Nicole Perlroth is The New York Times’s cybersecurity and digital espionage reporter, and This is How They Tell Me the World Ends is her definitive account of the shady market for zero-day exploits. A zero-day exploit is a software vulnerability unknown to those responsible for fixing it, and zero-days are crucial tools for hackers, intelligence agencies, and law enforcement.
It seems like cybersecurity problems were poorly foreseen at almost every phase of the development of computing. Critically for Perlroth’s tale, software vendors initially handled discoveries of vulnerabilities in their products very badly. When programmers or hackers reported vulnerabilities to them, they at best ignored them but often threatened to sue them. The foreseeable result was that the hackers went to others who would pay them for the vulnerabilities—typically government intelligence agencies.
At first, that mostly meant the United States. But Perlroth traces the tale of how a whole market of brokers, contractors, and middlemen sprung up. Many of them are sketchy, and some sell to governments that use these vulnerabilities to monitor dissidents, track political opponents, and maybe even develop dangerous cyber weapons.
Then there’s the related question of what a government should do when it discovers or buys a zero-day vulnerability for software that’s widely used by people and companies across the globe. Disclosing the vulnerability to the software vendor offers the vendor a chance to fix the problem before malicious hackers can take advantage of it. But intelligence agencies have a powerful incentive to keep the knowledge to themselves and use the vulnerability to obtain intelligence or conduct cyber operations.
This balancing of incentives is called the vulnerabilities equities process (VEP), and it’s a hugely important but underdeveloped aspect of cyber law and policy. Perlroth focuses more on the history of the cyber arms gray market, and her discussion of the VEP just scratches the surface. She offers mostly criticism with few concrete suggestions for improvement—mostly just vague assertions that the government favors stockpiling vulnerabilities more than it should.
It’s a really interesting story, and Perlroth tells it well. She also does a good job of criticizing U.S. policy without suggesting that the U.S. and adversaries like North Korea, Iran, Russia, and China are equally morally situated. But the book feels a bit disjointed, and Perlroth’s salmon metaphor (you’ll have to read the book to understand) never lands. The book is also full of typos, misspellings, and grammatical errors to such an extent that it’s distracting. The discussion is also very high-level, which readers without a technical background will appreciate but might leave others wanting a little more.