This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

Nicole Perlroth

In the epilogue, Nicole Perlroth goes back in history to a summer afternoon in 1976, when in the parking lot of a biker bar, a team of scientists from SRI International (which had an office in Menlo Park) sent the first email over the internet to ARPANET, as a demo for Pentagon officials who had flown in for this. In the world then, national security was largely a function of things in the physical domain – hijacked planes, rogue nations with nukes, drug trafficking, terrorists and so on. (Almost) half a century later, the world is a different place. Forget rogue nations or terrorists, a single hacker can seize control of a plane in mid-air with nothing more than a play on the code in the software running the plane. Everything from election systems, power grids, nuclear power plants, gas pipelines to hospital systems can be held hostage with ransomware. Most of them have been, and every device we use – from mobiles and laptops to connected homes and cars – is vulnerable. This is the story of that transition. 

Nicole begins the book in Ukraine, where she was surveying the aftermath of a devastating cyberattack, which included the Chernobyl radiation monitors going offline. The culmination of Russia’s revenge for the 2014 Ukrainian elections, which they unsuccessfully tried to hack. That the hack boomeranged and destroyed Russia’s own oil giant Rosneft’s data is a good example of how even those who unleash attacks cannot be sure of its speed and direction. 

But the story begins in the Cold War era, back in 1945, when bugs were ‘microphones’ and the advanced exploits were through anything that was attached to a plug – typewriters, copiers, printers etc. There is an extraordinary story from 1984 of Project Gunman, and how a coil in an electric typewriter was ‘weaponised’ with a magnetometer and a recording device for spying! 

And then came the computers. The first version of Linux had 176000 lines of code, now Microsoft’s Vista has 50 million. Each a potential vulnerability. Back in the day – from the late 90s, brokers started paying coders to purchase exploits in hardware/firmware/software – Sun, Cisco, Microsoft, HP, Oracle. They then sold it to these companies, sometimes having to show them proof of how it could be exploited. As the internet grew in size and became a global network, an underground market for exploits formed and the US government started building an arsenal including zero-days (a software/hardware flaw which doesn’t have a patch yet, called so because the ‘good guys’ have zero days to fix them). Some zero days are ‘ideal state’ – they require zero interaction from the target’s end, no mails or messages, and also ‘clean fail’ – they wouldn’t trigger an alert or crash a computer. But since the days of Stuxnet (2010), which had as many as seven zero-days and was used by the US to neutralise Iran’s Natanz nuclear facility), things changed. Just like Hiroshima, a weapon had been revealed and it would not go back into the box (Michael Hayden, former NSA director).

Also, in 2007 came the iPhone, supercharging the era of government snooping, and an invasion of privacy with minimum effort! By 2015, the NSA was even snooping on their own First Lady! It is now a minefield with different governments including not just powers like Russia and China but Iran, North Korea, Israel their opponents within the country and outside, hacker groups, tech companies, and government agencies all in an arms race to win cyber wars in milliseconds. 

The book has many interesting stories. The origins of Pegasus (by the NSO in Israel), named after the winged horse, and which could capture vast amounts of data from the air without leaving a trace. Aurora – the Chinese Legion Yankee attack on Google, and Brin’s strong response, though it was only for a short while. Argentina’s thriving hacker ecosystem, Iran’s ‘burning flag’ response to the US in its Aramco hack, Russia’s hacking of the DNC, WannaCry by Lazarus from North Korea, HeartBleed based on a widely used OpenSSL software, the linkage between the assassination of Jamal Khashoggi, the purchase of exploits by Emiratis, and the publishing of Bezos’ private photos (the source was actually the mistress’ brother, but the phone was simultaneously hacked too) are all signs of an escalating war. There is also a funny story on how, after Trump ordered Russia to close their San Francisco consulate, plumes of black smoke began pouring out of their building’s chimney. They were obviously burning something, and when a reporter asked an exiting man and woman about it, with acrid smoke billowing around them, they replied, “there is no burning.”

The weapon will not go back into the box, and it is now capable of devastation in milliseconds. The world, while aware of this, is not willing to find alignment on things that will now start taking human lives. One excellent place to start is to stop taking buggy code to market. In an economy that rewards first-to-market and “move fast and break things”, this is not going to be easy. As usual, Scandinavia leads the pack for safety, but Japan offers an instructive lesson in making cyber hygiene a priority for everyone from government agencies to individuals. But this provides no comfort because it is really an arms race with seemingly no end. 

The narrative is relentless and extremely accessible. It throws light on an area which we shouldn’t be ignoring, given how much is at stake. For me, it is also a validation on not going beyond the mobile phone in terms of tech hardware. But that really is small relative safety, nothing more. And just like Nicole, I wonder when we will see the ‘mushroom cloud’.