A hugely detailed and deeply researched history of the market for “zero-day: exploits, the faults and technologies underlying computer viruses and ransomware. It’s a hugely complicated and technical field which Perlroth does an amazing job of making accessible to a non-technical audience. (I should probably say here that I teach computer security.)

Most of the book is a real page-turner, deeply embedded with the government agencies, companies, and hackers who compose the zero-day market. It’s scathing of the US’ trying to play both sides of the street, developing and buying zero-days in order to collect intelligence while weakening the security of ordinary users in the process by not informing the software developers of the problems they’ve found. They clearly knew this was dangerous, and even developed a doctrine for us: “NOBUS”, bugs that “no-one but us” would be smart enough to find or develop. This idea goes wrong spectacularly, as other nations realise how cheaply they too can have cyberweapons programmes: ironically they’re encouraged by the deployment of the Stuxnet virus to damage the Iranian nuclear programme. The leaks of the NSA’s zero-day stockpile by the Shadow Brokers – an event that’s somewhat under-explored – and their later use in hacks against US elections, are payback for hubris.

Perlroth is scathing of the Trump presidency’s neglect of cybersecurity and unwillingness to sanction Russia for known attacks – in part because it might cast doubt on Trump’s legitimacy as an elected president, but also seemingly from willful blindness and a mistrust of the professionals (including the military) tasked with protecting US networks. She was writing during the pandemic and before Trump conceded the 2020 election (to the extent that he ever did), and so if anything she understated the impacts of disinformation spreading.

The conclusions are a little breathless, but well-intentioned and technically appropriate, if a little US-centric – and in fairness the US has at least attempted to set up a more transparent approach to managing cyberweapons, even though the approach is drastically compromised by the desire to keep intelligence-gathering capabilities. Cybersecurity is an area where offence and defence are closely intertwined, and there’s a strong argument that the costs to society of the former mandate a focus on the latter. We need to accept that many cyberweapons that are used (or leaked) can be reverse-engineered and re-used against their original developers with little real up-front financial investment.

There’s some editing. including a repeated mis-use of “affect” rather than “effect”, and a really disastrous throw-away reference to the book Dune, the description of which is almost entirely wrong: surely an editor should have picked that up?

4/5. Finished Sunday 21 January, 2024.

(Originally published on Goodreads.)