The book: This is How They Tell me The World Ends: The Cyber Weapons Arms Race (Bloomsbury) offers terrifying insights into the global — yet invisible — cyberweapons market, and the role governments play within it. Nicole Perlroth ’04 is an expert reporter on cybersecurity and digital espionage, and her New York Times bestselling book recently won the prestigious FT/McKinsey “Best Business Book of the Year” prize. McKinsey praised the book for its analysis of “the threat posed by the arms race between cyber criminals, spies, and hackers fighting to infiltrate essential computer systems.”

The author: Nicole Perlroth ’04 is an award-winning cybersecurity and digital espionage journalist. She has covered the gamut from Russian hacks of airports to cyberattacks on the Trump campaign. She is also a regular lecturer at the Stanford Graduate School of Business. Perlroth is a graduate of Princeton University and Stanford University.

Excerpt:

Prologue

Kyiv, Ukraine

By the time my plane touched down in Kyiv—in the dead of winter 2019—nobody could be sure the attack was over, or if it was just a glimpse of what was to come. A note of attenuated panic, of watchful paranoia, had gripped our plane from the moment we entered Ukrainian airspace. Turbulence had knocked us upward so suddenly I could hear bursts of nausea in the back of the plane. Beside me, a wisp of a Ukrainian model gripped my arm, shut her eyes, and began to pray.

Three hundred feet below, Ukraine had gone into orange alert. An abrupt windstorm was ripping roofs off apartment buildings and smashing their dislodged fragments into traffic. Villages on the outskirts of the capital and in western Ukraine were losing power—again. By the time we jerked onto the runway and started to make our way through Boryspil International Airport, even the young, gangly Ukrainian border guards seemed to be nervously asking one another: Freak windstorm? Or another Russian cyberattack? These days, no one could be sure. One day earlier, I had bid my baby adieu and traveled to Kyiv as a kind of dark pilgrimage. I came to survey the rubble at ground zero for the most devastating cyberattack the world had ever seen. The world was still reeling from the fallout of a Russian cyberattack on Ukraine that less than two years earlier had shut down government agencies, railways, ATMs, gas stations, the postal service, even the radiation monitors at the old Chernobyl nuclear site, before the code seeped out of Ukraine and haphazardly zigzagged its way around the globe. Having escaped, it paralyzed factories in the far reaches of Tasmania, destroyed vaccines at one of the world’s largest pharmaceutical companies, infiltrated computers at FedEx, and brought the world’s biggest shipping conglomerate to a halt, all in a matter of minutes.

The Kremlin had cleverly timed the attack to Ukraine’s Constitution Day in 2017—the equivalent of our Fourth of July—to send an ominous reminder to Ukrainians. They could celebrate their independence all they wished, but Mother Russia would never let them out of its grip. The attack was the culmination of a series of escalating, insidious Russian cyberattacks, revenge for Ukraine’s 2014 revolution, when hundreds of thousands of Ukrainians took to Kyiv’s Independence Square to revolt against the Kremlin’s shadow government in Ukraine and ultimately oust its president, and Putin’s puppet, Viktor Yanukovych. Within days of Mr. Yanukovych’s fall, Putin had pulled Yanukovych back to Moscow and sent his forces to invade the Crimean Peninsula. Before 2014, the Crimean Peninsula was a Black Sea paradise, a diamond suspended off the south coast of Ukraine. Churchill once coined it “the Riviera of Hades.” Now it belonged to Russia, the infernal epicenter of Vladimir Putin’s standoff with Ukraine.

Putin’s digital army had been messing with Ukraine ever since. Russian hackers made a blood sport of hacking anyone and anything in Ukraine with a digital pulse. For five long years, they shelled Ukrainians with thousands of cyberattacks a day and scanned the country’s networks incessantly for signs of weakness—a weak password, a misplaced zero, pirated and unpatched software, a hastily erected firewall—anything that could be exploited for digital mayhem. Anything to sow discord and undermine Ukraine’s pro-Western leadership. Putin laid down only two rules for Russia’s hackers. First, no hacking inside the motherland. And second, when the Kremlin calls in a favor, you do whatever it asks. Otherwise, hackers had full autonomy. And oh, how Putin loved them. Russian hackers are “like artists who wake up in the morning in a good mood and start painting,” Putin told a gaggle of reporters in June 2017, just three weeks before his hackers laid waste to Ukraine’s systems. “If they have patriotic leanings, they may try to add their contribution to the fight against those who speak badly about Russia.”

