[00:45] All Kinds of Culminating or Bringing to Life

Rachael: I couldn't think of a better time to have this conversation between what's going on this week and last week. With pipeline, the Biden executive order, and then all kinds of culminating or bringing to life. Everything she's captured in her book, This is How They Tell Me the World Ends. Are you as excited as I am?

Eric: I'm more excited, actually. Maybe we could've done it while we were all out of gas, but this is a great time. Who do we have today, Rachael?

Rachael: Today, we have Nicole Perlroth. She is a New York Times cybersecurity digital espionage reporter. She's been in the cyber trenches for more than ten years. I can't imagine all the insights that she has, the seven years it took to put this amazing book together. Nicole, welcome to the podcast. We're so happy to have you here.

Nicole: Thank you so much for having me. This is awesome.

Rachael: First I want to congratulate you on this book. We were talking a little bit earlier. For a lot of cybersecurity, it is a bit hard to translate cyber into layman's terms. You've done this incredibly well. There are so many moments in your book, I don't even know where to start about salmon, a digital test kitchen in Ukraine, and then on and on.

Rachael: Particularly, what caught me as well is what you said at the end. As a journalist today and particularly covering cyber and kind of having to think about that. Looking over your shoulder, being an amazing journalist.

Like a Fight Club

Rachael: I just want to say thank you because what you're doing is not easy. All the work that you put into this, it's incredible. It's blood, sweat and tears from where I sit. So thank you for doing this because this is critical work that people need to read.

Nicole: Thank you so much for saying that. Yes, this was probably the hardest topic. I could've chosen this space because like I said in the book, it's like a fight club. This is the one thing, the first rule is nobody talks about this. The second challenge was really figuring out how to tell this story to a lay audience.

Nicole: Where their eyes weren't going to roll to the back of their heads. Or they weren't going to tune it out because of the techno-jargon. To tell it in a really human way and also to tell it like a hero's journey where there wasn't really a hero.

Nicole: I wanted there to be a human that represented a different slice of the cyber arms market. There was no one person that could kind of carry the narrative along. It is why I ended up having to insert myself in the book a little bit. I wanted to hold the reader's hand, and I knew it was going to take someone like me that really didn't grow up coding.

Nicole: Didn't have a strong computer science background, but had been parachuting into these cyber attacks for the last ten years. And sort of seeing where this was going and being able to take the reader's hand. Say, "Hey, look at where this is trending. It's not going to be good."

Pieces and Parts

Eric: But I looked at it as someone who's in the industry. I’d say, it brought to light a lot of things I knew pieces about. I knew pieces and parts, but it rounded out the story. So if you're in the business, in Infosec Cybersecurity, depending on when you got in, there are a lot of components that fill in gaps that I just never even thought about. It was great from that perspective.

Nicole: Thank you so much. I've never said this before, and I don't even think I've admitted this to myself. But while you were saying that, what it made me think about was during the subprime mortgage crisis, I had this idea for a story where I wanted to follow one mortgage through the chain to see where it ended up.

Nicole: I ended up finding this woman who lived on Stanton Island who got in this subprime mortgage, this high-risk mortgage. Then I tracked it from her through her broker, through the banks. Ultimately to the American taxpayer which was left holding the bill after AIG's bailout.

Nicole: That's sort of actually what I set out to do with this book. It’s let's follow the chain here. Because like you said, it's really easy to sort of focus on your piece of the puzzle. But very few people have lifted their heads up, looked at where this is going from slice to slice.

Nicole: And said, "Wait a minute," sort of like this subprime mortgage crisis, "Wait a minute. What is all this risk we have taken on and baked into the system? Who's going to be left holding the bag?"

[05:48] How We Solve the Problem Based on the Book of Nicole Perlroth

Nicole: That is the case for the cyber arms market. Everyone's focused on their own slice of the puzzle. But when you step out and look, it's like individuals are the ones who are going to end up paying the price. Most people aren't even aware that this is playing out every day.

Eric: There's nobody in charge.

Nicole: Nobody in charge, yes.

Eric: That's the problem. It's a mess. So I was looking for the answer. How do we solve this problem at the end of the book? It's not there.

Rachael: Well, there's no silver bullet on this.

Eric: No silver bullets in cybersecurity.

Nicole: Yes. But the other day, I did talk to Senator Angus King. The independent from Maine who is one of the most articulate senators on this issue these days. He’s really involved with the Solarium Commission, and he had this funny thing he said to me the other day. He said, "There's no silver bullets, but we've got to come up with our silver buckeye shot."

