This Is How They Tell Me The World Ends

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

Book written by Nicole Perlroth

Book review by Helen Patton

I recommend this nonfiction book for the Cybersecurity Canon Hall of Fame.

Review Guidance

Nicole Perlroth has written a book that delves into the history of zero-day exploits, and the business markets that have been created to serve governments and criminals in their efforts to attack with or defend from cybersecurity exploits. She takes a complex subject and lays out in detail the factors that contribute to the rise of cyberweapons, including monetary incentives and government power structures. The depth and breadth of the material included in the book make this a worthy read for any cybersecurity practitioner, company director or policy maker. I recommend this to the Cybersecurity Canon Hall of Fame.

Within the security community, Perlroth’s book has been praised for its depth and historical accounting of events (see here for an example). It has also been criticized for inaccuracies and biases (see here for an example). As is always the case with social media and cybersecurity, it is difficult to separate fact from fiction – so for the purposes of this review and my recommendations regarding Hall of Fame status, I have chosen to alert you, the reader, to these concerns, but not otherwise address them. Instead, I focus on the overall themes and conclusions of the book, which are important for any security professional, and worth reading.

Zero-day exploits, and their identification and use as an offensive tool, are completely relevant to practitioners. We are all subject to impact by zero-day and other bugs that are known only to a handful of people but can be wielded against targets (and non-targets) with impunity. We are also all subject to government policies that support (or not) governments creating, buying and stockpiling these bugs. Knowing about them, how this industry developed, where it might go next, and how our governments are addressing this issue is a key piece of practitioner knowledge now and for the foreseeable future.

This book can be read by deep security experts, as well as people with little to no security experience. Written by a journalist, it tells the history of zero-day exploits through commonly known events and some lesser-known ones, and draws the reader towards the final chapter, where conclusions and recommendations are made.

About the Book

Nicole Perlroth has taken seven years of interviews with over 300 individuals and condensed her findings into this hefty tome. She writes: “My hope is that my work will help shine even a glimmer of light on the highly secretive and largely invisible cyberweapons industry so that we, a society on the cusp of this digital tsunami called the Internet of Things, may have some of the necessary conversations now, before it is too late.” Her use of alarmist language (hyperbolic? prescient?) continues throughout the book, as she recounts events through the eyes of her interview subjects.

She breaks her book into a prologue, seven parts, and an epilogue:

Prologue – she starts in Kiev, introducing the concept of zero-days through the lens of Russian interference in Ukraine. She introduces the Shadow Brokers and NotPetya, and notes “between 2016 and 2017 the gap between the United States’ cyber capabilities and those of every single other nation and bad-faith actor on earth closed substantially due to leaks from the NSA cyber arsenal.” She doesn’t even make it out of the prologue before noting that “the biggest secret in cyberwar – the one our adversaries now know all too well – is that the same nation that maintains the greatest offensive cyber advantage on earth is among its most vulnerable.”

Part 1: Mission Impossible – Perlroth recounts being assigned to the NYTimes cybersecurity beat; learning about Snowden, attending hacking conferences and trying to get tight-lipped industry insiders to talk about “Oh-Days.” She starts to learn more about the role of the NSA and other government agencies in finding, buying or creating cyber weapons.

Part 2: The Capitalists – Perlroth goes back to 1999 to tell the story of private and public groups involved in the trade of exploits. She starts with John Watters and iDefense, the first bug bounty company. She discusses the term “hacker” and explores the origin and evolution of the hacker role. She notes that in 2002 Microsoft announced their Trustworthy Computing Initiative. She chronicles the Microsoft vs. Netscape controversy, and the rise of the Melissa and ILOVEYOU viruses. The Trustworthy Computing Initiative caused the price for Microsoft zero-day exploits to rise, and hackers started to hoard bugs as government agencies sought to buy zero-days. Perlroth then explores the first zero-day brokers, including an unidentified source who “helped to pioneer the exploit business.” She chronicles the work of governments in the 1990s intent on stockpiling exploits. The cost to buy exploits was doubling every year. Lastly, she chronicles Charlie Miller’s attempts to make the exploit market transparent and to enable hackers to be paid for the bugs they find.

Part 3: The Spies – Perlroth talks about a number of government groups involved in cyberwar and the use of exploits in those efforts. For example, Project Gunman; Jim Gosler (“The Godfather” of American cyberwar) determined that cyberweapons would put critical infrastructure, including the US nuclear arsenal, at risk; 9/11 and the rise of the Patriot Act and the Foreign Intelligence Surveillance Act; NSA and the Tailored Access Operations unit; China and Huawei; Stuxnet and Unit 8200; and Vulnerability Research Labs. “It’s getting harder to know if you’re selling these tools to the good guys or enabling the bad.”

Part 4: The Mercenaries – Perlroth discusses the Wassenaar Agreement and Export Controls, and the companies that sell exploit technologies to other countries. For example, Immunity Inc. and Sinan Eren (“The Kurd”) and the role of exploit technology use by domestic and foreign powers, benevolent and less benevolent; Adriel Desautels’ Hacking Team selling spyware to government agencies; the Israeli NSO Group and law enforcement’s use of Pegasus software; and the emerging focus on phone vulnerabilities.

Part 5: The Resistance – focusing on groups trying to combat zero-day exploits. For example, Google’s information security team, the 2009 Chinese Aurora attack (“We didn’t think militaries were allowed to hack civilians in peacetime”), and Google’s entry into the bug bounty market; Facebook’s bug bounty program; Katie Moussouris and Microsoft’s program; the creation of HackerOne; NSA hacking of Google and other US technology companies, Project Zero; and Apple iPhone encryption.

Part 6: The Twister – The escalation of hacking activities and the threat to critical infrastructure. For example, Argentina’s hacking culture, Alfredo Ortega (“Cyber Gaucho”); the rise of Iran and the Aramco hack; the Chinese PLA 61398 indictment; denial-of-service attacks on Wall Street banks; North Korea’s Sony hack; Russian threats to the US power grid; and Sandworm.

Part 7: The Boomerang – when the tools amassed by governments are used against them and others. For example, Heartbleed; the hack against the Office of Personnel Management; EternalBlue; Russian hacking of the Democratic National Committee; the Shadow Brokers hacking of the NSA and leaking their zero-day stockpile; the role of Kaspersky; North Korea’s use of the ransomware WannaCry, using the stolen exploit EternalBlue; NotPetya; attacks on local governments, schools and private industry; Cozy Bear; and Chris Krebs and the 2020 US elections. “As of this writing, foreign states and cybercriminals are hitting American networks from so many sides that, from my quarantined perch, it has become nearly impossible to keep track.”

Epilogue: Here she draws her conclusions and makes her recommendations. “The world is on the precipice of a cyber catastrophe.”

  • Lock down the code
  • Securing open-source software
  • Cybersecurity bill of materials
  • Vetting and training developers
  • Rethink our computing architecture with security first
  • Use of multifactor authentication
  • Keep elections offline, improve security of voter registration systems
  • Many policy recommendations to firm up national cybersecurity strategy and execution
  • “Someone should do something”

Reading through these sections, a security practitioner can learn history, policy, strategy, technology, and espionage. Perlroth covers seminal cybersecurity events and gives a thoughtful view of the relationships between the people and events that brought the industry to where we are now. Some of her recommendations have already come to pass, and conversations continue at the national and international level about how to move forward with others. This book is a worthy read for anyone in the security community.