61 pages • 2-hour read
This Is How They Tell Me the World Ends: The Cyberweapons Arms Race
A modern alternative to SparkNotes and CliffsNotes, SuperSummary offers high-quality Study Guides with detailed chapter summaries and analysis of major themes, characters, and more.
Part 2Chapter Summaries & Analyses
Part 2: “The Capitalists”
Part 2, Chapter 3 Summary: “The Cowboy”
John P. Watters is a private equity investor from Texas who bought the failing cybersecurity company, iDefense, in 2002 and transformed it into a profitable, industry-leading business. Early cybersecurity companies functioned by informing their customers of newly discovered bugs and exploits in software, offering ways to work around or patch the vulnerabilities. Generally, this practice left security companies and users in a constant state of catch-up, simply reacting to threats after they appeared. iDefense primarily based its alert system (iAlert) on information gleaned from the hacker forum-cum-mailing list, BugTraq, which was distributed by their competitor, SecurityFocus.
However, Watters completely changed the corporate culture of iDefense by listening to skilled hackers in his employ and finding new ways to reshape company policy and strategy. Hackers David Endler and Sunil James were particularly influential in this process. Watters began offering to pay a bounty to hackers for every zero-day exploit that they reported directly to iDefense, inadvertently creating the first iteration of a legitimate market for hackers to sell zero-day exploits. Big tech companies hated Watters’s business model because it put pressure on them to patch exploits that they would rather ignore. Although Microsoft was initially one of the least security-conscious companies of the tech world, it changed its stance after weathering several highly publicized cyberattacks on its products. Now, Microsoft has become hackers’ “least hated” major tech company because of its diligence in information security.
As iDefense became more successful, Watters began receiving calls from brokers who worked with government agencies; they offered to pay huge sums of money if Watters would provide them with information on zero-day hacks without informing developers or his customers of their existence. Watters refused, but he soon found his company being priced out of the very zero-day market that he helped to create as more (and bigger) competitors invaded the market. In 2005, he sold iDefense for a massive profit and moved on to different enterprises.
Part 2, Chapter 4 Summary: “The First Broker”
Zero-day brokers are notoriously secretive because their livelihoods depend upon their reputation for discretion. In 2015, Perlroth interviewed a man with the pseudonym Jimmy Sabien, who had been one of the first brokers of zero-days in the 1990s and early 2000s. Espionage tactics changed after the end of the Cold War because all nations began using the same kinds of technology and software; this shift meant that the tools developed by one nation could potentially be appropriated to target allies, enemies, and the originating nation itself. Nowadays, practically every country has a stockpile of zero-day exploits—even if they have no plans or means of implementing them.
Prior to his career as a broker, Sabien had previously served in the US military and worked in the private sector, developing cyberweapons. However, he realized that cyberweapons were only useful if one could access the targeted system, hence the need for zero-day exploits. Because of the inevitability of human error, eventually even the most secure systems could be infiltrated. Government agencies were willing to pay significant sums for the means to secretly access computer systems in embassies, foreign governments, and other such arenas. Sabien began by developing his own exploits, then tweaking ones that he found on BugTraq. He then moved on to contacting active hackers and buying newly discovered exploits directly from them.
Many such hackers came from Eastern Europe or Israel, and deals were always conducted in utmost secrecy: a practice that caused significant inefficiency because all exploits had to be verified before payment was made, and hackers were always paid in cash. In the early 2000s, Sabien could sell a single exploit several times over to different US government agencies because they all had similar goals and massive defense budgets, and they did not communicate effectively. These agencies were particularly interested in developed tools that chained zero-day exploits and programs together so that they could easily enter systems, harvest data, and affect processes without leaving traces.
Part 2, Chapter 5 Summary: “Zero-Day Charlie”
Charlie Miller is a hacker who is renowned for his skill in finding critical zero-days in well-secured commercial software. He worked for the NSA between 2001 and 2006, then continued to engage in hacking due to his own intellectual curiosity, earning considerably credibility in hacking circles.
