Nicole Perlroth, who writes about cybersecurity and digital espionage for The New York Times, is the author of This is How They Tell Me the World Ends: The Cyber Weapons Arms Race (Bloomsbury). It’s a chilling tale about how the world, and the United States in particular, has grown increasingly vulnerable to cyber attacks by nation-states and contract cyber warriors. She has covered this beat for the Times since 2011. Prior to that, she wrote about startups and venture capital for Forbes. Perlroth, who is based in Silicon Valley, is a graduate of Princeton and Stanford universities. She is also a lecturer at Stanford Business School. What follows is a lightly edited Q&A.
Q: A few years ago, there was a lot of talk about Google secretly working on a project to get back into China. Can you say anything about that?
A: Google’s secret plan to re-enter China was code-named Dragonfly and it was a huge reversal from Google’s previous position. Google was kicked out of China after it stopped censoring its search results following a Chinese hack of its systems in 2009. But less than two years after its exit, executives were already clamoring to get back in. Dragonfly was their plan to reintroduce a censored search engine to China and the strategy was to slow-walk its reentry first by establishing a new artificial intelligence research center in Beijing, then releasing seemingly inconsequential products to China — first an app, then a mobile game — apparently in hopes that by the time Dragonfly was ready for launch it might be overlooked as the next logical step in Google’s regression.
What was really going on there?
In some ways this is the typical Silicon Valley story of a naive company thinking it could help democratize a police state. When Google first introduced its search engine to China in 2006, executives told themselves they were saviors. Sergey [Brin] and Larry [Page] told employees it was better to offer the Chinese censored search results than nothing at all, that Google could help educate the populace about the environment, avian flu, global markets. But very quickly, the compromises became too much to stomach. Officials not only demanded Google censor information about the “Five Poisons” — the Falun Gong, Taiwanese and Tibetan separatists, democracy activists, Uyghurs [Editor’s note: The Associated Press is now using this spelling for Uighurs, and we are adopting their style.] — they censored anything that offended the CCP’s tastes — talk of time travel, reincarnation, even Winnie the Pooh would eventually be added to their blacklists.
Google was hearing it from both sides. When it didn’t move quickly enough to censor its search results, Chinese officials accused Google of hosting an “illegal site” and it started to worry about the safety of its employees. In the U.S., regulators likened Sergey and Larry to Nazi collaborators. So when Google discovered Chinese hackers inside their networks in late 2009, and discovered they were trying to get into Chinese dissidents’ email accounts, it became very clear just how naive Google had been.
It had to decide: Would it stay in China and allow the state to censor its search results and spy on its users? Or would it abandon the Chinese market and invest the resources necessary in security to kick the Chinese out and keep them out for good? It was Brin who ultimately decided to pull out. Google shut down Google.cn and redirected China’s Google users to uncensored search engines in Hong Kong, running afoul of Beijing, which eventually blocked the site completely. The company also started investing heavily in its security. It brought in intelligence analysts, rolled out multi-factor authentication, launched “bug bounty programs” that rewarded hackers who found security flaws in its systems. And it kickstarted a movement in Silicon Valley that drew in Facebook, Twitter, Apple, Microsoft, which all started bug bounty programs of their own. Google’s internal motto became “Never Again.” Never again would they let a foreign government spy on its users.
Brin told The Times that year, 2010, that he believed Google’s exit would ultimately push Beijing to loosen its grip on the internet. He could not have been more wrong. When Xi Jinping took office a few years later, he took a stranglehold on the web. China codified criminal punishments for anyone who “damaged national unity,” pioneered new forms of surveillance, hacked thousands of U.S. companies, including The New York Times, in search of your sources [Editor’s note: Perlroth is referring to me, David Barboza; the China hack was a search for my sources.] and, at one point, exported its censorship overseas with a cyberattack on American websites that hosted banned Chinese content.
