My podcast partner, Joe Klein, and I interviewed Nicole Perlroth, author of “This is How They Tell Me The World Ends” at some length last week for this episode of ‘Night Owls’. It’s a terrific interview, entirely because of Ms. Perlroth. It’s broken into two parts, as the interview itself ran a bit long. It’s a guided tour of the world of cyber weapons and the ongoing cyberwars, by the woman who wrote the book on the subject.
Begin with a 2022 interview with Ms. Perlroth, conducted by Kristen Eichensehr, Director of the National Security Law Center at The University of Virginia Law School. (Video of the interview is here. The transcript is here.)
Q. Ms. Eichensehr:
Let's start with the basics. Can you tell us what a zero-day exploit is? And how has the market for them evolved?
A. Ms. Perlroth:
So a zero-day is-- and I'll just make it-- I'll use a tangible example. If I'm a hacker and I find a bug in your iPhone software, your iOS software that Apple doesn't (know) about, I can probe and pick at that bug and see (if) maybe I can do something with this.
And let's say I was a really good hacker and I could craft a program that could exploit that software bug to read your text messages, to track your location, to record your phone calls, to turn on your camera. That's the zero-day exploit that's really the mother of zero-day exploits.
If you can craft that program and hijack anyone's iPhone remotely, you can sell that right now to a number of brokers. Some of them are based in Washington and Virginia. (You can sell it to them) for $2.5 million. If you can do it in Android, if you can get a really good remote zero-day exploit for Android software, that's $3 million now.
And then there are companies overseas in the Gulf that will offer you $3.5 million for that zero-day exploit. The caveat is if you sell that exploit to one of these zero-day brokers, you can never talk about it. Because the minute you talk about it, Apple finds out about it, Apple works on a patch.
So that’s the marketplace. What’s the asking price for a zero-day exploit that shuts down utilities in Philadelphia, Detroit, Milwaukee, Phoenix and Atlanta on Election Day (or any day)? What’s the asking price for a zero-day exploit that hijacks the emergency warning system in those five cities? What’s the asking price for shutting down the cell towers in those five cities? What’s the asking price for all three?
How many people could you distract or prevent from voting on Election Day? For the sake of argument, let’s say 35,000 in each of those five metropolitan areas. So that’s 245,000 votes. Cut it in half and you’re at 122,500 voters who, for reasons largely caused by the hack, don’t vote. If a total of 45,000 votes in three states had gone Trump’s way instead of Biden’s way in 2020, the electoral college vote would have been a tie (269-269). If the hack is directed at Democratic precincts only, its impact might well be decisive.
And that’s just Election Day. According to Pew Research, forty-five percent of the electorate in the 2020 presidential election voted absentee or by mail. What if you had a zero-day exploit that got into the voter registration rolls and erased voters in certain precincts or changed their address so it wouldn’t match the driver’s licenses on file or changed their names by a letter or two and added a middle name that didn’t match? Would their votes be counted? Who would decide?
What’s the market for throwing the electoral process in the United States of America into chaos? Large, I would imagine. There would certainly be interested parties: China, Russia, Iran, North Korea for starters. And there are equally interested non-state actors — transnational criminal organizations, anarchist groups, terrorists. If a zero-day exploit was offered up to the Sinaloan cartel for $10 million, one that could do some or all of the above, what do we think they would do? My guess is that they would resell it to a foreign government or transnational criminal organization with their own reasons to throw the electoral process in the United States into chaos. They wouldn’t sell it for $10 million. They’d sell it for a lot more than that. The beauty of bitcoin is that it would be difficult if not impossible to find out how much more the buyer paid.
Ms. Perlroth published her book in 2019 and she was sufficiently alarmed by what was happening in cyberspace that she entitled her book: “This is How They Tell Me The World Ends.” If she were to update the book jacket with a new title, it would probably go something like this: “This is How They Tell Me the World Ends when zero-days are made exponentially more treacherous by artificial intelligence (AI), the most powerful information technology in the history of mankind.”
The political press corps has focused its AI coverage on “deep fakes” as the leading threat to the 2024 elections, both here in the U.S. and around the world. “Deep fakes” use artificial intelligence to make it seem like Barack Obama is calling Biden a “fool’s fool” when, in fact, he’s never said anything of the sort. The problem with deep fake audios is that you and I can’t tell the difference between the fake Obama voice and the real Obama voice. And for good reason: the fake Obama sounds exactly like the real Obama.
