Kindle Notes & Highlights
Read between May 13 - May 14, 2024
On Tuesday, January 12, 2010, at 3:00 A.M. Beijing time, Google made its attack known to the world. Fearing for employees’ safety, Google had already tipped off the State Department. Then Secretary of State Hillary Clinton was personally briefed. American diplomats at the Beijing embassy prepared for a possible mass evacuation of Google’s Chinese employees and their families. And then they hit publish. “We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but …
China blocked Google permanently. And three years later, under its new president, Xi Jinping, China took a stranglehold over the web. It codified into law criminal punishments for anyone who “damaged national unity.” It pioneered new forms of digital surveillance—facial recognition software, hacking tools, and novel spyware—aimed not only at its own people but also at the growing Chinese diaspora abroad. And it started exporting its censorship overseas. At one point it seized control of foreign traffic intended for Baidu, China’s biggest internet company, injecting code that transformed …
Google knew that its own hackers, and the most powerful fuzz farms in the world, were still no match for a country hell-bent on tracking its own people. And so Google came to the same epiphany iDefense had years earlier: it started tapping the world’s hackers for good. Until 2010, Google had only paid hackers for bugs in street cred. Anyone who responsibly disclosed a Google bug was rewarded with a T-shirt and a mention on Google’s website. After Aurora, Google decided it was time to start paying its volunteer army real loot.
When Moussouris pitched Steve Ballmer’s generals in 2011, they were receptive but not ready to pull the trigger. They needed more data. For the next two years she compared herself to Cassandra, “doomed to know the future but nobody believes her until she can show them the data.” By 2013 she had two years’ worth of data showing that Microsoft was now losing bug reports to third-party brokers and intermediaries. That June, correcting the trend became a matter of urgency. The Guardian dropped Snowden’s first NSA leaks that month, detailing an NSA program called Prism. One NSA slide appeared to …
more out the back. Without the companies’ knowledge or cooperation, the Snowden revelations that fall showed that the NSA, and its British counterpart, GCHQ, were sucking up companies’ data from the internet’s undersea fiber-optic cables and switches. In agency jargon, this was called “upstream” collection, as opposed to “downstream” methods like Prism, in which agencies demand customers’ data from companies through secret court orders. In a single day, top-secret NSA slides showed that—unbeknownst to Yahoo, Microsoft, Facebook, and Google—the agency had collected “444,743 Yahoo email address …
The slides appeared to show that the NSA and GCHQ were directly hacking Google and Yahoo’s internal data centers to intercept customer data before it was encrypted and passed over the open web—essentially a man-in-the-middle attack. The NSA-GCHQ code name for these attacks was Muscular. On one level, it was helpful in explaining that the companies were not willing accomplices.
One year later, September 2014, Cook took the stage in Cupertino to debut the new iPhone 6, “the biggest advancement in iPhone history,” the phone for the post-Snowden era. From now on, Apple automatically encrypted everything on the phone—messages, call logs, photos, contacts—using a complex mathematical algorithm that used the user’s own unique passcode to unwrap a larger key on the device. Apple no longer held the spare keys to customer data. They’d given the only pair to the users. If governments wanted access to their data, they were going to have to ask the customers directly.
The United States still had the biggest offensive cyber budgets, but compared to conventional weapons, exploits were cheap. Foreign governments were now willing to match American prices for the best zero-days and cyberweaponry. The Middle East’s oil-rich monarchies would pay just about anything to monitor their critics. And in Iran and North Korea, which could never match the United States in conventional warfare, leaders saw cyber as their last hope of leveling the playing field. If the NSOs, Zerodiums, and Hacking Teams of the world wouldn’t sell them their wares, well, they could just hop …
Our own stockpile of cyber exploits and cyberweapons hardly deterred our adversaries from trying to acquire their own. What Iran, North Korea, and others could not develop on their own, they could now just buy off the market.
What oil is to the Saudis, so finance is to the American economy. A little more than a month after the Aramco attacks, Iranian hackers put U.S. banks in their crosshairs. Executives at Bank of America, J.P. Morgan, Citigroup, Fifth Third Bank, Capital One, and the New York Stock Exchange could only watch helplessly as, one by one, their banking sites crumbled or were forced offline by a deluge of Iranian internet traffic.
At the White House, President Obama concluded that nonresponse was no longer an option. That December, the president announced that the United States would “respond proportionally” to North Korea’s attack. He declined to give specifics, saying only that the United States would hit “in a place and time and manner of our choosing.” Later, officials would tell me Obama was speaking to two audiences that day; he was addressing Iran too. Three days later, a funny thing happened. North Korea’s already dim connection to the outside world went dark for an entire day.