Over that same time period, Chinese companies like Baidu and Alibaba started making further inroads into Silicon Valley, posing direct competition to Google. Google transformed from a search engine into a sprawl of different companies — Android, YouTube, Nest, cloud services, a venture capital firm — each with their own reasons for wanting to break back into the world’s largest internet market. [China’s 750 million internet users eclipse the combined populations of the United States and Europe.] And Page and Brin started ceding control to a new executive team who reprioritized the bottom line and started plotting their re-entry into China, despite the compromises that entailed.
But those moral compromises are even more glaring now than they were in 2006. For one, China only continues its hacking and theft of U.S. intellectual property and data. I covered the Chinese hack of The Times and you and I covered PLA Unit 61398 [Editor’s note: David Barboza was the Shanghai bureau chief of The New York Times and wrote about the attacks from Shanghai, along with Perlroth and David Sanger, in 2013.], the Shanghai-based Chinese military hacking unit that had been breaking into thousands of companies. Our coverage led to a campaign by American officials to name and shame, and eventually indict China’s PLA hackers. And then there was the Chinese breach of the U.S. Office of Personnel Management in 2015, which resulted in the theft of personal data from nearly every American who had applied for a security clearance over the previous few years — medical histories, fingerprints, everything. In response, Obama’s national security team threatened to greet Xi Jinping on his first visit to the White House that year, 2015, with sanctions. The threat, and the embarrassment, was enough to push Xi to agree to commit to Obama that China would cease hacking for commercial benefit. And it stuck for a time. We saw a huge dip in Chinese hacks of American intellectual property until Trump entered office and flipped the tables over with his trade war.
Some argue Xi never planned to stick to that deal; that he only used that period to reorganize China’s hacking operations away from the PLA’s sloppy hacking units to the Ministry of State Security, which is known for its stealth and for outsourcing its most sensitive operations to a satellite network of contractors. And now Chinese intellectual property cyber theft has resumed, only this time they’re not doing it with misspelled spear phishing emails anymore. They were using more sophisticated and strategic methods of attack, hacking the supply chain and using “zero days” — secret flaws in code unknown to vendors — to invisibly spy on their targets, companies, but also activists, Tibetans, Uyghurs, not only in China, but the diaspora.
| BIO AT A GLANCE | |
|---|---|
| CITIZENSHIP | Dual Dutch American |
| CURRENT POSITION | Cybersecurity/digital espionage reporter at The New York Times |
| PERSONAL LIFE | Married to Heath Thomson |
That’s right. There were these remarkable hacks targeting Uyghurs, the ethnic minority group from Xinjiang…
The Uyghurs have, unfortunately, become Beijing’s guinea pigs for every new surveillance method they develop or acquire. In one attack I covered in 2019, we discovered China was using some of the best hacking tools you could possibly get, zero-day exploits in Apple and Android mobile software that would have cost millions of dollars on the gray market, to hack Uyghurs in China and abroad, and they did this right under our noses. They baked these exploits into websites that hosted Uyghur content. Anytime someone visited those websites, they would inadvertently download China’s spyware onto their mobile devices. And these websites were not only visited by China’s Uyghurs but people all over the world, activists, even high school students researching their plight for a term paper. That attack was a game changer. It made clear that China was investing heavily in sophisticated hacking tools, turning them on their own minorities, and essentially exporting their surveillance abroad.
Given what you’ve just described, why would Google be so eager to return to China?
Profit and competitive pressure. Google is a different company than the one Page and Brin started some two decades ago, or even the one it was in 2009, when it discovered it was hacked. In 2015, Google reorganized under Alphabet. Google became just one subsidiary of a technology conglomerate. Sundar Pichai took over as C.E.O. that year. Baidu and Alibaba set up shop in Silicon Valley and executives feared that if Google did not re-enter China, not only would it miss out on the world’s largest internet market, but China’s tech companies would start to eat into Google’s market share here. In some ways, this is also Google’s antitrust defense: We have to be big because if we aren’t, we won’t be able to compete with China.
And what about Huawei? There are these long-standing concerns that Huawei has been behind espionage efforts, but the U.S. has not proven this beyond a reasonable doubt. Is it there?
