Nicole Perlroth: Cybersecurity and the Weapons of Cyberwar | Lex Fridman Podcast #266

A company producing industrial software, whose systems could be targeted by zero-day exploits for sabotage.

A business magazine that published an interview with the zero-day broker 'the gruck,' which subsequently damaged his business.

The US space agency, cited as a target a hacker boasted about being able to breach with a zero-day vulnerability.

The US governmental organization that has hired bug bounty companies to help secure its systems.

Cisco's threat intelligence division, which published research suggesting NotPetya's widespread impact was intentional rather than collateral damage.

The US governmental agency that declassified a report on China hacking American pipelines.

The Federal Security Service of the Russian Federation, which allegedly directs cyber criminals to pass over sensitive information on high-value targets, complicating international attribution.

A US governmental department where xenophobia emerged from fears of insider threats, leading to false accusations of spying.

The Chinese intelligence agency, which allegedly outsources cyber operations to private citizens, complicating international attribution for cyber attacks.

The organization behind FIDO keys, which are hardware devices (security keys) recommended for strong two-factor authentication.

The Massachusetts Institute of Technology, mentioned for its past implementation of an annoying and friction-filled two-factor authentication system.

The Federal Bureau of Investigation, which successfully clawed back some of the Colonial Pipeline ransom payment, demonstrating the traceability of cryptocurrency on the blockchain.

An organization offering cybersecurity training and certifications, providing resources for aspiring hackers to develop skills for defense.

The US Centers for Disease Control and Prevention, whose emergency supplies of the Gardasil vaccine Merck had to tap into after the NotPetya attack paralyzed their production.

A US agency within the DHS dedicated to protecting critical infrastructure from cyber threats, which Nicole Perlroth advises.

The former primary security agency of the Soviet Union, whose tactics of overt surveillance and intimidation of foreign journalists are contrasted with modern digital surveillance.

The US Department of Homeland Security, of which Nicole Perlroth is an advisor to the Cybersecurity and Infrastructure Security Agency (CISA).

The ransomware group responsible for the Colonial Pipeline attack, from whom the FBI was able to claw back some ransom money due to blockchain traceability.

The US governmental department where many employees of blockchain intelligence companies like TRM Labs previously worked, leveraging their expertise in financial tracking.

The National Security Agency, whose classified documents were leaked by Edward Snowden, revealing the extent of US surveillance programs and sparking global debate.

The US Central Intelligence Agency, mentioned in the context of the competence and potential malevolence of intelligence agencies.

The newspaper where Nicole Perlroth works as a journalist, and a point of reference for the idea of things being publicly exposed ("Front Page phenomenon").

The national intelligence agency of Israel, mentioned as an example of an intelligence agency that engages in controversial actions (like killing Iranian nuclear scientists) but also protects its citizens.

A technology company that has adopted bug bounty programs to improve security.

A company that manages bug bounty programs, connecting organizations with ethical hackers to find and fix vulnerabilities.

A platform that offers bug bounty programs, facilitating connections between companies and security researchers.

A company with a private bug bounty program model, where hackers are paid to find vulnerabilities in client systems.

A vendor of network-attached storage (NAS) devices that was targeted by the DeadBolt ransomware exploiting a zero-day vulnerability.

A shipping company that was hit by the NotPetya attack, highlighting the global reach and impact of supply chain cyber attacks.

A logistics company that was hit by the NotPetya attack.

A pharmaceutical company whose factories were paralyzed by the NotPetya attack, requiring them to tap into emergency supplies of Gardasil and highlighting the potential for global health crises from cyber attacks.

Refers to the company's devices, specifically the iPhone, which adopted biometric authentication (fingerprint and Face ID) as a significant step forward in user security.

A major technology company that initially threatened hackers who reported vulnerabilities but later adopted bug bounty programs to improve security.

A technology company mentioned for its early response to hackers reporting software flaws.

An American oil pipeline system that was hit by a ransomware attack, highlighting the critical infrastructure vulnerability and the economic impetus to pay ransoms.

