Lex Fridman Podcast - #266 - Nicole Perlroth: Cybersecurity and the Weapons of Cyberwar

If one site is hacked, you can just unleash all hell.

We have stumbled into this new era

of mutually assured digital destruction.

How far are people willing to go?

You can capture their location,

you can capture their contacts

that record their telephone calls, record their camera

without them knowing about it.

Basically, you can put an invisible ankle bracelet

on someone without them knowing.

You could sell that to a zero day broker for $2 million.

The following is a conversation with Nicole Perlroth,

cybersecurity journalist and author

of This Is How They Tell Me The World Ends,

The Cyberweapons Arms Race.

This is the Lex Fridman podcast.

To support it, please check out our sponsors

in the description.

And now, dear friends, here’s Nicole Perlroth.

You’ve interviewed hundreds of cybersecurity hackers,

activists, dissidents, computer scientists,

government officials, forensic investigators,

and mercenaries.

So let’s talk about cybersecurity and cyber war.

Start with the basics.

What is a zero day vulnerability?

And then a zero day exploit or attack?

So at the most basic level, let’s say I’m a hacker

and I find a bug in your iPhone iOS software

that no one else knows about, especially Apple.

That’s called a zero day because the minute it’s discovered,

engineers have had zero days to fix it.

If I can study that zero day,

I could potentially write a program to exploit it.

And that program would be called a zero day exploit.

And for iOS, the dream is that you craft a zero day exploit

that can remotely exploit someone else’s iPhone

without them ever knowing about it.

And you can capture their location,

you can capture their contacts

that record their telephone calls,

record their camera without them knowing about it.

Basically, you can put an invisible ankle bracelet

on someone without them knowing.

And you can see why that capability,

that zero day exploit would have immense value

for a spy agency or a government

that wants to monitor its critics or dissidents.

And so there’s a very lucrative market now

for zero day exploits.

So you said a few things there.

One is iOS, why iOS, which operating system,

which one is the sexier thing to try to get to

or the most impactful thing?

And the other thing you mentioned is remote

versus like having to actually come

in physical contact with it.

Is that the distinction?

So iPhone exploits have just been

a government’s number one priority.

Recently, actually the price

of an Android remote zero day exploit,

something that can get you into Android phones

is actually higher.

The value of that is now higher on this underground market

for zero day exploits than an iPhone iOS exploit.

So things are changing.

So there’s probably more Android devices,

so that’s why it’s better.

But then the iPhone side,

so I’m an Android person,

because I’m a man of the people.

But it seems like all the elites use iPhone,

all the people at nice dinner parties.

So is that the reason that the more powerful people

use iPhones, is that why?

I don’t think so.

I actually, so it was about two years ago

that the prices flipped.

It used to be that if you could craft

a remote zero click exploit for iOS,

then that was about as good as it gets.

You could sell that to a zero day broker for $2 million.

The caveat is you can never tell anyone about it,

because the minute you tell someone about it,

Apple learns about it,

they patch it, and that $2.5 million investment

that that zero day broker just made goes to dust.

So a couple of years ago,

and don’t quote me on the prices,

but an Android zero click remote exploit

for the first time topped the iOS.

And actually a lot of people’s read on that

was that it might be a sign

that Apple security was falling,

and that it might actually be easier

to find an iOS zero day exploit

than find an Android zero day exploit.

The other thing is market share.

There are just more people around the world that use Android.

And a lot of governments that are paying top dollar

for zero day exploits these days

are deep pocketed governments in the Gulf

that wanna use these exploits

to monitor their own citizens, monitor their critics.

And so it’s not necessarily

that they’re trying to find elites,

it’s that they wanna find out who these people are

that are criticizing them

or perhaps planning the next Arab Spring.

So in your experience,

are most of these attacks targeted

to cover a large population,

or is there attacks that are targeted

towards specific individuals?

So I think it’s both.

Some of the zero day exploits that have fetched top dollar

that I’ve heard of in my reporting in the United States

were highly targeted.

There was a potential terrorist attack.

They wanted to get into this person’s phone.

It had to be done in the next 24 hours.

They approached hackers and said, we’ll pay you

X millions of dollars if you can do this.

But then you look at,

when we’ve discovered iOS zero day exploits in the wild,

some of them have been targeting large populations

like Uyghurs.

So a couple of years ago,

there was a watering hole attack.

Okay, what’s a watering hole attack?

There’s a website,

it actually had information aimed at Uyghurs

and you could access it all over the world.

And if you visited this website,

it would drop an iOS zero day exploit onto your phone.

And so anyone that visited this website

that was about Uyghurs anywhere,

I mean, Uyghurs, Uyghurs living abroad,

basically the Uyghur diaspora would have gotten infected

with this zero day exploit.

So in that case, they were targeting huge swaths

of this one population or people interested

in this one population, basically in real time.

So who are these attackers?

From the individual level to the group level,

psychologically speaking, what’s their motivation?

Is it purely money?

Is it the challenge?

Are they malevolent?

Is it power?

These are big philosophical human questions, I guess.

So these are the questions I set out to answer for my book.

I wanted to know, are these people that are just after money?

If they’re just after money, how do they sleep at night?

Not knowing whether that zero day exploit

they just sold to a broker is being used

to basically make someone’s life a living hell.

And what I found was there’s kind of this long sordid history

to this question.

It started out in the 80s and 90s

when hackers were just finding holes and bugs in software

for curiosity’s sake, really as a hobby.

And some of them would go to the tech companies

like Microsoft or Sun Microsystems at the time or Oracle.

And they’d say, hey, I just found this zero day

in your software and I can use it to break into NASA.

And the general response at the time wasn’t,

thank you so much for pointing out this flaw

in our software, we’ll get it fixed as soon as possible.

It was, don’t ever poke around our software ever again

or we’ll stick our general counsel on you.

And that was really sort of the common thread for years.

And so hackers who set out to do the right thing

were basically told to shut up

and stop doing what you’re doing.

And what happened next was they basically started trading

this information online.

Now, when you go back and interview people

from those early days, they all tell a very similar story,

which is they’re curious, they’re tinkerers.

They remind me of like the kid down the block

that was constantly poking around the hood of his dad’s car.

They just couldn’t help themselves.

They wanted to figure out how a system is designed

and how they could potentially exploit it

for some other purpose.

It doesn’t have to be good or bad.

But they were basically kind of beat down for so long

by these big tech companies

that they started just silently trading them

with other hackers.

And that’s how you got these really heated debates

in the 90s about disclosure.

Should you just dump these things online

because any script kiddie can pick them up

and use it for all kinds of mischief.

But don’t you wanna just stick a middle finger

to all these companies

that are basically threatening you all the time.

So there was this really interesting dynamic at play.

And what I learned in the course of doing my book

was that government agencies and their contractors

sort of tapped into that frustration and that resentment.

And they started quietly reaching out to hackers

on these forums.

And they said, hey, you know that zero day

you just dropped online,

could you come up with something custom for me?

And I’ll pay you six figures for it

so long as you shut up and never tell anyone

that I paid you for this.

And that’s what happened.

So throughout the 90s,

there was a bunch of boutique contractors

that started reaching out to hackers on these forums

and saying, hey, I’ll pay you six figures

for that bug you were trying to get Microsoft

to fix for free.

And sort of so began or so catalyzed this market

where governments and their intermediaries

started reaching out to these hackers

and buying their bugs for free.

And in those early days,

I think a lot of it was just for quiet counterintelligence,

traditional espionage.

But as we started baking the software,

Windows software, Schneider Electric,

Siemens industrial software into our nuclear plants

and our factories and our power grid

and our petrochemical facilities and our pipelines,

those same zero days came to be just as valuable

for sabotage and war planning.

Does the fact that the market sprung up

and you can now make a lot of money

change the nature of the attackers that came to the table

or grow the number of attackers?

I mean, what is, I guess,

you told the psychology of the hackers in the 90s,

what is the culture today and where is it heading?

So I think there are people who will tell you

they would never sell a zero day

to a zero day broker or a government.

One, because they don’t know how it’s gonna get used

when they throw it over the fence.

Most of these get rolled into classified programs

and you don’t know how they get used.

If you sell it to a zero day broker,

you don’t even know which nation state might use it

or potentially which criminal group might use it

if you sell it on the dark web.

The other thing that they say is that

they wanna be able to sleep at night.

And they lose a lot of sleep

if they found out their zero day was being used

to make a dissident’s life living hell.

But there are a lot of people, good people,

who also say, no, this is not my problem.

This is the technology company’s problem.

If they weren’t writing new bugs

into their software every day,

then there wouldn’t be a market.

Then there wouldn’t be a problem.

But they continue to write bugs

into their software all the time

and they continue to profit off that software.

So why shouldn’t I profit off my labor too?

And one of the things that has happened,

which is I think a positive development

over the last 10 years, are bug bounty programs.

Companies like Google and Facebook

and then Microsoft and finally Apple,

which resisted it for a really long time,

have said, okay, we are gonna shift our perspective

about hackers.

We’re no longer going to treat them as the enemy here.

We’re going to start paying them

for what it’s essentially free quality assurance.

And we’re gonna pay them good money in some cases,

six figures in some cases.

We’re never gonna be able to bid against a zero day broker

who sells to government agencies.

But we can reward them and hopefully get to that bug earlier

where we can neutralize it

so that they don’t have to spend another year

developing the zero day exploit.

And in that way, we can keep our software more secure.

But every week I get messages from some hacker that says,

you know, I tried to see this zero day exploit

that was just found in the wild,

being used by this nation state.

I tried to tell Microsoft about this two years ago

and they were gonna pay me peanuts so it never got fixed.

There are all sorts of those stories that can continue on.

And I think just generally,

hackers are not very good at diplomacy.

They tend to be pretty snipey, technical crowd.

And very philosophical in my experience.

But diplomacy is not their strong suit.

Oh, there almost has to be a broker

between companies and hackers.

who can translate effectively,

just like you have a zero day broker

between governments and hackers.

You have to speak their language.

Yeah, and there have been some of those companies

who’ve risen up to meet that demand.

And HackerOne is one of them.

Bugcrowd is another.

Synack has an interesting model, so that’s a company

that you pay for a private bug bounty program essentially.

So you pay this company, they tap hackers all over the world

to come hack your software, hack your system.

And then they’ll quietly tell you what they found.

And I think that’s a really positive development.

