‘Every Attack Was Like a Slightly Deadlier Version Than the Last:’ NYT’s Perlroth Talks About Her New Book
When Nicole Perlroth joined The New York Times’ technology bureau nearly ten years ago, cybersecurity was in a much different place than it is today.
“The crazy thing happening in that moment was Anonymous, which seems so quaint these days,” she said.
As the decade unfolded, she witnessed and wrote about attacks that grew increasingly brazen and destructive: hacks targeting Sony Pictures, Yahoo, and Equifax, as well as incidents that spiraled out of control such as WannaCry and NotPetya. Governments were stockpiling cyber weapons and unleashing them on adversaries. Occasionally the tools would get stolen and used against the country hoarding them.
Over the last seven years, Perlroth has been working on a book that weaves these threads together to highlight how vulnerable we’ve become. Perlroth talked to The Record this week about the anxiety of writing on a subject where many questions are still unanswered, as well as her decision to craft her narrative like a spy thriller. Her book, This Is How They Tell Me the World Ends, was released Tuesday.
Adam Janofsky: As someone who writes and reads about cybersecurity every day, I’m surprised by just how much is new to me in your book. It’s interesting to people who both know nothing about cybersecurity and those who work in the field.
Nicole Perlroth: Oh good, that was the goal! I was so scared of the people who work in the field. It’s funny, their reactions have been both, “This is all wrong!” from the people who I out as training Turkish military and less-than-savory governments, and there’s others who say, “What about this story? What about this exploit broker? What about this person?” And I thought, I never heard of them… I’m going to have a few stories to write after this.
In general, it’s a hard audience to please. But it’s a really hard audience to please when you’re writing for [someone like] my mom, who doesn’t care about this one zero-day exploit that I didn’t write about in the book. It’s hard enough for her to understand what a zero-day is in the first place, so writing it in a way that she knows what I’m talking about is a challenge, and knowing that inevitably the people who specialize in this area are going to say this isn’t technical enough… It’s a hard audience all around to please.
AJ: What made you decide to write a book in the first place?
NP: In 2014 I looked around and there were so many people writing cybersecurity books, and they were putting my articles in the footnotes. There were a lot of research reports coming out that were citing my work on things including the Saudi Aramco attack. And I just had to kind of give myself a pep talk: Nicole, you know more about this one attack that changed the game than anyone else, except for the people sitting on premises unwinding it, but you’ve talked to all of them. I can write all the A1 articles I want about these attacks, but sometimes it doesn’t make sense unless you string them together in a narrative and show people here’s where we started, here’s where we are now, and here’s how we got here. It goes back several decades to decisions we made about leaving systems more vulnerable so we could spy on them, it goes back to Silicon Valley pitching this promise of a frictionless society that we all bought into without thinking about the security implications. And I work for The New York Times, which has a very New York Times-y voice—I love that voice, and I can do that voice, but I just felt this was calling out for someone to grab the reader by the hand in a really accessible and interesting way and navigate them through the backstory. Until I did that, I was going to feel a bit of agony that I wasn’t getting the real story out there.
That was in 2014, when I pitched and sold the book. I was writing about this theoretical danger—that we were stockpiling zero-days and incentivizing people to leave them open, and I could see that the attacks were getting worse and worse. But I never expected Shadow Brokers would happen, where these tools would actually get hacked and dumped and immediately picked up by our adversaries. Even when I was covering Shadow Brokers for the Times, we would put those stories on the front page but to me what happened there was so much worse than what happened with Snowden. I had first-hand experience with the Snowden documents—I was in a closet going through them for several months—but what he leaked were these really vague PowerPoint slides and internal wikis at NSA. It was nowhere near the code and capabilities itself, and that’s what the Shadow Brokers did. They leaked out the NSA’s premier access and hacking tools, and I just didn’t think people were grasping the gravity of it. So that became a major milestone of the book.
I also had a baby and got married and all sorts of fun things, so it took me a lot longer than I thought to get this out there. But I’m glad it’s coming out now, after the election, after we discovered SolarWinds, and we have a new administration that might actually read it and do something about it.
AJ: I was going to ask—you spent seven years writing this book, what made you decide that now was the time to publish it? It sounds like there were many reasons.
NP: Yeah, I tried to get it out before the election and because of COVID-19 it got pushed back from September to now. I was pretty bummed about that, but cybersecurity is weird and it turns out we didn’t have a big election hack, but we had this other thing. So I feel kind of fortunate that it’s coming out now—I feel that the whole book is a prelude to SolarWinds and this water treatment thing, and it helps show the reader how we got here more than I ever could in the day-to-day coverage.
AJ: Going back to how you were saying that in your day job you have to write in a New York Times voice. I noticed a lot of reviewers have pointed out that your book is written like a spy thriller—did you read any detective novels as inspiration? What was the process like to come up with that style?
