Kindle Notes & Highlights
Iran’s hackers were to open the floodgates all at once, they would trigger a tsunami that surely merited an equally destructive U.S. response.
These simulations involved attacks on cellular networks, the financial system, water facilities, and the power grid. The calamitous cyberattack U.S. officials had long dreaded was near. As one senior American military official put it, “There’s nothing but upside for them to go after American infrastructure.”
With his access to the grid, Abbasi told us, he could cause all kinds of destruction: sabotage data, turn off the lights, blow up a pipeline or chemical plant by manipulating its pressure and temperature gauges. He casually described each step as if he were telling us how to install a spare tire, instead of the world-ending cyberkinetic attack that officials feared imminent.
North Korean hackers popped out of nowhere and struck Sony Pictures in an Aramco/Sands–style attack that destroyed 70 percent of Sony’s computers and reduced employees to pen and paper for months.
“Destructive alarm bells should have gone off,” Panetta told me. Instead, the media coverage homed in on the leaked emails, in which Sony executives panned Adam Sandler films and called Angelina Jolie “a
“The attack went off in a big way, and yet we got no support from fellow movie studios, no support from the mayor of Los Angeles, no support from then attorney general Kamala Harris,”
sent a confidential letter to the House Committee on Energy and Commerce in support of a bill to improve the cybersecurity of America’s critical infrastructure. Their letter was blunt: “Virtually all of our civilian critical infrastructure—including telecommunications, water, sanitation, transportation, and health care—depend on the electric grid.
The grid is extremely vulnerable to disruption caused by a cyber or other attack. Our adversaries already have the capability to carry out such an attack.
Russia did attack the grid, we were screwed. The Department of Homeland Security had emergency preparedness plans for natural disasters, earthquakes, hurricanes, tornadoes, heat waves, and power outages that spanned days. But there was no grand master plan for a cyberattack that denied power to millions of people for any sustained period. Intelligence officials had warned Congress, time and time again, that a carefully orchestrated cyberattack on the American grid could unleash outages for at least months, if not years.
always imagined the White House would have some advanced, real-time map of cyberattacks, denoted in red blips, sailing toward the White House from decoy servers around the globe, and a team of responders waiting to zap them in real time. Nope. When it came to defense, the nation with the most advanced hacking capabilities in the world was reduced to a printout, like the rest of us.
Heartbleed was a classic flaw in OpenSSL, a popular open-source software tool used to encrypt internet traffic. Everyone from Amazon to Facebook to the FBI used the free tool to encrypt their systems.
The world soon learned just how neglected OpenSSL had become. The code played a critical role in securing millions of systems, and yet it was maintained by a single engineer working on a shoestring annual budget of $2,000—most of that donations from individuals
Heartbleed bug had been introduced in a software update two years earlier and yet, nobody had bothered to notice it.
“Governments are starting to say, ‘In order to best protect my country, I need to find vulnerabilities in other countries,’ ” Schmidt told me before his passing. “The problem is that we all fundamentally become less secure.”
“If someone comes to you with a bug that could affect millions of devices and says, ‘You would be the only one to have this if you pay my fee,’ there will always be someone inclined to pay it,” Schmidt told me. What he said next never left me: “Unfortunately, dancing with the devil in cyberspace is pretty common.”
On the one hand, retaining a zero-day vulnerability undercuts our collective cybersecurity. On the other, disclosing a zero-day so vendors can patch it undercuts intelligence agencies’ ability to conduct digital espionage, the military’s ability to carry out offensive cyberattacks, and law enforcement’s ability to investigate crimes.
chances were slim that officials in Iran and North Korea were sitting around long mahogany tables debating whether to turn over a Windows zero-day to Microsoft.
Shortly after TAO first uncovered, or purchased, the flaws that made up the tool EternalBlue, they took to calling it EternalBluescreen—a reference to the eerie blue screen of death that pops up anytime a computer crashes.
“We knew it could be a weapon of mass destruction,” one former TAO hacker told me.
Instead the NSA held on to EternalBlue for seven years—over a period that saw some of the most aggressive cyberattacks on American networks in history—and prayed it would never be found.
“These are the keys to the kingdom,” one put it bluntly. He had already combed through the sample cache and recognized the tools as TAO’s. They were all a cyberterrorist would need to break into government agencies, labs, and corporate networks all over the world.
detailed how the CIA could hack into cars, smart TVs, web browsers, and the operating systems of Apple and Android phones and Windows, Mac, and Linux computers. Essentially, the motherlode.
“It’s clear where the world is going,” Smith told the crowd of diplomats. “We’re entering a world where every thermostat, every electrical heater, every air conditioner, every power plant, every medical device, every hospital, every traffic light, every automobile will be connected to the internet. Think about what it will mean for the world when those devices are th...
The United States had, for two decades, been laying the groundwork for cyberwar, and it was now American businesses, infrastructure, and civilians who were bearing the brunt of its escalation and collective inaction.
For all the internet’s promise of efficiency and social connectivity, it was now a ticking time bomb.
Not a day went by in 2019, Microsoft’s security engineers told me, when they did not encounter the NSA’s cyberweapons in a new attack.
EternalBlue
residents in Baltimore awoke to discover that they could no longer pay their water bills, property taxes, or parking fines. Homes drifted into foreclosure because their owners simply couldn’t access the system to pay back bills. Epidemiologists had no way to warn city health officials about spreading illnesses.
demanding Bitcoin to unlock their data.
locked up its systems with ransomware; another detonated EternalBlue to steal data.
“These exploits are developed and kept secret by governments for the express purpose of using them as weapons or espionage tools. They’re inherently dangerous. When someone takes that, they’re not strapping a bomb to it. It’s already a bomb.”
China had discovered the NSA’s exploits on their own systems, snatched them, and used them for their own stealth attacks.
It took three years for anyone to sort this out.
NSA’s advantage had hugely eroded over the last decade
we had grossly underestimated our enemies.
Legion Amber’s early targets were U.S. defense contractors. But its hit list expanded over the years to include American weapons developers and scientific research labs, where they stole aerospace, satellite, and—most alarming of all—nuclear propulsion technologies.
In early 2019, I discovered that Boeing, General Electric Aviation, and T-Mobile had all been targeted.
China’s hackers were coming in through side doors, breaking into companies via the software employees use to work remotely.
“The Chinese use their best tools against their own people first because that’s who they’re most afraid of,” Jim Lewis, the former government official who tracked cyber threats, told me. “Then they turn those tools on us.”
As of this writing, Iran’s hackers were pushing deeper into U.S. critical infrastructure and the companies that control the American grid.
And showed no signs of leaving anytime soon. It is Iran’s way of saying, “We’re sitting here with a gun to your head,”
My source had gotten his hands on an urgent DHS-FBI alert. It was meant solely for the utilities, the water suppliers, the nuclear plants. The bureaucrats were trying to bury it on a holiday weekend. And as soon as I got eyes on it, I could see why: the Russians were inside our nuclear plants.
shamelessly meddling in our politics. But when it came to our infrastructure, they had probed and prodded, lurked, fired off their warning shots in Ukraine, then vanished. Now they were inside our nuclear plants, lying in wait for the day Putin yelled “FIRE.”
Russia’s hackers had leapt from an engineer’s computer into the plant controls and switched off the safety locks—the last step before triggering an explosion.