This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

by Nicole Perlroth

PROLOGUE

The biggest secret in cyberwar—the one our adversaries now know all too well—is that the same nation that maintains the greatest offensive cyber advantage on earth is also among its most vulnerable.

PART I Mission Impossible

CHAPTER 1 Closet of Secrets

The documents were littered with NSA claims that the agency's hackers had access to nearly every piece of commercial hardware and software on the market. The agency appeared to have acquired a vast library of ways into every major app, social media platform, server, router, firewall, antivirus software, iPhone, Android, BlackBerry, computer, and operating system.

In the hacking world, these invisible entry points have sci-fi names: they call them zero-days. Zero-day is one of those cyber terms like infosec and man-in-the-middle attack that security professionals throw around to make it all too easy for the rest of us to tune them out.

A series of seven zero-day exploits* in Microsoft Windows and Siemens’ industrial software allowed American and Israeli spies to sabotage Iran’s nuclear program. Chinese spies used a single Microsoft zero-day to steal some of Silicon Valley’s most closely held source code.

CHAPTER 2 The Fucking Salmon

In a growing number of cases, zero-days were the only way governments could keep from “going dark.”

Stuxnet—as the computer worm came to be called—had been discovered in bits and pieces in 2010 as it slithered its way through computers around the globe, using an unheard-of number of zero-day exploits, seven to be precise. Some were clearly designed to infect hard-to-reach—even offline—computers. One Microsoft zero-day allowed the worm to invisibly spread from an infected USB flash drive onto a computer undetected. Others allowed it to crawl across the network from there, climbing ever higher up the digital chain of command in search of its final destination: Iran’s Natanz nuclear plant, where it burrowed deep into the offline, or “air-gapped,” computers that controlled the rotors that spun Iran’s uranium centrifuges.

Langner had mapped out “target-rich environments”—industrial systems still vulnerable to Stuxnet’s code around the globe. The bulk were not in the Middle East. They were in the United States.

PART II The Capitalists

CHAPTER 3 The Cowboy

The world’s infrastructure was racing online. So was the world’s data. The most reliable way to access those systems and data was a zero-day. In the United States, government hackers and spies hoarded zero-days for the sake of espionage, or in the event they might need to do what the Pentagon calls D5—“deny, degrade, disrupt, deceive, or destroy”—an adversary’s critical infrastructure in the event of war one day.

All this success started to piss off the software vendors. Microsoft, Sun, Oracle—they all hated the program. Their employees accused iDefense of inviting hackers to break into their products. And as the program picked up, iDefense’s customers started pestering the tech companies to patch their systems—and fast. Suddenly the biggest tech companies in the world were being forced to work on someone else’s timetable. And they went after iDefense with a vengeance.

In the rush to best Netscape, speed, not security, was the name of the game. More than a decade later, Mark Zuckerberg would coin a name for this approach at Facebook with his motto “Move fast and break things.” Just as soon as these products hit the market, hackers began unspooling them with glee. They wanted to see how far the bugs in their new internet toys could take them—which, as it turned out, was quite far. Hackers found they could tunnel through Microsoft’s systems to customers all over the web. They tried to point out errors to Microsoft, but rarely, if ever, was their work taken seriously. Part of the problem was that code—not diplomacy—was their strong suit.

Code Red came on the heels of a series of other embarrassing Microsoft-related attacks. One computer virus, named Melissa by its author after a stripper in Florida, exploited Microsoft flaws to shut down the servers at some three hundred corporations and government agencies, leaving behind a cool $80 million in damages. Another virus born out of the Philippines, ILOVEYOU, wiped files and infected victims at a rate of some 45 million a day, forcing major Microsoft customers like Ford Motor Company to shut off email.

And then there was Nimda, an attack that slowed the internet to a crawl. Nimda took advantage of an unpatched Microsoft bug to infect everything in its reach—email, servers, hard drives—and then happily reinfected everything it had already hit. It had only taken twenty-two minutes for Nimda to become the worst cyberattack of its time. The tech-research firm Gartner warned Microsoft customers to “run, don’t walk, away” from Microsoft’s web server software. Nimda’s timing—just one week after 9/11—caused government officials to suspect cyberterrorists. A line in the code—“R.P. China”—pointed to China. Or had it been planted there to throw off responders? Why RPC and not PRC? Was it the work of a Chinese speaker who didn’t know English grammar conventions? Or terrorists planting a false flag? Nobody ever found out. But the mere suspicion that the attack had been the work of cyberterrorists made Microsoft’s security woes too alarming for the government to ignore.

By the time I joined the security beat eight years later, I would always make a point of asking hackers, “I know you hate the vendors, but of all of them, who do you hate least?” The answer was always the same. “Microsoft,” they would tell me. “They turned their shit around.” The ripple effect of Gates’s memo could be seen far from Redmond, in underground dark web forums and in hotel rooms at the big security conferences. There, in the shadows, a growing number of defense contractors, intelligence analysts, and cybercriminals started doling out higher rewards to hackers who promised to keep their bug discoveries secret.

