Cybersecurity Book Club: “This is How They Tell Me the World Ends” by Nicole Perlroth
Introduction
What do Argentine hackers, Israeli security companies, Chinese cybercriminals, and the US government all have in common? All are key players in the black market trade of zero days, which are software bugs and vulnerabilities that have not yet been publicly disclosed. The purchase of these zero days is a decades-long practice for hackers, private firms, and even national governments.
In her book, This is How They Tell Me the World Ends, author Nicole Perlroth demonstrates how the secretive zero day market has catapulted into a global cyberweapons race. The hoarding of these zero days, Perlroth argues, directly informs the current cyber landscape and today’s constant slew of cyberattacks happening every hour of every day. The book details how the zero day trade has formed the cyclical nature of digital warfare: somebody discovers vulnerabilities, uses them to exploit victims, wreaks havoc on sensitive systems, and eventually moves on to hunt for new zero days.
This book takes us through a nearly 30-year history of the cyberweapons trade. From the NSA’s discovery of Soviet bugs planted inside US embassy equipment to more recent disinformation campaigns during the US 2016 presidential elections, Perlroth explains how cyber arms have proliferated and what the world can do about it.
Case Studies: How Zero Days Lead to Zero Safety
It is often better to show rather than tell. Based on more than 7 years of interviews with over 300 individuals, Perlroth certainly shows readers the foreboding nature of global cyberattacks. Diving into the underworld of zero days, her book reveals how this arsenal of digital weapons has enabled commercial spyware on iPhones, dangerous shutdowns of chemical and nuclear plants, electoral interference, widespread power outages, and mass human rights violations.
Here are some of the book’s illustrations of how zero days can have disastrous effects:
Everyone Loses in a Global Cyber Arms Race
Despite the book’s comprehensive analysis of past events, This is How They Tell Me the World Ends is also very forward-looking. The author ensures that readers understand the urgency of the global cyber arms race and how it informs the future. In the epilogue, Perlroth makes several actionable recommendations for how to address the digital dilemma.
“We must lock down the code.” Perlroth argues that the first step in securing digital infrastructure is shielding source code. It needs to be more difficult for cybercriminals to identify and exploit software bugs. This necessitates a shift in the tech industry. The author advocates for the industry to stop rewarding developers whose products are first on the market. As she rightly states, “Speed has always been the natural enemy of good security design.”
Restore the balance between defense and offense within the US Vulnerabilities Equities Process (VEP). The VEP is used by the US government to guide decisions about whether zero days are released to the public or saved for national security purposes. Perlroth asserts that the VEP is disproportionately used in favor of offense, meaning vulnerabilities tend to be withheld from affected companies. To tip the scales, she proposes that the implementation of VEP be managed by the Department of Homeland Security and audited by the Inspectors General and the Privacy and Civil Liberties Oversight Board.
Require expiration dates for stored zero days. The longer a zero day is stored, the more opportunities for it to fall into the wrong hands. This is especially true when the undisclosed vulnerability affects a broadly used system. According to Perlroth, the average life span of a zero day is approximately 1 year. Therefore, holding a zero day for longer will only incur more risk of that same vulnerability being used against our own interests.
Better governance of the zero day market. The book recommends that zero day brokers and hackers be required to hand over exclusive ownership of their tools after each transaction. This can prevent hackers from selling the same exploit to a multitude of buyers. Additionally, Perlroth asserts that companies that sell surveillance equipment, such as NSO and Hacking Team, should not be permitted to work with human rights violators. And finally, the author supports the implementation of policies outlining the so-called “red lines” of cyber warfare – the targets that are off limits to all hackers, brokers, and nation states.
Why This Book Matters
There is hardly a single aspect of our lives that is not controlled by technological processes. Our economy, education, democracy, and socialization are now driven by internet connectivity. For many years, the world asked few questions before plugging into the next greatest invention. The problem is that this interconnectivity presents a paradox: exposure is the kryptonite of swift innovation. As Perlroth’s book shows, we are confronted by the reality of more automation yielding more susceptibility. A vulnerability in the iPhone has the potential to affect every single iPhone owner. Similarly, a zero day exploit targeting Windows systems cannot be used to target a particular adversary without potentially affecting all Windows-facing devices.
“My hope is that my work will help shine even a glimmer of light on the highly secretive and largely invisible cyberweapons industry so that we, a society on the cusp of this digital tsunami called the Internet of Things, may have some of the necessary conversations now, before it is too late.” – Nicole Perlroth
This book was not written for the tech experts, programmers or CISOs – it was written for the everyday user. Perlroth’s targeted audience is primarily the groups who actively use technology but do not regularly consider its implications, those who are not aware of the part they play in the global cyber problem. This is a book for all of us, so that we can start considering the right answers to the difficult questions we face.
Approved for Public Release; Distribution Unlimited. Public Release Case Number 22-2361. The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author.©2022 The MITRE Corporation. ALL RIGHTS RESERVED.