CSO Perspectives (Pro) 4.25.23
Ep 5566 | 4.25.23

Bonus: 2023 Cybersecurity Canon Hall of Fame inductee: This Is How They Tell Me the World Ends by Nicole Perlroth.


Rick Howard: You're listening to the 2012 song "Hall of Fame" by The Script and will.i.am, which means it's that time of year again. The Cyber Security Canon Committee has announced the Hall of Fame inductees for the 2023 season to coincide with the RSA Conference, and I got to interview the winning authors and canon committee members who recommended the book. As you all know, N2K and the leaders of the Cyber Security Canon Project team up each year to highlight this valuable and free resource for the entire InfoSec community, to find the absolute must-read books for the cyber security professional, and the book we're going to talk about next, the next inductee into the Canon Hall of Fame this year, is This Is How They Tell Me the World Ends: The Cyberweapons Arms Race, by Nicole Perlroth. So, hold on to your butts.

Hold onto your butts.

Rick Howard: This is going to be fun. My name is Rick Howard, and I'm broadcasting from the CyberWire's alternate Secret Sanctum Sanctorum Studios, located underwater somewhere along the San Francisco-Oakland Bay Bridge in the good old US of A. And the interns can't be more ecstatic for this change of venue. Hey, hey, hey, hey, settle down back there. This is only temporary. It's back to the Baltimore underwater lair next week. You don't want to give them too much hope. And you're listening to CSO Perspectives, my podcast about the ideas, the strategies, and the technologies that senior security executives wrestle with on a daily basis. Before we get started, the CyberWire will be out in force at the RSA Conference this year. Dave Bittner and crew, including me, will be hanging out at the Marriott Marquis Hotel, second level, Foothill H Boardroom. If you're in the vicinity, stop by. If we're not doing a live interview, we would love to see you. As for me, I'm giving a presentation on Wednesday afternoon, 26 April, at 2:25 pm, called The Emperor Has No Clothes, about the evolution and current state of the CSO position, with my pal, Todd [inaudible]. And immediately after, I'm signing copies of my book, Cyber Security First Principles: A Reboot of Strategy and Tactics, at the conference bookstore in Moscone South from 3:30 to 4:30. And speaking of books, if you're looking for your next cyber security book to read, besides mine of course, members of the Cyber Security Canon Community will be at the bookstore Monday, Tuesday, and Wednesday, from 2:00-3:00 pm, to help you decide your next most favorite read. They can point you in a direction to match your interests. So, with all those announcements out of the way, it's time to talk about the book.

Nicole Perlroth: I'm Nicole Perlroth. I am a cyber security journalist and author, and an advisor to the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security.

Rick Howard: Nicole is being quite modest. She is a world-class journalist who has worked for Forbes Media covering business issues, and for the New York Times for over a decade on the cyber beat. While at the New York Times, she covered the Russian hacks on nuclear plants, airports, elections, and petrochemical plants; North Korea's cyber-attack against Sony Pictures, Bangladesh banks, and crypto exchanges; Iranian attacks on oil companies, banks, and dams; and thousands of Chinese cyber-attacks against American businesses, including leading the investigation of the month-long Chinese attack on the New York Times. She's been widely cited and published in the New Yorker, the Wall Street Journal, Wired, The Economist, and a host of other well-known journalistic outlets. Her outing of hacking divisions within China's PLA compelled the first United States hacking charges against the Chinese military and earned her the prestigious Best in Business Award from the Society of American Business Editors and Writers. And her investigation into commercial spyware was nominated for a Pulitzer Prize. Perlroth left the New York Times in 2021 and is now an advisor to the Cybersecurity and Infrastructure Security Agency, CISA. I talked to her just before the holidays about her Canon Hall of Fame book. First, just let me congratulate you on being inducted into the Cyber Security Canon Hall of Fame. The first time I read your book was early last year, and I've been advocating for it ever since. So, congratulations.

Nicole Perlroth: Thank you so much. I think it's been incredible to see the impact the book has had, and it's won some awards in really different spaces. It won the FT & McKinsey Business Book of the Year Award, but it also won a bronze medal from the Council on Foreign Relations, but I think this award might mean the most to me. You know, it took me seven years to write this thing, and I think that was because I was so worried about what the cyber security community and technical community would say about a book that was really written for the layperson. Every time I wrote a description of a zero-day or some, what [inaudible] did, I just knew, oh, my God, I'm going to get pillaged on Twitter for this definition. And I would, like, step back from the computer for a month, you know, it's just, it was not realizing. So, the fact it's getting recognition from this community, it means so much to me. So thank you.

