Nicole Perlroth: “This Is How They Tell Me The World Ends”

CHRISTIANE AMANPOUR: Now, Russia’s hacking operations, which we were just discussing are only the start of the story. The cyber arms race is a global battle and the targets aren’t just nation states. You and I are vulnerable every time we log onto our e-mail, order a ride share or swipe our credit card. But New York Times journalist, Nicole Perlroth says, the U.S. is still not doing enough to protect its citizens. She’s the author of the book, “This is How They Tell Me the World Ends.” And here she is talking with our Hari Sreenivasan.

HARI SREENIVASAN: Christiane, thanks. Nicole Perlroth, thanks for joining us. What you do so well in this book is lay out a series of almost marketplaces that people don’t know exist that, you know, there are hackers inside and outside of government that are finding tiny vulnerabilities and pieces of software that we all use, but how that virus or how that piece of code gets into the hands of someone that can take action to it. I mean, it’s sort of a byzantine world of bizarre characters, some of them are incredibly interesting personalities, but the fact that people are buying and selling this and this is just part of the armaments that countries have now

NICOLE PERLROTH, AUTHOR, “THIS IS HOW THEY TELL ME THE WORLD ENDS”: That’s why I wrote the book. It’s just because I couldn’t wrap my head around the fact that we, the U.S. taxpayer, pay the U.S. government to keep us safe in terms of national security but also, we assume cyber security. And that in a lot of cases, they are leaving us more vulnerable to preserve their espionage operations and their battlefield preparations. So, at the most basic level, I just couldn’t wrap my head around the idea that the U.S. government would pay hackers or their intermediaries’ good money, you know, millions of dollars, in some cases, to turn over holes in software like your iPhone IOS software so that they can stock pilot in case they need to use it to spy on a terrorist or a drug cartel or a child predator. And that three decades ago, there really wasn’t this moral hazard baked in because if we found a hole in Huawei software, well, for most part Americans weren’t using Huawei but China was and North Korea was and Iran and Sudan and Syria, so we had a legitimate case to make that we should break into that software and use a beachhead to spy on some of our adversaries. But these days, three decades later and Huawei is obviously a glaring exception and we’re lobbying hard to get our allies not to use Huawei’s hardware and software and 5G but, you know, with few exceptions, we’re all using the same technology now. So, when the U.S. government finds a flaw in Microsoft Windows and doesn’t tell Microsoft about it so Microsoft can fix it, they’re not just leaving Americans safe in name of their counter intelligence operations, they’re also leaving a lot of our critical infrastructure safe because as Marc Andreessen put it, software is eating the world. So, Microsoft Windows and other software is making its way into our power grid, into our gas pipelines and other energy infrastructure and our hospitals and water treatment, et cetera. So, the stakes keep going up for these programs and it was just surprising to know that even so it hasn’t really changed the calculus that much about stockpiling vulnerabilities in the software that we all use now.

SREENIVASAN: You know, just recently, it was revealed that a pair of hackers worked with the Department of Justice, people remember the horrible shooting that happened in San Bernardino. But after that, there was also this kind of ethical quandary that the U.S. government was engaged in in saying to Apple, hey, we want a way to open this iPhone because we think this person might have had more information on there. We want to be able to open it. Tim Cook famously said no. If I create a back door for you, I create a back door for everyone. This is bad policy. And then suddenly, the Department of Justice stopped. They said, no, that’s all right. You don’t have to. We got our way back in. And now, years later, we are figuring out how that happened. But it’s stunning to think that technically that vulnerability could be found by more than just those two people, even though — right, it’s that when they poke a hole into something, if the government thinks that they can hold onto it, I mean, there’s a shelf life for these things.

