The problem with having a Kindle is that when you get tired of reading a book, it’s difficult to take a break from it and come back later. Generally speaking, once I start a book, I want to finish it before I move on to the next one. Unfortunately, although this was fairly well-written, it was a slog to get through, due to the content. Honestly, the subject was enough to bore me to tears, even though I readily (and perhaps, abashedly) admit the importance of it.

The state of the world is frightening, but when you stop to consider the lack of cyber security and the damage that can be done, particularly to necessary infrastructure (power, communications, transportation, etc.), it’s downright terrifying. This is not a fun book to read if you’d rather hide your head in the sand and pretend that everything is just fine. It’s not.

I had heard about this book on the news so when I saw it on Netgalley, I jumped at the opportunity to read it. One of the first things that became apparent to me is that this book is incredibly long (although, again, it may just seem that way to me because it took so long for me to read it). The other realization that is painfully unavoidable is that there isn’t much I can do about it (not the length of the book—the problem of cyber security) .

The author attempts to engage the reader by relating personal experiences with individuals important to the story, and for the most part, it’s an effective way of maintaining interest because most people are interested in stories about people. There was little that she could do to disguise the complicated nature of the events and explanations for why and how they happened. For those of us whose brains don’t work that way, reading about computers, coding, hacking, and the rest is just confusing and, in my case, put me to sleep.

There were a few quotes worth remembering. For example, she shares this one: “The most likely way for the world to be destroyed, most experts agree, is by accident. That’s where we come in; we’re computer professionals. We cause accidents.”

Another quote, at CIA headquarters says: “Organizations can’t stop the world from changing. The best they can do is adapt. The smart ones change before they have to. The lucky ones manage to scramble and adjust, when push comes to shove. The rest are losers, and they become history.” Ouch.

I also learned that “one terabyte is equivalent to a thirty-one mile-high stack of paper, each sheet packed with single-spaced data.” I found that fascinating, but not as much as the fact that in 2011 the Pentagon learned that the security system for which they had paid $613 million to Computer Services Corporation had been subcontracted to another company, Netcrackers Technology, who had subcontracted to programmers in Moscow. Basically, the system was riddled with Russian backdoors and our tax dollars had been used to make this happen. This should be criminal.

The author talks about election security, which is possibly as scary as the potential for adversaries to hack into infrastructure and cause injuries and deaths. Although Russia is not the only country hacking into US elections, they have been one of the more successful. A long-time confidant of Putin, Migranyan is confident that all is going as planned. He said, “Will the U.S. survive past 2025? Your country is hurtling toward the abyss. I feel badly for you!”

Lest we think that the U.S. government, at least, protects its data, by the time I finished this book, I was beginning to suspect that’s not even possible. “The number of attacks on U.S. networks differ (sic) depending on the source, but, for starters, the Pentagon said in 2017 that daily scans, probes, and attacks on the Department of Defense’s computer networks had risen to eight hundred million ‘cyber incidents,’ up from forty-one million daily scans in 2015.”

I might have given this book five stars, but for one issue. I felt the editing left much to be desired. Sentences were clunky and lacked variety (mostly long, convoluted sentences), which added to the laborious nature of the reading tempo. I can accept typos in an ARC and I know that Netgalley warns that books are not in their final state when shared with readers. However, that usually means finding a few errors, mostly typos or spacing issues, maybe formatting. I found those here, and could have let them slide, but I did not believe the actual sentence structure would be changing prior to publication. This is on the editor, not the author.

Overall, the book is definitely worth reading, but if you’re like me, prepare yourself. I’m a fast reader (average a book every day or two) and it took me almost a week to work my way through this one.

“The world is on the precipice of a cyber catastrophe.“ —from This is How They Tell Me the World Ends.

Beginning with zero-days or back doors into famous software like Microsoft Windows, Google and Cisco, hackers have been hacking into our digital information since the 1990s. But the hackers are not nerds living in their mom’s basement anymore. They are elite special forces employed by governments worldwide. Israel, Russia, China, North Korea, and Iran have extensive shadow corps of hackers that have digitally infiltrated into other countries—as does the US.

“It’s like having cyber nukes in an unregulated market that can be bought and sold anywhere in the world without discretion.”

In the United States, the National Security Agency was the world’s best at finding zero-days and coding exploits to use them to secretly move around in other’s systems. That quickly changed in 2016, when their secret weapons were released online by a mysterious group whose members are still unknown today. Aided by the NSA’s gold standard of hacks, other, less friendly, nations began their ascent. First, there were the physical weapon wars like WWI and WWII. Then there was the nuclear deterrent wars called The Cold War. And now there is cyber war. Is it the war to end all wars?