And actually, the Department of Defense

hired all three of those companies I just mentioned

to help secure their systems.

Now I think they’re still a little timid

in terms of letting those hackers

into the really sensitive, high side classified stuff.

But you know, baby steps.

Just to understand what you were saying,

you think it’s impossible for companies

to financially compete with the zero day brokers,

with governments.

So like the defense can’t outpay the hackers?

It’s interesting, they shouldn’t outpay them.

Because what would happen

if they started offering $2.5 million at Apple

for any zero day exploit

that governments would pay that much for,

is their own engineers would say,

why the hell am I working for less than that

and doing my nine to five every day?

So you would create a perverse incentive.

And I didn’t think about that until I started this research

and I realized, okay, yeah, that makes sense.

You don’t want to incentivize offense so much

that it’s to your own detriment.

And so I think what they have though,

what the companies have on government agencies,

is if they pay you, you get to talk about it.

You know, you get the street cred.

You get to brag about the fact you just found

that $2.5 million, you know, iOS zero day

that no one else did.

And if you sell it to a broker,

you never get to talk about it.

And I think that really does eat at people.

Can I ask you a big philosophical question

about human nature here?

So if you have, I mean, what you’ve seen,

if a human being has a zero day,

they found a zero day vulnerability that can hack into,

I don’t know, what’s the worst thing you can hack into?

Something that could launch nuclear weapons.

Which percentage of the people in the world

that have the skill would not share that with anyone,

with any bad party?

I guess how many people are completely devoid

of ethical concerns in your sense?

So my belief is all the ultra competent people

or very, very high percentage of ultra competent people

are also ethical people.

That’s been my experience.

But then again, my experience is narrow.

What’s your experience been like?

So this was another question I wanted to answer.

Who are these people who would sell a zero day exploit

that would neutralize a Schneider Electric safety lock

at a petrochemical plant?

Basically the last thing you would need to neutralize

before you trigger some kind of explosion.

Who would sell that?

And I got my answer,

well, the answer was different.

A lot of people said, I would never even look there

because I don’t even wanna know.

I don’t even wanna have that capability.

I don’t even wanna have to make that decision

about whether I’m gonna profit off of that knowledge.

I went down to Argentina

and this whole kind of moral calculus I had in my head

was completely flipped around.

So just to back up for a moment.

So Argentina actually is a real hacker’s paradise.

People grew up in Argentina and I went down there,

I guess I was there around 2015, 2016,

but you still couldn’t get an iPhone.

They didn’t have Amazon Prime.

You couldn’t get access to any of the apps

we all take for granted.

To get those things in Argentina as a kid,

you have to find a way to hack them.

And the whole culture is really like a hacker culture.

They say it’s really like a MacGyver culture.

You have to figure out how to break into something

with wire and tape.

And that means that there are a lot of really good hackers

in Argentina who specialize in developing zero day exploits.

And I went down to this Argentina conference

called Ekoparty.

And I asked the organizer, okay, can you introduce me

to someone who’s selling zero day exploits to governments?

And he was like, just throw a stone.

Throw a stone anywhere and you’re gonna hit someone.

And all over this conference, you saw these guys

who were clearly from these Gulf States

who only spoke Arabic.

What are they doing at a young hacking conference

in Buenos Aires?

And so I went out to lunch with kind of this godfather

of the hacking scene there.

And I asked this really dumb question

and I’m still embarrassed about how I phrased it.

But I said, so will these guys only sell

these zero day exploits to good Western governments?

And he said, Nicole, last time I checked,

the United States wasn’t a good Western government.

The last country that bombed another country

into oblivion wasn’t China or Iran,

it was the United States.

So if we’re gonna go by your whole moral calculus,

just know that we have a very different calculus down here

and we’d actually rather sell to Iran or Russia

or China maybe than the United States.

And that just blew me away.

Like, wow, he’s like, we’ll just sell

to whoever brings us the biggest bag of cash.

Have you checked into our inflation situation recently?

So I had some of those like reality checks along the way.

We tend to think of things as is this moral,

is this ethical, especially as journalists.

And we kind of sit on our high horse sometimes

and write about a lot of things

that seem to push the moral bounds.

But in this market, which is essentially

an underground market where the one rule is like Fight Club.

No one talks about Fight Club.

First rule of the zero day market,

nobody talks about the zero day market on both sides

because the hacker doesn’t wanna lose

their $2.5 million bounty.

And governments roll these into classified programs

and they don’t want anyone to know what they have.

So no one talks about this thing.

And when you’re operating in the dark like that,

it’s really easy to put aside your morals sometimes.

Can I, as a small tangent, ask you, by way of advice,

you must have done some incredible interviews.

And you’ve also spoken about how serious

you take protecting your sources.

If you were to give me advice for interviewing

when you’re recording on mic with a video camera,

how is it possible to get into this world?

Like is it basically impossible?

So you’ve spoken with a few people,

what is it like the godfather of cyber war, cyber security?

So people that are already out.

And they still have to be pretty brave to speak publicly.

But is it virtually impossible to really talk to anybody

who is a current hacker?

Are you always like 10, 20 years behind?

It’s a good question.

And this is why I’m a print journalist.

But when I’ve seen people do it,

it’s always the guy who’s behind the shadows,

whose voice has been altered.

When they’ve gotten someone on camera,

that’s usually how they do it.

Very, very few people talk in this space.

And there’s actually a pretty well known case study

in why you don’t talk publicly in this space

and you don’t get photographed.

And that’s the Grugq.

So the Grugq is or was this zero day broker,

South African guy, lives in Thailand.

And right when I was starting on this subject

at the New York Times, he’d given an interview to Forbes.

And he talked about being a zero day broker.

And he even posed next to this giant duffel bag

filled with cash, ostensibly.

And later he would say he was speaking off the record.

He didn’t understand the rules of the game.

But what I heard from people who did business with him

was that the minute that that story came out,

he became PNG’d.

No one did business with him.

His business plummeted by at least half.

No one wants to do business with anyone

who’s going to get on camera and talk

about how they’re selling zero days to governments.

It puts you at danger.

And I did hear that he got some visits

from some security folks.

And that’s another thing for these people to consider.

If they have those zero day exploits at their disposal,

they become a huge target for nation states

all over the world.

Talk about having perfect opsec.

You better have some perfect opsec

if people know that you have access to those zero day

exploits.

Which sucks because, I mean, transparency here

would be really powerful for educating the world

and also inspiring other engineers to do good.

It just feels like when you operate in the shadows,

it doesn’t help us move in the positive direction in terms

of getting more people on the defense side

versus on the attack side.

But of course, what can you do?

I mean, the best you can possibly do

is have great journalists, just like you did,

interview and write books about it,

and integrate the information you get

while hiding the sources.

Yeah, and I think what HackerOne has told me was, OK,

let’s just put away the people that

are finding and developing zero day exploits all day long.

Let’s put that aside.

What about however many millions of programmers

all over the world who’ve never even heard of a zero day

exploit?

Why not tap into them and say, hey, we’ll

start paying you if you can find a bug in United Airlines

software or in Schneider Electric or in Ford or Tesla?

And I think that is a really smart approach.

Let’s go find this untapped army of programmers

to neutralize these bugs before the people who will continue

to sell these to governments can find them and exploit them.

OK, I have to ask you about this.

From a personal side, it’s funny enough,

after we agreed to talk, I’ve gotten,

for the first time in my life, was a victim of a cyber attack.

So this is ransomware.

It’s called Deadbolt.

People can look it up.

I have a QNAP device for basically kind

of coldish storage.

So it’s about 60 terabytes with 50 terabytes of data on it

in RAID 5.

And apparently, about 4,000 to 5,000 QNAP devices

were hacked and taken over with this ransomware.

And what ransomware does there is it goes file by file,

almost all the files on the QNAP storage device,

and encrypts them.

And then there’s this very eloquently and politely

written page that pops up, describes what happened.

All your files have been encrypted.

This includes but is not limited to photos, documents,

and spreadsheets.

Why me?

This is a lot of people commented

about how friendly and eloquent this is.

And I have to commend them.

It is, and it’s pretty user friendly.

Why me?

This is not a personal attack.

You have been targeted because of the inadequate security

provided by your vendor, QNAP.

What now?

You can make a payment of exactly 0.03 Bitcoin,

which is about $1,000, to the following address.

Once the payment has been made, we’ll

follow up with a transaction to the same address,

blah, blah, blah.

They give you instructions of what happens next,

and they’ll give you a decryption key

that you can then use.

And then there’s another message for QNAP that says,

all your affected customers have been targeted using

a zero day vulnerability in your product.

We offer you two options to mitigate this and future damage.

One, make a Bitcoin payment of 5 Bitcoin

to the following address, and that

will reveal to QNAP the, I’m summarizing things here,

what the actual vulnerability is.

Or you can make a Bitcoin payment of 50 Bitcoin

to get a master decryption key for all your customers.

50 Bitcoin is about $1.8 million.

OK.

So first of all, on a personal level, this one hurt for me.

There’s, I mean, I learned a lot because I wasn’t,

for the most part, backing up much of that data

because I thought I can afford to lose that data.

It’s not horrible.

I mean, I think you’ve spoken about the crown jewels,

like making sure there’s things you really protect.

And I have, you know, I’m very conscious,

security wise, on the crown jewels.

But there’s a bunch of stuff, like, you know,

personal videos that are not, like,

I don’t have anything creepy, but just, like,

fun things I did that because they’re very large or 4K

or something like that, I kept them on there,

thinking RAID 5 will protect it.

You know, just I lost a bunch of stuff, including raw footage

from interviews and all that kind of stuff.

So it’s painful.

And I’m sure there’s a lot of painful stuff

like that for the 4,000 to 5,000 people that use QNAP.

And there’s a lot of interesting ethical questions here.

Do you pay them?

Does QNAP pay them?

Do the individuals pay them, especially when

you don’t know if it’s going to work or not?

Do you wait?

So QNAP said that, please don’t pay them.

We’re working very hard day and night to solve this.

It’s so philosophically interesting to me

because I also project onto them thinking,

what is their motivation?

Because the way they phrased it, on purpose, perhaps,

but I’m not sure if that actually reflects their real motivation,

is maybe they’re trying to help themselves sleep at night,

basically saying, this is not about you.

This is about the company with the vulnerabilities.

Just like you mentioned, this is the justification they have.

But they’re hurting real people.

They hurt me.

But I’m sure there’s a few others that are really hurt.

