- The US has long emphasized cyber offense over defense,
Nicole Perlroth argues in a new book. - But now the weapons it developed are being used against it, the
The New York Times reporter said. - Perlroth told Insider the US needs to shore up its biggest vulnerability: critical infrastructure.
In March 2017, WikiLeaks published a trove of leaked CIA hacking tools. The agency's internal report, obtained last year by The Washington Post, eventually blamed the CIA's hackers for spending too much effort "building cyber weapons at the expense of securing their own systems."
A month after the CIA tools leaked, a group called the Shadow Brokers dumped its fifth batch of hacking tools that it had stolen from the NSA's elite "Tailored Access Operations" group. Those tools were then used by foreign actors to carry out extensive cyberattacks, including the infamous WannaCry attacks, whose targets included American companies and government agencies.
More recently, the Solarwinds hack and an attempt by hackers to poison a Florida town's water supply exposed just how vulnerable America is to cyberattacks on its home turf.
For decades, the US has had the most sophisticated arsenal of
In "This Is How They Tell Me the World Ends: The Cyberweapons Arms Race," Perlroth, who has covered cybersecurity for more than a decade, says other countries' cyber capabilities have caught up to the US in recent years. At the same time, she argues, America's critical infrastructure - because so much of it is owned by private companies and connected to the internet - has become a huge target for its adversaries.
"More nation-states and cybercriminals target the United States with cyberattacks than almost any other nation, and we're the most vulnerable because we're the most wired," Perlroth said in an interview with Insider.
That wasn't always the case, Perlroth said, adding that the US is largely to blame for the flood of attacks.
In 2010, the US and Israel used a computer worm known as Stuxnet to sabotage a substantial portion of Iran's nuclear enrichment program, in what is widely considered the first cyber "use of force" that dealt damage in the physical world. Eventually, the code that powered the attack leaked online and hackers around the world - including in Iran - were able to reverse engineer it and re-deploy it for their own purposes.
According to Perlroth, that ignited a cyber arms race that hasn't stopped.
"Since then, almost every government on earth with maybe the exception of Antarctica has pursued these programs," Perlroth said. "And any government official will readily admit that the target of that attack - that Iran - caught up in terms of its capabilities for cyberattacks in a much shorter timeframe than we gave it credit for."
Countries like Iran, Russia, China, and North Korea have poured massive amounts of resources into their cyber capabilities and have successfully hit American targets using tools originally built by the US and its allies as well as tools developed in-house. And because it's so difficult to definitively attribute a cyberattack to a specific country, Perlroth said, the threat of the US retaliating with a strong offensive attack isn't as strong of a deterrent as it is with conventional weapons.
"We don't need to back off on offense," she said. "But the thing is, if we're going to pursue an offensive strategy, if we're going to just keep hacking into our adversaries…then we need to make sure that our own grid and our own critical infrastructure isn't vulnerable. And right now we're incredibly vulnerable."
The US has long neglected the security of critical infrastructure like power plants, hospitals, and airports, which hackers could infiltrate and wreak havoc on by shutting off power, deleting patient data, or causing planes to crash, according to Perlroth.
"These are all things that could happen simultaneously and would be in many ways more deadly than a bomb going off somewhere," Perlroth said, adding that these threats are amplified by the fact that private companies like Solarwinds, which own and operate the vast majority of US infrastructure, are first and foremost concerned with making money.
"The incentive has been get your product first to market, make your products easily accessible, not just to customers, but employees and contractors and vendors," she said. Perlroth also said that, following the Solarwinds hack, the US government should "pause here and take inventory" of its own IT systems, including which software touches various networks, who makes it and where, and what security practices those companies have in place.
Additionally, Perlroth says better information sharing is needed between the government and private sector around constantly evolving cyber threats - something lawmakers alluded to in their recent grilling of executives from Solarwinds, Microsoft, FireEye, and Crowdstrike.
Ultimately, Perlroth said the US needs to better incentivize companies to prioritize security, both by requiring and rewarding good security practices through stricter legal requirements and tax credits, but also by slapping fines on "companies whose passwords are 'Solarwinds123.'"