This is How They Tell Me the World Ends is scary—very scary! It is enough to make you stockpile cash and change all your passwords to nonsense words, if you haven’t done so already. While the book is well-researched, it also drags a bit at the beginning. However, it is an important subject written in regular English that everyone needs to read. 4 stars!

Thanks to Bloomsbury USA and NetGalley for a copy in exchange for my honest review.

We’ve all heard about the theft of passwords, personal data and the takeover of systems. How ransomware is crippling the budgets of towns across the country. How hospitals and utilities are caught up in it. But Nicole Perlroth, a New York Times reporter whose beat is cybersecurity, shows how they are all tied together. In her remarkable book that reads like a secret agent thriller, she proves It all boils down to a handful of shady players. And most of them are countries, not criminal masterminds.

In This Is How They Tell Me The World Ends, Perlroth demonstrates with great flair and endless drama that it is Russia, China, Iran and North Korea that are behind almost all the mayhem. And they got all the tools from the United States, which created a market for zero-day exploits, and promptly lost control to the rest of the world. Everyone is using “secret” American tools to invade American systems.

The book traces the birth and development of a strange, disorganized, inefficient and largely unknown market. It trades in software defects that allow anyone to break into a website or a computer system or individual computer, never be noticed, and take control of it from within. This happens in the USA every 39 seconds, she says.

And it is not limited to computers. It works in cellphones, industrial equipment, newer cars, and all the gadgets that make up the Internet of Things, from thermostats to baby cameras, smart doorbells to refrigerators. Even printers can be hacked. Governments can sit and watch documents being printed in a piece of equipment most administrators never worry about.

Hackers can take control of cars from anywhere in the world, wipe hard drives clean, steal address books and passwords, lock up the whole system, change the password to shut out the owner, shut off the electricity while changing all passwords so engineers can’t get back in… it is endless fun in our rush to digitize absolutely everything. Without adequate security.

When the power goes out, the economy stops. ATMs don’t work, bank accounts can’t be checked, credit and debit cards don’t work in stores. Neither will gas pumps, electric rechargers, medical histories, traffic lights, elevators or refrigerators. And if the hackers choose to cripple the power generating facilities and not just turn them off, it could take as long as two years for them to come back online, because electrical substations and generators are all custom designed and built. There is no way to replace them quickly. We are that close to total disaster, all day long.
This is not just theory. Russia does this to Ukraine, at will. It is a reminder of who is running their world, as well as a real world training ground for the hackers back in Moscow. The USA has seen fit to at least threaten this sort of action too, if only to try to stop others from using it on America. It’s another instance of mutually assured destruction, like we needed another one. This one is child’s play and costs essentially nothing. And anyone can participate. It is frightening to Perlroth, and she works hard to make readers feel it too. She succeeds only too well.

The hottest area of hacking is zero-day. Zero-day defects are holes that hackers discover by trying to break into systems. Once they succeed, they need to pretty up the package for sales, making the exploit easy to use, reliable, repeatedly usable, and which keeps the intruder invisible to the IT departments overseeing the target systems. Buyers want exclusivity so no one else can get in, and certainly not the company that made the software or the IT system, as that would spoil the fun when they patched it.

It all began before there was an internet, at the American Embassy in Moscow. The Russians managed to plant small, anonymous-looking bars inside the IBM Selectric typewriters the Americans were so proud of. The bars were transmitters, sending every keystroke made right to Russian intelligence. It meant the Russians didn’t have to bother over sophisticated American encryption, because they saw all the information before it was encrypted. This went on for years until some Selectrics were sent back to the US for inspection.

It was a wakeup call for American intelligence, which correctly saw itself as way behind. Its overreaction was to create numerous spy agencies dedicated to both defense - making sure this never happened again - and offense – doing it to others.

By 1967, there were already official warnings that “computers in an open environment could offer no safety whatsoever.” But the government never acted to change that by regulating computers. Instead, everything became a race to be first, and security be damned. It didn’t matter how buggy the software was; the main thing was to get it out there. The result is a global colander of unreliability. The US government did not insist on quality; anything a company wanted to sell was okay with Washington.

In the early days before mass hacking, it seemed unnecessary to worry about the bugs. Market share was all that mattered, and speed was of the essence (Move fast and break things, Facebook said).

Nothing changed the surveillance game more than Apple’s unveiling of the first iPhone in 2007. “[NSA –ie. government] hackers developed ways to track an iPhone user’s “every keystroke, text message, email, purchase, contact, calendar, appointment, location and search, and even capture live audio and video of her life by hijacking her phone camera or hot-miking her microphone,” Perlroth says.

