B**K
Gripping Story
This Is How They Tell Me the World Ends: The Cyberweapons Arms Race by Nicole Perlroth

“This Is How They Tell Me the World Ends” tells the gripping story of a new form of warfare that takes place in the digital realm and its impact on society. New York Times Bestselling author Nicole Perlroth provides readers with an eye-opening look into the cyberweapons race and our vulnerabilities. This fascinating 505-page book includes twenty-three chapters broken out by the following seven parts: I. Mission Impossible, II. The Capitalists, III. The Spies, IV. The Mercenaries, V. The Resistance, VI. The Twister, and VII. Boomerang.

Positives:
1. An exhaustively researched, well-organized book that reads like a spy novel.
2. The fascinating topic of cybersecurity.
3. The writing style is engaging and keeps your interest.
4. Defines key hacking terms such as zero-days, which are basically a software or hardware flaw for which there is no existing patch. They are called zero-days because the victims or good guys have zero days to fix them.
5. It provides a lot of insights into investigative journalism. Perlroth is a part of the story as she relates the challenges she faced to uncover the cybersecurity world. “The first rule of the zero-day market was: Nobody talks about the zero-day market. The second rule of the zero-day market was: Nobody talks about the zero-day market. I’d posed this question many times, and I knew it was the one question nobody in this business would answer.”
6. Does a great job of describing the hackers, their sponsors (if they have any) and state sponsors. “The New Hacker’s Dictionary, which offers definitions for just about every bit of hacker jargon you can think of, defines hacker as “one who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.””
7. Describes how hacking companies operate. “In the mid-1990s Sabien’s team started trafficking in digital access, searching for bugs and exploiting them for customers. The bulk of his company’s revenues—more than 80 percent—came from the Pentagon and intelligence agencies, with the remainder from law enforcement and other U.S. government agencies. The goal was to deliver their government customers secret tried-and-tested ways into every system used by the adversary, be it nation-states, terrorists, or low-level criminals.”
8. The purpose behind the zero-days. “Once his zero-day was in the agency’s hands, they could use it to spy on whomever they chose. In the United States, the likeliest targets were terrorists, foreign adversaries, or drug cartels, but there were never any guarantees that very same zero-day wouldn’t come back to haunt you.”
9. Uncovering the world of spies. “I asked nearly every single one of the men who guided the CIA and NSA through the turn of the century to name the father of American cyberwar, and none hesitated: “Jim Gosler.””
10. Great quotes that must be shared. “Organizations can’t stop the world from changing. The best they can do is adapt. The smart ones change before they have to. The lucky ones manage to scramble and adjust, when push comes to shove. The rest are losers, and they become history.”
11. Defines the role of the TAO (Tailored Access Operations) unit inside the NSA. “In the aftermath of 9/11, these hundreds turned to thousands as TAO accelerated its breaking-and-entering mission around the globe, through a combination of brute-force hacking, cracking passwords and algorithms, finding zero-days, writing exploits, and developing implants and malware that bent hardware and software to their will. Their job was to find every crack in every layer of the digital universe and plant themselves there for as long as possible.”
12. Describes the role of hacking with regards to the Natanz Nuclear Facility in Iran. “By late 2008 the joint operation known as Olympic Games had infiltrated Natanz’s PLCs, and nobody appeared to suspect a cyberattack.”
13. Global hacking described. “The NSA was finding evidence that Russian hackers were tampering with the same routers and switches it had exploited for years. Chinese hackers were breaking into American telecoms and internet companies and stealing passwords, blueprints, source code, and trade secrets that could be used to exploit these systems for their own ends.”
14. Describes some of the stars of cybersecurity. “Inside the agency, these men had been revered as “the Maryland Five,” and time and time again, they had proved indispensable. They were each members of a premier TAO access team that hacked into the systems nobody else could. If the target was a terrorist, an arms dealer, a Chinese mole, or a nuclear scientist, you wanted the Five on it. Rarely was there a system, or a target, they could not hack.”
15. Describes what happens when hackers attack corporations. “It was time to call in the specialists. Google’s first call was to a cybersecurity shop in Virginia called Mandiant. In the messy world of security breaches, Mandiant had carved out a niche for itself responding to cyberattacks, and was now on the speed dial of nearly every chief information officer in the Fortune 500.”
16. Describes famous hacks. “The Chinese had been inside OPM’s systems for more than a year by the time they were discovered in 2015.”
17. The impact of Snowden’s revelations. “Without the companies’ knowledge or cooperation, the Snowden revelations that fall showed that the NSA, and its British counterpart, GCHQ, were sucking up companies’ data from the internet’s undersea fiber-optic cables and switches.”
18. Cyber wars. “Three years after the United States and the Israelis reached across Iran’s borders and destroyed its centrifuges, Iran launched a retaliatory attack, the most destructive cyberattack the world had seen to date. On August 15, 2012, Iranian hackers hit Saudi Aramco, the world’s richest oil company—a company worth more than five Apples on paper—with malware that demolished thirty thousand of its computers, wiped its data, and replaced it all with the image of the burning American flag.”
19. Describes American vulnerabilities. “Their letter was blunt: “Virtually all of our civilian critical infrastructure—including telecommunications, water, sanitation, transportation, and health care—depend on the electric grid. The grid is extremely vulnerable to disruption caused by a cyber or other attack. Our adversaries already have the capability to carry out such an attack.””
20. The impact of Stuxnet (computer worm responsible for the destruction of Iranian centrifuges). “Stuxnet had inspired dozens of other countries to join the zero-day hunt, and the United States was losing control over the market it had once dominated.”
21. Describes many attacks and the impact of misspelling. “North Korea’s hackers had been caught—but never punished—for major cyber heists at banks in the Philippines, Vietnam, and at the Bangladesh Central Bank, where they’d made a $1 billion transfer request from the New York Federal Bank. Only a spelling error (they’d misspelled foundation as “fandation”) had kept bankers from transferring the full billion, but they’d still made off with $81 million, among the largest bank heists in history. WannaCry was the next evolution in North Korea’s efforts to generate badly needed income.”
22. The impact of hacks. “China was decades behind the United States in nuclear weapons development, but thanks to Legion Amber, it had stolen everything it needed to catch up. In 2018, U.S. officials watched in horror as Beijing successfully tested a new submarine-launched ballistic missile and began moving ahead with a new class of subs that could be equipped with nuclear-armed missiles.”
23. An excellent Epilogue that describes defenses against hacks. “So-called “password-spraying attacks” have surged in the past three years, in which hackers try common passwords (e.g. “password”) across multiple user accounts. It’s not rocket science, but it’s insanely effective. Password-spraying is all it took for Iranian hackers, working at the behest of the IRGC, to break into thirty-six private American companies, multiple U.S. government agencies, and NGOs. Multifactor authentication is the best defense against these attacks.”
24. Notes included.

