The Growing Imbalance in Worldwide Cyber Warfare

You’ve probably heard of SolarWinds—the network services provider hacked by Russian agents that triggered an expansive cyberespionage campaign on companies and federal agencies when it unwittingly sent malicious code to clients in an automated update for its software.

Microsoft Corp. CEO Brad Smith called the attack “a moment of reckoning” and urged greater cooperation between business and government to increase cybersecurity as the number, nature, and motives of hackers multiply, oftentimes supported or minimally suppressed by nation-states that include Russia, China, North Korea, and Iran.

You’ve probably also heard of Colonial Pipeline Co., which supplies the East Coast with 45 percent of its fuel. In May, the privately held company chose to shut off its pipeline when faced with a ransomware attack that left the company unable to bill customers for the fuel being received, a choice that caused widespread chaos as panicked consumers raced to fill up their gas tanks amid shortages.

Then, there’s meatpacking business JBS USA, which you probably had never heard of, until it paid an $11 million ransom after its operations were shut down by an attack that law enforcement has also pinned on Russian hackers.

Conversely, what do you know about the underground nation-state hackers behind some of these recent headlines? In her new book, This Is How They Tell Me the World Ends: The Cyberweapons Arms Race (Bloomsbury Publishing, 2021), Nicole Perlroth dives deeper into this dark side of technology. Her reporting provides riveting, sometimes terrifying insights into global cyber warfare.

On the virtual stage in June for the kickoff of NACD’s first-ever Cybersecurity Continuous Learning Cohort, I was invited to interview Perlroth, a New York Times journalist who covers cybersecurity and digital espionage, on her book and the evolution of cyber risks more generally. Here’s what I learned.

The title of Perlroth’s book dates to 2012 and was inspired by then-US Secretary of Defense Leon Panetta who in a speech warned of a “cyber Pearl Harbor.” It wasn’t until Perlroth went to Ukraine in 2017 after the NotPetya attack that shut down the country’s power grid that she was jolted into awareness on just how overdue we are for a cataclysmic cyber event. (In a more recent NYT interview by Perlroth, Panetta lamented his use of “Pearl Harbor,” telling her: “Call it whatever the hell you want. It’s a national security threat. Don’t try to fool yourself that somehow, just because you don’t like the words, the threat is not real.”

Over time, board oversight of cybersecurity has changed because hackers’ techniques—and the will of wily nation-states’ leaders to advance their own agendas—have also changed. In the ‘90s and early 2000s, Perlroth said, hackers mostly poked around, looking for vulnerabilities, and dropping the details online for the equivalent of street cred. The good ones would approach companies and say, “Hey, you have a major vulnerability in your code or software that lets me break into customers like NASA, or the White House, or Ford. You should fix it.” Companies mostly ignored them, or had their general counsels send the equivalent of a cease-and-desist letter. Now, “more mature” corporate executives see cyberattacks as existential threats to their business and other victims.

This is an abbreviated version of a more thorough Directorship magazine article exclusively for NACD members. If you are an officer or director of a public, private, or nonprofit organization, you can become an NACD member to view the complete article and related resources.