The Electric Grid and Way, Way More

Red Sky Alliance has previously reported on the many cyber perils within critical infrastructure and key resource sectors. Our worldwide electric grids remain at the top of government concerns. The New Yorker recently published a very thought-provoking and sobering piece on the same subjects. We would like to share it with our members.

In the nightmare, sirens caterwaul as ambulances career down ice-slicked, car-crashed streets whose traffic lights flash all three colors at once (they’ve been hacked by North Korea) during a climate-catastrophic blizzard, bringing pandemic patients to hospitals without water or electricity—pitch-black, all vaccinations and medications spoiled (the power grid has been hacked by Iran)—racing past apartment buildings where people are freezing to death in their beds, families huddled together under quilts, while, outside the darkened, besieged halls of government, men wearing fur hats and Kevlar vests (social media has been hacked by Russia), flashlights strapped to their rifles, chant, “Q is true! Q is true!”

“Someone should do something,” reads the T-shirt worn by one of Nicole Perlroth’s sources, a hacker from New Zealand, in “This Is How They Tell Me the World Ends: The Cyberweapons Arms Race” (Bloomsbury).  Someone should.  But who?  And do what?  And about which of the Biblical plagues facing humankind?  Perlroth is a longtime cybersecurity reporter for the Times, and her book makes a kind of Hollywood entrance, arriving when the end of the world is nigh, at least in the nightmare that, every night, gains on the day.

Perlroth is interested in one particular plague, governments using hacking as a weapon of war, but her book raises the question of whether that’s the root of a lot of other evils.  For seven years, Perlroth investigated the market in “zero-days” (pronounced “oh-days”); her book is the story of that chase, and telling that story, which gets pretty technical, requires a good bit of decoding.  “A zero-day is a software or hardware flaw for which there is no existing patch,” she explains.  Zero-days “got their name because, as with Patient Zero in an epidemic, when a zero-day flaw is discovered, software and hardware companies have had zero days to come up with a defense.”  A flaw can be harmless, but zero-days represent vulnerabilities that can be turned into weapons.  And, as Perlroth demonstrates, governments have been buying them and storing them in vaults, like so many vials of the bubonic plague.

It’s tempting to say either I can’t worry about this right now or Didn’t we already know this?  For all the sensationalism of “This Is How They Tell Me the World Ends”—not least the title—much here fails to surprise: all code has bugs; it’s virtually impossible and prohibitively expensive to write perfect code; and bad actors can exploit those bugs to break into everything from your iPad to the Hoover Dam.  Companies and governments therefore pay hackers to find bugs, so that they can be fixed, or exploited.  What other choice do they have? you ask.  Perlroth’s reply is it’s a lot worse than you think and If there aren’t other choices, it’s time to invent some.

Perlroth’s storytelling is part John le Carré and more parts Michael Crichton—“Tinker, Tailor, Soldier, Spy” meets “The Andromeda Strain.”  Because she’s writing about a boys’ club, there’s also a lot of “Fight Club” in this book.  (“The first rule of the zero-day market was: Nobody talks about the zero-day market.  The second rule of the zero-day market was: Nobody talks about the zero-day market.”)  And, because she tells the story of the zero-day market through the story of her investigation, it’s got a Frances McDormand “Fargo” quality, too; in one sequence, Perlroth, pregnant, questions Italian hackers in Miami bars. (They tell her that they live by a samurai code of honor. “Bushido, I thought. More like Bullshit,” she writes.) Reading how Perlroth found out about what’s going on is spellbinding, but it can obscure what happened when. Here, as I read it, is that sequence of events, the spell, unbound.

In the nineteen-sixties, computers, which had been used to store and process information, became communications devices. “Life will be happier for the on-line individual,” J. C. R. Licklider, the visionary behind ARPANET, predicted in 1968. But, for all the benefits this development would bring, it struck many people as having unknowable effects—“What all this will do to the world I cannot guess,” the head of Bell Labs wrote that year—and it struck other observers as potentially quite dangerous. Also in 1968, the Pentagon’s Defense Science Board Task Force on Computer Security concluded that “contemporary technology cannot provide a secure system in an open environment.” In a follow-up report from 1972—the year ARPANET was publicly demonstrated, at the DC Hilton, during the first-ever meeting of the International Conference on Computer Communication—the lead author, James P. Anderson, argued that communication by computers offered a “unique opportunity” for espionage and sabotage; virtually undefended and “totally inadequate to withstand attack,” computers were “a uniquely attractive target for malicious (hostile) action,” and, because of the growing connections among computers, a single attack could take down an entire network.

American intelligence agencies had long preferred offense to defense.  As Perlroth writes, “Unimaginable volumes of nation-state secrets—previously relegated to locked file cabinets—were suddenly being transmitted in ones and zeroes and freely available to anyone with the creativity and skill to find them.”  In the nineteen-seventies, in a project run jointly by the US Navy, the National Security Agency, and the CIA, divers placed a tap on a Soviet cable on the ocean floor north of Japan; they leeched information out of it until the breach was discovered, in 1981.  Two years later, the French Embassy in Moscow discovered that the Soviets had bugged its teleprinters.  Then, in 1984, an NSA project that involved taking apart and replacing every single piece of electrical equipment in the American Embassy in Moscow discovered an almost undetectable bug in the Embassy’s IBM Selectric typewriters: a single extra coil on the power switch, containing a miniature magnetometer.  Every tap of every key was being collected and communicated by radio.