And the zero day factor is a big one.

There, QNAP right now is trying to figure out

what the hell is wrong with their system that would let this in.

And even if they pay, if they still don’t know where the zero

day is, what’s to say that they won’t just hit them again

and hit you again?

So that really complicates things.

And that is a huge advancement for ransomware.

It’s really only been, I think, in the last 18 months

that we’ve ever really seen ransomware exploit zero days

to pull these off.

Usually, 80% of them, I think the data shows 80% of them

come down to a lack of two factor authentication.

So when someone gets hit by a ransomware attack,

they don’t have two factor authentication on.

Their employees were using stupid passwords.

You can mitigate that in the future.

This one, they don’t know.

They probably don’t know.

Yeah.

And I guess it’s zero click because I

didn’t have to do anything.

The only thing, well, here’s the thing.

I did basics of I put it behind a firewall.

I followed instructions.

But I didn’t really pay attention.

So maybe there’s a misconfiguration of some sort

that’s easy to make.

It’s difficult. We have a personal NAS.

So I’m not willing to say that I did

everything I possibly could.

But I did a lot of reasonable stuff.

And they still hit it with zero clicks.

I didn’t have to do anything.

Yeah, well, it’s like a zero day.

And it’s a supply chain attack.

You’re getting hit from your supplier.

You’re getting hit because of your vendor.

And it’s also a new thing for ransomware groups

to go to the individuals to pressure them to pay.

There was this really interesting case.

I think it was in Norway where there was a mental health

clinic that got hit.

And the cybercriminals were going to the patients

themselves to say, pay this, or we’re

going to release your psychiatric records.

I mean, talk about hell.

In terms of whether to pay, that is on the cheaper

end of the spectrum.

From the individual or from the company?

Both.

We’ve seen, for instance, there was an Apple supplier in Taiwan.

They got hit.

And the ransom demand was $50 million.

I’m surprised it’s only $1.8 million.

I’m sure it’s going to go up.

And it’s hard.

There’s obviously governments, and maybe in this case,

the company are going to tell you,

we recommend you don’t pay or please don’t pay.

But the reality on the ground is that some businesses

can’t operate.

Some countries can’t function.

I mean, the underreported storyline of Colonial Pipeline

was after the company got hit and took

the preemptive step of shutting down the pipeline

because their billing systems were frozen,

they couldn’t charge customers downstream.

My colleague David Sanger and I got our hands

on a classified assessment that said that as a country,

we could have only afforded two to three more days

of Colonial Pipeline being down.

And it was really interesting.

I thought it was the gas and the jet fuel, but it wasn’t.

We were sort of prepared for that.

It was the diesel.

Without the diesel, the refineries couldn’t function,

and it would have totally screwed up the economy.

And so there was almost this national security

economic impetus for them to pay this ransom.

And the other one I always think about is Baltimore.

When the city of Baltimore got hit,

I think the initial ransom demand

was something around $76,000.

It may have even started smaller than that.

And Baltimore stood its ground and didn’t pay.

But ultimately, the cost to remediate was $18 million.

That’s a lot for the city of Baltimore.

That’s money that could have gone to public school education

and roads and public health.

And instead, it just went to rebuilding these systems

from scratch.

And so a lot of residents in Baltimore

were like, why the hell didn’t you pay the $76,000?

So it’s not obvious.

It’s easy to say, don’t pay.

Because why?

You’re funding their R&D for the next go round.

But it’s too often, it’s too complicated.

So on the individual level, just like the way

I feel personally from this attack,

have you talked to people that were kind of victims

in the same way I was, but maybe more dramatic ways or so on,

in the same way that violence hurts people?

How much does this hurt people in your sense

and the way you researched it?

The worst ransomware attack I’ve covered on a personal level

was an attack on a hospital in Vermont.

And you think of this as like, OK,

it’s hitting their IT networks.

They should still be able to treat patients.

But it turns out that cancer patients

couldn’t get their chemo anymore.

Because the protocol of who gets what is very complicated.

And without it, nurses and doctors couldn’t access it.

So they were turning chemo patients away,

cancer patients away.

One nurse told us, I don’t know why people

aren’t screaming about this, that the only thing I’ve

seen that even compares to what we’re

seeing at this hospital right now

was when I worked in the burn unit

after the Boston Marathon bombing.

They really put it in these super dramatic terms.

And last year there was a report in the Wall Street Journal

where they attributed an infant death to a ransomware attack

because a mom came in and whatever device

they were using to monitor the fetus

wasn’t working because of the ransomware attack.

And so they attributed this infant death

to the ransomware attack.

Now on a bigger scale but less personal,

when there was the NotPetya attack.

So this was an attack by Russia on Ukraine

that came at them through a supplier, a tax software

company in that case, that didn’t just

hit any government agency or business in Ukraine

that used this tax software.

It actually hit any business all over the world that

had even a single employee working remotely in Ukraine.

So it hit Maersk, the shipping company, hit Pfizer,

hit FedEx, but the one I will never forget is Merck.

It paralyzed Merck’s factories.

I mean, it really created an existential crisis

for the company.

Merck had to tap into the CDC’s emergency supplies

of the Gardasil vaccine that year

because their whole vaccine production line had been

paralyzed in that attack.

Imagine if that was going to happen right now

to Pfizer or Moderna or Johnson and Johnson.

Imagine.

I mean, that would really create a global cyber terrorist

attack, essentially.

And that’s almost unintentional.

I thought for a long time, I always

labeled it as collateral damage.

But actually, just today, there was a really impressive threat

researcher at Cisco, which has this threat intelligence

division called Talos, who said, stop calling it

collateral damage.

They could see who was going to get hit before they

deployed that malware.

It wasn’t collateral damage.

It was intentional.

They meant to hit any business that did business with Ukraine.

It was to send a message to them, too.

So I don’t know if that’s accurate.

I always thought of it as sort of the sloppy collateral

damage, but it definitely made me think.

So how much of this between states

is going to be a part of war, these kinds of attacks

on Ukraine between Russia and US, Russia and China,

China and US?

Let’s look at China and US.

Do you think China and US are going

to escalate something that would be called a war purely

in the space of cyber?

I believe any geopolitical conflict from now on

is guaranteed to have some cyber element to it.

The Department of Justice recently

declassified a report that said China has been hacking

into our pipelines, and it’s not for intellectual property

theft.

It’s to get a foothold so that if things escalate in Taiwan,

for example, they are where they need

to be to shut our pipelines down.

And we just got a little glimpse of what

that looked like with Colonial Pipeline and the panic buying

and the jet fuel shortages and that assessment I just

mentioned about the diesel.

So they’re there.

They’ve gotten there.

Anytime I read a report about new aggression from fighter

jets, Chinese fighter jets in Taiwan,

or what’s happening right now with Russia’s buildup

on the Ukraine border, or India, Pakistan,

I’m always looking at it through a cyber lens.

And it really bothers me that other people aren’t,

because there is no way that these governments

and these nation states are not going

to use their access to gain some advantage in those conflicts.

And I’m now in a position where I’m

an advisor to the Cybersecurity and Infrastructure Security

Agency at DHS.

So I’m not saying anything classified here.

But I just think that it’s really important

to understand just generally what the collateral damage

could be for American businesses and critical infrastructure

in any of these escalated conflicts around the world.

Because just generally, our adversaries

have learned that they might never

be able to match us in terms of our traditional military

spending on traditional weapons and fighter jets.

But we have a very soft underbelly

when it comes to cyber.

80% or more of America’s critical infrastructure,

so pipelines, power grid, nuclear plants, water systems,

is owned and operated by the private sector.

And for the most part, there is nothing out there legislating

that those companies share the fact they’ve been breached.

They don’t even have to tell the government they’ve been hit.

There’s nothing mandating that they even

meet a bare minimum standard of cybersecurity.

And that’s it.

So even when there are these attacks, most of the time,

we don’t even know about it.

So that is, if you were going to design a system

to be as blind and vulnerable as possible,

that’s pretty good.

That’s what it looks like is what we have here

in the United States.

And everyone here is just operating like,

let’s just keep hooking up everything for convenience.

Software eats the world.

Let’s just keep going for cost, for convenience sake,

just because we can.

And when you study these issues and you study these attacks

and you study the advancement and the uptick in frequency

and the lower barrier to entry that we see every single year,

you realize just how dumb software eats world is.

And no one has ever stopped to pause and think,

should we be hooking up these systems to the internet?

They’ve just been saying, can we?

Let’s do it.

And that’s a real problem.

And just in the last year, we’ve seen a record number

of zero day attacks.

I think there were 80 last year, which

is probably more than double what it was in 2019.

A lot of those were nation states.

We live in a world with a lot of geopolitical hot points

right now.

And where those geopolitical hot points are

are places where countries have been investing heavily

in offensive cyber tools.

If you’re a nation state, the goal

would be to maximize the footprint of zero day,

like super secret zero day that nobody is aware of.

And whenever war is initiated, the huge negative effects

of shutting down infrastructure or any kind of zero day

is the chaos it creates.

So if you just, there’s a certain threshold

when you create the chaos.

The market’s plummeted.

Just everything goes to hell.

I mean, it’s not just zero days.

We make it so easy for threat actors.

I mean, we’re not using two factor authentication.

We’re not patching.

There was the Shellshock vulnerability

that was discovered a couple of years ago.

It’s still being exploited because so many people

haven’t fixed it.

So the zero days are really the sexy stuff.

And what really drew me to the zero day market

was the moral calculus we talked about, particularly

from the US government’s point of view.

How do they justify leaving these systems so vulnerable

when we use them here and we’re baking

more of our critical infrastructure

with this vulnerable software?

It’s not like we’re using one set of technology

and Russia is using another and China is using this.

We’re all using the same technology.

So when you find a zero day in Windows,

you’re not just leaving it open so you can spy on Russia

or implant yourself in the Russian grid.

You’re leaving Americans vulnerable too.

But zero days are like, that is the secret sauce.

That’s the superpower.

And I always say every country now,

with the exception of Antarctica,

someone added the Vatican to my list,

is trying to find offensive hacking tools and zero days

to make them work.

And those that don’t have the skills

now have this market that they can tap into,

where $2.5 million, that’s chump change

for a lot of these nation states.

It’s a hell of a lot less than trying

to build the next fighter jet.

But yeah, the goal is chaos.

I mean, why did Russia turn off the lights twice in Ukraine?

I think part of it is chaos.

