This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

by Nicole Perlroth

The former director of the NSA, Keith Alexander, famously called Chinese cyberespionage the “greatest transfer of wealth in history.” The Chinese were stealing every bit of American intellectual property worth stealing and handing it to their state-owned enterprises to imitate.

In the United States, though, convenience was everything; it still is. We were plugging anything we could into the internet, at a rate of 127 devices a second. We had bought into Silicon Valley’s promise of a frictionless society. There wasn’t a single area of our lives that wasn’t touched by the web. We could now control our entire lives, economy, and grid via a remote web control. And we had never paused to think that, along the way, we were creating the world’s largest attack surface.

The biggest secret in cyberwar—the one our adversaries now know all too well—is that the same nation that maintains the greatest offensive cyber advantage on earth is also among its most vulnerable.

The world’s infrastructure was racing online. So was the world’s data. The most reliable way to access those systems and data was a zero-day. In the United States, government hackers and spies hoarded zero-days for the sake of espionage, or in the event they might need to do what the Pentagon calls D5—“deny, degrade, disrupt, deceive, or destroy”—an adversary’s critical infrastructure in the event of war one day.

The first thing spies would do after successfully breaking into a machine, Sabien told me, was listen in for other spies. If they found evidence that the infected machine was beaconing out to another command-and-control center, they would scrape whatever the others were catching. “And if they were really selfish,” Sabien told me, “they’d patch the system and kick everyone else out.” It wasn’t abnormal, Sabien said, to find multiple nation-states listening in on the same machine—especially in the case of high-profile targets, diplomats, government shell companies, arms dealers, and the like. There was one well-known exploit in HP printers that for years, Sabien told me, was utilized by “government agencies all over the world.” The exploit allowed anyone with knowledge of its existence to scrape any files that passed through HP’s printers and offered spies a foothold in their target’s network, where IT administrators would least suspect. The day the printer exploit was discovered and patched by Hewlett-Packard, Sabien said, “I just remember thinking to myself, ‘A lot of people are having a very bad day.’ ”

He passed me his phone. On the screen was a quote attributed to Nathaniel Borenstein, who I vaguely recalled as one of two men who invented the email attachment, the invention so many nation-states now used to deliver their spyware. “The most likely way for the world to be destroyed,” it read, “most experts agree, is by accident. That’s where we come in; we’re computer professionals. We cause accidents.”

The NSA has a strict prepublication review policy: anything former employees publish, for as long as they shall live, must be run by the agency’s minders. Until an NSA review board has cleared them for publication, anything a former NSA employee wishes to publish will remain classified.

The enemy is a very good teacher. —THE DALAI LAMA

But his all-time favorite is Price Pritchett, the organizational management guru. For years, anytime intelligence officials visited Gosler’s office at CIA headquarters in Langley, they were greeted with the following Pritchett quote on the wall: Organizations can’t stop the world from changing. The best they can do is adapt. The smart ones change before they have to. The lucky ones manage to scramble and adjust, when push comes to shove. The rest are losers, and they become history.

Five years into his gig at Sandia, Gosler transitioned into the team charged with making sure that each nuclear component would work exactly as it was supposed to work whenever the president authorized them to, and, critically, not work under any other circumstance. Accidents and malfunctions were more common than one would think. One Sandia study found that between 1950 and 1968, at least twelve hundred nuclear weapons had been involved in “significant” accidents.

Despite the security implications, there appeared to be no sign of turning back. The first complete version of the Linux operating system contained 176,000 lines of code. Five years later, it would contain 2 million. By 2011 Linux would contain more than 15 million lines of code. Today, the Pentagon’s Joint Strike Fighter aircraft contains more than 8 million lines of onboard software code, while Microsoft’s Vista operating system contains an estimated 50 million lines. Each line of that code contains instructions that can potentially be subverted for any number of means. The more code, the more difficult it is to discover errors, typos, or anything suspicious. Finding Gunman’s typewriter implant was an intelligence feat. Finding the equivalent of that implant in a next-generation fighter jet? Good luck.

