16 February 2021

U.S. Cyber Weapons Were Leaked — And Are Now Being Used Against Us, Reporter Says

By TERRY GROSS

In December 2020, a U.S. cybersecurity company announced it had recently uncovered a massive cyber breach. The hack dates back to March 2020, and possibly even earlier, when an adversary, believed to be Russia, hacked into the computer networks of U.S. government agencies and private companies via SolarWinds, a security software used by many thousands of organizations in the U.S. and around the world.

New York Times cyber security reporter Nicole Perlroth calls the SolarWinds hack "one of the biggest intelligence failures of our time."

"We really don't know the extent of it," Perlroth says. "What we know is that this thing has hit the Department of Homeland Security — the very agency charged with keeping us safe — the Treasury, the State Department, the Justice Department, the Department of Energy, some of the nuclear labs, the Centers for Disease Control."

Perlroth says the fact that the breach went undetected for so long means that the hackers likely planted "back door" code, which would allow them to re-enter the systems at a later date.

"We're still trying to figure out where those back doors are," Perlroth says. "And that could take months, if not years, to get to the bottom of."

In her new book, This is How They Tell Me The World Ends, Perlroth writes about the global cyber weapons race and how the U.S. went from having the world's strongest cyber arsenal to becoming so vulnerable to attack.

"We are one of the most advanced, if not the most advanced cyber superpower in the world, but we are also its most targeted and its most vulnerable," she says.

Part of the problem, Perlroth says, is that the U.S. has spent more energy on hacking other countries than on defending itself.

"We really need to make a decision as a society and inside government to stop leaving ourselves vulnerable," she says. "We have to take our own security seriously. We also have to stop leaving gaping holes in software that could be used by adversaries to pull off some of these attacks."

On SolarWinds, the cyber security company through which the hackers entered, which used the password "solarwinds123"

Their security was just not up to snuff. We learned that they had really basic passwords. We learned that they were warned as far back as two years before this attack began that if they didn't take their security more seriously, it could be catastrophic.

When I started calling up some of the victims of this attack, many of them didn't even know they used SolarWinds software until it came out that the company was breached. ... So what we were looking at really was a company that didn't have very good security, but that was touching some of the most sensitive systems we have. This was used inside the Pentagon. The NSA used that. We know that the Treasury used it and all the other victims that are coming out, including our utility companies.

On how the SolarWinds hackers may have accessed Black Start, the name of U.S. plans to restore power in the event of a catastrophic blackout

Originally when this hack was discovered, one of the bright spots was that they believed that the hackers had not made their way into classified systems. But what I kept hearing from security researchers and people who worked at these agencies was just how much vulnerable data was outside these classified systems. And one of those things was Black Start.

Black Start is just a very technical document. And it's essentially a to-do list. If we were able to have a major power failure, it says, you know, we're going to go turn on the power here first, then we're going to move over here and do this. And with that document in hand, that could be very valuable for an adversary because it would essentially give them the perfect hit list to make sure that the power stayed off.

On a recent cyber attack on the water supply in Oldsmar, Fla., in which hackers attempted to increase the amount of lye in the drinking water

I think it's just a wake-up call in general that a lot of these facilities allow contractors and engineers to get in, get remote access from miles away or across the country. And I think we need to start rethinking that access. Do we really want strangers being able to get into these systems from afar? And I think right now would be a good time to ask ourselves. And I think the answer is probably no.
This is really dangerous.... They increased the amount of lye in the water from 100 parts per million to 11,000 parts per million. - Nicole Perlroth

This is really dangerous. You know, they increased the amount of lye in the water from 100 parts per million to 11,000 parts per million. It just so happened that there happened to be a software engineer sitting at his computer watching his cursor move around on his screen and then later watched someone go into these functions and upped the amount of chemical. Had that not happened, then we would have been looking at an attack that would have badly sickened a lot of people.

On what a "zero day" is

A zero day is just a hole in software that hasn't been discovered yet. And, you know, once these zero days are discovered, they get patched, and a patch gets rolled out via your software updates. But if a government discovers this hole first, then it can be used for espionage, it can be used for cyber weapons.

And so for a long time, we have recognized the sort of espionage and battlefield potential of a zero day. And starting in the 1990s, I learned through the process of reporting out this book, that the U.S. government was actually actively paying hackers and defense contractors to find these zero days to write them into reliable exploits that they could use to spy on our adversaries. Or to essentially drop a cyber weapon into their systems if we needed to one day.

On the underground market for buying and selling cyber vulnerabilities

Hackers can find a zero day in a critical system like Microsoft or maybe your Apple iPhone software, and they have a decision — they can give that vulnerability to Microsoft or Apple, which these days will pay them small bounties for turning that over, or they can fetch much higher rates by giving that zero day to a digital arms broker essentially, or by selling it directly to a government.

