Nicole Perlroth: Cybersecurity and the Weapons of Cyberwar

Nicole Perlroth: Cybersecurity and the Weapons of Cyberwar | Lex Fridman Podcast #266

hy2G3PhGm-g • 2022-02-20

Transcript preview

Open

Kind: captions
Language: en
if one site is hacked you can just
unleash all health we have stumbled
into this new era of mutually assured
digital destruction how far are people
willing to go you can capture their
location you can capture
their contacts that record their
telephone calls record their camera
without them knowing about it
basically you can put an invisible ankle
bracelet
on someone without them knowing you
could sell that
to a zero-day broker for two million
dollars
the following is a conversation with
nicole pearl roth cyber security
journalist and author of this is how
they tell me the world ends the cyber
weapons arm race
this is the lex friedman podcast to
support it please check out our sponsors
in the description and now dear friends
here's nicole paul roth
you've interviewed hundreds of cyber
security hackers activists dissidents
computer scientists government officials
forensic investigators
and uh mercenaries so let's talk about
cyber security and
cyber war start with the basics what is
a zero day vulnerability
and then
a zero day exploit or attack
so
at the most basic level let's say i'm a
hacker and i find a bug in your iphone
ios software that no one else knows
about especially apple
that's called a zero day because the
minute it's discovered engineers have
had zero days to fix it
if i
can study that zero day i could
potentially write a program to exploit
it
and that program would be called a zero
day exploit
and for ios the dream
is that you craft a zero day exploit
that can remotely exploit someone else's
iphone without them ever knowing about
it
and you can capture their location you
can capture
their contacts that record their
telephone calls record their camera
without them knowing about it basically
you can put an invisible ankle bracelet
on someone without them knowing and you
can see why that capability that zero
day exploit would have immense value
for a spy agency or a government that
wants to monitor its critics
or dissidents
and so there's a very lucrative market
now for zero day exploits so you said a
few things there one is ios why ios
which operating system which one is the
sexier thing to try to get to or the
most impactful thing
and uh the other thing you mentioned is
remote
versus like having to actually come in
physical contact with it is that the
distinction
so
iphone
exploits have just been a government's
number one
priority
recently actually the price of an
android remote zero day exploit
something that can get you into android
phones
is actually higher the value of that is
now higher on this underground market
for zero day exploits
than an iphone ios exploit so things are
changing so the
there's probably more android devices so
that's why it's better
but then the iphone side
if i so i'm an android person
because i'm a man of the people
but it seems like all the elites use
iphone all the people at nice dinner
parties so
uh is that is that the reason that like
the more powerful people use iphones is
that why i don't think so i actually so
it was about two years ago that the
prices flipped it used to be
that if you could craft a remote
zero click
exploit for ios
then that was about as good as it gets
you could sell that
to a zero day broker
for two million dollars
the caveat is you can never tell anyone
about it because the minute you tell
someone about it apple learns about it
they patch it and that 2.5 million
dollar investment that that zero day
broker just made goes to dust
so a couple years ago
and don't quote me on the prices but
an android zero click
remote exploit for the first time topped
the ios and actually a lot of people's
read on that
was that it might be
a sign that apple security
was falling
and that it might actually be easier
to find
an ios zero-day exploit than find an
android zero-day exploit the other thing
is market share
there are just more people around the
world that use android
and a lot of governments that are paying
top dollar for zero day exploits these
days
are deep pocketed governments in the
gulf
that want to use these exploits to
monitor their own citizens monitor their
critics
and so it's not necessarily that they're
trying to find elites
it's that they want to find out who
these people are that are criticizing
them or perhaps planning the next arab
spring
so in your experience are most of these
attack targeted to cover a large
population or is there
attacks that are targeted towards
specific individuals
so i think it's both
some of the zero day exploits that have
fetched top dollar
that i've heard of in my reporting in
the united states were highly targeted
you know there was a potential terrorist
attack they wanted to get into this
person's phone it had to be done in the
next 24 hours they approached hackers
and say we'll pay you
x millions of dollars if you can do this
but then you look at
when we've discovered ios zero day
exploits in the wild
some of them have been targeting large
populations like uyghurs
so a couple years ago there was a
watering hole attack okay it's a
watering hole attack there's a website
it was actually it had information
aimed at uyghurs
and you could access it all over the
world
and if you visited this website
it would drop an ios zero to exploit
onto your phone
and so anyone that visited this website
that was about uyghurs anywhere i mean
uyghurs
uyghurs living abroad basically the
uyghur diaspora
would have gotten infected with this
zero-day exploit so in that case you
know they were
targeting huge swaths of this one
population or people interested in this
one population basically in real time
who are these attackers
from the individual level to the group
level
psychologically speaking what's their
motivation is it purely money
is it the challenge
are they malevolent is it power
these are big philosophical human
questions i guess
so these are the questions i set out to
answer for my book
i wanted to know
are these people that are just after
money
if they're just after money how do they
sleep at night not knowing whether that
zero day exploit they just sold to a
broker is being used to basically make
someone's life a living hell
and what i found was there's kind of
this long sordid history to this
question
you know it started out
in the 80s and 90s when hackers
were just finding holes and bugs and
software for curiosity's sake really as
a hobby
and some of them would go to the tech
companies like microsoft or sun
microsystems at the time
or oracle
and they'd say hey i just found this
zero day in your software and i can use
it to break into nasa
and the general response at the time
wasn't thank you so much for pointing
out this flaw and our software we'll get
it fixed as soon as possible
it was
don't ever poke around our software ever
again or we'll stick our general counsel
on you
and
that was really sort of the common
thread for years
and so hackers who set out to do the
right thing
were basically told to
shut up and stop doing what you're doing
and what happened next was
they basically started trading this
information online now when you go back
and interview people from those early
days
they all tell a very similar story which
is they're curious they're tinkers you
know they remind me of like the kid down
the block that was constantly poking
around the hood of his dad's car
you know they just couldn't help
themselves they wanted to figure out how
a system is designed
and how they could potentially exploit
it for some other purpose it doesn't
have to be good or bad
but they were basically kind of beat
down for so long
by these big tech companies
that they started just
silently trading them with other hackers
and that's how you got these
really heated debates in the 90s about
disclosure
should you just dump these things online
because any script kitty can pick them
up and use it for all kinds of mischief
but you know don't you want to just
stick a middle finger to all these
companies that are basically threatening
you all the time so there was this
really interesting dynamic at play
and
what i learned in the course of doing my
book was that
government agencies and their
contractors sort of tapped into