PERLROTH: That’s right. And that was a big deal. I had signed on to do this book about best particular market in 2014 and I never knew that a year later the FBI would just come out and announce that it had paid a hacker more than a million dollars for a way into Apple’s devices and had no plans of telling Apple about it. And of course, we know because we have all seen so many high-profile cyber- attacks that we’re not the only one who would be looking for that capability. You know, China, Russia, Iran, the United Arab Emirates, Saudis, they all have their own reasons for wanting to keep tabs on iPhone communications. I mean, what more do you want as a spy agency than to track someone’s location or communications or contacts. And the going rate these days, actually in 2021, for that same hole that FBI purchased from hackers is actually $2.5 million. It’s already doubled from when the FBI paid those hackers back in 2015. And what’s interesting to me is that other brokers have popped up in Abu Dhabi that serve exclusively the Saudis and Emirates and they’ll offer $3 million for that same capability. So, we’re already getting outbid here in the United States. And that was a big focus of my research was trying to see just where these capabilities in these markets were drifting. Because for a long time, you know, the U.S. had the best hackers and talent and capabilities. But what has happened is as other governments eyes have opened to the potential for these iPhone or Windows vulnerabilities, they have stood up their own offensive programs but they don’t have the talent and hackers that we have here, but there is now a market and they can pay hackers all over the world to meet their demands for these capabilities and they are actively outbidding the United States in this market now.

SREENIVASAN: You know, I think maybe because of what happened on January 6th and just the general stress people have been under for the past year about politics. One of the things — one of the stories that kind of gets buried is the massive hacks that have happened in last few months, the hack by the Russians. We literally have the administration now putting economic sanctions on 16 different entities and 16 people. And I wonder, is that going to be enough of a deterrent? I mean, because it seems like the nation states have done their cost benefit analysis and this just part of how countries exist now.

PERLROTH: I think you’re right. You know, nothing we have done to Russia after the 2016 election such as sanctions, such as hacking into their grid stopped them from pulling off the latest attack that we’re calling solar winds, because they used an American company to break into our federal agencies, it didn’t deter them. But there is a question, and I don’t think we’ll ever get to the bottom of this unless we’re a fly on Vladimir Putin’s wall. But, you know, when they use solar winds to break into these federal agencies and get incredible access to the Department of Energy and our nuclear labs and the Department of Homeland Security and our Homeland Security secretaries e-mails, you know, they stop short of any kind of paralysis or degradation or destruction in the way that we have seen them use those attacks in Ukraine, for example. This really does appear to have been a classic espionage. And it was times around the same time that we were all worried about foreign interference and particularly Russian interference in the 2020 election. So, there is an interesting question here that I don’t know if we’ll ever be able to answer, which is, did all the attention to the election and the sanctions and our own hacking of Russia’s power grid deter them from doing more in 2020 to help elect then President Trump? Did it sort of send them in this other direction? And the timing here was very clever. You know, they just — they took a direct hit at our federal agencies when those same agencies were focused so acutely on the election and our backend election state infrastructure. And so, perhaps it was a deterrence. But, you know, they are in the systems as we speak. If it is the actor that we think it is, a unit of the SVR, we know them well because they actually hacked the State Department and the White House back in 2014, 2015. And when I interviewed those who were on the ground that were brought in to clean up from that attack, I’ll never forget, they described the process of kicking those hackers out as hand-to- hand digital combat. You know, the fact that they had found them in these digital hallways wasn’t enough to send them packing. They were really fighting to stay in those networks. And the fact that those same hackers might have been in our government agency systems for more than nine months before we even discovered them, you can pretty much guarantee that there is a long list of back doors planted in our federal I.T. systems and that it could be a long time before we confidently say, we kicked them out.

SREENIVASAN: You also point out how some of our biggest companies have been targets of nation states. Not something that they expected, not something that they prepare for and we hear about, you know, hacks of half a billion Facebook users’ information or a clubhouse being hacked, et cetera. I wonder how concerned do you think that Americans should be about their own information considering that we’re storing it in Amazon’s Cloud and in Google’s Cloud and, you know, I’m pressing I accept for lot and lots of things that I’m not reading all the way through?