Meanwhile, computer programs got longer and longer, from tens of lines of code to tens of millions, controlling ships and airplanes and missiles.  American intelligence agencies began to consider the possibility of catastrophic breaches.  In the nineteen-eighties, Jim Gosler, working for the Adversarial Analysis Group at Sandia National Laboratory, pioneered research in detecting vulnerabilities in computer code (in this case, in the code that controlled the nuclear arsenal).  As Perlroth argues, Gosler demonstrated that the code was “at once a hacker’s paradise and a national security nightmare.”  In 1989, the NSA brought Gosler onboard as a “visiting scientist.”  In 1996, he took over the CIA’s Clandestine Information Technology Office.  His role seems to have been to explain to people at Fort Meade and, later, at Langley that no computer and no computer program can ever be faultless, an argument with implications for both defensive and offensive operations.  Between his two appointments, the Internet opened to commercial traffic, and people throughout the world started uploading and downloading.  Perlroth, interviewing Gosler about how dangerous all this is, looks down at her iPhone: “And yet here we were, entrusting our entire digital lives—passwords, texts, love letters, banking records, health records, credit cards, sources, and deepest thoughts—to this mystery box, whose inner circuitry most of us would never vet, run by code written in a language most of us will never fully understand.”

In the dot-com nineties, cybersecurity firms sold antivirus software; penetration-testing companies sold the service of breaking through your firewall, to show you how they got in. (“We Protect People Like You from People Like Us” is the motto of one pen-tester.) They all peddled an amalgam of fear, uncertainty, and doubt that, in the tech world, had come to be abbreviated as FUD. Some of those private companies realized that it wasn’t efficient to maintain a big staff of analysts when they could just pay bounties to hackers all over the world to figure out how to break into a system. Governments and intelligence agencies, too, started offering bounties for bugs, paying hackers, brokers, and, above all, defense contractors. Some of these companies, like the Miami-based “100% offensive” Immunity, Inc., and the Maryland-based Vulnerability Research Labs (which was acquired in 2010 by a giant defense contractor), are staffed with ex-intelligence agents, selling zero-days that are worth millions of dollars. After 9/11, the price for bugs went through the roof. With the launch of Google, and especially of Facebook, the amount of data to be found online mushroomed, and so did the ease of government surveillance. Perlroth writes, “It was often hard to see where the NSA’s efforts ended and Facebook’s platform began.” Only the arrival of the iPhone, in 2007, proved a greater boon to government surveillance.

Cyberattacks made headlines, and then vanished.  In 2008, Russia got into a network at the Pentagon; hackers broke into the campaigns of both Barack Obama and John McCain; the next year, North Korea compromised the Web sites of everything from the Treasury Department to the New York Stock Exchange.  In 2010, a computer worm called Stuxnet, created by the US and Israel in an operation approved by George W. Bush and continued by Obama, was discovered to have devastated Iran’s nuclear program.  Perlroth, who started covering cybersecurity for the Times a year later, is arguing that, if you build a worm like that, it’s eventually going to come back and eat you.  When the worm escaped, Joe Biden, then the Vice-President, suspected Israel of hastening the program, and breaking it.  “Sonofabitch,” he allegedly said. “It’s got to be the Israelis.”  It infected a hundred countries and tens of thousands of machines before it was stopped. “Somebody just used a new weapon, and this weapon will not be put back in the box,” Michael Hayden, a former NSA director, said. That somebody was the United States. It had built a boomerang.

The market for zero-days became a global gold rush. You could buy zero-days from anyone, anywhere; no rules obtained.  “When it came to zero-days, governments weren’t regulators,” Perlroth writes.  “They were clients.” After Chinese hackers attacked Google in 2010, the company started paying bounty hunters a maximum of $1337 a pop (the numerals spell out “leet,” short for “élite,” on your phone); soon, that got bumped up to $31,337 (“eleet”).  Microsoft and other major players offered encryption services, which had the effect of raising the price of zero-day exploits.  In 2013, the Times called Perlroth into a windowless closet in the office of Arthur Sulzberger, Jr., the publisher, to pore over the documents leaked by Edward Snowden. She was supposed to study attempts by the world’s top intelligence agencies to crack digital encryption but saw that “the NSA didn’t need to crack those encryption algorithms when it had acquired so many ways to hack around them”—that is, by zero-days. “The agency appeared to have acquired a vast library of invisible backdoors into almost every major app, social media platform, server, router, firewall, antivirus software, iPhone, Android phone, BlackBerry phone, laptop, desktop, and operating system.”

This is a sobering account of our current cyber perils. We at Red Sky Alliance are dedicated to helping with cyber security in many ways. Our underground collection and analysis helps in the overall security process. If you would like a demo of our current capabilities, please contact us. Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/8782169210544615949 

Sources: The Next Cyberattack Is Already Under Way | The New Yorker

https://www.nsa.gov/what-we-do/understanding-the-threat/
https://csis-website-prod.s3.amazonaws.com/s3fs-public/210129_Significant_Cyber_Events.pdf (link to full report: 210129_Significant_Cyber_Events.pdf)