A technology company mentioned as an early example of firms that resisted hackers reporting vulnerabilities.

A company producing industrial software, whose safety locks were mentioned as a target for zero-day exploits that could cause explosions at petrochemical plants, and a potential target for bug bounty programs.

A technology company that has adopted bug bounty programs to incentivize hackers to report vulnerabilities and is developing active/passive authentication methods.

An airline company mentioned as a potential target for bug bounty programs to find vulnerabilities in its software.

An automotive and energy company mentioned as a potential target for bug bounty programs.

A financial institution mentioned as an example of a service that uses one-time codes for two-factor authentication via text message.

A social media platform where alerts for login attempts are common, also mentioned for its design to elicit emotional responses and for reports of Saudi Arabia planting spies within the company.

A company specializing in email attack protection, using targeted ad technology principles to identify and block abnormal email patterns.

Formerly Facebook, discussed in the context of creating the metaverse and the security, ethical, and privacy challenges it presents for digital identity and human interaction.

A social media platform mentioned as an example of an account that alerts users to login attempts, where multi-factor authentication can prevent access.

A pharmaceutical company affected by the NotPetya attack, a supply chain cyber attack. The question of what would happen if similar attacks hit vaccine producers like Pfizer is raised.

A pharmaceutical company mentioned in the context of potential global cyber terrorist attacks on vaccine production lines.

A technology conglomerate with a threat intelligence division called Talos, whose researcher clarified the intentional nature of NotPetya's widespread impact.

A pharmaceutical company mentioned in the context of potential global cyber terrorist attacks on vaccine production lines.

A blockchain intelligence company, staffed by former US Treasury personnel, that assists in tracking cryptocurrency movements and identifying owners of private wallets.

An airline company mentioned as an example of an organization that currently collects extensive personal data from customers, which could be streamlined using tokenized identity systems.

A web services company that was hacked, leading to an indictment that exposed the collaboration between Russian cyber criminals and the FSB.

A cybersecurity company credited with calling out the SolarWinds attack, demonstrating the critical role of private sector defense in national security.

A software company specializing in big data analytics, mentioned for offering high cybersecurity salaries that government agencies struggle to match.

A Chinese e-commerce company, mentioned in the context of China allowing citizens to work there but forcing them to perform sensitive operations for the state when called upon.

An automotive company mentioned as a potential target for bug bounty programs.

A ransomware that targeted QNAP devices using a zero-day vulnerability, encrypting user files and demanding Bitcoin payment.

A destructive cyber-attack launched by Russia against Ukraine, which spread globally via a supply chain attack on tax software, affecting companies like Maersk, Pfizer, and Merck.

Apple's mobile operating system, a prime target for zero-day exploits due to its widespread use among certain demographics and the high value of its vulnerabilities.

Google's mobile operating system, which has recently surpassed iOS in value on the underground market for zero-day exploits due to its larger global market share.

An outdated Microsoft operating system mentioned for its lack of security patches, contributing to vulnerabilities in systems like a Florida water treatment facility.

Microsoft's operating system, noted as common technology used globally, meaning zero-day vulnerabilities in it leave everyone, including Americans, vulnerable.

An encryption program that Nicole Perlroth found too difficult and prone to error for protecting sources, contrasting it with later, more user-friendly solutions.

An encrypted messaging app praised for making secure communication easy and user-friendly, contrasted with PGP.

A vulnerability discovered years ago that is still being exploited because many systems have not patched it, demonstrating a pervasive lack of basic cyber hygiene.

A publication that reported on an infant death attributed to a ransomware attack on a hospital.

The podcast hosting this conversation on cybersecurity and cyberwarfare.

The newspaper where Jamal Khashoggi was a columnist, highlighting the vulnerability of journalists even from major news organizations.

A country that has been a target and a 'test kitchen' for Russian cyber attacks, including power grid disruptions and NotPetya, demonstrating the destructive potential of cyber warfare.

Location of an Apple supplier that was hit by a 50 million dollar ransomware attack; mentioned in the context of China potentially escalating cyber attacks if geopolitical tensions rise.