PERLROTH: Yes. I mean, it is incredibly frustrating to be sitting in Silicon Valley right this moment and hearing things like move fast and break things and keep shipping and software eats the world without anyone mentioning security. You know, when I was in Ukraine, they have suffered every kind of cyber- attack from Russia including Russia turning off the lights and decimating their federal government agencies. And they said, you better pay a lot more attention in the United States to what’s happening here because we don’t think that we’re in the end target. We think we’re spring training. And we would never consider using the machine to conduct our elections. We will be doing our elections on pen and paper, thank you very much. But, yes. You know, to your point, yes, you know, the data is gone. No matter what you do in terms of trying to protect your house purchase by putting it through an LLC, you know, you’re still giving your address and your name to Amazon. And if someone wants the find out where you live, it’s pretty easy to do that. And even if you’re not telling anyone where you’re traveling or who you’re meeting with, the GPS on your phone that’s collected by data marketers, not even by nation states, it’s just enough for anyone who would want to know to know who you are meeting with. And all of that data has been targeted by hackers, and foreign nation states hackers over the last five, six years. You know, we have seen China hack the Office of Personnel Management, which had a clearinghouse of data on every one who ever applied for a security clearance in the United States, but we have also seen them hack Equifax and Marriott and a number of airlines and hospitality companies because they want to know where we are staying, where we are traveling, if there are Chinese citizens that are potentially travelling and staying at those same places so they can root out their own Chinese double agents. That kind of thing. And so, all of that is out there. And in a lot of cases, our personal data is not only sitting on the dark web, it’s sitting in nation state warehouses. So, what can we do? Well, what I do is I just think, what is thing that I have that a nation state or cybercriminal would want? And in my case, it’s probably in my sources. So, I go do ridiculous lengths these days to protect my sources. And it is much harder in the pandemic. You know, I can use signal the messaging app but I would much rather meet with people in person and when I do that, I’d rather leave my devices behind. I’d rather get a ride from someone else and not a uber or drive myself because my car has GPS navigation. I think about all of these things. Now, the average American is not a nation state target. And so, I think it’s just important for people to think about what is it that I have that a nation state or cybercriminal would want. In most cases, it’s probably your e-mail, log in credentials, which are the keys to the castle these days and to really just turn on two-factor authentication and use a different password for your e-mail than you use for anything else and you’ll get — you’ll knock off about 85 percent of the threats you could possibly face.

SREENIVASAN: I wonder what keeps you up at night knowing what you know now. I mean, I guess, in a way, are we winning or are we lucky that we’re not losing?

PERLROTH: Well, I would say we are losing. You know, I think we are, and this is just a stunning conclusion I made in doing the research for this book, the United States is still the world’s top dog in this space. We are still the world’s offensive cyber super power. But also, now are one of the most targeted nation states on earth, if not the most targeted by cyber criminals and other nation states. They reckon that they see incredible opportunities to, you know, countries like I said that — like Iran and North Korea that can’t match us on the battlefield and in terms of military spending, see that there are tremendous opportunities for them to deem with cyber-attacks and they have been doing that for quite a long time. But also, we are the most as a vulnerable. Like I said, you know, in Ukraine they have the sense of urgency. They have been getting beat up and blacked out by Russia, the world’s, you know, savviest cyber predator. But they’re not digitized in the way we are here. And we have just been plugging every last piece of our critical infrastructure and data into the internet without thinking about security. And so, we have created effectively the world’s most lucrative attack surface. And we are seeing people knock on our doors every day. And so, what I worry about is the fact the U.S. government’s policy and approach to this has been more hacking, has been what they call defend forward. You know, hacker adversaries so we can get an early alert system for what they have planned before these attacks come hit U.S. networks. But as we just saw with solar winds, we missed it for nine months. It actually wasn’t the NSA or Cyber Command that unearthed that attack, it was FireEye, a private Silicon Valley. And only after it was itself hacked by Russia and then was able to rewind the attack and figure out that the Russians had come in through solar winds, which was used by all of these federal agencies. So, I think it is time, probably high time, we are way past due to refocus on our cyber defense.

SREENIVASAN: Title of the book is “This is How They Tell Me the World Ends.” Nicole Perlroth, thanks so much for joining us.

PERLROTH: Thank you so much. This was wonderful.