The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age

Operator:  Welcome to The Federalist Society's Practice Group Podcast. The following podcast, hosted by The Federalist Society's International & National Security Law Practice Group, was recorded on Tuesday, September 18, 2018 during a live teleforum conference call held exclusively for Federalist Society members.  

 

Wesley Hodges:  Welcome to The Federalist Society's teleforum conference call. This afternoon we are fortunate to host Mr. David E. Sanger to discuss his new book The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age. This teleforum is being hosted by the International & National Security Law Practice Group here at The Federalist Society. My name is Wesley Hodges, and I'm the Associate Director of Practice Groups.

 

      As always, please note that all expressions of opinion are those of the expert on today's call.

 

      Today our format is an interview with the author. I have several questions prepared and will go through those, but eventually we will open the floor for remarks or questions from our audience, so please keep in mind what questions you have for this subject or for the author today.

 

      As I mentioned, David Sanger is the national security correspondent for the New York Times and is a bestselling author of two other books: The Inheritance and Confront and Conceal. He has been a member of three teams that won the Pulitzer Prize including in 2017 for international reporting. A regular contributor to CNN, he also teaches national security policy at Harvard's Kennedy School of Government.

 

      Thank you very much for being with us here today, David. First off, I just want to ask you, what were your reasons for writing the book?

 

David E. Sanger:  Well, first thanks very much, Wes, for having me here on your podcast, and it's great to be able to talk to you and to your audience. The Perfect Weapon was the result of about 10 years of reporting that I've done on the increasingly central role that cyber has played in American conflict, conflict around the world, and how cyberweapons have emerged as the primary way that governments seek to undercut and influence each other without going to full-scale war. It's been so far a short-of-war weapon, and we've seen that as the United States attacked Iran's centrifuges. We saw it as North Korea attacked Sony Corporation and destroyed 70 percent of their computing power in retaliation for a movie they didn't like that envisioned Kim Jong Un's assassination. We've seen it as the Iranians have attacked Saudi Arabia. We've seen it as the Chinese have begun to make use of cyberweapons, though so far more for espionage and big data collection than for aggressive purposes.

 

      I also had a sense that all Americans, and in fact citizens around the world, feel increasingly vulnerable about the data—their own—that's stored in vast databases and know that much of it has been lost and lost to foreign powers. But they don’t really understand the degree to which they've become the collateral damage in a cyber conflict, a broader cyber conflict, that's taking place 30,000 feet above their heads.

 

      In other words, rather than individuals being targeted, although that sometimes happens by criminals seeking to steal your credit card numbers and so forth, more often than not, you're caught in the crossfire of a much larger cyber war. That would be true of say the 22 million Americans who's most personal secrets stored on forms they filled out to get security clearances were taken by the Chinese. The Chinese weren't seeking to get their credit card numbers; they couldn’t care less about that. They were seeking to understand a set of relationships among people with the most sensitive clearances in the U.S. government and then turn those to other purposes. So what's happened is that more and more people have discovered the degree to which they are caught in this crossfire.

 

Wesley Hodges:  Excellent. Thank you, David. Would you mind providing more details on the distinctions you put between cyber conflicts, cyber warfare, and other things related to the cyber realm, such as intelligence gathering efforts?

 

David E. Sanger:  Sure. So cyber war is a phrase a lot of people throw around without sort of thinking about what a full-scale war looks like. And as I suggested before, what's been interesting so far about the cyber conflict we've seen is they're deliberately short of war. They're done by states that don't want to confront the United States or other adversaries directly, don’t want to let it escalate into a full-scale conflict. So they're calibrating their attacks very carefully in an effort to try to wreak some advantage or wreak some havoc but with the knowledge that no one's going to visit them with a B-52 and start bombing in response.

 

      And so far that's largely been the case. I mean, nobody suggested military options for the Russian interference in the elections. No one suggested using the military to go defend Sony when their computer systems were melted down. Yet in a pre-cyber age, if the North Koreans had sent in saboteurs or bombed the Sony computer systems at their studios in Hollywood, you know there probably would've been a military response.

