This Is How They Tell Me the World Ends: The Cyberweapons Arms Race
Kindle Notes & Highlights
8%
Hackers had been around for more than a century. In the 1870s, several teenagers were caught tampering with the country’s primitive telephone system. The label hacker has a spotted history—one alternately celebrated and condemned—but history’s most revered entrepreneurs, scientists, chefs, musicians, and political leaders were all hackers in their own right. Steve Jobs was a hacker. So is Bill Gates. The New Hacker’s Dictionary, which offers definitions for just about every bit of hacker jargon you can think of, defines hacker as “one who enjoys the intellectual challenge of creatively ...
16%
Thompson, who had won the 1983 Turing Award for cocreating the Unix operating system, used his turn at the lectern to share his concerns on where technology was headed. He’d titled his lecture “Reflections on Trusting Trust,” and his conclusion was this: unless you wrote the source code yourself, you could never be confident that a computer program wasn’t a Trojan horse.
22%
The world was now using the same Microsoft operating systems, Oracle databases, Gmail, iPhones, and microprocessors to power our daily lives. Increasingly, NSA’s work was riddled with conflicts of interest and moral hazards. Nobody seemed to be asking what all this breaking and entering and digital exploitation might mean for the NSA’s sponsors—American taxpayers—who now relied on NSA-compromised technology not only for communication but for banking, commerce, transportation, and health care. And nobody apparently stopped to ask whether in their zeal to poke a hole and implant themselves in ...
26%
Sam’s Q’s lab, though with a far less cinematic
39%
Back in 2011, a whistleblower tipped off the Pentagon that its security software was riddled with Russian backdoors. The Pentagon had paid Computer Sciences Corporation—the same megacontractor that now owns VRL—$613 million to secure its systems. CSC, in turn, subcontracted the actual coding to a Massachusetts outfit called NetCracker Technology, which farmed it out to programmers in Moscow. Why? Greed. The Russians were willing to work for a third of the cost that U.S. programmers had quoted. As a result, the Pentagon’s security software was basically a Russian Trojan horse, inviting in the ...
41%
In cyber, it’s spy-versus-spy all the time.” In the vast bureaucracy that was the Department of Defense, one agency was now paying hackers to patch its holes, while others were paying them far more to keep the world’s holes wide open.
49%
That was a deal the United States would never keep itself. “It was the old people-in-glass-houses problem,” a senior Obama official told me. The NSA’s bread and butter was hacking foreign agencies and officials. China’s breach of OPM was essentially a countermeasure. “There was an inherent tension between protecting the private sector, the personal data of our citizens, and the interests of our intelligence community, which was directing the same kind of campaigns. But the real killer was commercial espionage.”
54%
We’ve all migrated to the same technology. You can no longer cut a hole in something without poking a hole in security for everyone.”
54%
The agency used EternalBlue for espionage. But they knew if the exploit ever got out, it could just as easily function as an intercontinental missile. If hackers in Iran, North Korea, China, Russia, or God knows where else swapped out the payload for one that could sabotage data or shut down systems on the other side, it could wreak total havoc. “We knew it could be a weapon of mass destruction,” one former TAO hacker told me. Some officials argued that the exploit was so dangerous that they should turn over the underlying zero-days to Microsoft. But the intelligence it produced was so ...
54%
With Krylova’s field guide in hand, Russia’s trolls started in on Texas and spread out from there. In September 2014 the IRA launched a Heart of Texas Facebook group and started pumping out pro-Texan secessionist memes, #texit hashtags, and the usual scare tactics: Hillary Clinton was coming to take their guns away, and the like. Within a year the group had generated 5.5 million Facebook likes. Then, in a countermove, the IRA created a separate Facebook group, the United Muslims of America, and promoted rallies and counterrallies outside the Islamic Da’wah Center in Houston. Demonstrators from ...
54%
When that took off, they promoted rallies in Pennsylvania, New York, and California. By the time the IRA campaign was fully revealed, years later, Putin’s trolls had reached 126 million Facebook users and received 288 million Twitter impressions—a staggering number, given that there are only 200 million registered voters in the United States, and only 139 million voted in 2016.
