The New York Times journalist and author of “This Is How They Tell Me The World Ends,” Nicole Perlroth, shares her predictions for the future and life-saving cybersecurity tips.
If your idea of a dystopian future is one where every facet of our lives is digital, Nicole Perlroth’s new book, This Is How They Tell Me The World Ends will do nothing to dampen your fears.
Perlroth, an award-winning cybersecurity journalist for the New York Times, has traveled the world investigating the cyber arms race, one of the biggest threats to national security. Through conducting interviews in Kiev with cybersecurity experts over Russian vareniki dumplings and sifting through Wikileaks docs in a windowless room at the Times headquarters in Manhattan, Perlroth has illuminated the advanced stage of the cybersecurity crisis. Delving into the complexities of “zero-day” malware and the even more complex zero-day market, This Is How They Tell Me The World Ends is a sobering exposé of the cyberwar we can no longer ignore.
On the heels of her book tour, we asked Perlroth how to conscientiously navigate our cyber-vulnerable world.
What steps did you take to protect yourself and your data when it became widely known that you were a journalist covering the zero-day market?
Nicole Perlroth: My advice to everyone is: You can’t protect everything, so think about what your crown jewels are and protect them with your life. For me, that’s my sources. Without them, I can’t do my job. At worst, they might be picked up and prosecuted for sharing confidential, or classified, information with me. In some cases, they might be picked up and prosecuted because of the mere suspicion that they’ve spoken to me. So while I can’t protect everything, I can do everything in my power to protect them; this means taking our most sensitive conversations—in some cases all communications—offline. That means going to extremes like meeting in person, without devices, or without even driving or Ubering to the meeting place, since the GPS in our apps, phones, and cars can be tracked. That’s why you saw Chinese APTs (nation-state hackers) target the travel and hospitality industries, airlines and hotels like Marriott. The goal was to cross-match the travel of Chinese citizens with American government workers to root out spies and double agents. I’ve covered enough of those breaches that I know these are not hypothetical threats.
Unfortunately, the pandemic made in-person meetings that much more difficult. When an in-person meeting can’t be accommodated, I’ve turned to encrypted messaging apps like Signal. But even that is not enough to avoid a keystroke logger tracking everything I type, so I am hyper-vigilant about protecting my devices. That means updating my software as soon as updates become available, turning on multi-factor authentication whenever possible, using long, different passwords for different sites, and never clicking on any links or attachments until I have confirmed directly with the sender that they sent me the message. A helpful acronym I heard recently for this is: EMAIL. It stands for Examine Messenger and Inspect Link. Easy to remember.
Knowing the vulnerabilities of a nation that depends on the Internet of Things, do you see a future where we scale back and revert to analog for some services? Or is increased cybersecurity our only hope?
Nicole Perlroth: I do think we are headed to a place where we will be pulling our most critical systems—the chemical controls at a water treatment plant for instance—offline. But that’s not a scalable solution. In the meantime, we need to stop baking vulnerable, buggy software into safety-critical systems like the power grid, nuclear plants, water and wastewater treatment facilities, and food production. Windows and Linux were designed for desktop computers. They were never designed to run our power grid and weapons systems. In the future, I think we’ll get to a place where we will only use stripped-down, vetted software for these safety-critical systems. But we’re in for a lot of short-term pain before we get there.
What is one way the daily internet user can combat misinformation campaigns that run rampant on social media before elections?
Nicole Perlroth: I think the “Rumor Control” page that CISA, the cybersecurity agency at DHS, created ahead of 2020 was a terrific start. We need more of that.
Are there tech companies or organizations that you do implicitly trust with your data?
Nicole Perlroth: I trust companies like Green Hill Software, which fit the description I laid out above. The first system that used Green Hill’s operating system was the B1B intercontinental missile delivery system. With that end user in mind, they knew they had to design software that could not afford a single error, or bug, that could be exploited by the enemy. They wrote and vetted their software accordingly. That is the only kind of software that we should be baking into other weapon systems, but also into self-driving cars, the grid, etc.
In a recent interview you did with former White House Chief of Staff Leon Panetta for the Times, you quote him as saying, “It’s like there’s a fire and you’re ringing a bell, but the fire department doesn’t show.” Whether it’s corporations, individuals, or national intelligence, who needs to be listening more carefully to these alarm bells and answering the call?
Nicole Perlroth: This applies to every level of society. Government needs to develop policies that prioritize our cyber defense. They need to break down the silos that impede cyber collaboration among intelligence and law enforcement agencies. Businesses need to do the same. They cannot continue to allow themselves to be so easily hacked via phishing campaigns, stolen passwords, outdated software, and a lack of multi-factor authentication. They need to invest in the tools, people, and culture of cybersecurity awareness. Individuals also need to understand that they are not only responsible for their own cybersecurity, but that of their employers, friends, and family. They say security is only as good as the weakest link and individuals—us—continue to be the weakest link. We need to build cyber awareness into public education from the bottom up, the same way the United States did[with the dangers of drug use] with “DARE” in the 1980s and 1990s, nuclear drills during the Cold War, and earthquake and fire drills today. That is the only way we are going to get to where we need to be as a nation prepared to withstand the next era of non-stop cyberattacks.