 

      So one of the advantages of cyber is that you can exact harm, somewhat invisibly, and not immediately prompt a big response. And the result of that is that you've a lot of more freedom to go use these weapons because they're easily deniable, they're dirt cheap to produce, and tracing them take some time. It's not like you can go into a big cave in Colorado as we could during the Cold War and see where incoming missiles are coming from. It takes weeks, sometimes months, sometimes years to sort out what the true origin of the cyberattack was.

 

      The other thing that has become clear over time is that cyberweapons sit on a spectrum. And so one way to think about this is that some are used for espionage. That's what I discussed before with the Chinese and the Office of Personnel Management. Or China's theft of the F-35 plans or industrial plans. Sometimes it's used for data manipulation. Imagine for a moment that you were able to actually get into the voting machines and change votes. Imagine that you could get into the medical histories of members of the U.S. military and change blood types and the kind of havoc that could have. Data manipulation, which is much more subtle than most other larger attacks, is really something the U.S. government is quite concerned about because, again, it's very hard to track and you begin to lose trust in the systems that run everything. Supposing you got into your autonomous car, programed it to -- told it that you wanted to go to the supermarket, and instead it drove you over a cliff. You're not likely to go trust autonomous cars for very long.

 

      A third is cyber for the use of attack on physical facilities. That's what the United States and Israel did to Iran in the Stuxnet or Olympic Games case. That's what the United States did to North Korea when it was attacking its missile test program. And then sometimes there are mere information warfare attacks that use cyber to broadcast information warfare more broadly. So there's nothing that the Russians were doing on Facebook that differed all that much from what Stalin used to do in the 1930's, except that if you post something on Facebook, you can spread impressions of your propaganda millions of times and you can actually sort of measure who's reading it. You couldn't do that back in Stalin's time when they were placing false stories in foreign newspapers.

 

Wesley Hodges:  Thank you, David. Now, you reference in your book -- well, you make the analogy that you believe that we are in the World War I of cyber threats and conflict. Would you mind commenting on -- you say these factors of anonymity and cost allow for this grey space for this conflict that hasn't yet reached war. Would you mind commenting on as you see this technology progressing, does that anonymity or cost -- do you think that will change much? Will these factors remain consistent or will they -- do your predict any changes there?

 

David E. Sanger:  Well, one of the big reasons that the cost is so low is that it's -- the cost of entry to make cyberweapons has always been very low and if anything it's gotten lower. Think of this: to make nuclear weapons, which only nine countries have done so far, you need to have plutonium or uranium. It's hard to come by. You need to be able to enrich it or reprocess it. That can cost you millions and millions of dollars. So you need a lot of physical infrastructure. For cyber, you need some young talent, maybe some weapons stolen from the NSA—and there're a lot of those around. We can get to that a little bit later on, why the U.S. is having such a hard time keeping its arsenal secure and secret—and maybe a case of Red Bull. That really helps, right? And you're good to go. So that's the reason that it really is the perfect weapon, particularly if you're North Korea or Iran or any place that is short of resources.

 

      The other thing is that it's gotten easier and cheaper, even while our cybersecurity has gotten better. And the reason for that is we have so many more things attached to the internet. So we're better than we were 10 years ago. I mean, most of your listeners use two-factor authentication, or at least I hope they do, when you get that six digits or whatever back to your cellphone before you take money out of your bank account and so forth. So our cybersecurity is improving, but at the same time the attack area, the surface area, of cyberattacks, the opportunities have increased greatly.

 

      Think about your own house. 10 years ago you probably had one or two things attached to the internet—a laptop computer, maybe a desktop computer. Today you've got your Alexa, probably your alarm system, some surveillance cameras if you have them outside your house or your apartment building, your autonomous car, even a lot of non-autonomous cars. I recently replaced an old car and the new one I can lock and unlock from my cell phone and it's not an autonomous vehicle. So each one of these allows a new entry point for anybody looking to get into your networks. And the same is true in our offices, where we're walking in and out of our offices with our cell phones and other devices that you take home. So they can be infected elsewhere and then come into the office and suddenly they're a trusted member on the network. All of these give new opportunities to any adversary.

