Saturday, November 25, 2023

This is how they tell me the world ends - Perlroth

As a reporter from Silicon Valley hired by the New York Times to cover cyber (yes I called it cyber) for the past 10 years, Nicole Perlroth has been in a unique position to interview and report on the wave of cyber-attacks that have defined this decade. Starting with the realization of the threat from a nation state attack with something as sophisticated as the Stuxnet worm attack in 2010 and ending right after the SolarWinds attacks in 2020 which laid us bare, she has chosen an active time to be covering the cyber beat and a great time to write it all down.

Her research is now accessible to all. With the melodramatic title, “This is How They Tell Me the World Ends”, Perlroth dives into what can only be called a hyper-extended NYT article about her investigation into the history of the so-called “Zero-Day” exploit and, further, the creation of the “bug” bounty program that built a market and financed several generations of hackers working from their mother’s basement. Principally, in her mind, because the Stuxnet worm contained seven (7) of these 0-days (fact check necessary), she was intrigued by what she was told by the multitudes of domestic and international computer savvy personalities (hackers?) she came across during her reporting travels.

Perlroth has presented a long history of the spy vs spy world depicting the dark underbelly of an underground ecosystem she documented in an effort to unearth the 0-day feeding frenzy. She does this to place the blame for the failure of our US government to keep us safe from cyber-attack while at the same time placing blame on our government for feeding the legions of hackers out there finding 0-days to sell without scruples on the black market to the highest bidder, thus creating the plethora of vulnerabilities from which the same government has been left unprotected. It’s a lot more complicated than that…and she carries the story well. Some of her sources provided her the proper insight and perspective. Some of her sources were speculating wildly about things about which they have little to no idea. It wasn’t clear to me if Perlroth could sort them out because she kept coming back to a reference about Salmon when she reached a dead end. Or the idea that no one would really talk to her about truly classified information. Furthering, in her mind, a grand conspiracy theory guided by some unseen hand she would now just label as dramatically as a technical brick wall she couldn’t scale.

They say in my business, particularly as it relates to articles we read about in the media, I can neither confirm nor deny the facts surrounding these topics as they have been reported. So I’m not going to walk through point by point what she has written correctly and what she has wrong. She is clearly reporting on a story for which she has hundreds of sources who have been willing to talk to her. There is no use disputing much of what she is saying. What she hasn’t reported on, however, beyond the coveted 0-day, is everything else that could also comprise a cyber attack. SolarWinds, for instance, didn’t require a 0-day. Most of the security breaches that have taken down the big commercial companies of the past decade (I won’t list them) did not require a 0-day (Perlroth lists everything). Most breaches are the result of poor cyber-hygiene and persistent social engineers finding passwords for accounts through hapless insiders. SolarWinds was a supply chain attack. Source code was modified from the inside. And that Trojan in the code left the back door unlocked. No 0-day hacker or code researcher looking to defend that system is going to find what amounted to a single line of operational source code that was working correctly.

But what does this all mean? Is this how they tell her, and she is now telling us, how the world ends? Throughout the read she makes the parallel to the development of nuclear weapons. During that phase of our existence starting with the Manhattan Project we hung under the Sword of Damocles. She continuously harkens back to the fact that we haven’t seen a cyber-derived mushroom cloud rising from some hacked nuclear reactor which will surely give us our own Chernobyl or Fukushima, yet. According to Perlroth it’s just a matter of time. For the record I don’t buy into the analogy nor am I worried about the mushroom cloud. That does not keep me up at night. At the end of the book, she argues that the Cyber Pearl Harbor is a misnomer. The single event won’t happen because it’s actually already occurred through a thousand cuts. Cyber vulnerabilities just crept up on us and we never noticed, just like a frog doesn’t notice it’s being boiled. She can’t say both things. If a mushroom cloud produced by a cyber-attack in our own back yard isn’t a cyber-Pearl Harbor I don’t know what you would call it. Again, I’m able to sleep at night.

Towards the end of the book she turns political. She begins covering the presidential election and leaves 0-day cyber and begins commenting on the success and utility of Russian troll farms both in 2016 and again in 2020. Once again, the fabled 0-day of her reporting is not a factor in the social influence game…but nevertheless social media provides a huge surface for 0-day-less cyber attackers to work with.

So to complete my review I’ll start with 4 stars as Perlroth does provide a decent history and retelling of a number of cyber stories. It’s a nice recorded history of some fabled characters but not deeply technical. It’s not unlike the history of other malicious hacks as told in multiple cyber podcasts such as the one called “Malicious Life” sans code. Subtract 1 star for her unnecessary degradation into politics which added perhaps 100 unnecessary pages to the book. Three stars for this necessary piece of cyber history and tribute to the 0-day.

