Kindle Notes & Highlights
Read between July 10 - July 18, 2022
In a Kremlin statement, Putin called for a cyber “reset” with the United States. “(I propose) … exchanging guarantees of non-interference in each other’s internal affairs, including electoral processes,” Putin began. “One of the main strategic challenges of our time is the risk of a large-scale confrontation in the digital sphere. We would like to once again appeal to the United States,” he said, “to reset our relations in the use of information and communication technologies.” Perhaps it was sincere. But American officials dismissed Putin’s proposal outright. The top national security
The report didn’t spell it out. But buried in its technical indicators, analysts had included a snippet of code from one of the attacks. The code made clear that Russia’s hackers had breached the most alarming target of all: Wolf Creek, the 1200-megawatt nuclear power plant near Burlington, Kansas. This was no espionage attack. The Russians were mapping out the plant’s networks for a future attack; they had already compromised the industrial engineers who maintain direct access to the reactor controls and radiation monitors that could affect the kind of nuclear meltdowns the world had only
The report also included a telling timeline. The Russians had accelerated their strikes on America’s grid in March 2016, the same month Russia hacked Podesta and the DNC. Eight months later, even the Kremlin was surprised when their man was voted into the Oval Office. But instead of causing them to back off, Trump’s election only emboldened them. Under his watch, Russia invisibly worked their way into an untold number of nuclear and power plants around the country.
As Nakasone assumed his new duties, his staff was still assessing the Russian attacks on our systems. It was not just Wolf Creek; the Russians had also targeted Cooper Nuclear Station in Nebraska, and an untold number of other operators whose identities we still do not know. They also discovered that the same Russian hackers that successfully dismantled the safety guards at the Saudi refinery had been doing “digital drive-bys” of our own chemical, oil, and gas operators in the United States. Russia was inching dangerously closer to attack.
Cyber Command began planting crippling malware inside the Russian system at a depth and with an aggressiveness that had never been tried before. For years the United States had been among the stealthiest players in the digital realm, but now we were making a show of our power, letting Russia know that if they dared flip the switch here, we would reciprocate. There were some who believed that after years of getting beaten up and blacked out in the digital domain, these attacks were long overdue. Others worried that the United States was effectively enshrining the grid as a legitimate target,
Over the next few days we reached out to Bolton and Nakasone through their spokesmen, both of whom declined to answer our questions about the U.S. grid attacks. But when David went to the National Security Council and presented them with the details we were prepared to publish, something curious happened. Typically, with sensitive national security stories, there is pushback. This time, there was none. They had no national security concerns whatsoever about the publication of our story, officials said. It was the clearest evidence yet that our attacks on Russia’s grid were intended to be
But we can significantly raise the bar for the cybercriminals and nation-states looking to profit and wreak havoc on our infrastructure. To do this, we must stop introducing glaring bugs into our code.
We now need to take what the NSA itself calls a “defense in-depth” approach, a layered approach to security that begins with the code. And the only way to build secure code is to understand why vulnerabilities exist, where they exist, and how attackers exploit them, then use that knowledge to vet code and mitigate attacks, ideally before it hits the market.
Which brings us to open-source code, the free software code that forms the invisible backbone to much of everything we do online. Companies like Apple and Microsoft maintain proprietary systems but baked inside are the building blocks, constructed from open-source code that is maintained by volunteers who, in theory at least, check one another’s work in a peer-review system similar to that found in science or on Wikipedia. Open-source software makes up 80 to 90 percent of any given piece of modern software.
“Companies have to assume they’ve already been compromised, then figure out how to limit the blast radius.” This model is perhaps most familiar to readers in Apple’s “sandboxing” of apps on the iPhone. Apple designed its system so that each app does not have access to other applications or data without an iPhone user’s express permission. While attackers can still find critical bugs and “sandbox escapes,” Apple has significantly raised the ante, driving up hackers’ time and costs.
The idea is to redesign computer chips from the inside out, adding contamination chambers that would keep untrusted or malicious code from running on the chips inside our phones, PCs, and servers.
Already, the world’s biggest chipmakers, including Arm—which makes processors for most smartphones—have signaled their willingness to incorporate the new design—called CHERI, short for “Capability Hardware Enhanced RISC Instructions” architecture—into their chips. Microsoft, Google, Hewlett-Packard and others are exploring the concept.
Japan may even be more instructive. In Japan, the number of successful cyberattacks dropped dramatically—by more than 50 percent—over the course of a single year, according to an empirical study of data provided by Symantec. Researchers attributed Japan’s progress to a culture of cyber hygiene but also to a cybersecurity master plan that the Japanese implemented in 2005. Japan’s policy is remarkably detailed. It mandates clear security requirements for government agencies, critical infrastructure providers, private companies, universities, and individuals. It was the only national
The United States may never sign on to a digital Geneva Convention so long as Russia, China, and Iran continue to outsource much of their dirty work to cybercriminals and contractors. And it will likely never sign onto any agreement that puts its strategic war-planning at a disadvantage. But we need red lines. I believe we can agree on a set of targets that are off-limits for cyberattack, starting with hospitals, food and water supplies, election infrastructure, airplanes, nuclear facilities, and so on.
Some of the best cybersecurity reporting over the past decade—I am proud to say—belongs to my colleagues at the New York Times. John Markoff, my predecessor at the Times, has been generous with time and source material and collaborated with me on a number of articles that are mentioned in these pages. David Sanger first revealed the real codename “Olympic Games”—for the computer worm the world knew only as Stuxnet. And it was David that pulled me into the reporting on the escalating digital Cold War between the United States and Russia that the President likened to “treason.” Scott Shane wrote