So long as computer operating systems accepted software updates without question, the report concluded, computers would be manipulated to accept trapdoors.

“Think about it,” he told me one day. “Nothing is American-made anymore. Do you really know what’s in your phone, or in your laptop?” I looked down at my iPhone with a renewed sense of intrigue, the kind of look you might give a beautiful stranger. “I do not.” Inside that sleek black glass sandwich was a universe of hardware—circuitry, encryption chips, flash memory, cameras, logic boards, battery cells, speakers, sensors, and mystery chips—pieced together by faceless, haggard workers on a factory floor somewhere far beyond my reach. And yet here we were, entrusting our entire digital lives—passwords, texts, love letters, banking records, health records, credit cards, sources, and deepest thoughts—to this mystery box, whose inner circuitry most of us would never vet, run by code written in a language most of us will never fully understand.

The goal was to track down every lead and watch every terrorist, would-be terrorist, terrorist sponsor, and foreign adversary. The U.S. government wanted to know who they knew, where they slept, who they slept with, who paid them, what they bought, where they traveled, when they ate, what they ate, what they said, and what they thought in an expansive effort to anticipate terrorist plots well before things went boom. “If we didn’t know where they got their hair cut, we weren’t doing our jobs,” one former NSA employee told me.

Their job was to find every crack in every layer of the digital universe and plant themselves there for as long as possible.

“The NSA’s capabilities were far, far more expansive than what Snowden revealed.” Beyond Snowden’s reach—up another several rungs of access—was an arsenal of exploits available only to the agency’s elite TAO hackers. There, TAO vaults contained a catalog of vulnerabilities and exploits that granted entry into most nooks and crannies in the digital universe. The agency could hardly keep track of all the hacking tools at its disposal. It had to turn to—what else?—computer algorithms to name its various exploits.

TAO became a digital Ford assembly line for cyberespionage. One unit searched for vulnerabilities and developed exploits. Another honed and sharpened the implants and payloads they used once TAO hackers had their beachhead.

Yet another TAO unit, known as the Transgression Branch, oversaw the NSA’s “fourth-party collection” efforts—jargon for piggybacking on another country’s hacking operation. This branch was considered especially sensitive because it frequently involved hacking American allies, like South Korea or Japan, to net intelligence on notoriously hard-to-reach targets like North Korea.

Separate TAO units worked closely with the CIA and FBI to reach unreachable offline targets and networks. In some cases American agents would spend months grooming someone in a target’s inner circle to get them to physically place a TAO implant on the target’s computer. Other times, TAO would closely monitor their target’s purchase history, tipping off agents to any opportunities to seize a target’s package and plant an implant in transit. Sometimes it was as simple as a CIA officer throwing on a hard hat, dressing up as a construction worker, and walking into a target’s offices. “It’s amazing what people let you do when you’re wearing a hard hat,” one former CIA officer told me.

But nothing changed the surveillance game more than Apple’s unveiling of the first iPhone in 2007. TAO hackers developed ways to track an iPhone user’s every keystroke, text message, email, purchase, contact, calendar appointment, location, and search, and even capture live audio and video feeds of her life by hijacking her phone camera or hot-miking her microphone. The NSA swallowed up mobile alerts from travel companies—flight confirmations, delays, and cancellations—and cross-matched them with itineraries of other targets. An automated NSA program called Where’s My Node? sent analysts an email anytime an overseas target moved from one cell tower to another.

Mike McConnell, the former director of national intelligence, would later tell me, “In looking at any computers of consequence—in government, in Congress, at the Department of Defense, aerospace, companies with valuable trade secrets—we’ve not examined one yet that has not been infected,” by China.

“You have to understand,” one of the NSA’s TAO analysts told me, “we were collecting crazy intelligence. You couldn’t believe the shit you were looking at. Our work was landing directly in presidential briefings. You felt your work was saving countless lives.”

That all may very well have been true. But it is also certainly true in reverse. Even as American officials were publicly accusing China of embedding trapdoors in Huawei’s products, my Times colleague David Sanger and I learned from leaked classified documents that the NSA had pried its way into Huawei’s headquarters in Shenzhen, years ago, stolen its source code, and planted its own backdoors in the company’s routers, switches, and smartphones.

