Nicole Perlroth ’04 is now an adviser to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
Jason Henry/The New York Times
Perlroth believes she’s done everything possible to draw awareness to the issue as a reporter

Award-winning cybersecurity reporter Nicole Perlroth ’04 didn’t start her journalism career writing about cybersecurity or even tech. She started with a tabloid exposé — on food. 

In 2007, Perlroth was taking a nighttime journalism class at New York University taught by a New York Post columnist who suggested researching fancy New York City restaurants that had health violations. So Perlroth, who was working in marketing at the fashion company Coach during the day, began spending her evenings poring over records from the Department of Health until she found a restaurant in Chelsea that had a terrible report. She talked to the owner, who told her the inspector came in, got drunk at the bar, passed out, and then gave the restaurant an abysmal report to justify why he had spent several hours there — and it was all on video. That story became Perlroth’s first byline, a freelance piece in the New York Post that ran under the headline “It’s Inspector ‘Snooze’-eau.” 

She filled her living room with nearly 100 copies, Perlroth recalls. “At that moment, I said, ‘OK, I’ve never done anything with journalism, but this is interesting, this is intellectually stimulating, and it looks like you can actually change things.’”

Perlroth eventually found her niche writing about cybersecurity, something she did for a decade at The New York Times, which positioned her for a new role as an unpaid adviser to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). It’s also the subject of her 2021 bestselling book This Is How They Tell Me the World Ends: The Cyberweapons Arms Race, which won the Financial Times and McKinsey Business Book of the Year Award last year. The book traces the market for cyberweapons and vulnerabilities — flaws in code. Governments and independent hackers are constantly discovering these flaws and must decide what to do with them. Do they hoard the discoveries for their own future use, sell them to others, or disclose them so they can be patched? 

Perlroth’s reporting spans the globe, from Ukraine to Israel, and she is a central figure in the book, taking the reader along with her as she tries to uncover the shadowy, secretive figures who buy and sell code vulnerabilities and the tools used to exploit them.

Book jacket of This Is How They Tell Me the World Ends: The Cyberweapons Arms Race
While reporting on the latest cybersecurity news, Perlroth had grown concerned about governments stockpiling vulnerabilities — a story that wasn’t getting through to many of her readers. “That became the impetus for the book,” she says. “I need to write this as a nonfiction narrative where, unfortunately, I even have to be in this grabbing the reader by the hand.”

In some ways, Perlroth is an unlikely figure to be a star cybersecurity reporter or one of the main characters in a book about cyberweapons. She had no technical background and only ended up covering tech firms because she wanted to return to the West Coast. She pitched her editors at Forbes magazine to relocate her from New York to the Bay Area to cover venture capital. Then, in 2010, Perlroth got a phone call from The New York Times inviting her to interview for a job as a cybersecurity reporter.

“I said, ‘You’ve got to be kidding me,’ ” Perlroth recalls. She ultimately got the job because she could explain cybersecurity issues in an accessible, not-too-technical way for a non-technical audience. 

An early Times assignment that made a strong impression on Perlroth dealt with the hacking of the paper’s servers by China in 2012. Perlroth embedded with the team from the security firm Mandiant that was investigating the breach and witnessed firsthand how cyberespionage was like a 9-to-5 job for Chinese hackers. Originally, Perlroth and the investigators thought the hackers might be trying to find a way to turn off the paper’s printing press or sabotage its operations, but they later concluded it was an espionage incident, aimed at discovering the sources for a series of stories about corruption and the Chinese Communist Party.

Perlroth published a long article detailing the breach in January 2013. It changed her outlook on what it meant to cover cybersecurity and the scope of the problem she was up against. “Nobody is talking about this,” she says. 

While her nontechnical background turned out to be an advantage, it also has its drawbacks, she readily admits. In particular, when writing her book, Perlroth worried constantly about how it would be received. 

“I fact-checked this book to death, but I knew there were going to be some technical descriptors in there that were going to drive people crazy,” Perlroth says. That happened, but these critics — a small number of people in the field — weren’t the people she was trying to reach. 

Writing the book also forced her to think through and suggest some possible solutions. The final chapters include sweeping proposals to reform how the United States government handles computer vulnerabilities and develops cyber capabilities. 

As for Perlroth’s new role, it was an idea she’d gotten from a fellow Princeton alum, Kiersten Todt ’94, who is the chief of staff for CISA director Jen Easterly. She asked Perlroth if she might be interested in helping CISA ramp up its cybersecurity efforts.

At CISA, Perlroth is hoping to help establish a program for private-sector cybersecurity experts to spend some time in government and develop other pathways to recruit technical minds to work for the government. She’s also starting to think about working with cybersecurity start-ups.

Perlroth ultimately decided to move on from journalism, as she believes she’s done everything possible to draw awareness to the issue as a reporter. She adds, “I think I could have more impact behind the scenes.”