Gary McGraw: This is a Silver Bullet Security Podcast with Gary McGraw. I’m your host, Gary McGraw, vice president of security technology at Synopsys and author of “Software Security.” This podcast series is cosponsored by Synopsys and IEEE Security and Privacy Magazine. For more, see www.computer.org/security and www.synopsys.com/silverbullet. This is the 138th in a series of interviews with security gurus, and I’m super pleased to have today with me Nicole Perlroth. Hi, Nicole.
Nicole Perlroth: Hi, Gary.
McGraw: Nicole Perlroth covers cyber security for the New York Times and the “Bits” blog. Before joining the San Francisco bureau in 2011, she was deputy editor at Forbes, where she covered venture capital and web startups. Nicole is the recipient of several journalism awards for her reporting on efforts by the Chinese government to steal military and industrial trade secrets. She has a B.A. in poli sci and Near Eastern studies from Princeton and an M.A. in journalism from Stanford and is a native of the Bay Area, where she still lives. Thanks for joining us today, Nicole.
Perlroth: Thanks for having me. I’m a big fan, Gary.
McGraw: According to rumor, the first pitch you ever did landed you on the front page of Sunday’s Post, so do tell.
Perlroth: Oh, I love that you found that. Yes, so I did not do anything with journalism. I didn’t work for a student paper. I didn’t ever have any ambitions of being a journalist. I’d gone to an expensive college where I did nothing with my education towards journalism. And then I took some jobs after Princeton that a lot of Princeton graduates take, like I was a consultant for a little while. I worked on Capitol Hill for a little while. I worked in marketing for Coach, the handbag company, for a little while. And I just thought all of these jobs were completely mind-numbing, and I just missed any kind of intellectual stimulation.
So I ended up actually taking one of those adult continuing studies classes at NYU at night while I was working at Coach by day. And the guy who taught the class…it was a feature writing class. I just sort of missed writing. The guy who taught the class was John Crudele, who’s a business columnist at the New York Post. And he said, “You have some skills here. I think you should try freelancing.” And actually he gave me an assignment. He was trying to help me out. So at that time, there’d been some New York Post stories about the rat fiasco…
McGraw: Oh, I remember that.
Perlroth: …at Taco Bell/KFC. Yes.
Perlroth: Yeah, some of your listeners may remember someone found rats doing cartwheels in the back of this Taco Bell/KFC. So he said, “Why don’t you do a freelance story for the New York Post about how it’s not just Taco Bell per se and all these expensive restaurants probably have rat problems too?” So I said OK. So again, by day I’m working at this luxury handbag company, and by night I’m going through the Department of Health’s restaurant records to see which of these nice restaurants had rat problems. And what I found was this restaurant that I really liked—I actually had just eaten at the restaurant, a week earlier…
McGraw: Oh, no.
Perlroth: Had one of the most horrific health records I’d seen. It was like cockroaches and rats and just people smoking, not washing their hands, not cleaning the toilet. I mean, it was kind of horrendous. But I couldn’t really wrap my head around it, because I’d just been there, and it was really clean…
Perlroth: And it was a good restaurant. So anyways, I called them and I said, “I happened upon your health record, and I really can’t parse this, because I was just at your restaurant. It seemed pretty clean and sanitary to me.” And they said, “Well, thanks for calling. Actually, the health inspector came to our restaurant to do his review, and he ended up getting drunk at the bar and passing out for 2 hours. And we think he just made a bunch of stuff up on our report…”
Perlroth: “…to justify to his supervisor why it took him so long to do the inspection.” So I said, “Oh my God, you’ve got to be kidding me. If only there were proof of this. We should get this guy.” And they said, “Well, actually, we have a camera in the restaurant that caught some of this.”
McGraw: So there was proof.
Perlroth: There was proof. So I go to the New York Post. I’ve no idea what I have. I sort of sheepishly walk into the New York Post, and I say, “You know, I’m really sorry I didn’t get to do this assignment the way that you envisioned it. But I did end up getting this video footage of this health inspector drunk, passed out at this bar, and then failing this restaurant and making up this whole report.” So lo and behold, they couldn’t believe I didn’t really know what I had.
