The Urgent Questions About Cyberwarfare We Are Not Even Asking (But Must)

RCN‘s inaugural book review examines the indispensable This Is How They Tell Me the World Ends: The Cyberweapons Arms Race (by Nicole Perlroth, Bloombsury, 2021, 505 pages)

By Brian E. Frydenborg (LinkedInFacebookTwitter @bfry1981) July 31, 2021; see related June 7, 2021, article: Already in a Cyberwar with Russia, NATO Must Expand Article 5 to Include Cyberwarfare, cited by NATO LibGuide on Cyber Defence; condensed rewrite for Small Wars Journal September 24 also cited by NATO LibGuide on Cyber Defence and featured by Real Clear Defense.

nuclear cyber

SILVER SPRING/WASHINGTON—New York Times cybersecurity reporter Nicole Perlroth’s groundbreaking This Is How They Tell Me the World Ends is one of the most important books I have ever read.  Truck bombs and missiles and massacres are hard to shut out and miss (though Americans were famously and shamefully able to shrug off and ignore death and destruction in Iraq and Afghanistan even while American troops were fighting and dying there), but Perlroth’s book tries to shock Americans into caring deeply about an invisible war in an invisible battlespace that American citizens and policymakers have been all too content to ignore, but one which Perlroth makes clear is more of a clear and present danger to us than conventional or even nuclear weapons.  Such an undertaking is undeniably a tall order, but she is more than up to the challenge.

Invisible Weapons, Invisible Threats, Invisible Vulnerabilities

The main focus of this book is the black market for cyberweapons: how that fits into the history of cyberwarfare, the U.S. government’s role in fostering that black market, and how the proverbial cat is very much out of the bag as far as our rivals, adversaries, and a host of other bad actors are concerned.  Perlroth did not have a background in cybersecurity before joining The New York Times (she did have some Silicon Valley beat reporting) but quickly teamed up with the recently-retired-from-the-Times Scott Shane—then still with the Times and one of the top national security reporters in the country—and, among covering other major national cybersecurity stories, they were the Times’s pointwoman and pointman on the Snowden/NSA saga.

Rather counterintuitively, this makes her ideal for this book, as the relevant topics are very poorly understood by the public and politicians alike and she is better able to communicate as something of a non-expert recently turned expert to other non-experts—you and me, the lay-folk—which is exactly what this pressing topic requires.

Her descriptions are methodical and in direct but riveting and colorful language (she compares bar crowds at hacker conventions to the patrons of the Star Wars Mos Eisley cantina), painstakingly going step-by-step in explaining everything from the concept of “zero-days” to the Stuxnet attack, often using colloquial analogies and the occasional well-placed expletive.

From the start, it is clear this book consumed years of her life and not always in healthy ways, that researching this topic was a massive undertaking because it has essentially not been covered before, certainly not like this or in this depth.  In fact, the zero-day/exploit market was still essentially secret when Perlroth began trying to uncover it, and it took her two years of poking, prodding, snooping, and being rebuffed at every turn before she really got anywhere in terms of solid information from an insider on the nature of the secret government market for zero-day bugs and their exploits, bugs that were defined by their being wholly unknown both by the companies that made the affected software and the customers who used and relied on it, bugs that allowed hackers to take total, undetected control of the entire software package and often many others tied to it (and, yes, if you want to know, the latest mass ransomware cyberattack from Russia’s at-the-very-least-tacit ally REvil utilized a zero-day).

That initial breakthrough source for Perlroth only involved a player long-retired from the scene, and it would take her another five years of intrepid research to answer many of the main questions she set out to answer when she first started covering the Snowden revelations fallout, when she saw sign after sign of some massive secret government market for hacking vulnerabilities but no details beyond these hints of its existence.

As you read her book, you get the sense that she is overwhelmed and not really sure how to feel about what she has been discovering, let alone know precisely how to solve these daunting problems.

But this is itself wisdom: Perlroth is trying to raise awareness about just how crazy and complicated all this is, to make the public and leaders unnerved, upset, prepared to engage far more on these issues, to demand answers to weighty questions.  And for anyone rational and reasonable reading this book, in this she succeeds wildly.