Because governments recognize that these zero days have tremendous espionage potential, they're willing to pay as much as 2 million to 3 million dollars these days for a major zero day in your iPhone or Android phone software. And it's not just the United States, although the United States was the first government to essentially start paying hackers to turn over these zero days and then stay very quiet about them by forcing them to sign nondisclosure agreements. And later, many of these programs were classified.

But over the last 10 years, this is not just a U.S. government market anymore. ... It's a broker for the United Arab Emirates and Saudi Arabia that pays top dollar for a way to get into your iPhone. So this market's really drifted outside U.S. control or even, you know, the control of our Western allies.

On the U.S.'s reluctance to sign a treaty banning hacking

The United States has been very hesitant to sign on to any cyber treaty or even any norms that would prevent the United States from hacking into the infrastructure in other countries. And part of this is just that the United States for a long time has been the most advanced player in the space. So by signing on to any kind of agreement to not hack each other's infrastructure, I think the theory was that we would be handcuffing ourselves. But right now, the problem has gotten so bad ... that I think there may be an opportunity here to come up with new rules of the game, to say maybe, OK, we won't agree to hack each other's critical infrastructure, but you cannot attack hospitals. You cannot attack the controls at our nuclear plants without some kind of repercussions here or some kind of international repercussions. So that might be a good place to start.

But I would be very surprised if we came up with or agreed to some kind of treaty that held us back. And one of the things U.S. officials will say is, sure, we could agree to a treaty. But the fact is that here when we do our own attacks, they're done inside Cyber Command, at the Pentagon.

In China and Russia and Iran, they outsource that work to contractors, to cyber criminals. And so even if those countries agreed not to pull off a grid attack, for instance, there's not much keeping these sort of lower tier contractors and cyber criminals from doing those government's dirty work for them.

On why she prefers to live "off the grid" in a cabin

There's no smart fridges here. There's no Alexa. Our wireless system is really poor and there's no baby monitors here either. And that's not the case at my home in the Bay Area. And so I ended up just writing a lot of the book up here just because it was a peaceful place to get away from my two year old. But also, as I started to look around, I just felt a lot more safe here as I was sort of just diving into the vulnerabilities of our everyday software that we rely on.

When I first started covering this beat, everyone was warning me to worry about webcams and worry about this. And, yes, I have a piece of tape over my webcam. But what sadly happened over the last 10 years is I've covered an attack that's hit every one of these things. ...

These are no longer like hypothetical scenarios. You're not a tinfoil hat person to be suspicious of some of these devices. They have and will continue to be used for espionage and surveillance. And because I cover these things all the time, I just feel much safer in my cabin in the woods.

Amy Salit and Seth Kelley produced and edited the audio of this interview. Bridget Bentz, Seth Kelley and Meghan Sullivan adapted it for the Web.

Copyright 2021 Fresh Air. To see more, visit Fresh Air.

TERRY GROSS, HOST:

This is FRESH AIR. I'm Terry Gross. The world is on the precipice of cyber catastrophe, and everything is vulnerable, including our government, our nuclear power plants, elections, power grid, hospitals and our cellphones. How we went from having the world's strongest cyber arsenal to becoming so vulnerable to cyberattack is the subject of my guest, Nicole Perlroth's new book, "This Is How They Tell Me the World Ends: The Cyberweapons Arms Race."

She's a cybersecurity reporter for The New York Times who has broken many stories. Her book describes how U.S. cyberweapons were hacked and used against us in ways we were unprepared for. Lately, she's been covering the latest massive cyberbreach in which an adversary, assumed to be Russia, hacked into federal agencies, private corporations and the U.S. infrastructure. The attack was launched in 2019 and went undetected until the fall in what was described in her reporting as among the greatest intelligence failures of modern times.

Nicole Perlroth, welcome to FRESH AIR. Let's start with the recent massive data breach that was discovered in the fall that is still being investigated. Describe the extent of it.

NICOLE PERLROTH: Well, the biggest problem is we really don't know the extent of it. We know that it came in through software that's used by some 18,000 agencies, corporations - and that actually they did not hack all 18,000. They sort of picked and chose their targets. But in the United States so far, what we know is that this thing has hit the Department of Homeland Security, the very agency charged with keeping us safe; the Treasury; the State Department; the Justice Department; the Department of Energy; some of the nuclear labs; the Centers for Disease Control.

And the problem is that they were inside these systems for so long that the chances are very likely, if not guaranteed, that they planted backdoors. And so it - right now, we're just understanding that they were inside for this long. We're still trying to figure out where those backdoors are. And that could take months, if not years to get to the bottom of.

GROSS: For listeners not familiar with the term backdoors, what are they?

PERLROTH: Backdoors are just code that, in this case, we assume Russian hackers planted that just allow them a foothold to come back at another time. And they can be in the network. They could be stealing an administrator's password. They could have planted code in software in another application that lets them come in at a later date.

GROSS: They may have hacked Black Start, which is the program for how the U.S. plans to restore power in the event of a catastrophic blackout. So that means if they did hack that, that if Russia causes a blackout, they could also prevent us from restoring the power grid. Do I have that right?

