The hidden world war

This book can perhaps be best described as an anecdotal history of one of the darkest, and most technically complex markets. It’s fun to read. The narrative jogs through the last 20-odd years. The author has reported on cybersecurity (aka “infosec”) for The New York Times for a decade. She is respected in tech circles for her persistence in getting the most close-mouthed (and nerdy) people in existence to talk about their work, and its ramifications.

The narrative has fascinating character sketches of some such individuals, as well as marvellous nuggets of information about the infosec industry. There are detailed accounts of several key events, such as the US-Israeli “Stuxnet” hack of Iran’s nuclear programme, that have rarely been written up for public consumption.

Fact-checks are difficult, due to the very nature of the subject and also the conscious avoidance of complex technical details. There are also some apparent errors, or perhaps discrepancies is a better word, with other accounts of some of these events.

In keeping with the NYT style, the author assumes her audience will consist of laypersons, and explains very basic stuff (“firmware”, “kernel”) in somewhat tedious detail. Despite those minor speedbumps, her easy style of first-person reportage maintains pace.

What’s this all about? As we come to rely increasingly on computerisation and the Internet, our civilisation also becomes more vulnerable to digital tampering. Nation states and non-state actors are very well aware of this.

All sorts of infrastructure— power grids, dams, ports, metro systems, banks, healthcare services, vehicles, taxi services, steel plants and so on — run digitally. Digitising is increasing at an accelerated pace as the Internet of Things takes hold, with fridges, houses and washing machines being digitised and Web-enabled by billions of smart sensors.

Billions of microchips, and integrated circuits are wired together in myriad ways and these talk via billions of lines of code. They generate data, as they perform an increasing variety of tasks. In addition, social media actively encourages users to put data and private lives on display. It is impossible to guard or secure all these nodes and networks, or even to check if they are compromised.

Enormous investments have been made in discovering holes and weaknesses in digital infrastructure. This has led to the creation and evolution of a market, for discovering, exploiting and weaponising such holes, for mostly malign purposes.

Hackers tend to be innately curious people, who like poking around with complicated things. But the discovery of a weakness anywhere in this chain is of great commercial value. So there are multiple ways for hackers who do discover weaknesses to profit from these.

“Zero-day” bugs, or flaws in code or hardware that are unknown to the vendor, can be the most dangerous and therefore, the most profitable. When a zero-day bug is discovered, it can be revealed to the software or hardware vendor for a bounty; these can also be worked into coding ransomware to blackmail users. These can also be sold to brokers who in turn sell them to shadowy government agencies which may use them in many different ways.

The security agencies are the highest payers in this opaque market, followed by the major Silicon Valley vendors such as Google, Apple, Microsoft and Facebook. The vendors look to patch such bugs and thereby make users more secure. But while they pay bounties nowadays, they have also been known to threaten and sue hackers who revealed bugs.

As this book details, government agencies often don’t inform the concerned vendors about a bug, and instead use these for surveillance, or to penetrate target systems. Increasingly such bugs are also being exploited in acts of undeclared war.

A cyber-weapon can cause as much disruption and damage as a bomb, or an earthquake without directly killing anybody. The price of a working zero-day exploit can easily run into six figures. The discoverer or broker selling it is often expected to maintain complete discretion, allowing an agency that buys it to quietly use it. The ethics of this are obviously questionable, since the government in question is often a malign entity. 

Given that a cyber-armoury can be of great use in geopolitical arm-wrestling, many nations are actively working to develop such capacities. India is very much a player here. Ms Perlroth explains how this market evolved, and how these institutional capacities developed, with governments edging out private operators, or entering enforced alliances with them in Russia and China.

Using cyber-weapons, power grids can be attacked; financial systems can be attacked; national security can be breached; sluice gates can be opened in dams, healthcare systems can be shut down; elections can be hacked. What’s more, all this and more, has been done in more or less deniable fashion in the past few years, as the book relates in detail.

A cyber-weapon may be deployed by a lone teenager; it could be used by a nation state with vast resources. Of course, sophistication will vary. Somebody called The Shadow Brokers leaked the most sophisticated armoury — that of the National Security Agency — a few years ago. This may have enabled other nations such as Russia, China and Iran to play catch-up effectively.

The book alleges China and Russia have penetrated US power grids, and been penetrated by US malware in turn, leading to a delicate balance of power. It also hints US agencies worked overtime to shut down Russian hacking operations and protect the 2020 election from interference. It’s a brave new world indeed, and one with very grey ethics.