55%
Months after Sanders ended his campaign and endorsed Clinton, several activists who ran Facebook pages for Bernie Sanders began to note a suspicious flood of hostile comments aimed at Clinton. “Those who voted for Bernie will not vote for corrupt Hillary!” they read. “The Revolution must continue! #NeverHillary.” “The magnitude and viciousness of it,” one Facebook administrator told my colleague Scott Shane, suggested that this was the work of a cold-blooded adversary with an agenda, but the sheer idea that any of this was a Russian campaign still struck many Americans as crazy Cold War–speak.
59%
As easy as it was to blame operators for not keeping their systems up to date, patching and updating the software that runs large-scaled industrial machinery or touches the grid is no easy thing. Automated patches were still big no-nos inside critical infrastructure networks. Often any software updates to these systems need to be approved at high levels, and often only occur during narrow maintenance windows or when it is safe to pull systems offline—which can easily mean once or twice a year. Even critical patches, like the one Microsoft had rolled out for EternalBlue’s underlying bugs that ...
59%
It wasn’t much, but at least it helped Microsoft show that it wasn’t giving the NSA a direct pipeline to customers’ data. But the WannaCry attacks were different. The NSA had withheld Microsoft’s vulnerabilities for years, allowed its customers to get hacked, and once again, left it to Redmond to clean up the mess.
60%
The damage to Merck and Mondelez alone topped $1 billion. Their insurers would later refuse to pay out damages relating to NotPetya, citing a widely written but rarely invoked “war exemption” clause in their policies. The Russian attack, insurers concluded, qualified as an act of war; while no lives were lost directly that June, it was a demonstration of how a stolen NSA weapon and some cleanly written code could do as much damage as a hostile military force.
60%
And though he didn’t call out the agency by name, Smith took direct aim at the NSA, and the market the United States had created for cyberweapons. “Nation-state attacks are growing because of increasing investments that are leading to increasingly sophisticated cyberweapons,” Smith said. “We simply cannot live in a safe and secure world unless there are new rules for the world.” The twenty-first century required new rules of wartime and peace, Smith proposed. “The world needs a new, digital Geneva Convention … What we need is an approach that governments will adopt that says they will not ...
60%
Scores of new nation-states were moving into this invisible battlespace. The United States had, for two decades, been laying the groundwork for cyberwar, and it was now American businesses, infrastructure, and civilians who were bearing the brunt of its escalation and collective inaction.
63%
In the four intervening years, the Kremlin only grew more emboldened—albeit stealthier. In 2016 Russia’s influence operation stood out for its brazenness. Social media posts were written in broken English. Facebook ads were paid out in rubles, and self-proclaimed Texas secessionists and Black Lives Matter protesters logged into servers from Red Square. Now Russians were setting up offshore bank accounts, paying real Facebook users to rent their accounts, and obscuring their real locations using Tor, the anonymizing software. Inside IRA headquarters in Saint Petersburg, Russian trolls had far ...
65%
“If Sanders wins the Democratic nomination, then Trump wins the White House,” one former Kremlin advisor told a reporter. “The ideal scenario is to maintain the schism and uncertainty in the States ’til the end. Our candidate is chaos.”
69%
we must stop introducing glaring bugs into our code. Part of the problem is the economy still rewards the first to market. Whoever gets their widget to market with the most features before the competition wins. But speed has always been the natural enemy of good security design. Our current model penalizes products with the most secure, fully vetted software. And yet, the “move fast and break things” mantra Mark Zuckerberg pushed in Facebook’s earliest days has failed us time and time again. The annual cost from cyber losses now eclipses those from terrorism. In 2018, terrorist attacks cost ...
70%
Japan may even be more instructive. In Japan, the number of successful cyberattacks dropped dramatically—by more than 50 percent—over the course of a single year, according to an empirical study of data provided by Symantec. Researchers attributed Japan’s progress to a culture of cyber hygiene but also to a cybersecurity master plan that the Japanese implemented in 2005. Japan’s policy is remarkably detailed. It mandates clear security requirements for government agencies, critical infrastructure providers, private companies, universities, and individuals. It was the only national ...