The Invisible Cyber-War with Nicole Perlroth

August 4, 2022

When you hear the word cyber-attack, what comes to mind? Someone hacking into your email, or stealing your Facebook password?

As it turns out, our most critical infrastructure can be hacked. Our banks, water treatment facilities, and nuclear power plants can be deactivated and even controlled simply by finding bugs in the software used to operate them. Suddenly, cyber-attack takes on a different meaning.

This week on Your Undivided Attention, we're talking with cyber-security expert Nicole Perlroth. Nicole spent a decade as the lead cyber-security reporter at The New York Times, and is now a member of the Department of Homeland Security’s Cybersecurity Advisory Committee. She recently published “This Is How They Tell Me The World Ends” — an in-depth exploration of the global cyber arms race.

CORRECTIONS: In the episode, Nicole says that "the United States could have only afforded 2 to 3 more days of Colonial Pipeline being down before it ground the country — our economy — to a halt." The correct number is actually 3 to 5 days. She also refers to a 2015 study researching why some countries have significantly fewer successful cyber-attacks relative to cyber-attack attempts. That study was actually published in 2016.


Nicole Perlroth spent a decade as the lead cybersecurity, digital espionage and sabotage reporter for The New York Times. Her investigations ranged from Russian hacks of nuclear plants to North Korea's cyberattack against Sony Pictures. She’s the author of the New York Times bestselling book “This Is How They Tell Me The World Ends,” about the global cyber arms race, which won the 2021 McKinsey and Financial Times’ Business Book of the Year Award and has been translated into nine languages. Today, Nicole is a member of the Department of Homeland Security’s Cybersecurity Advisory Committee, and a guest lecturer at the Stanford Graduate School of Business.

Episode Highlights

Major Takeaways

  • The language we use to talk about cyber-warfare is almost incommensurate with its reality. We say "cyber-attack," but what we're actually talking about is attacks on banks, water facilities, nuclear power plants, and other critical infrastructure.
  • Zero days are bugs in software that the software company doesn’t know about. They’re called "zero days" because when they're exploited against users of the software, the software company has had zero days to fix them. A zero-day exploit is a cyber-attack that uses zero day bugs. It could be said that Twitter's trending topics are zero day bugs for hacking democracies — a list of psychological vulnerabilities that can be exploited to cause division and chaos in real time.
  • Venture capitalist Marc Andreessen famously quipped that software is eating the world. The software that’s eating the world is buggy, partly due to the economic incentives that drive its production. Therefore, within the context of cyber-warfare, we might say that when software eats the world, fragility eats the world.
  • Cyber-weapons are extraordinarily more cost-effective than kinetic weapons. The lifetime cost of one F-35 fighter jet can buy 2,000 zero day exploits per day for a year. This makes cyber-warfare more available to both state and non-state actors.
  • Attributing an attack is a significant challenge — especially given the combination of state and non-state actors. Because it can be difficult or impossible to determine the origin of a cyber-attack, cyber-criminals can go undetected and cyber-attacks can be mis-attributed. For example, even if an attack against Russia came from a lone hacker in Argentina, Putin might assume it was orchestrated by the U.S.
  • The United States is one of the most targeted countries for cyber-attacks. We may also be the most vulnerable, because software is baked into effectively all of our infrastructure, and we therefore have a wide attack surface. Specifically, Nicole Perlroth found that Ukraine is Russia's test kitchen, but Ukrainians believe Russia's ultimate target is the U.S.
  • There are a few rays of hope for alleviating the threat of cyber-warfare. First, the war in Ukraine has been the impetus for unprecedented collaboration between institutions, between public and private sectors, and between nations. Second, comprehensive national policies do lessen the threat of cyber-attacks, as demonstrated by countries like Scandinavia. And third, adversaries are all in each others' infrastructure by now, which may be enabling the emergence of Mutually Assured Digital Destruction (MADD).

Take Action

Share These Ideas