10 September 2018

David Sanger on the perfect weapon

By Elisabeth Eaves

Even though major newspapers cover the thrust and parry of cyberwar, it can be difficult to grasp the bigger picture. After all, cyberweapons are new, shrouded in secrecy, and invisible to the untrained eye, making them harder to comprehend than bullets or bombs. But with governments fighting ongoing cyberwars, inflicting damage that has cost billions of dollars and undermined democracy, it is time for a much larger public conversation on the subject, as David Sanger insists in his new book The Perfect Weapon: War, Sabotage and Fear in the Cyber Age.


Sanger, the national security correspondent for the New York Times and a senior fellow at Harvard’s Belfer Center for Science and International Affairs, has penned one of the most comprehensive and accessible histories of cyberwar to date. He begins with the first sophisticated state-on-state cyberattack, in which the United States and Israel used a computer worm dubbed Stuxnet, which they began developing in 2006, to shut down Iranian nuclear enrichment plants. He lays out events since then, up to and beyond the Russian hacking of the US Democratic National Committee a decade later, the repercussions of which are still being felt.

Sanger’s book is more than a history and primer. It also advances a series of arguments, among them that the United States is not ready for the kind of cyberattack likely to come, that the extreme degree of secrecy surrounding cyberweapons is excessive, and that the world needs to move ahead with setting some limits on cyberwarfare—perhaps a sort of “Digital Geneva Convention”—even if governments aren’t ready to do that yet.

Major cyberattacks have struck city services in Atlanta, the health-care system in Britain, centrifuges in Iran, a steel plant in Germany, a casino in Las Vegas, a petrochemical plant in Saudi Arabia, and missile systems in North Korea. In other words, Sanger writes, “The early damage has been limited.” But it will expand and accelerate, he believes, with virtually no chance that the hyperconnected and therefore target-rich Western democratic world will escape unscathed.

Sanger spoke to the Bulletin about all this and more by telephone in August. He was at his house in Vermont, on the edge of the Green Mountain National Forest, where that morning he had spied a black bear. This interview has been edited and condensed.

BAS: Could you briefly explain what implants are and why they matter?

DS: An implant is nothing more than malware that is hiding in a system. It could be in the utility grid. It could be in utility companies’ control rooms, as the US Department of Homeland Security recently warned some Russian malware was. But that’s not the only place an implant can be. It can be in your personal computer watching for something, looking to record your credit card numbers when you type them in. It could be inside your cell phone monitoring not only conversations but text. It could be in an industrial control system.

It was through implants that the United States got malware into Iran’s nuclear complex at Natanz, and ultimately affected the software, so that the nuclear centrifuges that produce uranium sped up and slowed down until they spun out of control. That was the essence of the Stuxnet attack, known by the code name Olympic Games.

Olympic Games . . . was the first truly sophisticated state-on-state attack. It opened the floodgates. They probably would have opened anyway to other states conducting fairly sophisticated attacks, whether it was Russia against the United States or the Iranians against Saudi Arabia or North Korea against Sony or China against industrial companies.

BAS: Are a lot of implants sitting in US systems currently?

DS: We’ve seen warnings from the Department of Homeland Security about the electric grid. But we think that there are hundreds of thousands—if not millions—of other implants in other systems. We place implants in systems around the world—“we” being the National Security Agency and US Cyber Command.

Americans get rightly upset when they hear that there are Russian implants in the utility grid, and they wonder what the intent is. Because if you look at an implant, you may know what it can do, but you don’t know what the intent is. Is it being reserved for war time? Is it there to be discovered, and let you know that we’re watching you?

But Americans frequently don’t think very much about the implants that the US puts in foreign systems. Of course, if we were to establish any global norms that said utility systems are off limits or election systems are off limits, we’d have to be prepared to agree to those same norms. It’s not at all clear to me that our intelligence agencies would be willing to give up what they have gained from putting implants in foreign systems.