Alexander’s pitch always reminded me of the quote that Sabien, the original zero-day broker, shared with me years later: “The most likely way for the world to be destroyed, most experts agree, is by accident. That’s where we came in; we’re computer professionals. We cause accidents.”

They planned out their entire mission like a SEAL Team Six operation: navigation, entry and exit strategies, delivery vehicles, and customized weapons equipment.

But this was the age of acceleration. Everything that was analog was being digitized. Everything that was digitized was being stored. And everything that was stored was being analyzed, opening up entirely new dimensions for surveillance and attack.

The NSA had started test-driving a game-changing new robot, code-named Turbine, to take over management of its vast implant apparatus. Described internally as “an intelligence command and control” that would enable “industrial-scale exploitation,” Turbine was designed to operate “like the brain.” The Turbine robot was part of a broader “Owning the Net” NSA initiative and if all went well, officials believed it could ultimately supplant humans in operating the NSA’s vast digital spiderweb. It would now be up to this automated robot to decide whether to use an implant to hoover up raw data or inject malware that, like a digital Swiss Army knife, could do almost any job the NSA needed to get done. The agency’s diverse arsenal of malware tools—many described in leaked NSA documents but many more that were not—could steal phone conversations, text threads, emails, and industrial blueprints. Other malware could hot-mic an infected computer and capture any conversations in close proximity. Still other tools could steal screenshots, deny a target access to certain websites, shut down computers remotely, corrupt or delete all their data, and grab their keystrokes, search terms, browsing histories, passwords, and any keys necessary to unscramble encrypted data. Some NSA tools supercharged the agency’s malware, enabling their code to spread automatically from vulnerable server to server in a fraction of a second, rather than relying on human operators to manually infect each server o...

The equipment catalog read straight out of Bond’s Q Factory. There was Monkeycalendar, an exploit that relayed a target’s geolocation back to the agency via invisible text message; Picasso, a similar exploit that could do all that and hot-mic a phone’s microphone to eavesdrop on any conversations nearby. Surlyspawn, the modern-day equivalent of the Russian typewriter exploit in Gunman, could grab keystrokes off computers that were not even connected to the internet. The Der Spiegel leak is how the world came to know about Dropoutjeep, the TAO exploit developed specifically for the iPhone, the one that could do all the usual text, phone call, and location monitoring, hot-miking and photo snapping, even when the iPhone was offline. Among the more intriguing tools mentioned in the catalog was a device called Cottonmouth I that looked like any old USB stick, but contained a miniature radio transceiver that passed data to yet another NSA gadget—dubbed Nightstand—miles away. Once details of these tools were leaked, security researchers came to suspect that they might hold the key to how the Americans and Israelis got Stuxnet into Natanz in the first place.

The world had changed in the thirty-odd years since Gunman. It was no longer the case that Americans used one set of typewriters, while our adversaries used another. Thanks to globalization, we now all relied on the same technology. A zero-day exploit in the NSA’s arsenal could not be tailored to affect only a Pakistani intelligence official or an al-Qaeda operative. American citizens, businesses, and critical infrastructure would also be vulnerable if that zero-day were to come into the hands of a foreign power, cybercriminal, or rogue hacker.

As the Trump administration would later learn first-hand—in its losing battle to blackball Huawei from next-generation mobile networks—no amount of government lobbying can halt globalization when it came to technology.

secrecy did little to make Americans more secure. Zero-days do not stay secret indefinitely. One study by RAND Corporation, the research corporation that concentrates on U.S. defense planning, found that while the average zero-day exploit can stay secret for nearly seven years, roughly a quarter of zero-day exploits will be discovered within a year and a half. Earlier studies determined that the average life-span of a zero-day is ten months.

Starting in 2008, the Five hired away some of the NSA’s best zero-day hunters, contracted with hackers in places like Argentina, Malaysia, Italy, Australia, France, and Singapore, and poured their money into giant “fuzz farms”—tens of thousands of computers in virtual server farms—that threw terabytes of junk code at VRL’s tools to ensure that nothing they sold intelligence agencies would crash in the course of an operation, or tip off a target to the fact they’d just been hacked by Uncle Sam.