Here I should remind readers that we broke a story about the NSA breaking into Huawei’s headquarters to look for PLA back doors several years ago. They didn’t find them, as far as we know from the leaks, but once inside Huawei’s networks, the NSA’s operators figured, “Oh, wait a minute. This is a terrific beachhead to spy on Huawei users not only in China, but North Korea, Syria, Iran, Sudan,” all of whom preferred to use Chinese technology over U.S. technology. For years, the NSA used Huawei’s software to spy on our enemies. But the fact of that attack, what we call a “supply chain attack,” has become a big headache for the Biden Administration as it coordinates its response to the Russian hack that we are still unwinding in the United States, in which Russian hackers used American software, SolarWinds, as a Trojan Horse to break into SolarWinds’ clients’ networks at the State Department, Justice Department, the Departments of Energy and Homeland Security. How do you retaliate for an attack that you yourself have pulled off, successfully, for decades?
Another area of interest is Russia and North Korea. They are both actively engaged in cyber attacks. Is there any coordination between these nations and China?
Not in terms of cyberattacks, but it’s clear they are borrowing pages from one another’s playbooks on disinformation and censorship. We now see more Chinese disinformation campaigns, stoked by bots and trolls, similar to Russia’s Internet Research Agency’s trolls. Putin has long envied China’s great firewall, and Navalny’s arrest and ensuing protests are pushing Putin to clamp down further. Just this week (March 9), Russian censors tried to throttle back access to Twitter and inadvertently knocked Russian government sites offline in the process. It was an amateur mistake, but it was clearly the first of a new set of concrete steps Moscow is taking to unravel its own Iron Cyber Curtain. And Russia and Huawei signed a 5G agreement, so there will only be more coordination going forward. Xi calls Putin his “best friend” and “colleague.”
There is much more direct coordination between China and North Korea. Many of North Korea’s hacking operations are conducted from China. Though there was one interesting hiccup in Chinese-DPRK cyber relations in 2017, when North Korea conducted a ransomware attack on global systems that boomeranged back on Chinese companies, universities and even some Chinese agencies. That was not the intent. Some think North Korea’s hackers were in the planning stages of an attack and their code fled the coop before it was ready. I always thought it would be fascinating to learn what discussions were like between Pyongyang and Beijing in the aftermath.
This may be a silly question, but what makes Russia so good at this type of thing? They clearly seem to be the most sophisticated in cyber attacks.
Russia benefits from the Soviet legacy of an emphasis on math, science, and engineering education, but many with hacking skills lack the same job prospects they have here and have turned to cybercrime. Russia has a well-oiled cybercrime economy and the state does not prosecute its cybercriminals; they use them to their advantage. Putin has only two rules for his hackers: “One, don’t hack inside the motherland.” And two, “When we tap you on the shoulder, you have to come work with us.” We saw this play out in an attack on Yahoo a few years ago; the FBI ultimately pinned the breach on two Russian cybercriminals and two FSB agents. The FSB allowed the cybercriminals to profit off stolen account data, but when they found a high value target, a White House staffer for example, they passed their credentials off to the FSB.
A similar dynamic emerged a few years ago in a sophisticated, and more disturbing, attack on a Saudi petrochemical facility, Petro Rabigh, when hackers remotely dismantled the safety locks at the plant, the last step in triggering a cyber-induced explosion. Given the target was in Saudi Arabia, the initial suspect was Iran, but later FireEye (and the Treasury Department) tied the attack back to a Russian university.
China has a similar model. In case after case, intelligence officials and security researchers have tied attacks to Chinese employees at Chinese tech companies or universities who operate at the behest of the Ministry of State Security. It gives them a degree of plausible deniability that we don’t have here, where most attacks are conducted from the Pentagon.
Wasn’t there just an attack a few weeks ago, on a water facility in the U.S.?
Yes. Hackers successfully breached a water treatment facility in Florida and upped the level of lye in the water. They could have contaminated the drinking water had an engineer not been sitting in front of his computer screen and caught his cursor moving around. This is the attack we have long feared, but we still don’t know who was behind it, and fortunately it was caught. But it is just one in a long list of close calls. And those close calls are only happening with more frequency.