Nicole: We have to figure out what are the 15 things we have to be doing to nail this. Or at least just get to a bare minimum standard that raises the bar. For all of these companies and organizations and federal government agencies. What you're seeing right now is this effort to finally put those in place for better or worse.

Eric: We need to do something. I made a few notes. Jim Gosler talks at the end about what I call the saddest line in the book. It was on 385 for anybody who wants to look it up for the full context.

Behind Enemy Lines

Eric: He says, "In truth, there is no one running point. There is no cavalry." It reminds me of something I said, we said all the time when we were in the army. We worked in six-man teams behind enemy lines. There's no cavalry coming, you had to figure it out. You had to do something, but it was just the saddest line to me, the reality of it hitting. There's no one in charge.

Nicole: Yes, and it's true for everyone, even in federal government. We just saw what happened with SolarWinds. It's never been more apparent that our cybersecurity is not up to snuff. The book, I was racing to finish it before the election. Then it was like the election that never ended. So if you're reading those last chapters, you see me just furiously typing whatever the latest was that week.

Nicole: Then it got out there right before SolarWinds, and you know what's crazy? I was one of those reporters on the phone with Chris Krebs and Chad Wolf the day of the election. These background briefings they were giving a few reporters. They kept saying, "It's early, but I think it might just be another Tuesday on the internet. We're just not seeing it. We are not seeing the foreign interference."

Nicole: It’s almost so hard to wrap your head around that. Given all of the things we've been following and reporting on for the previous year. But now, we know that at that very moment, the SVR was inside Chad Wolf's inbox reading his emails. That really gets to there’s no cavalry. We have Paul Nakasone on the phone reassuring us there’s no foreign interference. At that very moment, they're inside our nuclear lab IT systems.

Put Out the Latest Fire

Eric: They were focused. I've done government work a good bit of my career. I don't want to say it's put out the latest fire, but the government's constrained like any other business. Maybe more so. They had to have a good election. They’re 110% focused on the election. I've talked to Chris Krebs also after that.

Eric: The pride and joy he expressed in what they did, how they did it. His team giving us a great election should not be minimized. They just don't have the resources and cybersecurity. The defender is always at a disadvantage. They allowed a proper election to go on. There really haven't been any proven, massive reports of interference.

Nicole: No, and I think Chris Krebs is a hero in my book. Matt Masterson is a hero in my book. They took the constraints that they had. Which states have long been reticent of any kind of federal assistance in elections, even if it's cybersecurity. They told me they really talked about ransomware with some of these counties.

Nicole: Because they had to walk this crazy tightrope between the politics of it and the reality of it. They knew that if they went out to some of these rural counties. Then said you need to get paper backups or some kind of record because of Russian foreign interference. These people were going to say, "Go screw yourself." But instead, they went out.

Nicole: Right, and Russia's a hoax. So what did they do? They were really clever, they said, "Well, have you heard about ransomware?" It's like, "Yeah," because ransomware is hitting the guy at the clerk's office over in the next county. They're like, "Oh, ransomware. I can get my head around that."

In Case Ransomware Comes for You

Nicole: Okay, so in case ransomware comes for you, you need to have some kind of backup system. And that's how they did it. So it's genius the way they did it, and it wasn't in your face. The other day we had this podcast at the New York Times. It’s a daily podcast about the doctor who's in one of these countries where everyone thinks the vaccine's going to plant a micro.

Nicole: It just followed the conversation where he was just very quietly listening to the concerns, probably listening to the 1,000th person talk to him about their fear of a microchip.

Eric: I have some neighbors with this problem.

Nicole: Okay, so he said, "How big is a microchip and how big is this needle?" Just literally, not condescendingly walking people through what it actually is. That's what they did, and that's time-consuming, and that should not be overlooked. And you're right, that was priority number one, but also it shows how clever our adversary is.

Nicole: They were like, "Everyone's going to be looking at the election. So let's go do this other thing." And you know one really interesting question, we'll never know the answer to unless we were a fly on Vladimir Putin's wall. David Singer and I had reported that Cyber Command had been breaking into the Russian grid.

Nicole: And it’s making a really loud show of it. That was back in 2019, I think we reported that, maybe even 2018. There is an interesting question, which is, were they planning to do more interference in the election? But they diverted because of those efforts. Because we were making a loud show of our efforts to get into their grid.

Turn Off Your Lights

Nicole: To say, "If you mess with our elections or our grid, we'll turn around and turn off your lights." I don't know if we'll ever get the answer to it, but I think the government does deserve more credit. It's just that they are so constrained, like you said, Eric. There isn't more they could've done.

