Professor Vijay Gurbaxani interviews New York Times reporter Nicole Perlroth on what she believes is the most serious security risk facing the United States today—digital espionage and the rise of cyberattacks.

The Cyberweapons Arms Race is Heating Up

April 26, 2021 • By Sydney Charles

The Center for Digital Transformation (CDT) invited New York Times reporter Nicole Perlroth to discuss one of the most crucial challenges that confronts the digital world—cyber security—for the latest installment of its Digital Leadership Virtual Series. Moderated by Center Director and Professor of Information Systems and Computer Science Vijay Gurbaxani, the event explored cyber security, digital espionage and the global cyber arms race.

Perlroth is an award-winning journalist who has covered Russian hacks of nuclear plants, North Korea's cyberattacks against movie studios, banks and hospitals, Iranian attacks on oil companies and more. In her discussion with Gurbaxani, she discussed the purpose and inspiration behind the seven-year process that led to the publication of her new book This is How They tell Me the World Ends: The Cyberweapons Arms Race. She wanted to “write a book that put some of the information and the debates around vulnerabilities and the cyber arms race and put it into a readable, suspenseful narrative for the everyday American so that they’re not intimidated by some of the technicalities that are involved in these debates.”

According to Perlroth, by providing the next generation with tools for cyber awareness, society is less likely to become vulnerable to more severe cyberattacks in the future. Another aspect of security Perlroth wanted to explore was the government’s role in protecting society from hackers. 

“The one thing that I really wanted to understand was the government's role in this. Technically, government agencies are charged with keeping us Americans safe, but I knew there had been these murmurings of a gray market for vulnerabilities.” Historically, many hackers would find flaws in popular software platforms and break into that system or in some cases make the vendors aware of the vulnerabilities. Known as zero-days, they are named for the day on which the vendor discovers the vulnerability, which means that they have had zero days to mount a defense. When governments subsequently entered this market buying zero-day bugs to gain access into adversary’s systems and to track bad actors, a new kind of arms race began with countries stockpiling zero-days to use against each other and driving up prices. Perlroth said some zero-days “as advertised online by zero-day brokers who give these to governments, is $2.5 to $3 million.”

In today’s digitally-driven world, the risks have multiplied since many platforms, like iOS or Windows have many millions of users and a zero-day can be used to attack all of them. Witness the recent SolarWinds attack where hackers slipped malicious code into a routine update to the company’s widely used network management software, Orion. Roughly 18,000 customers, including major tech companies and federal agencies, downloaded the code. While it is still not exactly clear what damage was or will be done, the attackers now have the ability to spy on these organizations and even disrupt their operations.

Perlroth stated that “…this [cyber] market has drifted out of our control. We may still be here in the United States, the world's most sophisticated cyber actor when it comes to offense, but we are also now the most targeted. Most adversaries are all lined up at our doors, because they see we have systems of interest, both for profit and also for espionage and destruction and corporate espionage. Also, in many ways, you could argue we're also becoming the most vulnerable because we're the most digitized,” she explained. 

You can find the entire conversation here.