I think part of it is to sow the seeds of doubt

in their current government.

Your government can’t even keep your lights on.

Why are you sticking with them?

Come over here and we’ll keep your lights on at least.

There’s like a little bit of that.

Nuclear weapons seems to have helped prevent nuclear war.

Is it possible that we have so many vulnerabilities

and so many attack vectors on each other

that you will kind of achieve the same kind of equilibrium

like mutually shared destruction?

Yeah.

That’s one hopeful solution to this.

Do you have any hope for this particular solution?

You know, nuclear analogies always tend to fall apart

when it comes to cyber,

mainly because you don’t need fissile material.

You know, you just need a laptop and the skills

and you’re in the game.

So it’s a really low barrier to entry.

The other thing is attribution is harder.

And we’ve seen countries muck around with attribution.

We’ve seen, you know, nation states piggyback

on other countries spy operations and just sit there

and siphon out whatever they’re getting.

We learned some of that from the Snowden documents.

We’ve seen Russia hack into Iran’s command

and control attack servers.

We’ve seen them hit a Saudi petrochemical plant

where they did neutralize the safety locks at the plant

and everyone assumed that it was Iran,

given Iran had been targeting Saudi oil companies forever.

But nope, it turned out that it was

a graduate research institute outside Moscow.

So you see countries kind of playing around

with attribution.

Why?

I think because they think, okay, if I do this,

like how am I gonna cover up that it came from me

because I don’t wanna risk the response.

So people are sort of dancing around this.

It’s just in a very different way.

And, you know, at The Times I’d covered the Chinese hacks

of infrastructure companies like pipelines.

I’d covered the Russian probes of nuclear plants.

I’d covered the Russian attacks on the Ukraine grid.

And then in 2018, my colleague David Sanger and I

covered the fact that US Cyber Command

had been hacking into the Russian grid

and making a pretty loud show of it.

And when we went to the National Security Council,

because that’s what journalists do

before they publish a story,

they give the other side a chance to respond,

I assumed we would be in for that really awkward,

painful conversation where they would say,

you will have blood on your hands if you publish this story.

And instead they gave us the opposite answer.

They said, we have no problem

with you publishing this story.

Why?

Well, they didn’t say it out loud,

but it was pretty obvious they wanted Russia to know

that we’re hacking into their power grid too,

and they better think twice before they do to us

what they had done to Ukraine.

So yeah, you know, we have stumbled into this new era

of mutually assured digital destruction.

I think another sort of quasi norm we’ve stumbled into

is proportional responses.

There’s this idea that if you get hit,

you’re allowed to respond proportionally

at a time and place of your choosing.

That is how the language always goes.

That’s what Obama said after North Korea hit Sony.

We will respond at a time and place of our choosing.

But no one really knows like what that response looks like.

And so what you see a lot of the time

are just these like, just short of war attacks.

You know, Russia turned off the power in Ukraine,

but it wasn’t like it stayed off for a week.

You know, it stayed off for a number of hours.

You know, NotPetya hit those companies pretty hard,

but no one died, you know?

And the question is, what’s gonna happen when someone dies?

And can a nation state masquerade as a cyber criminal group,

as a ransomware group?

And that’s what really complicates

coming to some sort of digital Geneva convention.

Like there’s been a push from Brad Smith at Microsoft.

We need a digital Geneva convention.

And on its face, it sounds like a no brainer.

Yeah, why wouldn’t we all agree to stop hacking

into each other’s civilian hospital systems,

elections, power grid, pipelines?

But when you talk to people in the West,

officials in the West, they’ll say, we would never,

we’d love to agree to it, but we’d never do it

when you’re dealing with Xi or Putin or Kim Jong Un.

Because a lot of times, they outsource these operations

to cyber criminals.

In China, we see a lot of these attacks

come from this loose satellite network of private citizens

that work at the behest of the Ministry of State Security.

So how do you come to some sort of state to state agreement

when you’re dealing with transnational actors

and cyber criminals, where it’s really hard to pin down

whether that person was acting alone

or whether they were acting at the behest of the MSS

or the FSB.

And a couple of years ago, I remember,

can’t remember if it was before or after NotPetya,

but Putin said, hackers are like artists

who wake up in the morning in a good mood and start painting.

In other words, I have no say over what they do or don’t do.

So how do you come to some kind of norm

when that’s how he’s talking about these issues

and he’s just decimated Merck and Pfizer

and another however many thousand companies?

That is the fundamental difference between nuclear weapons

and cyber attacks is the attribution

or one of the fundamental differences.

If you can fix one thing in the world

in terms of cybersecurity

that would make the world a better place,

what would you fix?

So you’re not allowed to fix like authoritarian regimes

and you can’t.

You have to keep that,

you have to keep human nature as it is.

In terms of on the security side, technologically speaking,

you mentioned there’s no regulation

on companies in United States.

What if you could just fix with the snap of a finger,

what would you fix?

Two factor authentication, multifactor authentication.

It’s ridiculous how many of these attacks come in

because someone didn’t turn on multifactor authentication.

I mean, Colonial Pipeline, okay?

They took down the biggest conduit

for gas, jet fuel and diesel

to the East Coast of the United States of America, how?

Because they forgot to deactivate an old employee account

whose password had been traded on the dark web

and they’d never turned on two factor authentication.

This water treatment facility outside Florida

was hacked last year.

How did it happen?

They were using Windows XP from like a decade ago

that can’t even get patches if you want it to

and they didn’t have two factor authentication.

Time and time again,

if they just switched on two factor authentication,

some of these attacks wouldn’t have been possible.

Now, if I could snap my fingers,

that’s the thing I would do right now.

But of course, this is a cat and mouse game

and then the attackers onto the next thing.

But I think right now that is like bar none.

That is just, that is the easiest, simplest way

to deflect the most attacks.

And the name of the game right now isn’t perfect security.

Perfect security is impossible.

They will always find a way in.

The name of the game right now

is make yourself a little bit harder to attack

than your competitor than anyone else out there

so that they just give up and move along.

And maybe if you are a target

for an advanced nation state or the SVR,

you’re gonna get hacked no matter what.

But you can make cyber criminal groups deadbolt, is it?

You can make their jobs a lot harder

simply by doing the bare basics.

And the other thing is stop reusing your passwords.

But if I only get one, then two factor authentication.

So what is two factor authentication?

Factor one is what, logging in with a password.

And factor two is like have another device

or another channel through which you can confirm,

yeah, that’s me.

Yes, usually this happens through some kind of text.

You get your one time code from Bank of America

or from Google.

The better way to do it is spend $20

buying yourself a FIDO key on Amazon.

That’s a hardware device.

And if you don’t have that hardware device with you,

then you’re not gonna get in.

And the whole goal is, I mean, basically,

my first half of my decade at The Times

was spent covering like the copy.

It was like Home Depot got breached,

News at 11, Target, Neiman Marcus,

like who wasn’t hacked over the course of those five years?

And a lot of those companies that got hacked,

what did hackers take?

They took the credentials, they took the passwords.

They can make a pretty penny selling them on the dark web

and people reuse their passwords.

So you get one from God knows who, I don’t know,

LastPass, worst case example, actually LastPass.

But you get one and then you go test it

on their email account.

And you go test it on their brokerage account

and you test it on their cold storage account.

That’s how it works.

But if you have multi factor authentication,

then they can’t get in

because they might have your password,

but they don’t have your phone,

they don’t have your FIDO key.

So you keep them out.

And I get a lot of alerts that tell me

someone is trying to get into your Instagram account

or your Twitter account or your email account.

And I don’t worry because I use multi factor authentication.

They can try all day.

Okay, I worry a little bit, but it’s the simplest thing to do

and we don’t even do it.

Well, there’s an interface aspect to it

because it’s pretty annoying if it’s implemented poorly.

So actually bad implementation

of two factor authentication, not just bad,

but just something that adds friction

is a security vulnerability, I guess,

because it’s really annoying.

Like I think MIT for a while had two factor authentication.

It was really annoying.

I just, like the number of times it pings you,

like it asks to reauthenticate across multiple subdomains.

Like it just feels like a pain.

I don’t know what the right balance is there.

Yeah, it feels like friction in our frictionless society.

It feels like friction, it’s annoying.

That’s security’s biggest problem, it’s annoying.

We need the Steve Jobs of security to come along

and we need to make it painless.

And actually on that point,

Apple has probably done more for security than anyone else

simply by introducing biometric authentication,

first with the fingerprint and then with Face ID.

And it’s not perfect, but if you think just eight years ago,

everyone was running around with either no passcode

and optional passcode or four digit passcode on their phone

that anyone, think of what you can get

when you get someone’s iPhone, if you steal someone’s iPhone

and props to them for introducing the fingerprint

and Face ID.

And again, it wasn’t perfect, but it was a huge step forward.

Now it’s time to make another huge step forward.

I wanna see the password die.

I mean, it’s gotten us as far as it was ever gonna get us.

And I hope whatever we come up with next

is not gonna be annoying, is gonna be seamless.

When I was at Google, that’s what we worked on is,

and there’s a lot of ways to call it

active authentication, passive authentication.

So basically you use biometric data,

not just like a fingerprint, but everything from your body

to identify who you are, like movement patterns.

So it basically creates a lot of layers of protection

where it’s very difficult to fake,

including like face unlock, checking that it’s your actual

face, like the liveness tests.

So like from video, so unlocking it with video,

voice, the way you move the phone,

the way you take it out of the pocket, that kind of thing.

All of those factors.

It’s a really hard problem though.

And ultimately, it’s very difficult to beat the password

in terms of security.

Well, there’s a company that I actually will call out

and that’s Abnormal Security.

So they work on email attacks.

And it was started by a couple of guys who were doing,

I think, ad tech at Twitter.

So ad technology now, like it’s a joke

how much they know about us.

You always hear the conspiracy theories that

you saw someone’s shoes and next thing you know,

it’s on your phone.

It’s amazing what they know about you.

And they’re basically taking that

and they’re applying it to attacks.

So they’re saying, okay, if you’re,

this is what your email patterns are.

It might be different for you and me

because we’re emailing strangers all the time.

But for most people,

their email patterns are pretty predictable.

And if something strays from that pattern, that’s abnormal

and they’ll block it, they’ll investigate it.

And that’s great.

Let’s start using that kind of targeted ad technology

to protect people.

