20 Dec. 2021
New York: Bloomsbury, 2021. Pp. xxvii, 491. ISBN 978–1–63557–605–4.
This Is How They Tell Me the World Ends begins with the June 2017 Russian cyberattack on Ukraine that rapidly spread beyond its initial target and caused ca. $10 billion in damages. As serious as the consequences were, the attack was merely a warning demonstration rather than a concerted campaign. NY Times journalist Nicole Perlroth's reporting is a sobering look at the destructive possibilities of cyberwarfare, though sometimes in needlessly apocalyptic language. She focuses on the development of a marketplace for "zero-day exploits," that is, "software or hardware flaws for which there is no existing patch" (7). The proliferation of such exploits is particularly dangerous for the United States, Perlroth argues. The offensive cyber capabilities of the National Security Agency are ineffective in defending US systems, which play a key role in civilian and military infrastructure.
The first half of the book concentrates on various actors in the cyberwarfare field. She begins with a group she calls "the Capitalists," private individuals who helped develop and publicize the zero-day marketplace in the 2000s, when technology companies were likelier to threaten anyone who reported an exploit with litigation rather than express gratitude. Perlroth identifies iDefense as an important early private player that offered to pay hackers for reporting exploits they identified. Hackers who enjoyed the challenge of breaking a system with no malicious motive could be rewarded rather than threatened for exposing problems in an operating system. iDefense was priced out of the market, as government agencies offered significantly larger prizes. In the wake of 9/11, breaking into the communications of terrorist organizations became an obvious priority; according to one of Perlroth's pseudonymously named sources, the National Security Agency, Central Intelligence Agency, and Federal Bureau of Investigation, among others, became active buyers. Some of them were supplementing an existing cyber capability; others used the market to acquire that capability. The market increasingly attracted international attention, as more and more cyberweapons were sold to the highest bidder.
With her next group, "The Spies," Perlroth examines the development of US cyber capability, beginning in the 1960s as technological surveillance grew ever more sophisticated. She sees the 1984 discovery of a Soviet espionage coup as a critical catalyst. Soviet intelligence monitored whatever was written on the typewriters in the US embassy in Moscow, using sophisticated devices added to each machine. The challenge in discovering and responding to the incident fostered an imaginative approach to technical intelligence spearheaded by James Gosler.
The NSA grew more adept at intrusion as the internet expanded in the 1990s. The agency's Tailored Access Operations unit was dedicated to breaching systems worldwide; it became one of the NSA's most prestigious components. Only some of its activities were exposed by Edward Snowden. Perlroth identifies the sabotage of the Iranian nuclear program, generally ascribed to the United States and Israel, as a key milestone in cyber war; she details the specific targeting of the Stuxnet virus against the centrifuges at the Natanz nuclear facility, which significantly set back the Iranian program.
Perlroth argues that the use of Stuxnet and cyber capabilities to bring about physical destruction set a dangerous precedent in light of the weakness of American cyber defensive capabilities. By the 1980s and 90s, it was clear that digitization posed significant risks: "computer applications were … incorporating more and more lines of code, creating more and more room for error and incorporating into bigger and bigger–and more critical–attack surfaces" (86). This was occurring, Perlroth argues, as the NSA grew to believe that only it could carry out the kinds of operations it was conducting.
Finally, Perlroth examines "the mercenaries" and "the resistance" to illustrate the complex environment facing the United States, especially the NSA, as countries and private groups bought and stockpiled zero-day exploits en masse. The mercenaries, Perlroth notes, sold indiscriminately to buyers, including authoritarian governments that would use them to surveil and punish dissidents at home. The resistance, Perlroth maintains, consists largely of private efforts to counter digital intrusion and cyber corporate espionage, especially by China. These efforts are complicated by the tension between tech companies and the US government given the NSA's own intrusion and surveillance activities.
The author next analyzes the alarming developments of the 2010s as other actors shortened the US lead in the cyber realm. High-profile incidents have exposed an increasingly threatening security environment. In 2014, North Korea attacked Sony using damaging emails to humiliate the company, in retaliation for The Interview, a comedy in which two reporters are drawn into a plot to kill Kim Jong-un. Russia has used various cyber techniques against Ukraine and the United States, notably during the 2016 presidential election. Chinese hackers have conducted industrial espionage on a gargantuan scale. Many local governments, hospitals, businesses, and individuals have endured ransomware attacks. Exacerbating this environment were leaks in 2016–17 of NSA exploits by still unknown actors calling themselves "Shadow Brokers." Less well known but equally disturbing incidents point to the risk of the digitization of US infrastructure; for example, an intrusion into the systems of a small dam in New England originated with Iranian hackers, who confused it with a similarly named, much larger dam in the Pacific Northwest. This incident points to the potential use of cyberweapons to damage and disrupt critical infrastructure.
Perlroth's thesis is that the United States faces a serious security challenge that demands recognition and remedial action. To the notion of a potential "cyber Pearl Harbor," Perlroth responds that "the analogy … is a deeply flawed one. American didn't see that attack coming; we've seen the cyber equivalent coming for a decade" (384).
The author concludes that the US government must change its handling of cyber threats. She argues for (a) laws regulating the reporting of cyberattacks to provide a clearer sense of the problem, (b) a shift in US security agencies toward reporting rather than stockpiling exploits, and (c) serious efforts to provide digital defense-in-depth. It is hard to dispute that cyberwar poses a real danger to US national security. That said, the book's strong emphasis on the scale of danger, starting with its apocalyptic title, obscures vital distinctions between the threat levels represented by various cyber operations. For instance, Perlroth describes Stuxnet as the "first cyberweapon of mass destruction" (126), despite her own explanation of just how precisely targeted Stuxnet was; its purpose became apparent to investigators when it spread beyond the Natanz facility because it targeted not any and every centrifuge, but the specific centrifuges used by the Iranians at that specific facility.
As a history of US cyberwarfare and the larger cyber-weapons arms race, Perlroth's book offers an accessible and compelling narrative. Some of its elements are familiar,[1] but her work on the zero-day exploit market is salutary. Experts in the field may dispute particulars of the systems she discusses, but her compelling case that the US public needs to assess the implications of cyberwar more intently makes this a reasonable trade-off. Overall this useful volume will engage and instruct readers curious about broader issues of cyberwar and national security. Even if the result is not the apocalypse, the potentials of cyberwar merit serious attention.