Your book could not have come out at a more important time, just in the aftermath of the SolarWinds attacks, apparently attributed to Russia…
My book went to press just before that attack was discovered. But in many ways my book is a prelude to that attack, which in retrospect was inevitable. The challenge now is: How will the U.S. respond? Particularly when we’re not even confident that we have eradicated Russian hackers from our systems. These hackers had broad access to U.S. government IT networks for nine months. It’s highly likely they planted backdoors in other parts of the network that could take months, if not years, to uncover.
The cyber attacks just look like we’re entering a bleaker and bleaker environment.
In cyber, the enemy is, indeed, a very good teacher. Each attack seems to build off the last. And now, in the pandemic, we are witnessing every flavor of attack play out at once. Nation-states, not just the usual suspects but new governments we rarely see in this arena, have been hacking one another, and global health organizations, in an attempt to glean any intelligence or advantage they can in terms of a vaccine. Cybercriminals have been holding cities, companies, healthcare organizations and hospitals hostage with ransomware. And these attacks are having physical effects. At one hospital, cancer patients were not able to get their chemotherapy treatments because of a ransomware attack. And the ransom demands keep going up. One healthcare organization was forced to pay $10 million to get their data back. And insurers are willing to pay cybercriminals because even $10 million is still cheaper than the cost to start from scratch.
Ten years ago, I might cover one big attack a week, or every other week. Now these hacks are all happening at once and it has become nearly impossible to keep track.
What are possible solutions here? Are there going to be separate grids? A decoupling on the web? Why isn’t that already happening?
Well, the short answer is we are limited by our free market economy. The majority of America’s critical infrastructure is owned and maintained by private companies. Some, like PG&E, have the big budgets and resources to hire mini intelligence agencies and install intrusion detection systems to detect and thwart nation-state attacks. But the vast majority — municipal water treatment facilities, wastewater treatment plants, utilities — do not. Lobbyists have blocked any legislation aimed at forcing these companies to meet basic security requirements. There are no liabilities for companies that do not air-gap their most crucial systems — the chemical controls at the water treatment facility in Oldsmar, Florida for example — or companies like SolarWinds whose software had incredible access to our government networks, our nuclear labs, and only after the fact did we discover that the password to their software update mechanism was “solarwinds123.” There is no R.O.I. for cybersecurity. But we will reject any attempt at regulating greater cybersecurity.
We are very much in a bind. After Snowden, the last thing companies like Microsoft, Pfizer, or even local electric utilities want is to invite the NSA into their networks, even if it is just to identify, monitor or block foreign attacks. This was most glaring in the election. States see any offer of federal cybersecurity protection in their elections as a Washington takeover. That is why Mitch McConnell said he blocked any election security bill that hit his desk.
So we leave it to the victims to handle this for themselves. The problem is that typically with nation-state campaigns, you see many companies hit at once. And we don’t find out about these campaigns until the data has already been intercepted or used to breach other victims because most companies, when they discover a breach, still try to sweep it under the rug out of fear of class-action lawsuits or their stock tanking.
After SolarWinds, Congress has batted around the idea of a breach notification law and better threat sharing. Breach notifications and threat sharing are, indeed, critical. But alone, they don’t get us where we need to be. Adversaries like Russia and China will continue to exploit our free market, and our civil liberties, against us.
There’s a reason why Russia staged their SolarWinds attack from servers inside the United States — it’s because the N.S.A. can’t look at domestic traffic. China just did the same with its latest attack on Microsoft email servers. They have seized on our blind spots, our civil liberties, our privacy protections, and to a disturbing degree they are exploiting our First Amendment with disinformation. And Congress is stuck dithering on data breach notification laws and “cancel culture.” The outlook is not good.
Do you see any prospect for major changes or a complete rethink of how we operate and connect with the rest of the world?