And yeah, I mean, it’s not gonna get us away

from the password and using multifactor authentication,

but the technology is out there

and we just have to figure out how to use it

in a really seamless way because it doesn’t matter

if you have the perfect security solution

if no one uses it.

I mean, when I started at The Times

when I was trying to be really good

about protecting sources,

I was trying to use PGP encryption

and it’s like, it didn’t work.

The number of mistakes I would probably make

just trying to email someone with PGP just wasn’t worth it.

And then Signal came along, and Wickr.

They made it a lot easier

to send someone an encrypted text message.

So we have to start investing in creative minds,

in good security design.

I really think that’s the hack that’s gonna get us

out of where we are today.

What about social engineering?

Do you worry about this sort of hacking people?

Yes, I mean, this is the worst nightmare

of every chief information security officer out there.

Social engineering, we work from home now.

I saw this woman posted online about how her husband,

it went viral today,

but it was her husband had this problem at work.

They hired a guy named John

and now the guy that shows up for work every day

doesn’t act like John.

I mean, think about that.

Like think about the potential for social engineering

in that context.

You apply for a job and you put on a pretty face,

you hire an actor or something,

and then you just get inside the organization

and get access to all that organization’s data.

A couple of years ago,

Saudi Arabia planted spies inside Twitter.

Why?

Probably because they were trying to figure out

who these people were

who were criticizing the regime on Twitter.

They couldn’t do it with a hack from the outside,

so why not plant people on the inside?

And that’s like the worst nightmare.

And it also, unfortunately, creates all kinds of xenophobia

at a lot of these organizations.

I mean, if you’re gonna have to take that into consideration,

then organizations are gonna start looking

really skeptically and suspiciously

at someone who applies for that job from China.

And we’ve seen that go really badly

at places like the Department of Commerce,

where they basically accuse people of being spies

that aren’t spies.

So it is the hardest problem to solve,

and it’s never been harder to solve

than right at this very moment

when there’s so much pressure for companies

to let people work remotely.

That’s actually why I’m single.

I’m suspicious that China and Russia,

every time I meet somebody,

are trying to plant and get insider information,

so I’m very, very suspicious.

I keep putting the Turing test in front, no.

No, I have a friend who worked inside NSA

and was one of their top hackers,

and he’s like, every time I go to Russia,

I get hit on by these 10s.

And I come home, my friends are like,

I’m sorry, you’re not a 10.

Like, it’s a common story.

I mean, it’s difficult to trust humans

in this day and age online.

So we’re working remotely, that’s one thing,

but just interacting with people on the internet,

sounds ridiculous, but because of this podcast in part,

I’ve gotten to meet some incredible people,

but it makes you nervous to trust folks,

and I don’t know how to solve that problem.

So I’m talking with Mark Zuckerberg,

who dreams about creating the metaverse.

What do you do about that world

where more and more our lives is in the digital sphere?

Like, one way to phrase it is,

most of our meaningful experiences at some point

will be online, like falling in love, getting a job,

or experiencing a moment of happiness with a friend,

with a new friend made online, all of those things.

Like, more and more, the fun we do,

the things that make us love life will happen online,

and if those things have an avatar that’s digital,

that’s like a way to hack into people’s minds,

whether it’s with AI or kind of troll farms

or something like that.

I don’t know if there’s a way to protect against that.

That might fundamentally rely on our faith

in how good human nature is.

So if most people are good, we’re going to be okay,

but if people will tend towards manipulation

and malevolent behavior in search of power,

then we’re screwed.

So I don’t know if you can comment

on how to keep the metaverse secure.

Yeah, I mean, all I thought about

when you were talking just now was my three year old son.

Yeah.

He asked me the other day, what’s the internet, mom?

And I just almost wanted to cry.

You know, I don’t want that for him.

I don’t want all of his most meaningful experiences

to be online.

You know, by the time that happens,

how do you know that person’s human,

that avatar’s human?

You know, I believe in free speech.

I don’t believe in free speech for robots and bots.

And like, look what just happened over the last six years.

You know, we had bots pretending

to be Black Lives Matter activists

just to sow some division,

or, you know, Texas secessionists,

or, you know, organizing anti-Hillary protests,

or just to sow more division,

to tie us up in our own politics

so that we’re so paralyzed we can’t get anything done.

We can’t make any progress

and we definitely can’t handle our adversaries

and their long-term thinking.

It really scares me.

And here’s where I just come back to.

Just because we can create the metaverse,

you know, just because it sounds like the next logical step

in our digital revolution,

do I really want my child’s most significant moments

to be online?

They weren’t for me, you know?

So maybe I’m just stuck in that old school thinking,

or maybe I’ve seen too much.

And I’m really sick of being

the guinea pig parent generation for these things.

I mean, it’s hard enough with screen time.

Like thinking about how to manage the metaverse as a parent

to a young boy, like I can’t even let my head go there.

That’s so terrifying for me.

But we’ve never stopped any new technology

just because it introduces risks.

We’ve always said, okay, the promise of this technology

means we should keep going, keep pressing ahead.

We just need to figure out new ways to manage that risk.

And you know, that’s the blockchain right now.

Like when I was covering all of these ransomware attacks,

I thought, okay, this is gonna be it for cryptocurrency.

You know, governments are gonna put the kibosh down.

They’re gonna put the hammer down and say enough is enough.

Like we have to put this genie back in the bottle

because it’s enabled ransomware.

I mean, five years ago, they would hijack your PC

and they’d say, go to the local pharmacy,

get an eGift card and tell us what the PIN is.

And then we’ll get your $200.

Now it’s pay us, you know, five Bitcoin.

And so there’s no doubt cryptocurrencies

enabled ransomware attacks,

but after the Colonial Pipeline ransom was seized,

because if you remember, the FBI was actually able to go in

and claw some of it back from DarkSide,

which was the ransomware group that hit it.

And I spoke to these guys at TRM Labs.

So they’re one of these blockchain intelligence companies.

And a lot of people that work there

used to work at the treasury.

And what they said to me was,

yeah, cryptocurrency has enabled ransomware,

but to track down that ransom payment would have taken,

you know, if we were dealing with fiat currency,

would have taken us years to get to that one bank account

or belonging to that one front company in the Seychelles.

And now thanks to the blockchain,

we can track the movement of those funds in real time.

And you know what?

You know, these payments are not as anonymous

as people think.

Like we still can use our old hacking ways and zero days

and, you know, old school intelligence methods

to find out who owns that private wallet

and how to get to it.

So it’s a curse in some ways and that it’s an enabler,

but it’s also a blessing.

And they said that same thing to me

that I just said to you.

They said, we’ve never shut down a promising new technology

because it introduced risk.

We just figured out how to manage that risk.

And I think that’s where the conversation

unfortunately has to go,

is how do we in the metaverse use technology to fix things?

So maybe we’ll finally be able to, not finally,

but figure out a way to solve the identity problem

on the internet, meaning like a blue check mark

for actual human and connect it to identity

or like a fingerprint so you can prove you’re you.

And yet do it in a way that doesn’t involve the company

having all your data.

So giving you, allowing you to maintain control

over your data, or if you don’t,

then there’s a complete transparency

of how that data is being used, all those kinds of things.

And maybe as you educate more and more people,

they would demand in a capitalist society

that the companies that they give their data to

will respect that data.

Yeah, I mean, there is this company,

and I hope they succeed, their name’s Piiano, PII-ano.

And they wanna create a vault for your personal information

inside every organization.

And ultimately, if I’m gonna call Delta Airlines

to book a flight,

they don’t need to know my social security number.

They don’t need to know my birth date.

They’re just gonna send me a one time token to my phone.

My phone’s gonna say, or my FIDO key is gonna say,

yep, it’s her.

And then we’re gonna talk about my identity like a token,

some random token.

They don’t need to know exactly who I am.

They just need to know the system trusts that I am

who I say I am, but they don’t get access to my PII data.

They don’t get access to my social security number,

my location, or the fact I’m a Times journalist.

I think that’s the way the world’s gonna go.

We have, enough is enough on sort of

losing our personal information everywhere,

letting data marketing companies track our every move.

They don’t need to know who I am.

Okay, I get it.

We’re stuck in this world where the internet runs on ads.

So ads are not gonna go away,

but they don’t need to know I’m Nicole Perlroth.

They can know that I am token number, you know,

X567.

And they can let you know what they know

and give you control about removing the things they know.

Yeah, right to be forgotten.

To me, you should be able to walk away

with a single press of a button.

And I also believe that most people,

given the choice to walk away, won’t walk away.

They’ll just feel better about having the option

to walk away when they understand the trade offs.

If you walk away, you’re not gonna get

some of the personalized experiences

that you would otherwise get,

like a personalized feed and all those kinds of things.

But the freedom to walk away is,

I think, really powerful.

And obviously, what you’re saying,

it’s definitely, there’s all of these HTML forms

where you have to enter your phone number and email

and private information from Delta, every single airline.

New York Times.

I have so many opinions on this.

Just the friction and the sign up

and all of those kinds of things.

I should be able to, this has to do with everything.

This has to do with payment, too.

Payment should be trivial.

It should be one click,

and one click to unsubscribe and subscribe,

and one click to provide all of your information

that’s necessary for the subscription service,

for the transaction service, whatever that is,

getting a ticket, as opposed to,

I have all of these fake phone numbers and emails

that I use in all the sign-ups,

because you never know if one site is hacked,

then it’s just going to propagate to everything else.

Yeah.

And there’s low hanging fruit,

and I hope Congress does something.

And frankly, I think it’s negligent they haven’t

on the fact that elderly people are getting spammed to death

on their phones these days with fake car warranty scams.

And I mean, my dad was in the hospital last year,

and I was in the hospital room, and his phone kept buzzing,

and I look at it, and it’s just spam attack after spam attack,

people nonstop calling about his freaking car warranty,

why they’re trying to get his social security number,

they’re trying to get his PII,

they’re trying to get this information.

We need to figure out how to put those people

in jail for life, and we need to figure out

why in the hell we are being required

or asked to hand over our social security number

and our home address and our passport,

all of that information to every retailer who asks.

I mean, that’s insanity.

And there’s no question they’re not protecting it

because it keeps showing up in spam or identity theft

or credit card theft or worse.

Well, spam is getting better, and maybe I need to,

as a side note, make a public announcement.

Please clip this out, which is if you get an email

or a message from Lex Fridman saying how much

I, Lex, appreciate you and love you and so on,

and please connect with me on my WhatsApp number

and I will give you Bitcoin or something like that,

please do not click.