Even if Perlroth is one of the only people attempting to put all this together—her book is essentially a first draft of history—if the best companies in Silicon Valley, the best minds at the NSA, CIA, DoD, and White House (let’s not even include Congress) and those of our foreign allies and adversaries have no seriously good, deep answers for these issues, how can we expect Perlroth?  Of all the experts on this topic, she is probably the only person right now who could write a coherent narrative accessible to a wider audience and actually be allowed to publish it (the vast majority of the folks involved are off-radar or offer no comment, often tied by government non-disclosure agreements or in fear of worse, as Perlroth makes clear).

Her book is messy, all over the place, and overwhelming: which is precisely what it needs to be, precisely how to characterize these problems, and precisely the way in which they must be presented.  Anything less would sell these terrors short, giving the false impression that these threats can somehow be compartmentalized or isolated; the reality is that this really is a giant, all-encompassing asteroid hurtling at us incredibly fast, and trying to pretend it is not a mess will do a disservice to any serious attempt to defend against it.

For these reasons and Perlroth’s skill at storytelling, Perlroth’s messy narrative more than works and engages and accurately—more than anything else I have seen penetrate major news coverage—alerts us to the scope of the messy threat we face.  She chronicles how, for so long, we have been flying blind, willfully ignoring or downplaying these threats, whether in government or in business, and, even today, critical infrastructure like our power grid, dams, and nuclear reactors are running insanely outdated, highly vulnerable software.  As she puts it:

We were plugging anything we could into the internet, at a rate of 127 devices a second. We had bought into Silicon Valley’s promise of a frictionless society.  There wasn’t a single area of our lives that wasn’t touched by the web.  We could now control our entire lives, economy, and grid via a remote web control.  And we had never paused to think that, along the way, we were creating the world’s largest attack surface.

At the NSA—whose dual mission is gathering intelligence around the world and defending U.S. secrets—offense had eclipsed defense long ago. For every hundred cyberwarriors working on offense, there was only one lonely analyst playing defense…

The biggest secret in cyberwar—the one our adversaries now know all too well—is that the same nation that maintains the greatest offensive cyber advantage on earth is also among its most vulnerable.

As just one example, she notes how a bipartisan group of top former energy, intelligence, and national security officials were secretly warning Congress all the way back in 2010 that a major, successful attack on just the U.S. power grid “would result in widespread outages for at least months to two years or more, depending on the nature of the attack” (yes, that is years, plural).  Penning much of her book during the heights of the 2020 coronavirus pandemic, Perlroth notes COVID-19 pushing us even more online as a society means that, now, “our attack surface, and the potential for sabotage, has never been greater.”

At no time does her narrative feel hyperbolic (if anything, the threat could be said to be so dire as to have language fail to do it justice, but Perlroth succeeds quite well in creating appropriate levels of tension of dread even in a non-fiction book; perhaps her deal with the FX television network to produce a TV series based on her book may succeed at further penetration through a different media platform that can reach an even wider audience).  Her readers will come away with the sense that there is a near-certainty that something terrible will happen soon enough—either intentionally or unintentionally—unless a drastic global effort is undertaken and a paradigm-shift occurs.

And similarly as I have noted when discussing a 2020 UK parliamentary report on Russian designs against the UK, with Russian (and other) cyberwarfare, so, too, both must American society within itself unite on these issues and America unite with its allies (through NATO, as I have argued).  Much like the COVID-19 pandemic response in the era of Trump, everyone and everything are pretty much on their own in fighting cyberwarfare; this cannot be the approach of free nations any longer.  Furthermore, these cyberweapons’ development and their sale and spread happen almost entirely in the shadows, those making the decisions facing little accountability, let alone any public scrutiny; while the cloak-and-dagger realm of spycraft, secret weapons, and cyberwarfare can hardly simply be made anywhere near fully transparent, this modus operandi, too, cannot continue as is.

No Easy Answers

Yet there are no easy solutions to these problems, and you would be right to distrust Perlroth if she claimed to have them (she wisely does not).  But her recommendations that we start coordinating among the different parts of our society—utilities, government, private sector, communities—start having serious public conversations, feel out some baseline international consensus, and that individuals in their personal and professional lives take basic cybersecurity steps (like two-step authentication) are as decent places to start as any.

So do not expect Perlroth to give detailed solutions; that is not her role.  But in raising crucial questions that are simply not properly being addressed in the public or private sectors, by leaders or by citizens, she may yet play the role of a Cassandra who, rather than be doomed to have her warnings ignored, instead helps frame a crucial long-overdue discussion at a time when there is little time to spare.

