58 THENEWYORKER,FEBRUARY8, 2021
but for banking, commerce, transportation, and
health care. And nobody apparently stopped
to ask whether in their zeal to poke a hole
and implant themselves in the world’s digital
systems, they were rendering America’s criti-
cal infrastructure—hospitals, cities, transpor-
tation, agriculture, manufacturing, oil and gas,
defense; in short, everything that undergirds
our modern lives—vulnerable to foreign attacks.
In 2012, Iranian hackers using a ver-
sion of the Stuxnet worm destroyed the
data of thirty thousand computers used
by a Saudi oil company. That year, Re-
publicans in the Senate filibustered a
law that would have required Ameri-
can companies to meet minimum cy-
bersecurity regulations. Two years later,
North Korean hackers attacked Sony.
(As Perlroth observes, the press cover-
age mainly concerned gossip that was
found in Sony executives’ e-mails, not
North Korea’s ability to hack into Amer-
ican companies.) Russia, in the same
period, was “implanting itself into the
American grid,” hacking into systems
that controlled basic infrastructure, from
pipelines to power switches. By 2015,
Russians were inside the State Depart-
ment, the White House, and the Pen-
tagon. The hackers didn’t turn things
off; they just sat there, waiting. Begin-
ning in 2014, in anticipation of the 2016
election, they fomented civil unrest
through fake Twitter and Facebook ac-
counts, sowing disinformation. They
broke into the computers of the Dem-
ocratic National Committee. As with
the Sony attack, the press mostly re-
ported the gossip found in the e-mails
of people like John Podesta. All the
while, as Perlroth emphasizes, Russian
hackers were also invading election and
voter-registration systems in every state
in the country. Donald Trump’s response,
once he was in office, was to deny that
the Russians had done anything at all,
and to get rid of the White House cy-
bersecurity coördinator.
I
n the spring of 2017, still unknown
hackers calling themselves the Shadow
Brokers infiltrated the N.S.A.’s zero-day
archive, a box of digital picklocks. They
walked into the cyber equivalent of Fort
Knox, and cleaned the place out. But it
was worse than that, because they stole
cyberweapons, the keys to the kingdom.
By the next month, hackers from North
Korea were using some of those pick-
locks to break into the computer systems
of, among other places, British hospitals,
German railways, Russian banks, a French
automaker, Indian airlines, Chinese uni-
versities, the Japanese police, FedEx, and
electrical-utility companies all over the
United States. The attack, which was ac-
companied by ransom demands, came
to be called WannaCry. The cost to tech
companies, Perlroth reports, was in the
tens of billions of dollars.
One month later, Russia tried out its
kill-the-grid attack on Ukraine. It could
have been much worse were it not for
the fact that most of Ukraine’s systems
are not online. “What had saved Ukraine
is precisely what made the United States
the most vulnerable nation on earth,”
Perlroth observes. Every second, Amer-
icans plug into the Internet a hundred
and twenty-seven devices, from refrig-
erators and thermostats to library cata-
logues and bicycles. During the pan-
demic, the infrastructures of testing, care,
and vaccination development and dis-
tribution have all been attacked, in what
amounts to a cyber pandemic. In March,
2020, as the federal government first
began to frame a response to COVID-19,
hackers attacked the Department of
Health and Human Services. That spring,
hackers started attacking hospitals around
the world that were treating coronavirus
patients, shutting down thousands of
computers with ransomware. In Octo-
ber, the Cybersecurity and Infrastructure
Security Agency (CISA), a new division
within the Department of Homeland
Security, tweeted, “There is an imminent
and increased cybercrime threat to U.S.
hospitals and health care providers.” In
November, Microsoft reported that state-
sponsored hackers in Russia and North
Korea had repeatedly attacked at least
seven companies involved in the research
and production of COVID-19 vaccines.
Perlroth reports (and it’s hard to tell
if this is hyperbole) that the N.S.A. has
a hundred analysts working on cyber
offense for every analyst working on
cyber defense. In the fall, CISA dedi-
cated itself to protecting the election.
On Election Day, the agency issued up-
dates every three hours. The goal, as CI-
SA’s head, Chris Krebs, said, was for No-
vember 3rd to be “just another Tuesday
on the Internet.” On November 17th,
after Krebs again publicly declared the
election to have been free and fair—he
tweeted, “59 election security experts all
agree, ‘in every case of which we are
aware, these claims (of fraud) either have
been unsubstantiated or are technically
incoherent’”—Trump fired him. The
feared Election Day attacks never came,
not only because CISA worked well but
also, Perlroth suggests, because they were
no longer necessary. “Our candidate is
chaos,” a Kremlin operative told a re-
porter in 2016. That candidate stalked
the nation in 2016 and again in 2020.
In December, when CISA had no ap-
pointed director or deputy director, it was
reported that, for months, hackers, likely
employed by the Russian government,
had broken into Microsoft Office 365 sys-
tems at the departments of Treasury and
Commerce, partly by way of holes in soft-
ware updates from a company that sup-
plied network-monitoring cybersecurity
software. It has since become clear that
the breach reached into the Centers for
Disease Control, the Departments of Jus-
tice, Labor, Energy, Homeland Security,
and State, and classified research centers
including Los Alamos National Labo-
ratory, in addition to hundreds of private
companies. The scale of the breach, and
its consequences, is not yet clear; so far,
it’s too big to measure. Trump said he
did not believe that Russia could have
been involved; the federal government
has not retaliated, at least publicly. Biden,
in the days before he took office, spoke
of actions that would include, and go be-
yond, sanctions. Meanwhile, the federal
government is effectively insecure. So are
most of the rest of us. While writing this
essay, I got an “important security alert”
from my employer: “Microsoft has in-
formed us of an intrusion into Harvard’s
Office 365 email service.”
The arrogant recklessness of the peo-
ple who have been buying and selling
the vulnerability of the rest of us is not
just part of an intelligence-agency game;
it has been the ethos of Wall Street and
Silicon Valley for decades. Move fast
and break things; the money will trickle
down; click, click, click, click, buy, buy,
buy, like, like, like, like, expose, expose,
expose. Perlroth likes a piece of graffiti
she once saw: “Move slowly and fix your
shit.” Lock down the code, she’s saying.
Bar the door. This raises the question of
the horse’s whereabouts relative to the
barn. If you listen, you can hear the thun-
der of hooves.