NP: The book I’ve had sitting on my desk this whole time was Flash Boys by Michael Lewis. I really used that as a template. He was writing about high-frequency trading, and we all heard that term and had a sneaking suspicion that we were all getting screwed. But he really laid that out and did it through the characters in the book and made it really accessible, and that’s what I wanted to do here.
The book started with me in the Snowden closet, and I didn’t intend to make it a spy thriller, but as I was writing it a year after I sold it, the Ukraine grid attack happened, Shadow Brokers happened, NotPetya happened… I went to Ukraine and it was really that trip that shocked me out of my complacency. I described it in the book, they were so close to grabbing me by the ears and saying: “Wake up! This was just a dry run. We were not the target—you are the target. And we’re not digitized like you are, so when it comes your way, it’s going to be really bad.” That became the prologue to the book, essentially me showing the reader that this turns off your ability to get gas, get money out of the ATMs, it turned off the radiation monitors at Chernobyl. And what saved Ukraine is precisely what makes us more vulnerable—we are way more wired than they are, and we don’t have their sense of urgency. We were in la-la land moving to ballot-marking machines and blocking every piece of legislation to add paper backups and risk-limiting audits. As I was on that trip, thinking about the 2020 election, I realized I needed to add urgency here to this narrative, and that’s why I put the Ukraine attack first and then led the reader towards Shadow Brokers.
I set out to write a character-driven account where each character would represent a different slice of the market. I didn’t intend to write a thriller. But as this thing kept going and escalating and every attack was like a slightly deadlier version than the last, it ended up becoming more of a spy thriller than I set out to write.
AJ: There are so many interesting characters in the book—when you talk about Ukraine you describe sitting down with a cybersecurity entrepreneur to eat vareniki—
NP: I feel bad that I described it as Jell-O, but it’s kind of how it looks and is sort of part of the accessibility of the book… But I apologize to anyone in Ukraine that I called vareniki Jell-O.
AJ: —you also talked to a lot of people who were formerly in the intelligence community and they spoke openly with you. How did you convince these people to go on the record?
NP: This was always the part that scared me the most about signing up to do this book—I knew I was eventually going to have to get into the innards of these intelligence programs to get to the history of how they started and who started them and what was the impetus to these programs. I knew that unless I did that, it wasn’t going to be a fair book, because there were legitimate reasons why these programs began.
So this is how the sausage gets made, I guess: I was sitting at my desk one day and I was rueing about how am I going to find a character inside government who is going to talk to me? John Markoff, who covered cybersecurity for the Times for more than 20 years, was overhearing my conversation and came over and said, “Oh, you need to go find the godfather of cyber war. Call Jim Gosler.” I Googled Jim Gosler, I couldn’t find anything about him, so I started asking around. Anytime I got a chance to interview someone who oversaw the expansion of U.S. cyber espionage, at the end I would ask, “If you had to name one person who’s the godfather of cyber war, who would it be?” They all said Jim Gosler. So I reached him—he’s retired now and lives in the desert—and one of my favorite facts of the book is that he lives literally a stone’s throw from where we go to Black Hat and DEF CON every year and he’s never been to the conferences. He told me it’s a terrible place to recruit—you don’t want the people on stage demoing these things, you want the people toiling away in the research labs.
He never discussed any classified programs, I was able to kind of work around that piece. But the reason he talked to me was that he was a hacker himself, and he was just as scared of the vulnerabilities he was finding as researchers are today. But in those days, the biggest threat was Russia and an attack on our typewriters at the U.S. Embassy in Moscow. I had never heard about the project, it was called Project Gunman, and he was one of the people who pushed to declassify that project and said I had to read it to understand how we got to where we are. I went back and read the declassified report, and at that point in time we were all using different technologies and the espionage was all fair play. He spearheaded the programs and showed the government what was possible with the power of a zero-day.
He showed spies who were terrified that digital espionage would come to replace them that no, this is an amazing complement to what you’re doing. Instead of breaking into file cabinets, you can get them on a thumb drive, and if we’re not doing this then we’re not doing our jobs and we’re going to be more vulnerable. He left the CIA in May 2001, got into his Jeep, rode out of the parking lot and basically went back to New Mexico and later retired. A few months later, 9/11 accelerated things at the same time as globalization was taking hold—we were all moving to the same technology. We were all using our iPhones, Android phones, Windows, Schneider Electric, Siemens. Finding a vulnerability in one of those systems and hoarding it for espionage or battlefield preparations necessarily entailed a tradeoff at the expense of defense. Later in his career, a couple years before I met him, he sat on the Defense Science Board where they had evaluated the risk to America’s critical infrastructure to a cyberattack, and he walked away horrified by the state of our vulnerability. So his motivation in talking to me was to do what I was trying to do: wake up America.