The questions are not just weighty and challenging policy-wise, but also philosophically.  How do we balance security and freedom, openness and security in the internet age?  How do we balance offensive and defensive cyber-capabilities?  To what degree and when can governments justify capabilities based on keeping vulnerabilities in widely-used, critical software secret from the software vendors and clients (including many major companies and institutions)?  How on earth can a measure of transparency, security, and trust be injected into the lucrative zero-day black market?  How can we punish cyber-transgressions even as we maintain the same or similar capabilities?  How can we deal with hackers operating in a grey zone of principles of freedom utilizing illegal intrusions?  How can we make sure cutting-edge cyberweapons we develop, use, and share with allies will not be used to oppress or even come to be used against us? 

No easy solutions, indeed.  But Perlroth repeatedly asks and muses on these questions and wants us all to do the same.

As you read the book, you will also appreciate how much Perlroth’s narrative is very much present with us day after day, week after week, month after month as the topics, events, and figures she covers demonstrate how their effects still reverberate today and keep popping up in unfolding events.  This has the effect of making her book concerned with and relevant to the past, present, and future, and her work and insight will stay with you long after you finish her book and keep forcing their ways back into the front-and-center of your brain (and should do the same for leaders and policymakers around the world).

Since her book’s publication, we have already seen the Colonial Pipeline, JBS, and Kaseya ransomware cyberattacks from Russian-based (and Russian-tolerated) hacking groups along with rampant coronavirus disinformation magnifying an already terrible pandemic and “killing people” (to quote President Biden); all these topics have been covered for the Times by Perlroth.  And Perlroth was all over the Israeli firm NSO Group’s Pegasus spyware being used for nefarious purposes long before the recent stories and a report from Amnesty International from just these past few weeks that have garnered a lot of attention with what are less-novel revelations and more confirmations of Perlroth’s fine investigative work on that topic for her book, with any reader of it hardly being surprised by any of the latest NSO information now being discussed.  And these bigger stories do not even touch upon many, many lesser-reported cyberattacks.

All in all, this is a groundbreaking book that not only towers above other cybersecurity works as the only current somewhat-full history of cyberwarfare and the cyberweapons black market mixed in with appropriate security policy concerns, it is a clarion call for the world that business as usual is taking us down something of a cyber-Guns of August path.  Whether nations and the world and, ultimately, the general public are up to the challenge in demanding a far less risky and far less dangerous cyber-domain, it will be to the degree that they understand the issues so excellently presented by Perlroth and prioritize them as she tells us we must.

Issues? (Or Why This Book Could Not Have Been Written by a Techie)

Some tech experts have brought attention to what they claim are technical inaccuracies with particular details in the book.  I am not qualified to weigh in on those, but of the few criticisms I have examined, with some, Perlroth has responded convincingly and seems to have successful challenged her critics’ framing of the issues or even their reading comprehension of her work (indeed, some seem to have easily fallen into their own errors of mansplaining—in spite of the general overuse of that term—which is not surprising given the notoriously male-dominated and toxic nature towards women of the tech, Silicon Valley, and cybersecurity worlds, as well as of social media.  While correcting reviewers’ misunderstandings in some cases, in others, Perlroth has taken some constructive criticism and worked to include corrections and even to give frustrated credit to some less-constructive criticism.

I even found one example of an individual—cybersecurity researcher Kevin Finisterre—who was mad that he was not included or credited in her narrative when he feels he should be, but no narrative ever includes everyone and in this case Perlroth retorted that one of her sources apparently left out Finisterre for, perhaps, self-serving purposes, and in a secretive, reclusive world with all kinds of bruised egos like the one Perlroth is covering, some omissions are going to be inevitable (in this case she has apologized and pledged to include the Finisterre in the next edition).  The fact of the matter is that no history book ever includes all relevant names and when sifting through research, data, and information, there must always be material, people, and events that are sifted out of inclusion to make books manageable.  Especially with first drafts of history, completeness is hard to come by, but a work can still be definitive if it is practically the only game in town and still makes a solid effort to be thorough, well-researched, and coherent, and, even allowing for some errors, Perlroth excels in all three areas.

