A new book gets the policy recommendations right while making technical errors that could undermine trust in its conclusions.
By Tarah Wheeler, an information security researcher and social scientist, and a cybersecurity fellow at the Harvard Kennedy School.
MAY 3, 2021, 2:57 PM
In one of the biggest tech book launches of 2021, Nicole Perlroth, a cybersecurity reporter at the New York Times, published This Is How They Tell Me The World Ends to cheers from the general public, plaudits from fellow journalists, and a notable wave of criticism from many in the cybersecurity community.
Perlroth’s book about the global market in cyberweapons is a riveting read that mixes profound truth on policy with occasional factual errors, and it ultimately achieves its goal of scaring the shit out of anyone who doesn’t know much about the topic. But the book might also be read by people who have to act on cybersecurity policy and are unfortunately trusting Perlroth to explain the technical details accurately.
The book fails on that count, and the risk is that policymakers either won’t implement the sensible policies she recommends, or that they’ll so misunderstand and fear the technology described that they’ll overreact and make ill-informed and potentially dangerous policy choices.
In a string of interviews with known and shadowy figures largely from the U.S. cybersecurity journalism and military community, with some credible information security technologists mixed in, Perlroth’s book describes the global market for what are known as zero-day vulnerabilities—undisclosed software bugs that can be exploited for access.
She situates cyberespionage as the natural successor to classical espionage. Nearly a third of the book is dedicated to the history of the Cold War and Soviet espionage, truly prescient for a book being released right after the SolarWinds listening operation, a U.S. government data breach in which Russian hackers are suspected. Perlroth’s story of Project Gunman, the 1984 counterespionage operation to find how the Soviets had breached U.S. encryption, is riveting.
The technical details here are fascinating, and she draws a clear line to the moment when U.S. and Russian communication tools began to be based on the same technologies at Microsoft, IBM, HP, and more. “It was no longer the case that Americans used one set of typewriter, while our adversaries used another. Thanks to globalization, we now all relied on the same technology,” she writes. “A zero-day exploit in the [National Security Agency]’s arsenal could not be tailored to affect only a Pakistani intelligence official or an al-Qaeda operative. American citizens, businesses, and critical infrastructure would also be vulnerable if that zero-day were to come into the hands of a foreign power, cybercriminal, or rogue hacker.”
Her account of the outsized funding for offensive weaponry being developed at the end of the Cold War brings fully into focus the beginnings of the cyber-arms race: “So fixated was the NSA on its new offensive cyber tools that year that offense trumped defense at the agency by a factor of two. The agency’s breaking-and-entering budget had swelled to $652 million, twice what it budgeted to defend the government’s networks from foreign attack.”
Even more importantly, as those dollars rolled in, “Congress continued to approve vague ‘cybersecurity’ budgets, without much grasp of how dollars funneled into offense or defense or even what cyber conflict necessarily entailed.” It’s disturbing to realize how much Congress budgeted for offensive weapons without understanding that those weapons would not be functional without puncturing holes in U.S. defenses, nor that the tools of offense and defense in cybersecurity are fundamentally different. They didn’t seem to understand that they weren’t buying guns that could be used in both offense and defense—they were buying the digital equivalent of nuclear weapons, biological agents, and mustard gas.
Perlroth exposes the inner ethical absence in the brokers and purchasers of these weapons when saying that “nobody apparently stopped to ask whether in their zeal to poke a hole and implant themselves in the world’s digital systems, they were rendering America’s critical infrastructure … vulnerable to foreign attacks.” Perlroth explains that “More hacking—not better defenses—was the Pentagon’s response to the Russian attacks on its own classified networks.” She’s right. Adding more offensive cyber-capability isn’t fixing the problem of crumbling U.S. cyber-infrastructure, which is decaying along with the country’s bridges, dams, and roads.
The book’s analysis of the strange economic incentives of offensive cyberweapons is, however, paired with some unforced errors when describing Stuxnet, surely the most public and well-analyzed cyberattack. The author insists that Stuxnet, the world’s first highly publicized act of cyberwar, took advantage of seven zero-day vulnerabilities. But for more than a decade, the widely accepted number has been four partially known exploits. (Two had been patched by the time the news came out.)
This is odd, and the cybersecurity community has corrected her reporting on this factual error for years. It may seem petty and tiny, but there’s a reason we’re insisting on the difference between known vulnerabilities (the U.S. repository for catalogued vulnerabilities is at 153,031 and counting), exploits (most of the time these are known and unpatched; a common open-source database currently shows 43,989 and counting), and zero-day vulnerabilities (completely unknown and comparatively rare; Google’s Project Zero found 16 total in-the-wild zero-day vulnerabilities in the first three months of 2021, which was a new record for them). It’s because that difference is huge in terms of what it implies we and policymakers should do about cybersecurity. Let me explain.