PERLROTH: Yeah. So originally when this hack was discovered, one of the bright spots was that they believed that the hackers had not made their way into classified systems. But what I kept hearing from security researchers and people who worked at these agencies was just how much vulnerable data was outside these classified systems. And one of those things was Black Start. So Black Start's just a very technical document. And it's essentially a to-do list. If we were able to have a major power failure, it says, you know, we're going to go turn on the power here first, then we're going to move over here and do this. And with that document in hand, that could be very valuable for an adversary because it would essentially give them the perfect hit list to make sure that the power stayed off.

GROSS: This story that you're describing about how many places were hacked by Russia, this is very dangerous. This is - this leaves us really vulnerable. It shows how vulnerable we are. And they could have done so much more. The story has been reported. You've been reporting on it. Should we be a lot more upset and worried than we are as a nation?

PERLROTH: Well, one of the things that people have said to sort of caveat the extent of this breach is, well, you know, this was designed for espionage. It really looks like they were after emails and documents; they weren't looking to exact some kind of sabotage. But the problem with that argument is they can use the same exact access they have right now for other purposes. And they have done that, again, in Ukraine. Ukraine has sort of been Russian hackers' test kitchen for a lot of these attacks. And you know, the last time they pulled off a similar attack to this, where they came in through legitimate software, they used it to pull off an attack that essentially decimated all of the data in Ukraine on government networks, but also kept people from taking money out of ATMs, kept people from going to gas stations, kept shipments from reaching their recipients, kept paychecks from getting to their recipients and even at one point got into Chernobyl, the old nuclear site's radiation monitoring systems.

So we know what they are capable of with this kind of access. And that is the worst-case scenario. But just sticking with what we know, which is they got into these systems for espionage, I mean, essentially what the Biden administration just inherited was federal IT networks it cannot trust. And that is a pretty difficult predicament to be in.

GROSS: What has the speculation been about what Russia's motives are?

PERLROTH: Well, I think right now what we assume they were doing was getting after emails and potentially trying to get as many sensitive documents as they could - so traditional espionage. Now, I should stop here and mention that the U.S. does these exact kind of operations, which makes it very difficult to try to calibrate a response. You know, how do you respond to an adversary doing to you what we have long done to them? But the question is, where have they planted these backdoors? When could they come back? How do we ensure they don't get into more sensitive systems, into classified systems?

And, you know, another major target for this that we still really have only scratched the surface of is, did they get inside our critical infrastructure, too? We know that a lot of electrical utilities used the same SolarWinds software that allowed these hackers to get into our government agencies. So right now, when you talk to these utility companies, they are just ripping out their software, trying to understand if they were compromised, too. You know, what else touches their networks? Where else are they vulnerable? So it's been a big wake-up call, not just for governments, but for critical infrastructure operators, too.

GROSS: The Russians got into our system in this hack through a cybersecurity company called SolarWinds. It's an IT management company. And SolarWinds products are used by the military, the Pentagon, the State Department, the executive office of the president, some telecommunication companies, even the National Security Agency. How did Russia use SolarWinds to hack all these systems?

PERLROTH: What happened was these Russian hackers got into the build process at SolarWinds. This is the process whereby SolarWinds engineers create, test and roll out their software to customers. And so customers all over the world updated their software, just as we're supposed to do, with the latest SolarWinds software. But instead of getting SolarWinds software, what they got was what we assume to be a Russian backdoor. And once they got into these systems of interest, they moved around and planted new tools that would allow them backdoor access to these systems and allowed them to crawl into things like their Microsoft email, services, et cetera.

GROSS: We are all told to use complicated passwords that aren't intuitive to protect our security. My understanding is that the password for SolarWinds was solarwinds123.

PERLROTH: That's right. And we're learning a lot about SolarWinds. I think SolarWinds is learning a lot about SolarWinds right now. They actually have a new CEO who just started. But what we learned was, yes, their security was just not up to snuff. We learned that they had really basic passwords. We learned that they were warned as far back as two years before this attack began that if they didn't take their security more seriously, it could be catastrophic. Now, when I started calling up some of the victims of this attack, many of them didn't even know they used SolarWinds software until it came out that the company was breached and uses this Russian conduit.

So what we were looking at really was a company that didn't have very good security but that was touching some of the most sensitive systems we have. I mean, this was used inside the Pentagon. The NSA used it. We know that the Treasury used it and all the other victims that are coming out, including our utility companies. And one of the things that also struck me was, you know, most of their software build operations were not in the United States anymore even, they were in Eastern Europe. Now, that's not to say Eastern Europe is fundamentally dangerous. But it's just interesting that only now, after the fact, are we learning that we had the software in most government IT systems built elsewhere that really didn't have good security practices in place. And now we're seeing the repercussions from that play out every day.

GROSS: And what does it say that this breach was discovered not by our own intelligence community, but by a private cybersecurity company called FireEye?

