
March 9, 2022
Cybersecurity and the Weapons of Cyberwar (#266) | Nicole Perlroth on the Lex Fridman Podcast
Key Takeaways
- “Any geopolitical conflict from now on is guaranteed to have some cyber element to it” – Nicole Perlroth
- The Colonial Pipeline, among other breaches of infrastructure, just recently got disclosed as China-backed intrusions (CISA & FBI report)
- Uighur ‘watering hole’ attack – visiting an informational website about Uighurs automatically dropped an iOS zero-day exploit onto your phone. “The Uighurs are China’s test kitchen for surveillance.” – Nicole Perlroth
- It has already begun; continue reading for more examples
- ‘Software eats the world’ is a dangerous and “dumb” narrative for critical infrastructure
- Just because we can hook all of our systems up to the internet, doesn’t mean we should
- The United States infrastructure is very vulnerable to digital threats – 80% or more of America’s critical infrastructure is owned and operated by the private sector with limited cybersecurity standards or legislative oversight
- “The one rule is like fight club, nobody talks about fight club. Nobody talks about the zero-day market on both sides…When you’re operating in the dark like that, it’s really easy to put aside your morals.” – Nicole Perlroth
- The current hacking environment promotes malicious action and disincentivizes proactive defense; we need to reestablish motivations among a new cohort of developers
Intro
- Nicole Perlroth (@nicoleperlroth) is a cybersecurity journalist for The New York Times and author of the book, This Is How They Tell Me the World Ends: The Cyberweapons Arms Race.
- Lex and Nicole discuss the current state of hacker culture, digital geopolitical conflicts, and the cybersecurity vulnerabilities of America.
- Host: Lex Fridman (@lexfridman)
Zero-day Vulnerability
- Zero-day vulnerability – a vulnerability in a device or system that has not been disclosed to the party that’s interested in mitigating the flaw
- Hackers want to keep the vulnerability open as long as possible, because they can only broker their exploits as long as the flaw is not patched
- Zero-day exploit – hackers take advantage of this vulnerability window for malicious reasons
- Governments are paying hackers top dollar for zero-day exploits to monitor their critics and their own citizens
- In the underground market for zero-day exploits, Android phones are more expensive to hack than iPhones
History of Hackers
- This Is How They Tell Me the World Ends: The Cyberweapons Arms Race by Nicole Perlroth
- How do hackers live with themselves knowing they are making someone’s life worse? What are their motivations?
- Hacking started as a hobby: curious hackers would find zero-day vulnerabilities in large corporations for fun. The companies condemned them rather than asking them for assistance in patching the flaws.
- This created a market with a large supply of zero-day vulnerabilities. Governments, nation-states, and criminal organizations swooped in and bought the zero-day vulnerabilities to exploit for both good and bad reasons.
- Bug Bounty Programs – tech companies pivoted towards quality assurance through hacker programs rather than labeling the hackers the enemy
- Argentina is a hacker’s paradise – with limited access to technology infrastructure, you have to hack your way to access
- “We’ll sell [exploits] to whoever brings us the biggest bag of cash” – Nicole Perlroth quoting The Godfather of the hacking scene
- The hacking community doesn’t necessarily view the United States as the poster child for morality, which impacts how they sell their exploits
We Should Talk about Fight Club
- “The one rule is like fight club, nobody talks about fight club. Nobody talks about the zero-day market on both sides…When you’re operating in the dark like that, it’s really easy to put aside your morals.” – Nicole Perlroth
- The hackers and zero-day brokers don’t want to lose their bounty or reputation (The Grugq)
- The governments roll the exploits into classified programs that they want to keep secret
- The current hacking environment promotes malicious action and disincentivizes proactive defense; we need to reestablish motivations among a new cohort of developers
Cyberattack Examples
- Do you pay the bounty requested by hackers or face the consequences?
- A ransomware attack on the City of Baltimore ended up costing them $18 million to restore systems after refusing to pay a $76,000 bounty
- The negative effects of digital threats can’t simply be described as collateral damage; they are intentional as well
- Merck was incapable of producing the Gardasil vaccine after a cyber attack
- Imagine if this happened to one of the Covid-19 vaccine producers; it would be a global cyber-terrorist attack
- Cybersecurity threats can impact xenophobia within companies
- “The Uighurs are China’s test kitchen for surveillance” – Nicole Perlroth
- Uighur ‘watering hole’ attack – visiting an informational website about Uighurs automatically dropped an iOS zero-day exploit onto your phone
Cyberwar & America’s Vulnerability
- “Any geopolitical conflict from now on is guaranteed to have some cyber element to it” – Nicole Perlroth
- Digital threats won’t be used just to gain intellectual property; they will be used for strategic geopolitical leverage
- The Colonial Pipeline, among other breaches of infrastructure, just recently got disclosed as China-backed intrusions (CISA & FBI report)
- The United States infrastructure is very vulnerable to digital threats
- 80% or more of America’s critical infrastructure is owned and operated by the private sector
- There is currently very limited legislation requiring these companies to meet any sort of cybersecurity standards; requiring multi-factor authentication across these systems must be implemented
- ‘Software eats the world’ is a dangerous and “dumb” narrative for critical infrastructure
- Just because we can hook all of our systems up to the internet, doesn’t mean we should
- We are irresponsibly increasing the number of unregulated attack vectors
- “We’ve never shut down a promising new technology because it introduced risk, we just figured out how to manage that risk” – Nicole Perlroth
Edward Snowden
- Is Edward Snowden a hero or a villain: Nicole says neither
- Transparent communication about our privacy is essential; Nicole is grateful that he cracked open these debates
- But, the biased reporting damaged the United States’ reputation as a protector of civil liberties. Even though there are flaws, other countries are much worse; this debate can’t happen in isolation.
Become a Hacker (for good)
- If you have any interest, become a hacker and apply yourself to defense
- There is a large deficit in candidates for defense cybersecurity jobs. Nicole says offense has always been more appealing, but defense is equally important: “it’s always been more fun to be a pirate than be in the coast guard.”
- 3.5 million unfilled cybersecurity positions around the world