BAS: You’ve written that the United States has the most powerful offensive cyber force in the world, but is lousy on cyber defense. Why is that?

DS: The reason we’re lousy on cyber defense is we have so much to defend. In cyber conflict, the advantage goes to the least-wired society attacking the most-wired society. This is why it’s the perfect weapon for the North Koreans. You probably have more IP addresses on your block in Chicago than the North Koreans have in the entire country.

And in the United States, the attack surface has expanded dramatically just in the past couple of years. Think about your house. Ten years ago, you probably had one or two internet-connected devices in your house, maybe a laptop or a desktop computer.

Now you’ve got a desktop computer that’s internet-connected. You have a wireless printer that’s internet-connected. You might have an Alexa down in the kitchen or your bedroom that is internet-connected. You have a smart TV. You might have an internet-connected refrigerator. I haven’t yet figured out what I’d do with an internet-connected refrigerator, but I guess if it told me to eat less, that would be useful, right? You’ve got internet connectivity in your car now. Once we have autonomous vehicles, you’ll have wildly more internet connectivity in your car. You’ve got security systems outside your house with wireless video cameras, they’re all internet-connected.

We’re bad on defense because we’ve got so many spread-out elements. If you were going to attack the United States, you would attack that 85 percent of internet usage that is not in the hands of the US government. The financial markets, the utilities, the cell phone networks, they’re all in private hands which means they’re all at different levels of protection. Which makes sense. Some stuff is more vital than other stuff. But it gives the attacker so many opportunities.

Flip it on its head and suppose we say, “we’ll teach those North Koreans a lesson” with a cyberattack. As somebody in the book was quoted as saying, “How do you turn the lights off in a country where they’re never turned on?”

BAS: It seems the US government has made some mistakes on cyber and not necessarily learned from them. Chelsea Manning stole and shared military secrets in 2010, then just a few years later National Security Agency subcontractor Edward Snowden released US government secrets. Is the failure to fix things due to this being a really hard problem, or lack of money, or something else?

DS: I think it’s due to the lack of attention at high levels of the political system, bureaucratic inertia, and failure to understand the threat. When Dan Coats, the director of national intelligence, said “the warning lights are blinking red” the other day, in reference to Russian attacks including on the election system, he was deliberately using language that came out of the post-9/11 world.

But nobody put together all the dots pre-9/11, and I think people have had an even harder time putting together the dots in the cyberworld, because there are so many different attackers. There are so many different targets. Because it’s so easy and cheap to do, and because there’s still a huge absence of understanding about the scale on which cyberattacks happen.

In the book, I try to make people think about four different categories of cyberattack.

There’s espionage. Nothing new there, just using cyber to go do what previously was done by tapping phones or opening letters or putting satellites up in the sky that watched activity.

There’s data manipulation, which is much more subtle than most attacks. That’s how you would throw an election if you could get at the electoral results . . . That’s how you would change the blood types of US military personnel if you got into a medical database. That’s how you could change the recipient of money transfers, as the North Koreans did when they got money out of the Bangladeshi Central Bank and routed it to their own accounts in Southeast Asia.

There are attacks for destructive purposes. That’s Olympic Games. It’s also the North Korean attack on Sony. People remember it for the emails released about Angelina Jolie, but in fact it was notable because 70 percent of Sony’s computer systems were basically crippled. Hard drives melted down. That was a destructive attack. So was the attack on the Sands Casino in Las Vegas.

Then there is information warfare, which is on the verge between cyber and something very old that we’ve seen back to Stalin’s day and far earlier.

In the minds of politicians, some commentators, and the popular press, these frequently get all jumbled up. Yet they’re all different, and you have to defend against them all very differently.

BAS: So election manipulation via Facebook would fall into the information-warfare category.

DS: Absolutely, and the way you would combat that is not necessarily to stop it but to reveal where it’s coming from. If you got this notice on your Facebook account that said, “this may look like it’s coming from your next-door neighbor, but actually it looks to us as if it was initially launched from Moscow,” you’d say, “Hmm, that’s interesting. Unless my neighbors have been in Moscow lately, it seems like a strange place from which to post this.”