2010 a bipartisan group of ten former national security, intelligence, and energy officials—including former secretaries of defense James Schlesinger and William Perry, former CIA directors R. James Woolsey and John Deutsch, and former White House national security advisors Stephen Hadley and Robert McFarlane—sent a confidential letter to the House Committee on Energy and Commerce in support of a bill to improve the cybersecurity of America’s critical infrastructure. Their letter was blunt: “Virtually all of our civilian critical infrastructure—including telecommunications, water, sanitation, …
All optimism evaporated in 2014, when the Russians took their attacks one step further. That January, CrowdStrike discovered that Russian hackers had successfully compromised industrial control software companies and Trojanized the software updates that made their way into hundreds of industrial control systems across the country. It was the same technique the Americans and Israelis had used five years earlier with Flame, when they infected computers in Iran using Trojanized Microsoft software updates. But the Russians had been far less judicious. It wasn’t just U.S. oil and gas companies …
At the same time Russia was embedding in our grid, “little green men”—armed Russian Special Forces wearing green uniforms without insignia—had started cycling into Crimea. The Kremlin was signaling to Washington that if it retaliated on behalf of its Ukraine ally, or ever dared turn off the lights in Moscow, Russia had the ability to turn around and do the same. Call it mutually assured destruction for the internet era.
At 3:30 P.M., December 23, in the Ivano-Frankivsk region of western Ukraine, residents were just starting to pack up their desks and head home for the holidays when an engineer inside Prykarpattyaoblenergo’s control center noticed his cursor gliding across his computer screen, as if pushed by an invisible hand. The cursor moved to the dashboard that controlled Prykarpattyaoblenergo’s circuit breakers at substations around the region. One by one, the cursor double-clicked on the box to open the breakers and take the substations offline. The engineer watched in horror as a pop-up window suddenly …
Meanwhile a new zero-day broker has quietly surfaced online and started outbidding everyone else on the market. The broker calls itself Crowdfense, and I have learned it works exclusively for the Emiratis and their closest ally, the Saudis. Crowdfense is ponying up $3 million for the same iPhone exploits everyone else is offering—at most—$2 million for.
This was all happening under an America First president who was temperamentally uninterested in complexity, who romanticized authoritarianism, and who dismissed any talk of Russian election interference as an elaborate “hoax.” That his trade war with China, his abandonment of the Iran nuclear deal, and his refusal to confront Putin directly might have unintended and dangerous consequences seemed to matter little in the Old Western Trump had written for himself. In his retelling, he was Wyatt Earp restoring law and order, securing the border, and blazing his way to glory.
More than six hundred American towns, cities, and counties were held hostage by ransomware attacks between 2019 and 2020. Cybercriminals were not just hitting big cities like Albany and New Orleans, but smaller counties in swing states like Michigan, Pennsylvania, and Ohio. In Texas, a new battleground, twenty-three towns were hit simultaneously. In Georgia, the tally of victims was stunning: The city of Atlanta. The state’s Department of Public Safety. State and local court systems. A major hospital. A county government. A police department for a city of thirty thousand people. In each case, …
Perhaps, very soon, we will learn that Iranian and Russian trolls are bouncing the president’s messages around social media echo chambers. But even if they are, they are getting drowned out by real Americans. If the goal of Putin’s 2016 interference was to sow chaos and undermine democracy, then what is now playing out is beyond his wildest dreams.
Few of the customers today know it, but the entire digital universe is in orbit around one picnic table out back where computer scientists relayed the first message over the internet one summer afternoon in 1976. That August, scientists from SRI International—the research institute in nearby Menlo Park—pulled up to the Zott’s parking lot in an old bread truck to perform a demo for Pentagon officials who’d flown in for the occasion. The choice of locale was an inside joke; the SRI geeks had hoped there’d be some Hells Angels bikers in the mix. Sure enough, when they greeted the generals that …
It is now arguably easier for a rogue actor or nation-state to sabotage the software embedded in the Boeing 737 Max than it is for terrorists to hijack planes and send them careening into buildings. Threats that were only hypotheticals a decade ago are now very real. Russia proved it can turn off power in the dead of winter. The same Russian hackers who switched off the safety locks at the Saudi petrochemical plant are now doing “digital drive-bys” of American targets. A rudimentary phishing attack arguably changed the course of an American presidential election. We’ve seen patients turned …
We must lock down the code. Nobody will bother to invest in making the higher-up layers more secure if our basic foundations are still weak. We can’t redo the internet or swap out the world’s code, nor should we try. But we can significantly raise the bar for the cybercriminals and nation-states looking to profit and wreak havoc on our infrastructure. To do this, we must stop introducing glaring bugs into our code. Part of the problem is the economy still rewards the first to market. Whoever gets their widget to market with the most features before the competition wins. But speed has always …
Multifactor authentication is the best defense against these attacks. Turn it on, wherever you can, right now.
Studies have shown that—digitally speaking—the safest countries in the world, those with the lowest number of successful cyberattacks per machine, are actually the most digitized. The safest are in Scandinavia—Norway, Denmark, Finland, Sweden—and more recently, Japan. Norway, the safest of them all, is the fifth most-digitized country in the world. But Norwegians implemented a national cybersecurity strategy in 2003 and they revisit and update it every year to meet current threats. Norwegian companies that provide “basic national functions”—financial services, electricity, health services, …