New York Times Reporter Nicole Perlroth Writes How the U.S. Amassed an Arsenal of Computer Hacks That Makes It the Most Digitally Vulnerable Nation on Earth

The Biden administration was guardedly silent last week after news broke that an explosion had blacked out Iran’s nuclear enrichment program.

Joe Biden’s reticence was understandable. His former boss, President Barack Obama, had shown the world what cyberweapons could do when he ordered U.S. intelligence to step up Bush-era cyberattacks on Iran’s uranium centrifuges. Obama made the move to avert airstrikes by Israel—and it worked, setting back Iran’s enrichment program by 18 months to two years.

In her harrowing new book, This Is How They Tell Me the World Ends (Bloomsbury, 528 pages, $30), New York Times cybersecurity reporter Nicole Perlroth warns that the United States, whose arsenal of cyberweapons is the largest, most sophisticated in the world, has fostered a global market in computer hacks that now makes it the most digitally vulnerable nation on earth. It’s a troubling topic Perlroth will address May 21 at TechfestNW, a virtual one-day technology festival (see more at techfestnw.com).

Once derided by Donald Trump as “somebody sitting on their bed who weighs 400 pounds,” elite hackers are now treated like rock stars at international conferences that rival Cannes for glamour. And “zero-days”—the bugs they find lurking in software used by smartphones and computers all over the world—can bring not only street cred but duffel bags stuffed with cash.

Zero-days are so called because that’s how long software engineers have to patch them once they’re used to break into a system. Coupled with “exploits”—elaborate lines of code—zero-days allow digital spies to sneak in the backdoors of the world’s most sensitive networks, steal stuff and break things.

This Is How penetrates a clandestine world where hackers, spy agencies, cybersecurity firms, software vendors, mercenaries, cybercriminals, terrorist organizations, and hostile nation-states buy and sell zero-day exploits that can turn off electrical grids, poison water supplies, steal industrial secrets, destroy hospital and banking records, sabotage nuclear facilities, interfere with elections, and empower nations to spy on their own citizens.

Perlroth traces the underground trade in zero-day exploits back to the Cold War under Reagan, when the U.S. National Security Agency figured out the Soviets had bugged IBM Selectric typewriters (ha! Remember those?) at the U.S. embassy in Moscow to steal typed messages before they could be encrypted. As technology shifted from analog to digital, Perlroth writes, the NSA took what it learned from the Soviet playbook to begin stockpiling the world’s largest arsenal of zero-day exploits.

In 2013, Edward Snowden blew the whistle on the NSA—not only tipping off other countries to the intelligence value of zero-day exploits becoming available on a burgeoning world market, but suggesting the U.S. tacitly approved of their use to spy on friends as well as enemies, sabotage adversaries, and surveil a nation’s own citizens. (Perlroth spent six weeks locked inside Arthur Sulzberger’s storage closet, poring through the Snowden leaks. Her assignment was to find out if the NSA was hacking data encryption; instead she found the agency was hacking around it—a bigger story that would send her trotting the globe for the next seven years.)

Post-Snowden, North Korea figured out it could bypass international sanctions by robbing global banks of tens of millions online, and shut down a Hollywood studio, Sony Pictures, when it made a bad Seth Rogen comedy in 2014 poking fun at Kim Jong-un. After arch-conservative billionaire Sheldon Adelson suggested the U.S. nuke the Iranian desert, hackers cost the gambling impresario $40 million when they “bricked” (made useless) the computers at his Sands casino. (OK, maybe that wasn’t such a bad thing.)

But Snowden had merely sounded the alarm: The Shadow Brokers, a phantom group of hackers whose identities remain unknown to this day, broke into the NSA’s cyber arsenal and, in 2016, began leaking the agency’s zero-day exploits online.

Russia had digitally harassed Ukraine ever since the former Soviet republic overthrew its Russian puppet government in 2014. In 2017, it used NSA code stolen by the Shadow Brokers to turn off the lights in Kyiv, shut down ATMs, railways, government agencies, gas stations and the postal service, even switch off radiation monitors at Chernobyl. (Then the attack boomeranged on companies doing business with Ukraine, ranging from a state-owned Russian oil giant to a Cadbury chocolate factory in Tasmania.)

For Russia, Perlroth explains, Ukraine has always been just a testing ground for its cyberweapons, a smaller neighborhood kid Vladimir Putin can smack around without fear of reprisal. Putin’s real objective is to drive a wedge between the U.S. and NATO by undermining support for Western democratic institutions. This is why Russia set its cyber sights on the U.S. presidential elections in 2016 and 2020.

Perlroth’s verdict on the success of Putin’s election meddling is mixed: Yes, Russia hacked the DNC’s emails and trolled social media to influence swing-state voters, but no, the Russian bear probably never infiltrated U.S. voting systems in sufficient force to throw an election. But it didn’t have to—it merely had to sow enough distrust in election integrity to further split an already divided nation and fuel unfounded conspiracy theories that would embolden a fading president to incite a raid on the U.S. Capitol.

The larger menace for the United States, Perlroth argues, is that the arsenal of computer bugs amassed by the top cyberspies of one of the most technology-dependent nations on earth ultimately makes us less safe, not more. The NSA holds on to its zero-day exploits for far too long—in one disastrous case, more than five years.

Among other fixes, Perlroth urges that the U.S. adopt protocols that would turn over unused zero-days much more quickly to Microsoft and Apple to be patched. Until it does, Perlroth warns, click on those software updates and, for God’s sake, change your passwords. This Is How They Tell Me the World Ends is the book everyone will want to read the day after the world ends how Nicole Perlroth told us it would.

STREAM: Nicole Perlroth speaks at TechfestNW on May 21. Tickets to the virtual one-day festival are $25 at techfestnw.com.