2021 Sep 04
Zero day: a software bug that allows a hacker to break into your devices and move around undetected. One of the most coveted tools in a spy’s arsenal, a zero day has the power to silently spy on your iPhone, dismantle the safety controls at a chemical plant, alter an election, and shut down the electric grid (just ask Ukraine).
For decades, under cover of classification levels and non-disclosure agreements, the United States government became the world’s dominant hoarder of zero days. U.S. government agents paid top dollar - first thousands, and later millions of dollars - to hackers willing to sell their lock-picking code and their silence.
Then the United States lost control of its hoard and the market.
Now those zero days are in the hands of hostile nations and mercenaries who do not care if your vote goes missing, your clean water is contaminated, or our nuclear plants melt down.
Filled with spies, hackers, arms dealers, and a few unsung heroes, written like a thriller and a reference, This Is How They Tell Me the World Ends is an astonishing feat of journalism. Based on years of reporting and hundreds of interviews, The New York Times reporter Nicole Perlroth lifts the curtain on a market in shadow, revealing the urgent threat faced by us all if we cannot bring the global cyber arms race to heel.
Notes & Highlights
…what really pissed off Aitel’s superiors is what he did after he left the Fort. He co-authored a book with several well-known hackers called The Shellcoder’s Handbook: Discovering and Exploiting Security Holes. It became a bible for aspiring hackers. In it, Aitel detailed specific exploits and attack methodologies…
Norway, the safest of them all, is the fifth most-digitized country in the world. But Norwegians implemented a national cybersecurity strategy in 2003 and they revisit and update it every year to meet current threats. Norwegian companies that provide “basic national functions”—financial services, electricity, health services, food supply, transportation, heating, media platforms, and communications—are required to have a “reasonable” level of security. The government penalizes companies that do not perform penetration testing, threat monitoring, or adhere to other best security practices. Government employees are required to use electronic IDs, multifactor authentication, and encryption. And Norwegian corporations have made cybersecurity core to their training and corporate culture.
Researchers attributed Japan’s progress to a culture of cyber hygiene but also to a cybersecurity master plan that the Japanese implemented in 2005. Japan’s policy is remarkably detailed. It mandates clear security requirements for government agencies, critical infrastructure providers, private companies, universities, and individuals. It was the only national cybersecurity plan, researchers discovered in their study, to address “airgapping” critical systems. In the years following its implementation, researchers found that Japanese devices were better protected than other countries with similar GDPs.
In 2019, for example, Cyber Command started uploading malware samples it discovered to VirusTotal, a sort of Google search engine for malicious code found in the wild.
Electronic Frontier Foundation