For an important reminder of the stakes involved in shoring up the cybersecurity of the nation's critical infrastructure, from banks to power plant operators, read the nonfiction book "This Is How They Tell Me the World Ends" by Nicole Perlroth.
Though the book came out in 2021, it remains an important read for bankers today because it helps explain much about the current landscape of cyber threats. It covers not just how nation-states attack their enemies with cyber warfare, but the proactive mindset that banks need in efforts to mitigate their own risks and risks to the financial system as a whole. All of this remains relevant today.
Perlroth is a former New York Times reporter who has moved on to cybersecurity venture capital, advising the Department of Homeland Security's Cybersecurity and Infrastructure Security Administration (one of the many subjects of her book) and producing a television series adaptation of her book for FX Networks.
Perlroth's reporting has unearthed Russian hacks of nuclear plants, airports, elections and petrochemical plants; North Korea's cyberattack against Sony Pictures, Bangladesh banks and crypto exchanges; Iranian attacks on oil companies, banks and dams; and thousands of Chinese cyberattacks against American businesses, including against the Times itself.
"This Is How They Tell Me the World Ends" is Perlroth's opus. It synthesizes and expands on her impressive body of work. It opens with the dramatic moment in 2013 when her editors at the Times pulled her onto the cybersecurity beat, stuffing her into publisher Arthur Sulzberger's storage closet alongside other Times reporters to analyze files leaked by Edward Snowden. It ends in 2021 with her locked up in quarantine because of COVID-19, anxious that the next big hack might come at any second.
Between those bookends, Perlroth's writing reads like a spy thriller. It is, but it is also nonfiction, written by a reporter who, during her eight years as a cybersecurity reporter for the Times, was often first to break news about the cyberwar playing out between the U.S. and its adversaries. The book largely dives into the world of zero-day vulnerabilities. These are bugs in computer systems that are not (yet) known to their owners, developers or anyone else capable of mitigating them. Zero-day exploits underpinned the successful campaign by the U.S. and Israel to set back Iran's nuclear program by several years, using a computer worm called Stuxnet.
Perlroth's book pierces the veil that zero-day marketplace participants have built. These participants include governments, contractors, notorious hackers and mercenaries. Perlroth's romp through secrets and stories clarifies the market forces that, among other things, have driven up the prices that governments and companies of all sizes and intentions are willing to pay for zero-day exploits.
On one side is Google with its Project Zero, a program that hires security analysts to find zero-day vulnerabilities in popular software, disclose the vulnerabilities to the software manufacturer, then publicly document the vulnerability after the manufacturer fixes the bug (or after 90 days, if the manufacturer drags its feet).
On another side is the National Security Agency. Perlroth describes in the book how, around 2010, the agency discovered a vulnerability in Microsoft Windows. Rather than tell Microsoft or anyone else about it, the NSA exploited that vulnerability for espionage. Only in 2017 did the vulnerability become public, when someone stole or leaked the agency's actions, allowing North Koreans and Russians to deploy it against a variety of companies and states, particularly in Ukraine.
One important upshot of the stories Perlroth tells is that companies — banks and other firms that make up the nation's critical infrastructure — have frequently been casualties and bystanders of the global cyberwar described in the book. The most glaring example of that is the NSA's attempt to exploit the Windows bug, which later backfired when it was leaked. Honda, FedEx, Merck and others were all affected in attacks dubbed WannaCry and NotPetya.
Alas, for all the value Perlroth offers readers in the storytelling — whether by holding the NSA's feet to the fire for poor judgment or negligence, shedding light on the important inefficiencies in the zero-day exploit market or lionizing heroes of the zero-day marketplace for selfless acts — the book has its cringeworthy moments.
For one, the book is chock-full of truisms. "Digital vulnerabilities that affect one affect us all," and "the world is on the precipice of a cyber catastrophe" are two examples. Most of these are innocuous enough; some border on misleading and hyperbolic. To her credit, Perlroth is aware of these moments. She discusses the acronym FUD, which stands for fear, uncertainty and doubt — something she calls "a scourge in the cybersecurity industry" — and acknowledges that the more technically minded readers "will argue I have overgeneralized and oversimplified," and she admits some subjects are better left to them.
"But," Perlroth goes on, "I would also argue that many are not technical at all, that we each have a role to play, and that the longer we keep everyday people in the dark, the more we relinquish control of the problem to those with the least incentive to actually solve it."
She writes this in her epilogue, which offers some of her opinions on policy prescriptions meant to address the negative externalities of the zero-day exploit market and the insecurities inherent in the many computer systems that reach into every corner of life. Naturally, opinions differ on the ideas she pushes in this section.
But there is also some sound advice targeted at the "everyday people" for whom she wrote the book — the people who know enough and care enough to pick up the book, but who can't effect change from the top of the corporate food chain.
To sum it up: Use strong passwords, and turn on multifactor authentication whenever available. As scary as zero-day exploits are, the vast majority of cyberattacks — 98%, according to Perlroth — start with a phishing attack that contains no zero-day, no malware. Strong passwords and multifactor authentication are excellent antidotes to these common attacks.
As for the remaining 2%: Those are the most interesting attacks, and if you want to better understand them, pick up "This Is How They Tell Me the World Ends."