 

Wesley Hodges:  Excellent. Well, then, as a follow-up to that, I wanted to ask do you believe that the primary threats of cyber warfare are threats to American cybersecurity in general? Do they necessarily come from sovereign actors from states, or do you see similar threats from rogue elements?

 

David E. Sanger:  Well, there certainly can be from rogue elements. This is, as I said before, it's cheap and easy. So that would mean that it would be attractive to terrorist groups and others. So far we haven't seen a lot of that. ISIS used cyber for recruitment, you know, to put up videos to try to suck people up to volunteer. But they didn't use it much as a weapon. And one reason for that is it does take patience to do a cyberattack. The North Korean attackers that went into Sony were in there for months before they attacked. United States was inside the Natanz nuclear enrichment plant with Israel for years before they did very serious attacks. And that's required because you need to go in in a stealthy way, stay hidden, and examine how the system is operating, how computers relate to physical equipment, how it relates to accounting systems, email systems. That takes a while, and usually terror groups and criminals don't have a lot of patience.

 

      So, again, think about your house. The reason you have locks on your doors and the reason you have an alarm system is that you're trying to get rid of 80, 85 percent of the threats that are out there, you know, kids breaking in, random burglary attempts, and so forth, and you want to create a deterrent to that. But you have no expectation that the things that you buy to protect your house are going to protect you against an incoming ICBM or a bomber that comes overhead. You don’t believe that you can protect yourself against a state. And by and large, that's pretty true about cyber as well. You're not going to be able to protect yourself against a dedicated state actor. But 85, 90 percent of the actors are pretty random and not as skilled.

 

Wesley Hodges:  Wonderful. Well, just commenting again on rogue elements versus state actors, the point you made earlier about the anonymity of the cyber realm, I imagine it would be pretty easy for states, even if they were under scrutiny, to pass the ball to rogue elements, say pass them a laptop and a case of Red Bull, like you mentioned earlier. How easy is it for states to identity other states in the present setting?

 

David E. Sanger:  You raise a really good point because, in fact, there's a lot of freelance work going on here. When we did our work about Unit 61398, the Chinese People's Liberation Army unit that was going into so many American companies four or five years ago, it turned out that while a number of them were PLA officers and thus clearly state actors, they also relied on a lot of freelance Chinese groups that were patriotic actors or opportunistic actors or simply a bunch of 20-somethings who needed to make some money moonlighting, right, and got a good contract from the government. They may not have even known that the people who hired them were the government.

 

      So the Russians do this a lot. They hire a lot of outside actors. The North Koreans do it as well. And you're beginning to see that described in some of the indictments that the Justice Department has issued. When you think about it with the indictment two weeks ago of the North Koreans involved in the Sony attack, the U.S. has now indicated Russian, Chinese, North Korean, and Iranian hackers in separate cases over the past three or four years and over two administrations. This began in the Obama administration and it's been followed through in the Trump administration. So you're beginning to see in those indictments these very fuzzy organizations, where things may be state-led but they may simply turn a group of freelance hackers lose.

 

Wesley Hodges:  Wonderful. Well, commenting on that some of the most enjoyable moments I think in your book are the accounts you give of these different stories of cyber infiltration, an example of which taking down Iran's nuclear program with Stuxnet, Snowden and more. Would you mind walking us through the story of the 2008 Russian hack of the internal Pentagon networks and what the Pentagon did to fix that?

 

David E. Sanger:  Sure. So the Russians have been after us in a cyber way long before they got to the DNC hack, and the book takes you through from 2008 really right around the time of the 2008 election, where you saw Senator McCain and Senator Obama going after each other. And in the midst of that, the Pentagon suddenly discovered there were Russians inside a very classified network called the SIPRNet that is used to do military communications and communications elsewhere in the U.S. government.

 

      And the big mystery was how did they get in, and one of the ways they got in was simply by dropping infected USB cards and USB keys around a parking lot in the Middle East, hoping that someone might pick some of these up, try to figure out what was on them, and put them in their machines. And they did. And that helped the Russians get inside that network because someone was unintentionally basically carrying the code into their computers. That's why when you go around later on after that happened to many Pentagon sites or defense sites around the world, you began to see some people who had not yet gotten replacement machines and they had superglued their USB ports to seal them up so that no outside USB could go into it.

