This Is How They Tell Me the World Ends: The Cyber Weapons Arms Race
Book written by Nicole Perlroth
Book review by Larry Pesce
I recommend this nonfiction book for the Cybersecurity Canon Hall of Fame.
This Is How They Tell Me the World Ends: The Cyber Weapons Arms Race is an important book for understanding the evolution of the 0-day exploit trade. Told from first-hand accounts by those who were actually there trading and developing these capabilities, a picture of large fortunes crossed with ethical dilemmas emerges. Whether or not you agree with the trade or use of cyber weapons, Perlroth’s recounting of these ethical dilemmas may leave you doing some deep thinking about which side of an ethical line society or government should be on regarding the use of cyber weapons, and when it is too much or not enough.
I approached this book with some trepidation, as I’d heard others describe Perlroth’s portrayal of hackers in general as generally unsavory characters who were often also misogynists. While I could see those themes come through in the book, she was very much relaying her experiences and opinions on various situations, and I feel that she has a right to describe how she felt. Whether her perspective was due to misogynistic behavior, or because the folks interviewed for the book wanted to be secretive in speaking with a journalist due to the nature of their work, is largely irrelevant. After reading This Is How They Tell Me the World Ends, I found that Perlroth clearly indicated that either situation could be in play.
Additionally, I’d heard “I was there, that’s not how it happened” claims, indicating that much of Perlroth’s relation of the facts was inaccurate. However, since she is a respected journalist with 15 years of experience reporting for Forbes and the New York Times, I’m very much of the opinion that Perlroth understands integrity in reporting, and as a result, her reporting should be reasonably accurate. In my experience dealing with reporters and how they interpret what is told to them by an interviewee, sometimes context and facts can be slightly twisted. Any perceived technical inaccuracies in the retelling did not appear to change the overall narrative.
Overall, Perlroth’s account of the evolution of the 0-day market was quite fascinating. I’ve been an information security professional for more than two decades and have had multiple occasions to speak with several of the subjects in the book, yet there was a huge wealth of information behind the scenes that I’d never heard or was not readily available from other sources.
In this retelling, Perlroth traces the origins of several hackers, 0-day traders, and the companies they eventually create. Many become embroiled in legal and ethical challenges, as selling and profiting from 0-day trading quickly involves government agencies; some of these agencies are friendly, some are not, and many intend to use the acquired 0-day exploits to violate human rights, perform political and industrial espionage, cause widespread disaster, and possibly even death. 0-day exploits become digital munitions, weapons wielded by governments for cyber war.
Following along with the governmental acquisition, development and use of these new cyber weapons reads like a spy-versus-spy novel. It is entertaining for sure, but that excited, suspenseful feeling moves to one of terror when you realize this is real and not fantasy.
Perlroth did a fantastic job of building suspense, but I felt like I was left hanging at the end. I suppose the feeling of unfinished business is in fact just that, unfinished business. I think that one of the lessons that I learned is that while trading cyber weapons has evolved over the years, it is not done evolving. We’re just getting started with cyber war, and it’s not going to go away any time soon.
I found this a great read to bring me up to speed on the history of the cyber arms race, leaving me with the understanding that the game is far from over. As an industry and a society, we should continue to observe and learn from the ongoing evolution. Knowing where we came from can really help to guide world policy, our industry and societal ethics. For those reasons alone, I feel that this book is worthy of inclusion in the Cybersecurity Canon.
We modeled the Cybersecurity Canon after the Baseball Hall of Fame and the Rock & Roll Hall of Fame, except it’s a canon for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!