Halfway through Nicole Perlroth’s gripping new book, “This Is How They Tell Me the World Ends: The Cyberweapons Arms Race,” I unplugged and put into recycling the one and only IoT device in our home.
You might have heard about this book, as Perlroth’s been making the rounds promoting it. As a top reporter, she’s covered cybersecurity for the New York Times for years, and she knows her stuff.
Her interviews promoting the book have been compelling, but when I approached her decent-sized tome, I thought I was in for a typical non-fiction read — an author with an academic touch, a story told with a step of remove, and a text that would fall back on passages of analysis.
What I got instead was a sizzling, gripping story of espionage and cyberwarfare from 1945 to today, written in prose that charged across a panorama of incidents — from New Zealand to Holland to Africa to Argentina to Mexico to Silicon Valley to China to DC. Throughout, Perlroth knits it all together with excellent reporting, enviable writing, and jaw-clenched pacing.
What surprised me the most is how hard it was to put the book down. It’s so well-done. About halfway through, I thought I’d skip a page or two — it seemed there couldn’t be any more shocking, surprising plot twists. Wrong. I had to backtrack because I’d missed something important. And, boy, was I glad I did, because like much else in the book, the part I’d skipped was revelatory, too.
In short, the book is quite a read, and is one of the most absorbing books I’ve encountered in a long time. It is superbly organized, written, and edited — my main critique is that the index is mediocre.
But what a story Perlroth has to tell.
From IBM typewriters hacked by Russians in an almost undetectable way after World War II to the surge in ransomware attacks during Covid-19, the way cyberwar germinated, blossomed, and spread is documented clearly, with human failings like pride, greed, wrath, envy, lust, and sloth bringing us to where we are today — in the midst of an active cyberwar with nation-states, private groups, and criminal rings all pursuing zero-day exploits that can leave adversaries vulnerable to ransom demands, infrastructure disruption, and even deadly strikes.
Zero-day exploits — flaws in software or hardware the victim has zero days to fix — are a major focus of the book. These are the keys to the digital kingdom, and those who hold them can come and go undetected for months or years. There are thousands of these, and it’s hard to know how many are created every time there’s an upgrade or new app.
Another theme involves the arrogance of coders, who again and again claim their software is secure, or feel they can detect intrusions or malware easily, only to be proven wrong time after time. Microsoft, Google, Square, Twitter, and hundreds of other companies have learned lessons the hard way. The resulting maxim — stated in various ways — is that there are two types of entities in the world today: those who have been hacked, and those who don’t know they’ve been hacked.
The book is structured roughly chronologically, with some smoothly executed exceptions so that we can see how one thing presaged another. In this way, we move through a dizzying array of attacks showing that our computers, phones, networks, and databases are basically porous and ill-defended.
How ill-defended? Check out this passage:
Back in 2011, a whistleblower tipped off the Pentagon that its security software was riddled with Russian backdoors. The Pentagon had paid Computer Sciences Corporation . . . $613 million to secure its systems. CSC, in turn, subcontracted the actual coding to a Massachusetts outfit called NetCracker Technology, which farmed it out to programmers in Moscow. Why? Greed. The Russians were willing to work for a third of the cost that US programmers had quoted.
As a result of cyberwars and cybercrime, a massive amount of commercial, personal, and governmental data has been exfiltrated by hundreds of actors over the past 20-30 years, and cyberattacks are becoming far more common. As Perlroth writes toward the end of the book:
More than six hundred American towns, cities, and counties were held hostage by ransomware attacks between 2019 and 2020. Cybercriminal weren’t just hitting big cities like Albany and New Orleans, but smaller counties in swing states like Michigan, Pennsylvania, and Ohio. In Texas, a new battleground, twenty-three towns were hit simultaneously. In Georgia, the tally of victims was stunning: The city of Atlanta. The state’s Department of Public Safety. State and local court systems. A major hospital. A county government. A police department for a city of thirty thousand people. In each case, networks crashed; public records disappeared; email went down; laptops had to be forensically examined, reconfigured, and tossed out; police departments were relegated to pen and paper.
As the book progresses, cyberwar forces grow in scale and capabilities, fueled by an uncontrolled marketplace for hacks and zero-day exploits that developed over the years, with some zero-day vulnerabilities fetching six- or seven-figure bounties. The market itself is murky and mixed, with some participants acting as amoral arms dealers. Most problematically, with coding tools, there’s no guarantee exploits will only be used once, or that the buyer won’t resell them. Or that they won’t escape into the wild, to be found and used in more nefarious ways later.
It’s quite a story, and Perlroth tells it well and compellingly.
Perlroth’s coverage of Stuxnet is particularly interesting, as it portrays the tradeoffs of using cyberweapons — they can save lives, but they also show others how to make similar weapons, and they can boomerang on the creators. This happens more than once over the decades covered, especially as networks become faster and more pervasive, and adversaries become more capable.
Written just before the December 2020 SolarWinds attack, “This Is How They Tell Me the World Ends” makes it clear that any such attack is not a surprise now, but a logical progression decades in the making. The big concern is that a cyber Chernobyl is around the corner — a hacking accident that leads to mass casualties.
The way authoritarian regimes have used these tools to hurt dissidents and attack others is a related theme.
Reading this made me want to go back to 2014 or 2015 and shout more loudly and stridently, “If you think Sci-Hub is about OA, you’re being exploited by a cybercriminal or nation-state predator,” with this passage early on jumping out at me:
. . . the sophisticated cyberweapons they were building were useless without a way to deploy them. Access to a target’s computer system was critical. “You could be the best jewelry thief in the world, but unless you know how to bypass the Bulgari store alarm system, it doesn’t get you anywhere,” [one hacker] told me. “Access,” he said, “is king.”
When some librarians voluntarily turned over passwords to Sci-Hub, they were handing over keys to their institutions. It turns out that dropping a worm or virus into the computer system — even a system that seems peripheral and insignificant — can wreak havoc, steal information, or damage infrastructure. There are even attacks on smartphones that don’t require the user to do anything — they just find their way in over the air.
Everything imaginable has been hacked, and Perlroth takes you through example after example — PDFs, MP3s, routers, smartphones (Android, iOS), music apps, VPNs, password managers, cars, televisions, and more. It’s eye-opening.
As a result, stories of real-world harm caused by cyberwar are becoming more common — water systems, refineries, dams, traffic systems, trains, hospitals, banks. The list is long and worrisome. Perlroth reminds us that the 2016 US Presidential election outcome was probably changed as a result of a basic and successful phishing attack.
Perlroth’s impassioned epilogue — in which she offers clear guidance for how to tamp down the threats of cyberwar upon us all — notes that unlike Pearl Harbor, which was a surprise attack, we know the next attack is coming, and that it will be more severe than the previous one. And we’re not going to be able to do much to stop it without making radical upgrades to our defenses, code bases, coding habits, and security systems.
If you own a computer or a smartphone and connect to a router in your workplace or home, read this book. If you are responsible in any way for IT decisions for your employer or clients, read this book. And if you want to enjoy a cracking good tale about espionage, spies, and the safecrackers of the modern age, read this book.