that frustration and that resentment
and they started quietly reaching out to
hackers on these forums
and they said hey you know that zero day
you just dropped online could you could
you come up with something custom for me
and i'll pay you six figures for it so
long as you shut up and never tell
anyone that we that i paid you for this
and that's what happened
so throughout the 90s there was a bunch
of boutique contractors that started
reaching out to hackers on these forums
and saying hey i'll pay you six figures
for that bug you were trying to get
microsoft to fix for free
and sort of so began or so catalyzed
this market
where governments and their
intermediaries started reaching out to
these hackers and buying their bugs for
free
and in those early days i think a lot of
it was just for quiet
counterintelligence traditional
espionage but as we started baking
the software
windows software schneider electric
siemens industrial software
into our nuclear plants
and our factories and our power grid and
our petrochemical facilities and our
pipelines
those same zero days came to be just as
valuable for sabotage and war planning
does the fact that the market sprung up
and you cannot make a lot of money
change the nature of the attackers that
came to the table
or grow the number of attackers
i mean what is i guess you told the
psychology of the hackers
uh in the 90s what is the culture today
and where is it heading so i think there
are people who will tell you they would
never sell a zero day to a zero day
broker or a government
one because they don't know how it's
going to get used when they throw it
over the fence you know most of these
get rolled into classified programs and
you don't know how they get used
if you sell it to a zero day broker you
don't even know which nation state might
use it
or potentially which criminal group
might use it if you sell it on the dark
web
the other thing that they say is
that
they want to be able to sleep at night
and they lose a lot of sleep if they
found out their zero day was being used
to you know make a dissidence life
living hell
but there are a lot of people good
people who also say
no this is not my problem
this is the technology company's problem
if they weren't writing new bugs into
their software every day
then there wouldn't be a market you know
then there wouldn't be a problem
but they continue to write bugs into
their software all the time and they
continue to profit off that software so
why shouldn't i
profit off my
labor too
and one of the things that has happened
which is i think a positive development
over the last 10 years
are bug bounty programs
you know companies like google and
facebook and then microsoft and finally
apple which resisted it for a really
long time
i've said okay
we are going to shift our perspective
about hackers we're no longer going to
treat them as the enemy here we're going
to start paying them for what it's
essentially free quality assurance
and we're going to pay them good money
in some cases you know six figures in
some cases we're never going to be able
to bid against a zero-day broker who
sells to government agencies
but we can reward them and hopefully get
that to that bug earlier where we can
neutralize it
so that they don't have to spend another
year developing the zero day exploit and
in that way we can keep our software
more secure but every week i get
messages from some hacker that says
you know i tried to
see this zero day exploit that was just
found in the wild you know being used by
this nation state i tried to tell
microsoft about this
two years ago and they were gonna pay me
peanuts so
it never got fixed you know there are
all sorts of those stories that can
continue on
and
you know i think just generally
hackers are not very good at diplomacy
you know they tend to be pretty snipey
technical
crowd
um and very philosophical in my
experience but you know diplomacy is not
their strong suit
well there almost has to be a broker
between companies and hackers
where you can translate effectively just
like you have a zero-day broker between
governments and hackers yes you have to
speak their language yeah and there have
been some of those companies who've
risen up to meet that demand and
hacker one is one of them bug crowd is
another
synac has an interesting model so that's
a company that
you pay for a private bug bounty program
essentially so you pay this company they
tap hackers
all over the world to come hack your
software hack your system
and then they'll quietly tell you what
they found
and i think that's a really positive
development and actually the department
of defense hired all three of those uh
companies i just mentioned to help
secure their systems now i think they're
still a little timid
in terms of letting those hackers into
the really sensitive
high side classified stuff
but you know baby steps
just to understand what you were saying
you think it's some impossible for
companies to financially compete with
the zero day brokers with governments
so like the defense can't outpay
the um the hackers it's interesting you
know they
they shouldn't out pay them because what
would happen if they started offering
2.5 million dollars at apple
for any you know zero day exploit that
governments would pay that much for
is their own engineers would say why the
hell am i working you know for less than
that
and and doing my nine to five every day
so you would create a perverse incentive
and i didn't i didn't think about that
until i started this research and i
realized okay yeah that makes sense you
don't want to incentivize offense so
much that it's to your own detriment
and so i think what they have though
what the companies have on government
agencies
is
if they pay you you get to talk about it
you know you get the street cred you get
to brag about the fact you just found
that 2.5 million dollar
you know ios zero day that no one else
did
and if you sell it to a broker you never
get to talk about it and i think that
really does eat at people
can i see a big philosophical question
about human nature here
so if you have
in what you've seen
if a human being
has a zero day they've found a zero day
vulnerability
that can um
hack into i don't know what's the worst
thing you can hack into something that
could launch nuclear weapons
which percentage of the people in the
world that have the skill would not
share that with anyone um with any
bad party
i guess how many people
are completely devoid of ethical
concerns in your
in your sense so my my belief is
all the ultra competent people or very
very high percentage of ultra competent
people are also ethical people
that's been my experience but then again
my experience is narrow
what's what's what's your experience
been like so
this was another question i wanted to
answer you know
who are these people who would sell
a zero day exploit that would neutralize
a schneider electric safety lock at a
petrochemical plant basically the last
thing you would need to neutralize
before you trigger some kind of
explosion
who would sell that
um
and
i got my answer
well the answer was different a lot of
people said
i would never even look there because i
don't even want to know i don't even
want to have that capability i don't
like i don't even want to have to make
that decision
about whether i'm going to profit off of
that knowledge
i went down to argentina and
this whole kind of moral calculus i had
in my head was completely flipped around
so
just to back up for a moment so
argentina actually
is a real hacker's paradise
people grew up in argentina and you know
i went down there i guess i was there
around
2015 2016 but
you still couldn't get an iphone
you know you they didn't have amazon
prime you couldn't get access to any of
the apps we all take for granted
to get those things in argentina as a
kid you have to find a way to hack them
you know and it's the whole culture is
really like a hacker culture
they say like it's really like a
macgyver culture you know you have to
figure out how to break into something
with wire and tape
and that
means that there are a lot of really
good hackers in argentina who are who
specialize in developing zero day
exploits
and i went down to this argentina
conference called echo party
and
i asked the organizer okay can you
introduce me to someone who's selling
zero-day exploits to governments