 

      It was a pretty brilliant, incredibly simple, very cheap way to hack into classified networks. A lot of countries think about sealing off their most sensitive computers, as the Iranians did in their nuclear program; in other words, not connect them to internet. But an air gap, which is what that is called, is only as secure as the next idiot who comes along and plugs a USB or some other infected device into the interior part of the network. And people have figured that out.

 

      Now, again, our cybersecurity is better than that now. Just as we've taught people not to go click on suspicions links, we've taught them not to put USBs that they don't know the origin of into their computer systems. But it's amazing how many times foreign powers get into computer systems just by testing enough people and figuring that all it takes is one person to get them into the network.

 

Wesley Hodges:  Well, we would be remiss to talk about Russian hacking attempts without mentioning America's election security. Would you mind commenting on America's election security?

 

David E. Sanger:  Sure. So the first thing to know about the hack of the DNC and the attacks on Arizona and Illinois and all that, which we can't find any evidence actually changed any votes, is that the Russians tested almost all of these practices in other countries, notably the Ukraine, before the DNC hack. And there's a chapter in the book called, about Ukraine, called "Putin's Petri Dish" that basically walks through how they did all of these techniques in the Ukraine, including taking over parts of the utility system by remote control and shutting them down; something they have not done the U.S. but probably could with relative ease.

 

      So the second thing to know is that before the attack on the DNC, the Russians went into the State Department, the Joint Chiefs of Staff, and the White House unclassified systems and fought the NSA, in the case of the White House, for two weeks as the NSA tried to oust them from those systems, not because they were getting anything terribly valuable out of the Obama White House unclassified system, but because they just wanted to show that they could get in and stay in. It was kind of a "we can live here, too" message.

 

      So then comes along the Democratic National Committee as a big target. Well, one of the Russians learned from one of their earlier attacks that they had paid no price for going into the White House and the State Department and the Joint Chiefs of Staff, that they hadn't even been named publicly. So why would they think that there would be a high cost around going after the Democratic National Committee, which is in the end a sort of perpetually underfunded politically organization that's largely staffed by college kids, right?

 

      So they go into those systems. As I describe in the book, the NC had been warned about their cyber vulnerabilities but didn't have the money or didn't think they had the money to go cure them in 2016. The RNC computers were also attacked, not directly but through a contractor they used in Tennessee. This was all reported out later by the FBI. Didn't seem like they got very much that was of interest there. The difference in the DNC hack was that while people initially thought that this was just a scoop up data operation, an espionage operation, it turned, of course, into a doxing operation; that is that they made the emails, particularly the most embarrassing emails, public in an effort to try to sew chaos. And that's been the big difference.

     

      And then, of course, after the election we learned about the Facebook ads that the Internet Research Agency turned out. Again, it's very hard to measure whether any of those changed any votes. Have to assume that some of them did, but you'd have to crawl inside the minds of hundreds of thousands, if not millions, of Americans to know how effective those were.

 

      You asked about election security itself. It's hard to hack the American election system because it's so spread out among so many different states. But there are a handful of states that have no paper backup, and you don’t want to be in any election system where you can have a good audit trail later on if there's a dispute. That's why it was important yesterday, just yesterday, that a judge issued a judgment. There had been an effort to try to force the State of Georgia into not using touchscreen systems that have no paper backup, and while the judge wouldn’t do it ahead of the midterms saying there'd be too much chaos between now and less than two months from now, the judge did say that Georgia's got to change its system. And it's not the only one.

 

Wesley Hodges:  So, David, it looks like this technology has a good analogy for it which is lock picking and code breaking in that -- I'm curious, are we trapped in an endless game of cat and mouse to where we improve one technology only to get bested by another to only get then reversed besting that?