Eric: I have been there in these conversations. They have deep conversations about capabilities but also outcomes, positive and negative. These are really hard problems. Okay, question for you, switching then. Sunburst, Colonial Pipeline. Which is worse? Which wakes up the American people? Or do neither of them?

Nicole: Colonial Pipeline does because of just the visual of gas not being available. And people blowing up their Hummer because they started panic buying and shoving gas in plastic bags. That is the visual that America needed. That fact that there came an attack, even better because it reminded people that it doesn't have to be some sophisticated nation-state attack that could cause this.

Nicole: It could be some bumbling ransomware operator who hits an IT system. It happens to be the IT system for the company that brings half the jet fuel to the east coast and gas to the east coast. So they're going to shut down the operations because they're not even prepared for this scenario. It's just perfect because it shows how unprepared we are, how we don't have resilience in place.

Nicole: The fact that the company was basically telling the White House to go pound sand while they quietly paid the ransom, really gets to the issue of the fact that the government has no control in a lot of these cases. So much of our critical systems is operated by the private sector.

[14:29] Patient Zero

Nicole: We don't know who patient zero was. We don't even know if this is factored in. But of course, the security communities are doing scans of Colonial's posture. Find out they didn't patch for that Microsoft Exchange vulnerability where the patch had already been available for two months. And oh, they didn't do this and that.

Nicole: So it's just a perfect illustration. SolarWinds is like, it takes people a second to wrap their head around it. They hacked into government systems, oh, and they got into our utility systems. But thank God it's this quiet Russian intelligence group. It's not the one that actually turned off the lights.

Nicole: It's scary, but it takes people a second to wrap their heads around just how pervasive it is. I do think it's worse when you know the level of the threat. They’re only three clicks away from them having use the access to do something more disruptive or destructive. It is worse.

Eric: Which I find nobody's talking about the destructive side, the potential destructive side of Sunburst. We'll call it Sunburst today.

Nicole: Up to you guys because you guys are in this industry. I feel like anytime I talk about the destructive potential, everyone sort of screams fud. You're being too alarmist. It didn't happen. Why are you trying to scare people? But the reality is, we've seen Russia turn off the lights in Ukraine. We saw them dismantle the safety locks.

Eric: Horrible.

Nicole: Worst attack ever, barely paid a price for it. Companies, FedEx and Merk and Mondelez, they're still trying to recoup.

Eric: Hundreds of millions of dollars. It's a disaster. Saudi Aramco, we saw that they had to replace their whole infrastructure.

The May 14th Report from Nicole Perlroth

Eric: I mean, we can go on and on. I don't know if anybody cares. It's almost like your credit card. When someone steals your credit card information, you call the bank up. They send you a new credit card. Two days later, it shows up, and you're good to go.

Eric: I do it at least once or twice a year with different cards because the consequences to me are essentially zero. Two day wait. Okay, it's all digital. Now, with Apple Pay it's even better. They used to take your old card, move it to your new card. You don't even have to register it on your device or anything else. There's no consequence.

Eric: I think with the exception of maybe some gas lines and a little bit of panic, "Am I going to be able to drive to the beach this weekend?" Even with Colonial Pipeline, I question whether it was enough. Yet we were, per your report from last Friday, Nicole. The 14th of May, I think, great article with David Singer.

Eric: We were three to five days away from a national catastrophe. If you go back to Ted Copple's book, I think it was Ted Copple. Lights Out, a very easy read book about the potential if a cyber attack happened on Manhattan, how quickly they run out of power, how quickly they run out of food. And how quickly we have this mass exodus, the bridges are jammed. I mean, everything falls apart.

Nicole: Yes. To this point about walking this tightrope between laying out the reality but not being accused of being an alarmist. I did this interview with Dale Peterson, really focused on critical infrastructure.

The Potential for a Grid Hack

Nicole: Puts on the best critical infrastructure conference there is every year. He hated the parts of my book where I talk about the potential for a grid hack. He said, "I took it to the most hysterical level." He doesn't think Russia getting into the IT systems at some of these utilities should even be talked about in the context of a grid attack. Because on their own, they're not getting into the IT systems. And I disagree.

Nicole: I said, yes, on their own, they're not that bad. On their own, Russia ended up only turning off the power in Ukraine for a few hours. They turned off the safety locks that Petro.

Eric: It was a very manual from everything I've read. The power grid in Ukraine, you could literally shut things down and still run the power.

Nicole: Right. But where I think people like Dale miss it is the Colonial Pipeline example. A ransomware actor holding an IT system at Colonial Pipeline on it in itself is not the start of hybrid warfare. But look what happened. They had to shut down their operation.

