Nicole Perlroth - This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

More Praise for This Is How They Tell Me the World Ends

Possibly the most important book of the year Perlroths precise, lucid, and compelling presentation of mind-blowing disclosures about the underground arms race is a must-read expos.

Booklist (starred review)

[A] wonderfully readable new book. Underlying everything Perlroth writes is the question of ethics: What is the right thing to do? Too many of the people she describes never seemed to think about that; their goals were short-term or selfish or both. A rip-roaring story of hackers and bug-sellers and spies that also looks at the deeper questions.

Steven M. Bellovin, professor of computer science, Columbia University

The murky world of zero-day sales has remained in the shadows for decades, with few in the trade willing to talk about this critical topic. Nicole Perlroth has done a great job tracing the origin stories, coaxing practitioners into telling their fascinating tales, and explaining why it all matters.

Kim Zetter, author of Countdown to Zero Day

Nicole Perlroth does what few other authors on the cyber beat can: She tells a highly technical, gripping story as if over a beer at your favorite local dive bar. A page-turner.

Nina Jankowicz, author of How to Lose the Information War

From one of the literati, a compelling tale of the digerati: Nicole Perlroth puts arresting faces on the clandestine government-sponsored elites using 1s and 0s to protect us or menace usand profit.

Glenn Kramon, former New York Times senior editor

Reads like a thriller. A masterful inside look at a highly profitable industry that was supposed to make us safer but has ended up bringing us to the brink of the next world war.

John Markoff, former New York Times cybersecurity reporter

A whirlwind global tour that introduces us to the crazy characters and bizarre stories behind the struggle to control the internet. It would be unbelievable if it wasnt all so very true.

Alex Stamos, director, Stanford Internet Observatory and former head of security for Facebook and Yahoo

Lays bare the stark realities of disinformation, hacking, and software vulnerability that are the Achilles heel of modern democracy. I work in this field as a scientist and technologist, and this book scared the bejesus out of me. Read it.

Gary McGraw, PhD, founder, Berryville Institute of Machine Learning and author of Software Security

Usually, books like this are praised by saying that they read like a screenplay or a novel. Nicole Perlroths is better: her sensitivity to both technical issues and human behavior give this book an authenticity that makes its messagethat cybersecurity issues threaten our privacy, our economy, and maybe our liveseven scarier.

Steven Levy, author of Hackers and Facebook

For Tristan, who always pulled me out of my secret hiding spots.

For Heath, who married me even though I couldnt tell him where I was hiding.

For Holmes, who hid in my belly.

CONTENTS

Theres something happening here.

What it is aint exactly clear.

Theres a man with a gun over there

Telling me I got to beware

I think its time we stop, children, whats that sound,

Everybody look whats going down

BUFFALO SPRINGFIELD

This book is the product of more than seven years of interviews with more than three hundred individuals who have participated in, tracked, or been directly affected by the underground cyberarms industry. These individuals include hackers, activists, dissidents, academics, computer scientists, American and foreign government officials, forensic investigators, and mercenaries.

Many generously spent hours, in some cases days, recalling the details of various events and conversations relayed in these pages. Sources were asked to present documentation, whenever possible, in the form of contracts, emails, messages, and other digital crumbs that were considered classified or, in many cases, privileged through nondisclosure agreements. Audio recordings, calendars, and notes were used whenever possible to corroborate my own and sources recollection of events.

Because of the sensitivities of the subject matter, many of those interviewed for this book agreed to speak only on the condition that they not be identified. Two people only spoke with me on the condition that their names be changed. Their accounts were fact-checked with others whenever possible. Many agreed to participate only to fact-check the accounts provided to me by others.

The reader should not assume that any individual named in these pages was a source for the events or dialogue described. In several cases accounts came from the person directly, but in others they came from eyewitnesses, third parties, and, as much as possible, written documentation.

And even then, when it comes to the cyberarms trade, I have learned that hackers, buyers, sellers, and governments will go to great lengths to avoid any written documentation at all. Many accounts and anecdotes were omitted from the following pages simply because there was no way to back up their version of events. I hope readers will forgive those omissions.

I have done my best, but to this day, so much about the cyberarms trade remains impenetrable that it would be folly to claim that I have gotten everything right. Any errors are, of course, my own.

My hope is that my work will help shine even a glimmer of light on the highly secretive and largely invisible cyberweapons industry so that we, a society on the cusp of this digital tsunami called the Internet of Things, may have some of the necessary conversations now, before it is too late.

Nicole Perlroth

November 2020

Kyiv, Ukraine

By the time my plane touched down in Kyivin the dead of winter 2019nobody could be sure the attack was over, or if it was just a glimpse of what was to come.

A note of attenuated panic, of watchful paranoia, had gripped our plane from the moment we entered Ukrainian airspace. Turbulence had knocked us upward so suddenly I could hear bursts of nausea in the back of the plane. Beside me, a wisp of a Ukrainian model gripped my arm, shut her eyes, and began to pray.

Three hundred feet below, Ukraine had gone into orange alert. An abrupt windstorm was ripping roofs off apartment buildings and smashing their dislodged fragments into traffic. Villages on the outskirts of the capital and in western Ukraine were losing poweragain. By the time we jerked onto the runway and started to make our way through Boryspil International Airport, even the young, gangly Ukrainian border guards seemed to be nervously asking one another: Freak windstorm? Or another Russian cyberattack? These days, no one could be sure.

One day earlier, I had bid my baby adieu and traveled to Kyiv as a kind of dark pilgrimage. I came to survey the rubble at ground zero for the most devastating cyberattack the world had ever seen. The world was still reeling from the fallout of a Russian cyberattack on Ukraine that less than two years earlier had shut down government agencies, railways, ATMs, gas stations, the postal service, even the radiation monitors at the old Chernobyl nuclear site, before the code seeped out of Ukraine and haphazardly zigzagged its way around the globe. Having escaped, it paralyzed factories in the far reaches of Tasmania, destroyed vaccines at one of the worlds largest pharmaceutical companies, infiltrated computers at FedEx, and brought the worlds biggest shipping conglomerate to a halt, all in a matter of minutes.