It is only in the past few years that the biggest companies in the world have woken up to how insecure their products are. For example, Apple famously got out of the password business, leaving it entirely and securely in the hands of the customer. When a terrorist shot up a bar in San Bernardino, Apple refused to help the FBI break into his phone. The Bureau took Apple to court to force it to help. But then the FBI suddenly withdrew its suit, because a hacker supplied it with a zero-day exploit to get around the iOS password system. And the FBI refused to share it with Apple. It liked having exclusive access (The FBI has fewer of these tools than most other agencies, so snagging the Apple exploit was a coup it would not give up for the mere good of all).

The various security agencies (as I recall there are 17 of them, maybe more by now) compete rather than co-operate. They are in a race to stockpile zero-day exploits, hire hackers, and stay ahead of the other agencies. It’s an absurd system that is causing hacker salaries and payments for exploits to skyrocket – all at the expense of the taxpayer.

Sadly, everyone else has plunged in as well. So-called allies like Saudi Arabia and the Emirates are among the most active government hackers invading US systems.
-The Chinese have stolen billions in intellectual property, manufacturing processes, design and patents, by hacking into untold numbers of systems across the country. They tapped Google’s undersea cables to steal tens of millions of passwords, address books, and documents.
-Russia prefers meddling in elections, giving Americans real insecurity about what is true anymore. They are enjoying the wild west of social media and fake news. This has had the (desired) result of making people forego voting altogether.
-The North Koreans are in it for the cash thanks to American embargoes of everything it does. The massive ransomware campaigns that cripple institutions have cost the US economy billions, with most of the cash goes into bitcoin for North Korea. It’s American money that keeps North Korea going.

Mike McConnell, former director of national intelligence put it this way: “In looking at any computers of consequence – in government, in Congress, at the Department of Defense, aerospace, companies with valuable trade secrets – we have not examined one yet that has not been infected.”

As usual, there is constant hypocrisy throughout. For all the noise the USA makes about Huawei telephone equipment providing personal data to the Chinese government, “NSA was doing everything it accused Beijing of doing, and then some.” Perlroth says.

The book becomes overwhelming, which accurately represents Perlroth’s feelings about what she has found. Anyone could tip the whole house of cards over with an errant keystroke. Damage and retaliatory strikes could easily wipe society blank overnight. Perlroth has made sense of it all, dividing the exploits among the players, showing their persistence in damaging the USA, thanks to the USA’s own tools.

It was Edward Snowden who revealed the extent of US aggression. It even hacked Chancellor Angela Merkel’s phone. With friends like the USA, morality has lost all meaning. Soon, hackers were forming companies to sell their services to government agencies. Some dumped exploits publicly, showing the power they had accumulated, and so providing secret tools of the NSA and others to the entire world for free. They have since been used extensively – against the USA.

What is probably most valuable in the book is Perlroth’s assembling of the steps that got the world here. When hackers started finding bugs, they would report them to the company. But rather than gratitude, companies threatened to sue the hackers, for things like copyright infringement. It took a long time for them to realize the hackers were actually doing them a favor. Middlemen began to appear, offering to buy zero-day exploits for a pittance. But in those days, any payment at all was an improvement. As time went on, government began to outbid the middlemen, raising prices substantially. Then at long last, the makers themselves got in on the action, paying even more. They had to, because the government agencies hoarded the exploits for themselves. The last thing government wanted was for the companies to patch the holes. The American government had its own plans for the weaknesses people brought in. And none of it was beneficial to Americans. All along, the companies and their customers lost billions of dollars to invaders and ransomware exploits.

Here’s how it took shape:
-discovering how sophisticated the Russians were in bugging the US embassy.
-taking hackers onboard and purchasing zero-day exploits from them.
-developing offensive weapons like Olympic Games’ Stuxnet to destroy Iranian nuclear production equipment.
-watching as Stuxnet escaped and infected equipment all over the world.
-bored civil service hackers into quitting government and starting their own consultancies, replicating their work for governments and business all over the world, spreading their knowledge over scores of countries.
-working for foreign clients, American hackers broke into First Lady Michelle Obama’s computer, received copies of all her correspondence as it was sent, opening a new era of zero morality and anything for a buck.

Possibly the most famous incident was Stuxnet, a worm created in the USA to pacify the Israelis, who wanted to bomb the uranium enrichment plant Iran had built 30 feet underground. The worm worked beautifully. It caused vast numbers of centrifuges to spin out of control and break down. Because the machines were not very reliable anyway, it took the Iranians a while to realize there was something more wrong than usual. And then it backfired. The worm escaped, infecting every machine it could find, doing all kinds of damage all over the world. America had unleashed the first cyber plague, all by itself.