And I’m aware that there’s a lot of this going on,

a very large amount.

I can’t do anything about it.

This is on every single platform.

It’s happening more and more and more,

which I’ve been recently informed that they’re not emailing.

So it’s cross platform.

They’re taking people’s, they’re somehow,

this is fascinating to me because they are taking people

who comment on various social platforms

and they somehow reverse engineer.

They figure out what their email is

and they send an email to that person saying,

from Lex Fridman, and it’s like a heartfelt email

with links.

It’s fascinating because it’s cross platform now.

It’s not just a spam bot that’s messaging

and a comment that’s in a reply.

They are saying, okay, this person cares

about this other person on social media.

So I’m going to find another channel,

which in their mind probably increases

and it does the likelihood that they’ll get the people

to click and they do.

I don’t know what to do about that.

It makes me really, really sad,

especially with podcasting.

There’s an intimacy that people feel connected

and they get really excited.

Okay, cool, I wanna talk to Lex.

And they click.

And I get angry at the people that do this.

I mean, it’s like the John that gets hired,

the fake employee.

I mean, I don’t know what to do about that.

I mean, I suppose the solution is education.

It’s telling people to be skeptical

on the stuff they click.

That balance with the technology solution

of creating maybe like two factor authentication

and maybe helping identify things

that are likely to be spam, I don’t know.

But then the machine learning there is tricky

because you don’t wanna add a lot of extra friction

that just annoys people because they’ll turn it off.

Because you have the accept cookies thing, right?

That everybody has to click on now,

so now they completely ignore the accept cookies.

This is very difficult to find that frictionless security.

You mentioned Snowden.

You’ve talked about looking through the NSA documents

he leaked and doing the hard work of that.

What do you make of Edward Snowden?

What have you learned from those documents?

What do you think of him?

In the long arc of history,

is Edward Snowden a hero or a villain?

I think he’s neither.

I have really complicated feelings about Edward Snowden.

On the one hand, I’m a journalist at heart

and more transparency is good.

And I’m grateful for the conversations

that we had in the post Snowden era

about the limits to surveillance

and how critical privacy is.

And when you have no transparency

and you don’t really know in that case

what our secret courts were doing,

how can you truly believe that our country

is taking our civil liberties seriously?

So on the one hand, I’m grateful

that he cracked open these debates.

On the other hand, when I walked into the storage closet

of classified NSA secrets,

I had just spent two years

covering Chinese cyber espionage almost every day.

And the sort of advancement of Russian attacks

that were just getting worse and worse and more destructive.

And there were no limits to Chinese cyber espionage

and Chinese surveillance of its own citizens.

And there seemed to be no limit

to what Russia was willing to do in terms of cyber attacks

and also in some cases assassinating journalists.

So when I walked into that room,

there was a part of me quite honestly

that was relieved to know that the NSA

was as good as I hoped they were.

And we weren’t using that knowledge to,

as far as I know, assassinate journalists.

We weren’t using our access

to take out pharmaceutical companies.

For the most part, we were using it for traditional espionage.

Now, that set of documents also set me

on the journey of my book because to me,

the American people’s reaction to the Snowden documents

was a little bit misplaced.

They were upset

about the phone call metadata collection program.

Angela Merkel, I think rightfully was upset

that we were hacking her cell phone.

But in sort of the spy eat spy world,

hacking world leaders cell phones

is pretty much what most spy agencies do.

And there wasn’t a lot that I saw in those documents

that was beyond what I thought a spy agency does.

And I think if there was another 9/11 tomorrow,

God forbid, we would all say, how did the NSA miss this?

Why weren’t they spying on those terrorists?

Why weren’t they spying on those world leaders?

And there’s some of that too.

But I think that there was great damage done

to the US’s reputation.

I think we really lost our halo

in terms of a protector of civil liberties.

And I think a lot of what was reported

was unfortunately reported in a vacuum.

That was my biggest gripe that we were always reporting,

the NSA has this program and here’s what it does.

And the NSA is in Angela Merkel’s cell phone

and the NSA can do this.

And no one was saying, and by the way,

China has been hacking into our pipelines

and they’ve been making off

with all of our intellectual property.

And Russia has been hacking into our energy infrastructure

and they’ve been using the same methods to spy on, track,

and in many cases, kill their own journalists.

And the Saudis have been doing this

to their own critics and dissidents.

And so you can’t talk about any of these countries

in isolation.

It is really like spy eat spy out there.

And so I just have complicated feelings.

And the other thing is, and I’m sorry,

this is a little bit of a tangent,

but the amount of documents that we had,

like thousands of documents,

most of which were just crap,

but had people’s names on them.

Part of me wishes that those documents

had been released in a much more targeted, limited way.

It’s just a lot of it just felt like a PowerPoint

that was taken out of context.

And you just sort of wish

that there had been a little bit more thought

into what was released.

Because I think a lot of the impact from Snowden

was just the volume of the reporting.

But I think based on what I saw personally,

there was a lot of stuff that I just,

I don’t know why that particular thing got released.

As a whistleblower, what’s a better way to do it?

Because I mean, there’s fear,

it takes a lot of effort to do a more targeted release.

If there’s proper channels,

you’re afraid that those channels will be manipulated

by who do you trust.

What’s a better way to do this, do you think?

As a journalist, this is almost like a journalistic question.

Reveal some fundamental flaw in the system

without destroying the system.

I bring up, again, Mark Zuckerberg and Meta,

there was a whistleblower

that came out about Instagram internal studies.

And I’m also torn about how to feel about that whistleblower.

Because from a company perspective, that’s an open culture.

How can you operate successfully

if you have an open culture

where any one whistleblower can come out,

out of context, take a study,

whether it represents a larger context or not,

and the press eats it up.

And then that creates a narrative

that is just like with the NSA,

you said it’s out of context, very targeted,

to where, well, Facebook is evil, clearly,

because of this one leak.

It’s really hard to know what to do there,

because we’re now in a society

that deeply distrusts institutions.

And so narratives by whistleblowers make that whistleblower

and their forthcoming book very popular.

And so there’s a huge incentive

to take stuff out of context and to tell stories

that don’t represent the full context, the full truth.

It’s hard to know what to do with that,

because then that forces Facebook and Meta and governments

to be much more conservative, much more secretive.

It’s like a race to the bottom, I don’t know.

I don’t know if you can comment on any of that,

how to be a whistleblower ethically and properly.

I don’t know, I mean, these are hard questions.

And even for myself, in some ways,

I think of my book as sort of blowing the whistle

on the underground zero day market.

But it’s not like I was in the market myself.

It’s not like I had access to classified data

when I was reporting out that book.

As I say in the book, listen,

I’m just trying to scrape the surface here,

so we can have these conversations before it’s too late.

And I’m sure there’s plenty in there

that someone who’s the US intelligence agencies’

preeminent zero day broker probably

has some voodoo doll of me out there.

And you’re never gonna get it 100%.

But I really applaud whistleblowers

like the whistleblower who blew the whistle

on the Trump call with Zelensky.

I mean, people needed to know about that,

that we were basically, in some ways,

blackmailing an ally to try to influence an election.

I mean, they went through the proper channels.

They weren’t trying to profit off of it, right?

There was no book that came out afterwards

from that whistleblower.

That whistleblower’s not like,

they went through the channels.

They’re not living in Moscow, let’s put it that way.

Can I ask you a question, you mentioned NSA,

one of the things that showed

is they’re pretty good at what they do.

Again, this is a touchy subject, I suppose,

but there’s a lot of conspiracy theories

about intelligence agencies.

From your understanding of intelligence agencies,

the CIA, NSA, and the equivalent of in other countries,

are they, one question, this could be a dangerous question,

are they competent, are they good at what they do?

And two, are they malevolent in any way?

Sort of, I recently had a conversation

about tobacco companies.

They kind of see their customers as dupes,

like they can just play games with people.

Conspiracy theories tell that similar story

about intelligence agencies,

that they’re interested in manipulating the populace

for whatever ends the powerful,

in dark rooms, cigarette smoke, cigar smoke filled rooms.

What’s your sense?

Do these conspiracy theories have any truth to them?

Or are intelligence agencies, for the most part,

good for society?

Okay, well, that’s an easy one.

Is it?

No, I think it depends which intelligence agency.

Think about the Mossad.

They’re killing every Iranian nuclear scientist they can

over the years, but have they delayed the time horizon

before Iran gets the bomb?

Yeah.

Have they probably staved off terror attacks

on their own citizens?

Yeah.

You know, none of these, intelligence is intelligence.

You know, you can’t just say like they’re malevolent

or they’re heroes.

You know, everyone I have met in this space

is not like the pound your chest patriot

that you see on the beach on the 4th of July.

A lot of them have complicated feelings

about their former employers.

Well, at least at the NSA reminded me

to do what we were accused of doing after Snowden,

to spy on Americans.

You have no idea the amount of red tape and paperwork

and bureaucracy it would have taken to do

what everyone thinks that we were supposedly doing.

But then, you know, we find out in the course

of the Snowden reporting about a program called LOVEINT,

where a couple of the NSA analysts were using their access

to spy on their ex girlfriends.

So, you know, there’s an exception to every case.

Generally, I will probably get, you know,

accused of my Western bias here again,

but I think you can almost barely compare

some of these Western intelligence agencies

to China, for instance.

And the surveillance that they’re deploying on the Uyghurs

to the level they’re deploying it.

And the surveillance they’re starting to export abroad

with some of the programs,

like the watering hole attack I mentioned earlier,

where it’s not just hitting the Uyghurs inside China,

it’s hitting anyone interested

in the Uyghur plight outside China.

I mean, it could be an American high school student

writing a paper on the Uyghurs.

They wanna spy on that person too.

You know, there’s no rules in China

really limiting the extent of that surveillance.

And we all better pay attention to what’s happening

with the Uyghurs because just as Ukraine has been to Russia

in terms of a test kitchen for its cyber attacks,

the Uyghurs are China’s test kitchen for surveillance.

And there’s no doubt in my mind

that they’re testing them on the Uyghurs.

Uyghurs are their Petri dish,

and eventually they will export

that level of surveillance overseas.

I mean, in 2015,

Obama and Xi Jinping reached a deal

where basically the White House said,

you better cut it out on intellectual property theft.

And so they made this agreement

that they would not hack each other for commercial benefit.

