with Aaron Schaffer

The U.S. government is paying hackers for vulnerabilities they find in software and hardware used by corporations and governments. Once it has bought those vulnerabilities, it turns them into cyberweapons used to attack or spy on adversaries.

That's the moral, political and economic dilemma explored by This Is How They Tell Me The World Ends: The Cyberweapons Arms Race, a new book out today by New York Times cybersecurity reporter Nicole Perlroth. 

After starting to cover cybersecurity a decade ago, Perlroth almost immediately began hearing stories about the government paying hackers to turn over vulnerabilities in software and hardware that it could exploit for espionage, she writes. Despite a chorus of sources warning her she wouldn't get very far, Perlroth was determined to learn everything she could about the black market for cyberweapons.

“The American taxpayers pay the government in part to keep us safe. But in this case, the government was paying outsiders, hackers all over the world, to keep us more vulnerable to preserve their cyber offensive operations," Perlroth said in an interview. "And that fact alone just seemed really contradictory and full of moral hazard.”

Her interest in that hidden market accelerated after she reported on National Security Agency documents leaked by Edward Snowden confirming what she heard. But those documents only scratched the surface.

Through extensive interviews with the hackers, brokers and government officials who shaped the market, her new book attempts to fill in the gaps left by Snowden's revelations.

Perlroth spoke with The Cybersecurity 202 about her new book and the lessons it holds following a massive Russian hack of U.S. government agencies and companies. The conversation has been edited for clarity and length.

Cybersecurity 202: This book really dives into the economics of the hacking underworld. Why did you decide to take that direction rather than solely focusing on the geopolitical elements?

Perlroth: I was also interested in the lost opportunity that happened in the early days of the Internet when companies like Microsoft and Sun Microsystems and HP and Oracle – their reaction to those hackers who were pointing out holes in their products was to essentially threaten them to stop poking around their products. And at that same time the government and its defense contractors clearly saw a value in what these hackers were doing, not for security, but for espionage.

Hackers were getting hit over the head by the major tech companies and then, at the same time in stealth in this sort of secret, invisible market shrouded in [non-disclosure agreements] and increasing classification levels, they're getting paid something like $150,000 for the same hole that no one wanted to fix at the tech companies. It just struck me as such a big disparity and also had the byproduct of leaving us all more vulnerable.

What was the most surprising thing you found in your reporting?

I was shocked to find out that former NSA hackers were being recruited over to Abu Dhabi and were catching people like Michelle Obama, who had been in office, in their dragnet. That anecdote just really tells you everything you need to know about how out of control this market has become. The fact that an American contractor was being tasked with hacking an American ally and in the process was reading the first lady's emails just really stopped me in my tracks. 

Is there a sense that in some ways the United States is at fault for creating this industry of mercenary hackers, many of which are former U.S. government employees? 

This is a story about the hubris of American exceptionalism. We had some of the best hackers and exploitation programs in the United States, and we never truly meaningfully gave energy to thinking about what would happen when inevitably those same capabilities, people and tools came boomeranging back on us. And it's just this stunning realization that, yes, the United States remains the most advanced cyber superpower on Earth. But it's very clear to me, especially over the last 10 years, that lead is slipping, that advantage is slipping. 

It is time to now recognize where we went wrong and to recalibrate our fixation with cyber offense at the expense of defense. 

The Biden administration has indicated that it will make cyber diplomacy a foreign policy priority. Do you think that any sort of cyber arms treaty or sort of international set of standards for cyber warfare is within reach of this presidency or even our lifetime? 

It's a really good question and I don't know where I come out on it. I think it's really easy to say, yes, we need a Geneva Conventions for cyber. I mean, in theory, it sounds like a no-brainer. But let's just take Russia, which is basically outsourcing a lot of their hacks to cyber criminals and contractors. And Iran has done the same. And we know China has done the same. They have set up their information warfare systems for maximum plausible deniability. And we just don't have that luxury here because most of the aggressive attacks we're doing are being conducted within United States Cyber Command. So I do see the argument that we can't adhere or expect our adversaries to adhere to an agreement when so much of the dirty work is being done by cyber criminals or contractors that they're outsourcing this work to on the sly. 

Do you think that the SolarWinds hack will cause another reckoning for U.S. cybersecurity defenses?

I think so, and I hope so, and I think it has already begun. Fortunately, President Biden has mentioned cybersecurity more in his first 20 days in office than Trump did in his entire administration. So, you know, there's good progress there, but there's a lot of work to do. And I just hope the book is sort of another wake-up call that puts this all into perspective. 

