This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

by Nicole Perlroth

Russian hackers are “like artists who wake up in the morning in a good mood and start painting,” Putin told a gaggle of reporters in June 2017, just three weeks before his hackers laid waste to Ukraine’s systems. “If they have patriotic leanings, they may try to add their contribution to the fight against those who speak badly about Russia.”

We might have seen that the end game wasn’t Ukraine. It was us.

The crux of Putin’s foreign policy was to undercut the West’s grip on global affairs. With every hack and disinformation campaign, Putin’s digital army sought to tie Russia’s opponents up in their own politics and distract them from Putin’s real agenda: fracturing support for Western democracy and, ultimately, NATO—the North Atlantic Treaty Organization—the only thing holding Putin in check.

The former director of the NSA, Keith Alexander, famously called Chinese cyberespionage the “greatest transfer of wealth in history.” The Chinese were stealing every bit of American intellectual property worth stealing and handing it to their state-owned enterprises to imitate.

Iran had brought down U.S. banking websites and obliterated computers at the Las Vegas Sands casino after Sands CEO Sheldon Adelson publicly goaded Washington into bombing Iran, and—in a wave of ransomware attacks—Iranian cybercriminals had held American hospitals, companies, entire towns hostage with code.

But there was no question that in terms of sophistication, Russia was always at the top of the heap.

Starting in 2016, the U.S. National Security Agency’s own cyber arsenal—the sole reason the United States maintained its offensive advantage in cyberspace—was dribbled out online by a mysterious group whose identity remains unknown to this day. Over a period of nine months a cryptic hacker—or hackers; we still don’t know who the NSA’s torturers are—calling itself the Shadow Brokers started trickling out NSA hacking tools and code for any nation-state, cybercriminal, or terrorist to pick up and use in their own cyber crusades.

On June 27, 2017, Russia fired the NSA’s cyberweapons into Ukraine in what became the most destructive and costly cyberattack in world history. That afternoon Ukrainians woke up to black screens everywhere. They could not take money from ATMs, pay for gas at stations, send or receive mail, pay for a train ticket, buy groceries, get paid, or—perhaps most terrifying of all—monitor radiation levels at Chernobyl. And that was just in Ukraine.

The Russians had used the NSA’s stolen code as a rocket to propel its malware around the globe. The hack that circled the world would cost Merck and FedEx, alone, $1 billion.

But the Ukrainian security experts I spoke with had a disturbing alternate theory: the NotPetya attack, and the power-grid attacks before it, were just a dry run.

In the United States, though, convenience was everything; it still is. We were plugging anything we could into the internet, at a rate of 127 devices a second. We had bought into Silicon Valley’s promise of a frictionless society. There wasn’t a single area of our lives that wasn’t touched by the web. We could now control our entire lives, economy, and grid via a remote web control. And we had never paused to think that, along the way, we were creating the world’s largest attack surface.

If Snowden leaked the PowerPoint bullet points, the Shadow Brokers handed our enemies the actual bullets: the code.

It was becoming painfully obvious that we were being used. To the Guardian, the Times was an insurance policy against their troubles with the British intelligence officers back home. The Times gave them safe cover and free lunch every day, but they did not want us as actual partners. We were supposed to be working in tandem, but the Brits had started publishing their own stories without giving us a heads-up.

“Nicole,” he said, loudly for the others to hear. “These men are young. They have no idea what they are doing. All they care about is money. They have no interest in learning how their tools will be used, or how badly this will end.”

This was before Gates became a philanthropic saint. He was firing off emails to AOL executives, demanding to know: “How much do we have to pay you to screw Netscape?”

“The most likely way for the world to be destroyed,” it read, “most experts agree, is by accident. That’s where we come in; we’re computer professionals. We cause accidents.”

the secret was out: the U.S. government was willing to pay hackers—quite a bit, as it turned out—to turn over vulnerabilities in the products and leave their customers—including American citizens—vulnerable in the process.

“This is it,” Charlie told the crowd. “From now on, stop giving away your bugs for free. We do all this work, and all we get is threats and intimidation.” “This is the moment,” he said. “Stop. No more free bugs!”

The Cold War was over, but new enemies were on the horizon, and the champagne would not flow for long. One year later R. James Woolsey, President Clinton’s new pick for CIA chief, would tell senators, “Yes, we have slain a large dragon. But we live now in a jungle filled with a bewildering variety of poisonous snakes. And in many ways, the dragon was easier to keep track of.”

Germans don’t do small talk, and they don’t do bullshit. Feel-good messages and blatant self-promotion have no place in Germany. Doing your job well is not a good reason to deliver a long, self-aggrandizing speech.

“There’s a Fog of War, but there’s also a Fog of Peace,” Eric Grosse, Google’s affable vice president of security engineering, told me. “There are so many signals triggering, it’s hard to know which ones to go after.”

Argentines’ disdain for the United States had eased somewhat under Obama, but they were still evenly split between those who had favorable opinions of the country and those who thought we were monsters. And you couldn’t really blame them. Declassified U.S. diplomatic cables showed that in 1976, Secretary of State Henry Kissinger gave Argentina’s military junta the green light to engage in widespread repression, murder, kidnappings, and torture of its citizens. “We want you to succeed,” Kissinger told an Argentine Admiral that year. “If there are things that have to be done, you should do them quickly.”

“You need to dispose of your view, Nicole,” Arce told me. “In Argentina, who is good? Who is bad? The last time I checked, the country that bombed another country into oblivion wasn’t China or Iran.”

The malware the Iranians used to hit Aramco was not even that sophisticated; it was essentially plagiarized from the code Americans and Israelis had used to infect and delete data on Iran’s oil networks four months earlier. But the malware—called Shamoon after a word left in the code—did exactly what it needed to do: it sent Iran’s chief regional rival, the Saudis, into a tailspin, and signaled to Washington that Iran now posed a formidable cyber threat of its own, that one day soon it would come for us.

Under Xi, China was cracking down on the Five Poisons—Uighurs, Tibetans, pro-independence Taiwanese, the Falun Gong, and prodemocracy activists—as never before.

the Russians were inside our nuclear plants.

Russia’s hackers had breached the most alarming target of all: Wolf Creek, the 1200-megawatt nuclear power plant near Burlington, Kansas.

They were hitting our nuclear plants, our hospitals, nursing homes, our brightest research labs and companies, and somehow, no matter how much I wrote, this all seemed to escape the consciousness of the average American, of the people now plugging in their Nests, Alexas, thermostats, baby monitors, pacemakers, lightbulbs, cars, stoves, and insulin pumps to the internet.

Our elections. they cannot be conducted online. Period. In 2020, with the pandemic in full swing, Delaware, New Jersey, and Colorado were experimenting with online voting. This is lunacy. As J. Alex Halderman, a computer scientist and election security expert, put it to me recently, “these jurisdictions are taking a major risk of undermining the legitimacy of their election results.”

To date, there is not a single online voting platform that security experts like Mr. Halderman have not hacked.

The United States may never sign on to a digital Geneva Convention so long as Russia, China, and Iran continue to outsource much of their dirty work to cybercriminals and contractors. And it will likely never sign onto any agreement that puts its strategic war-planning at a disadvantage. But we need red lines.