Nicole: They had almost a week of downtime. We were three to five days away from just being completely screwed in terms of transportation. Chemical factories were going to shut down. I mean, really in bad shape, and that's just from one ransomware attack on the IT systems.

Nicole: So just in the last six months, the book came out. Look at what's happened. SolarWinds, the attempted hack of the book until they were able to stop it. Hack of the water treatment facility in Oldsmar, Florida where they upped the level of lye in the water utility companies.

Rachael: That's crazy.

A Lot Like SolarWinds

Nicole: I've spoken with CEOs of those utilities. It looked like they were looking around. They didn't just download the software update and that was that. No, they actually came into their systems and took a good look around. And now the Colonial Pipeline and some of the attacks I haven't even had time to cover.

Nicole: Like the ransomware attack on Honeywell, the software supply chain hack that's happening in Europe at Centurion. I never know how to pronounce that company's name. It's a lot like SolarWinds, only we think it was a sandworm, not the SVR. We think it was the actual guys that did shut off the lights in Ukraine. So what are they doing?

Nicole: The other thing is, look at some of these Russian attacks that seemed really random over the last couple of years. Like the opening ceremony at the Olympics. Sure, we know that they were upset about some of the anti-doping stuff that came down. The immediate suspect there was North Korea because we were looking at the opening ceremony of the Olympics in Seoul.

Nicole: Then there was the attack on Petro Rabigh, Saudi plant. Where immediately we thought, "Oh, it's probably Iran given the Saudi Aramco thing." But no, later we found out it was a Russian graduate research institute. The Russian attack on a French television station where they pretended to be Islamic fundamentalists. Later we found out they were Russian.

Nicole: What are they doing? They're testing capabilities, but they're also messing around with attribution. They are testing attribution and false flags. It's only when you can step back, and it's really only when I have the time to step back.

[21:31]  When Nicole Perlroth Wrote the Book in the Middle of the Night

Nicole: I wrote the book in the middle of the night when my phone wasn't buzzing and some attack wasn't happening. It was like your holy S-H-I-T moment of, "Wow, the through-line here is pretty clear." But we're all just like, "Well, in this one attack, they only hit this one router."

Nicole: But it's important to start calling this out, and somewhat fortunate that the attacks that are getting closer to this are just close calls. That they could get the pipeline running. That they did catch someone who's sitting in front of their computer in Oldsmar, Florida and saw their cursor moving around.

Eric: We're very lucky, but I would agree with you. The adversary is learning, whether they do it or somebody else does. They're learning through these events what works and what doesn't. I've been there. We study vulnerabilities as the United States. We'd be fools to think our adversaries don't do that. They are looking at what is happening, some random ransomware group here, which may not be state-sponsored.

Eric: They're certainly allowed to operate with relative impunity. They're able to do something. You learn about it. Well, that goes into your battle plans. Next time you need to disrupt the United States because you want to do something in Syria. Or in Ukraine or something more serious, you learn. You save that weapon for later.

Eric: I fully agree with you. The difference between ransomware shutting something down and ransomware going to that next step to end lives. To cause explosions or prevent critical fuel or hospital services or whatever it may be, it's a couple of keystrokes. It really is.

Digital Days

Eric: We're not talking about you having to go in the country, you have to infiltrate. It's all digital these days. It is literally a couple of keystrokes. I'm fully in your camp on that one, and I don't know how the world ends. But this could be one of the ways that we have a catastrophic failure of society.

Rachael: Maybe that's what it takes. I hate to even say that, but I think people have gotten a bit numb. And to Nicole's point, all these close calls, "Oh, we'll dodge the bullet next time." Again, there were no real consequences. Yes, there was a line or two in a couple of states.

Rachael: I wonder, too, kind of this online versus in real life kind of dichotomy that we have. Everything feels like it's a movie in so many ways. We're watching this movie until it actually happens to me, until I can't go somewhere. Or if I can't get food or water or electricity because I was in Texas during the freeze, and it was horrible. I don't know if the people are going to put the calories to it.

Eric: But you take it for granted now that the power's back on and it's warm again.

Rachael: Because I'm on to the next thing. I hate it.

Nicole: This is all happening. I was finishing the book in COVID. Right when shutdown had really taken effect and I was finishing the book. I was thinking about that, and I think COVID is actually a useful prism to look at this. Because in the beginning, people were asking, "Is this real? Is this really going to kill me? Do I really need to wear a mask and social distance?"

Cyber Induced Kinetic Attack

Nicole: It's the same in cyber. When that big calamitous cyber induced kinetic attack, coordinated attack happens, we'll be asking all the same questions. Where was our PPE, why didn't we have vaccine systems ready to go? Why weren't we talking about the need to social distance? What resilience and backup plans do we have for the economy?

