SolarWinds and a Prelude to the End of the World
At the end of 2020, the United States learned that nearly every branch of the federal government, many state and local governments, and countless companies, over 250 targets in total, had been hacked by Russian intelligence. Using the software update mechanism of a widely used network-monitoring product from SolarWinds, Russian operators burrowed into networks that were believed to be protected and sat there for at least a year, if not longer. By routing their operations through U.S.-based servers, the Russians exploited the prohibition on American intelligence agencies spying inside the United States, and they eluded the Department of Homeland Security as well. While that was alarming enough, the early-warning sensors that the National Security Agency and U.S. Cyber Command are believed to have implanted in foreign networks also did not raise the alarm.
The more one reads about the SolarWinds breach, the more alarmed one becomes. Whether it was the failure of nearly every aspect of billions of dollars’ worth of cyber defenses, the long-term covert presence on America’s networks, or, perhaps most alarming, the free rein the Russians could have enjoyed to manipulate or destroy data, every aspect of the SolarWinds breach should frighten Americans much more than it has.
Washington still does not know, and may not for some time, the full reach of this hack or how it happened. For most Americans, the breach was merely background noise. They have become inured to breaches and hacks, and this one had a short news cycle, especially amid the continuing post-election chaos, the dumpster fire that was 2020, and a country headed into the holidays. Yet the SolarWinds breach was perhaps the apotheosis of several long-running, alarming, and potentially life-changing trends, which are explored in fantastic detail by The New York Times’ Nicole Perlroth in her exceptional new book This Is How They Tell Me the World Ends.
Zero Days and the Zero Hour
Ms. Perlroth is a seasoned cybersecurity reporter, and it shows: her mastery of detail and her ability to write are vividly on display on every page. Reading this book, one will savor the vignettes and their connective tissue. I found myself pausing more often than usual simply to enjoy the prose, the detail, and the narrative. It is truly thought-provoking and pulls the reader fully into the story from the first page.
By focusing on the people of her story more than the technology, she takes what can be arcane and impenetrable techno-speak (both by design and by consequence) and crafts a thrilling account of the evolution of the market for “zero-days”. These are vulnerabilities unknown to the software’s maker, which has therefore had zero days to fix them, and the exploits built on them are the currency of the new arms race. Countries and companies alike seek to develop, buy, sell, hoard, and exploit these vulnerabilities for both financial profit and intelligence gain.
This digital arms race graphically highlights the challenges of offense and defense in the cyber domain. Zero-day vulnerabilities that could be used by the U.S. or allied intelligence agencies are vulnerabilities that could also be used by foreign adversaries and criminals alike. These are not nuclear weapons, which are the province of nation-states. You do not need a massive scientific and engineering program to identify, develop, or exploit zero-days. You merely need increasingly deep pockets and the technical know-how to use the exploits, and even then, as Ms. Perlroth shows, there are custom-made point-and-click zero-days that almost anyone with basic technical competence could use.
Yet this story is much more than the cyber arms race and zero-day exploits. It is about the tension between cyber offense and defense, geopolitics, security and openness, the evolution of our networked society, and its resulting vulnerability. That Ms. Perlroth manages to cover so many bases in such detail, and make it read as well as, if not better than, any thriller writer out there, is a testament to her talent.
How does Fort Meade (NSA) or Cheltenham (GCHQ) balance the need to exploit weaknesses in adversaries’ systems with defending the networks of the United States and the United Kingdom? This question is at the heart of the book. If the zero-days are patched, the opportunity for exploitation is lost. If they remain open, they could pay dividends in the near term but cause untold havoc on civilian networks. While the Obama administration published a Vulnerabilities Equities Process to attempt to codify a policy, the question remains unanswered. Cyberwarfare has no Geneva Convention; it has no rules or laws of war, and the barriers to entry are so low that the corresponding incentives for engaging in it are extremely high.
The demand for zero-days spawned its own market, replete with beltway bandits, hucksters and frauds, hackers and spies, and representatives of the FAANGs. Tech companies, eager to patch their flawed software, want the exploits for themselves. The beltway bandits and other brokers want to maximize profit, in a world filled with NDAs, non-competes, and exploit expiration dates. The spies, of course, want to hoard as much as possible, to leverage these zero-days for offensive attacks if necessary but for intelligence exploitation more immediately. Almost every department and agency of the federal government sought to acquire its own exploits, resulting in considerable duplication and overlap, and often working at cross purposes.
An added problem is that even the professionals find it challenging to secure their own exploits. Like Smaug sitting atop a hoard of golden zero-days, both the NSA and the CIA succumbed to their Bilbos. The still mysterious Shadow Brokers stole exploits from the NSA’s Tailored Access Operations (TAO) unit, while the Vault7 documents describing the capabilities of the CIA’s Information Operations Center were leaked to WikiLeaks. At the same time, both the CIA and the NSA grappled with how to handle and manage their exploits, deny them to America’s adversaries, and counter adversarial actions.
Here, Operation Gunman is instructive. During the height of the Cold War, the NSA physically removed the electronic equipment from the U.S. embassy in Moscow to inspect it in hopes of finding a technical mole, a mole that many, out of technological arrogance, said was impossible because of advanced encryption. The embassy was hemorrhaging information at an alarming rate. Lo and behold, after ripping apart and x-raying nearly every component, the NSA team found a clever implant that gave the Soviets access to the data before it was encrypted.