PERLROTH: Well, I think that's what makes this one of the biggest intelligence failures of our time. You know, what happened here was FireEye discovered that it had been hacked, and to its eternal credit, it came out with that right away. And as it started unwinding this attack on its own systems, it realized that one of the conduits to getting into FireEye's networks had been SolarWinds. And so it was able to basically alert Microsoft and all of these technology companies and the government that SolarWinds had essentially been used as a backdoor for this attack.

GROSS: Do you think this does not speak well of our government cybersecurity protections?

PERLROTH: It does not speak well to our government cybersecurity protections. I mean, we are one of the most advanced, if not the most advanced cyber superpower in the world. But we are also its most targeted and its most vulnerable because we are so virtualized here. And we have spent way more energy on offense - and by offense, I mean hacking others - than we have on doing the really grueling and hard work to put up smart defenses. And there's never been a time that that hasn't been more glaringly clear than what we're unwinding now with the SolarWinds attack.

GROSS: Let me reintroduce you here. If you're just joining us, my guest is Nicole Perlroth, a cybersecurity journalist for The New York Times. Her new book is called "This Is How They Tell Me The World Ends: The Cyberweapons Arms Race." We'll be right back after a break. This is FRESH AIR.

(SOUNDBITE OF MUSIC)

GROSS: This is FRESH AIR. Let's get back to my interview with Nicole Perlroth, a cybersecurity journalist for The New York Times. Her new book about the cyberweapons arms race is called "This Is How They Tell Me The World Ends."

Do you know anything about President Biden's plans to deal with cybersecurity and to come to some kind of agreement with Russia and other adversaries that we won't attack each other and control the other country's infrastructure and power grid?

PERLROTH: So we know that Biden has made cybersecurity a top priority. We know he squeezed $10 billion in additional cybersecurity funding into his COVID recovery bill. We know that he has brought this up with Putin directly and their first phone call. We know he - there are new positions that were created from the latest defense bill. And he's brought in Ann Neuberger from the NSA to essentially debrief him on just how bad the threats from cyber vulnerabilities are and to try and come up with a real working plan here. But what we also know is that the United States has been very hesitant to sign on to any cyber treaty or even any norms that would prevent the United States from hacking into the infrastructure in other countries.

And part of this is just that the United States for a long time has been the most advanced player in this space. So by signing on to any kind of agreement to not hack each other's infrastructure, I think the theory was that we would be handcuffing ourselves. But right now, the problem has gotten so bad. You know, we know Russia has hacked our grid. We know that they have gotten into the switches that control the nuclear plants and power plants. We know that Russian cyber criminals have locked up our hospitals. People have not been able to get chemo treatments because of attacks on hospitals, cyberattacks on hospitals.

So the problem has gotten so bad that I think there may be an opportunity here to come up with new rules of the game to say maybe, OK, we won't agree to hack each other's critical infrastructure, but you cannot attack hospitals. You cannot attack the controls at our nuclear plants without some kind of repercussions here or some kind of international repercussions. So that might be a good place to start. But I would be very surprised if we came up with or agreed to some kind of treaty that held us back. And one of the things U.S. officials will say is, sure, we could agree to a treaty. But the fact is that here, when we do our own attacks, they're done inside Cyber Command at the Pentagon. In China and Russia and Iran, they outsource that work to contractors, to cybercriminals. And so even if those countries agreed not to pull off a grid attack, for instance, there's not much keeping these sort of lower-tier contractors and cybercriminals for doing those governments' dirty work for them.

GROSS: That's very worrisome. There's also been a proliferation of ransomware attacks. Over 600 towns and cities in America have been held hostage by ransomware between 2019 and 2020. Do we know who's behind that? Is that an organized effort? Is it coming from Russia?

PERLROTH: So most of it is coming from cybercriminals. There is one criminal group in particular that uses an infrastructure called TrickBot. And they'll sell access to other cybercriminals who use that as a conduit to pull off their attacks. And we know that in a lot of cases, their code is designed to avoid targets in Russia. So you can assume, you know, that that means many of the people pulling off these attacks are based in Russia. But beyond that, I mean, these are, for the most part, cybercriminals. What came to be a major concern going into the election with ransomware was that there is some fuzziness and has been for a very, very long time between Russia's cybercriminals and Russia's intelligence agencies.

So, for instance, when Yahoo, the technology company, was breached by Russian hackers, we learned that essentially the attack was four people, two of whom were cybercriminals and then two of whom were Russian intelligence officials. And they essentially allowed Russia's cybercriminals to mine whatever they were going to do for profit, but then they also used their access to do things like try and spy on people who worked inside the White House. So there's been sort of this tacit agreement in Russia between cybercriminals and the state. And so even though a lot of these attacks and most of them definitely are cybercriminals, we worried that cybercriminals might be used to enable some kind of state activity on our election infrastructure going into 2020. But fortunately, that never happened.