The same exploits hackers had once happily traded for free, or dumped online to shame vendors into releasing a patch, started taking on higher monetary values as a new group of mystery buyers began creating a market for their finds and giving hackers far more reasons—much more profitable reasons—to quietly sell the holes they found than turn them over to vendors to be sealed shut.

CHAPTER 4 The First Broker

Government spies determined the best way to guarantee long-term access to data was a zero-day exploit. They were willing to pay hackers far more for that access than the pitiful amounts iDefense was paying. And once they shelled out six figures for those zero-days, they weren’t about to blow their investment and access by disclosing the flaw’s existence to anyone—especially a journalist from the New York Times.

Protecting computer networks for the military, Sabien told me, had left him intimately acquainted with technology’s flaws. In the military, secure communications mean the difference between life and death, but the big technology companies didn’t seem to grasp that. “People were clearly designing these systems for functionality, not for security. They weren’t thinking about how they could be manipulated.”

“They wanted the entire kill chain—a way in, a way to beacon out to their command-and-control server, an exfiltration capability, an obfuscation capability,” Sabien told me, using military-speak. “It makes sense when you think of the Special Forces and SEAL Team Six. They have snipers, sweepers, exfil specialists, and people who break down the doors.” This is what Sabien’s team provided in the digital realm. But their work wasn’t about shock-and-awe. Quite the opposite: every step had to be stealthy and invisible. The harder it was for their adversary to discover their code, and their presence, the better. The trifecta was a string of zero-day exploits that offered reliability, invisibility, and persistence. Rarely did you get all three. But when you did: “Ka-ching!” Sabien said.

Different agencies all wanted ways into the same systems, which played well from a bottom-line perspective, but not so much from the American taxpayer’s. His company was selling the same zero-day exploits two, three, four, times over to different agencies. The overlap and waste, Sabien recalls, became too much to stomach. The government has a name for this problem—duplication—and it wastes millions in taxpayer dollars every year. But duplication is even worse in the digital world, where contracts for bug-and-exploits are sealed up in nondisclosure agreements and often classified. The prevailing wisdom among intelligence agencies is that once word of an exploit gets out, it’s only a matter of time before it gets patched, and its value plummets. So little gets shared across agencies, let alone discussed.

“Each of the agencies wants the win,” Sabien told me. “They want to up their budgets so they can do the more advanced offensive operations.”

“With the breakup of the Soviet Union, you had a lot of people with skills, without jobs,” Sabien explained. But the most talented hackers, he told me, were based in Israel, many of them veterans of Israel’s Unit 8200. I asked Sabien how old his youngest supplier was, and he recalled a transaction with a sixteen-year-old kid in Israel.

“It’s like having cyber nukes in an unregulated market that can be bought and sold anywhere in the world without discretion,” he told me.

In this new world order, enemies were seemingly everywhere. In the United States, intelligence agencies began relying on cyberespionage to collect as much data about as many people as possible. It also began developing a cyberweapons arsenal in the event it would have to disrupt enemies’ networks, or infrastructure, one day. And an entire army of Beltway contractors was more than willing to supply the digital weaponry, the reconnaissance tools, and all the requisite parts.

The market’s spread to U.S. agencies didn’t bother Sabien. It was its spread abroad that had him rattled. “Everyone has their enemies,” he told me. For the first time since we’d sat down, his countenance was no longer jovial. “Even countries you would never suspect are stockpiling exploits for a rainy day. Most do it to protect themselves.” “But one day soon,” he added as we got up to leave, “they know they might have to reach out and touch someone.”

“The most likely way for the world to be destroyed,” it read, “most experts agree, is by accident. That’s where we come in; we’re computer professionals. We cause accidents.”

CHAPTER 5 Zero-Day Charlie

Apple has always insisted that its strict vetting procedures keep malware, spyware, and spam out of its iTunes store. Charlie famously trashed that myth when he submitted a fake stock-ticker app with a glaring security hole that allowed it to infect other apps on the iPhone, just to see if Apple would notice. Apple’s vetters missed the hole, and when Apple learned from news articles that Charlie’s app was a Trojan horse, they blacklisted him. The episode earned Charlie infamy in hacker circles and a nickname, Zero-Day Charlie. He relished it.

The last time Charlie and I had spoken by phone was after he and another researcher discovered a zero-day exploit in the Jeep Cherokee that allowed them to seize control of the steering wheel, disable the brakes, screw with the headlights, indicators, wipers, and radio and even cut the engine from a remote computer thousands of miles away. Eight months later, the automaker was still dealing with the fallout.

In 2007, as his two-year agreement to stay mum about his zero-day expired, Charlie began putting the finishing touches on his white paper—academically titled “The Legitimate Vulnerability Market: Inside the Secretive World of Zero-Day Exploit Sales.” It was then that he received the call from Fort Meade.

For the first time, the secret was out: the U.S. government was willing to pay hackers—quite a bit, as it turned out—to turn over vulnerabilities in the products and leave their customers—including American citizens—vulnerable in the process. And the government was doing so with money from taxpayers, the very people the government was charged with protecting.