and he was like just throw a stone
[Laughter]
at throw stone anywhere and you're gonna
hit someone
and all over this conference you saw
these guys who were clearly from these
gulf states who only spoke arabic you
know what are they doing
at a young hacking conference in buenos
aires
and so i went out to lunch with kind of
this godfather of the hacking scene
there and i asked this really dumb
question and i'm still embarrassed about
how i phrased it
but i said so you know will these guys
only sell these zero-day exploits to
good western governments
and he said nicole last time i checked
the united states wasn't a good western
government you know the last country
that bombed another country into
oblivion wasn't china or iran it was the
united states so if we're going to go by
your whole moral calculus you know just
know that we have a very different
calculus down here and we'd actually
rather sell
to iran or russia or china maybe than
the united states
and that just blew me away
like wow you know he's like we'll just
sell to whoever brings us the biggest
bag of cash have you checked into our
inflation
situation recently
so you know i had some some of those
like reality checks along the way you
know we tend to think of things as is
this moral you know is this ethical
especially as journalists you know we
kind of sit on our high horse sometimes
and
um write about a lot of things that seem
to push the moral bounds but in this
market which is essentially an
underground market that you know the one
rule is like fight club you know no one
talks about fight club first rule of the
zero day market nobody talks about the
zero-day market on both sides
because the hacker doesn't want to lose
their 2.5 million dollar bounty
and governments roll these into
classified programs and they don't want
anyone to know what they have so no one
talks about this thing and when you're
operating in the dark like that it's
really easy to put aside your morals
sometimes
can i a small tangent ask you by way of
advice you must have done some
incredible interviews
and you've also spoken about how serious
you take protecting your sources
if you were to give me advice for
interviewing when you're recording on
mic
with a video camera
how is it possible to get into this
world
like uh is it basically impossible so
you've you've spoken with a few people
uh what is it like the godfather of uh
cyber war cyber security so people that
are already out
and they still have to be pretty brave
to speak
publicly
um but is it virtually impossible to
really talk to anybody who's a
current hacker you're always like 10 20
years behind
it's a good question and this is why i'm
a print journalist
but you know a lot when i've seen people
do it
it's always the guy who's behind the
shadows whose voice has been altered you
know when they've gotten someone on
camera that's usually how they do it
you know very very few people talk in
the space and there's actually
a pretty well-known case study and why
you don't talk publicly in the space and
you don't get photographed and that's
the gruck
so you know the gruck is or was this
zero day broker south african guy lives
in thailand
and
right when i was starting on this
subject at the new york times he'd given
an interview to forbes
and he talked about being a zero day
broker and he even posed next to this
giant
duffle bag filled with cash ostensibly
and later he would say he was speaking
off the record he didn't understand the
rules of the game
but what i heard from people who did
business with him was that the minute
that that story came out he became png'd
no one did business with him you know
his business plummeted by at least half
no one wants to do business with anyone
who's gonna get on camera and talk about
how they're selling zero days to
governments you know it's
it puts you at danger and i did hear
that he got some visits from some
security folks and you know it's another
thing for these people to consider you
know if they have
those zero-day exploits at their
disposal
they become a huge target for
nation-states all over the world you
know talk about having perfect opsec you
know you better have some perfect opsec
if people know that you have access to
those zero-day exploits
which sucks because um
i mean transparency here
would um be really powerful for
educating the world and also inspiring
other engineers to do good
it just feels like when you operate in
the shadows um
it doesn't help us move in the positive
direction in terms of like getting more
people on the defense side versus on the
attack side right but of course what can
you do i mean the best you can possibly
do is have great journalists
uh
just like you did interview and write
books about it and integrate the
information you get while hiring the
sources yeah and i think you know what
hacker one has told me was
okay let's just put away the people that
are
finding and developing zero day exploits
all day long let's put that aside
what about the you know however many
millions of programmers all over the
world who've never even heard of a zero
to exploit why not tap into them
and say hey we'll start paying you if
you can find a bug in
united airlines software or in schneider
electric or in ford or tesla
and i think that is a really smart
approach let's go find this untapped
army of programmers to neutralize these
bugs before the people who will continue
to sell these to governments can find
them and exploit them okay i have to ask
you about this uh from a personal side
of
it's funny enough after we agreed to to
talk
i've gotten for the first time in my
life was a victim of a cyber attack
um
so this is ransomware it's called
deadbolt people can look it up i have a
qnap device for
basically
kind of coldish storage so it's about 60
terabytes with 50 terabytes of data on
it
in raid 5 and apparently about four to
five thousand qnap devices
were
hacked and taken over with this
ransomware and what what ransomware does
there is
it goes file by file almost all the
files on the qnap storage device and
encrypts them and then there's this
very eloquently and politely written
page that pops up
you know it describes what happened all
your files have been encrypted this
includes but is not limited to photos
documents and spreadsheets
why me
this is uh a lot of people commented
about how friendly and eloquent this is
and i have to commend them it is and
it's pretty user friendly
uh why me this is not a personal attack
you have been targeted because of the
inadequate security provided by your
vendor
qnap
what now
you can make a payment of exactly 0.03
bitcoin which is about a thousand
dollars to the following address
once the payment has been made we'll
follow up with transaction to the same
address blah blah blah they give you
instructions of uh what happens next and
they'll give you a decryption key that
you can then use
and then there's another message for
qnap that says
all your affected customers have been
targeted using a zero-day vulnerability
in your product we offer you two options
to mitigate this and future damage one
make a bitcoin payment of five bitcoin
to the following address and that will
reveal to qnap the uh i'm summarizing
things here
what what the actual vulnerability is or
you can make a bitcoin payment of
50 bitcoin to get a master decryption
key for your customers 50 bitcoins about
1.8 million dollars
okay
so first of all on a personal level
this one hurt for me
um
there's
i mean i learned a lot because i wasn't
for the most part
backing up
much of that data because i thought
i can afford to lose that data
it's not like horrible i mean i think
you've spoken about
uh the crown jewels like making sure
there's things you really protect and i
have thing i have
you know i'm very conscious security
wise on the crown jewels
but there's a bunch of stuff like
you know personal videos they're not
like i don't know anything creepy but
just like fun things i did that because
they're very large or 4k or something
like that i kept them on there thinking
raid 5 will protect it
you know just i lost a bunch of stuff
including raw
um footage from interviews and all that
kind of stuff
so it's painful and i'm sure there's a
lot of painful stuff like that for the
four to five thousand people that use
qnap
and there's a lot of interesting ethical
