This is how they tell me the world ends

American journalist Nicole Perlroth published in February 2021 a (thick) book entitled "This is how they tell me the world ends" which talks about 0-days, the evolution of state-sponsored cyber-attacks over the last 25 years, and the worrying turn this global cyber-arms race is taking.

In this article, we present a summary of this evolution, as described by Nicole Perlroth (Spoiler Alert!). All the events the author describes are in line with what we have seen (or at least read) over the last 20 years. Moreover, the end of the book (the last 60 pages) scrupulously lists bibliographical references for the main events. On the other hand, we are sometimes a bit sceptical about the causal links that the author sees between these events. The reading of the book gives the impression of a spiral of facts where one fact triggers the other (especially in the last part with the Russian attacks), whereas from our point of view, they are sometimes unrelated events. This spiral naturally leads to the feeling that this escalation will end badly one day. About this bad end, the author explains, that she has been asking several times to the experts she has met along the years: “When do you think things will go wrong?” And she always gets an answer like: “um,... probably in something like 18 months”. And this is from this anecdote that the "They tell me" in the book title comes. The second caveat we see for the book might be the fact it says that the US is undoubtedly the most advanced country in the cyber field, and far ahead of the rest of the world. It is difficult to assert whether this is true, or whether the author is influenced by his American culture. Finally, when reading the book, we often had the same feeling as the one we sometimes experienced when talking with people close to the military or intelligence community (in whatever country) who explained (without revealing any secrets, of course) that things are really worrying in the field of cyber-attacks.

Following are the main stages in the evolution of state-sponsored cyber-attacks, as described in the book.

Since the 1980s, the American secret services have been convinced of the power of software attacks and have been actively working to develop an offensive and defensive capability in this area. They have (probably) trapped every things they can.

Around 1995, the American government decided to contract external companies to find 0-days and develop offensive software, rather than continuing to do this in-house.

The number of companies involved will progressively grow. The first companies were working exclusively for the American government (for example VRL: Vulnerability Research Lab; …). But other companies decided to also work for friendly countries (e.g. the Five Eyes alliance countries). This was the time of companies such as Azimuth, Linchpin Labs, Endgame, Netragard, Exodus Intelligence...

In parallel to this secret market where the American government paid very high prices for 0-days, the public 0-day market appeared in 2002 with the iDefense company (the first company to publicly announce that it buys 0-days). Initially, the prices on this market were ridiculously low compared to the secret market. But this attracedt researchers from all over the world and caused an explosion of the number of players. In 2013, the French company Vupen (which later became Zerodium) was one of the best known players in this 0-day discovery market. And then also appeared the 0-day Brokers (like Zerodium) whose job is to buy (from researchers) and resell (to states) 0-days.

Gradually, the market was no longer exclusively American, and became international. Some American companies do not limit their business to the national market and friendly countries: Immunity offers its offensive training to a worldwide audience; CyberPoint helps the United Arab Emirates to develop its offensive capabilities (by hiring former NSA employees) and to create the DarkMatter UAE company in 2015; etc. Other companies appear all over the world. At the same time, the cyber-surveillance market was emerging. In 2015, there were three major players in this market: Hacking Team (in Italy), NSO Group and its Pegasus software (in Israel) and GammaGroup and its FinFisher software (in UK). This is a "dirty" market because part of it is aimed at totalitarian countries that can use these tools to hunt down opponents, minorities, rights associations ... In fact, from 2010 to 2015, we went from a market of 0-days to a market of offensive tools that use these 0-days. And this raise the question of the need of market regulation rules: should certain offensive cyber tools be classified as weapons of war?

The increase in the number of vendors on the offensive market responds to an increase in the number of buyers. In 2010 Google revealed that China was massively attacking American companies, and the acronym APT emerged. And with the Stuxnet attack in 2010, and the Snowden revelations in 2013, the world discovered the sophistication of US state-sponsored cyber-attacks. Of course, a handful of other States also already have an offensive capability. But it is now clear to all other States that they must develop this capability.

But if all the countries develop there cyber-attack capability, for Nicole Perlroth there is one actor who is more dangerous than the others and who plays a leading role in the escalation of the cyber-attacks: Russia. First, Russia undeniably has cyber power and showed it with its attacks against the power-grid in Ukraine in 2015 (Black Energy / SandWorm attacks) or the attack on the American elections in 2016 (attack against the Democrat Party). On the other hand, Russia is cleverly playing destabilisation. The theft of NSA tools by the ShadowBroker group in 2016 (possibly a Russian action), and then the release of one of the stolen tools (EternalBlue) gave all the attackers in the world an attack capability that the NSA had been using in secret for at least 5 years. EternalBlue was later used in 2017 in the WannaCry (by North Korea) and NotPetya (by Russia, against Ukraine) attacks.

According to Nicole Perlroth, while the US is the world leader in cyber-attacks, it is not alone and its adversaries have made great progress in recent years (in part by stealing US know-how). The attack tools developed by the United States could well backfire, once adversaries have learned from these tools and developed their own capabilities.