The inefficiency and lack of transparency in the zero-day market often meant that hackers were mistreated and that both buyers and sellers were frequently left frustrated. Charlie researched the wildly inconsistent pricing in the zero-day market and sold a zero-day of his own in the Linux program Samba for a price of $50,000. (In the wrong hands, this zero-day could have crippled NASA and other major government agencies.) He then wrote an academic paper on the zero-day market. The NSA first attempted to bully him into keeping silent, and it only grudgingly authorized him to publish under the conditions of his prior NDAs. Charlie presented the paper in a lecture at Carnegie Mellon in 2009, outraging government intelligence agencies with his candor and confirming the worst fears of major tech companies who had long suspected that the government was undermining their security.
Charlie continued winning prestigious prizes at hacking conferences and discovering critical zero-days in Apple and Android products, which he would then help developers to patch for free instead of selling them. However, he was outraged to learn that despite his altruism, his contacts at Google tried unsuccessfully to get him fired from his job. Charlie and some of his hacker friends lamented that the most moral reaction to discovering a zero-day—reporting it to the developer and working to fix it—was often the one that had the worst outcome for the hacker. At a Vancouver hacking conference, Charlie and his friends decided that they would never again provide ungrateful corporations with zero-day exploits for free; they started a movement called No More Free Bugs, which trended under the hashtag “#NMFB.”
Part 2 Analysis
This part is dubbed “The Capitalists” because it covers the early days of the zero-day market, when the majority of the actors involved were Americans and were governed by financial motives alone. Perlroth strategically focuses on three figures who were highly influential in the early zero-day market, and she uses a pointed quote from the popular novel Lonesome Dove (1985) to introduce the idea that certain figures spent their best years “fighting on the wrong side” (19). This sentiment hints that although the early days of the zero-day market were the best for the eponymous capitalists, they were essentially working against their own best interests. Perlroth’s dour observation creates an ominous mood and foreshadows the harm that the hacks and systems developed during this period would ultimately cause. With the wisdom of hindsight, she portrays the gung-ho entrepreneurialism of this period as naïve and ill-advised.
These three chapters focus on specific figures, providing human faces to represent the different factors involved in the market, and showing the range of perspectives and personalities that Perlroth encountered in her investigation. Already, this section of the text illustrates the high stakes involved in hacking, especially given the large amounts of money changing hands and extensive measures that actors take in order to maintain secrecy. Perlroth creates detailed pen portraits of these significant figures to concisely convey their distinctive personalities and traits. Likewise, the fact that Sabien can only be presented under a pseudonym reinforces Perlroth’s previous assertions that her investigation is constantly hampered by the constraints of secrecy.
This section also hints at The Impact of Digital Espionage on Privacy and Civil Liberties by providing key glimpses of the shady practices embraced by government agencies like the NSA. The Role of Hacking in Modern International Relations and Conflicts is similarly reinforced through Perlroth’s discussion of the interest that both American and foreign government agencies have in acquiring zero-days. The purpose and impact of these cyberweapons stockpiles are left unexplored for now, but these chapters set the stage for deeper analyses of these issues. Perlroth also uses these early chapters to focus on The Responsibility to Safeguard Digital Infrastructure; her descriptions show just how unwilling both the tech companies and government agencies were to step up in this early stage. Security companies like iDefense, and altruists like Charlie are being actively undermined by the very institutions that should be fighting to protect systems and users. Instead, the security of digital infrastructure is being threatened by companies’ reluctance to patch their own programs, and the government’s desire to harvest and retain vulnerabilities for their own purposes.
Unlock all 61 pages of this Study Guide
Get in-depth, chapter-by-chapter summaries and analysis from our literary experts.
- Grasp challenging concepts with clear, comprehensive explanations
- Revisit key plot points and ideas without rereading the book
- Share impressive insights in classes and book clubs