questions here do you pay them
does qnap pay them
do the individuals pay them
especially when you don't know if it's
going to work or not
do you wait so qnap
said that please don't pay them
we're working very hard day and night to
solve this mm-hmm
it's so philosophically interesting to
me because i also project onto them
thinking what is their motivation
because the way they phrased it on
purpose perhaps but i'm not sure if that
actually reflects their real motivation
is
um maybe they're trying to help
themselves sleep at night basically
saying this is not about you this is
about the company with the
vulnerabilities just like you mentioned
this is the justification they have
but they're hurting real people
they hurt me but i'm sure there's a few
others that are really hurt
and the zero day factor is a big one you
know that their qnap right now is trying
to figure out what the hell is wrong
with their system that would let this in
and
even if they pay
if they still don't know where the zero
day is what's to say that they won't
just hit them again and hit you again
so that really complicates thing and
things and that is a huge advancement
for ransomware it's really only been i
think in the last 18 months that we've
ever really seen ransomware exploit zero
days
to pull these off usually 80 of them
i think the data shows 80 of them come
down to a lack of two-factor
authentication
you know so when someone gets hit by it
by a ransomware attack they don't have
two-factor authentication on you know
their employees were using stupid
passwords like you can mitigate that in
the future this one they don't know they
probably don't know yeah and it was uh i
guess it's zero click because i didn't
have to do anything
the only thing i i'm
well you know here's the thing
i did you know basics of you know i put
it behind a firewall
i follow the instructions
but like i wasn't i didn't really pay
attention so maybe there's like maybe
there's a misconfiguration of some sort
that's easy to make
it's it's difficult when you have a
personal
nas on i so i don't i i'm not willing to
sort of uh say that i did everything i
possibly could um but i did
a lot of reasonable stuff and they still
hit it with zero clicks i didn't have to
do anything yeah well it's like a zero
day and it's a supply chain attack
you know you're getting hit from your
supplier you're you're getting hit
because of your vendor and it's also a
new thing for ransomware groups to go to
the individuals to pressure them to pay
there was this really interesting case
i think it was in norway
where there was a mental health clinic
that got hit
and the cyber criminals were going to
the patients themselves to say pay this
or we're going to release
your psychiatric records i mean talk
about hell
um in terms of whether to pay you know
that is on the cheaper end of the
spectrum from the individual from the
company both you know we've seen
uh for instance there was an apple
supplier in taiwan
they got hit and the ransom demand was
50 million
you know i'm surprised it's only 1.8
million i'm sure it's gonna go up
um and it's hard you know there's
obviously governments and maybe in this
case the company are going to tell you
we recommend you don't pay or please
don't pay
but the reality on the ground is that
some businesses can't operate
some countries can't function i mean
the under-reported
storyline of colonial pipeline
was
after the
company got hit and took the pre-emptive
step of shutting down the pipeline
because they their billing systems were
frozen they couldn't charge customers
downstream
my colleague david sanger and i got our
hands on a classified assessment
that said that as a country
we could have only afforded two to three
more days of colonial pipeline being
down
and it was really interesting i thought
it was the gas and the jet fuel but it
wasn't you know we were sort of prepared
for that it was the diesel
without the diesel the refineries
couldn't function and it would have
totally screwed up the economy and so
there was almost this
like national security
economic
impetus for them to pay this ransom
and the other one i always think about
is baltimore you know when the city of
baltimore got hit i think the initial
ransom demand was something around 76
000 it may have even started smaller
than that
and baltimore stood its ground and
didn't pay but ultimately the cost to
remediate was 18 million dollars it's a
lot for the city of baltimore that's
money that could have gone to public
school education and roads and
you know public health and instead it
just went to rebuilding these systems
from scratch and so a lot of residents
in baltimore were like why the hell
didn't you pay the 76 000
so it's not obvious you know it's easy
to say don't pay because why you're
funding their rnd for the next go round
um
but
it's too often it's too complicated so
on the individual level just like you
know the way i feel personally from this
attack have you talked to people that
were kind of victims in the same way i
was but maybe more dramatic ways or so
on
you know the same way that violence
hurts people
yeah how much does this hurt people in
your sense in the way you researched it
the worst
ransomware attack
i've covered on a personal level
was an attack on a hospital in vermont
and you know you think of this as like
okay it's hitting their i.t networks
they should still be able to treat
patients
but it turns out that
cancer patients couldn't get their chemo
anymore because the protocol of who gets
what is very complicated and without it
the nurses and doctors couldn't access
it so they were turning
chemo
patients away cancer patients away
one nurse told us
i don't know why people aren't screaming
about this the only thing i've seen that
even compares to what we're seeing at
this hospital right now
was when i worked in the burn unit
after the boston marathon bombing you
know they really put it in these super
dramatic terms and
last year there was a report in the wall
street journal where they attributed an
infant death
to a ransomware attack because
a mom came in
and whatever device they were using to
monitor the fetus
wasn't working because of the ransomware
attack and so they attributed this
infant death um to the ransomware attack
now on a bigger
scale but less personal
when there was the not pecha attack so
this was an attack
by russia on ukraine
um that came at them through a supplier
attacks
uh software company in that case
that didn't just hit any um
government agency or business in ukraine
that used this tax software it actually
hit any business all over the world that
had even a single employee
working remotely in ukraine
so it hit maersk the shipping company
but hit pfizer hit fedex but the one i
will never forget is merck
it
paralyzed merck's factories i mean it
really created an existential crisis for
the company
merck had to tap into the cdc's
emergency supplies of the gardasil
vaccine
that year because their whole vaccine
production line had been paralyzed in
that attack
imagine
if that was going to happen right now to
pfizer or madarina or johnson and
johnson you know imagine
i mean that would really create
a global
cyber terrorist attack essentially and
that's almost unintentional i thought
for a long time i always labeled it as
collateral damage
but actually just today there was a
really impressive threat researcher
at cisco
which has this threat intelligence
division called talos who said stop
calling it
collateral damage
they could see
who was going to get hit
before they deployed
that malware
it wasn't collateral damage it was
intentional they meant to hit any
business that did business with ukraine
it was it was to send a message to them
too
so i don't know if that's accurate
i i always thought of it as sort of the
sloppy collateral damage but it
definitely made me think
so how much of this between states is
going to be a part of
war
this kind of these kinds of attacks on
ukraine
between russia and u.s russia and china
china and us
let's look at china and u.s
do you think
china and u.s
are going to
escalate
something that would be called the war
purely in the space of cyber
i believe
any
geopolitical conflict
from now on
is guaranteed to have some cyber element
to it
the department of justice recently
declassified a report that said china's
been hacking into our pipelines and it's
