I recently finished reading This Is How They Tell Me The World Ends by Nicole Perlroth. I don’t typically read non-fiction. I find that great fiction is often more “real” than most non-fiction in its ability to illuminate truths about ourselves. But, I love non-fiction when it’s (A) well-researched yet concise in analysis, and (B) reveals all the sub-stories that you feel in your gut are happening, but aren’t being captured. This book shines on both fronts.

When I first learned aboutStuxnet, I was astounded at the scale of coordination among multiple countries’ security agencies. I didn’t think this level of cooperation between governments was possible while simultaneously maintaining secrecy. I voraciously tried to consume as much content about the cyberattack as I could, but I always felt like the documented information was too thin for such a coordinated effort involved seven different zero-day exploits. I wanted to read a book that went deeper. This is (in part) that book. 

But Stuxnet is just one stop on a tour of decades of escalation in scope, sophistication, and consequences of cyberattacks. Perlroth does an excellent job of giving the reader the feeling of being an insider, hanging out at the after-parties of BlackHat and DEFCON, overhearing hackers on all sides of this fight speak with each other with as much candor as a diligent reporter can get access to.

The most memorable lesson from the book is the indefensible position US security agencies took for decades regarding their knowledge of security vulnerabilities of popular software. The US naively assumed only they would be savvy enough to exploit little-known zero day vulnerabilities in things like Microsoft Window, Apple’s Safari browser, or Cisco routers, and instead of working with vendors to patch known bugs, they hoarded them for years on end for the purpose of signal intelligence. This led to many years of global tech users being openly vulnerable to security exploits directly due to US security agencies’ inaction, and it was these same exploits that were often used by international governments and ransomware mercenaries to spy on and attack whomever they chose to target, which was often US corporations and US citizen employees of those companies. The US governments attempts at security through obscurity and secrecy (always a terrible idea by contrast to security by design) backfired predictably and terribly. And it continues today.

The climax of the book is the swelling brinksmanship that the US, Russia, Iran, and China have created in infiltrating each others’ digital systems (military, civilian, corporate, and most terrifyingly, power infrastructure systems). Any given one of the hacks described in this book made modest headlines at the time they happened (often in stories broken by Perlroth herself), but the real success of the book is seeing how these hacks are connected and often in an escalating response to each other, and how the actual people soliciting or selling exploits react as they see the consequences of their actions over time. 

If you want a survey of global cyberattacks over the past 2 decades, this is your book. 5/5 stars.