There are truly idiotic passages in the book, in which hackers, middlemen, agencies and manufacturers decide who should see the exploits, who should be allowed to buy them and who should hire themselves out to redeploy them for the new buyers. Their bizarre rationales and attempts to be moral are laughable. Who is trustworthy, who is an ally, whose policies are moral are all ephemera. How is a hacker to judge who would be an acceptable client? What is to prevent that acceptable client from then passing it on to an unacceptable accomplice? And will the client still be acceptable tomorrow? (It reminds me of a Mort Sahl line: “Anyone who consistently holds a foreign policy position in this country must eventually be tried for treason.”)

The bigger players all understand their power: “The most likely way for the world to be destroyed is by accident. That’s where we come in; we’re computer professionals. We cause accidents,” one major player told Perlroth. And back in the USA, the competing agencies are so narrowly focused, they have missed the forest: “We are looking through straws at a much bigger problem,” she quotes John Hultquist, threat analyst and director of intelligence at FireEye.

Perlroth is not having a good time with all this. Her life seems to be a series of chases and investigations every time a break in occurs somewhere. It could be Iranians trying to take over the controls of a dam, the Chinese inside a nuclear power plant, Russians playing with the banking system, or North Koreans extorting money from a hospital. This is her daily grind and it is stressful and depressing. She begs readers several times to download and install the patches companies are forever offering, no matter how often, and how big a pain they are. It is necessary and it is critical. Everything is at risk.

On the other hand, she says one of the most sophisticated ways hackers have of invading systems is by piggybacking on automatic updates and installing their malware as part of the update download.

One important takeaway for Perlroth is that online voting should be banned right now before it takes hold anywhere. It would be the fattest target for thousands of hackers worldwide, and nothing can be done to make it secure at this time. Vendors claiming their systems are totally secure clearly can’t be trusted.

The USA is entirely at fault. Perlroth says it “spawned and sponsored” the hacker market for decades. It never devised a national policy on cybersecurity. There are no laws or regulations to follow. Donald Trump closed down the only vestige – the Office of Cybersecurity Co-ordination – in 2018. America does not require companies to certify the security of their wares. It does not regulate the sale of discovered flaws. No one speaks for the United States in the field of cybersecurity. It is anarchy – everyone going in their own direction. The market is a joke, with prices for exploits going from two digits to seven. Everyone is waiting to take advantage of young hackers, too.

Perlroth says other countries, even more digitized than the USA, suffer far fewer attacks because they regulate and require testing. Norway, Denmark, Sweden, Finland and Japan are the best at it. The USA is everyone’s favorite target, because it’s so easy, and the pickings so rich.

One thing that’s missing from Perlroth’s excellent and fast-reading account is the very nature the people making all the discoveries. They are not Phds, rocket scientists or math whizzes. They are almost always kids and young men. They are often unemployed or working gigs or menial jobs. In other words, there are no qualifications to get into this business. There is no certificate. There is no internship. The barrier to entry is lying in a ditch. Anyone can do it. For government agencies to be bidding against each other for these bugs and exploits and hackers is madness.

Mandate every company to employ a team to run penetration tests and spend the rest of their time trying to break into their own systems. That would go a long way to stopping the chicanery in advance. Patching purchased flaws is a billion dollar business that should not even exist. But the USA won’t play. Sadly, its agencies see too much benefit in keeping it chaotic.

Last but not least, Perlroth feels vulnerable herself – physically. It used to be that the USA would protect and defend its investigative journalists. It had their backs. Snatching an American journalist off the streets would automatically have created an international incident. It was, she says, invisible armor. No more. Journalists are on their own. Don’t bother calling. In the shady world of international hacking, this adds untold risk.

Such is the state of the miasma the USA has created for the whole planet in cyersecurity.

David Wineberg

This is by far the best book I've read on cyberweapons & about how zero days get bought and sold, who's buying them, & and who's discovering them. This is not a dry infosec book at all, as there were multiple nights where I found myself reading way past when I should've gone to bed. This book raises some tough questions about the ethics of the cyberweapons trade and does not hold back in rightfully pointing out some of the major missteps by governments, corporations, & hackers. There are also some terrifying stories about the capabilities of cyberweapons that nations could potentially use. Essentially, quite a few countries have the cyber equivalent of nuclear weapons all pointed at each other. This book tells how we got to this point.