Rick Howard: Your book is about a lot of different things. But one of the main topics is the current state of the software exploitation market. And I've been doing this cyber security thing for a long time now, I can tell you that many of my peers only have a really thin understanding of these ecosystems. I mean, they know they exist, but they don't really pay attention to them, or really know anything about them. So what compelled you to write about that? What was the, what was the hook there?

Nicole Perlroth: So I think it was a couple of things. I think one, like I say in the book, the zero-day market is like Fight Club, you know, the first rule of the zero-day market is nobody talks about the zero-day market. The second rule, nobody talks about the zero-day market. Any time there's anything that no one will talk about, it's like a magnet for a journalist. It's like, why are we not talking about this? And you know, there are technical reasons why we don't talk about it, you know, the minute a zero-day gets discovered, its value turns to dust. But also I think there were tradeoffs being made, you know, we keep this hole open for our own espionage, counterintelligence, counterterrorism operations. We're keeping Americans more safe by leaving it open and then closing it shut. And maybe that was true 20 years ago, when we were all using different technology and no one was really in on this game yet, or aware it even existed, or where the zero-day market even existed. But that wasn't true anymore, you know, just from my little perch at the New York Times, I could see every government, I would say with the exception of Antarctica, someone added the Vatican to my list recently, is searching for, developing, or acquiring exploits. And they're all using it for their own definition of national security. You know, we do it to track terrorists, try to figure out what our adversaries are doing before there's some major incident here. In the Gulf they're doing it to track their version of national security, which is to prevent the next Arab Spring.

Nicole Perlroth: So it's depressing to send monitoring journalists, suppressing journalists, suppressing the free press, et cetera. China, you know, they're using them on the Uyghurs, and anyone who is critical of the Chinese Communist Party, et cetera, et cetera, et cetera. And so-- and the world had changed because of globalization, you know, we're all using for the most part, with a couple of exceptions, like maybe [inaudible], we're all using the same technology. So when you leave a vulnerability open in an iPhone, for instance, instead of telling Apple about it so they can fix it, you're not just leaving it open for enemies, you're leaving it open for Americans too. So I just could not reconcile that in my head, that we the American taxpayer pay governments to keep us safe, pay our own government to keep us safe, but in this one regard, in cyber security, they were trading on cyber security in the name of national security and justifying it in many ways along those lines, that this is critical for national security, when really, these two things were becoming one and the same. The more we were baking software into every nitty gritty, every nook and cranny of our economy, our critical infrastructure, you know, the more privacy became dependent on our iPhones, et cetera, the more the stakes were going up. So you put together these three things: this is something no one wanted to talk about; there are questions, I thought legitimate questions, to be asked about whether this left us more secure or less secure; and the stakes were getting higher. And that other governments were onto these too, so I guess four things. And I thought, this really needs to be busted open and we need to have a national conversation about this.

Rick Howard: Well, that kind of thing has been going on since the beginning. I mean, you know, there's always been this push-me-pull-you characteristic between what any government wants to do for gathering intelligence and, on the other side, protecting their citizens from bad things, but it wasn't until the internet got started that it became so easy to do. If you had some secret about how a hardware switch worked back in the '90s, okay, that can only be used in very specific cases, but now, like you said, everybody has an iPhone, you can find some exploit code that's reliable, that can be used almost anywhere. If you'd like to hear the rest of this interview, subscribe now to CyberWire Pro. Not only will you get to hear this interview in its entirety, but also all shows in the CSO Perspectives Podcast Series in total.

Rick Howard: The quarterly analyst call that I host, along with every podcast in the CyberWire network, ad free. And you all know, that's my favorite part. To subscribe, surf over to theCyberWire, all one word, dot com, slash pro. That's thecyberwire.com/pro. And I'd like to thank Nicole Perlroth for coming on the show to discuss her book, the latest inductee into the Cyber Security Canon Hall of Fame: This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. If you'd like to learn more about this book, as well as all the other books in the Cyber Security Canon series, surf on over to Ohio State University, the official sponsor for the Canon Project, at cybersecuritycanon, all one word, dot com. And finally, if you're attending the RSA Conference this year, there will be a Canon Committee member sitting at the RSA Conference bookstore, Monday, Tuesday, and Wednesday, from 2:00-3:00 pm, to help you find your next best cyber security read, which we all know will be my new book, Cyber Security First Principles: A Reboot of Strategy and Tactics. Links to all of this are in the show notes. And finally, if you're attending the RSA Conference, come find us. The CyberWire team will be hanging out at the Marriott Marquis Hotel, second level, Foothill H Boardroom. We would love to see you.