The city that suffered a ransomware attack with a relatively low initial demand, but incurred an 18 million dollar cost for remediation after refusing to pay.

A nation-state accused of hacking US pipelines for strategic foothold, conducting extensive cyber espionage, and using surveillance as a 'test kitchen' on the Uyghurs.

The state where a hospital suffered a ransomware attack that impacted cancer patients' ability to receive chemo, with severe human consequences.

A country that planted spies inside Twitter to monitor critics of the regime, highlighting the threat of social engineering and insider threats.

A nation-state identified as responsible for destructive cyber attacks, including NotPetya against Ukraine, and for probing nuclear plants and power grids; also known for government-sanctioned cyber criminals.

Mentioned as the only continent, with the Vatican, that lacks offensive hacking tools, illustrating the global proliferation of cyber warfare capabilities.

Mentioned alongside Antarctica as a possible exception to countries investing in offensive cyber tools, underscoring the widespread nature of cyber warfare preparation.

A country whose government has used surveillance and new laws to suppress dissent, confiscating passports and spying on critics like Ahmed Mansoor.

A vaccine whose production line at Merck was paralyzed by the NotPetya cyber attack, leading to the company tapping into CDC emergency supplies.

Nicole Perlroth's book exploring the cyberweapons arms race and the zero-day market.

Cybersecurity journalist and author of 'This Is How They Tell Me the World Ends,' discussing cyber warfare and its implications.

The co-founder of Apple, invoked as an example of someone who could design seamless and appealing security solutions.

A colleague of Nicole Perlroth at the New York Times, who co-reported on the Colonial Pipeline incident and US Cyber Command's actions against the Russian grid.

The Supreme Leader of North Korea, mentioned in the context of dealing with authoritarian leaders regarding agreements on cyber warfare.

CEO of Meta, who dreams about creating the metaverse, prompting discussion on security challenges and ethical implications of widespread digital life.

A Saudi journalist and Washington Post columnist, whose assassination undermined the perceived 'invisible shield' for journalists and sent a message that journalists were open season.

The President of Russia, who famously described hackers as 'artists' as a way to deflect state responsibility for cyber attacks, complicating international norms.

President of Microsoft, who championed the idea of a 'Digital Geneva Convention' to establish international norms against cyber attacks on civilian infrastructure.

The President of China, mentioned in the context of dealing with authoritarian leaders regarding agreements on cyber warfare, and a past agreement with Obama on intellectual property theft.

The host of the podcast, who shares a personal experience with ransomware and discusses ethical dilemmas of intelligence agencies.

A human rights activist and critic of the UAE regime, who was spied on, had his passport confiscated, and was imprisoned after advocating for better voting rights.

CEO of Tesla and SpaceX, mentioned as an inspiration for embracing full weirdness and authenticity as a way to remove attack vectors of private information.

Former NSA contractor who leaked classified documents, sparking debates about surveillance, privacy, and civil liberties, leading to complicated feelings about his role as a hero or villain.

Former Chancellor of Germany, who was justifiably upset that the US NSA had hacked her cell phone, highlighting the impact of surveillance even on allied leaders.

A convicted sex offender, whose association with MIT scientists and conspiracy theories about intelligence fronts are discussed as examples of malevolence and competence in institutions.

A cryptocurrency used by ransomware groups for ransom payments, allowing for tracking of funds via the blockchain by intelligence companies.

A proposed international agreement, championed by Brad Smith, to prohibit cyber attacks on civilian targets like hospitals and elections, though complicated by attribution challenges and state-sponsored criminal groups.

A proposed future digital world where more meaningful experiences will occur online, raising concerns about identity, manipulation, and the potential for increased cyber threats.

The distributed ledger technology underlying cryptocurrencies, which, despite enabling ransomware, also provides real-time tracking of ransom payments, offering a new tool for law enforcement.

A company seeking to create a vault for personal information, aiming to reduce the need for organizations like Delta Airlines to store sensitive customer data by using one-time tokens for identity verification.