A decade ago, if a skilled hacker discovered a zero-day in the morning, he might have a weaponized exploit ready to use that afternoon. But as software vendors like Microsoft began introducing stronger security and antiexploitation mitigations, it took more time and man-hours to develop a reliable exploit. “It went from a few hours, to a few weeks, to a few months,” one former NSA analyst told me.

As the number of people who reached out to him grew, he felt compelled to put out a public service announcement. “My mindset is, ‘Hey former NSA Operators, here’s what not to do when taking a job overseas,’ ” he began. “If the people sending you over there won’t tell you what you’re going to be doing before you get there, don’t go. If once you get over there, you’re given two folders, that’s a red flag. If you’re considering taking a contract for a lot of money overseas, you’re probably not taking the job you think you’re taking.”

Netragard did the kind of in-depth hacking tests that made sure clients wouldn’t be hacked by people like him. That was the motto: “We Protect You From People Like Us.”

On a trip to Moscow, he made a point of renting an Airbnb apartment with heavy metal doors and huge locks, with steel reinforcements. Before he ventured out, he painted over the screws on his laptop with his wife’s nail polish. It seemed paranoid, but by now he knew he had legitimate reasons to worry. If shadier players were coming into the industry, the shadiest were in Russia. Sure enough, when he returned, the polish was cracked. Someone had tampered with his laptop. If foreigners were willing to go to such lengths with him, they were almost certainly approaching newer players who made it clear they were open for foreign business.

They were after Google’s Gmail accounts and its source code. Most laypeople assume hackers are after short-term payoffs: money, credit card information, or bribe-worthy medical information. But the most sophisticated attackers want the source code, the hieroglyphics created and admired by the engineering class. Source code is the raw matter for software and hardware. It is what tells your devices and apps how to behave, when to turn on, when to sleep, who to let in, who to keep out. Source code manipulation is the long game. Code can be stolen and manipulated today and, like an invisible hole in the wall of the Oval Office, bear fruit immediately or years into the future. Code is often the most valuable asset technology companies have—their crown jewels—and yet when China’s contracted hackers started popping up across thirty-four Silicon Valley companies in late 2009, nobody had ever thought to secure it. Customer and credit card data merited fierce protection, but the vast majority of tech companies had left their source code repositories wide open.

Along with prodemocracy activists, China considers Tibetans, Uighur Muslims, pro-independence Taiwanese, and Falun Gong practitioners to be what the state calls the Five Poisons—groups the Chinese Communist party deems the biggest threat to their standing. China had reserved its best zero-day exploits and its top hackers to menace its own people.

A “new information curtain is descending across much of the world,” Secretary Clinton told an audience, before sounding the clearest warning shot yet on Chinese cyberattacks: “In an interconnected world, an attack on one nation’s networks can be an attack on all.”

Hackers at the NSA, the CIA, and their Five Eyes counterparts started sending in their resumes. Over the next decade, Google’s security team surpassed six hundred engineers, all determined to keep China and other oppressive regimes out. Google weaponized its greatest resource: data—mountains of it—to search its code for errors. It deployed giant “fuzz farms” of thousands of computers to throw massive amounts of junk code at Google’s software for days on end, in search of code that broke under the load. Crashes were a sign of weakness, a sign that its software might contain exploitable flaws.

Federal regulations mandate that only U.S. citizens with security clearances can work on classified systems, but that still leaves a lot of wiggle room when it comes to the raw material—the actual code. Back in 2011, a whistleblower tipped off the Pentagon that its security software was riddled with Russian backdoors. The Pentagon had paid Computer Sciences Corporation—the same megacontractor that now owns VRL—$613 million to secure its systems. CSC, in turn, subcontracted the actual coding to a Massachusetts outfit called NetCracker Technology, which farmed it out to programmers in Moscow. Why? Greed. The Russians were willing to work for a third of the cost that U.S. programmers had quoted. As a result, the Pentagon’s security software was basically a Russian Trojan horse, inviting in the very adversary the Pentagon had paid hundreds of millions of dollars to keep out.

