Summary
This Is How They Tell Me the World Ends is Nicole Perlroth's investigation into the global market for zero-day exploits — previously unknown software vulnerabilities that can be used to compromise systems before the vendor knows they exist and before any patch is available. Perlroth, who covered cybersecurity for The New York Times for a decade, spent years interviewing vulnerability brokers, intelligence officials, hackers, and government contractors to map an ecosystem that operates largely in secret and has become one of the most consequential and least understood corners of national security.
The book opens with Stuxnet, the U.S.-Israeli cyberweapon that destroyed Iranian centrifuges at Natanz around 2010 and was the first known instance of a digital weapon causing significant physical damage to industrial infrastructure. Stuxnet required multiple zero-days to deploy, and its discovery — by accident, when it escaped onto the open internet — revealed to the world that state-level cyberweapons had already reached a level of sophistication that most had assumed was years away.
Perlroth traces the development of the zero-day market from its origins among teenage hackers and bug bounty programs into a global arms bazaar where governments, intelligence agencies, and private contractors buy and hoard vulnerabilities for offensive use. The central tension is that every zero-day the U.S. government hoards for offense is a vulnerability that remains unpatched in American systems — including power grids, water treatment facilities, hospitals, and financial infrastructure. The decision to stockpile rather than disclose involves trading offensive capability against defensive vulnerability, and it is made with essentially no public accountability.
The book is strongest in its portraits of the people operating in this ecosystem — researchers who discovered they could earn six or seven figures selling vulnerabilities rather than disclosing them responsibly, contractors building exploit capabilities for governments that couldn't always control them, and intelligence officials trying to manage a technology that spreads faster than any precedent. Perlroth's reporting on Shadow Brokers, the group that leaked NSA cyberweapon stockpiles in 2017 and whose tools were subsequently used in WannaCry and NotPetya — attacks that collectively caused tens of billions of dollars in damage — is particularly important.
Key takeaways
1. Zero-day exploits are unknown software vulnerabilities that can be bought and sold before the vendor has any chance to patch them. A functioning market for these vulnerabilities now operates globally.
2. Stuxnet was the first known cyberweapon to cause physical infrastructure damage, and its escape onto the open internet demonstrated that offensive cyberweapons cannot be reliably contained.
3. The U.S. government built the world's most capable offensive cyber program and also created the market that now supplies adversaries with comparable tools. The two facts are not unrelated.
4. Every zero-day stockpiled for offensive use remains an unpatched vulnerability in civilian infrastructure. The tradeoff between offensive capability and defensive exposure is rarely made explicit to the public.
5. The Shadow Brokers leak of NSA cyberweapons led to WannaCry and NotPetya, which together caused estimated damages exceeding $10 billion globally. This is the cost of stockpile loss.
6. Cyber deterrence doesn't work the way nuclear deterrence does. Attacks are deniable, attribution takes time, and the speed of escalation is hard to manage through diplomatic channels.
7. Private contractors sit at the center of the offense-for-hire market. Companies like NSO Group, Hacking Team, and Zerodium have moved state-level offensive capability to anyone who can pay — including authoritarian governments.
8. The Vulnerabilities Equities Process — the U.S. government's internal procedure for deciding whether to disclose or keep a vulnerability — was secret, inconsistent, and heavily weighted toward offense until Snowden and subsequent revelations forced reforms.
Discussion questions
Use these on your own, with a book club, or as chat starters in Superbook.
1. The U.S. created the zero-day market through its demand for vulnerabilities. Does that responsibility come with any obligation for what happens to the market it created?
2. Perlroth argues that stockpiling zero-days leaves civilian infrastructure more vulnerable. How should the government weigh offensive intelligence advantage against that defensive cost?
3. Stuxnet escaped onto the open internet and eventually revealed U.S. and Israeli involvement. Does that outcome change how you evaluate the decision to use it?
4. The private zero-day market pays researchers far more than responsible disclosure programs. What policy or economic interventions, if any, could change that calculation?
5. Cyber deterrence appears not to work the way nuclear deterrence did. What makes it structurally different, and does that difference matter for how states should think about offensive cyber operations?
6. The Vulnerabilities Equities Process was secret and weighted toward offense. What principles should govern that decision publicly, and who should have a say in it?
7. Companies like NSO Group sell offensive cyber capabilities to any government that pays. What obligations do private companies have when their tools are used to surveil dissidents or journalists?
8. Shadow Brokers leaked NSA tools that were then weaponized against civilian infrastructure worldwide. Who bears responsibility for the damage from WannaCry and NotPetya?
9. Perlroth argues the U.S. is more vulnerable than most of its adversaries because more of its critical infrastructure is networked. Does that asymmetry change the calculus around offensive cyber investment?
10. The book was published in 2021. Which developments since then seem most to confirm or challenge Perlroth's central arguments?
11. Zero-day discovery often depends on individual researchers with specialized skills. What does it say about digital security that so much depends on finding a small number of exceptional people before adversaries do?
Frequently asked questions
- Is This Is How They Tell Me the World Ends worth reading?
  Yes, for anyone interested in cybersecurity, national security, or how technology reshapes geopolitics. Perlroth's decade of reporting gives her access that no outside researcher could replicate. The book is alarming in proportion to how accurate it is.
- How technical is the book?
  Less technical than the subject might suggest. Perlroth explains zero-days, malware, and exploit markets clearly for a general audience. Readers with technical backgrounds may find some explanations simplified, but the value is in the reporting rather than the technical detail.
- What is a zero-day exploit?
  A zero-day is a software vulnerability unknown to the vendor and therefore unpatched. The name refers to the vendor having had zero days to prepare a fix: an attacker who knows about the flaw can exploit it before any defense is available. Zero-days can be worth millions of dollars depending on the target software.
- How long does it take to read?
  About nine to ten hours at average pace. The book is dense with detail and benefits from being read in extended sessions rather than short ones, since the narrative builds context across chapters.
- What happened with WannaCry and NotPetya?
  Both were cyberattacks in 2017 that used NSA cyberweapons leaked by Shadow Brokers. WannaCry, attributed to North Korea, hit hospitals, transport systems, and businesses globally. NotPetya, attributed to Russia, targeted Ukraine but spread worldwide and caused approximately $10 billion in damage, making it the most destructive cyberattack in history.
Similar books
The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography
Simon Singh
The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power
Shoshana Zuboff
The Looming Tower: Al-Qaeda and the Road to 9/11
Lawrence Wright