Perlroth: But it went on the cover of the Sunday’s New York Post with this great headline that said something like “Rat Nap,” “Inspector Snoozeau.” I was 23 at that time, and I went to the corner bodega and bought out every single New York Post there.
Perlroth: Yeah, and I was just hooked. The guy was fired. The Department of Health had to have new rules for their inspections, and there had to be some follow-up with the restaurants. To see the impact of something that started out as just a silly assignment was pretty cool. That was my first article.
McGraw: That’s really interesting. So I was going to ask you what got you into covering information security, but if you start with rats, why not just keep on going?
Perlroth: Exactly, yeah. See, I did not choose information security. I was actually…while I was at Forbes, I was based in Silicon Valley, and I was covering venture capital really in the sort of heat-up ahead of Facebook’s IPO, and I was covering a lot of the investors and some of the private share sales. So I got a couple cover stories in Forbes. And I got this call one day from Damon Darlin, who’s a blog editor of mine at the New York Times, who said, “We’re looking at you for this job. It’s not venture though. I should tell you it’s cyber security.” And I just remember thinking, like…
McGraw: “What the heck?”
Perlroth: “You want to take me off…” Yeah, “You’re going to take me off this gravy train to go cover cyber security?” And I really honestly didn’t think I was qualified. I just sort of told myself, “Well, it’s an honor to get invited into the New York Times building and go out to New York for these interviews, and I’ll just be myself and see what comes of it.” And that was an interesting interview experience. But lo and behold, I ended up getting the job, and the rest is history.
McGraw: They sold you, it sounds like.
Perlroth: I wouldn’t call it that. I had to do 13 interviews in one day, if I’m remembering that correctly. It was like half-hour interviews each. And some of them were great. I was interviewing with Sam Sifton, who was our food critic at the time. So I was just fascinated to be meeting him…
Perlroth: And asking him like, “How do you be a food critic and not gain 100 pounds?” But then some of the interviews were really unpleasant, and people were like, “You’re the least qualified candidate.”
McGraw: Yeah, “Why are you here?” Blah, blah, blah.
Perlroth: Yeah, “Why are you here?” Yes.
McGraw: Yeah, but you know, somebody like you rises to that occasion.
Perlroth: Well, I said, “You really should interview this person and this person. I’ve been doing research for this interview, and their cyber security coverage is really great.”
Perlroth: And they said they did look at that person and that person, but when they came in to interview, the editors had no idea what they were talking about.
McGraw: Right, so it needed to be…
Perlroth: Which is a big problem with cyber security.
McGraw: …coverage for normals, yeah.
Perlroth: Yeah, they needed coverage for normies. That’s right.
McGraw: Yup. So how does that beat compare to the others you’ve covered? I mean, you’ve sort of talked about that, but give me a minute or two on that.
Perlroth: About how it compares to some of the other topics I’ve covered?
Perlroth: Venture capital was an interesting beat because it’s very self-promotional. You get a lot of calls from venture capitalists trying to get you to write a glowing profile of them, which is similar in some ways to information security because as you know, we constantly get pitched by cyber security firms or firms that want to slap the word “cyber” onto their website looking for promotion and willing to shamelessly dole out FUD in the process.
Perlroth: So dealing with the self-promoters was very good training for me…
McGraw: I love it.
Perlroth: …in covering the venture capitalists. The hard part is, I always say, it’s no longer even the reporting and writing that’s the hardest part of my job these days. It’s the day after the story publishes on Twitter.
Perlroth: When you’re writing for a layperson’s audience, the technical audience is never going to be happy with how you’re covering information security, as you know. So dealing with such a hypercritical, vocal, philosophical, almost like religious community, I think, has been the hardest part, and I don’t think anything really prepared me for that.
