In “This Is How They Tell Me the World Ends,” Nicole Perlroth provides another explanation for the ever-expanding cyberassaults on the United States: the way that Washington, in its careless rush to dominate the field, has created and hypercharged a wildly lucrative, entirely unregulated gray market for insanely dangerous digital weapons that private hackers develop and then sell to the highest bidder. Which only sometimes is the United States.
Perlroth, a cybersecurity reporter at The New York Times, has written an intricately detailed, deeply sourced and reported history of the origins and growth of that market and the global cyberweapons arms race it has sparked. As she describes her book, “it is the story of our vast digital vulnerability, of how and why it exists, of the governments that have exploited and enabled it and the rising stakes for us all.”
This is no bloodless, just-the-facts chronicle. Written in the hot, propulsive prose of a spy thriller, Perlroth’s book sets out from the start to scare us out of our complacency — and (on my part, at least) it succeeds. As a narrator, Perlroth comes at the reader hard, like an angry Cassandra who has spent the last seven years of her life (which is both the length of her career at The Times and more or less the time she spent working on the book) unmasking the signs of our impending doom — only to be ignored again and again.
As for who’s most to blame for our current state of cyberinsecurity — in which all of us are targets and the tech we, our government and our infrastructure providers rely on is now penetrated at will by foreign actors — Perlroth has little doubt. Sure, the hackers who actually create all those nasty little tools and then sell them to whatever government will pay the most — no questions asked — bear primary responsibility. And sure, the foreign states who use these tools against us or their own people are guilty too. But none of this would have happened, Perlroth argues, if Washington hadn’t decided years ago to neglect cyberdefense and focus instead on paying programmers around the world to find and weaponize vulnerabilities in existing software — gaps known as “zero days” in the industry — that grant those that wield them “digital superpowers.” (The term “zero days” comes from the fact that when a tech company finds such a flaw in its software or hardware, it has zero days to fix it or suffer the consequences.)
If enabling this market was Washington’s original sin, its second catastrophic blunder, according to Perlroth, was Stuxnet: the computer worm the United States allegedly used to destroy a fifth of the centrifuges at Iran’s Natanz nuclear enrichment plant in 2009-10. While the worm, a stunning technological breakthrough, may have forestalled an Israeli attack on Iran, set back Tehran’s weapons program and driven the mullahs to the bargaining table, it also shattered a basic norm: It was the first time one government had digitally infiltrated the networks of another and used its access not for spying — which everyone does — but to wreak physical havoc. Once that gentlemen’s rule was broken, Perlroth argues, it became open season for America’s enemies to try to do the same to it; and now it’s only a matter of time, she concludes, till we face a digital Pearl Harbor.