Negatives:
1. This book was begging for some key supplementary material but to no avail. I can think of many examples. I would have added a table of state sponsored hacking and their main goals. Another would be a list of the top hackers in the world and their strengths. List of the biggest known hacks in the world.
2. No formal bibliography.
3. At around 400 pages of main narrative, it will require an investment of your time.
4. With so many players and intersecting stories involved it can be easy to lose yourself.
5. A glossary would have been helpful.

In summary, this is an excellent book that describes the vulnerabilities of our digital world and how the modern arms race has moved away from the sea and air to said digital world. Perlroth identifies the major players and countries involved in the cybersecurity arena and what their main goals are. It also tells the story of how the US had become the world’s stockpiler of zero days and lost control of it. It reads like a spy novel but it’s real global warfare taking place in our digital realm with real-life consequences. Lack of supplementary material aside, I highly recommend this book.

Further recommendations: “Cyber War” by Richard A. Clarke, “The Personal Cybersecurity Manual” by Marlon Buchanan, “The Hacker and the State” by Ben Buchanan, “The Smartest Person in the Room” by Christian Espinosa, “Hunting Cyber Criminals” by Vinny Troia and “Social Engineering: The Science of Human Hacking.”
C**L
The Digitization of Everything has placed the modern world at existential risk
This review written by Jim Loving, husband of CKL.

Much like the famous people on the jacket of this book, I can not highly recommend this book enough. I only learned of it watching a short interview with the author, NY Times reporter, Nicole Perlroth on YouTube.

She has performed an invaluable service to the USA and the world – informing everyone of all that has been happening and continues to happen in the world of Cyber warfare, Cyber crime, and defense. She has been reporting on this beat for 15 years, and when she looks back on her career, she will view this time and this book, her first, as perhaps her greatest achievement. Why? Because it both informs the mass public of something very significant that has been happening and reported on in plain sight, yet not fully understood or appreciated by the mass voting public, perhaps not even by most of our public and private sector leaders. The title of the book is not hyperbole, it is in fact what we face in our always on, fully digitized society.

It is a very well-written book, written in easily understandable language to the non-technical reader, and it reads like a spy thriller, because, that’s what it is for much of the story. The book tells the story of how we got here, from the origins of counter espionage during the Cold War, and its evolution during the rise of the Internet and digital society. She covers the USA development of cyber weapons (National Security Agency, NSA), the release of these weapons by hackers of NSA cyberweapons capabilities referred to as Shadow Brokers (their identity still not publicly known), and with boomerang effect, turned against the USA and other nation-states.

