The Most Serious Security Risk Facing the United States

THIS IS HOW THEY TELL ME THE WORLD ENDS

The Cyberweapons Arms Race
By Nicole Perlroth

Sometime last year, a shadowy group of hackers — now thought to be Russians working for that country’s foreign intelligence service — broke into digital systems run by Solar Winds, an American tech firm, and inserted malware into the code. When the company then sent out its next regular software update, it inadvertently spread the virus to its clients — more than 18,000 of them, including huge corporations, the Pentagon, the State Department, Homeland Security, the Treasury and other government agencies. The hack went undetected for months, until the victims started discovering that enormous amounts of their data — some of it very sensitive — had been stolen.

Solar Winds may have been the biggest cyberattack on the United States in years, if not ever. But it was hardly a singular event. In the last half decade or so, American corporations have suffered billions of dollars of losses in similar incursions. Between 2019 and 2020, more than 600 towns, cities and counties were hit by ransomware attacks, shutting down hospitals, police departments and more. America’s adversaries — Russia, China, Iran and North Korea — have by now thoroughly infiltrated the computer systems that run some of the United States’ most important infrastructure, including not just power grids and dams but also nuclear plants.

All of which raises the question: Why does this keep happening? After all, the United States isn’t just the most formidable and intimidating military power in the world; it’s also the most sophisticated cyber power. The country’s conventional arsenal has proved remarkably effective at scaring off any would-be attackers; these days, no nation on the planet would dream of going toe-to-toe with the United States military. So why doesn’t the same logic work in the cyber realm, where Washington could just as easily inflict biblical vengeance on anyone who messed with it?

There are two basic answers. The first is that deterring cyberattacks turns out to be much, much harder than deterring conventional ones, for a long list of reasons. Among them: Despite all its offensive power, the United States, as one of the most wired nations on earth, is also more vulnerable to such attacks than many of its less-connected enemies. Cyberattacks are also relatively cheap, while cyberdefense is expensive and painstaking. And then there’s the problem of attribution: Given how hard it often is to spot digital incursions in the first place (remember, the Solar Winds hack went undetected for months), and the tendency of countries to rely on private hackers only loosely connected to the government to do their dirty work, figuring out whom to retaliate against can be very difficult. Unlike nuclear missiles, hacks rarely come stamped with a clear return address.

In “This Is How They Tell Me the World Ends,” Nicole Perlroth provides another explanation for the ever-expanding cyberassaults on the United States: the way that Washington, in its careless rush to dominate the field, has created and hypercharged a wildly lucrative, entirely unregulated gray market for insanely dangerous digital weapons that private hackers develop and then sell to the highest bidder. Which only sometimes is the United States.

Perlroth, a cybersecurity reporter at The New York Times, has written an intricately detailed, deeply sourced and reported history of the origins and growth of that market and the global cyberweapons arms race it has sparked. As she describes her book, “it is the story of our vast digital vulnerability, of how and why it exists, of the governments that have exploited and enabled it and the rising stakes for us all.”

This is no bloodless, just-the-facts chronicle. Written in the hot, propulsive prose of a spy thriller, Perlroth’s book sets out from the start to scare us out of our complacency — and (on my part, at least) it succeeds. As a narrator, Perlroth comes at the reader hard, like an angry Cassandra who has spent the last seven years of her life (which is both the length of her career at The Times and more or less the time she spent working on the book) unmasking the signs of our impending doom — only to be ignored again and again.

As for who’s most to blame for our current state of cyberinsecurity — in which all of us are targets and the tech we, our government and our infrastructure providers rely on is now penetrated at will by foreign actors — Perlroth has little doubt. Sure, the hackers who actually create all those nasty little tools and then sell them to whatever government will pay the most — no questions asked — bear primary responsibility. And sure, the foreign states who use these tools against us or their own people are guilty too. But none of this would have happened, Perlroth argues, if Washington hadn’t decided years ago to neglect cyberdefense and focus instead on paying programmers around the world to find and weaponize vulnerabilities in existing software — gaps known as “zero days” in the industry — that grant those that wield them “digital superpowers.” (The term “zero days” comes from the fact that when a tech company finds such a flaw in its software or hardware, it has zero days to fix it or suffer the consequences.)

If enabling this market was Washington’s original sin, its second catastrophic blunder, according to Perlroth, was Stuxnet: the computer worm the United States allegedly used to destroy a fifth of the centrifuges at Iran’s Natanz nuclear enrichment plant in 2009-10. While the worm, a stunning technological breakthrough, may have forestalled an Israeli attack on Iran, set back Tehran’s weapons program and driven the mullahs to the bargaining table, it also shattered a basic norm: It was the first time one government had digitally infiltrated the networks of another and used its access not for spying — which everyone does — but to wreak physical havoc. Once that gentlemen’s rule was broken, Perlroth argues, it became open season for America’s enemies to try to do the same to it; and now it’s only a matter of time, she concludes, till we face a digital Pearl Harbor.

This is all compelling stuff, and Perlroth makes a strong, data-driven case for action. Writing the story from Silicon Valley, as she does, gives her lots of advantages as an author: It means she has good access to the programmers, the hackers, the cyberarms merchants, the security experts and the tech firms that play central roles in the story and that are profiled in great (sometimes a little too great) detail. She also boasts a very good command of the technical details, which she’s able to explain with admirable clarity. I wish, though, that she’d spent more time on the other coast, in Washington, D.C., which often feels like a black box located very far from her account. That distance forces readers to guess at or make assumptions about the choices the government makes — and that Perlroth denounces — in the course of her narrative.

The book’s relative lack of access to policymakers and -making also proves an obstacle at the book’s end, where Perlroth offers a few short pages on how to deal with the very scary problems she’s highlighted in the preceding 400 pages. Many of her suggestions are sensible, but also feel like long shots — especially when she calls on the tech world to abandon its first-to-market obsession and slow down its product development so it can focus more on security. Knowing more about the rationale and decision-making processes behind the choices Washington has made so far — the reasons behind what it’s done and hasn’t done — would help us understand what kinds of solutions are practical and plausible going forward.

Still, Perlroth has done a valuable service in highlighting the need for big changes in how America approaches its cybersecurity — which, these days, means its security, period. Let’s hope that the people charged with doing something about it read this book and are persuaded.

Source: Read Full Article