The failure to deactivate the account of a former employee was enough for a critical US energy company to be floored by an attack by malevolent hackers. For a water company in Florida it was poor housekeeping, old software left running without patches, that opened the way to disruption of supplies.
These are just two of the examples given by Nicole Perlroth of how small, seemingly innocuous holes or glitches in corporate IT networks and management policies can become the gateways to much bigger disasters, whose consequences can reach far beyond the realm of one company or institution. In a hyperconnected world, once a hacker gains a digital toe in the door their ability to wreak destruction and havoc across a much broader field is considerable — as Perlroth details in her book, This Is How They Tell Me the World Ends, winner of the Financial Times and McKinsey Business Book of the Year for 2021.
The book is a chilling tale of the dangers posed by inherently vulnerable IT systems that now sit at the centre of a rapidly escalating global cyber arms race. The players in this nebulous world, which Perlroth covered for 10 years from Silicon Valley as a cyber security reporter for the New York Times, are no longer just criminals or lone mischievous bedroom-based hackers, but increasingly nation state actors with clear aggressive intent.
Since finishing the book, which was published earlier this year, the situation has only worsened. In particular the pandemic and the associated move towards working from home and hybrid working arrangements has presented criminals or hostile state actors with further opportunities to exploit stretched IT systems. “The attack surface has widened,” she says.
In the midst of it all is a wild and nebulous market, where hackers trade their knowledge of holes and vulnerabilities in networks and operating systems. Known as “zero days” because the vendor has had no days to fix them, and so no patch exists, these flaws have moved from the margins to become one of the main areas of operation for malevolent activity: an exploit that breaks into a smartphone’s operating system, say, can sell for millions of dollars.
“It’s a healthy market,” explains Perlroth. It comes with one key proviso: participants never talk about it, because once a vulnerability becomes known the vendor moves quickly to fix it, and the exploit that depended on it becomes worthless.
The book opens with Perlroth arriving in Ukraine after the country has been the victim of a sustained and broad-based cyber attack, orchestrated by Russia. In what she describes as “ground zero for the most devastating cyber attack the world has ever seen” government agencies, transport systems, cash machines and utilities have all been hit.
Perlroth’s bigger point, however, is that these events are not just things that happen in faraway places. Rich, industrialised, highly networked and digitally dependent countries, such as the US and the UK, are especially vulnerable and ill-prepared. “There is no cavalry,” she says, adding that she wrote the book because she wanted to “wake people up”. The scale of the threat, as she sees it, is captured in the book’s title. Without change “we are in for some calamitous, cyber-induced event that will take us all down or we will be where we are now, which is death by a thousand cuts”.
Governments, business and individuals are all part of the problem. State-directed offensive cyber strategies often depend on stockpiling, rather than disclosing, flaws in widely used software so that they remain available to exploit. Businesses often see cyber security as a cost centre that needs to be kept under tight control. Individuals typically feel that they don’t have a meaningful role in a much bigger conflict.
That, says Perlroth, needs to change fast, not least as the advent of artificial intelligence will only make the situation worse, if not irreversible. Policymakers need to recognise that future geopolitical conflicts “will play out as a cyber war or have a strong cyber component”. The country that wins “will look a lot like a digital Israel”, she says. “A country that can continue to run its most basic services while surrounded by hostile activity.” The US and Britain, she adds bluntly, are not in that state. “Unless we up our cyber defences we won’t win any more wars.”
Businesses need to hold themselves more accountable. Boards need to ask their chief information officers and security officers: “Will we be affected by the next nation state conflict, will we withstand it, or will we unwittingly be the front line in that conflict?”
“You might not think that you are a target as a business. You might think your own data is protected. But if you’re not watching what’s happening on your network you could be used as a conduit for a nation state espionage operation,” says Perlroth. “You could be the lowest common denominator.”
In terms of what businesses can do, a number of necessary actions are fairly straightforward — and already known. These include educating employees not to click on attachments and links, providing training against phishing and other common hacking tactics, introducing two factor authentication and regular changing of passwords (though current guidance such as NIST SP 800-63B favours long, unique passwords checked against known-breached lists over forced periodic rotation). In other words, as Perlroth puts it: “All of the things we have been told time and time again we need to do but are annoying. We need to make them a priority.”
But there is much more that needs to be done. This is why Perlroth herself has decided to leave journalism and join the US government on a two-year assignment as an adviser to a new cyber security agency at the Department of Homeland Security. The group brings together people from politics, public administration, the tech world and experts such as Perlroth.
She believes that as a journalist in Silicon Valley she was well-placed to be a “connector” and “translator” between different worlds and actors that have often found it difficult to communicate and work with each other. “We have to work together — business and government — to hack our way out of this mess. That involves a level of collaboration and co-operation that we may never have seen in the west.”
Frederick Studemann is the FT’s literary editor