Nicole Perlroth offers a thrilling, educational and politically aware overview of the history and future of cyberattacks and data privacy.
Privacy? What Privacy?
Unless your background is in IT, you may think of digital security as an annoyance or as an intimidatingly impenetrable field of binary code and scary-smart cyberpunks. In this New York Times bestseller and winner of the 2021 Financial Times and McKinsey Business Book of the Year award, journalist Nicole Perlroth argues that laypeople must understand the cyber threats facing America’s infrastructure, public safety, prosperity and civil rights. Perlroth’s engaging style and easy humor render these complicated issues – and the reasons they matter – understandable.
Here we were, entrusting our entire digital lives – passwords…banking records, credit cards… – to this mystery box, whose inner circuitry most of us would never vet, run by code written in a language most of us will never fully understand. Nicole Perlroth
Perlroth revels in the complexity and details of the cyberworld, yet her book takes on the authorial voice of an espionage thriller and keeps you riveted. Because she lives and works in Silicon Valley, her account occasionally suffers from a lack of input from the governmental agencies and personnel that make, she says, the crucial decisions. Thus at times, she seems an ultimate insider and at other times, a baffled outsider.
“Zero-Days”
Perlroth offers a necessary primer on the lexicon of hacking. Hacking communities find weaknesses, or “exploits,” in code, including zero-days, which are previously unknown and therefore exploitable vulnerabilities. The term “zero-days” refers to the number of days a developer has to fix an issue. For some hackers, as the author makes clear, identifying these weak points is a reward in itself; for others, it’s a business opportunity. Selling information about gaps in a target’s code to that company or government can be lucrative.
The American intelligence community’s greatest fear was that the change in information flows would cause them to go blind or deaf. Now their greatest fear was drowning. Nicole Perlroth
A Reagan-era discovery that the Soviets had hacked typewriters at a US embassy awakened the National Security Agency (NSA) to electronic espionage. Perlroth describes the NSA’s mission as then expanding into computers, the internet, smart infrastructure, fiber-optic connectivity, cloud storage, voice recognition and artificial intelligence.
Public knowledge of the US government’s participation in digital espionage remained negligible until Edward Snowden’s 2013 information leak. Afterward, many disgusted employees left the NSA for better jobs. As information about Stuxnet – a top-secret, successful NSA/Israeli hack against Iran – became public, more countries hunted for exploits.
In their eagerness to pay top dollar for more and better zero-day exploits and spy tools, US spy agencies were helping drive a lucrative and unregulated cyber arms race, one that gradually stopped playing by American rules. Nicole Perlroth
As Perlroth clarifies, Snowden’s papers also revealed that the NSA siphoned user data from undersea fiber-optic cables and switches; tech companies later encrypted that data. However, as Perlroth also reports, the NSA’s actual abilities were “far, far more” extensive than Snowden had disclosed.
Sophisticated Hacking
Regulating the zero-day market is akin, Perlroth explains, to restricting arms sales to dictators. Under the 1996 Wassenaar Arrangement, 42 participating nations, including the United States, agreed not to sell “intrusion tools” to countries like North Korea or Iran.
In the war on terror and the offensive cyber trade, you could rationalize just about anything. Nicole Perlroth
Perlroth marks the launch of a new era in 2008, when founders of the Israeli intelligence firm NSO Group marketed a way to bypass mobile phone and mobile app encryption. By 2010, the company was offering sophisticated hacking – once accessible only to US intelligence – to the international community. The United Arab Emirates used this method to keep tabs on journalists, and Mexican government officials targeted activists, critics, journalists and even health care experts supporting a soda tax.
By listening in on Google’s network traffic, the NSA could access all the Gmail inboxes and messages, Google Map searches and locations, calendars, and contacts they could ever want in plain text. Nicole Perlroth
To gain consumers’ trust, Perlroth reports, Google, Microsoft and Facebook created hacking bounty programs. Apple started encrypting user data in 2014. Google’s Project Zero eliminated swaths of bugs.
US Under Attack
Russia, China and Iran have caught up to or surpassed the United States in cyber defense. Cyberattacks by US enemies keep growing bolder; Perlroth cites the North Korean 2015 Sony hack and the Iranian 2021 Saudi Aramco incursion. Russia’s 2015 and 2017 hacking campaigns against Ukraine, Perlroth divulges, punished the former Soviet state for attempting independence and tested techniques Russia would use against America.
Perlroth cautions that attacks on the United States now happen frequently – a flood so overwhelming but with effects so invisible that the public has become complacent. This enables many to dismiss security concerns as alarmism.
Russia’s 2016 US election hacking and disinformation campaigns, for example, discredited Hillary Clinton and boosted Donald Trump. President Barack Obama’s deal with Chinese president Xi Jinping to halt the cyber theft of US intellectual property collapsed when Trump started a trade war.
We had all spent the past four years worried what our foreign adversaries were planning. But as the election neared, it was clear that the real interference was coming from within. Nicole Perlroth
In 2017, Russians alarmingly breached the US nuclear system, mapping it for future attack. Ransomware attacks have increased in frequency since 2017; US cyber losses now total in the trillions of dollars. Perlroth discloses that no one is certain whether the attackers are individual extortionists or members of coordinated Kremlin campaigns.
Stopping Cyber Threats
The United States’ newly formed Cybersecurity and Infrastructure Security Agency helps individual US states back up data, update systems, change passwords, block bad IPs and use multifactor authentication. Perlroth insists that companies also should insulate medical records and trade secrets from data that aren’t as sensitive.
Call me crazy, but former NSA hackers should not be hacking the First Lady’s emails on behalf of a foreign nation. Nicole Perlroth
Education can help consumers avoid bad links, weak passwords and disinformation. Democracies should not hold elections online. The United States should reappoint a national cybersecurity coordinator, refilling the position that Trump nixed in 2018. Laws should limit the work that defense contractors and hackers perform for foreign governments.
Review
This is a dizzying, bottomless subject, one potentially filled with quicksand traps for those writers who overemphasize technical jargon or pursue hacking strategies down rabbit holes of abstruse information. Nicole Perlroth avoids every trap. Her sense of balance is amazing; time after time, when you think she’s going to offer too much information, she demonstrates an admirable balance between educating readers and enticing them. This indispensable overview should be required reading for policy makers, executives, students and all concerned citizens.
Other worthy books on cybersecurity include Dark Territory by Fred Kaplan, Sandworm by Andy Greenberg, Cyber Crisis by Eric Cole and The Wires of War by Jacob Helberg.