This Is How They Tell Me the World Ends: The Cyberweapons Arms Race
The former director of the NSA, Keith Alexander, famously called Chinese cyberespionage the “greatest transfer of wealth in history.” The Chinese were stealing every bit of American intellectual property worth stealing and handing it to their state-owned enterprises to imitate.
Starting in 2016, the U.S. National Security Agency’s own cyber arsenal—the sole reason the United States maintained its offensive advantage in cyberspace—was dribbled out online by a mysterious group whose identity remains unknown to this day. Over a period of nine months a cryptic hacker—or hackers; we still don’t know who the NSA’s torturers are—calling itself the Shadow Brokers started trickling out NSA hacking tools and code for any nation-state, cybercriminal, or terrorist to pick up and use in their own cyber crusades.
Snowden had given his trove of classified secrets to Glenn Greenwald, a Guardian columnist. But we were reminded that day that Britain lacked the same free speech protections as the United States. Collaborating with an American paper, especially one with top First Amendment lawyers, like the New York Times, gave the Guardian some cover.
Every year Watters made a point to throw the biggest parties at Black Hat and Def Con, recruiting more hackers to their program and awarding prizes to hackers who found the most serious flaws. Hackers who barely made it out of their basements would get hammered at the iDefense party, then take their liquid courage to the blackjack tables.
Amassing those stockpiles became a competitive enterprise. Cyber was one of the only bright spots in an otherwise dismal decade for defense spending. In the 1990s, the Pentagon’s military budgets were chopped by a third, with cyber being the one exception.
For years, anytime intelligence officials visited Gosler’s office at CIA headquarters in Langley, they were greeted with the following Pritchett quote on the wall: Organizations can’t stop the world from changing. The best they can do is adapt. The smart ones change before they have to. The lucky ones manage to scramble and adjust, when push comes to shove. The rest are losers, and they become history.
The previous year, Gosler had heard a famous lecture by Ken Thompson. Thompson, who had won the 1983 Turing Award for cocreating the Unix operating system, used his turn at the lectern to share his concerns on where technology was headed. He’d titled his lecture “Reflections on Trusting Trust,” and his conclusion was this: unless you wrote the source code yourself, you could never be confident that a computer program wasn’t a Trojan horse.
Gosler probably would have happily stayed at Fort Meade, had it not been for his promise to return to Sandia. He was of the old-school mindset that one owes loyalty to those who train them, and he knew his loyalties were in Albuquerque.
The CIA’s equivalent of Q Branch in the James Bond films, the agency’s Directorate of Science and Technology developed surveillance devices that imitated flying insects and gave birth to the lithium-iodine battery. The CIA developed the battery to improve its surveillance operations, but eventually it would be used in smartphones, electric vehicles, even pacemakers.
They tested the worm on several different versions of PLCs. But the worm didn’t bite. It was clear that it was looking for a very specific configuration of machines, and that its authors had designed the code with insider information on their target. “They knew all the bits and bytes they needed to attack,” Langner said. “They probably even know the shoe size of the operator.” The spreading mechanisms were impressive, but it was the worm’s payload—what Langner called its “warhead”—that blew him away. “The payload is rocket science,” he said. The mastery of the code suggested that this was not ...more
Germans don’t do small talk, and they don’t do bullshit. Feel-good messages and blatant self-promotion have no place in Germany. Doing your job well is not a good reason to deliver a long, self-aggrandizing speech.
The NSA had started test-driving a game-changing new robot, code-named Turbine, to take over management of its vast implant apparatus. Described internally as “an intelligence command and control” that would enable “industrial-scale exploitation,” Turbine was designed to operate “like the brain.” The Turbine robot was part of a broader “Owning the Net” NSA initiative and if all went well, officials believed it could ultimately supplant humans in operating the NSA’s vast digital spiderweb.
Brin was born in Moscow and grew up under Soviet oppression. As a matter of policy, the Soviet Union was not anti-Semitic. But in practice, Jews were banned from Russia’s prestigious universities and upper professional ranks. They were forced to take university entrance exams in separate rooms—dubbed “gas chambers”—and graded on a steeper curve. Brin’s father had to forfeit his dream of becoming an astronomer because Jews were expressly forbidden from enrolling in physics departments at Moscow’s prestigious universities. The Soviets didn’t trust them with their nuclear rocket research, and the ...more
But Google now had one advantage over its competitors. “Telling the world about the attack ended up being the best recruiting strategy in the world,” Adkins told me. After naming and shaming China, hundreds of security engineers who’d been itching for a fight—many of whom had written off Google because they took issue with its privacy practices—began knocking on its door.
“The word ‘hacker’ has an unfairly negative connotation from being portrayed in the media as people who break into computers,” Zuckerberg wrote. “In reality, hacking just means building something quickly or testing the boundaries of what can be done. Like most things, it can be used for good or bad, but the vast majority of hackers I’ve met tend to be idealistic people who want to have a positive impact on the world.”
Google encrypted users’ data as it moved from these front-end servers to the open internet, but it didn’t bother encrypting data internally between its data centers. Encrypting the links between data centers was in its long-term plans, Google said, but until Snowden, encrypting data as it flowed between its own data centers had always seemed like an unnecessarily expensive endeavor.
Over the past six months Grosse and his team had sealed up every crack the NSA had brilliantly exploited. Grosse called the unencrypted links between Google’s data centers “the last chink in our armor,” and he was now encrypting Google data internally. Other companies were following suit and migrating to a stronger form of encryption called Perfect Forward Secrecy, which made it far more labor-intensive for NSA to decode their data. Google was also now laying its own fiber-optic cable beneath the world’s oceans and rigging it with sensors that would alert the company to undersea taps.