BAS: What would US citizens, or citizens of any Western democracy, have to actually change in their lives to be properly defended against the risk of major cyberattack?

DS: Before we get to what they would have to change in their lives, they have to debate intelligently what it is we’re trying to do.

Suppose you and I were to sit down over a beer and put together a list of the kinds of civilian-related systems we think should be off limits to state-run cyberattacks.

We come up with: Election systems, the electrical grid, anything that gets in the way of emergency services. Anything that would affect hospitals and nursing homes, homeless shelters, the most vulnerable.

Then we’d say, “Okay, let’s get the United States to come out and negotiate this internationally.” Not in the belief that it’s going to stop all cyberattacks, but with the idea that once you have norms against it, violating them would be like violating the Geneva Convention. Which is to say, you’d get some world condemnation, just as Assad gets when he gasses his own people.

My guess is that the American intelligence agencies would probably step in and say, “Whoa, before we go ban these, do you really want to stop the president from being able to manipulate an election if he believes it’s the least expensive, least life-costly way to deal with a country?”

After all, the US got involved in influencing elections in Italy in 1948 and Latin America in the fifties and sixties, in Japan and South Korea, South Vietnam, the list goes on. It’s not as if we’ve never done this. We just didn’t do it in a computer age.

Now, the electrical grid. You read in the book about a program called Nitro Zeus, which was designed to take out Iran’s grid if we were going to go to war with them, in the hopes that it would end the war without firing a shot. You could imagine the Pentagon or the intelligence agencies saying, “Do we really want to deprive a future president of that option?”

None of these decisions are going to be easy, but if you leave them solely up to the intelligence agencies and generals, you know how they’re going to turn out. To answer your question, we first have to decide, are we willing to give some things up—to say that some things are off limits—in order to buy some more protection for ourselves? We’ve done that in other areas. We don’t use chemical weapons anymore. We don’t use biological weapons. We never signed the land mine treaty, but we don’t use land mines outside of the Korean Peninsula. We’ve agreed to reductions in our nuclear force that are quite major.

So that’s the first thing we need to do: decide what it is we’re trying to get banned. That’s the political side.

Then you have to decide, what are the technological protections you think you can build up? You can do any number of technological protections, but some of them have some civil rights origin to them. If you want a perfectly protected internet, you would have everybody who goes on the internet go on as themselves. But that would also play to the Chinese and the Russians who want to lock up everybody.

BAS: Is something like the Treaty on the Prohibition of Nuclear Weapons—which was passed last year and has 14 ratifiers so far—valuable in changing the norm and making a weapon more taboo?

DS: More valuable in the nuclear arena than it would be in cyber. We only have nine states that have nuclear weapons, 70 years after they were first dropped. Which is astounding, because Kennedy thought we would have many more. As you saw from the book, we probably have somewhere between 30 and 40 sophisticated cyber actor states in the world. Then there’s cyber that’s available to non-state actors so cheaply.

For nuclear weapons, you need uranium and plutonium and millions if not billions of dollars’ worth of equipment and facilities. For non-nuclear, for cyber in particular, you just need some good programmers, maybe a few weapons that got stolen out of the National Security Agency’s arsenal to give you a model, some laptops, a case of Red Bull, and you’re good.

BAS: You and others have observed that it may be possible for a government to achieve its political objectives in a conflict by conducting a cyberattack without actually dropping bombs or killing anyone. Is there a way in which cyberwar is superior to bombs and bullets and missiles, in that it could cause less human death and suffering?

DS: Sure. A great thing about cyber is you can dial it up and dial it down. That’s not true for nuclear weapons, and it’s not true for most munitions. You drop them, and you try to make them as precision as you can, but the fact of the matter is, you can’t target them as well as you can target a cyberweapon.