GROSS: Nicole, this week we learned hackers tried to poison the water supply of a town in Florida - Oldsmar, Fla. - by dramatically increasing the level of lye in the water in a water treatment plant. Now, the hack was detected before it did any damage, before it reached the drinking supply. But as we record this on Tuesday afternoon, February 9, we don't yet know who was responsible. It could be an act of terrorism. It could be a disaffected teenager. It could be a foreign adversary. But whoever it was, should we take this as a warning about how vulnerable we are?

PERLROTH: I think that's just another wake-up call of several we've had recently, but this is the targets we worry about. You know, a small town's water treatment facility is not going to have the same security in place as a PG&E, for example, and are not going to be as resourced or have the budgets to protect their systems. In this case, it's a good sign that they were able to catch it. But I think it's just a wake-up call in general that a lot of these facilities allow contractors and engineers to get in, get remote access from miles away or across the country. And I think we need to start rethinking that access. Do we really want strangers being able to get into these systems from afar? And I think right now would be a good time to ask ourselves. And I think the answer is probably no.

GROSS: I think this is the first hack of its kind that got as far as it did, even though it didn't get that far. Have there been a lot of other attempts to poison the water supply by hacking the water treatment plant?

PERLROTH: There's only one that I know of. And it was in Israel at the beginning of the pandemic, right when they first issued their stay-at-home order. They accused hackers in Iran of getting into a water treatment facility in Israel. And they actually responded a month later with a disruptive cyberattack on an Iranian port. But this is really dangerous. You know, they increased the amount of lye in the water from 100 parts per million to 11,000 parts per million. So had it not been caught when it was - and it just so happened that there happened to be a software engineer sitting at his computer watching his cursor move around on his screen and then later watched someone go into these functions and upped the amount of chemical. Had that not happened, then we would have been looking at an attack that would have badly sickened a lot of people.

GROSS: Let me reintroduce you here. If you're just joining us, my guest is Nicole Perlroth. She's a cybersecurity journalist for The New York Times and author of the new book, "This Is How They Tell Me The World Ends." It's about the cyberweapons arms race. We'll be right back after we take a short break. I'm Terry Gross, and this is FRESH AIR.

(SOUNDBITE OF WAYNE HORVITZ'S "IN FIELDS THEY LAY")

GROSS: This is FRESH AIR. I'm Terry Gross. Let's get back to my interview with Nicole Perlroth, a cybersecurity journalist for The New York Times and author of the new book "This Is How They Tell Me the World Ends." It's about the underground cyber arms industry and how the National Security Agency's own cyber arsenal got into the hands of our adversaries, everything from our government to our nuclear power plants, the power grid, our elections, private companies, hospitals, our cellphones. They're all vulnerable. She's been covering the latest massive cyber breach in which an adversary - assumed to be Russia - hacked into federal agencies, private corporations and U.S. infrastructure.

One of our greatest strengths, our cyber weapons, has become one of our greatest vulnerabilities because those weapons have been stolen by hackers and by government hackers and used against us. What kinds of cyber weapons were stolen from us?

PERLROTH: So back in 2016, a group - we still don't know who they are, but they call themselves the Shadow Brokers - started trickling out some of the NSA's tools. Now, some of these were ways into firewalls like Cisco's firewalls that we use to protect our networks. And then later in 2017, they really dropped what were essentially the NSA's crown jewels. What they dropped was a vulnerability in Microsoft software and the NSA's code to exploit it, which essentially allowed any government with that tool in its hand to get inside enemy networks and once inside sort of supercharge their code so they didn't have to go and attack each system manually. Essentially, the code allowed them to travel and automate their attack to exact mass destruction.

Now, the NSA was using that tool for counterintelligence, for espionage. But once that tool was dribbled out online by the Shadow Brokers, anyone could essentially pick it up and bolt it on to their own attack, which is exactly what happened. So North Korea first picked it up. They bolted it on to some ransomware. They sent it around the world. It locked up hospitals in the U.K. It locked up law firms and companies all over the United States and the world, universities. But they'd actually made some sloppy mistakes in their code. And a hacker was able to essentially neutralize the attack pretty quickly. And then a month later, Russia essentially used the same tool, along with others, in an attack on Ukraine. But it also hit any company or business that even had a single employee in Ukraine. And that allowed that attack to spread as far as Tasmania to chocolate Cadbury factories there, to FedEx, to Pfizer, to Merck, which essentially saw its supplies of Gardasil vaccine eviscerated in that cyberattack. And they had to tap into emergency supplies at the CDC. It was truly the most destructive attack, cyberattack, in history. It cost victims - I think it came to a total of $10 billion. And then we started to see sort of the longer tail of these tools show up in attacks that cybercriminals were conducting on American towns, cities, universities.

Now, once those attacks happened, you know, anyone with a remotely capable IT administrator should have patched their systems for these holes and would have been able to mitigate these attacks. And so we've seen these tools pop up less and less, although they definitely are, you know, common tools that are tried in rudimentary cybercrime, cybercriminal attacks. But what that showed us was, you know, we were basically hoarding these holes in Microsoft software, which is some of the most widely used software in the world, for the purposes of our own cyber espionage programs without meaningful consideration for what might happen if that same hole was hacked, if it was discovered by someone else. And when that happened, we could see exactly what what the damages were, what the trade-off was from holding on to a vulnerability like that for more than five years.