not for intellectual property theft
it's to get a foothold
so that if things escalate in taiwan for
example
they are where they need to be to shut
our pipelines down and we just got a
little glimpse of what that looked like
with colonial pipeline
and the panic buying and the jet fuel
shortages and that assessment i just
mentioned about the diesel
so
they're there you know they've got in
there
anytime i read a report about new
aggression from fighter jets chinese
fighter jets in taiwan
or what's happening right now with
russia's buildup on the ukraine border
or india pakistan
i'm always looking at it through a cyber
lens and it really bothers me that other
people aren't
because there is no way
that these governments in these nation
states are not going to use their access
to gain some advantage
in those conflicts
and
you know i'm now in a position where i'm
an advisor to the cyber security
uh infrastructure security agency at the
dhs so
i'm not saying anything classified here
but i just think that
it's really important to understand just
generally
what the collateral damage could be for
american businesses and critical
infrastructure in any of these escalated
conflicts around the world
because just generally
our adversaries have learned
that
they might never be able to match us in
terms of our traditional military
spending on traditional weapons and
fighter jets
but we have a very soft underbelly when
it comes to cyber
80 percent or more of america's critical
infrastructure so
pipelines power grid nuclear plants
water systems
is owned and operated by the private
sector
and for the most part there is nothing
out there
legislating that those companies
share the fact they've been breached
they don't even have to tell the
government they've been hit
there's nothing mandating that they even
meet a bare minimum standard of cyber
security
and that's it
so
even when there are these attacks most
of the time we don't even know about it
so that is you know if you were going to
design a system to be as
blind and vulnerable as possible that's
that is pretty pretty good
that's what it looks like is what we
have here in the united states
and
everyone here is just operating like
let's just keep hooking up everything
for convenience you know software eats
the world
um let's just keep going for cost for
convenience sake just because we can
and when you study these issues and you
study these attacks and you study
the advancement and the the uptick in
frequency and the the lower barrier to
entry that we see every single year
you realize just how dumb
software eats world is
and no one has ever stopped to pause and
think
should we be hooking up these systems to
the internet
they've just been saying can we let's do
it
and that's a real problem and this and
just in the last year you know we've
seen a record number of zero-day attacks
i think there were 80 last year
which is probably more than double what
it was in 2019.
[Music]
a lot of those were nation states
you know we live in a world with a lot
of geopolitical hot points right now
and
where those geopolitical hot points are
are places where
countries have been investing heavily in
offensive cyber tools
if you're a nation state
the goal would be to maximize the
footprint of zero day like super secret
zero day that nobody's aware of
and whenever
war is initiated the huge negative
effects of shutting down infrastructure
or any kind of zero day is the chaos it
creates
so if you just there's a certain
threshold when you create the chaos
the the markets plummet just everything
goes it goes to hell
so it's not just zero days you know we
make it so easy
for for threat actors i mean
we're not using two-factor
authentication we're not patching
um there was the shell shock
vulnerability that was discovered
a couple years ago it's still being
exploited no because so many people
haven't fixed it
um
so you know the zero days are really the
sexy stuff and what really got drew me
to the zero day market was the moral
calculus we talked about
particularly from you know the u.s
government's point of view how do they
justify
leaving these systems so vulnerable
when we use them here and we're baking
more of our critical infrastructure with
this vulnerable software you know it's
not like we're using one set of
technology and russia's using another
and china's using this we're all using
the same technology
so when you find a zero day in windows
you know you're not just leaving it open
so you can spy on russia or implant
yourself in the russian grid you're
leaving americans vulnerable too
but
you know but zero days are like that is
the secret sauce you know that's the
that's the super power you know and i
and i always say like every country now
with the exception of antarctica someone
added the vatican to my list
is trying to find
uh offensive hacking tools and zero days
to make them work and
those that don't have the skills now
have this market that they can tap into
where you know 2.5 million dollars
that's chump change for a lot of these
nation states it's a hell of a lot less
than trying to build the next fighter
jet
um but yeah the goal is chaos i mean why
did russia turn off the lights twice in
ukraine
you know i think
part of it is chaos i think part of it
is to to sow the seeds of doubt in their
current government
your government can't even keep your
lights on why are you sticking with them
you know come over here and we'll keep
your lights on at least you know there's
like a little bit of that
nuclear weapons seems to have helped
prevent nuclear war
is it possible that we have so many
vulnerabilities and so many attack
vectors on each other
that it will
kind of uh achieve the same kind of
equilibrium like mutually shared
destruction
yeah
that's one hopeful solution to this do
you have any hope for this particular
solution
you know nuclear analogies always tend
to fall apart when it comes to cyber
mainly because
you don't need fissile material you know
you just need a laptop and the skills
and you're in the game so it's a really
low barrier to entry
the other thing is attribution's harder
and we've seen countries muck around
with attribution
we've seen you know nation states
piggyback on other countries spy
operations and just sit there and siphon
out whatever they're getting
we learned some of that from the snowden
documents we've seen russia hack into
iran's command and control attack
servers
we've seen them hit
a saudi petrochemical plant where they
did neutralize the safety locks at the
plan and everyone assumed that it was
iran given iran had been targeting saudi
oil companies forever but nope it turned
out that it was a graduate research
institute outside moscow so you see
countries kind of playing around with
attribution why
i think because they think okay if i do
this like how am i going to cover up
that it came for me because i don't want
to risk the response
so people are sort of dancing around
this it's just in a very different way
and
you know at the times i'd covered the
chinese hacks of
infrastructure companies like pipelines
i'd covered the russian probes of
nuclear plants i'd covered covered the
russian attacks on on the ukraine grid
and then in
2018 my colleague david sanger and i
covered the fact that u.s cyber command
had been hacking into the russian grid
and making a pretty loud show of it
and when we went to the national
security council because that's what
journalists do before they publish a
story they give the other side a chance
to respond
i assumed we would be in for that really
awkward painful conversation
where they would say you will have blood
on your hands if you publish this story
and instead they gave us the opposite
answer they said we have no problem
with you publishing this story
why well they didn't say it out loud but
it was pretty obvious they wanted russia
to know that we're hacking into their
power grid too and they better think
twice before they do to us what they've
done to ukraine so yeah you know we have
stumbled
into this new era of mutually assured
digital destruction
um i think another sort of
quasi norm we've we've stumbled into is
proportional responses you know there's
this idea that if you get hit you're
allowed to respond proportionally
at a time and place of your choosing you
know that is how the language always
goes that's what obama
