stuxnet “has a whiff of August, 1945.” “Somebody just used a new weapon,” he continued, “and this weapon will not be put back in the box.”
He was alluding to the first use of the atomic bomb on Hiroshima, but zero-days have proliferated around the world far easier and faster than nukes. “The internet has no borders,” writes Perlroth. “No cyberattack can be confined to one nation’s citizens anymore.”
As with the atomic bomb, we’ve developed a weapon to protect ourselves which has now boomeranged back upon us. That’s been demonstrated in recent years by high-profile incidents such as Russia’s interference with the 2016 U.S. presidential election, Iranian attacks on Las Vegas casinos, North Korea’s assault on Sony Pictures, the SolarWinds attack that the U.S. is still yet to recover from, and others that Perlroth details — including a hacking attack on former First Lady Michelle Obama, and Russia’s outright cyberwarfare campaign against Ukraine’s power grid and infrastructure.
The cyberweapon arms race is an ever-accelerating competition of offense vs. defense, move and countermove, nearly identical to the nuclear arms race of the Cold War.
“Nations are now investing far more time and money in finding vulnerabilities than the commercial world, and the open-source community, is spending to fix them,” writes Perlroth. “Russia, China, North Korea, and Iran are stockpiling their own zero-days and laying their logic bombs. They know our digital topography well; in too many cases, they are already inside.”
“The world is on the precipice of a cyber catastrophe,” she concludes.
Perlroth has been covering the cybersecurity beat for a long time and clearly knows her subject extremely well, which may be the reason that “This Is How They Tell Me the World Ends” feels long and somewhat meandering. It’s a complex story with many players and parts, and she perhaps tries to cover a bit too much ground, to the extent that the book somewhat loses focus along the way. But it’s a vitally important topic that requires far more attention and concern, before the U.S. finds itself blindsided when an adversary decides to unleash full-scale cyberwar on us.
Francis Ford Coppola’s 1974 film “The Conversation,” about a surveillance expert played by Gene Hackman, ends with Hackman’s character so consumed with paranoia that he literally tears apart his own apartment searching for a nonexistent listening device. After reading Perlroth’s book, I felt a little paranoid myself, eyeing my own laptop and iPhone. (Maybe that’s why her author bio notes that she “increasingly prefers life off the grid” in her family’s “cabin in the woods.”)