There have been a lot of stories about “deep fake” audios and (to a lesser extent, because the quality isn’t as good) “deep fake” videos. There will be a lot more, trust me on that. Once the political press locks into a narrative, it’s almost impossible for it to change course. If everyone’s writing about it, everyone else has to write about it.
But deep fake audios and videos are not a clear and present danger to the political process in America. Yes, we will be inundated with them, but at some level that will inure us to them. We will rely on our family and friends, our trusted sources and our common sense to separate what’s real from what’s dubious if not malicious. And we will vote as we always have. “Fake news” isn’t something that was invented in the Trump years.
What is a clear and present danger to the political process in America is the hacking of our voting “system” and the public (and private) infrastructure that enables it. The director of the National Security Agency and the director of the FBI recently testified before Congress on this subject and assured the legislators that the United States government was fully prepared to defend and deal with a cyber attack from whatever source.
The first part of that promise (“defend”) is probably impossible. There’s always a way in. There is no doubt that the NSA and the Department of Homeland Security and the FBI will do everything they can to “defend” against cyber attacks aimed at our election process. But if we know one thing about cyber security, it is that there’s always a way in. Ask AT&T or Change Healthcare or Colonial Pipeline or Microsoft.
“Deal with” is another matter. “Deal with” is an implicit or explicit threat, which goes something like this: If you (let’s say Russia) try to interfere with our elections in November, at any level, we will “interfere” in your energy infrastructure, your banking system, your communications (and whatever else we choose to “interfere” with) on a scale that you can only imagine. And then double it.
This is known in the trade as the doctrine of Mutual Assured Digital Destruction or MADD (not to be confused with Mothers Against Drunk Driving). And it is MADD, like nuclear Mutual Assured Destruction (MAD), that keeps “the peace.”
In theory.
The problem is that if we add artificial intelligence to the tool box of a highly skilled hacker, as noted above, we are talking about an exponentially more dangerous threat; one that might be impossible to track, one that could cover its tracks, one that would be of unknown origin for weeks if not months, months if not years. To make things worse, this super-hack might originate from a non-state actor, who (or which) makes it look like it originated from a state actor, like Russia or China or Iran or North Korea. You can see how quickly this threat snowballs, if properly executed.
Not so long ago, the United States had an enormous lead in “cyber capabilities.” The NSA was the gold standard. The others were tin. That’s no longer true. What Ms. Perlroth calls “the capabilities gap” has narrowed dramatically. The NSA, Cyber Command and the FBI, among others, are alarmed by how much.
Don’t take my word for it. Listen to FBI Director Wray on this subject, from a recent interview he did with CNBC:
We have seen since October 7 what I would describe as kind of a rogues’ gallery of foreign terrorist organizations all calling for attacks against Americans and our allies. And so the partnership, the deep partnership, that exists between the FBI and NSA and Cyber Command is incredibly important to that as well. But you can go around the horn, because the rest of those threats that Paul referred to, it’s not like they just took a breather when the foreign terrorist threat spiked up again. So, China, by far and away the biggest hacking program in the world, has stolen more of Americans’ personal and corporate data than every nation combined. If you took all of China’s cyber hackers and focused them on the U.S., which is their priority, if I took all FBI assets and said, forget Russia, forget Iran, forget cyber criminals, just focus on China, we’d be outnumbered 50 to one.
So the scale of China’s hacking program, both from a cyber espionage perspective, a prepositioning in the event of a conflict at some point, and even on the influence side is very, very significant. Meanwhile, you got Russia, which remains a top cyber threat, very sophisticated adversary, in terms of espionage, attack capabilities, influence, major investments by the Russian government in cyber operations, because they view that as an asymmetric weapon, if you will, that they can use to try to keep up with us. And then you’ve got Iran, which shouldn’t be underestimated. It’s a very sophisticated, very aggressive cyber adversary. And they have, for example, they’re one of the only countries to have conducted a destructive cyberattack in the U.S., the other one being North Korea. And they have shown themselves to couple that sophistication with a level of brazenness that’s really outrageous. We have seen the Iranians target, for example, a children’s hospital in New England. So, put those three – and that’s just the nation-states, and before you start getting to the foreign cyber criminals, which is a place we spend a lot of time engaging as well, and you have got a pretty full plate for our teams to work together.
Listen to our ‘Night Owls’ podcast (Episode #16) with Ms. Perlroth. Read her book. Here’s hoping none of the above comes to pass.
This article makes me think we’re chasing the wrong enemies. I haven’t heard any of this from traditional news institutions, and I read all of them. The big threat is to our democracy (encroaching fascism) and AI. But this one gives me the shivers.