 

David E. Sanger:  Well, if we did, then we're going about this wrong. One of the big concerns I have is that when people hear the phrase cybersecurity, they're thinking all about technological solutions to this and rarely, even in the case of state-on-state action, about political solutions. And we know what happens when you get into the technology race. We saw it happen with nuclear arms, which are usually a pretty bad analogy with cyber, but we built nuclear missiles; the Soviets built nuclear missiles. We built ABM systems; they're building systems to try to defeat ABM systems. You get yourself onto an escalating cycle that you frequently can't get off. There's always going to be an element of that to cyber.

 

      But one of the big questions we have for these state-on-state conflicts is is there a form of arms control we can turn to? And here, nuclear is not terribly useful because there were some few states that had nuclear weapons. There were two big ones, the United States and the Soviet Union, and because the chances that you could have so many other outside actors was pretty low. It was pretty much states had a monopoly on the technology. In cyber, if you reach an arms control agreement, what would you do to cover those freelancers that you asked me about before? How would you handle companies that are attacking their rivals? None of that was a case in traditional arms control cases.

 

      There is an argument to be made, and I think people like Brad Smith at Microsoft have made this case and Siemens and some others have, that maybe the way to go is a sort of digital Geneva Convention. The Geneva Conventions were of course designed to protect civilians, and we may well want to protect systems that we think should be off-limits to hackers—election systems, electrical grids that might support hospitals or nursing homes or emergency communication systems. So in other words, protect the most vulnerable. The problem with this is that no state wants to limit its own options, including the U.S., to attack an adversary using a cyberweapon that they think might achieve their goals without firing a single shot. So it's been very hard to get states to even begin to have the conversation.

 

Wesley Hodges:  It's interesting that you mentioned Microsoft and Brad Smith, there, on a digital Geneva Convention. What do you think the prospects are for a civilian corporation-led effort to build a framework of principles to restrain actions in cyber conflict, such as election interference and other things like taking advantage of your smart refrigerator, things that can harm the individual civilian and aren't necessarily tied into the major options of the world powers?

 

David E. Sanger:  Well, you've seen companies at the forefront here because they feel like they're the ones being victimized. You've not seen governments get involved in that discussion very much. There was one effort that was interesting, and I could start at some cyber norms of behavior at the United Nations at something called the Council of Experts, where there was general agreement on avoiding intellectual property theft, not attacking the kind of civilian systems we've discussed in peace time. The theory is in war time, all bets are off. While that effort had a little bit of momentum about a year and a half ago, it has really begun to lose altitude in recent times because the Chinese and the Russians, among others, have not really wanted to play. And frankly, the U.S. intelligence agencies aren't that enthused about it either.

 

      Let me give you an example. The book describes a planned operation against Iran called Nitro Zeus, which was the code name for how we would unplug Iran if we had gotten into a full-scale conflict with them that fortunately was avoided in the 2015 Nuclear Agreement. But imagine that we had a proposal by the United States to avoid getting inside each countries' infrastructure and turning off their electric power to avoid hurting civilians. I suspect the intelligence agencies would come back and say, "Wait a minute. Do you really want to keep the president of the United States from having the option of unplugging Iran rather than attacking it in a full-scale war? Supposing we told you that we could win a conflict with a foreign country without ever firing a shot." So my guess is that among those who would object to a digital Geneva Convention is the U.S. government itself. It hasn’t said one way or the other, and this is an area where we've had a hard time getting the Trump administration to talk very much about where they're headed.

 

Wesley Hodges:  So I guess following up on some of these tech titans, you mentioned Microsoft wanting to create a digital Geneva Convention, what if these companies said, "You know what? We're tired of being the victims here. We're tired of these appeals from our governments, from other governments, for access to their networks." What if they just closed their doors? How much of an effect would kind of a firewall from our tech titans -- how much would that effect the cyber conflict realm? Could the governments go on with most of their efforts?

 

David E. Sanger:  You can't close your doors because the entire concept of the internet is that it ties people and countries together and ties business together. So most of our rules in trade, in most conventional arms, imagine the boundaries of the U.S. government as the area that we can protect and wall off. You've certainly seen those efforts in the Trump administration and everything from immigration to the kind of tariff barriers the President has been imposing on the Chinese.