I hope SolarWinds ends up being the greatest thing that ever happened to our digital security. When I called up the victims of the SolarWinds hack, half of them didn’t even know they used SolarWinds’ Orion software, let alone that the software was built, tested and maintained in other countries, like Belarus. Finally we are asking ourselves what’s in our systems, how much of it is American-made, what tools make up the tools we rely on for the functioning of our most critical networks, like our national nuclear labs.
These are the hard questions we should have been asking ourselves all along. I do think SolarWinds could be the biggest counterintelligence failure of all time. The fact that the NSA, for all its prowess and hacking of Russian networks, didn’t catch this and it took FireEye, a private company, getting hacked to discover the Russians had used SolarWinds as a Trojan Horse, not only to break into FireEye but dozens of government agencies and technology companies? That’s a pretty clear indication that U.S. cyber offense alone, “active defense,” hacking enemy networks to get an early sense of who they plan to attack, before they hit us here, only gets us so far. It’s time to recalibrate and reprioritize our cyber defense. But these are hard problems. There is no silver bullet, or vaccine. It will take a whole of government approach. Yes, we need data breach notification laws and real-time threat sharing between companies like Microsoft and the government. But we are also going to have to change the market incentives: tax credits, for example, to companies that subject themselves to real penetration tests, that use up to date software, that regularly patch, and test their code before they roll it into our cars, homes, nuclear plants and power grid. And, more controversially, it may take penalties for companies like SolarWinds whose internal commitment to cybersecurity borders on negligence. And broader still, it’s going to take the American public waking up. That is why I wrote my book.
[Photo caption: Neuberger spoke at a Feb. 17 press briefing about the SolarWinds hack.]
You covered the Snowden case. There has long been speculation about his ties to Russia, or even in some distant way to China. What do you make of that?
I have never seen anything to confirm that speculation, but inarguably Putin has used Snowden’s presence in Moscow as a big game trophy. There’s just no getting around that.
You must have cyber warfare fatigue. This is really combat duty, no?
I do and it really is. In the beginning, covering these nation-state attacks on our own paper, the Chinese theft of intellectual property, the hacks of dissidents and journalists, the power grid attacks, the break-ins at our nuclear plants was fascinating. But then they all started happening simultaneously. It’s been non-stop for ten years. I’m exhausted and it has taken a real toll. Covering cyberwarfare is paranoia-inducing. It darkens your world view. The backlash journalists, particularly female journalists, face on Twitter these days borders on abuse. I have a two-year-old son and I don’t know how much longer I can stay immersed in this world without it impacting me as a mother. These stories follow you through bath time. No matter how thick your skin gets, the Twitter bullying can send you into the fetal position. I used to tell myself, ‘After cybersecurity, you can move to the Home & Garden section.’ But then The Times cancelled the Home & Garden section. And now it’s hard to think about moving on because I hate the idea of abandoning something I’ve spent a decade immersed in, that is so critical and only becoming more so.
| MISCELLANEA | |
|---|---|
| BOOK REC | The Godfather by Mario Puzo, Flash Boys by Michael Lewis, Red Notice by Bill Browder. In very different ways they are all about people who go to extremes to seek justice. |
| FAVORITE MUSICIAN | David Byrne. Lately, The Barr Brothers. |
| FAVORITE FILM | Inglourious Basterds |
| PERSONAL HERO | Nora Ephron |
Why did you write this book? Or better, what was the key message you wanted to deliver?