If there's one lesson you want readers from the policy and government world to take away from this book, what is it?

I think it's just stop making us more vulnerable and take responsibility for the vulnerability that has already been created. Stop thinking that we can outsmart our enemies with active defense. Clearly, SolarWinds showed that failed because it's not as if we learned about the attacks through some great hack or intelligence. We learned about it because FireEye caught the same Russian hackers in its systems and tipped off the government. So clearly this idea that we can outsmart our enemies is no longer true. It's a fallacy and we have to really recalibrate and focus on defense. Otherwise, we're just so screwed.

The keys

Lawmakers say a hacker's attempt to poison a Florida city's water supply raises serious concerns.

Sen. Marco Rubio (R-Fla.) tweeted that the hack on Tampa neighbor Oldsmar “should be treated as a matter of national security,” while Rep. Jim Langevin (D-R.I.) noted the hack is “the type of activity that keeps me up at night.”

The hacker remotely accessed a computer in Oldsmar’s water treatment system and was in the system for three to five minutes, authorities said. There, the hacker boosted the levels of lye, a corrosive chemical, from 100 parts per million to 11,100 parts per million. The change was spotted immediately and reversed, the Tampa Bay Times’s Jack Evans reports.

Local and federal authorities investigating the incident haven’t yet identified who was behind the attack. Oldsmar Mayor Eric Seidel downplayed the risk of the incident, noting that “redundancies in the system” would have noticed the water’s change in acidity.

Researchers have attributed a stealthy new malware to China-linked hackers.

The malware, which “constantly changes its appearance and uses a modified encryption algorithm to evade detection,” is being used by the China-linked BlackTech hacking group, researchers from Palo Alto Networks’ Unit 42 say.

Researchers are calling BendyBear “one of the most sophisticated pieces of Chinese malware discovered to date.” 

The group has been linked to a string of hacks on East Asian governments in recent years. Taiwan says the group, which has gone after important information, is backed by China.

The FBI says it is able to access Signal messages on unlocked phones.

It mentioned the capability in court documents, Forbes’s Thomas Brewster reports. The messages were accessed on locked phones that had been unlocked once but kept on, a state that leaves data more vulnerable to hackers.

Signal has long pushed back against claims that companies such as Cellebrite can hack Signal.

“This isn’t a vulnerability in Signal,” Jun Harada, Signal’s head of growth and communication, said in an emailed statement. “If the FBI is in physical possession of a device and uses an Android or iOS exploit to partially or fully bypass the lock screen, they can interact with the device as though they are its owner and access anything on the phone.” The FBI did not respond to a request for comment.

Researchers and activists also noted that Signal is not designed to protect against attacks on devices. Electronic Frontier Foundation Cybersecurity Director Eva Galperin:

Chat room

Dragos founder and CEO Robert M. Lee noted the Florida hack points to ongoing concerns about the lack of resources dedicated to protecting the water industry:

Lee and former National Security Council cybersecurity policy director Robert Knake had this insightful back-and-forth on whether the hack amounts to an act of war:

Government scan

Cybersecurity agency releases analyses of SolarWinds attacks.

The Cybersecurity and Infrastructure Security Agency issued reports on the Sunburst and Teardrop malware that was used to hack SolarWinds’s Orion software. The Sunburst code, CISA said, “will not run if it detects certain security software running on the target system.” Politico’s Eric Geller called the report on the Sunburst attack “a great reminder of how careful and clever its developers were”:

Google is expanding its election security program to include state campaigns.

The tech company will now provide both state and federal campaigns with free access to two-factor authentication security keys for email, advanced email protection and free security training, it announced in a news release. The company says it distributed more than 10,000 Titan Security Key bundles to more than 140 U.S. federal campaigns through its federal program leading up to the 2020 election.

The program is a partnership with the nonprofit organization Defending Digital Campaigns.

Cyber moves

  • Klon Kitchen, a former aide to Sen. Ben Sasse (R-Neb.) who has been the director of the Heritage Foundation’s Center for Technology Policy, has joined the American Enterprise Institute as a research fellow. Kitchen worked on the creation of the Cyberspace Solarium Commission. 


  • The Election Assistance Commission votes on new voting security guidelines on Wednesday at 10 a.m.
  • Anne Neuberger, the deputy national security adviser for cyber and emerging technology, speaks at a meeting of the National Security Telecommunications Advisory Committee on Wednesday at 1 p.m.
  • Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, and Sue Gordon, a top former intelligence official, testify at a House Homeland Security Committee hearing on cybersecurity on Wednesday at 2 p.m.

Secure log off

The Late Show