Nicole: Battlefield testing, hardening our systems, those are all things that we were asking when the pandemic hit. How did we not learn more about this from China? And how were they able to hide this? Those questions all apply.

Eric: You talk about that in the epilogue. You compare the lack of preparedness for COVID-19 with a similar one for what you call I think The Big One, a massive cyber attack. In fact, I think you're talking to McManus in that, and he says, "Someone should do something." Someone really should do something.

Nicole: He doesn't even talk, you guys. Anyone who knows Greg McManus knows that he doesn't speak, but yes. His shirt said someone should do something when I went in to go interview people for a story. That shirt stuck with me for a very long time. Someone should do something. But who is someone and what should they do? That's my epilogue.

Nicole: I think like the pandemic, there's a lot the government could be doing, there's a lot businesses could be doing. But also, this is going to come down to people just being aware of the threat. Turning on two factors and not being the weakest link in the spear phishing attacks and password spraying attacks. It's really fun to talk about a digital geneva convention and hybrid warfare. But the fact is we're not even doing the basics.

Doing the Basics

Nicole: I know it's boring, and it's grueling, and it's annoying, but we're not even doing the basics. And I would not be surprised if that Colonial Pipeline hack doesn't come down to password spraying. Unpatched Microsoft systems, or someone clicking on a link or entering their login credentials somewhere that they shouldn't have been.

Eric: Well, I'm sure. While their IT systems were attacked. I personally think they did the right thing by shutting the pipeline down. Because if that had gotten into OT, we could've had a real problem.

Nicole: Yes.

Eric: So I think they did the right thing in that immediate reaction, but I'm sure it was something simple.

Nicole: Well, it's just an interesting question. Now we're learning that maybe it wasn't that they were afraid of the ransomware drifting into their OT systems. So much as they couldn't capture billing, they couldn't get paid. One of my first calls was to this company in Israel called Waterfall Security. I never like to promote companies, but here is one that these guys probably know what's happening here.

Nicole: They have these unidirectional gateways that they put in place. They work with a lot of pipeline operators in the United States, Colonial. If they had one of those installed, would've been able to capture billing off of that gateway if they had a redundant system in place. But they didn't have it, and they didn't have the gateway. So they didn't have the confidence that it wouldn't spread to their OT systems, and they couldn't charge their customers. Ultimately, it's a for-profit business. So of course, they need to capture billing.

One-Way Transfer

Eric: We're actually in this business, and we don't promote on the show here, but we see this all the time. Because those gateways are diodes, one-way transfer only. We make guards, which allowed information to transfer from secret to top-secret, top-secret to secret, whatever it may be. The technology's there. The problem we see often is the elevator needs to communicate with the service provider, or whoever sold it to them for support and service.

Eric: So they just connected right to the internet. We say that in the Target hack. So even if you do have the one-way, the diodes, the gateways, there are so many devices out there. The problem just exploded over the years. There's so many devices connected to the raw internet, let alone the corporate intranet. That accessibility, it's wide open, and how do you put that back in the bag?

Eric: How do you? You opened up the gift. You've played with it, now you got to package it up, rewrap it. It just doesn't happen easily. And that's what these companies are struggling with. It's the convenience, almost, or well, they say I have to do this. I have to provide information to them, similar to billing or whatever. That convenience overrides the inconvenience of being more secure. And that's human nature. I don't know how you get around it.

Nicole: I was thinking about that same question, about what my next story is going to be on this. And I was thinking about exactly what you just said, Eric. I was thinking, "Do you know who I'm going to call? I'm going to find some behavioral economists to call to figure out where and this was part of my goal in writing the book, too.

[30:36] It’s Time to Crack

Nicole: Because for too long, we've left these conversations to classified government corridors and the industry and journalists. I think it is time to crack to see what could be pulled from other fields like bioterrorism. But also behavioral economics because I think you're right, it's a human nature problem. Security is annoying, it's costly, it's just annoying. It's grueling and it's annoying, and it requires cyber hygiene and awareness.

Nicole: All of these things that sound really lame but are actually really important. How do you adjust human behavior? I’d really like to know what a behavioral economist has to say about this because we need to change the incentives. We need to figure out how to shift people's behavior and attention. That's not a cybersecurity problem. It's a human problem.

Eric: I don't think cybersecurity is. I mean, if you do something really basic, like just take it into the physical world. If somebody broke into your office or your house, the police would come, they would arrest them. You'd have physical cameras, you could take advantage of it. You could address that problem pretty well, the way we're societally structured.

