This Is How They Tell Me the World Ends: The Cyberweapons Arms Race
Kindle Notes & Highlights
1%
My hope is that my work will help shine even a glimmer of light on the highly secretive and largely invisible cyberweapons industry so that we, a society on the cusp of this digital tsunami called the Internet of Things, may have some of the necessary conversations now, before it is too late. —Nicole Perlroth November 2020
1%
Freak windstorm? Or another Russian cyberattack?
1%
The crux of Putin’s foreign policy was to undercut the West’s grip on global affairs. With every hack and disinformation campaign, Putin’s digital army sought to tie Russia’s opponents up in their own politics and distract them from Putin’s real agenda: fracturing support for Western democracy and, ultimately, NATO—the North Atlantic Treaty Organization—the only thing holding Putin in check.
2%
The former director of the NSA, Keith Alexander, famously called Chinese cyberespionage the “greatest transfer of wealth in history.” The Chinese were stealing every bit of American intellectual property worth stealing and handing it to their state-owned enterprises to imitate.
2%
There seemed no bottom to the lengths Russia was willing to go to divide and conquer.
3%
What had saved Ukraine is precisely what made the United States the most vulnerable nation on earth. Ukraine wasn’t fully automated. In the race to plug everything into the internet, the country was far behind. The tsunami known as the Internet of Things, which had consumed Americans for the better part of the past decade, had still not washed up in Ukraine.
5%
But those rationalizations often ignored the dark side of their business. Nobody was willing to admit that one day these tools could be used in a life-threatening attack, that they were increasingly finding their way to oppressive regimes looking to silence and punish their critics, or infiltrating industrial controls at chemical plants and oil refineries, and that possibly, perhaps inevitably, those who dealt in this trade might one day find blood on their hands.
6%
Were there any rules or laws to their trade? Or were we supposed to put our faith in hackers’ own moral fortitude?
8%
Though society has come to conflate hackers with black hats and criminals, the reality is that we owe them much of our progress and, ironically, our digital security.
9%
iDefense was getting priced out of the very market it helped spawn. Others had caught on to what Endler had known all along: there was more to be gained by embracing hackers and their discoveries than pretending the holes did not exist. But these newer players were entering the market for very different reasons. And they had much bigger pockets.
10%
In the military, secure communications mean the difference between life and death, but the big technology companies didn’t seem to grasp that.
11%
But the darker the market, the less efficient it is. The more open the market, the more it matures, the more buyers are in charge.
11%
Before we parted ways, Sabien told me he had something he wanted to show me. He passed me his phone. On the screen was a quote attributed to Nathaniel Borenstein, who I vaguely recalled as one of two men who invented the email attachment, the invention so many nation-states now used to deliver their spyware. “The most likely way for the world to be destroyed,” it read, “most experts agree, is by accident. That’s where we come in; we’re computer professionals. We cause accidents.”
13%
For Charlie, the episode was a dark one. His white paper had changed nothing. The big vendors—Google, for Christ’s sake—still had it wrong. They would rather bury their head in the sand and threaten hackers than work with them to secure their products.
15%
For Deeley, this was complete vindication. For years he had argued that encryption was not enough. To truly thwart government interception, the NSA would have to lock down anything that plugged into an outlet. Now he had proof.
15%
And analysts never wondered why the Soviets treated their own typewriters with such paranoia. The Soviets banned their own staff from using electric typewriters for classified information, forcing them to use manual models for top-secret information. When Soviet typewriters weren’t being used at the country’s own embassies, the Soviets stored them in tamperproof containers. And yet the Americans hadn’t bothered to ask why.
15%
Gunman opened the door to what was possible. Now, everywhere you look are endless opportunities for espionage—and destruction.
15%
I asked nearly every single one of the men who guided the CIA and NSA through the turn of the century to name the father of American cyberwar, and none hesitated: “Jim Gosler.” And yet in hacker circles Gosler remains an unknown.
16%
Organizations can’t stop the world from changing. The best they can do is adapt. The smart ones change before they have to. The lucky ones manage to scramble and adjust, when push comes to shove. The rest are losers, and they become history.
18%
Either the intelligence community would grow and adapt, or the internet would eat us alive.
18%
“Think about it,” he told me one day. “Nothing is American-made anymore. Do you really know what’s in your phone, or in your laptop?”
18%
And yet here we were, entrusting our entire digital lives—passwords, texts, love letters, banking records, health records, credit cards, sources, and deepest thoughts—to this mystery box, whose inner circuitry most of us would never vet, run by code written in a language most of us will never fully understand.
18%
The opportunities to sabotage the global supply chain were endless, Gosler told me.
18%
One year later R. James Woolsey, President Clinton’s new pick for CIA chief, would tell senators, “Yes, we have slain a large dragon. But we live now in a jungle filled with a bewildering variety of poisonous snakes. And in many ways, the dragon was easier to keep track of.”