And for a period of about 18 months,

we saw this huge drop off in Chinese cyber attacks

on American companies.

But some of them continued.

Where did they continue?

They continued on aviation companies,

on hospitality companies like Marriott.

Why?

Because that was still considered fair game to China.

It wasn’t IP theft they were after.

They wanted to know who was staying in this city

at this time when Chinese citizens were staying there

so they could cross match for counterintelligence

who might be a likely Chinese spy.

I’m sure we’re doing some of that too.

Counterintelligence is counterintelligence.

It’s considered fair game.

But where I think it gets evil

is when you use it for censorship,

to suppress any dissent,

to do what I’ve seen the UAE do to its citizens

where people who’ve gone on Twitter

just to advocate for better voting rights,

more enfranchisement,

suddenly find their passports confiscated.

You know, I talked to one critic, Ahmed Mansoor,

and he told me,

you know, you might find yourself a terrorist,

labeled a terrorist one day,

you don’t even know how to operate a gun.

I mean, he had been beaten up

every time he tried to go somewhere.

His passport had been confiscated.

By that point, it turned out

they’d already hacked into his phone

so they were listening to us talking.

They’d hacked into his baby monitor

so they’re spying on his child.

And they stole his car.

And then they created a new law

that you couldn’t criticize the ruling family

or the ruling party on Twitter.

And he’s been in solitary confinement every day since

on hunger strike.

So that’s evil, you know, that’s evil.

And we still, we don’t do that here.

You know, we have rules here.

We don’t cross that line.

So yeah, in some cases, like I won’t go to Dubai.

You know, I won’t go to Abu Dhabi.

If I ever want to go to the Maldives,

like too bad, like most of the flights go through Dubai.

So there’s some lines we’re not willing to cross.

But then again, just like you said,

there’s individuals within NSA, within CIA,

and they may have power.

And to me, there’s levels of evil.

To me personally, this is the stuff of conspiracy theories,

is the things you’ve mentioned as evil

are more direct attacks.

But there’s also psychological warfare.

So blackmail.

So what does spying allow you to do?

Allow you to collect information

if you have something that’s embarrassing.

Or if you have like Jeffrey Epstein conspiracy theories,

active, what is it, manufacture of embarrassing things.

And then use blackmail to manipulate the population

or all the powerful people involved.

It troubles me deeply that MIT allowed somebody

like Jeffrey Epstein in their midst,

especially some of the scientists I admire

that they would hang out with that person at all.

And so I’ll talk about it sometimes.

And then a lot of people tell me,

well, obviously Jeffrey Epstein is a front for intelligence.

And I just, I struggle to see that level of competence

and malevolence.

But, you know, who the hell am I?

And I guess I was trying to get to that point.

You said that there’s bureaucracy and so on,

which makes some of these things very difficult.

I wonder how much malevolence,

how much competence there is in these institutions.

Like how far, this takes us back to the hacking question.

How far are people willing to go if they have the power?

This has to do with social engineering.

This has to do with hacking.

This has to do with manipulating people,

attacking people, doing evil onto people,

psychological warfare and stuff like that.

I don’t know.

I believe that most people are good.

And I don’t think that’s possible in a free society.

There’s something that happens

when you have a centralized government

where power corrupts over time

and you start surveillance programs

kind of, it’s like a slippery slope

that over time starts to both use fear

and direct manipulation to control the populace.

But in a free society, I just,

it’s difficult for me to imagine

that you can have like somebody like a Jeffrey Epstein

in the front for intelligence.

I don’t know what I’m asking you, but I’m just,

I have a hope that for the most part,

intelligence agencies are trying to do good

and are actually doing good for the world

when you view it in the full context

of the complexities of the world.

But then again, if they’re not, would we know?

That’s why Edward Snowden might be a good thing.

Let me ask you on a personal question.

You have investigated some of the most powerful

organizations and people in the world

of cyber warfare, cyber security.

Are you ever afraid for your own life,

your own wellbeing, digital or physical?

I mean, I’ve had my moments.

You know, I’ve had our security team at the Times

called me at one point and said,

someone’s on the dark web offering good money

to anyone who can hack your phone or your laptop.

I describe in my book how when I was at that

hacking conference in Argentina and I came back

and I brought a burner laptop with me,

but I’d kept it in the safe anyway

and it didn’t have anything on it,

but someone had broken in and it was moved.

You know, I’ve had all sorts of sort of scary moments.

And then I’ve had moments where I think I went

just way too far into the paranoid side.

I mean, I remember writing about the Times hack by China

and I just covered a number of Chinese cyber attacks

where they’d gotten into the thermostat

at someone’s corporate apartment

and they’d gotten into all sorts of stuff.

And I was living by myself.

I was single in San Francisco and my cable box

on my television started making some weird noises

in the middle of the night.

And I got up and I ripped it out of the wall

and I think I said something like embarrassing,

like, fuck you China, you know.

And then I went back to bed and I woke up

and it’s like beautiful morning light.

I mean, I’ll never forget it.

Like this is like glimmering morning light

is shining on my cable box, which has now been ripped out

and is sitting on my floor and like the morning light.

And I was just like, no, no, no,

like I’m not going down that road.

Like you basically, I came to a fork in the road

where I could either go full tinfoil hat,

go live off the grid, never have a car with navigation,

never use Google Maps, never own an iPhone,

never order diapers off Amazon, you know, create an alias

or I could just do the best I can

and live in this new digital world we’re living in.

And what does that look like for me?

I mean, what are my crown jewels?

This is what I tell people, what are your crown jewels?

Cause just focus on that.

You can’t protect everything,

but you can protect your crown jewels.

For me, for the longest time,

my crown jewels were my sources.

I was nothing without my sources.

So I had some sources, I would meet the same dim sum place

or maybe it was a different restaurant on the same date,

you know, every quarter and we would never drive there.

We would never Uber there.

We wouldn’t bring any devices.

I could bring a pencil and a notepad.

And if someone wasn’t in town,

like there were a couple of times where I’d show up

and the source never came,

but we never communicated digitally.

And those were the lengths I was willing to go

to protect that source, but you can’t do it for everyone.

So for everyone else, you know, it was Signal,

using two factor authentication,

you know, keeping my devices up to date,

not clicking on phishing emails, using a password manager,

all the things that we know we’re supposed to do.

And that’s what I tell everyone, like don’t go crazy

because then that’s like the ultimate hack.

Then they’ve hacked your mind, whoever they is for you.

But just do the best you can.

Now, my whole risk model changed when I had a kid.

You know, now it’s, oh God, you know,

if anyone threatened my family, God help them.

But it changes you.

And, you know, unfortunately there are some things,

like I was really scared to go deep on,

like Russian cyber crime, you know, like Putin himself,

you know, and it’s interesting.

Like I have a mentor who’s an incredible person

who was the Times Moscow Bureau Chief during the Cold War.

And after I wrote a series of stories

about Chinese cyber espionage, he took me out to lunch.

And he told me that when he was living in Moscow,

he would drop his kids off at preschool

when they were my son’s age now.

And the KGB would follow him

and they would make a really like loud show of it.

You know, they’d tail him, they’d, you know, honk,

they’d just be, make a ruckus.

And he said, you know what, they never actually did anything

but they wanted me to know that they were following me

and I operated accordingly.

And he says, that’s how you should operate

in the digital world.

Know that there are probably people following you.

Sometimes they’ll make a little bit of noise.

But one thing you need to know is that

while you’re at the New York Times,

you have a little bit of an invisible shield on you.

You know, if something were to happen to you,

that would be a really big deal.

That would be an international incident.

So I kind of carried that invisible shield with me

for years.

And then Jamal Khashoggi happened.

And that destroyed my vision of my invisible shield.

You know, sure, you know, he was a Saudi

but he was a Washington Post columnist.

You know, for the most part,

he was living in the United States.

He was a journalist.

And for them to do what they did to him,

pretty much in the open and get away with it,

and for the United States to let them get away with it

because we wanted to preserve diplomatic relations

with the Saudis,

that really threw my worldview upside down.

And, you know, I think that sent a message

to a lot of countries

that it was sort of open season on journalists.

And to me, that was one of the most destructive things

that happened under the previous administration.

And, you know, I don’t really know

what to think of my invisible shield anymore.

Like you said, that really worries me

on the journalism side that people would be afraid

to dig deep on fascinating topics.

And, you know, I have my own,

part of the reason, like I would love to have kids,

I would love to have a family.

Part of the reason I’m a little bit afraid,

there’s many ways to phrase this,

but the loss of freedom in the way of doing

all the crazy shit that I naturally do,

which I would say the ethic of journalism

is kind of not, is doing crazy shit

without really thinking about it.

This is letting your curiosity

really allow you to be free and explore.

It’s, I mean, whether it’s stupidity or fearlessness,

whatever it is, that’s what great journalism is.

And all the concerns about security risks

have made me like become a better person.

The way I approach it is just make sure

you don’t have anything to hide.

I know this is not a thing.

This is not a, this is not an approach to security.

I’m just, this is like a motivational speech or something.

It’s just like, if you can lose,

you can be hacked at any moment.

Just don’t be a douchebag secretly.

Just be like a good person.

Because then, I see this actually

with social media in general.

Just present yourself in the most authentic way possible,

meaning be the same person online as you are privately.

Have nothing to hide.

That’s one, not the only, but one of the ways

to achieve security.

Maybe I’m totally wrong on this,

but don’t be secretly weird.

If you’re weird, be publicly weird

so it’s impossible to blackmail you.

That’s my approach to security.

Yeah, well, they call it

the New York Times front page phenomenon.

Don’t put anything in email or I guess social media

these days that you wouldn’t want to read

on the front page of the New York Times.

And that works, but sometimes I even get carried,

I mean, I have not as many followers as you,

but a lot of followers,

and sometimes even I get carried away.

Just be emotional and stuff and say something.

Yeah, I mean, just the cortisol response on Twitter.

Twitter is basically designed to elicit those responses.

I mean, every day I turn on my computer,

I look at my phone, I look at what’s trending on Twitter,

and it’s like, what are the topics

that are gonna make people the most angry today?

You know?

And you know, it’s easy to get carried away,

but it’s also just, that sucks too,

that you have to be constantly censoring yourself.

And maybe it’s for the better.

Maybe you can’t be a secret asshole,

and we can put that in the good bucket.

But at the same time, you know,

there is a danger to that other voice,

to creativity, you know, to being weird.