McGraw: That’s really interesting. So you’ve been involved with some really big stories, including the recent story “Russian Election Hacking Efforts Wider Than Previously Known.” What was it like to be locked in a room working on that one?
Perlroth: For that one, I wasn’t really locked in a room. I was actually working from home for most of it. And the original assignment there…we don’t get too many assignments at the New York Times, especially when you’re covering something like information security, because there’s more than enough news to cover. But occasionally you get these assignments from the powers that be. So the assignment started as “Can you look out ahead of the 2018 elections and see what’s being done to prevent another situation like the one we had in 2016?”
So I started digging around, and what I found was that actually there were still many more unresolved issues from the 2016 elections than had been covered by the mainstream media. So one of the things that was so soothing after the election was we knew Russia had done a series of disinformation campaigns, we knew about the propaganda efforts—although at that point, we didn’t know the extent of them, that’s all coming out now—but for the most part, the intelligence report that came out last January delivered a pretty soothing message that said despite all those efforts to influence the 2016 campaign, Russia stopped short of hacking the actual vote counts, the vote tallies.
Perlroth: And what I’ve learned in the reporting is that actually, that conclusion came predominantly from spies, from spies that we have and digital intercepts of Russian communications where, I’m assuming, someone told someone else something along the lines of “We didn’t hack the vote count.” And they were really surprised that Trump had won…
Perlroth: …without those efforts. But no real forensic effort had been made to be sure that some of the systems that were hacked on the back end didn’t have an impact on the vote.
McGraw: Like the logbook things.
Perlroth: Exactly. And the place that really kept coming up again and again in my conversations was Durham, North Carolina, where the county did use an e-poll book, electronic poll book, vendor called VR Systems that we know from a leaked NSA report had successfully been hacked by the Russian GRU. And they did have a lot of the problems on Election Day that fit sort of the MO of someone trying to create chaos or prevent people from voting. And then I don’t have to tell you about the demographics of Durham, but it’s a predominantly blue county in a swing state.
So we started digging further, and we found that there were these instances of people showing up with their registration cards and being told that no, they were no longer registered and had been marked as inactive, or they’d voted early when they hadn’t, or they’d voted absentee when they hadn’t, and…
McGraw: Yeah, fishy, fishy, fishy.
Perlroth: …it was just written off to a glitch. Exactly. It was written off to a glitch, but no one had ever done any forensics investigation. And then where it got really deep in the weeds was when I found out actually the county had hired a local forensics or security company to do some forensics investigation. And so I got my hands on that report, and it was not like anything you would read from a Mandiant or CrowdStrike.
Perlroth: It was really like an old-school cop report where they had gone to these co-workers and said, “At 6:09, I interviewed Judy from Precinct No. 3.” But there was no actual forensics analysis, and the DHS and FBI had never done any kind of analysis of these systems in Durham, because they have to be invited in by the county and the state, and the state had really rebuffed their efforts.
So basically we started unraveling this, and we realized that this tale was more common than we knew. And I wish we could have gotten to the bottom of, did hacking actually occur on Election Day? And I regret that we were unable to get that far, but we’re still sort of staying on top of that one.
McGraw: Yeah. I hope that story gets more attention. We’ll be right back after this message.
If you like what you’re hearing on Silver Bullet, make sure to check out my other projects on garymcgraw.com. There, you can find writings, videos, and even original music.
So it seems really easy to cover spectacular failures like the Equifax breach.
Perlroth: Oh, yeah.
McGraw: Due to what I call the NASCAR effect, because humans love to read about disasters.
McGraw: But how do we get coverage for important but not really sexy computer security stuff, like, oh, I don’t know, say, software security? Asking for a friend.
Perlroth: Well, yeah. I mean, I agree with you. Some days, I feel like I’m on the cop beat, like “Tragedy struck Equifax on Tuesday morning,” and…
McGraw: Right, blood sells.