“This game of zero-day exploits is a big deal,” General Bradford J. “B. J.” Shwedo told me in what I now knew to be a gross understatement. “If you wait to find out about a zero-day on game day, you’re already mauled. Sealing yourself off from the world is not the future of warfighting. In cyber, it’s spy-versus-spy all the time.”

Still, encryption didn’t do much to protect users from a nation-state with a zero-day. That was the beauty of a zero-day. A good zero-day could pierce the world’s encryption and get you onto a target’s device where everything was in plain text.

The release of atom power has changed everything except our way of thinking … the solution to this problem lies in the heart of mankind. If only I had known, I should have become a watchmaker. —ALBERT EINSTEIN

“Cheating the system is part of the Argentine mentality,” Cesar told me. “Unless you’re rich, you grow up without a computer. To access new software, you have to teach yourself everything from the ground up.”

The United States still had the biggest offensive cyber budgets, but compared to conventional weapons, exploits were cheap. Foreign governments were now willing to match American prices for the best zero-days and cyberweaponry. The Middle East’s oil-rich monarchies would pay just about anything to monitor their critics. And in Iran and North Korea, which could never match the United States in conventional warfare, leaders saw cyber as their last hope of leveling the playing field.

I asked how he’d figured out how to hack the world’s most protected networks. “It’s easy,” he told me. “They never anticipated they would be attacked.”

Turning a corner, I’d stumbled on a protest march. I would learn later that this was an every-Thursday event. Argentina’s grieving mothers, dressed in white head scarves, filled the city’s oldest square, the Plaza de Mayo, holding up signs bearing the names of their missing children. I’d struck on their march at 3:30, just as it began. The mothers were so old and frail now, they only managed a few loops around the obelisk before taking a seat in their chairs. One of the mothers stopped to address the crowd of onlookers. You could hear that her grief was still sharp. It was so easy to forget, walking around old-town Buenos Aires, with its hip bars and cafés, that not so long ago Argentina’s military turned on its own people. Over the course of Argentina’s “Dirty War” in the late seventies and early eighties, the military junta “disappeared” some thirty thousand people. Left-wing activists were accused of terrorism, tortured, raped, kidnapped, and machine-gunned to death at the edge of enormous pits, or drugged and tossed naked and half-conscious from military planes into the Río de la Plata river. So long as the desaparecidos were never discovered, the government could pretend they didn’t exist. Forty years later, Argentina had yet to make any serious effort to identify or document its victims. This was the era in which older Argentine hackers like Gaucho and Gera had come of age. No wonder they weren’t keen to turn their digital exploits over to governments. Younger genera...

While Tehran could never hope to match America in conventional weapons or military spending, Olympic Games had shown Tehran that cyberweapons had just as much potential to exact destruction. While the United States was still the top player in offense, it was woefully behind in locking up its own systems, and only becoming more vulnerable by the day. American data breaches had surged 60 percent year over year, and were now so commonplace that most barely registered as more than a blip on the eleven o’clock news. Half of Americans had to have their credit cards replaced at least once because of internet fraud, including President Obama. Breaches had hit the White House, the State Department, the top federal intelligence agencies, the largest American bank, its top hospital operator, energy companies, retailers, even the Postal Service. By the time anyone noticed, their most sensitive government secrets, trade secrets, employee and customer data, had already left the building. And Americans were now plugging in more power plants, trains, planes, air traffic control, banks, trading floors, oil pipelines, dams, buildings, hospitals, homes, and cars to the internet, oblivious to the fact that all those sensors and access points made for a soft underbelly. And lobbyists made sure U.S. regulators didn’t do a damn thing about it.

Printed in giant font on the office door were the following words: I GET TIRED OF COMING UP WITH LAST-MINUTE DESPERATE SOLUTIONS TO IMPOSSIBLE PROBLEMS CREATED BY OTHER #@% PEOPLE. I recognized the quote from the 1992 film Under Siege.