Ukraine had become their digital test kitchen, a smoldering hellscape where they could test out every hacking trick and tool in Russia’s digital arsenal without fear of reprisal. In the first year, 2014, alone, Russian state media and trolls barraged Ukraine’s presidential election with a disinformation campaign that alternately blamed the country’s mass pro-Western uprisings on an illegal coup, a military “junta,” or “deep states” in America and Europe. Hackers stole campaign emails, prowled for voter data, infiltrated Ukraine’s election authority, deleted files, and implanted malware in the country’s election reporting system that would have claimed victory for a far-right fringe candidate. Ukrainians discovered the plot just before the results were reported to Ukraine’s media. Election security experts called it the most brazen attempt to manipulate a national election in history. In retrospect, this should have all set off louder alarm bells in the United States. But in 2014, Americans’ gaze was elsewhere: the violence in Ferguson, Missouri; the horrors of ISIS and its seeming emergence out of nowhere; and, on my beat, the North Korean hack of Sony Pictures that December, when Kim Jong-un’s hackers exacted revenge on the movie studio for a Seth Rogen– James Franco comedy depicting the assassination of their Dear Leader. North Korean hackers torched Sony’s servers with code, then selectively released emails to humiliate Sony executives in an attack that offered Putin the perfect playbook for 2016.

For most Americans, Ukraine still felt a world way. We caught passing glimpses of Ukrainians protesting in Independence Square, and later celebrating as a new pro-Western leadership replaced Putin’s puppet. Some kept an eye on the battles in eastern Ukraine. Most can recall the Malaysian airplane— filled with Dutch passengers—that Russian separatists shot out of the sky. But had we all been paying closer attention, we might have seen the blaring red warning lights, the compromised servers in Singapore and Holland, the blackouts, the code spiking out in all directions. We might have seen that the end game wasn’t Ukraine. It was us.

Russia’s interference in Ukraine’s 2014 elections was just the opening salvo for what would follow—a campaign of cyberaggression and destruction the world had never seen. They were stealing a page from their old Cold War playbooks, and as my taxi made its way from Boryspil to Kyiv’s center, Independence Square, the bleeding heart of Ukraine’s revolution, I wondered which page they might read from next, and if we’d ever get to a place where we might anticipate it. The crux of Putin’s foreign policy was to undercut the West’s grip on global affairs. With every hack and disinformation campaign, Putin’s digital army sought to tie Russia’s opponents up in their own politics and distract them from Putin’s real agenda: fracturing support for Western democracy and, ultimately, NATO—the North Atlantic Treaty Organization—the only thing holding Putin in check. The more disillusioned Ukrainians became—where were their Western protectors, after all?—the better the chance they might turn away from the West and return to the cold embrace of Mother Russia.

And what better way to aggravate Ukrainians and make them question their new government than to turn off Ukraine’s heat and power in the dead of winter? On December 23, 2015, just ahead of Christmas Eve, Russia crossed a digital Rubicon. The very same Russian hackers that had been laying trapdoors and virtual explosives in Ukrainian media outlets and government agencies for months had also silently embedded themselves in the nation’s power stations. That December they made their way into the computers that controlled Ukraine’s power grid, meticulously shutting off one circuit breaker after another until hundreds of thousands of Ukrainians were without power. For good measure, they shut down emergency phone lines. And for added pain, they shut off the backup power to Ukraine’s distribution centers, forcing operators to fumble around in the dark. The power wasn’t out long in Ukraine—less than six hours—but what happened in western Ukraine that day is without precedent in history. The digital Cassandras and the tinfoil-hat crowd had long warned that a cyberattack would hit the grid, but until December 23, 2015, no nation-state with the means had the balls to actually pull it off.

Ukraine’s attackers had gone to great lengths to hide their true whereabouts, routing their attack through compromised servers in Singapore, the Netherlands, and Romania, employing levels of obfuscation that forensics investigators had never seen. They’d downloaded their weapon onto Ukraine’s networks in benign-looking bits and pieces to throw off intrusion detectors and carefully randomized their code to evade antivirus software. And yet Ukraine officials immediately knew who was behind the attack. The time and resources required to pull off a grid attack with that level of sophistication were simply beyond that of any four-hundred-pound hacker working from his bed. There was no financial profit to be gleaned from turning off the power. It was a political hit job. In the months that followed, security researchers confirmed as much. They traced the attack back to a well-known Russian intelligence unit and made their motives known. The attack was designed to remind Ukrainians that their government was weak, that Russia was strong, that Putin’s digital forces were so deep into Ukraine’s every digital nook and cranny that Russia could turn the lights off at will. And just in case that message wasn’t clear, the same Russian hackers followed up one year later, turning off Ukraine’s power again in December 2016. Only this time they shut off heat and power to the nation’s heart—Kyiv—in a display of nerve and skill that made even Russia’s counterparts at the National Security Agency headquarters in Fort Meade, Maryland, wince.

Reprint with permission from Nicole Perlroth, published by Bloomsbury Publishing. Copyright © Nicole Perlroth 2020.

Reviews:

“Possibly the most important book of the year … Perlroth’s precise, lucid, and compelling presentation of mind-blowing disclosures about the underground arms race is a must-read exposé.” — Booklist

“Nicole Perlroth does what few other authors on the cyber beat can: She tells a highly technical, gripping story as if over a beer at your favorite local dive bar. A page-turner.” — Nina Jankowicz, author of How to Lose the Information War