said after north korea hit sony we will
respond at a time and place of our
choosing um but no one really knows
like what that response looks like and
so what you see a lot of the time are
just these like
just short of war
attacks you know russia turned off the
power in ukraine but it wasn't like it
stayed off for a week
you know it stayed off for a number of
hours
um you know not pecha
hit those companies pretty hard
um but no one died you know and the
question is what's going to happen when
someone dies
and
can a nation state masquerade as a cyber
criminal group as a ransomware group
and that's what really complicates
coming to some sort of digital geneva
convention
like there's been there's been a push
from brad smith at microsoft we need a
digital geneva convention
and on its face it sounds like a
no-brainer yeah why wouldn't we all
agree to stop hacking into each other's
civilian hospital systems elections
power grid
uh pipelines
but when you talk to
people in the west officials in the west
they'll say we would never
we'd love to agree to it but we'd never
do it when you're dealing with she or
putin or kim jong-un
because a lot of times
they outsource these operations to cyber
criminals
in china we see a lot of these attacks
come from this loose satellite network
of private citizens that work at the
behest of the ministry of state security
so how do you come to some sort of state
to state agreement
when you're dealing with
transnational actors and cyber criminals
where it's really hard to pin down
whether that person was acting alone or
whether they were acting at the behest
of the mss or the fsb
and you know a couple years ago i
remember
i can't remember if it was before or
after not pecha but putin said
hackers are like artists who wake up in
the morning in a good mood and start
painting in other words i have no say
over what they do or don't do so how do
you how do you come to some kind of norm
when that's that's how he's talking
about these issues and he's just
decimated merck
and you know pfizer and another you know
however many thousand companies that is
the fundamental difference between
nuclear weapons and and cyber attacks is
the attribution or one of the
fundamental differences if you can fix
one thing in the world in terms of cyber
security
that would make the world a better place
what would you fix
so you're not allowed to fix like
authoritarian regimes and you can't
right
you have to you have to keep that you
have to keep human nature as it is
in terms of on the security side
technologically speaking
you mentioned there's no regulation on
companies
united states
um what if you could just
uh fix with the snap of a finger what
would you fix two-factor authentication
multi-factor authentication
it's
it's ridiculous
how many of these attacks come in
because someone didn't turn on
multi-factor authentication i mean
colonial pipeline okay
they took down
the biggest conduit for gas jet fuel and
diesel to the east coast of the united
states of america how
because they forgot to deactivate an old
employee account whose password had been
traded on the dark web and they'd never
turned on two-factor authentication
this water treatment facility outside
florida was hacked last year
how did it happen
they were using windows xp from like a
decade ago that can't even get patches
if you wanted to and they didn't have
two-factor authentication time and time
again if they just switched on
two-factor authentication some of these
attacks wouldn't have been possible now
if i could snap my fingers that's the
thing i would do right now but of course
you know this is a cat and mouse game
and then the attackers on to the next
thing but i think right now
that is like
bar none that is just that is the
easiest simplest way to deflect the most
attacks and
you know the name of the game right now
isn't perfect security perfect security
is impossible
they will always find a way in the name
of the game right now is make yourself a
little bit harder to attack than your
competitor than anyone else out there so
that they just
give up and move along and you know
maybe if you are a target for an
advanced nation state or the svr
you know you're going to get hacked no
matter what
but you can make cyber criminal groups
deadbolt is it you can make their jobs a
lot harder
um simply by doing the bare basics and
the other thing is stop reusing your
passwords but if i only get one then
two-factor authentication so what is
two-factor authentication factor one is
what logging in with a password and
factor two is like have another device
or another channel through which you can
confirm yeah that's me yes you know
usually this happens through some kind
of text you know you get your one-time
code from bank of america or from google
and the better way to do it is spend
twenty dollars buying yourself a fido
key
on amazon that's a hardware device
and if you don't have that hardware
device with you
then you're not going to get in
and the whole goal is i mean basically
you know my first half of my decade at
the times was spent covering like the
cop beat it was like home depot got
breached news at 11 you know target
neiman marcus like who wasn't hacked
over the course of those five years and
a lot of those companies that got hacked
what did hackers take they took the
credentials they took the passwords they
can make a pretty penny selling them on
the dark web and people reuse their
passwords so you get one from you know
god knows who i don't know lastpass
the worst case example actually lastpass
but you get one and then you go test it
on their email account and you go test
it on their brokerage account and you
test it on their cold storage account
yeah you know that's how it works but if
you have multi-factor authentication
then they can't get in because they
might have your password but they don't
have your phone they don't have your
fido key
you know and and so you keep them out
and you know i get a lot of alerts
that tell me someone is trying to get
into your instagram account or your
twitter account or your email account
and i don't worry because i use
multi-factor authentication they can try
all day
um okay i worry a little bit but you
know there it's
it's the simplest thing to do and we
don't even do it well there's an
interface aspect to it because it's
pretty annoying if it's implemented
poorly yeah so uh so actually bad
implementation of two-factor
authentication
not just bad but just
something that adds friction is a
security vulnerability i guess because
it's really annoying like uh i think mit
for a while had
two-factor authentication it was really
annoying i just like though the time the
number of times it pings you
like uh
it re it asks to re-authenticate across
multiple sub-domains like it just feels
like a pain
i don't know what the right balance
there yeah it feels like friction
in our frictionless society it feels
like friction it's annoying that's
security's biggest problem it's annoying
you know we need the steve jobs of
security to come along and we need to
make it painless
and actually you know on that point
apple
has probably done more for security than
anyone else simply by introducing
biometric authentication first with the
fingerprint and then with face id it's
not perfect
but you know if you think just eight
years ago everyone was running around
with either no passcode an optional
passcode or four-digit passcode on their
phone that anyone you know think of what
you can get when you get someone's
iphone if you steal someone's iphone and
you know props to them for introducing
the fingerprint and face id and again it
wasn't perfect but it was a huge step
forward now it's time to make another
huge step forward um i want to see the
password die i mean
it's gotten us as far as it was ever
going to get us and i hope whatever we
come up with next is not going to be
annoying is going to be seamless when i
was at google that's what we worked on
is
and there's a lot of ways to call this
active authentication or passive
authentication so basically use
biometric data
not just like a fingerprint but
everything from your body to identify
who you are like movement patterns
so basically create a lot of layers of
protection where
it's very difficult to fake including um
like face unlock
checking that it's your actual face like
the liven

