Last week, Google discovered a group of hackers had been breaking into some of the most widely used tech in the world. iPhones, Androids, computers running Windows. As with many security breaches, Google quickly shut it down. But there was a problem: the hacking was actually part of a counterterrorism mission conducted by Western governments.
In many ways, this latest Google security patch is similar to another critical moment from a decade ago, when Google discovered a large-scale hack by the Chinese government, an operation called Aurora. Then, as now, they responded unilaterally, acting more like a nation-state than a private company.
Unless you’re intimately familiar with the world of cybersecurity, this might have you scratching your head. Why are Western governments hacking iPhones? And how does Google have the power to shut down counterterrorism operations or to pressure foreign states?
But this story actually gets at a core tension in the cybersecurity domain. In the cyber black market, government agencies such as the National Security Agency (NSA) will pay millions of dollars to hackers who find security vulnerabilities in hardware and software. But they don’t buy information about these vulnerabilities — called zero days — so that they can patch them. They buy them because they want to leave them open. And then the NSA can use those weaknesses to hack into the iPhones of suspected terrorists, or drug smugglers, or child pornographers, to install spyware, for example.
But here’s the catch. Almost everyone on the planet uses the same suite of technologies. So, that iPhone security hole that allows the NSA to snoop on terrorists can also be used by Saudi Arabia to threaten its dissidents, or by China to spy on the Uighurs.
What’s more, this opaque market often supports companies that sell zero-day exploits — code that allows a hacker to leverage a vulnerability — to governments, democratic and autocratic alike, as well as to cybersecurity technology companies based in democratic countries. This is all leading to a cyber arms race that leaves us highly vulnerable.
Similarly, even when US zero-day exploits achieve strategic goals, as with Stuxnet, which installed a worm that disabled Iranian nuclear reactors, the malware these cyberattacks use can, once released in the wild, end up undermining our own critical infrastructure.
That’s because those system and software vulnerabilities can be explicitly used against us too. If the NSA leaves a hole in Windows — which they’ve done — they can access Windows systems all over the world. But if our adversaries discover those holes — which they usually do — that gives them access to all of our Windows systems as well. Which could mean access to our banks, our industrial secrets or even our nuclear power plants.
In fact, illiberal regimes around the world use zero days for a wide range of strategic purposes, as New York Times cybersecurity reporter Nicole Perlroth, whom I spoke with on this week’s episode of Big Tech, recounts in her book, This Is How They Tell Me The World Ends: The Cyberweapons Arms Race. China has long exploited them to steal industrial secrets — everything from the design of the F-35 stealth fighter, to Google’s base code, to the design of the US Navy’s smart grid and the formulas for Coca-Cola and Benjamin Moore paint. The Iranians use zero days to monitor dissidents; the Saudi Arabian government uses them to track journalists, such as Jamal Khashoggi, who was later murdered by its agents; and the North Koreans use them to deploy ransomware to raise money.
In other words, in the world of cyberwarfare, an offensive advantage is also a glaring defensive vulnerability. The very tools that we are using widely in the name of combatting cybersecurity risk leave us highly vulnerable to hacking from foreign states and malicious actors.
This is the world that Perlroth has been immersed in for nearly a decade now. As we move closer and closer to a world where everything is online, Perlroth makes it pretty clear that we haven’t done nearly enough to protect ourselves. And in pursuing this sometimes reckless path, we have left many of the safeguards to corporations, further empowering them to act less like private actors and more like nation-states.