Eric: On cyber, it's all digital. We don't understand it, the authorities aren't there. The local law enforcement departments don't understand. DHS doesn't have the ability to reach in. You don't want to share. It's just a different level, and then the speed just kills. But you would never want someone to break into your business. You just won in the physical world. Do you want them in the cyber world?

Nicole: Yes, and there's no 911 for cyber. I couldn't even tell you who I would call.

Who Would Nicole Perlroth Call For Help

Nicole: I would call my sources, my super secret sources. I’d call them to say help, come to my house. Not everyone can do that.

Eric: I would, too. But Colonial Pipeline, I don't even know how they got to DHS. I mean, just think about that. They don't have that 911. We've got some major changes to make. I did see recently that there was a French insurance company, AXA, I think.

Rachael: AXA.

Eric: They're not covering ransomware anymore.

Nicole: Yes, and then they got hit with ransomware.

Rachael: Yes, yes!

Eric: Welcome to the business. Never stick your head up too far.

Rachael: The great irony. Yes.

Eric: The only thing in cyber that you can count on is if you stay below the high watermark, you're probably better off than not.

Nicole: It is not sad, though, because I'm seeing that across the board with disinformation and also just Twitter civics in general. The answer is don't say something too bold. Don't stand out. Or too important, don't stand up. Don't be a tall poppy because you're going to get cut down.

Eric: There's no real cost. I mean, that's the reality of it. There's so little to no cost. It's almost fun to go after them, but maybe that is the answer. If we don't cover ransomware, these companies can't just count on the insurance to bail them out. Get them new equipment, which they didn't have a budget for anyway and everything else. Maybe they do have to do a little more. That's only a small piece of it if you ask me, though.

The Cyber Trenches

Rachael: So I would be interested, Nicole, and we're talking about all these things and what a complicated landscape this is. There's no really clear path on how we get ahead of things and who's got the stick. After this many years, I like to call the cyber trenches. Do you have optimism for the cyber path ahead for the next five to ten years?

Nicole: I do not. I think we are approaching rock bottom, but I don't think we're there yet. We just talked about the visual coming from the Colonial Pipeline hack. I think that is what people need to see. We do have a new administration who got up there. The president got up on the podium to talk about a ransomware attack. Don't underestimate that. That is a huge step forward.

Eric: It's big.

Nicole: And it's not political to say that anyone who was working on cybersecurity over the previous four years was sort of doing so under cover of darkness. We didn't hear a lot about what Chris Krebs, Matt Masterson, and CISO were doing in terms of election security until very close to the election. Then they were very vocal after the fact, but when people would walk into the White House, Kirstjen Nielsen, and say we need to talk about election security.

Nicole: They were basically given the Heisman and told to never bring it up again. So the fact we have this new administration here saying cybersecurity is a top priority. Squeezing cybersecurity funding into the COVID relief bill and infrastructure bill. Putting in place the most prescriptive EO on cyber we've ever seen, even if it's not enough. Even if it's just the bare minimum or just a road map. That's a good start.

The Right People For the Job

Nicole: The people that they have nominated for these positions like Chris Inglis to be our national cybersecurity director, Jen Easterly who's fantastic. I have not heard anyone say a single negative thing about her. And obviously Anne Neuberger, these are the right people for the job. But as we have talked about, this is not simple. This is complicated, it's complex.

Nicole: It's even harder to do in a democratic government where so much of our economy and our critical infrastructure is governed by the private sector. Our adversaries don't have that problem. So we're going to have to think really creatively about solutions. We're going to have to pull in people from the private and public sector. And we're going to have to make individuals aware of this. So we're making progress on the awareness front, but so much of this is going to come down to execution.

Nicole: I do think there's going to be a fair amount of pain in the short term before we get to where we really need to be. But we have no choice. These attacks aren't going away. They're just going to get more frequent and more disruptive and more destructive. So at some point, we're going to have to change our behavior. It's just a matter of when that's going to happen and what it's going to take.

Eric: Yes, I'd agree with you. It's a really tough space. I think we need some kind of event to get us on the right track to change our way of thinking.

Nicole: Yes, it's so sad, though, because when I started on this beat ten years ago, CrowdStrike was just getting started.

[37:29] The Big Event

Nicole: I remember talking to the guys there, and I said, "What's it going to take?" And they said, "I think it's going to take a big event." That was ten years ago, and I guess we still haven't really had that big event here in the United States. So maybe they're right. Maybe you're right.

Eric: It hasn't been big enough.

Nicole: I just think it's almost a distraction from where we already are, and we have to start calling out where we already are. Our intellectual property's been pillaged by China for the last couple of decades. Iran used to have zero cyber capabilities when I started on this beat. Now they're one of the most prolific actors we saw last year.