AJ: I’ve read some reviews that wished you would have spent more time talking about solutions. From my perspective, that might have been intentional—that this is a complex problem with few obvious solutions, and it will probably get a lot worse before it gets better. Do you agree, or are there things the Biden administration can do right now to prevent the next SolarWinds?
NP: I think those criticisms are really fair. I wanted the book to be a wake-up call and I sort of jammed the solutions into the epilogue, and I think it’s a totally fair criticism to say I didn’t spend enough space on them. I also was writing a book at the same time as my cyber compadre, as I call him—David Sanger, who wrote The Perfect Weapon and really got into policy questions. I didn’t want to go toe-to-toe with David on policy because his book is really excellent, so I thought of this as more of a complement to that. When I get into the solutions at the end, it’s not from a Washington policy angle, it’s for everyday Americans, so some of the things I suggested were that we need a bill of materials to understand what software is in our systems. We don’t know and we only find out after things such as Heartbleed—someone discovers a vulnerability in a key encryption protocol such as OpenSSL, which is being secured by one volunteer operating on a $3,000 shoestring budget living in England who’s barely been able to pay his electricity bill for months.
We need to identify the open source code that makes its way into our systems and make sure it’s adequately defended, monitored, and authenticated so no one is adding backdoors. Same with the software makers—we need to know how much software making its way into our nuclear labs is American made, not to say that software made elsewhere is inherently more dangerous. But now we’re learning with SolarWinds, most victims didn’t know that a lot of the code is built in Belarus, which we call Europe’s last dictatorship, and we didn’t know how shoddy—I almost said a swear word—SolarWinds’ security was until this attack. solarwinds123 was the password and they didn’t have a bug bounty program and they were cost cutting and a lot of people were warning them internally that they needed to take security seriously otherwise it would be catastrophic.
So where I focused on solutions were things including a bill of materials and security by design and at the individual level all the grueling, boring things we’re constantly telling people to do—different passwords, two-factor authentication, not clicking on links. If we don’t do the basic things, there’s no point in even offering solutions in the higher-up levels. I did offer some solutions there… don’t hoard a zero-day in Microsoft Windows software for more than five years that you likened yourself to fishing with dynamite. Clearly, once that got out we saw that you really were fishing with dynamite and it blew back on us and had real implications for American companies and hospitals.
I’m glad I addressed the bill of materials, because the SolarWinds attack makes it so blatant that we need something like it. But I also think there’s a real silver lining to SolarWinds, which is that the Biden administration has no choice but to address these questions. I think it’s promising that he pulled in Anne Neuberger from NSA—the joke used to be “No Such Agency,” but under her leadership they did start publishing a little more information about technology and the way it was getting exploited by Russia and other actors. It could have been more actionable and earlier, but it was a big step for them culturally, for sure. And if that was her priority within NSA I’m sure she’ll continue to make it a priority at the highest level of the administration. And Biden has said cybersecurity is going to be a top priority and it was one of the first things he brought up with Putin on their phone call. That’s a big change from Trump who said he believed Putin didn’t hack our election. So we slid back over the last four years—if we were doing any cybersecurity, it was in spite of, not because of, the administration, and now I think we’ll be doing a lot of things because of the new administration.
Even though it sometimes feels it’s too late in the game, that’s just not true. We’re at the beginning of artificial intelligence, we’re at the very beginning in some ways of virtualization. So if we can pause here, it’s not too late.
AJ: You’re based in San Francisco, not Washington, DC. How does that shape your reporting and approach to cybersecurity incidents?
NP: I was hired on the technology team at The New York Times because they did want me to cover the business of cybersecurity from Silicon Valley. But that was around 2010 and the crazy thing happening in that moment was Anonymous, which seems so quaint these days. Who cares about DDoS attacks these days? But very quickly it transitioned to nation state cyber warfare, from Stuxnet to Saudi Aramco to Sony to Sands Casino to Iranians getting into the Bowman Dam to the election. If we had paused and had time to think organizationally about the best place for me to be sitting, it would have probably been DC, but we didn’t even have time to have that conversation because things are moving so quickly. But I think in the end it worked out well because I have a great relationship with our DC national security team—I work really frequently with David Sanger, but also Mark Mazzetti and Matt Rosenberg and Scott Shane, and it was good because we can meet in the middle with our coverage.
AJ: What’s it like to write a book where you don’t have all the answers? Do you think we’ll ever know who is behind Shadow Brokers, for example?