GROSS: So this leads to a larger controversy here in the U.S. If you're a U.S. intelligence agency, including the National Security Agency, and you find a vulnerability in Microsoft, do you inform Microsoft so they can fix that vulnerability or do you just use that vulnerability to allow U.S. national intelligence to penetrate Microsoft's clients and get into those systems?

PERLROTH: So this is the big moral hazard in government today. This is the one that was the reason I wrote this book because back in the Cold War, we were all using different technology. You know, Russia would hack into our typewriters. We would hack into their systems. If we found a flaw in Russian technology, no harm, no foul to Americans. But thanks to globalization, we're all now using the same technologies. And Microsoft is a great example because, you're right, it's in our systems whether we know it or not. So when the American government discovers a major hole in Microsoft software, it has a decision to make. It can use that hole to attack Microsoft's customers all over the world. Or it can tell Microsoft, hey, you have a problem, you need to patch this and you need to roll it out to customers as quickly as possible. And what we've learned is that the United States government was making the calculation that it would actually hold on to a critical vulnerability in Microsoft software for more than five years so that it could use it to spy on terrorists and adversaries and I don't know who else.

But the problem is, once that got out, we could see just how dangerous that same vulnerability is in adversaries' hands. And, you know, it really is worth just reminding people that once that vulnerability was discovered and used later by Russia, you know, they used it to eviscerate patient records. Doctors couldn't access patients' records at hospitals in the United States. You know, companies like Merck were totally sidelined and in ways are still recovering from that attack. And that was almost four years ago. So, you know, these have real, real blowback potential for Americans and for American businesses. And in that case, you know, they're basically collateral damage when we hold on to these vulnerabilities and then they get discovered or hacked by an adversary. So what we've been told is that the government has a process for this decision-making. It used to be called NOBUS at the NSA, which stood for nobody but us. If the NSA found a vulnerability that they believed only they had the sophistication to exploit, they held on to it. If it was more of the low-hanging fruit, they turned it over to the technology companies. So under George W. Bush, the government essentially formalized NOBUS into a process where they would invite representatives in from various government agencies who would have a stake in this. And when they discovered a vulnerability, let's say, in Microsoft software, representatives from these various U.S. government agencies would sit around a table and they would debate the merits of keeping the vulnerability for their own espionage programs or turning it over to Microsoft to patch it.

And when I interviewed Michael Daniel, who oversaw this process under Obama, he said it's not pretty. Sometimes there's blood left on the table. And the reason for this is that, you know, they say that if they find a vulnerability in something like Huawei - OK, this is a technology that is Chinese. It's used by a lot of American adversaries. It's used in a lot of terrorist safe havens. If they find a vulnerability in Huawei, they might keep that because not a lot of American customers and businesses use Huawei software yet.

But if they find a vulnerability in Microsoft, that changes the calculation. And they told me that it would bias them towards disclosure, towards giving that vulnerability to Microsoft, tipping them off to it so they could roll out a patch to their customers. And what we learned with these attacks in 2017 was that that calculation, you know, the criteria that they had long told us they used to decide whether to keep or turn over a vulnerability, clearly wasn't working in this case because what was used in those attacks was a very glaring vulnerability in Microsoft software that could easily blow back on Americans and American businesses.

GROSS: Have American tech companies fought back about that?

PERLROTH: They have, and the companies that really have been at the forefront of this are Microsoft, Apple and Google. Microsoft's president, Brad Smith, has been out there very publicly saying we should not be holding on to these vulnerabilities, that we need the cyber equivalent of a Geneva Convention to establish norms for who we will and won't hack and how we will and will not go about those hacks. Apple's Tim Cook was very vocal about a situation when the FBI back in 2015 wanted Apple to create a backdoor so it could get into the iPhone of one of the shooters in the San Bernardino shootings. And Tim Cook really pushed back on that. And eventually the FBI said, well, actually, we don't need Apple's help. We have found an outsider who was able to give us this backdoor anyway. We paid him or her more than a million dollars. And so Tim Cook and Apple have been pushing the government to essentially, you know, disclose that vulnerability, whatever it is. And then at Google, Google has really designated teams of its own hackers to try and go out there and pore through some of the most widely used software we rely on to find these holes that governments could exploit so that they can help get them fixed before they can be used for espionage or mayhem.

GROSS: Let me reintroduce you here. If you're just joining us, my guest is Nicole Perlroth, a cybersecurity journalist for The New York Times. Her new book about the cyberwars is called "This Is How They Tell Me The World Ends." We'll be right back. This is FRESH AIR.

