Bibliographic Info

  • Author: Nicole Perlroth, New York Times cybersecurity reporter
  • Published: 2021
  • Raw file: raw/This Is How They Tell Me the World Ends - Nicole Perlroth.md

Core Thesis

The US government’s decision to secretly stockpile and weaponise software vulnerabilities (zero-days) rather than fix them has created the most destabilising arms race in history. The weapons are invisible, the battlefield is everywhere, and the US is uniquely vulnerable because it runs more critical infrastructure on networked software than any other nation.

The central paradox: the US built the world’s most powerful offensive cyberprogram and simultaneously made itself the world’s most vulnerable target.


The Key Concept: Zero-Days

A zero-day is a software vulnerability unknown to the vendor — there have been zero days available to patch it. Until patched, it can be exploited silently and indefinitely.

Why zero-days are extraordinarily valuable:

  • No patch exists, so the defender’s usual response (update) is unavailable; only generic mitigations remain
  • Attribution is hard: the exploit itself carries little that identifies who used it
  • Exploitation leaves few forensic traces
  • Vulnerabilities in widely-used software can persist undetected for years

The market: Governments, intelligence agencies, defence contractors, and criminal organisations buy and sell zero-days. iOS zero-days: $1–2.5M+. The market is entirely unregulated and opaque.


The Historical Arc

NSA’s Post-9/11 Pivot to Offense

After 9/11, the NSA greatly expanded TAILORED ACCESS OPERATIONS (TAO), its elite hacking unit tasked with breaking into adversary systems. The method: acquire and stockpile zero-days for silent exploitation.

The NSA’s logic: if a vulnerability exists, better that we hold it than adversaries. Reporting it to the vendor destroys the capability. This led to the US becoming the world’s largest buyer and hoarder of offensive cyberweapons — choosing systematically not to report vulnerabilities that put American infrastructure at risk.

Stuxnet (2010): The Rubicon

Joint US-Israeli operation targeting Iran’s Natanz enrichment facility. Used four Windows zero-days in a single payload to reach the Siemens controllers running the centrifuges, then drove the centrifuges outside their safe operating speeds while replaying recorded normal readings to operators. ~1,000 centrifuges destroyed.

But Stuxnet escaped. Security researchers discovered and published its techniques. Every sophisticated nation studied it. The US had demonstrated that cyberweapons could destroy physical infrastructure — and then taught the world how to do it.

Shadow Brokers and the Weapons Escape (2016–17)

An anonymous group leaked the NSA’s hacking arsenal, including EternalBlue, an exploit for a vulnerability in Windows SMBv1 that the NSA had held for about five years. Microsoft had patched it in March 2017 (MS17-010); when Shadow Brokers published the exploit in April, millions of systems worldwide still hadn’t applied the patch.

  • WannaCry (May 2017): North Korea weaponised EternalBlue into self-propagating ransomware. UK NHS disrupted, 200,000+ victims in ~150 countries, estimated $4–8B in damage.
  • NotPetya (June 2017): Russia’s GRU combined EternalBlue with credential theft in a destructive wiper disguised as ransomware, seeded through a compromised Ukrainian accounting-software update. Merck (~$870M), FedEx/TNT (~$400M), Maersk (~$300M); ~$10B total, the most costly cyberattack in history.

The NSA had known about EternalBlue for years and chose stockpiling over patching. When the weapons escaped, they caused damage orders of magnitude greater than any intelligence benefit derived.
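The practical lesson of the EternalBlue episode is that the exposed surface was not exotic: it was SMBv1 left reachable on hosts that had not taken a public patch. The following is an added example, not from the book or from this page’s source, showing how a defender can check whether a host still negotiates SMBv1 at all: it builds a raw SMB_COM_NEGOTIATE request offering only the NT LM 0.12 dialect, parses the reply, and classifies the host. The flag values, the dialect string and the sample response bytes are my own constructions; the sample reply is constructed, not captured. Note the caveat in the code: a host that still answers in SMB1 may or may not have MS17-010 applied, so this tells you the attack surface is present, not that the specific bug is exploitable.

```python
import socket
import struct

# Added example, not from the book: a minimal SMBv1 dialect-negotiation probe.
# EternalBlue targets the SMBv1 server (patched by MS17-010); a host that still
# answers an SMB1 negotiate request is still exposing that attack surface,
# whether or not the patch is installed.
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DEFAULT_DIALECTS = ("NT LM 0.12",)  # the dialect Windows SMB1 servers select


def build_smb1_negotiate(dialects=DEFAULT_DIALECTS):
    """NetBIOS-framed SMB_COM_NEGOTIATE request offering only SMB1 dialects."""
    # 32-byte SMB1 header: magic, command, NTSTATUS, Flags, Flags2, PIDHigh,
    # SecurityFeatures, Reserved, TID, PIDLow, UID, MID. Flag values are
    # ordinary client choices (assumption), not required constants.
    header = struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, SMB_COM_NEGOTIATE, 0,
                         0x18, 0xC801, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
    dialect_bytes = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    # WordCount = 0, then ByteCount and the dialect list
    body = bytes([0]) + struct.pack("<H", len(dialect_bytes)) + dialect_bytes
    payload = header + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload  # NetBIOS session message


def parse_negotiate_response(data, offered=DEFAULT_DIALECTS):
    """Classify the server's reply to build_smb1_negotiate()."""
    if len(data) < 4:
        return {"protocol": "none", "dialect": None}      # reset/closed: SMB1 off
    smb = data[4:]
    if smb[:4] == SMB2_MAGIC:
        return {"protocol": "smb2", "dialect": None}      # server only speaks SMB2/3
    if data[0] != 0x00 or smb[:4] != SMB1_MAGIC or len(smb) < 35:
        return {"protocol": "unknown", "dialect": None}
    command = smb[4]
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if command != SMB_COM_NEGOTIATE or status != 0 or word_count == 0:
        return {"protocol": "unknown", "dialect": None}
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF or dialect_index >= len(offered):
        # It answered in SMB1 framing but accepted none of the offered dialects.
        return {"protocol": "smb1_no_dialect", "dialect": None}
    return {"protocol": "smb1", "dialect": offered[dialect_index]}


def _recv_exact(sock, n):
    """Read exactly n bytes (or fewer if the peer closes)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_smb1(host, port=445, timeout=3.0):
    """Live probe: a reset or silence means the server does not speak SMB1."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            hdr = _recv_exact(s, 4)
            if len(hdr) < 4:
                return {"protocol": "none", "dialect": None}
            body = _recv_exact(s, int.from_bytes(hdr[1:4], "big"))
            return parse_negotiate_response(hdr + body)
    except OSError:
        return {"protocol": "none", "dialect": None}


def sample_smb1_response(dialect_index=0):
    """Constructed (not captured) NT LM 0.12 negotiate reply from a host with SMB1 enabled."""
    header = struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, SMB_COM_NEGOTIATE, 0,
                         0x98, 0xC801, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
    # 17 parameter words: DialectIndex, SecurityMode, MaxMpx, MaxVcs, MaxBuffer,
    # MaxRaw, SessionKey, Capabilities, SystemTime, TimeZone, ChallengeLength
    params = struct.pack("<HBHHIIIIQhB", dialect_index, 0x03, 50, 1, 16644,
                         65536, 0, 0x8000E3FD, 0, 0, 8)
    payload = header + bytes([17]) + params + struct.pack("<H", 0)  # ByteCount = 0
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


if __name__ == "__main__":
    print(parse_negotiate_response(sample_smb1_response()))  # offline demo
    # print(probe_smb1("192.0.2.10"))  # live check; only against hosts you are authorised to test
```

Run the offline demo to see the classification of the constructed reply; point probe_smb1 at a real host only with authorisation. A result of "smb1" means the host still negotiates the protocol EternalBlue rode in on and should be on the disable-SMBv1 list regardless of patch state; "smb2" or "none" means that surface is gone.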


The Global Arms Race

The Buyers and Their Strategies

Russia (FSB, GRU, SVR): The most aggressive user of cyberweapons as instruments of geopolitical coercion — not just espionage but destruction. Ukraine power grid attacks (2015, 2016), NotPetya, election infrastructure targeting.

China (PLA cyber units): World’s largest state-sponsored hacking apparatus. Focused on intellectual property theft — stealing terabytes of US corporate and military research to compress Chinese industrial development timelines.

North Korea (Lazarus Group): Uses cyberattacks for revenue generation — bank heists, cryptocurrency theft, ransomware. Bangladesh Bank (2016): $81M stolen in one weekend via fraudulent SWIFT transfers.

Iran: Post-Stuxnet, invested heavily in offensive capability. The Shamoon wiper (2012) destroyed ~35,000 Saudi Aramco computers; sustained DDoS attacks hit US banks (2012–13).

The Market: Exploit Brokers and the Zero-Day Economy

Companies like Zerodium publicly list prices for zero-days by target (iOS: $2M, WhatsApp: $1.5M). Independent researchers who once reported vulnerabilities to vendors for small bug bounties now sell to the highest bidder — often a government that will use the vulnerability offensively rather than fix it.

NSO Group (Israel) sells “lawful intercept” tools to governments — the Pegasus spyware has been used to surveil journalists, dissidents, heads of state, and human rights activists in Saudi Arabia, Mexico, UAE, India, and many others.


The Structural Vulnerability

The US is more exposed to cyberattack than any adversary:

  • More critical infrastructure runs on networked, commercial software
  • Power grid, financial system, hospitals, water treatment — all increasingly connected
  • Russia and China maintain more air-gapped critical systems and manual backups

The US built weapons optimised for attacking networked systems, and it is the most networked country in the world. The arms race it started is one in which it has the most to lose.


The Vulnerability Equities Process: Broken by Design

The US government’s process for deciding whether to disclose or stockpile zero-days (the VEP) is dominated by intelligence agencies whose equities are classified. The scales are systematically tilted toward offense:

  • Offensive capability value is immediate and visible
  • Defensive value (patching protects diffuse millions of Americans) is probabilistic and invisible
  • No public advocate in the room

The result: the US retains far more vulnerabilities than it should, leaving American infrastructure systematically less secure.


Cross-wiki Connections

  Concept                              Existing Pages                                    New Pages
  Zero-day market                      large-language-models, transformer-architecture   zero-day
  Cyberweapons as arms race            prisoners-dilemma
  Stockpiling vs. patching decision    wysiati, sunk-cost-fallacy
  NSA/government incentive structure   extractive-institutions, invisible-hand
  WannaCry/NotPetya cascade            lollapalooza-effect

Notable Cross-Thread Connections

  • prisoners-dilemma ↔ cyberweapons: The zero-day stockpiling regime is a global, multi-party prisoner’s dilemma. Each nation retains vulnerabilities rather than reporting them — rational individually, collectively catastrophic. Unlike the arms race the Axelrod transcript describes (which reached detente), the cyberweapons race has no mechanism for mutual verification or trust-building because capabilities are invisible and unverifiable.

  • wysiati ↔ stockpiling decision: NSA decision-makers could clearly see the intelligence value of zero-days. The diffuse harm — unpatched vulnerabilities in American infrastructure, the risk of eventual escape — was invisible. What they saw (a powerful offensive tool) was all there was. The outcome (WannaCry, NotPetya) was the consequence of what they couldn’t see.

  • lollapalooza-effect ↔ WannaCry/NotPetya: These weren’t single-cause events. NSA stockpiling + Shadow Brokers leak + slow enterprise patching culture + North Korean/Russian weaponisation + global internet connectivity = $10B in damage from a vulnerability the NSA knew about and chose not to fix. Classic lollapalooza.

  • extractive-institutions ↔ the zero-day market: The VEP is a captured process — intelligence agencies making decisions about public goods (software security) in private, for their own benefit, with no public advocate. This is extractive institutional logic applied to a technical domain.

  • creative-destruction ↔ AI-enhanced cyberattacks: AI is transforming the threat landscape — automated vulnerability discovery, AI-assisted attack scaling. This is creative destruction in the security domain: new AI capabilities will make old defensive postures obsolete, and the question is who adapts faster.

  • large-language-models ↔ cybersecurity: LLMs can both find vulnerabilities (defensive) and generate exploits (offensive). The current cybersecurity threat landscape is about to become significantly more dangerous due to AI-enabled attack automation.

See Also