Nicole: Russia is clearly testing their capabilities and messing around with attribution. Getting closer and closer to being able to pull off something really calamitous here. They just haven't had the geopolitical impetus yet. Ransomware has really become our digital pandemic, and there were a lot of lessons for good people. Nicole: But there were a lot of lessons for bad actors to be taken from the Colonial Pipeline attack. So I'm afraid we're going to see more ransomware attacks on industrial systems. Maybe that's what it's going to be. But I don't like the big event discussion so much because I always think it's a distraction from where we already are. And where we already are is not good either.

Eric: But each of these attacks really become or has become just an isolated incident with limited consequences. I mean, my information was stolen in OPM. It was one of the most costly attacks on the U.S. government in modern times, just from our capabilities perspective.

Another Event on the Spectrum

Eric: What we can't do as a result of that. But nobody talks about it anymore, rarely, I should say, even in government. We just assume that that is what happened. You look at Sunburst, we're still working through it. But it's just going to be another event on the spectrum with WannaCry and Petcha, on and on and on. There has to be a significant cost, and acute cost, also. What you're talking about with the intellectual property, Nicole.

Eric: Two to $600 million a year rolling over to China from industrial espionage, that's not acute enough. I mean, we haven't stopped it. We aren't taking it seriously. Yet it will eclipse the entire defense budget for the United States at some point if it hasn't already. And yet we're not taking it seriously enough.

Nicole: Right. The thing about it, though, is it's the silent killer. When you just look at the ransomware attacks we've had this year or over 2020, it was horrible. They were hitting schools and companies and the Honeywell and Dutch cheese industry I saw was hit recently. People couldn't get their Gouda in Holland, God forbid. But what ransomware has done is almost done us a favor in that the victims, they are outed in those ransomware attacks.

Nicole: They're getting outed even more today because now ransomware attackers are leaking their data in addition to just encrypting it. So suddenly, we see this ransomware as a pandemic. Well, the amount of Chinese intellectual property hacks was probably even more frequent than the ransomware attacks we're seeing now. It's just that we didn't see it, and everyone was sort of burying their own incident.

Eric: Certainly more severe.

Nicole: Yes, certainly more severe and more costly.

Never Out of Business

Eric: But even when we see it, I mean, look at it like in Equifax. Stocks higher than ever, back in business, never out of business, tons of data lost. I don't know how many people lost their jobs there. It's been a while, but there might have been one or two that were brought up on insider trading charges. I don't even know how they resulted, but I don't think there was a lot of consequence to anybody. That was pretty significant at the time.

Nicole: The other thing, too, and we sort of touched around this is China, when they hacked the New York Times. I had the fortune of sitting there and watching what they were doing. Then use that as sort of a launchpad for covering unit 61398. And all of the other ministry of state security contractors that were hacking American companies, and then the OPM breach.

Nicole: For the most part, they were doing all of those attacks with spear-phishing or other sort of basic means. Aurora was sort of the one caveat there that they used a zero day. But for the most part, they were using these basic methods. Well, by the end of my book, I talk about how they recognize the need to be even stealthier.

Nicole: They started telling their best security researchers and hackers to not show up at the western hacking conferences, own to own anymore. To keep their capabilities in house and to give the government the right of first refusal if they did discover a zero day in a critical system. No one really paid attention to that, but all of a sudden, where are we seeing those go?

iOS and Android Zero Days

Nicole: Well, there was a hack that used IOS and Android Zero days in a watering hole attack. It was aimed at people visiting Uyghur website a couple of years ago. So we saw them sort of testing these out on Uyghurs. Then we saw the Microsoft Hafnium attack. They used a zero day in Microsoft Exchange servers to go to town on these defense contractor systems.

Nicole: That is something to pay attention to, sort of the advancing of China's stealthy capabilities. I worry that we're going to miss a lot of what China is doing. Especially now that they've really sort of deployed more stealthy zero day tactics in these attacks. It's just tangential a little bit to our conversation, but it makes them harder to track and it's worrying.

Eric: Well, let me ask you a question. Even when we know about them we don't really do a lot about it. So does it matter whether we know or don't know? Nicole: Well, I don't know. I watched Anne Neuberger talk about how the government handled the Hafnium attack. How they brought in the private companies right away to say what we are going to do. We watched the FBI do something completely unprecedented which was patched by warrant. Get a warrant to access all the still vulnerable systems to patch them. That is unprecedented.

Nicole: We can debate the privacy implications and what the future implications would be of them using that for a very different reason. But that is some serious creativity right there. So it's like we have been doing a little bit more in just this administration's first five months.