Resume

# Mengungkap Pasar Gelap Cyber: Kerentanan Zero-Day, Perang Digital, dan Masa Depan Keamanan Kita

### Inti Sari (Executive Summary)
Video ini membahas wawancara mendalam dengan Nicole Perlroth, jurnalis keamanan siber dan penulis buku *This Is How They Tell Me The World Ends*. Diskusi mengupas tuntas pasar gelap *zero-day*—kerentanan perangkat lunak yang tidak diketahui vendor—yang telah berubah dari hobi peretas menjadi senjata mematikan dalam perang negara. Pembahasan mencakup evolusi *ransomware*, dampak nyata serangan siber terhadap infrastruktur kritis dan individu, serta dilema etis dalam dunia intelijen digital dan keamanan masa depan.

### Poin-Poin Kunci (Key Takeaways)
*   **Zero-Day & Eksploitasi:** *Zero-day* adalah bug pada perangkat lunak yang tidak diketahui pembuatnya (seperti Apple atau Google), yang dijual dengan harga sangat mahal (hingga jutaan dolar) kepada pemerintah atau broker untuk memata-matai atau merusak sistem target tanpa terdeteksi.
*   **Dampak Ransomware:** Serangan *ransomware* tidak lagi sekadar meminta tebusan uang, tetapi telah mengancam nyawa (pasien rumah sakit) dan stabilitas ekonomi nasional (pipa minyak, jaringan listrik).
*   **Perang Geopolitik:** Negara-negara besar (AS, China, Rusia) secara aktif menggunakan *zero-day* untuk spionase dan sabotase, menciptakan kondisi "penghancuran digital timbal balik" (*mutually assured digital destruction*).
*   **Pertahanan Dasar:** Meskipun ancamannya canggih, banyak serangan dapat dicegah dengan langkah sederhana seperti penggunaan otentikasi dua faktor (2FA) dan tidak menggunakan ulang kata sandi.
*   **Etika & Keaslian:** Di era digital di mana privasi semakin tipis, disarankan untuk bersikap otentik dan "aneh" secara terbuka guna mengurangi risiko pemerasan, serta generasi muda didorong untuk fokus pada pertahanan siber.