Perlroth: …you’re just like…yeah, exactly. But as far as software security, I mean, I think people are getting more interested in it. I know in my book, I’m hoping to sort of end on software security because I think there’s just more awareness now of vulnerabilities and just how big of an impact human error and sloppiness can have in terms of attacks. I mean, there was a big focus actually in the Equifax breach, at least initially, on the patching vulnerability.
Perlroth: It wasn’t patched.
McGraw: Yeah, and Craig Timberg talked about it explicitly in the Post. So that was cool.
Perlroth: Uh-huh, yeah. And one thing that gave me hope was when Facebook was IPOing—and I just know this from my venture beat days—their philosophy was “Move fast and break things.”
Perlroth: And recently, I forget how recently, but I was at Facebook headquarters, and that motto had been replaced. And I don’t know what audience I’m speaking to right now, so forgive my French, but there were signs on the wall that said, “Move slowly and fix your shit.” And I just thought that was a great ray of sunshine in an otherwise dreary space.
McGraw: Well, I think so too, and Alex is a really good guy. So his influence is very clearly seen over there.
Perlroth: Oh, yeah.
McGraw: Adult supervision.
Perlroth: And you know at Google, the amount of fuzzing that’s going on, and they say that their motto since the Chinese attack that happened there in 2010 has been “Never again,” that security and software security is extremely important to them. How that trickles to Android, I don’t know. But it’s something that’s getting talked about, I think, pretty seriously at the executive level at some of these tech companies, which is a good sign.
McGraw: I’ve been working on a new science project about CISOs, who you wrote about, I guess, 3 years ago in your story “A Tough Corporate Job Asks One Question: Can You Hack It?” Very hilarious lede.
Perlroth: Right. Didn’t someone say it was like being lambs waiting for their slaughter?
McGraw: Exactly. And you ended with the three envelope joke.
Perlroth: Oh, I love that.
McGraw: So though an 18-month tenure is still all too common among CISOs, I think some have made some real progress in the role. So do you think that CISOs are doomed to be the “guy before the guy” still? Or are you seeing forward progress?
Perlroth: No. I’m so glad you brought that story up, because I think that was the case at that time, and now you look at…some of those CISOs who’ve been through those breaches are now like top 10 recruits at companies. Because now that we’ve all admitted that we’ve all been hacked, you want someone that’s sort of a veteran of some serious nation-state hacks to be protecting your business, because they understand that compliance checklists aren’t going to cut it anymore.
Perlroth: So I think that has changed, and I do think that some of the people who worked at these high-profile companies that are most in demand—I think, unfortunately, Equifax executives, they were fired in the wake of this most recent breach. I don’t know if they’re going to have the same clout with future employers that some others have had. But yeah, I think it is changing. I also think now it’s not the CISO that gets fired; it’s the CEO.
McGraw: Right. Changes things just a little bit. It’s kind of like what Sarbanes-Oxley did. All of a sudden, the CEO goes to jail? They don’t do jail; they do limo.
Perlroth: Right, right.
McGraw: So you’ve had some of your stories optioned for TV and movies. Tell us about the Krebs story very briefly.
Perlroth: So Brian Krebs is probably very familiar to your audience, and I think he’s the best at what he does in terms of my competitors. I don’t even consider him a competitor, because he’s writing for a different audience…
Perlroth: And he’s just so good at what he does. So I was basically at his mercy when he was covering the Target attack, because every day it was like I was no longer doing any original reporting. I was just waking up and reading what Brian said.
McGraw: “According to Krebs, blah, blah.”
Perlroth: Exactly. And we all were: Wall Street Journal, Wired. We were all just writing what Brian was doing that day. And it got old pretty quickly. And finally I just said, “You know what? Brian is actually a really interesting coverage topic in his own right.” I mean, the guy has been SWATted, and I knew some of the stories about people sending heroin to his doorstep and that kind of thing.
McGraw: He told some of those stories on a version of Silver Bullet a few months ago.
