Gino Delaere is master in Applied Economics (University of Antwerp) and holds an MBA (Xavier Institute of Management in Bhubaneswar, India). For over two decades he has been specializing in emerging markets worldwide and traveling the world looking for interesting investment opportunities. Previously he worked for several large asset managers where he was actively involved in several thematically inspired equity funds. He joined Econopolis in 2010 and in his current role he is co-responsible for managing the emerging markets and climate funds.
This is how they tell me the world ends
If a title like " This is how they tell me the world ends" doesn't capture your attention, I'm not sure what will. The phrase is the title of a book authored by Nicole Perlroth. Perlroth, an American journalist, has garnered recognition for her extensive reporting on cybersecurity and digital espionage. Since 2011, she has served as a cybersecurity reporter for The New York Times, delving into significant cybersecurity events, data breaches, and the operations of hacking collectives and nation-state entities.
After having read this fascinating book, which reads nearly like a spy thriller and appears ideal for adaptation into a Netflix series, and considering our investment in cybersecurity themes within some of our funds, I find this book too compelling not to share some insights with you.
Perlroth dedicated an impressive seven years to conducting interviews with over 300 individuals, distilling her research into a comprehensive 491-page paperback. The book is acclaimed for its thorough historical analysis and depth, although, like most publications, it has faced criticism for certain inaccuracies and biases. Here, I'll concentrate on the book's overarching themes and conclusions, which bear relevance for anyone using electronic devices—ranging from smartphones and tablets to computers. This even extends to individuals operating critical infrastructure, such as electricity grids or nuclear facilities (more on this later).
The hidden wars of cyber weapons and zero-day exploits
Firstly, Perlroth emphasizes the intensification of the global cyber arms race, with nations amassing digital arsenals that could unleash catastrophic cyberattacks on crucial infrastructure. This modern quest for digital dominance mirrors the Cold War's nuclear arms race, focusing on accumulating cyber weapons and vulnerabilities. These digital weapons, unlike atomic bombs or ballistic missiles, are lines of code designed to infiltrate, surveil, or disable the vital services upon which contemporary societies depend.
Perlroth specifically sheds light on the burgeoning market for "zero-day exploits"—unpatched software vulnerabilities that hackers and governments alike can exploit to initiate cyberattacks. This murky realm of trading in zero-day exploits involves a blend of rogue hackers, private corporations, and state agencies competing for digital tools that could shift the power balance in their favor.
A key example of the catastrophic potential that Perlroth explores is the story of Stuxnet, one of the most sophisticated pieces of malware ever conceived. Its uncovering in 2010 raised global alarms, marking a new era in digital warfare. Stuxnet, crafted with precision rather than as a tool for mere disruption or data theft, targeted Iran’s nuclear program with the aim of sabotaging the Natanz nuclear facility. Believed to be the work of American and Israeli intelligence, Stuxnet's mission was to cause the facility's centrifuges to malfunction and destroy themselves. However, its notoriety stems not only from its intended effects, which were successfully achieved, but also from its unintended global proliferation. The malware inadvertently spread across the internet, infecting over 200,000 computers and sparking widespread concern within the cybersecurity community. This incident vividly illustrates the potential unintended consequences of deploying cyber weapons, highlighting their inherent uncontrollability. Once released, the impact of these digital weapons can far exceed their initial strategic goals. Moreover, the international community faces challenges in establishing comprehensive treaties or agreements to regulate the use of cyber weapons, in stark contrast to the more governed realm of nuclear arms.
Secondly, the combination of inadequate cyber defenses and the aggressive posture adopted by many nations significantly increases global susceptibility to devastating cyberattacks. The inclination towards cyber offense is driven in part by a nation's aim for supremacy in intelligence gathering and the strategic goal of keeping potential adversaries destabilized. Countries amass collections of zero-day exploits as if stockpiling digital armaments. This pursuit of digital superiority often leads governments to view cyber defense as less prestigious and proactive, and therefore, somehow less critical. A 2023 IMF survey involving 51 countries revealed that 56% of central banks or supervisory authorities lack a national cyber strategy for the financial sector, and 64% do not require the implementation and testing of cybersecurity measures.
