Cybersecurity and the Weapons of Cyberwar (#266) | Nicole Perlroth on the Lex Fridman Podcast

Check out the Lex Fridman Podcast episode page

Key Takeaways

  • “Any geopolitical conflict from now on is guaranteed to have some cyber element to it” – Nicole Perlroth
    • The Colonial Pipeline breach, among other breaches of infrastructure, was recently disclosed as a China-backed intrusion (CISA & FBI report)
    • Uighur ‘watering hole’ attack – visiting an informational website about Uighurs automatically dropped an iOS zero-day exploit onto your phone. “The Uighurs are China’s test kitchen for surveillance.” – Nicole Perlroth
    • It has already begun, continue reading for more examples
  • ‘Software eats the world’ is a dangerous and “dumb” narrative for critical infrastructure
    • Just because we can hook all of our systems up to the internet, doesn’t mean we should
    • The United States infrastructure is very vulnerable to digital threats – 80% or more of America’s critical infrastructure is owned and operated by the private sector with limited cybersecurity standards or legislative oversight
  • “The one rule is like fight club, nobody talks about fight club. Nobody talks about the zero-day market on both sides…When you’re operating in the dark like that, it’s really easy to put aside your morals.” – Nicole Perlroth
    • The current hacking environment promotes malicious action and disincentivizes proactive defense – we need to reestablish motivations among a new cohort of developers

Intro

Zero-day Vulnerability

  • Zero-day vulnerability – a vulnerability in a device or system that has not been disclosed to the party interested in mitigating the flaw
    • Hackers want to keep the vulnerability open as long as possible; they can only broker their exploits as long as the flaw is not patched
  • Zero-day exploit – code with which hackers take advantage of this vulnerability window for malicious reasons
    • Governments are paying hackers top dollar for zero-day exploits to monitor their critics and their own citizens
    • In the underground market for zero-day exploits, Android phones are more expensive to hack than iPhones

History of Hackers

  • This Is How They Tell Me the World Ends: The Cyberweapons Arms Race by Nicole Perlroth
    • How do hackers live with themselves knowing they are making someone’s life worse? What are their motivations?
  • Hacking started as a hobby; curious hackers would find zero-day vulnerabilities in large corporations for fun. The companies condemned them rather than asking them for assistance in patching the flaws.
    • This created a market with a large supply of zero-day vulnerabilities. Governments, nation-states, and criminal organizations swooped in and bought the zero-day vulnerabilities to exploit for both good and bad reasons.
    • Bug Bounty Programs – tech companies pivoted towards quality assurance through hacker programs, rather than labeling the hackers the enemy
  • Argentina is a hacker’s paradise – with limited access to technology infrastructure, you have to hack your way to access
    • “We’ll sell [exploits] to whoever brings us the biggest bag of cash” – Nicole Perlroth quoting The Godfather of the hacking scene
    • The hacking community doesn’t necessarily view the United States as the poster-child for morality, which impacts how they sell their exploits

We Should Talk about Fight Club

  • “The one rule is like fight club, nobody talks about fight club. Nobody talks about the zero-day market on both sides…When you’re operating in the dark like that, it’s really easy to put aside your morals.” – Nicole Perlroth
    • The hackers and zero-day brokers don’t want to lose their bounty or reputation (The Grugq)
    • The governments roll the exploits into classified programs that they want to keep secret
    • The current hacking environment promotes malicious action and disincentivizes proactive defense – we need to reestablish motivations among a new cohort of developers

Cyberattack Examples

Cyberwar & America’s Vulnerability

  • “Any geopolitical conflict from now on is guaranteed to have some cyber element to it” – Nicole Perlroth
    • Digital threats won’t be used just to gain intellectual property; they will be used for strategic geopolitical leverage
    • The Colonial Pipeline breach, among other breaches of infrastructure, was recently disclosed as a China-backed intrusion (CISA & FBI report)
  • The United States infrastructure is very vulnerable to digital threats
    • 80% or more of America’s critical infrastructure is owned and operated by the private sector
    • There is currently very little legislation requiring these companies to meet any sort of cybersecurity standard – requirements such as multi-factor authentication across these systems must be implemented
  • ‘Software eats the world’ is a dangerous and “dumb” narrative for critical infrastructure
    • Just because we can hook all of our systems up to the internet, doesn’t mean we should
    • We are irresponsibly increasing the number of unregulated attack vectors
    • “We’ve never shut down a promising new technology because it introduced risk, we just figured out how to manage that risk” – Nicole Perlroth

Edward Snowden

  • Is Edward Snowden a hero or a villain: Nicole says neither
    • Transparent communication about our privacy is essential, grateful that he cracked open these debates
    • But the biased reporting damaged the United States’ reputation as a protector of civil liberties. Even though there are flaws, other countries are much worse – this debate can’t happen in isolation.

Become a Hacker (for good)

  • If you have any interest, become a hacker and apply yourself to defense
    • There is a large deficit in candidates for defense cybersecurity jobs. Nicole says offense has always been more appealing, but defense is equally important; “it’s always been more fun to be a pirate than be in the coast guard.”
    • 3.5 million unfilled cybersecurity positions around the world
Notes By Drew Waterstreet