Perlroth’s extensive knowledge and investigative reporting put her in touch with all key elements within this world – the hackers-for-hire by nation states, crime networks and the evolution of how lucrative and lethal this market has become. She draws extensively from her own reporting, but also her colleagues at the NY Times along with many other articles reporting on this story during this period, along with Government reports on the same. The Notes section alone is 60 pages long and important to read.

As the book points out, after the NSA used Cyber Warfare first, when along with Israel, the US unleashed the Stuxnet virus in 2009 to take down Iran’s nuclear centrifuges. As with its first use of nuclear weapons during WWII, the US act began an arms race and escalation for this type of “grey zone” warfare and crime that is ongoing and raging today. Perlroth could have named this book Boomerang because now all of the world’s major powers, particularly adversaries to the western powers, all have the most sophisticated hacking tools and techniques developed by the NSA, and the USA, the most digital nation in the west, is now the most vulnerable to cyber attacks given the degree of digitization of its economy.

There is now a permanent Cyber War underway between many forces - cyber criminals, sure, but more importantly nation states and their actors - Russia, China, Iran the big three, but N. Korea, and the Gulf States, including Saudi Arabia, UAE, and Israel, are also players, but so are hackers for hire in countries everywhere – the UK, USA, eastern Europe, South America (Argentina, who knew?), etc. All of the major US networks are under daily attack and the direct cost and long term risk to the US and other nations has grown exponentially. Cyber Warfare is now as great a threat as other weapons of mass destruction, perhaps more so.

If Perlroth had only reported on the facts of how we got here and the extent of the threat and risks, she would have done a great service. Her Epilogue with recommendations based on her findings is significant because she observed the evolution of this threat from nearly its beginning. In an interview with Lex Fridman in 2022 (Nicole Perlroth: Cybersecurity and the Weapons of Cyberwar #266), she mentions that she is now consulting with the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency – CISA. It is obvious they are listening to her because its current Director, Jen Easterly, laid out in broad terms the latest Biden Administration strategy in her 2/1/2023 article in Foreign Affairs – “Stop Passing the Buck on Cybersecurity – Why Companies Must Build Safety Into Tech Products.” The Biden Administration is soon to release the latest US strategy for cybersecurity defense and as reported by the Washington Post and others, it will be moving from voluntary efforts within industry to regulated compliance standards, taking on the lobbying of the US Chamber of Commerce in its efforts to prevent regulating the critical networks that the entire US society runs on.

In reading Perlroth’s book, her recommendations, and CISA Easterly’s article, it was back to the future for me. When I started my career in IT 46 years ago, 34 of which were working for IBM, "Secure by default" and "secure by design" was a given within the industry. Then came the Internet, and changed incentives and business models - market driven apps. Bye bye security and privacy. In 2000, Lou Gerstner (then IBM CEO) said: "When a new technological change alters society, the industry pioneering it must take responsibility for the changes. If the industry doesn't step up, government will and that's no good. We don't shun government involvement, we need government, working side by side with industry and education leaders and citizens."

That didn't happen. Perlroth’s book describes what did happen. To now get all of society, businesses, governments and NGOs to respond to this threat, All of government will mean that NSA and the US Cyber Command will have to also learn to work and play defense first, before playing offense, or industry may not want to work with NIST, DHS/CISA. Many horses are out of the barn as Perlroth has reported with this book. The Biden Administration and some in Congress are at least now trying to rally to the cause. This is better late than never, hopefully before the modern world ends. I highly recommend this book.
J**N
Solid glimpse into cyber-weapon history, exploitation, and potential future consequences.
Great history of espionage, secret gathering, hacking, zero-day exploitation, and world events over the past few decades. Working in technology sales for the past 30 years, I can say that getting people to not only understand but address threats is a huge challenge. The author states “the cost of doing nothing now outweighs the cost of doing something” – I agree with this 100% - we see it all day every day – in all the businesses and entities we interact with. If you enjoyed Andy Greenberg’s Sandworm, this is a deeper dive into those groups and much more. Well written and well researched – easy to read. Could have definitely cut down the content a bit as some gets to be repetitive, and the main reason I knocked this down to 4 stars is b/c the author has obvious disdain for Trump – just totally unnecessary – stay focused on the topic. My personal thoughts are that no individual leader is solving this problem (or making it worse) – you have criminal enterprise making big bucks off these exploits, not to mention nation-state snooping – two things that WILL NOT STOP – have been around in one form or another since the dawn of humanity. The epilogue has some solid advice that is widely known in our industry – unfortunately, not widely implemented. There is much room for improvement in this field at an individual and corporate level – although so much of the software and hardware in use is global, it is good to see that there are certain countries making a concerted effort to build a culture of cybersecurity – raise the tide of all boats with better cyber-hygiene (would love to see that happen in the US along with a focus on health).