Armageddon may start not with the push of a button that launches a missile— but rather the click of a faraway computer key setting off the overload of a nuclear reactor, the derailment of a train or the failure of an oil rig.
In part, that's the premise of New York Times reporter Nicole Perlroth's forthcoming book (working title, This is How They Tell Me the World Will End), which she's been writing while on sabbatical from the Times. For five years at the NYT, Perlroth has been on the front lines of reporting on cybersecurity, from Chinese hacks to Trump's alleged Russian connections to the digital break-in of the Democratic National Committee.
She'll be in Portland March 23-24 to speak about the new trade in cyberweapons—and the threat they pose—at Portland's upcoming TechfestNW conference, a gathering of leading thinkers, startups and established companies that has showcased the the Pacific Northwest's talent and innovation for the past five years. The biggest such conference in Portland, it'll be held at the Portland Art Museum on March 23-24.
We spoke with Perlroth in advance of her appearance in Portland.
What's the topic of your talk at TechfestNW?
I'm writing a book on the underground market for cyberweapons. I feel a lot of people are making connections between the trade in cyberweapons and the nuclear market—we're operating in a new space, where largely the trade in cyberweapons and nuclear weapons is unchecked and unregulated. There's a sense that there's a deterrence strategy to limit the use of these tools: Can we look at cyberweapons through the lens of nuclear deterrence?
It'll be a very sunny talk.
But nuclear deterrence—mutually assured destruction—presumes you know who's making the attack.
The main problem is that attribution is so hard—you can't fire back. You can't know 100-percent you're firing at the right person. In China, in Russia, increasingly you see nation-states relying on freelance contractors to do their dirty work. Here we rely on the NSA and Cyber Command. But if we are hit by contractor, who do we hit back? The connections aren't as clear.
Your book has a somewhat scary working title—This Is How They Tell Me the World Will End.
Hackers and cybersecurity researchers have been warning me there will be a cyber Pearl Harbor: A virus will take out a train, blow up a chemical company. It always sounded like fearmongering.
The more I researched this market for cyber weapons, the more I found out how easily they'll be traded—China, Iran, Mexico, Argentina—the more I realized just how the people most determined to do destruction are finding it easier and easier to buy them off the shelf.
You've seen more and more of them, but they were pretty elementary level attacks. The only reason they haven't done more harm is they haven't had the sophistication. Increasingly those tools are just a transaction away. The ones I'm most scared of are someone accessing the power grid, someone accessing an oil rig—all those systems are online right now, baked in with legacy systems that have crappy security protocols in place. That's where the book is headed.
A couple of the stories you reported for the Times have also been optioned for movies.
One this year was optioned by the Weinsteins. We went out to Wisconsin, and they'd found Chinese military hackers in the backroad server of a welding company. The Weinsteins optioned it for a TV series.
A couple years ago I wrote a story about Brian Krebs, the cybersecurity blogger who made a niche in Russian cybercrime. People SWAT him—they pretend to be his wife, pretend to be a victim of abuse, and people send SWAT teams to his house. Somebody bought heroin on silk road, then called the FBI. Awful things happened to him as a result of covering Russian cybercriminals.
You've been on sabbatical from the New York Times while writing your book. What's the most troubling story on cybersecurity you've been forced to read about without covering it?
The Russian hacking stories are driving me crazy. I was one of the first people to start writing about the DNC hack. We did a piece about [Romanian hacker] Guccifer, how he was likely just a decoy for the FSS.(THE FSS is the principal security agency for the Russian Government). And then to see our new president calling out 400-pound hackers even as he got daily intelligence briefings was mindblowing.
I did a story while on sabbatical. People were being hacked by Israeli spyware in Mexico. They were all for a national soda tax in Mexico, for doubling the tax they have, and a government agency in Mexico was spying on them using Israeli spyware.
Mexico, we knew, had been using spyware on drug lords—but to use it on people pushing back against the soda lobby?
Is this an equal danger, that governments use these tools against their citizens?
There's a lot of overlap there. Governments can use these very invisible tools against whoever they want. But in every case it's just how easily these weapons are traded. There are no international laws that prohibit the use of these weapons. The U.S. set the bar pretty low when they used Stuxnet on Iranian nuclear systems.(Stuxnet is a computer virus that is believed to have created by the Americans and Isrealis to sabotage Irans nuclear program.)
Oregon Senator Ron Wyden [who is also speaking at TFNW] has been very vocal against government cybersurveillance of citizens.
He has taken a very brave, informed position on things like, should the government mandate that Apple make a backdoor into systems to allow government surveillance?
He's taken the right side of that decision: No, government should not make companies make products less secure. The moment they give one government a backdoor, Apple would have to give a back door to every country they do business with, first among them Beijing.
People have overhyped just how much the intelligence agencies in the U.S. are monitoring our own systems, Just in my reporting, I was surprised how many bureaucratic hurdles there are for intelligence and monitoring tools, cyberespionage tools. I'm more concerned about countries with no code of conduct having access. Our government spying on obesity activists and nutritionists would be weird.
Recently, Kellyanne Conway has been trying to walk back Trump's wiretapping Tweet about Obama. She said there's all kinds of ways Trump could have been surveilled, including that phones, TV sets, and microwaves can be turned into cameras.
That technology doesn't exist. But If she'd said thermostats, she would have been OK. I did a story where the U.S. Chamber of Commerce had been hacked by China. They called in the FBI, cleaned out all their systems. Six months later a thermostat started acting weird: It was communicating with a Chinese IP address.
TechfestNW will be held at the Portland Art Museum March 23-24, 2017. For information and tickets, go to techfestnw.com.