This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

Over the years, Perlroth interviewed former Head of Cybersecurity for the Obama Administration J. Michael Daniel several times. Although Perlroth judges his efforts in this sphere to be insufficient, his work has involved crafting government policies designed to deal with major cyberattacks, and he has also led government agencies through several major hacking crises. One of the most impactful was the 2014 “Heartbleed” zero-day, which was discovered in an under-supervised open-source code that was used ubiquitously in many different critical programs and systems. As public trust in the NSA’s information security programs waned to an all-time low, Daniel made the unprecedented decision to provide the public with a basic explanation of the process by which the NSA decided whether a zero-day should be reported to the developer or stockpiled. Known as the VEP (Vulnerabilities Equities Process), this process involved representatives from numerous teams and agencies, who then weighed the potential uses of the exploit against the harm it could cause if it were to be weaponized against the United States. Approximately 90% of discovered exploits were reported for patching, but the actual number of zero-days that the NSA has remains unknown.

Toward the end of Obama’s second presidential term, Russian