That every incentive model — for people, for businesses, for government — was leading the United States down a path of further vulnerability. Here, in Silicon Valley, we all bought into the promise of a “frictionless society” where we could access anything we wanted — restaurants, groceries, an Uber — through our phones. But we never thought about the downside of these conveniences we all take for granted. Businesses are incentivized to get their product to market first, to “move fast and break things,” to “keep shipping,” to cut operational costs. They are not incentivized to lock up their systems, to test their code for vulnerabilities and secure it before it gets rolled into our phones, our lives, our critical infrastructure. And the government is supposed to keep us safe, but I was learning that, in too many cases, they were leaving us more vulnerable. And the clearest evidence for this was the government sponsored zero-day market. I’d long heard the government trafficked in a market for software and hardware vulnerabilities, known as zero-days, that are holes in software like Apple’s iOS mobile software. I knew U.S. government agencies paid hackers, brokers, defense contractors for zero-days to use for their espionage programs and, increasingly, their battlefield preparations, in the event they needed a beachhead to drop a cyberweapon onto an adversary’s grid, or nuclear facility, or neutralize a North Korean missile launch. But governments weren’t telling technology companies about these holes, because why would they tell Apple about an iOS zero-day that they spent two or three million dollars to purchase, so Apple could patch and fix it? And three decades ago, if we found or acquired a zero-day exploit for Chinese software, there was no real impetus for us to see to it that a Chinese software manufacturer got it fixed.
But these days, we’re all using the same software: Android phones or iPhones, Microsoft Windows, Siemens and Schneider Electric industrial software. And once you keep a hole open in those systems, so you can spy on Iran, or Russia, or China, you are also leaving a hole open that could be used by those same adversaries to hack Americans, American businesses and critical infrastructure. And over time, I could see this was no longer a hypothetical. We have more adversaries and cybercriminals lined up at our gates than almost any other country in the world. In too many cases, we showed our adversaries what was possible in the digital domain, not just for espionage and surveillance, but for destruction. And they have taken several pages from our own playbooks.
I wanted people to wake up and see where we were headed. And that is a deadly cyber-induced kinetic attack on our critical infrastructure. But I also wanted to open up people’s eyes to where we are now, which is that everything worth intercepting in the United States — our software, our cyberweapons, our intellectual property, our power grid, our nuclear plants, our psyche in many cases — has already been intercepted. It shouldn’t have to take a boom to wake us up to the need for smarter digital defenses.
Can there really be international agreements in the cyber realm?
I don’t know if international norms will work. You know better than me. Putin and Xi Jinping can swear to God that they’re not going to attack our critical infrastructure — our grid, our hospitals, our elections — but chances are they will likely just delegate those attacks to the contractors, front companies, or cybercriminals they already outsource some of their most sensitive operations to. We don’t outsource or delegate. Any attack you see coming out of the United States these days comes from Cyber Command, espionage from NSA, or CIA, or another intelligence agency. We don’t tap the engineer at Google on the shoulder at night and say “Tonight you’re moonlighting for us.” So the United States does not want to sign onto any digital Geneva Convention that would handcuff our own operations, while these other governments, particularly Russia, just continue to outsource their dirty work. Putin himself said it a few years ago: “Hackers are free people, just like artists who wake up in the morning in a good mood and start painting.”
I read a report recently that some of America’s best hackers were actually ending up doing freelance work for other nations. Is that right?
Sadly yes. Forgive me for getting into the details a little bit. In my book, I reveal that an American contractor, called CyberPoint, was recruiting NSA hackers from the agency and sending them to Abu Dhabi with promises to double, then quadruple their salaries. They were told they would be doing the same job they were doing at the agency, just on behalf of our Emirati allies. At first, this made sense. They were tasked with hacking and tracking ISIS cells in the Gulf, a natural extension of the War on Terror. But very quickly their Emirati clients pivoted. They asked if they would hack Qatar and confirm reports that Qatar was funding the Muslim Brotherhood. And so, these young former NSA American hackers started hacking Qatari royals. Well, one day, one of them reaches out to me and tells me this story and reveals that at one point, he was getting access to Michelle Obama’s emails ahead of a trip Obama had planned to visit Qatar. This was when Michelle Obama was First Lady, and the First Lady’s emails, security details, itinerary, were all beaming back to this young American’s computer in Abu Dhabi. That visual alone has to give you pause and make you wonder if this industry needs oversight. I think the answer is clearly, Yes. The trick is writing regulations in a way that doesn’t come back to bite us, and on that, the U.S. government doesn’t have a great track record.
David Barboza is the co-founder and a staff writer at The Wire. Previously, he was a longtime business reporter and foreign correspondent at The New York Times. @DavidBarboza2