 

      In the world of electronic interchange, borders mean nothing. I mean, think about this, the Watergate burglars to break into the Democratic National Committee had to physically jimmy open a door and then they had to break into file cabinets. That was 1972. When the Russians went after the emails in the DNC's servers, they never had to leave Red Square. And the idea that we're going to cut off our internet from the rest of the world is as ludicrous as the thought that you're going to cut off your cell phone service from the rest of the world. It's just not going to happen.

 

Wesley Hodges:  Thank you, David. In your book, you referenced that there are seven main leaders in the cyber conflict realm. That includes the U.S., Russia, China, Britain, Iran, Israel, and North Korea. Would you say that our country has a lead when it comes to cyber technology? How competitive is this realm right now?

 

David E. Sanger:  Well, the United States invented the internet and the United States has been out ahead in offense of cyber even though it doesn’t discuss it very much. So it does have a lead. But it's not a very big lead. You know, history tells us here that the kind of technological leads that we believe we have don’t last all that long. You know, the Wright Brothers invented the airplane, but it didn't take very long for the Germans and everybody else to fuel planes before we did in World War I. We believed in 1949 that we had a big lead in nuclear weapons until the day that the Soviets tested, and then the Chinese had them by the early 60s, and the Indians and Pakistanis in the 70s, 80s, and 90s, and of course our allies. Israel developed its weapons by the 1960s. And that was with something that was harder to do. And as I mentioned before, there are now nine nuclear states that we're aware of, nuclear armed states.

 

      In the world of cyber, there are probably 35, maybe 40 states now that have the capability of launching a sophisticated cyberattack, and that's up from just a handful five or six years ago. So it tells you how quickly this technology can be exploited.

 

Wesley Hodges:  Thank you, David. Would you say have we seen actual cyberwar yet? What would you say is a landmark example of that conflict?

 

David E. Sanger:  We've not seen any full-scale war, where you have attack, counterattack, escalation and so forth. We've seen a lot of short-of-war efforts, and you have seen some attacks that if they were done to us, we would probably view as war. So think for a moment about Olympic Games, the American attack on the Iranian nuclear enrichment plants, and then turn it around the other way. If we discovered that a foreign power had gotten into our nuclear infrastructure, we might well have to have a debate "was this an act of war that requires a military response?" So far for every attack the United States has seen, has absorbed itself on the financial institutions, on Sony, on the Sands Casino in Las Vegas, which was attacked by Iran, by the Russian attacks that I just described, including the activity in the election, we've always said the way to deal with it is either with counter-cyberattacks, with sanctions, with some kind of diplomatic protest and so forth. But so far we haven't seen an escalation to full-scale war. That's good, and our hope is to try to keep it that way. But the reality is that the next time there's a major conflict in the world, the first shots will be fired using cyberweapons because the first thing that states will do is try to paralyze their adversaries and hope for a very quick win. And that's the best way to go do that.

 

      And that's reflected to some degree in President Trump's new Nuclear Posture Review, which came out earlier this year, where for the first time it said that the United States reserves the right to use nuclear weapons in response to a devastating non-nuclear attack on its infrastructure. Well, there are some ways other than cyber to do that, say biological weapons. But by and large, that was a threatening a possible nuclear response to an overwhelming cyberattack.

 

Wesley Hodges:  Thank you, David. Perhaps you can share your perspective on this with us. Say there was a large-scale cyberattack in a city in America. What would a civilian, say in a suburb of that city, experience in such a case?

 

David E. Sanger:  The first message of the book is there's a reason we haven't seen these large-scale attacks because the states are trying to keep this at the sub-war level. If you took out all of the electricity from Boston to Washington or L.A. to San Francisco, it would be seen as an aggressive military event once people concluded that it was, in fact, a cyber event and not just an accident. Remember there was a big blackout on the East Coast a number of years ago that turned out to be caused by a bunch of squirrels that tripped one system and that system tripped others and it resulted in a cascade of events. One of the first things people would be trying to figure out is was this really a cyber event or was this a squirrel event, okay? And a really well-executed cyberattack is designed to make it very hard to answer that question.