Even without theft, the exploits and tools do not stay in the hands of the proverbial “good guys”. Many of those profiled by Ms. Perlroth note that they have or had rules about to whom they would sell, be it the United States, the Five Eyes (US, UK, Australia, Canada, and New Zealand), or NATO. Some simply demurred when asked about the impact of their brokering of these exploits, suggesting they’d rather talk about their dinner (ask Ms. Perlroth about the salmon). They would, in theory, draw the lines at American adversaries or those with poor human rights records. Yet inevitably, those same tools would end up in the hands of regimes with questionable records or used for purposes other than security—such as in Mexico where exploits were used to target those advocating for increased taxes on sugar, or inadvertently targeting Americans from overseas posts.
The Digital Frog in the Cyber Pot
The slow boil of doom and dread drips from every page. As Ms. Perlroth exposes more and more of the zero-day market and its rapacious players, the sheer vulnerability of the United States looms in the background. Yes, the United States and Israel leveraged zero-day exploits in Stuxnet, and yes, the intelligence community has gathered untold insights into terrorists, cartels, and other foreign adversaries, but those same tools could be, and indeed would be, turned on America. Ms. Perlroth takes readers to the front lines where this has happened and is ongoing. Ukraine became the target of multiple significant cyber-attacks, which not only turned off the power but also sought to disrupt elections. What should have been a blaring klaxon for America was met with a shrug.
Americans have become numb to the breaches, putting more and more of their lives online even as the number of vulnerabilities grows rapidly. According to Ms. Perlroth, the United States is connecting 127 new internet-enabled devices to the web every second. Each one of those devices is a potential entry point for hackers, criminals, or nation-states alike. The significant hacks that should have been watershed moments in raising the alarm received scant attention in the popular conversation. The story was not that Sony was hacked by North Korea, but that executives thought Angelina Jolie was spoiled. It was not that the DNC was hacked and its emails released by the Russians, but what Debbie Wasserman-Schultz said about then-candidate Bernie Sanders. The sensational details were titillating, but America missed the forest for the trees.
The zeal to get to market as fast as possible, “to move fast and break things,” and to deliver value to shareholders can come into conflict with, or even override, basic security concerns. Given the increasing complexity of code, with millions upon millions of lines each potentially harboring vulnerabilities and unintended errors, the likelihood of a hack or a breach keeps growing. With this in mind, the fact that Eastern European software companies were involved in the development of SolarWinds’ software is not surprising and may have provided an entry point for Russian intelligence. In a similar case recounted by Ms. Perlroth, after discovering a Russian presence on Pentagon networks, a company hired to remediate the problem subcontracted the work to another company, which subcontracted it again to a company connected to Russian intelligence. The Russians were hired to remove themselves from the networks they had penetrated.
While the United States (and Israel) may have been the first to unleash a modern-day cyber weapon with Stuxnet, those weapons have proliferated greatly and are now being turned on the West. The proverbial cyber bell cannot be un-rung. The country with the most powerful cyber arsenal and the greatest capabilities is equally cyber dependent, and thus the most vulnerable, and that vulnerability is increasing at an alarming rate. Congress has been slow to act, and sensible arguments have often been overruled by narrow special interests. Efforts to mandate security standards for critical national infrastructure companies were watered down to voluntary standards only, thanks to aggressive lobbying campaigns. Efforts to secure the nation’s elections were blocked at every turn by Senate Republicans claiming overreach by the federal government. The NSA’s effort to ensure that “Nobody But Us,” or NOBUS, could operate at the highest level of cyber exploitation fell short.
The Cyberspace Solarium Commission articulated several sensible and potentially game-changing recommendations, yet the political will to act upon these and advance the nation’s cyber-security is still wanting. It remains to be seen where cyber-security ranks in terms of the Biden administration’s list of priorities and whether or not his cabinet will have a serious debate on the use of cyberweapons.
When a major cyber-attack happens against the United States, not merely a limited attack that releases uncomfortable emails, but a major breach of critical national infrastructure, no elected official will be able to say they were not warned. The Russians, the Chinese, the Iranians, and the North Koreans are aggressively attempting to penetrate America’s networks and, in many cases, are already embedded in the walls. In an alarming story recounted by Ms. Perlroth, Russians were found inside the safety networks of a nuclear power plant. It was merely a click away from potential disaster.
Fear, Uncertainty & Doubt
Ms. Perlroth’s book is easily an early contender for a “best of the year” award, and it is by far one of the best books on cyber warfare and espionage out there today. Her writing is fluid, engaging, and evocative. She relates complex IT concepts with ease and simplicity, making them accessible to a lay audience, precisely the audience that should be reading this book. She does not trade in “FUD” (fear, uncertainty, and doubt) or hyperbole. She simply does not need to, because the story is sufficiently scary on its own.
By focusing on the people of the cyber arms race, the story is that much more understandable and relatable. Some of the subjects she covers in this book have been the subject of full-length books of their own: Sandworm, Countdown to Zero Day, and The Spy in Moscow Station, to name a few. What makes Ms. Perlroth’s book shine is how she distills these stories into their relevant bits and weaves them together into an overarching, compelling, accessible, and exceptionally well-written narrative.
Ms. Perlroth’s skill and reporting are on vivid display on nearly every page of this book. That she was even able to penetrate the zero-day market and the hacker community is a testament to her skills and determination as a reporter. She entertainingly recounts having to wear a glow-stick at one conference as a sort of neon-green scarlet letter, marking her as a reporter to the press-shy attendees.
Readers will be forgiven for being suspicious of their iPhones or smart devices after reading this book. They will probably want to change their passwords and enable two-factor authentication (2FA), and with good reason; fittingly, Ms. Perlroth recommends exactly that. The best solution might be to go completely off the grid, if only that were an option. Ironically, Ms. Perlroth’s story begins with her being pulled out of the African savannah to return for the Edward Snowden disclosures, only for it to close with her pining for a return to the elephants.