The situation is similarly dire within the corporate sector. A 2023 KPMG survey of 142 banking CEOs found that only 54% considered themselves well-prepared for a cyberattack. Those who felt ill-prepared largely attributed their vulnerability to the escalating sophistication of cyber threats, talent shortages, and insufficient investment in cyber defense. This is particularly alarming, considering research by the World Economic Forum indicates that 91% of cybersecurity and business leaders believe the occurrence of a widespread, catastrophic cyber event in the near future is likely.
Navigating the perils of cyber offense and the urgent call for defense
Perlroth delves further into the implications of this with sobering examples, honing in on instances where this offense-over-defense approach has led to dire consequences. Take, for instance, the Russian cyberattack in 2015 which triggered a cascade of failures in Ukraine's power grid, initiating a blackout that impacted roughly 230,000 residents. This sophisticated cyber onslaught didn't just switch off the lights. It underscored the dystopian implications of poorly guarded infrastructure.
Digging deeper, this incident was a symptom of a broader, chilling complacency. Information about cyber vulnerabilities is often siloed, with agencies and private companies wary of revealing anything that might hint at weaknesses, thereby stifling the collective ability to guard against shared threats. For instance, the author scrutinizes the complicity of technology companies in the proliferation of cyber weapons, criticizing their initial lax approach to security. She highlights instances where tech giants like Microsoft and Google have inadvertently facilitated cyber attacks in the past by failing to address systemic vulnerabilities in their products. Pelroth argues for greater corporate accountability and transparency, calling on technology companies to prioritize user safety and invest in robust security measures to migitate the growing threats posed by cyber weapons.
Paradoxically perhaps, it is the younger more tech-savvy generation that is potentially most at risk, says Dr. Yuhyun Park, founder of the DQ Institute, a think-thank dedicated to setting global standards for cyber intelligence. “We have witnessed seven years of consistently high, 70% cyber-risk exposure rates among children and adolescents between the ages of 8 and 18. We now refer to this phenomenon as a persistent cyber pandemic.” Keep this in mind next time there’s yet another software update that needs to be installed on your or your children’s computer. It may just be that technology companies keep trying to close loopholes for hackers this way.
Another particularly alarming case was the United States' Office of Personnel Management data breach. In what amounted to one of the largest thefts of government data in history, sensitive information on millions of American federal employees, including fingerprints and social security numbers, was siphoned off. All thanks to disregarded security warnings and outdated technology. This gaping breach was a testament to the government’s underestimating the potency and sophistication of cyber threats, reflecting a worrying trend not just in the U.S. but across the globe. Indeed, remember the Limburg.net hack and leaks of names, addresses and national registry numbers a few months ago in Belgium which made media headlines for a couple of days. After initially denying that personal data had been stolen, the story was later changed by admitting that hundreds of thousands of identity data had indeed been accessed by hackers.
Concluding insights on cyber warfare's ethical challenges and the call for collective vigilance
In conclusion, Nicole Perlroth’s book is a masterful work of investigative journalism that sheds light on the hidden dangers and ethical complexities of cyber warfare in the modern era. Throughout the book she exposes the vulnerabilities in our digital infrastructure and the perilous consequences of weaponizing software flaws for geopolitical and other gains. One of the quotes I remember vividly rom the book is a hacker at some point saying “There are two types of companies in the world. Companies that have been hacked and companies that do not yet know they’ve been hacked.”
The author offers a sobering assessment of the challenges ahead and emphasizes the need for collective action to safeguard the future of our digital society and prevent the catastrophic consequences of unchecked cyber aggression. She also tells the story of being called by a Russian hacker who told her that he’d just uncovered a trove of a billion passwords and to illustrate he told her what her passwords were. She then changed every password to every account she ever had to absurdly long ones and switched on two-factor authentification (which is still the best way to neutralize a hacker with a stolen password). Remember this next time you’re asked to choose a new password. And finally, if all of this hasn’t yet scared you or triggered your interest in cybersecurity companies, then I don’t know what will.