 

      So when the United States went after the Iranian centrifuges, they did it in such a way to mimic failures in the centrifuges that frequently happen for other purposes, leading the Iranians to wonder did they design their centrifuges wrong. Did they make engineering mistakes? Was there an insider? And so these were all hard questions that a good cyber actor is trying to make harder to give them some time and avoid counterattack.

 

      Your question was what would a massive cyberattack look like? And, look, those have been envisioned by Hollywood since Die Hard movies that came out 10 years ago, in which you saw first cascading effects in the electric grid but then follow-on attacks that are meant to sew other chaos. So as soon as auxiliary backup systems came in and generators and so forth, a second wave of attacks to take those out. And this is exactly what we saw in Ukraine where first they turned off the power and then they turned off the capability of the first responders in the utilities in Ukraine to respond to it. When you go to simulations that the U.S. government and the utility industry do about attacks on systems, it's frequently a combination event of a cyberattack on the networks and a physical attack, say snipers who come out to shoot at some of the facilities and substations. And then, of course, you can't bring experts in to solve the cyberattack because the roads have been closed off to go deal with the physical attack.

 

      So you can't think of a cyberattack completely in isolation. It would be most effective in combination with more traditional military or sabotage techniques.

 

Wesley Hodges:  You mentioned, David, a couple of minutes ago that our government is not very forthcoming about its secrets in cybersecurity for obviously many good reasons. You've also mentioned that other authors have breathlessly stated or complaining that officials aren't paying enough attention to the problems you describe in the book. Can you speak more about this dynamic of the silence and about the public appearance of complaint, of not divulging much in this subject to the public?

 

David E. Sanger:  So one of the big arguments of The Perfect Weapon is that we've gotten to the point where the secrecy surrounding cyber by the U.S. government is actually undercutting our own ability to deter cyberattacks and to keep us safe. Now, why would I say that? Because frequently the first instinct is let's keep all of our cyber capability secret. Well, if you keep all of it secret and you don’t show a willingness to go use it, you've undercut the determined effect that comes from making a cyber actor think "what happens if I wake them up enough that they're going to go counterattack to me?"

 

      Now, frequently the answer to a cyberattack is not in the cyber realm. It doesn't make much sense to do a counter-cyberattack on North Korea since North Korea has fewer IP addresses, Internet Protocol addresses, than most city blocks in a major American city. So they can attack us because we're one of the most wired societies on Earth and we have a hard time attacking back in a cyber way because they're one of the least wired societies on Earth. But part of the difficultly that I'm arguing about and I argue in the book is that our unwillingness to both admit to cyberattacks on our facilities and to explain what our own cyber capability is, what we're willing to attack, and the limits of our use on this have made it hard both to deter bad actors and to set some of these norms about what should be on and off limits.

 

      Now, it's not surprising that cyber capability has been kept secret. It's largely a weapon designed by the intelligence agencies and the intelligence agencies are naturally secretive. I get that. But there is a major assumption that you need to keep all of this secret when in fact at times that can get in the way of our own ability to deal with our adversaries and perhaps deter attacks on the United States.

 

Wesley Hodges:  David, do you think that we are giving, I guess, too much of the benefit of the doubt to the government on this front? Not enough? Maybe just a couple more comments on that.

 

David E. Sanger:  Well, my biggest concern is that we're not having the kind of big, strategic debate about how we want to use these weapons that we certainly did have back in the nuclear age. Think about what happened after nuclear weapons became part of the U.S. arsenal. We started off with MacArthur wanting to use nuclear weapons against the North Koreans and the Chinese, General Eisenhower, then-President Eisenhower, saying that nuclear weapons were just another bullet in the arsenal. And we ended up with a big public debate that 20 years later ended up including we're only going to use nuclear weapons as a matter of last resort only to save the state, and that by and large we would not be a first user of nuclear weapons. That's a big change that came out of big public debate.

