This book was a long but fascinating read, and I ended up giving it a 5/5. This Is How They Tell Me The World Ends goes in 1000 different directions in terms of topics and content, but largely kept my interest throughout its entirety. Primarily, this book is about zero-day vulnerabilities. They’re a little hard to explain, but I actually found a pretty good definition on Wikipedia:
A zero-day (also known as a 0-day) is a vulnerability or security hole in a computer system unknown to its owners, developers or anyone capable of mitigating it. Until the vulnerability is remedied, threat actors can exploit it in a zero-day exploit, or zero-day attack.
—Wikipedia, “Zero-day vulnerability”
Much of the book focuses on the history of zero-day vulnerabilities and exploits, and the threat actors that use them. There’s a lot of interesting history of American and foreign intelligence agencies (e.g. Iran, Russia, China, NK), the Stuxnet and NotPetya attacks, the history of zero-day exploit markets, interviews with high-level cyber personas, and much more. The book makes it incredibly obvious that Nicole Perlroth (the author) has done a lot of research into these things.
If you have a background in cybersecurity, I highly recommend this book. Even if you don’t have that kind of background, Nicole Perlroth does a great job of making the core concepts easily digestible; the focus is on the history, not the technical details of cyber warfare.
I will warn you that this book is not optimistic. I mean, read the title. One of the main points in the book is that the world is just not ready for cyber warfare. Utility companies, militaries, governments, journalists, and practically all organizations are extremely vulnerable to cyberattacks. I facepalmed several times while reading this book at the ridiculous level of vulnerability we find ourselves in. Several nation-states have exhibited both the capability and intent to utilize destructive cyber warfare, and it’s only going to get worse. Only the best of the best software and hardware companies are able to successfully block cyberattacks. Even then, it’s only temporary; even the most secure software is only 1 zero-day away from being compromised, and there are tens of thousands of hackers around the world looking for that next zero-day, ready for a massive payoff when they find it.
The state of the world is best summarized in this paragraph from the epilogue:
But in the two decades since 9/11, the threat landscape has been dramatically overhauled. It is now arguably easier for a rogue actor or nation-state to sabotage the software embedded in the Boeing 737 Max than it is for terrorists to hijack planes and send them careening into buildings. Threats that were only hypothetical a decade ago are now very real. Russia proved it can turn off power in the dead of winter. The same Russian hackers who switched off the safety locks at the Saudi petrochemical plant are now doing “digital drive-bys” of American targets. A rudimentary phishing attack arguably changed the course of an American presidential election. We’ve seen patients turned away from hospitals because of a North Korean cyberattack. We’ve caught Iranian hackers rifling through our dams. Our hospitals, towns, cities, and more recently, our gas pipelines have been held hostage with ransomware. We have caught foreign allies using cyber means to spy on and harass innocent civilians, including Americans. And over the course of the coronavirus pandemic, the usual suspects, like China and Iran, and newer players, like Vietnam and South Korea, are targeting the institutions leading our response.
In the book’s epilogue, the author does make some suggestions on how the situation could improve, and what should be done:
- We must lock down the code… part of the problem is that the economy still rewards the first to market… but speed has always been the natural enemy of good security design. Our current model penalizes products with the most secure, fully vetted software.
- We now need to take… a “defense in depth” approach… today, most software developers and companies still do the bare minimum, testing code only to make sure it works. Security engineers need to be brought in from the start to conduct sanity checks, to vet original code and any code borrowed from third parties.
- …open-source protocols have become critical infrastructure and we barely bothered to notice.
- the Cyber Solarium Commission… recommended the creation of a new National Cybersecurity Certification and Labeling Authority that would give consumers the information needed to assess the security of the tech products and services they buy.
- …use different passwords across different sites and turn on multi-factor authentication whenever possible.
- Our elections. They cannot be conducted online. Period… To date, there is not a single online voting platform that security experts… have not hacked.
- The United States needs to reestablish a national cybersecurity coordinator, the position that the Trump administration eliminated in 2018.
- Perlroth generally suggests that the USA’s VEP (vulnerability equities process) should be more strict; that is, the gov’t should not be able to hold onto so many zero-days for so long. However, Perlroth admits “It would be naive… to require intelligence agency to turn over every single zero-day they find.”
Takeaways
- Catastrophic cyberattacks on critical infrastructure and other critical organizations have already happened, and will continue to happen. Any company that uses computers to any capacity needs to drastically ramp up security to prevent this ticking time bomb. Chances are, if your company has any value, you’re already compromised by multiple threat actors.
- Even the best hardware or software is only 1 zero-day away from being compromised, and it will be found, and patched, and another found, and patched again endlessly.
- After Stuxnet, the entire world woke up to the power of zero-days. The world will never be the same. Governments around the world will continue to purchase, stash, and utilize zero-days for their own benefit.
- The vast majority of cyber attacks— 98% — start with phishing attacks that contain no zero-days, no malware.
- Congress has failed, time and time again, to pass any meaningful legislation requiring the companies that manage our most critical functions meet basic standards.