Nicole Perlroth’s This is How They Tell Me the World Ends is a deep dive into the history of the global cyberweapons market. It covers the origins of bug bounty programs, some history of offensive operations at the NSA, a narrative of well-known cyberattacks, and discussion of the risk the United States faces from digital attack. It is equal parts exciting and terrifying and overall a worthy read for anyone interested in cybersecurity.

The book is built around the sale of zero-days: exploitable software vulnerabilities unknown to the software’s creator. These vulnerabilities are a gold-mine for attackers because defenders have no way to counter them. Specifically, the author focuses on the market of selling zero-days (and in many cases fully functional exploit tools) by individual hackers or private companies to espionage agencies around the world. She tells the stories of hackers who built the exploits, brokers who facilitate the sale with a government agency, and employees of agencies or contractors using the tools around the world. The writing is distinctly non-technical and intended for general audiences, which makes sense from the author’s background as a journalist. Even as a technical person by profession I appreciated the non-technical nature of the book as the political and historical context of the subject tells a bigger picture than technical details of a particular exploit.

A large portion of the book is devoted to a narrative timeline of large attacks. This includes China’s large-scale attack of Google in 2009, Stuxnet, Russian hacking and disinformation campaigns in the lead up to the 2016 presidential election, NotPetya, and WannaCry. Although not directly related to the zero-day market, these attacks highlight the dangers of this underground market letting high-risk vulnerabilities go unpatched. Many of these attacks are directly related to the Shadow Brokers’ release of NSA tools (including the EternalBlue exploit used in NotPetya and WannaCry).

Perlroth concludes with a warning about the position the United States is currently in - our defensive capabilities are far less sophisticated than our offensive capabilities and we are extremely vulnerable to attacks on critical infrastructure. Russia, Iran, and presumably others have breached many of the systems that run power and water systems and in the current atmosphere there is little we could do to prevent them from causing lasting damage if intended.

One significant drawback to the book is the author’s continual view of the United States as the “good guys”. She describes the moral calculus of selling espionage weapons to good governments versus authoritarian regimes, often insisting there’s a difference between selling cyberweapons to governments that spy on foreigners and governments that use the tools on their own citizens, especially journalists and dissidents. One story stands out, about halfway through the book, when she describes a conversation she had with an Argentinian hacker. The short version is she asked if Argentinians were careful about only selling zero-days to the good guys, and the hacker pushed back on the implication that the United States and its allies are the good guys, given Argentina has good reason to distrust the US. I hoped the pro-US slant had been played up earlier in the book and this was the start of a shift in the author’s perspective, but sadly I was incorrect. Almost immediately after that conversation the slant came back to stay.

I would highly recommend this book for anyone even slightly interested in cybersecurity or espionage. The history of the zero-day market and descriptions of cyberattacks were fascinating. The book paints a terrifying image of the current state of the digital world, which may be hyperbolized, but is nonetheless compelling.