There’s a danger to that little whispered voice

that’s like, well, how would people read that?

You know, how could that be manipulated?

How could that be used against you?

And that stifles creativity and innovation and free thought.

And you know, that is on a very micro level.

And that’s something I think about a lot.

And that’s actually something that Tim Cook

has talked about a lot,

and why he has said he goes full force on privacy

is it’s just that little voice

that is at some level censoring you.

And what is sort of the long term impact

of that little voice over time?

I think there’s a way, I think that self censorship

is an attack vector that there’s solutions to.

The way I’m really inspired by Elon Musk,

the solution to that is just be privately

and publicly the same person and be ridiculous.

Embrace the full weirdness and show it more and more.

So, you know, that’s memes that has like ridiculous humor.

And I think, and if there is something

you really wanna hide, deeply consider

if that you wanna be that.

Like, why are you hiding it?

What exactly are you afraid of?

Because I think my hopeful vision for the internet

is the internet loves authenticity.

They wanna see you weird, so be that and like live that fully

because I think that gray area

where you’re kind of censoring yourself,

that’s where the destruction is.

You have to go all the way, step over, be weird.

And then it feels, it can be painful

because people can attack you and so on, but just ride it.

I mean, that’s just like a skill

on the social psychological level

that ends up being an approach to security,

which is like remove the attack vector

of having private information

by being your full weird self publicly.

What advice would you give to young folks today,

you know, operating in this complicated space

about how to have a successful life,

a life they can be proud of,

a career they can be proud of?

Maybe somebody in high school and college

thinking about what they’re going to do.

Be a hacker, you know, if you have any interest,

become a hacker and apply yourself to defense, you know.

Every time, like we do have

these amazing scholarship programs, for instance,

where, you know, they find you early,

they’ll pay your college as long as you commit

to some kind of federal commitment

to sort of help federal agencies with cybersecurity.

And where does everyone wanna go every year

from the scholarship program?

They wanna go work at the NSA or Cyber Command, you know.

They wanna go work on offense.

They wanna go do the sexy stuff.

It’s really hard to get people to work on defense.

It’s just, it’s always been more fun

to be a pirate than be in the Coast Guard, you know.

And so we have a huge deficit

when it comes to filling those roles.

There’s 3.5 million unfilled cybersecurity positions

around the world.

I mean, talk about job security,

like be a hacker and work on cybersecurity.

You will always have a job.

And we’re actually at a huge deficit

and disadvantage as a free market economy

because we can’t match cybersecurity salaries

at Palantir or Facebook or Google or Microsoft.

And so it’s really hard for the United States

to fill those roles.

And, you know, other countries have had this work around

where they basically have forced conscription on some level.

You know, China tells people,

like you do whatever you’re gonna do during the day,

work at Alibaba.

You know, if you need to do some ransomware, okay.

But the minute we tap you on the shoulder

and ask you to come do this sensitive operation for us,

the answer is yes.

You know, same with Russia.

You know, a couple of years ago when Yahoo was hacked

and they laid it all out in an indictment,

it came down to two cyber criminals

and two guys from the FSB.

Cyber criminals were allowed to have their fun,

but the minute they came across the username and password

for someone’s personal Yahoo account

that worked at the White House or the State Department

or military, they were expected to pass that over to the FSB.

So we don’t do that here.

And it’s even worse on defense.

We really can’t fill these positions.

So, you know, if you are a hacker,

if you’re interested in code,

if you’re a tinkerer, you know, learn how to hack.

There are all sorts of amazing hacking competitions

you can do through the SANS org, for example, S A N S.

And then use those skills for good.

You know, neuter the bugs in that code

that get used by autocratic regimes

to make people’s life, you know, a living prison.

You know, plug those holes.

You know, defend industrial systems,

defend our water treatment facilities

from hacks where people are trying to come in

and poison the water.

You know, that I think is just an amazing,

it’s an amazing job on so many levels.

It’s intellectually stimulating.

You can tell yourself you’re serving your country.

You can tell yourself you’re saving lives

and keeping people safe.

And you’ll always have amazing job security.

And if you need to go get that job that pays you,

you know, 2 million bucks a year, you can do that too.

And you can have a public profile,

more so of a public profile, you can be a public rockstar.

I mean, it’s the same thing as sort of the military.

There’s a lot of,

there’s a lot of well known sort of people

commenting on the fact that veterans

are not treated as well as they should be.

But it’s still the fact that soldiers

are deeply respected for defending the country,

the freedoms, the ideals that we stand for.

And in the same way, I mean, in some ways,

the cybersecurity defense are the soldiers of the future.

Yeah, and you know what’s interesting,

I mean, in cybersecurity, the difference is,

oftentimes you see the more interesting threats

in the private sector, because that’s where the attacks come.

You know, when cyber criminals

and nation state adversaries come for the United States,

they don’t go directly for Cyber Command or the NSA.

You know, they go for banks, they go for Google,

they go for Microsoft, they go for critical infrastructure.

And so those companies, those private sector companies

get to see some of the most advanced,

sophisticated attacks out there.

And you know, if you’re working at FireEye

and you’re calling out the SolarWinds attack, for instance,

I mean, you just saved God knows how many systems

from, you know, that compromise turning into something

that more closely resembles sabotage.

So, you know, go be a hacker, or go be a journalist.

So you wrote the book,

This Is How They Tell Me The World Ends,

as we’ve been talking about,

of course, referring to cyber war, cybersecurity.

What gives you hope about the future of our world

if it doesn’t end?

How will it not end?

That’s a good question.

I mean, I have to have hope, right?

Because I have a kid and I have another on the way,

and if I didn’t have hope, I wouldn’t be having kids.

But it’s a scary time to be having kids.

And you know, it’s like pandemic, climate change,

disinformation, increasingly advanced, perhaps deadly

cyber attacks.

What gives me hope is that I share your worldview

that I think people are fundamentally good.

And sometimes, and this is why the metaverse

scares me to death, but where I’m reminded of that

is not online.

Like online, I get the opposite.

You know, you start to lose hope and humanity

when you’re on Twitter half your day.

It’s like when I go to the grocery store

or I go on a hike or like someone smiles at me

or you know, or someone just says something nice.

You know, people are fundamentally good.

We just don’t hear from those people enough.

And my hope is, I just think our current political climate,

like we’ve hit rock bottom.

This is as bad as it gets.

We can’t do anything.

Don’t jinx it.

But I think it’s a generational thing.

You know, I think baby boomers, like it’s time to move along.

I think it’s time for a new generation to come in.

And I actually have a lot of hope when I look at you.

I’m sort of like this, I guess they call me

a geriatric millennial or a young gen X.

But like we have this unique responsibility

because I grew up without the internet

and without social media, but I’m native to it.

So I know the good and I know the bad.

And that’s true on so many different things.

You know, I grew up without climate change anxiety

and now I’m feeling it and I know it’s not a given.

We don’t have to just resign ourselves to climate change.

You know, same with disinformation.

And I think a lot of the problems we face today

have just exposed the sort of inertia

that there has been on so many of these issues.

And I really think it’s a generational shift

that has to happen.

And I think this next generation is gonna come in

and say like, we’re not doing business

like you guys did it anymore.

You know, we’re not just gonna like rape

and pillage the earth and try and turn everyone

against each other and play dirty tricks

and let lobbyists dictate what we do

or don’t do as a country anymore.

And that’s really where I see the hope.

It feels like there’s a lot of low hanging fruit

for young minds to step up and create solutions and lead.

So whenever like politicians or leaders that are older,

like you said, are acting shitty, I see that as a positive.

They’re inspiring a large number of young people

to replace them.

And so I think you’re right, there’s going to be,

it’s almost like you need people to act shitty

to remind them, oh, wow, we need good leaders.

We need great creators and builders and entrepreneurs

and scientists and engineers and journalists.

You know, all the discussions about how the journalism

is quote unquote broken and so on,

that’s just an inspiration for new institutions to rise up

that do journalism better,

new journalists to step up and do journalism better.

So I, and I’ve been constantly,

when I talk to young people, I’m constantly impressed

by the ones that dream to build solutions.

And so that’s ultimately why I put the hope.

But the world is a messy place,

like we’ve been talking about, it’s a scary place.

Yeah, and I think you hit something,

hit on something earlier, which is authenticity.

Like no one is going to rise above that is plastic anymore.

You know, people are craving authenticity.

You know, the benefit of the internet is it’s really hard

to hide who you are on every single platform.

You know, on some level it’s gonna come out

who you really are.

And so you hope that, you know,

by the time my kids are grown,

like no one’s gonna care if they made one mistake online,

so long as they’re authentic, you know?

And I used to worry about this.

My nephew was born the day I graduated from college.

And I just always, you know, he’s like born into Facebook.

And I just think like, how is a kid like that

ever gonna be president of the United States of America?

Because if Facebook had been around when I was in college,

you know, like Jesus, you know,

how are those kids gonna ever be president?

There’s gonna be some photo of them at some point

making some mistake, and that’s gonna be all over for them.

And now I take that back.

Now it’s like, no, everyone’s gonna make mistakes.

There’s gonna be a picture for everyone.

And we’re all gonna have to come and grow up

to the view that as humans, we’re gonna make huge mistakes.

And hopefully they’re not so big

that they’re gonna ruin the rest of your life.

But we’re gonna have to come around to this view

that we’re all human.

And we’re gonna have to be a little bit more forgiving

and a little bit more tolerant when people mess up.

And we’re gonna have to be a little bit more humble

when we do, and like keep moving forward.

Otherwise you can’t like cancel everyone, you know?

Nicole, this is an incredible, hopeful conversation.

Also, one that reveals that in the shadows

there’s a lot of challenges to be solved.

So I really appreciate that you took on

this really difficult subject with your book.

That’s journalism at its best.

So I’m really grateful that you took the risk

that you took that on,

and that you plugged the cable box back in.

That means you have hope.

And thank you so much for spending

your valuable time with me today.

Thank you, thanks for having me.

Thanks for listening to this conversation

with Nicole Perlroth.

To support this podcast,

please check out our sponsors in the description.

And now let me leave you with some words

from Nicole herself.

Here we are, entrusting our entire digital lives,

passwords, texts, love letters, banking records,

health records, credit cards, sources,

and deepest thoughts to this mystery box

whose inner circuitry most of us would never vet.

Run by code written in a language most of us

will never fully understand.

Thank you for listening and hope to see you next time.