(SOUNDBITE OF JOAN JEANRENAUD'S "AXIS")

GROSS: This is FRESH AIR. Let's get back to my interview with Nicole Perlroth, a cybersecurity reporter for The New York Times. Her new book about the cyber weapons arms race is called "This Is How They Tell Me The World Ends." We've been talking about cybersecurity vulnerabilities that can be exploited either by our intelligence agencies or by criminals or foreign adversaries. These vulnerabilities are called zero days. Can you expand on what a zero-day is?

PERLROTH: So a zero-day is just a hole in software that hasn't been discovered yet. And, you know, once these zero-days are discovered, they get patched and a patch gets rolled out via your software updates. If everyone's listening to this, please run your software updates. But if a government discovers this hole first, then it can be used for espionage. It can be used for cyber weapons. And so for a long time, we've recognized the sort of espionage and battlefield potential of a zero-day. And starting in the 1990s, I learned through the process of reporting out this book that the U.S. government was actually actively paying hackers and defense contractors to find these zero-days, to write them into, you know, reliable exploits that they could use to spy on our adversaries or to essentially drop a cyber weapon into their systems if we needed to one day.

GROSS: Well, part of your book is about the whole underground market that has grown around selling and buying these vulnerabilities, these zero-day vulnerabilities. Can you describe a little bit the underground market that buys and sells these vulnerabilities, giving access to systems ranging from infrastructure to Microsoft and lots of other places?

PERLROTH: Yeah. So, essentially, hackers can find a zero-day in a critical system like Microsoft or maybe your Apple iPhone software. And they have a decision. They can give that vulnerability to Microsoft or Apple, which, these days, will pay them small bounties for turning that over. Or they can fetch much higher rates by giving that zero day to a digital arms broker, essentially, or by selling it directly to a government, because governments recognize that these zero days have tremendous espionage potential. They're willing to pay as much as 2 million to $3 million these days for a major zero day in, let's say, your iPhone or Android phone software. And it's not just the United States. Although, the United States was the first government to, essentially, start paying hackers to turn over these zero days and then stay very quiet about them by forcing them to sign nondisclosure agreements. And later, many of these programs were classified. But over the last 10 years, this is not just a U.S. government market anymore. For a long time, our Western allies recognized the potential of a zero day as well for their own espionage operations and were paying hackers for these tools.

And then, more recently, oppressive regimes like the United Arab Emirates and Saudi Arabia, who are technically allies of ours, recognized the power of a zero day to monitor the iPhone communications of their own people and of their critics all over the world. And so they started paying top dollar for these zero days. These days, it's actually not the United States. It's a broker for the United Arab Emirates and Saudi Arabia that pays top dollar for a way to get into your iPhone. So this market's really drifted outside U.S. control or even, you know, the control of our Western allies. I went down to Argentina for the book and met with people who sell zero days there to governments. And I asked a really stupid question of someone who was in the scene. I said, you know, so will you only sell these zero days to good Western governments?

And he just laughed at me and said, Nicole, you know, the last time I checked, the country that bombed another country into oblivion wasn't China or Iran. We don't think of the United States as a good Western government. Someone comes here with a big bag of cash from Ghana, a big bag of cash from Russia or Iran or the United States. We just weigh the size of the bag of cash. And we'll sell our zero day to them. So - you know, we no longer have any control of this market, which makes these debates about whether to fix the vulnerabilities we are finding that much more critical today.

GROSS: So one of the implications of this, I think, is that a government doesn't need to have, like, a brilliant cybersecurity agency in order to find vulnerabilities in their adversary's systems. All the government needs to do - and this includes really authoritarian governments. All they need to do is have enough cash to buy the code from the hackers who have the code. And then they could use those vulnerabilities to whatever purposes they want.

PERLROTH: That's right. So they can buy their way into these capabilities. And the market has come to meet their demand. And then there's another thing here, which is they're not just paying hackers to sell these vulnerabilities. They're actually recruiting American hackers overseas to Abu Dhabi to do some of their espionage and surveillance work in some cases. And that was one of the big, eye-opening things I learned in the course of doing this book is that, you know, American contractors were luring NSA hackers out of the NSA, giving them jobs in Abu Dhabi, where originally they were told, OK, you're going to be monitoring terror cells on behalf of the UAE.

But very quickly, their assignments changed to, actually, can you get into Qatar's systems? We've heard that they're funding the Muslim Brotherhood. Can you find out if that's true? And so they would - these are American, former NSA hackers who then were turned on an ally, because Qatar is technically also a close U.S. ally. And they would monitor their systems. And even though they didn't find any evidence that Qatar was funding the Muslim Brotherhood, the requests kept coming until, eventually - in one case, I learned that they were inside Qatari royals' email networks as Qataris were trying to coordinate a trip with Michelle Obama, who, while she was in office, was planning a trip to Qatar in 2015. And every last email exchange from Michelle Obama was being read by former NSA hackers stationed in Abu Dhabi. So it's not just the tools that we've lost control of, but the tradecraft, too.

