THE NEW YORKER, FEBRUARY 8, 2021 57

In the nineteen-eighties, Jim Gosler, working for the Adversarial Analysis Group at Sandia National Laboratory, pioneered research in detecting vulnerabilities in computer code (in this case, in the code that controlled the nuclear arsenal). As Perlroth argues, Gosler demonstrated that the code was “at once a hacker’s paradise and a national security nightmare.” In 1989, the N.S.A. brought Gosler onboard as a “visiting scientist.” In 1996, he took over the C.I.A.’s Clandestine Information Technology Office. His role seems to have been to explain to people at Fort Meade and, later, at Langley that no computer and no computer program can ever be faultless, an argument with implications for both defensive and offensive operations. Between his two appointments, the Internet opened to commercial traffic, and people throughout the world started uploading and downloading. Perlroth, interviewing Gosler about how dangerous all this is, looks down at her iPhone: “And yet here we were, entrusting our entire digital lives—passwords, texts, love letters, banking records, health records, credit cards, sources, and deepest thoughts—to this mystery box, whose inner circuitry most of us would never vet, run by code written in a language most of us will never fully understand.”

In the dot-com nineties, cybersecurity firms sold antivirus software; penetration-testing companies sold the service of breaking through your firewall, to show you how they got in. (“We Protect People Like You from People Like Us” is the motto of one pen-tester.) They all peddled an amalgam of fear, uncertainty, and doubt that, in the tech world, had come to be abbreviated as FUD. Some of those private companies realized that it wasn’t efficient to maintain a big staff of analysts when they could just pay bounties to hackers all over the world to figure out how to break into a system. Governments and intelligence agencies, too, started offering bounties for bugs, paying hackers, brokers, and, above all, defense contractors. Some of these companies, like the Miami-based “100% offensive” Immunity, Inc., and the Maryland-based Vulnerability Research Labs (which was acquired in 2010 by a giant defense contractor), are staffed with ex-intelligence agents, selling zero-days that are worth millions of dollars. After 9/11, the price for bugs went through the roof. With the launch of Google, and especially of Facebook, the amount of data to be found online mushroomed, and so did the ease of government surveillance. Perlroth writes, “It was often hard to see where the NSA’s efforts ended and Facebook’s platform began.” Only the arrival of the iPhone, in 2007, proved a greater boon to government surveillance.

Cyberattacks made headlines, and then vanished. In 2008, Russia got into a network at the Pentagon; hackers broke into the campaigns of both Barack Obama and John McCain; the next year, North Korea compromised the Web sites of everything from the Treasury Department to the New York Stock Exchange. In 2010, a computer worm called Stuxnet, created by the U.S. and Israel in an operation approved by George W. Bush and continued by Obama, was discovered to have devastated Iran’s nuclear program. Perlroth, who started covering cybersecurity for the Times a year later, is arguing that, if you build a worm like that, it’s eventually going to come back and eat you. When the worm escaped, Joe Biden, then the Vice-President, suspected Israel of hastening the program, and breaking it. “Sonofabitch,” he allegedly said. “It’s got to be the Israelis.” It infected a hundred countries and tens of thousands of machines before it was stopped. “Somebody just used a new weapon, and this weapon will not be put back in the box,” Michael Hayden, a former N.S.A. director, said. That somebody was the United States. It had built a boomerang.

The market for zero-days became a global gold rush. You could buy zero-days from anyone, anywhere; no rules obtained. “When it came to zero-days, governments weren’t regulators,” Perlroth writes. “They were clients.” After Chinese hackers attacked Google in 2010, the company started paying bounty hunters a maximum of $1337 a pop (the numerals spell out “leet,” short for “élite,” on your phone); soon, that got bumped up to $31,337 (“eleet”). Microsoft and other major players offered encryption services, which had the effect of raising the price of zero-day exploits. In 2013, the Times called Perlroth into a windowless closet in the office of Arthur Sulzberger, Jr., the publisher, to pore over the documents leaked by Edward Snowden. She was supposed to study attempts by the world’s top intelligence agencies to crack digital encryption but saw that “the NSA didn’t need to crack those encryption algorithms when it had acquired so many ways to hack around them”—that is, by zero-days. “The agency appeared to have acquired a vast library of invisible backdoors into almost every major app, social media platform, server, router, firewall, antivirus software, iPhone, Android phone, BlackBerry phone, laptop, desktop, and operating system.”

Then there are all the mercenaries. Perlroth reports that, in 2015, a company named Zerodium offered a million dollars for a chain of zero-days that could break into an iPhone remotely; in 2019, Google offered $1.5 million for a way to gain remote access to an Android device. Some of those mercenaries are Americans, who sell zero-days to foreign governments. In 2015, a former N.S.A. hacker, David Evenden, was part of a team that gained access to Michelle Obama’s e-mails on behalf of the United Arab Emirates while he was working for a contractor called CyberPoint: Evenden got in touch with Perlroth to share his story, and to warn other former N.S.A. employees to be careful if they worked for foreign companies.

If it was hard to get people in the know to talk on the record about the zero-day archive, it was harder to get people in power to understand its danger. Perlroth points out that the practice of paying hackers to figure out ways to break into other countries’ power grids, weapons systems, transportation infrastructure, and the like by way of holes in Adobe Reader or Firefox or a fitness app was an extension of pre-digital modes of warfare—the way you’d, say, bomb a bridge or take out a munitions factory—that simply no longer apply. During the Cold War, Perlroth writes, “Americans spied on Russian technology, while Russians backdoored American typewriters.” No more. Instead, people across the world use Microsoft and Google and iPhones. “Increasingly, NSA’s work was riddled with conflicts of interest and moral hazards,” Perlroth argues:

Nobody seemed to be asking what all this breaking and entering and digital exploitation might mean for the NSA’s sponsors—American taxpayers—who now relied on NSA-compromised technology not only for communication