From Redmond to Silicon Valley, technology executives at Microsoft, Adobe, Google, Oracle, and Cisco combed through Charlie’s paper with a mix of alarm and agitation. He had only confirmed what executives had long suspected: their own government was perfectly willing to throw them, and their customers, under the bus in the name of national security.

PART III The Spies

CHAPTER 6 Project Gunman

But late one evening, on July 23, 1984, one of the analysts working alone that night noticed an extra coil on the power switch of a Selectric typewriter. That was hardly unexpected—newer typewriter models contained additional memory that would explain additional circuitry and coils. But the analyst decided to run the typewriter through an X-ray machine, top to bottom, just to be sure. “When I saw those X-rays, my response was ‘holy fuck.’ They really were bugging our equipment,” he recalled. There on the X-ray film, he could see that inside an unassuming metal bar that ran the length of the typewriter was the most sophisticated exploit he, hell, anyone at the agency, had ever seen. The bar contained a tiny magnetometer, a device that measures the slightest distortions in the earth’s magnetic field. The magnetometer was converting the mechanical energy from each typewritten keystroke into a magnetic disturbance. And next to it was a tiny electronic unit recording every disturbance, cataloging the underlying data, and transmitting the results in short bursts via radio to a nearby Soviet listening post.

Deeley’s team couldn’t help but admire the mastery involved. All the encryption gear in the world would not have kept the Soviets from reading the embassy’s messages. The Soviets had found a way to collect each and every keystroke before anyone had a chance to scramble them. It was masterful work, and a lesson the NSA would never forget. Years later, the NSA would turn the same trick on iPhones, computers, and on America’s biggest technology companies, capturing data as it flowed between Google and Yahoo’s data centers in unencrypted form.

“I think people tend to fall into the trap of being disdainful too often of their adversaries,” Faurer would later recall. “We tended to think that in technical matters we were ahead of the Soviet Union—for example, in computers, aircraft engines, cars. In recent years, we have encountered surprise after surprise and are more respectful. Most folks would now concede that they have enormously narrowed the gap and have caught us in a number of places.”

CHAPTER 7 The Godfather

“That was our big wake-up call,” James R. Gosler, the godfather of American cyberwar, told me one afternoon in late 2015. “We were lucky beyond belief to discover we were being had. Or we would still be using those damn typewriters.”

Over the course of Gosler’s career, this unassuming man served as the central catalyst for the United States government’s vulnerability discovery and exploitation programs as society made the transition to digital. And if he were less humble, Gosler would probably concede as much. Instead, he credits his colleagues and bosses in the intel world and a host of New Age management gurus. Gosler frequently cites Malcolm Gladwell—“The Outlier is fantastic!” he told me, more than once. Gordon Moore and Andy Grove, two former chief executives of Intel, were his heroes. Grove’s book Only the Paranoid Survive is his bible. But his all-time favorite is Price Pritchett, the organizational management guru. For years, anytime intelligence officials visited Gosler’s office at CIA headquarters in Langley, they were greeted with the following Pritchett quote on the wall: Organizations can’t stop the world from changing. The best they can do is adapt. The smart ones change before they have to. The lucky ones manage to scramble and adjust, when push comes to shove. The rest are losers, and they become history.

The previous year, Gosler had heard a famous lecture by Ken Thompson. Thompson, who had won the 1983 Turing Award for cocreating the Unix operating system, used his turn at the lectern to share his concerns on where technology was headed. He’d titled his lecture “Reflections on Trusting Trust,” and his conclusion was this: unless you wrote the source code yourself, you could never be confident that a computer program wasn’t a Trojan horse.

Thompson had perfectly articulated what Gosler knew to be true. But by the time Gosler listened to Thompson’s lecture, he could see that the predicament was getting exponentially worse. Very soon, he knew, they would not be able to guarantee the security of the country’s nuclear weapons arsenal.

“Even if you found something, you could never be confident you found everything,” Gosler said. “That’s the awful nature of this business.”

His so-called Ware Report proved a catalyst for the Pentagon to convene a Defense Science Board task force to study computer security. That task force came to several ominous conclusions, chief among them: “Contemporary technology cannot provide a secure system in an open environment.” The report was the first to advance the notion that computers were leading humanity, and with it the nation’s intelligence apparatus, down a dangerous path. But it offered little in the way of solutions. So over the next few years, the U.S. government culled some of the report’s authors, as well as top contributors at the NSA and CIA, to analyze the security risks posed by computers and offer recommendations.

Gosler will not discuss the exploit work he did for intelligence agencies over that time. It is all still highly classified. The whole story will be told only when secret U.S. documents are declassified, probably in the second half of this century. But all one needs to do is look at the source of his department’s funding to see how critical his work became for the nation’s intelligence apparatus. When Gosler first returned to Sandia in 1990, his department was running on $500,000 from the Department of Energy’s National Nuclear Security Administration. Five years later, Gosler’s department was plush with $50 million in intelligence funding. This investment in digital exploitation was in stark contrast to post–Cold War intelligence budget cuts, which saw billions slashed from intelligence budgets and a complete freeze on new hires at the NSA by the mid-1990s.