GROSS: If you're just joining us, my guest is Nicole Perlroth, a cybersecurity journalist for The New York Times. Her new book about the cyber weapons arms race is called "This Is How They Tell Me The World Ends." We'll talk more after we take a short break. This is FRESH AIR.

(SOUNDBITE OF SUSAN ALCORN QUINTET'S "NORTHEAST RISING SUN")

GROSS: This is FRESH AIR. Let's get back to my interview with Nicole Perlroth, a cybersecurity journalist for The New York Times. Her new book about the cyber weapons arms race is called "This Is How They Tell Me The World Ends."

I want to read a sentence from your bio on the book jacket. It says, (reading) Perlroth lives with her family in the Bay Area but increasingly prefers life off the grid in their cabin in the woods.

(Laughter) So you're speaking to us from your cabin. Obviously, you have some kind of Internet connection. How off the grid are you in your cabin in the woods?

PERLROTH: So it's a family cabin of ours. And there's no smart fridges here. There's no Alexa. There's - you know, our wireless system is really poor. And there's no baby monitors here either. And that's not the case at my home in the Bay Area. And so I ended up just writing a lot of the book up here just because it was a peaceful place to get away from my 2-year-old. But also, as I started to look around, I just felt a lot more safe (laughter) here. As I was sort of just diving into the vulnerabilities of our everyday software that we rely on, I realized that I don't have a lot of software where I'm sitting right now in this cabin. And so it just started to feel a little bit more safe up here.

GROSS: Yeah. You mentioned baby monitors. The new thing is - well, not so new anymore - the Internet of Things, where, you know, our refrigerators and coffeemakers and baby monitors and cameras outside our doors and other security measures, they're all connected to the Internet, which makes us so eminently hackable.

PERLROTH: Right. And, you know, when I first started covering this beat, everyone was warning me, oh, you know, worry about webcams and worry about this. And, yes, I have a piece of tape over my webcam. But what has sadly happened over the last 10 years is I've covered an attack that's hit every one of these things. One of my favorites was there was an attack at the U.S. Chamber of Commerce where China had gotten into their systems. The FBI had come in, done a big sweep, figured that they had eradicated China from their systems. And next thing they knew, a couple months later, one of their printers just started printing out reams of Chinese characters.

But the one that always stuck with me was there was a thermostat in their corporate apartment in D.C. And it had been acting funny. And when they did a little sleuthing, they found out that it had been communicating with a Chinese IP address. China was in the thermostat in their corporate apartment. And, you know, there's just been cases - other cases where there was one where we confirmed that a UAE contractor was spying on the baby monitor of a activist in the UAE. So these are no longer, like, hypothetical scenarios. You're not a tinfoil hat person to be suspicious of some of these devices. They have and will continue to be used for espionage and surveillance. And because I cover these things all the time, I just feel much safer in my cabin in the woods.

GROSS: Well, Nicole Perlroth, thank you so much for talking with us. This has been very informative and, also, very chilling. Is part of your goal to be chilling, to say, hey, wake up, everybody, this is what's going on?

PERLROTH: Yes, it is. Everything that can be intercepted here already has. You know, our intellectual property, our power grid, our nuclear plants, our hospitals have been taken hostage with ransomware. We are really in a very precarious place. But we haven't had that calamitous attack yet. And so the goal with writing this book and by putting it out now is this is my own sort of attempt at a wakeup call to say, you know, we really need to make a decision as a society and inside government to stop leaving ourselves vulnerable. You know, we have to take our own security seriously. We also have to stop leaving gaping holes in software that could be used by adversaries to pull off some of these attacks. And so if my book is chilling, it's because I'd rather people read this and be scared and really think deeply about how they're securing themselves than waiting for that big wakeup call attack to happen.

GROSS: Well, thank you for your reporting. And thank you for this interview. I really appreciate it.

PERLROTH: Thanks for having me, Terry. It's been an honor.

GROSS: Nicole Perlroth is a cybersecurity journalist at The New York Times. Her new book is called "This Is How They Tell Me The World Ends." Tomorrow on FRESH AIR, my guest will be Rashida Jones. She stars with Bill Murray in the film "On The Rocks," which was just nominated for a Critic's Choice Award for Best Comedy. It was written and directed by Sofia Coppola and draws on Coppola's relationship with her famous father, Francis Ford Coppola. Jones directed a documentary about her father, Quincy Jones. I hope you'll join us.

(SOUNDBITE OF QUINCY JONES SONG, "KILLER JOE")

GROSS: FRESH AIR's executive producer is Danny Miller. Our technical director and engineer is Audrey Bentham. Our interviews and reviews are produced and edited by Amy Salit, Phyllis Myers, Sam Briger, Lauren Krenzel, Heidi Saman, Therese Madden, Ann Marie Baldonado, Thea Chaloner, Seth Kelley and Kayla Lattimore. Our associate producer of digital media is Molly Seavy-Nesper. Roberta Shorrock directs the show. I'm Terry Gross.

No comments: