Infosec Book Review: Nicole Perlroth’s This is How They Tell Me the World Ends

Katy Vonk
2 min read · Apr 1, 2024

Working in infosec is a perennial challenge of staying current and tracking the bleeding edge. One of the ways I’ve been practicing this for myself is reading more cybersecurity-related books. I’m going to do some short book reviews, so I figured I would start with one I read recently.

Nicole Perlroth has what I like to imagine is a fantastic job. Cybersecurity journalist? Sign me up. Getting to interview threat actors, industry leaders, big money players — sounds like a blast. Investigative journalists who manage to get criminals and hackers talking have my heart, and Perlroth is no exception. I think she’s not only good at her job, but genuinely enjoys it.

Perlroth has spent a significant part of her career as a technology reporter for The New York Times. From what I can tell she cut her teeth reporting on the Shadow Brokers breach of NSA’s tools.

Now, about the book. It was published in 2021, so in terms of its relevancy, some current events will be missing. Overall, this is the kind of book you could hand to your parents to help them understand the current global landscape of cybersecurity, and a bit about what your day-to-day job working in cybersec is like. With that said: this is both the strength and the weakness of the book — it’s very generalist, great for laypeople.

Perlroth’s book is divided into chapters with each chapter focusing on either an era in cybersec history, a major issue facing the industry, or a particularly notable event. My favorite sections of this book are the areas where Perlroth delves into the Shadow Brokers breach and Stuxnet.

She also dedicates a large portion of the book to discussing the zero-day exploit market: its history, early players, and where it currently stands. Similarly, there are verbose discussions of security research and the challenges of disclosing vulnerabilities, ethically or otherwise.

My biggest takeaway from the book was this: whether cyber-warfare is waged or not seems to be largely a matter of diplomacy and public relations. Nation-state capabilities of both enemies and allies abroad are challenging to measure, and even more challenging to accurately attribute — but can safely be assumed to be advanced. Any sense of “peace-time” seems largely the result of eased political tensions and not of a lack of capability or willingness.

Overall, I felt the book was a bit sensationalist at times, and a bit padded at others. It was a fun and easy read, with some nice interviews and a cursory cybersec history. I’d sum this one up by saying this: give it to your dad to read. It’s a great book for reaching laypeople, but if you’re looking for nitty-gritty deep dives or technical approaches, this isn’t it.

Got any good Cybersec books to recommend? Let me know! I’m on the hunt and compiling a list, so please reach out. ❤

Candy addict masquerading as an Offensive Security Certified Professional (OSCP), Information Security Consultant, Red Teamer, and Penetration Tester.