---

### Rincian Materi (Detailed Breakdown)

#### 1. Definisi dan Pasar Gelap Zero-Day
*   **Apa itu Zero-Day?** Ini adalah kerentanan pada perangkat lunak (misalnya iOS atau Android) yang belum diketahui oleh vendor, sehingga belum ada perbaikan (*patch*). *Zero-day exploit* adalah program yang ditulis untuk memanfaatkan bug tersebut.
*   **Kemampuan Eksploitasi:** Serangan ini memungkinkan peretas mengakses lokasi, kontak, rekaman telepon, dan kamera korban secara jarak jauh tanpa sepengetahuan pengguna, ibarat "gelang kaki tak terlihat".
*   **Nilai Pasar:** Harga eksploitasi iOS pernah menjadi yang tertinggi (sekitar $2 juta), namun kini eksploitasi Android melampaui iOS karena jumlah pengguna yang lebih besar dan permintaan dari negara-negara Teluk untuk memantau warganya.
*   **Sejarah Pasar:** Awalnya peretas mencari bug karena rasa ingin tahu, tetapi reaksi permusuhan dari vendor (ancaman hukum) membuat mereka menjual informasi tersebut. Pemerintah kemudian masuk ke pasar ini dengan menawarkan bayaran besar dan kerahasiaan.

#### 2. Evolusi Motivasi dan Etika Peretas
*   **Dari Spionase ke Sabotase:** Penggunaan *zero-day* berkembang dari mata-mata digital tradisional menjadi sabotase infrastruktur fisik seperti pembangkit listrik dan pabrik petrokimia.
*   **Dilema Etis:** Sebagian peretas menolak menjual ke broker karena tidak tahu bagaimana senjata mereka akan digunakan (misalnya terhadap pembangkang). Namun, yang lain berargumen bahwa perusahaan teknologi bertanggung jawab atas bug mereka, dan peretas berhak mendapat keuntungan dari kerja keras mereka.
*   **Faktor Ekonomi vs Moral:** Di negara seperti Argentina, tekanan ekonomi membuat peretas menjual kepada siapa pun yang membayar paling tinggi, tanpa memandang apakah pembelinya adalah "negara baik" (AS) atau "negara jahat" (Iran, Rusia).
*   **Program Bug Bounty:** Perusahaan besar seperti Google dan Microsoft kini membayar peretas yang menemukan bug (*Bug Bounty*), meskipun bayarannya seringkali kalah dari bayaran broker pemerintah.

#### 3. Ancaman Ransomware dan Dampak Nyata
*   **Pengalaman Pribadi:** Nicole Perlroth menjadi korban *ransomware* "Deadbolt" yang mengenkripsi data penyimpanannya sebesar 50TB. Peretas meminta tebusan dalam Bitcoin, baik dari individu maupun produsen perangkat (QNAP).
*   **Dampak Ekonomi & Sosial:**
    *   **Colonial Pipeline:** Perusahaan ini mematikan pipa minyak secara preventif karena sistem tagihan dibekukan, menyebabkan kepanikan nasional di AS terkait pasokan bahan bakar.
    *   **Kota Baltimore:** Menolak membayar tebusan kecil ($76 ribu) berujung pada kerugian $18 juta untuk perbaikan.
    *   **Rumah Sakit:** Serangan di Vermont memaksa pasien kanker ditolak, dan ada laporan kematian bayi karena perangkat pemantau janin gagal akibat serangan.
*   **NotPetya:** Serangan siber Rusia yang ditujukan ke Ukraina namun menyebar secara global, merusak perusahaan seperti Maersk dan Merck. Ini menunjukkan bahwa serangan siber memiliki dampak *collateral* yang luas.

#### 4. Perang Geopolitik dan Masalah Atribusi
*   **Rekor Serangan:** Tahun lalu tercatat 80 serangan *zero-day*, dua kali lipat dari tahun 2019, sebagian besar didorong oleh ketegangan geopolitik.
*   **Perbandingan dengan Nuklir:** Berbeda dengan senjata nuklir, barrier untuk masuk ke perang siber sangat rendah (hanya butuh laptop dan keterampilan) dan atribusi sangat sulit karena negara sering menyamarkan serangan mereka seolah-olah dilakukan oleh peretas lain.
*   **Strategi Negara:** China diketahui meretas pipa minyak AS bukan untuk mencuri kekayaan intelektual, tetapi untuk mendapatkan pijakan (*foothold*) jika terjadi konflik (misalnya terkait Taiwan).
*   **Deterrence:** AS mulai meretas grid listrik Rusia sebagai bentuk penghalangan (*deterrence*), menciptakan norma baru "respons proporsional".

#### 5. Pertahanan, Privasi, dan Masalah Kepercayaan
*   **Pentingnya 2FA:** Otentikasi dua faktor (2FA) adalah cara paling efektif untuk menangkis sebagian besar serangan kriminal siber, meskipun negara bangsa tingkat lanjut mungkin masih bisa menembusnya.

## Kesimpulan & Pesan Penutup
Wawancara ini mengungkap betapa kompleks dan berbahayanya pasar gelap *zero-day* yang kini telah menjadi senjata utama dalam perang digital antar negara. Ancaman siber tidak lagi sekadar masalah teknis, melainkan isu yang dapat mengganggu stabilitas ekonomi global dan membahayakan nyawa manusia. Oleh karena itu, sangat penting bagi kita untuk meningkatkan kewaspadaan pribadi melalui langkah-langkah pertahanan dasar seperti penggunaan 2FA. Keamanan siber adalah tanggung jawab bersama yang harus terus diperjuangkan demi melindungi masa depan digital kita.

Read

file updated 2026-02-14 15:52:53 UTC