The Spy Who Came in from the Code
A New York Times reporter details how the government and tech companies are leaving the U.S. vulnerable to hacking and cyber espionage.
Illustration by Dalbert Vilarino
Nicole Perlroth remembers the moment she realized nobody was coming to get the bad guys.
She had recently begun reporting on cybersecurity issues for the New York Times when hackers hit the newspaper. Given the opportunity to embed with the paper’s security team, Perlroth was there when FBI agents showed up, ostensibly to collect evidence. The Times identified the culprits — they were based in Beijing and sponsored by the Chinese government — but the federal agents “closed their binders, thanked the team, and left — and we never heard from them again,” Perlroth recalls. “That was the equivalent of my… education in the world of cybersecurity. American businesses were being targeted by advanced nation-states, and there really was no cavalry.”
Speaking at Stanford Graduate School of Business as part of a series of recent talks sponsored by the Corporations and Society Initiative, Perlroth gave a sobering assessment of the growing threat posed by cyber espionage and digital warfare. Perlroth, the author of the book This Is How They Tell Me the World Ends, described how hackers, often working at the behest of foreign governments, exploit weaknesses in software to attack critical infrastructure, more or less with impunity.
“Everywhere you look, businesses are experiencing hundreds, thousands — in some cases, millions — of cybersecurity incidents every week,” by digital attackers seeking to steal intellectual property, disrupt business, or shut down essential services, Perlroth says. The destabilizing effects have so far been short-term and limited, but the prospect of a truly catastrophic event is growing.
Leaving the Back Door Open
The ubiquity of computer systems to run essential functions across all sectors of American society means that a vulnerability in a piece of software may open a backdoor to a vast number of targets. Known as “zero-days,” these undetected software holes are collected, bought, and sold, in some cases for millions of dollars, according to Perlroth.
And it isn’t just rogue agents from other countries that stockpile zero-days — so does the U.S. government. When intelligence agencies learn that Microsoft or another software company has a weakness in its code, they don’t tip off the company but instead file it away to potentially use for counterterrorism or battlefield preparations. “Most people have no idea the trade-offs that our government makes in the name of national security at the expense of cybersecurity,” Perlroth says. “When the U.S. government holds onto a vulnerability in the software, they are also making it more likely that someone else would find that hole and use it against American infrastructure. We need to be having conversations about the trade-offs involved.”
Perlroth compares the zero-day market to a “fight club,” in which secrecy protects the people involved. “When you talk about this trade, you reveal the moral dilemma that is inherent,” she says. Moreover, revealing information about these vulnerabilities puts zero-day buyers’ investments in jeopardy. “If Apple learns about a zero-day and they update their software, suddenly the money that you spent turns to dust.”
The Digital Arms Race
Cyber espionage is pervasive now, but its origins predate the Internet age and the advent of personal computing devices. In the 1970s, the Soviet Union implanted electromechanical bugs on IBM Selectric typewriters in U.S. diplomatic offices in Moscow and Leningrad. By recording every keystroke, the Soviets intercepted unencrypted communications for years, a discovery that alarmed American intelligence officials who worried they might lose the Cold War “and every war after that” unless they found ways to hack new technologies themselves, according to Perlroth. Both the U.S. and Russia — and more recent entrants like Iran and North Korea — have engaged in cyber warfare ever since, gradually ramping up their capability.
Those efforts have been enabled in part by the laissez-faire attitudes of tech companies, which typically prioritize speed and convenience over security, Perlroth says. “Speed is the natural enemy of security. Security teams are considered whiners, the party poopers, in these organizations… no one wants to be bothered with updating their software if it creates lag times.”
In some cases, incursions into networks are tests to see how much access hackers can get and what might be possible. Perlroth points to an attack on a Saudi Arabian petrochemical company two years ago as an example. “They used a couple of zero-days to dismantle the electric safety locks, which is the last thing you would do unless you are a hacker trying to trigger some kind of deadly explosion.” It took a year to determine that the attack originated in a research university outside Moscow.
“I really think that the next major geopolitical conflict will either be a cyberwar or will have some major cyber component to it,” Perlroth says. “The country that survives that conflict will look a lot like a digital Israel, a country that can continue to run its most basic functions and services even while it is surrounded by hostile neighbors.”
All of this is undeniably grim, but there is one hopeful scenario. After a decades-long buildup of nuclear weapons, the United States and the Soviet Union reached an arms agreement in the 1980s that dramatically reduced their arsenals. Mutually assured destruction made both sides amenable to finding common ground. Have cyber weapons become so dangerous that a similar kind of truce might be in everyone’s interest? Possibly, Perlroth says. “There is some pressure for a digital Geneva Convention. Shouldn’t we agree not to hack one another’s elections or hospitals or civilian systems like the power grid?”
Yet such an agreement assumes good faith on the part of the United States’ adversaries, she notes, and is complicated by the fact that foreign governments often outsource hacking, making attribution difficult following an attack.
In the meantime, the United States and its allies are developing a menu of options that would set the bar for certain kinds of retaliation, and are warning foreign governments that cyberattacks will have consequences. It’s too early to tell whether such measures will work, but the frank talk offers a sliver of light, Perlroth says. “We are engaging in these conversations at the highest levels, and that is very good news.”