Perlroth: Oh, good. Well, New York Times readers didn’t know any of those stories, and I don’t think many of them really knew who Brian was, although they should have known because he was the first to report a lot of these stories. So I pitched that to my editors, and I told them all the juicy details about the SWATting and the heroin and feces being sent to his house, and they loved it. So I wrote that one up, and Sony bought the options to it. Which was sort of a funny story in itself because I went home to my now husband and said, “We’re going to be rich. Sony optioned my story. Go get some champagne. We’ll have a nice time.” And the next day, I talked to our lawyers at the Times, and they said, “Well…”
McGraw: “It happens all the time. It’s just an option.”
Perlroth: “It happens all the time.” After legal fees and the New York Times takes its 50% cut, they basically left me with 300 bucks.
McGraw: Well, that’s one good bottle of champagne. What the heck?
Perlroth: Well, I actually—it’s funny—I told my husband, “We should have bought wine coolers.”
McGraw: So all right, now a touchy subject. So you’re working on the book “This Is How They Tell Me the World Will End.”
McGraw: What’s the deal with the book?
Perlroth: Ugh. Well…
Perlroth: Let’s just say I’ve been a little busy at work, so it’s been hard to balance the two things. It’s hard to investigate Russian hacking by day and then come home and have anything left for a book about the exploit market.
Perlroth: But that’s what the book is about, and my final manuscript is due Christmas Eve. And after that, they’re going to start docking my advance, so I have no choice but to finish the book in the next couple months. And the fact that it’s gotten delayed has actually been a good thing, because I think the ending of the book about the exploit market that would be a really great ending is what we’ve just seen over the last couple of months with the Shadow Brokers leaks and the NSA exploits being used by North Korea.
McGraw: We can’t wait, so we’re psyched. All the readers are waiting for that. So hurry up.
Perlroth: Oh, OK, all right. I hear you. Well, it’s hard not to think of your listeners while I’m writing the book and all the people who are going to tell me I got something technically wrong and want to…
McGraw: Oh, that’s OK.
Perlroth: …explain this or that, but I’m used to that.
McGraw: So one other question. Sitting on the journalist side of the table as a New York Times reporter gives you lots of power, so do you experience the same kind of sexism that other women in tech experience?
Perlroth: I’ll tell you…so I do not experience the type of sexism that you read about in some of the articles on Uber. I have not experienced that. What I have experienced is…well, first of all, people talk about women in tech and how we need more women in tech, and I always just roll my eyes because I’m like, “Try cyber security.”
McGraw: Yeah, right. There’s plenty of room there.
Perlroth: Right. It’s like you’re preaching to the choir, only my choir is a lot smaller. And so that creates an interesting dynamic. I’ll tell you a funny story, which is that I went to go hear Mike Rogers, the head of the NSA, director of the NSA, go speak at Stanford. And he was speaking to an audience of Stanford students and academics, and there were reporters there, and all my usual competitors were there. So I’m sitting in the audience, and it’s time for questions, and I have my hand raised, and I’m trying to ask him a question, but he’s calling on all my competitors. And finally he said, “OK, now I’d like to hear from some Stanford students. Why don’t I choose this nice lovely lady in the front?”
McGraw: Oh, man.
Perlroth: And that was me, and I was like, “Nicole Perlroth, New York Times.” So I get a lot of that, which is fine. I think actually I’ve learned it can be a superpower and people sometimes feel more comfortable talking to me because I’m a woman writing for a lay audience.
McGraw: Right, right. So they dish when they probably shouldn’t, and you…
McGraw: And you’re a hardcore journalist, it turns out.
Perlroth: Yes, I catch them at their most vulnerable.
McGraw: So I have to brag a little bit. Over the last 12 months of Silver Bullet, we’ve interviewed 12 accomplished women, including Marie Moe, Lesley Carhart, Kelly Lum, Jessy Irwin, Kate Pearce, Chenxi Wang, Cheryl Biswas, Kelly Jackson Higgins, Ksenia Dmitrieva-Peguero—which is impossible to pronounce—Pavi Ramamurthy, and Wafaa Mamilli, and now you. So, incredible talent, ambition, and drive. And what one thing should we all do to encourage more women to join cyber security? Not…reporting too, all technical stuff. What do you think?