19%
Pulling out critical, credible, actionable intelligence was getting to be nearly impossible as unprecedented flows of noisy, seemingly unrelated data made its way through an endless maze of digital pipes back to the Fort. Solving for Big Data would consume U.S. intelligence agencies for decades.
21%
Chinese hackers were not just engaged in traditional state espionage; they were pilfering intellectual property from every major company in the Fortune 500, American research laboratories, and think tanks.
21%
“Sigint professionals must hold the moral high ground, even as terrorists or dictators seek to exploit our freedoms,” one classified NSA memo declared. “Some of our adversaries will say or do anything to advance their cause; we will not.”
22%
In short, the NSA was doing everything it accused Beijing of doing, and then some.
22%
In the post–9/11 urgency to capture and analyze as much data as humanly possible, leaked classified documents and my interviews with intelligence officials made it clear that few had stopped to question what the potential implications might be if word of their digital escapades ever got out.
22%
The world was now using the same Microsoft operating systems, Oracle databases, Gmail, iPhones, and microprocessors to power our daily lives. Increasingly, NSA’s work was riddled with conflicts of interest and moral hazards.
22%
There are no patents on vulnerabilities, exploits, and malware.
23%
Alexander’s pitch always reminded me of the quote that Sabien, the original zero-day broker, shared with me years later: “The most likely way for the world to be destroyed, most experts agree, is by accident. That’s where we came in; we’re computer professionals. We cause accidents.”
25%
The United States may have thwarted a conventional war, but in releasing Stuxnet on the world, it opened up an entirely new battlefront. The worm had crossed the Rubicon from defensive espionage to offensive cyberweapon, and in just a few years, it would come boomeranging back on us.
25%
The world had changed in the thirty-odd years since Gunman. It was no longer the case that Americans used one set of typewriters, while our adversaries used another. Thanks to globalization, we now all relied on the same technology.
25%
This paradox began to keep Pentagon officials up at night. America’s cyberweapons could no longer exist in a vacuum. The United States was effectively bankrolling dangerous R&D that could come boomeranging back on us.
25%
amount of government lobbying can halt globalization when it came to technology.
27%
The year I stepped into the closet of Snowden’s classified secrets, the zero-day market had become a full-fledged gold rush. But there was little incentive to regulate a market in which the United States government was still its biggest customer.
27%
Wassenaar Arrangement.
27%
the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies was designed to replace the previous set of Cold War norms used by Western states to keep weapons and military technology from making their way to Russia, China, and their communist satellites.
28%
To sell these tools to other foreign groups, cryptographic controls require sellers to obtain a license from Commerce’s Bureau of Industry and Security, which often grants them for four years or more, and asks only that sellers report biannual sales in return. Pen-testers, exploit brokers, and spyware makers argue encryption controls are adequate; digital rights activists call that ludicrous.
28%
He told him he would rather be dragged to prison than teach the Turkish military his tradecraft. I asked how Aitel reacted. “He’s very American,” was Eren’s response. “This was business. He was willing to work with everybody.”
29%
It was a familiar story, one I would hear time and time again from hackers who believed that by coming up with their own ethical code, they could keep the darker forces of the internet—authoritarianism, repression, the police states—at bay a bit longer.
29%
In the War on Terror and the offensive cyber trade, you could rationalize just about anything.
31%
These men didn’t seem to care about public perceptions. They didn’t care for Bushido. And they felt no more responsibility for weaponizing the internet than the tech companies who left gaping holes in their products. They behaved more like mercenaries than patriots.
32%
In one email in which Vincenzetti seemed to predict the future, he joked “Imagine this: a leak on WikiLeaks showing YOU explaining the evilest technology on earth! ☺.”
32%
Desautels had believed he could control the market with morals and scruples. Bushido, I thought. More like Bullshit.
32%
The Hacking Team leaks offered an incredible window into how zero-day exploits were being priced, traded, and incorporated into ever-more-powerful off-the-shelf spyware and sold to governments with the most abysmal of human rights.
32%
But as I sifted through the leaks, I could see that the coverage had had the opposite effect: it had functioned as advertisement, showing other governments that did not possess these capabilities what they were missing. By late 2015, no intelligence agency on the planet was going to miss out.
32%
While the world consumed itself with Hacking Team, the leaks made clear that sophisticated surveillance states, intelligence, and law enforcement agencies had already moved on. The Israelis didn’t bother with PCs; they could get everything their government clients might ever want or need simply by hacking phones. And judging by their pitch deck, NSO had found a way to invisibly and remotely hack into every smartphone on the market: BlackBerries, the Nokia Symbian phones still used by many in the third world, Android phones, and, of course, iPhones.
32%
By hacking the “end points” of the communication—the phones themselves—NSO’s technology gave authorities access to data before and after it was encrypted on their target’s device.