In such narratives of living history, the individuals presented often do not like how they are portrayed or lower- and mid-tier folks balk at not being included or included more, many in these categories often choking on their egos and unable to see their blind spots, but that is why a journalist and storyteller is there: not to portray the individual as he wants to be portrayed but to put him in the wider context and show how his self-perception lines up with the bigger picture.  That hardly means Perlroth’s choices are above criticism or that Finisterre specifically is unreasonable at feeling left out (I am unable to conclusively judge either way), but to characterize her errors as particularly egregious or the book in total as sloppy just seems unfair and inaccurate.  Given the high quality of her overall narrative and the dizzying array of events, characters, and locations involved, I am willing to give her the benefit of the doubt in most of these contested cases as a rule of thumb.

Not so others: things got so toxic for Perlroth on social media that she felt compelled to quit Twitter not long after her book came out, but thankfully she eventually returned.  Her book’s harshest non-social-media reviews seem to come from obscure techie blogs almost no one outside of the tech field would know (and many within would not) and Perlroth seems to have credibly pushed back against a good number of these worst detractors.  Adding credence to her defense is that most major new outlets that have reviewed her or mentioned her book have done so quite favorably, even if a few of these had their qualms and quibbles, which begs the question: if the obscure techies are right, why aren’t some of the biggest outlets in the news business echoing these framings and criticisms when they clearly have access to experts with similar pedigrees?  Never known collectively for their wonderful people skills or temperaments, the angry hardcore techies and their takes on Perlroth’s book serves as a reminder as to why it took a non-techie like Perlroth to produce this narrative that her antagonists never were able to before her book was published (skills like gaining access to important and secretive folk and making them like and trust you are crucial).

Regardless, neither individually nor collectively do any of these alleged and/or admitted errors take away from the most important thrusts, revelations, themes, or messages of the book and none reduce its singularity, urgency, or overall considerable strength.  Most readers will not know or understand these technical aspects (and most of the time Perlroth is dumbing down extremely complex phenomena with fun analogies because that is the only way the vast majority of us could even approach a worthwhile understanding), but they will still get the same overall big-picture sense of how government, business, society collectively, and individuals individually are all caught up in this and how urgent these problems are with or without adjustments related to these possible or actual technical errors.

Conclusion: Putting the Must in “Must-Read”

These seemingly minor admitted and potential technical issues, some distracting typos, and a perplexing decision (and confounding for policy wonks and researchers like myself) to have a sources/notes section at the end presented in narrative form—as opposed to footnotes where it is easy to tie a factoid to a source or note—aside, this book is a monumental achievement, one that both should change, further spark, and guide a debate that should be front and center in our present national agendas.

Perlroth has indeed presented a remarkable first draft of a living and unfolding history, the questions now are “Do we learn from it and heed its warnings?” and “What do we do armed with this indispensable knowledge?”  Trying to figure out the answers to those questions makes the technical spats discussed above seem like schoolyard squabbles, and how we rise—or fall—to the key challenges posed by Perlroth are likely to define much of our world for the rest of this century and beyond.

© 2021 Brian E. Frydenborg all rights reserved, permission required for republication, attributed quotations welcome

Also see my related article on the UK Parliament’s singularly excellent Russia report, my proposal to reform NATO’s Article 5 to explicitly include cyberwarfare, and my discussion as a member of a panel with author and Senior International Correspondent for The Guardian, Luke Harding, on Russia’s bad behavior

Also see see related June 7, 2021, article: Already in a Cyberwar with Russia, NATO Must Expand Article 5 to Include Cyberwarfare, cited by NATO LibGuide on Cyber Defence; condensed rewrite for Small Wars Journal September 24 also cited by NATO LibGuide on Cyber Defence and featured by Real Clear Defense and my eBook, A Song of Gas and Politics: How Ukraine Is at the Center of Trump-Russia, or, Ukrainegate: A “New” Phase in the Trump-Russia Saga Made from Recycled Materials, available for Amazon Kindle and Barnes & Noble Nook (preview here), and be sure to check out Brian’s new podcast!

eBook cover

If you appreciate Brian’s unique content, you can support him and his work by donating here

Feel free to share and repost this article on LinkedInFacebook, and Twitter. If you think your site or another would be a good place for this or would like to have Brian generate content for you, your site, or your organization, please do not hesitate to reach out to him!