While the United States was still the top player in offense, it was woefully behind in locking up its own systems, and only becoming more vulnerable by the day. American data breaches had surged 60 percent year over year, and were now so commonplace that most barely registered as more than a blip on the eleven o’clock news. Half of Americans had to have their credit cards replaced at least once because of internet fraud, including President Obama.
The barrier to entry was so low that for the cost of three F-35 stealth bombers, Iran’s Islamic Revolutionary Guard Corps built a world-class cyber army.
The Chinese cyberattacks on American businesses had to stop, Obama told Xi. If they didn’t, the United States had the next round of indictments ready to go and would move to sanctions. Xi agreed, but everyone in the room knew that by then, China had already collected enough U.S. intellectual property to last it well into the next decade. Chinese hackers had taken everything from the designs for the next F-35 fighter jet to the Google code, the U.S. smart grid, and the formulas for Coca-Cola and Benjamin Moore paint.
Almost immediately, the Chinese cyber theft that had ravaged American businesses over the previous decade plummeted. Security firms reported a 90 percent dropoff in Chinese industrial cyberattacks. For eighteen months, the world’s first cyberarms-control agreement appeared to stick.
The world soon learned just how neglected OpenSSL had become. The code played a critical role in securing millions of systems, and yet it was maintained by a single engineer working on a shoestring annual budget of $2,000—most of that donations from individuals—just enough to cover the electric bills. The Heartbleed bug had been introduced in a software update two years earlier and yet, nobody had bothered to notice it.
That March, Fancy Bear’s Russian hackers had sent John Podesta, Hillary Clinton’s campaign chairman, a fake Google alert, declaring that he had to change his Gmail password. Podesta had forwarded the email to the DNC’s IT staff for vetting, and in what would become the most tragic typo in American election history, a campaign aide wrote back, “This is a legitimate email.” He had intended to type “illegitimate,” but the damage was done.
Pyongyang was learning that cyberattacks were a far easier way to get around sanctions than North Korea’s usual methods of counterfeiting and illicit wildlife trafficking. North Korea’s hackers had been caught—but never punished—for major cyber heists at banks in the Philippines, Vietnam, and at the Bangladesh Central Bank, where they’d made a $1 billion transfer request from the New York Federal Bank. Only a spelling error (they’d misspelled foundation as “fandation”) had kept bankers from transferring the full billion, but they’d still made off with $81 million, among the largest bank heists ...more
Stanford’s campus was dry. Under the deed of Leland Stanford, no alcohol could be served on campus or even in Palo Alto, and administrators worried about the flocks of students getting drunk down the road. Stanford’s first president had lobbied unsuccessfully to shut Zott’s down, calling it “unusually vile even for a roadhouse.”
Few of the customers today know it, but the entire digital universe is in orbit around one picnic table out back where computer scientists relayed the first message over the internet one summer afternoon in 1976.
There’s still a plaque commemorating the BEGINNING OF THE INTERNET AGE on the wall, and a picture of the men and one woman standing by as their colleague, beer in one hand, typed out the first internet dispatch with the other. A few years ago, I decided to track down the man in the photo. His name is Dave Retz. I asked Retz if anyone there that day had any security concerns about what they were building.
Open-source software makes up 80 to 90 percent of any given piece of modern software. Today, the average high-end car contains more than 100 million lines of code—more than a Boeing 787, F-35 fighter jet, and space shuttle. That code powers streaming music, allows hands-free calls, monitors gas levels and speed, and roughly a quarter of it is open-source.
The Linux Foundation, together with Harvard’s Laboratory for Innovation Science, is now midway through a census effort to identify the most critical and widely deployed open-source software in use, with the goal of giving developers the funds, training, and tools to protect it. Separately, Microsoft and Facebook sponsor an internet-wide bug bounty program to pay hackers cash for bugs they turn over in widely used technology. GitHub, the platform for programmers—that is now part of Microsoft—also offers bounties for open-source bugs, and has given the hackers who turn over these bugs legal safe ...more
The Food and Drug Administration, for example, has been pushing medical device manufacturers to submit a “cybersecurity bill of materials,” a list of every commercial, open-source, and off-the-shelf software and hardware component in medical devices that could be susceptible to vulnerabilities.
The Linux Foundation recently started awarding digital badges to programmers who take training courses in secure programming and pass certification exams.
Among the most promising is a joint collaboration between the Pentagon’s Defense Advanced Projects Agency (DARPA), SRI, and the University of Cambridge in England. The last big collaboration between SRI and the Pentagon more or less gave birth to the internet. The latest project promises to be just as ambitious. The idea is to redesign computer chips from the inside out, adding contamination chambers that would keep untrusted or malicious code from running on the chips inside our phones, PCs, and servers.
The vast majority of cyberattacks—98 percent—start with phishing attacks that contain no zero-days, no malware. They just trick us into turning over our passwords. Despite the attraction of zero-days, Rob Joyce, the head of TAO, essentially the nation’s top hacker, gave a rare talk four years ago, in which he called zero-days overrated and said unpatched bugs and credential theft is a far more common vector for nation-state attacks.
So-called “password-spraying attacks” have surged in the past three years, in which hackers try common passwords (e.g. “password”) across multiple user accounts. It’s not rocket science, but it’s insanely effective. Password-spraying is all it took for an Iranian hacking group, working at the behest of the IRGC, to break into thirty-six private American companies, multiple U.S. government agencies, and NGOs.
But Norwegians implemented a national cybersecurity strategy in 2003 and they revisit and update it every year to meet current threats. Norwegian companies that provide “basic national functions”—financial services, electricity, health services, food supply, transportation, heating, media platforms, and communications—are required to have a “reasonable” level of security. The government penalizes companies that do not perform penetration testing, threat monitoring, or adhere to other best security practices. Government employees are required to use electronic IDs, multifactor authentication, ...more