NP: I really hope so. But you nailed it on the anxiety of writing this particular book. It’s a really hard space to get to the bottom of, and that’s the anxiety that I think caused a lot of writer’s block that kept me from publishing the book for seven years. As a reporter, when you get writer’s block you know you just need to go do more reporting, but in this case I would reach a lot of walls and I would think I should keep reporting but at the end of the day this book is probably just scratching the surface. I wanted to tell it in a way, like I said, where I had one person representing their slice of the market. For the government that ended up being Jim Gosler, for the broker that ended up being a guy who I had to change their name, but Jim Sabien, and Shadow Brokers it almost added to the narrative that we didn’t know who they are, because it emphasized that we don’t know everything, that we can’t outsmart everyone with active defense because we don’t even know who hacked us.
Where I’ve gotten a lot of Twitter DMs and Signal messages over the last 48 hours are from people who work at other companies such as Trail of Bits, who my readers haven’t heard of but are exploit developers and have relationships with government agencies and are pissed that I decided to focus on Vulnerability Research Labs instead of them. I could have written several chapters about the exploit development shops themselves, but I ultimately went with VRL because they’re considered to be the best and no one has heard of them.
AJ: What about SolarWinds, where the government has said they’re confident that it’s tied to Russia but they haven’t made any attribution to a specific agency or said what the motivation is or whether or not there’s been retaliation or even what that might look like. How do you think that will play out?
NP: I think as soon as they find a smoking gun they need to let people know because there’s been so much speculation. FireEye says they haven’t attributed it but people inside the company will say they know it’s Russia but don’t know the specific group, and people in government have been more specific and said it’s this SVR group that previously hacked the White House and State Department back in 2014 and 2015 and are really good… quick tangent—I remember from those incidents that when the responders came in, they were using this RSA NetWitness tool for their investigation and one day they realized the Russians had actually taken over their investigatory tool so they wouldn’t discover their backdoor. That’s the adversary we’re up against and I think it’s going to be a really long time before we can confidently say we’ve identified every last backdoor, which gets to your other question about response. How do we respond to an attack that we do ourselves?
I’ve written stories about how the U.S. at one point went looking for [People’s Liberation Army] backdoors in Huawei software, and while they were in there they said: “Oh, all our adversaries use Huawei and this is a great backdoor—we can get into their software and all these targets of interest in Sudan, Syria, China, Iran, and North Korea that we wouldn’t be able to otherwise.” We’ve been doing these things for a long time and I think we’ll be very hesitant to respond as if this were an act of war, as Senator Dick Durbin had called it. The other thing is how do you respond when you’re not sure you’ve gotten the adversary out of your own IT systems? I don’t know.
The answer to this over the past few years has been sanctions and indictments and naming and shaming, but we’ve done that. Before the election we called out Russian hackers who broke into a Saudi petrochemical plant and hacked the Olympics and the French election. We had the Mueller report naming people involved in hacking our democracy. We’ve done indictments against Chinese hackers, but we’ve never seen anyone arrested for the most part for those attacks, so they’re not really a solid deterrent strategy. I think that’s going to be where the interesting discussions in this administration take place—we know deterrence hasn’t worked in the form of these diplomatic maneuvers, are we going to be more aggressive with our own cyberattacks, with active defense? Maybe. Probably. For too long there was no cost to our adversaries for making these attacks, so I’m not saying let’s pull back on offense, but if we’re going to go down this aggressive offense route, at least make sure our grid is locked up. And right now it’s very much not locked up. Every day we’re seeing just how vulnerable we are with hospital ransomware attacks, the water treatment facility hack, and everything else.
AJ: Are there any other unsolved cybersecurity mysteries that you’ve had in the back of your mind?
NP: Here’s one I allude to in the book. Back in 2015 or 2016 I went to the Pwn2Own contest in Vancouver…
AJ: The one where they’ll give you a Tesla if you can break into it?
NP: Yeah I think so, I haven’t been in recent years but it’s always a competition to see who can break into something in the shortest amount of time. For a long time we were dominating these contests. But the year I went, teams from China and South Korea were crushing us. And those guys don’t show up to the hacking contests anymore because China has seen the value in a zero-day and they don’t want their own skilled hackers sharing that information with other governments and security teams and have basically told people that if they disclose vulnerabilities without permission they’ll be arrested, they’ve prohibited them from going to hacking conferences. It just begs the question where are these zero-days going?
We saw I think early last year a watering hole attack where China baked in zero-days into a website that was widely read by Uighurs. That’s how those tools are getting used, and when I talk to Chinese foreign policy experts they say China uses its best stuff on its own people first and then it turns those tools on us. I think that’s fascinating and I would love to do a deep dive into what was the wake-up call for China to decide to hoard its knowledge of zero-days and the people who could exploit them and what their plans are for these capabilities.
AJ: Last question—can you tell me about why you decided to start the book with a Buffalo Springfield lyric?
NP: I always liked that song! I was driving one day and I was singing along to it and thought this was my epigraph. Unfortunately it cost me a little bit because you have to pay for the rights to use song lyrics—I thought about not using it, but I just felt it perfectly encapsulated what I was trying to do with the book, so I paid for the rights.