 

      We have not had that in the cyber realm, in part because the subject matter seems too complicated to a lot of people, in part because the physical effects of cyberweapons are nowhere near as dramatic as they are with nuclear weapons, in part because you can dial cyberweapons up and down. It's like they're run on a thermostat not on an on/off switch in a way that you never could with nuclear weapons. I mean, you either detonate a nuclear weapon and end the life of a city or a country, or you don’t. Whereas with cyberweapons, you can target them and you can turn them up and down. And so we've never had the argument about whether or not this is a weapon we really want to go make use of, and how and when we want to go make use of it.

 

Wesley Hodges:  So, David, one of the best uses of your book is just as a one-stop-shop to understand the cyber environment right now, and like you said, encourage that debate to happen on what are the proper uses of cyber tools. And for our listeners today and for the podcast that we're recording, for anyone that reads your book, David, what would you want them to come out with no matter what? What's that message that they should know?

 

David E. Sanger:  Well, the main message they need to know is this is not just a technological problem; this is a geopolitical problem. All states, large and small, have access to cyberweapons. 35 or 40 of them know how to use them in a sophisticated way and a half dozen to a dozen are already using them in a sophisticated way. And yet, we're not having an equally sophisticated discussion about how we want to control this technology, or even the degree to which it can be controlled. What we do know is that we're more and more dependent on these networks to run our daily lives, far more dependent than you would think. After all, people are buying internet connected refrigerators. I can't quite figure out what I'd do with an internet connected refrigerator but maybe if it told me to eat less. But it gives you a sense about the degree to which this technology has all come together to run our daily lives. And just think about how much time you spend on the networks on your phone and your computer and you see the connection there.

 

      And yet, you're not seeing any sophisticated discussion, or very much sophisticated discussion, outside of the computer industry itself, the security industry and so forth about what's on and off limits. And the major theme of this book is this a geopolitical crisis of the kind of that we had in the early days of nuclear weapons, in the early days of controlling chemical biological weapons, in the early days of the airplane—a technology like cyber that was developed for good purposes and got turned to war purposes, and we need to be able to have that debate. I mean, you can't do that unless your governments are willing to engage and unless you've got a citizenry that understands the range of uses of these weapons.

 

Wesley Hodges:  Thank you, David. It doesn't seem like we're going to become Luddites anytime soon. And like you said earlier that we're very much in a World War I phase, chances are this is only going in one direction. And as you also mentioned anonymity is not changing. The cost is probably going to get cheaper to access and utilize these tools. The number of countries 35 is probably going to advance even more day by day. So the timing of this book is certainly pertinent, and I encourage everyone on the call and everyone listening to this podcast to buy a copy.0

 

      So, David, do you have any final remarks for us before we finish our conversation today?

 

David E. Sanger:  Well, only to thank you for giving me this chance to talk a little bit about this, and for people to think about what it is that makes cyber so different from the weapons systems we've seen before that we've tried to control before. And the answer is that while most such systems have been in the hands of the military or the intelligence agencies, this is a system in which we are dependent for each day of our lives, and are dependent more and more each year. And so it's a far more complex question about how we control the misuses of this technology without impeding our own increasing dependence on it. If you want to be completely secure against cyberattack, move to an internet-free log cabin in the middle of Montana in the woods and seal yourself off from the rest of society. But that's not likely to happen. What's much more likely to happen is we're going to go more and more dependent on these systems, and that's why it's all the more vital that we figure out how to control the attacks on them, the misuse, and increasingly the state use of cyber as a weapon before these take over more of our daily life.

 

Wesley Hodges:  Thank you very much, David. Again, our guest today is David E. Sanger and the book that we are discussing is The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age. I encourage everyone to pick up a copy for yourselves, for a friend. You can find it on Amazon. David, thank you so much for being with us here today.

 

David E. Sanger:  Thank you, Wes. I really enjoyed the conversation.

 

Wesley Hodges:  It is mutual. On behalf of The Federalist Society, I would like to thank you for the benefit of your valuable time and expertise. We welcome all listener feedback by email at [email protected]. Thank you all for joining. This call is now adjourned.

 

Operator:  Thank you for listening. We hope you enjoyed this practice group podcast. For materials related to this podcast and other Federalist Society multimedia, please visit The Federalist Society's website at fedsoc.org/multimedia.