[44:25] More Creative Solutions

Nicole: I think we're looking towards more creative solutions. It's not like we're just pretending that these things aren't happening like we were ten years ago. There's a little bit of optimism there for you.

Rachael: Well, I like that as an ending. Optimism. We'll take it where we can get it.

Eric: I have one question for Nicole Perlroth as we finish up. I'll try not to go pessimistic here. Nicole, you comment near the end, I never miss the elephants more. I feel like I can relate to you. I've been to Africa, and it's such a quiet and peaceful place in many ways.

Nicole: Yes, but you know what I didn't mention, and this is going to be in my next story, scoop.

Eric: Oh, good, a scoop. Nicole: So my brother-in-law is a wildlife conservationist who works with a lot of African organizations. He lived in Kenya for a long time, and we were talking the other day about what the wildlife conservationists now have to do. Because they're getting hacked by these billion-dollar nation-state-backed poachers and poaching industry. So much of what North Korea's doing besides hacking cryptocurrency exchanges is wildlife trafficking.

Nicole: China's been basically quietly allowing the ivory poaching to happen. So these scientists in the field are expected now to defend themselves and their GPS collars. They're tagging these endangered species from these basically nation-state-backed threats. So that's going to be my next story. What does that even look like?

Eric: I hadn't even heard that. That's crazy.

Rachael: That is crazy.

Eric: Okay, Rachael. So we need to bring it back.

Nicole: Elephants are getting slaughtered.

Eric: We've got the president talking about it.

America Is More Aware

Nicole: I miss the elephants, now they're getting slaughtered.

Eric: We've got some great people in the administration. We're talking about this. America is more aware. There's some hope out there.

Rachael: Yes, there is, and I think coming back to elephants, I will say, I love the Sheldrick Wildlife Trust. Thank goodness that there are these amazing organizations out there. They’re trying to do everything they can to keep them safe and all the things. I always like to think the good guys win in the end, myself. That's my optimism.

Nicole: I think they do. It's just how long is it going to take? Are we going to wait for every elephant to be dead before we realize that we need to do something for other species? Similarly in cyber, are we going to wait until everyone gets ransomwared and our critical infrastructure is ransomwared? The lights go off before we do something.

Nicole: Hopefully, discussions like these help move the ball forward. Help get people thinking about this and help get people into this industry. I just heard Mark Montgomery, who headed up the Cyberspace Solarium Commission, say we have a 33% shortage of cybersecurity professionals in the United States. It comes out to a girth of something like 350,000 people.

Eric: No, it's reported to be a million to four million, depending on the data. I think ICCC has said it's well over one to two million people minimum there. It's crazy.

Nicole: These conversations help. It's been really fun to get emails from young women in particular who say, "Wow, I just read your book. I really want to get into the game, I want to get into cybersecurity. Where do you recommend that I start?

Eric: Just apply. I got the answer. Just apply. That's it, really. You could be an artist, a musician, a math scholar. Just apply. There are so many openings, there's so much opportunity out there. All you have to do is apply.

Eric: It's a great market, and that is a great note to finish on, actually, Nicole. Thank you. We spent so much time on diversity and figuring out how to get more tech talent, more people into this business to help. That's a great outcome from the book.

Journalists Have the Best Perspective

Eric: Well, thank you for spending time with us, I can't wait until the next one. I read all of your articles, all of David's articles. Journalists have the best perspective on this because you kind of do the 360 study of everything that's going on in the space. So keep writing, please. It's been great.

Nicole: Thank you.

Rachael: Very thoughtful reporting, and I appreciate it because I know that's not easy work, but it's so critical. So thank you very much.

Eric: Okay, Rachael, so I just checked our iTunes ratings. We're at a 4.6 on a 5 scale. We need more subscribers to smash that subscribe button. Give us some favorable feedback. We really appreciate it. It means a lot to us. Please, let us know what you like and dislike. Nicole, I can't thank you for spending your time with us today and for the work you're doing.

About Our Guest

Nicole Perlroth covers cybersecurity and digital espionage for The New York Times. She has covered Russian hacks of nuclear plants, airports, and elections, North Korea's cyberattacks against movie studios, banks, and hospitals. Iranian attacks on oil companies, banks and the Trump campaign, and hundreds of Chinese cyberattacks, including a months-long hack of The Times. Her first book, “This Is How They Tell Me the World Ends,” about the global cyber arms race, published in February 2021. The book, and several of her Times articles, have been optioned for television. A Bay Area native, Ms. Perlroth is a guest lecturer at the Stanford Graduate School of Business and a graduate of Princeton University and Stanford University.