Perlroth: Well, first of all, that list gives me chills, and I just think it’s wonderful that you’ve lined up…some of those women that you listed are all…I’m a fan of all of them. Secondly, to get more women into cyber security, I don’t think we play up the sex appeal of cyber security enough. I mean, this is something that is changing all the time. You’re not just coding. On the technical side, you’re not just coding; you’re like playing cops and robbers, and I think that there is just constant…I talked earlier about how little intellectual stimulation there was in some of these jobs I had…
Perlroth: Particularly in marketing at Coach, where I worked with all women.
Perlroth: And this job in the cyber security world is just full of intellectual stimulation. It’s amazing how many times I…three days ago, I knew nothing about North Korean counterfeiting operations, but I had to go quickly study up on it. And because of the financially motivated attacks North Korea has been doing to make up for the fact that its counterfeiting operations are no longer as effective. So it’s not like I’m just buried in code. You’re actually…
McGraw: Yes, it’s real reporting.
Perlroth: Yeah, and you’re sort of on the front lines of history in some pieces, and there’s a real political bent to a lot of nation-state-type attacks that we’re seeing. So I think we just…I don’t think people realize that it’s not just code and it’s not just hackers in their basements, that there’s real opportunities here to be on the front lines of history. And cyber security is such a…I mean, talk about employment security. The problem’s only getting worse and worse, so there’s real opportunities here.
I actually met a young woman the other day who was going to Johns Hopkins, and she had sought out an internship related to cyber security for the summer, which was the first I’d heard of a freshman coed seeking out a job like this. Most people just sort of fall into it.
Perlroth: And so I thought that was a nice thing to hear.
McGraw: Yeah, that’s cool. That’s a great answer. So last question, total flyer: How many dogs do you have? Is it three? I’m trying…
Perlroth: I have one and a half. I know it’s pretty confusing, but…
McGraw: It’s hard to tell.
Perlroth: I have one dog. I know; I am obsessed with dogs. So I have one dog named Homer; he is my main…he’s what I call our silent partner.
Perlroth: He’s with me all the time, although not right at this moment.
McGraw: Trying to make you not write the book. “Throw the ball. Don’t write the book. Throw the ball.”
Perlroth: Yes, exactly. He is a real distracter. And then I just got a puppy, who’s a Swiss mountain dog.
McGraw: Ah, so there’s only one of those. I was thinking there were two of those.
Perlroth: Well, he is a cousin of my family’s Swiss mountain dog that they got 9 months ago.
McGraw: That makes sense.
Perlroth: So he was inspired by this other dog.
McGraw: OK, so two. That’s not so bad.
Perlroth: And we haven’t totally named the new puppy yet, but I like the name Hanzo, like Hattori Hanzo.
Perlroth: The sword maker in “Kill Bill.”
Perlroth: A Japanese ninja.
Perlroth: But I’m getting some pushback, so I’ll keep you posted.
McGraw: All right, very last: What’s your favorite place to dive on the planet?
Perlroth: My favorite place is to skydive? I’ve skydived in really ugly places, so New Jersey and Lodi, California.
McGraw: There you go.
Perlroth: Couldn’t tell you which one was better.
McGraw: Hey, thanks for your time, Nicole. It’s been a really interesting conversation.
Perlroth: Thanks so much for having me, and thanks for bringing all these inspiring women on.
McGraw: This has been a Silver Bullet Security Podcast with Gary McGraw. Silver Bullet is cosponsored by Synopsys and IEEE Security and Privacy Magazine and syndicated by Search Security. The July/August issue of IEEE S&P Magazine is a special issue devoted to post-quantum cryptography. It also features our interview with Kelly Lum, aka Aloria. Show notes, links, and an online discussion can be found on the Silver Bullet web page at www.synopsys.com/silverbullet. This is Gary McGraw.