Most of our critical infrastructure, it seems, can be hacked. The computer systems of our airports, banks, companies, hospitals, and nuclear power plants can be deactivated and even controlled simply through bugs in the software used to operate them.
Nicole Perlroth has been reporting from the front lines of this cybercrime battlefield for over a decade. As the lead cybersecurity reporter at The New York Times, she investigated Russian hacks of elections and petrochemical plants; North Korea's cyberattack against Sony Pictures, Bangladesh banks and crypto exchanges; and Iranian attacks on oil companies, banks, and dams.
As an example of the type of havoc that cybercriminals cause, Perlroth points to the attack by the cybercrime group DarkSide on Colonial Pipeline in 2021. The pipeline carries gasoline and jet fuel from the Gulf Coast to much of the southeastern and eastern U.S. The hackers got into the company's network using a leaked password for a VPN account that lacked multi-factor authentication, deployed ransomware on its business systems, and demanded 75 bitcoin (about $4.4 million) in ransom; Colonial shut down the pipeline itself as a precaution while it assessed the damage.
After Colonial Pipeline paid the ransom, services were slowly restored. But the U.S. could have afforded only "three to five more days of the Colonial Pipeline being down before it ground the country - our economy - to a halt," says Perlroth.
"It was because Colonial Pipeline paid this ransom and the criminal group honored their hostage note that they were able to eventually get these operations back up and running, but it is worth pausing to think that all it would take to bring the world's richest economy to its knees is one stolen password," Perlroth has said in interviews. "This is what a bumbling (most of the bitcoins were recovered) cybercriminal group could do. Now, think of what a nation state could do in this space."
Is this how the world ends?
In 2021, Perlroth answered that question in her book, This Is How They Tell Me the World Ends, a bestseller about the global cyber arms race that looks at some of the worst cybersecurity breaches in history and shows how vulnerable we are to cyberattacks.
Her book focuses on how governments are using hacking as a weapon of war. Jim Gosler, one of the people she interviews, pioneered research into finding vulnerabilities in computer code in the 1980s, focusing on the code that controlled America's nuclear arsenal. As Perlroth writes, he demonstrated that the code was "at once a hacker's paradise and a national security nightmare."
In the 1990s, working at the Clandestine Information Technology Office of the Central Intelligence Agency (CIA), Gosler's role was to show that no computer program can ever be faultless. In her book, Perlroth writes: "And yet here we were, entrusting our entire digital lives - passwords, texts, love letters, banking records, health records, credit cards, sources, and deepest thoughts - to this mystery box, whose inner circuitry most of us would never vet, run by code written in a language most of us will never fully understand."
For seven years, Perlroth investigated the market in what are known as "zero-days" (or 0-days, pronounced "oh-days"). A zero-day is a software or hardware vulnerability that the vendor does not yet know about, so no patch exists and defenders have had zero days to fix it. Such a vulnerability may sit harmlessly unused, but in the hands of malicious actors it becomes a weapon. Using a zero-day, a hacker or government agency can spy on your iPhone, dismantle the safety controls at a chemical plant, destroy the servers of a film company, or change the results of an election.
Companies and governments pay hackers to find zero-days so that they can be fixed or exploited. Perlroth explains that the U.S. government was the world's main hoarder of zero-days for decades, buying them for millions from hackers and keeping them in vaults. This created a dark but thriving market for vulnerabilities. And what is shocking is the extent to which governments have been central to developing this market - and how it has slipped from their control.
The worm turns
To understand how this happened, let's return to the late 1960s, when computers, which had been used to store and process information, also became communication devices.
By 1972, the year ARPANET (the forerunner of the internet) was publicly demonstrated, James P. Anderson of the Pentagon's Defense Science Board Task Force on Computer Security argued that communication by computers offered a "unique opportunity" for espionage and sabotage, as they were virtually undefended and "totally inadequate to withstand attack."
At that time, the U.S. Navy, the National Security Agency (NSA), and the CIA were undertaking Operation Ivy Bells, which saw divers place a tap on a Soviet cable on the ocean floor north of Japan. The tap was a valuable source of information, until it was discovered in 1981.
In 1984, the U.S. Embassy in Moscow discovered an almost undetectable bug in their IBM Selectric typewriters, which meant that they had been communicating every keystroke to the Soviets for up to eight years.
By the 1990s, cyberattacks had become regular occurrences. In 2008, Russia hacked a Pentagon network. The following year, North Korea knocked the websites of the Treasury Department and the New York Stock Exchange offline with denial-of-service attacks. In 2010, a computer worm called Stuxnet was discovered after it devastated Iran's nuclear program. Although neither country has openly admitted responsibility, the worm is believed to be a cyberweapon built jointly by the U.S. and Israel.
Perlroth, who started covering cybersecurity a year later, argues that if you build a worm like Stuxnet, it will eventually come back to bite you. And that's what happened. Although the worm should have been contained, variants began appearing shortly after the attack and eventually infected more than 100 countries and tens of thousands of machines. Having helped to release the worm, the U.S. found that it could no longer simply be put back into the box.
Our vulnerable world
By 2013, when Perlroth examined the documents leaked by Edward Snowden, the former intelligence contractor, spying had become far more straightforward than in the days of tapping undersea cables. The NSA no longer needed to be concerned with cracking digital encryption algorithms because it had acquired multiple ways to hack around them, using zero-days.
She writes in her book, "The agency appeared to have acquired a vast library of invisible backdoors into almost every major app, social media platform, server, router, firewall, antivirus software, iPhone, Android phone, BlackBerry phone, laptop, desktop, and operating system."
However, the problem for the U.S. is that it stopped being the dominant client on the market many years ago. In her book, Perlroth says that the "going rate" for an iOS zero-day exploit is $2.5 million, if it's sold to a broker in the U.S., but a dealer from the Emirates will pay $3.5 million. The U.S. is now being outbid, and the motivation of hackers can be extremely murky.
For her book, Perlroth traveled to Argentina and met a godfather of the hacking scene. She asked him who Argentine hackers would sell zero-day hacks to. Would it be only to "good" Western governments?
Perlroth recalls that he laughed in her face and said, "Nicole, the last time I checked, the last country that bombed another into oblivion wasn't China or Iran. We don't share your moral calculus."
Nicole Perlroth left The New York Times in 2021 to join the Department of Homeland Security's Cybersecurity Advisory Committee. But her book remains highly relevant. We live in a world in which most hackers will sell to the country that hands them the largest pile of cash.
Every second, in the U.S. alone, 127 new devices, ranging from refrigerators and thermostats to iPads, vacuum cleaners, library catalogues, and bicycles, are plugged into the internet. That's 328 million things every month. Yet, not one of those devices is safe from hacking. Think about that before you make your next mouse click.