War, Sabotage, and Fear in the Cyber Age with New York Times Reporter David Sanger Part 2 - Ep. 88
Part II: New York Times reporter, Pulitzer Prize winner and best-selling author David Sanger discusses his latest book, soon to be an HBO special, "The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age", which focuses on cyberwarfare. This week gets to David’s list of things we must do when it comes to cyberwarfare and his take on the security of the upcoming elections.
Episode Table of Contents
- [00:30] Who is David Sanger
- [06:17] The Great American Capability Revealed
- [13:47] The Only Effective Element
- [20:35] David Sanger Talks About the Upcoming Election
- About Our Guest
Who is David Sanger
Carolyn: This week, we continue our conversation with David Sanger, New York Times national security correspondent and a senior writer. In his 38-year reporting career for the New York Times, he's been on three teams that have won Pulitzer Prizes.
Carolyn: He's a two-time bestseller on foreign policy and national security. This week our conversation goes back to his latest book, which in the fall would be an HBO documentary, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age. We get to David's list of things we must do when it comes to cyberwarfare. And get his take on the security of the upcoming elections.
Carolyn: David, in my mind I have simplified and reduced the damage of major breaches such as Snowden down to the leaked documents, but after reading your book, I believe it is a lot more than that. Can you talk about the damage of a breach beyond the documents themselves?
David: There are several. First of all, we've all gotten inured to the letter that you get. You probably got one after OPM saying, "Your data has been breached. I've given you a year's worth of free data breach insurance."
The Subtle Approach of Data Manipulation
Eric: Only if you are a government employee. You just get notified if you were not. I got more with Equifax, Home Depot, and a couple of others than I got from the OPM breach.
David: Well, in the OPM breach, it was a ridiculous letter anyway. They never mentioned that it was China, something you might want to know. As if Xi Jinping was interested in your Visa card, Eric. He's got enough cash to keep himself going for a little while. It told you the government wasn't even thinking correctly.
David: At least in their public outreach to you about what the importance of this breach was. Carolyn, you've raised a really interesting question. The daily breaches just make you feel vulnerable all the time. That's one thing. The data manipulation, that's the stuff I worry about because they're much more subtle.
David: If you redirect that missile, you’re probably not going to discover that your missile has been redirected until you've launched it. If you change that database in the Pentagon with the blood types, you're probably not going to discover that the blood types have been changed until someone dies. That's worrisome.
David: On the offensive stuff, it's great that the United States is figuring out how to make use of this new technology. If everybody else is doing it, we have to. But we are nowhere right now in setting international standards about what's off-limits and what's not.
David: If we want to say let's sit down with the Russians, the Chinese, maybe a few other big actors and come to some sort of arms control agreement that says, what's off-limits, guys? Power grids. Because if you turn off the power, it's probably going to kill people.
An Attack on Our Every Fiber
David: It's going to kill people, particularly the most vulnerable. People at hospitals, people in nursing homes, people who are shoved into their houses.
Eric: Even people who need food. At some point, the food supply system in a couple of days shuts down.
David: If you saw runs on supermarkets just with the early days with coronavirus, imagine what you would see there.
Eric: We had information, we had power, we had the ability to keep the food at home. It was a great drill, but it was only 20% of the real problem in my opinion.
David: What's happened here now is that if you want to get the arms control agreement, you have to say, okay. We're going to give up attacks on the electric grid. How about election system? Should we all agree that we won't attack election systems? Anyone wants to sign up for that? So forth and so on.
Carolyn: That was where we saw Obama finally say, "You know what? This is an attack on our very fiber."
David: If you can't hold free elections, the core of democracy is undercut.
Carolyn: Didn't we already try this and nobody else got onboard?
David: No, actually the UN tried it. A bunch of countries got onboard early on and then began to walk away. But think about us, supposing you took those proposals to the intelligence agencies. The first thing they might say is, “Then what do we do?”
David: Like no attacks on electric grids? Has anybody briefed you on Nitro Zeus?
The Great American Capability Revealed
David: It was the secret US plan to take out the Iran power grid if we got into a conflict with them in hopes that we wouldn't have to bomb them. It might actually save lives.
Carolyn: That's scary too because doesn't our enemy now have the playbook on Nitro Zeus?
David: Our enemy may, but our enemy knew that we were capable of turning out their power grid. When I hear people say, "Oh, you've revealed a great American capability." The first thing I say to them is I'm perfectly willing to hold back on publishing something that we have reason to believe the Russians, the Chinese, the Iranians, the North Koreans don't know about.
David: Turning off power grids? They've figured that one out. By the way, Stuxnet, which I wrote the first big pieces about how the U.S. government got at it. What tipped the Iranians off to the existence of Stuxnet? The code leaked because we and the Israelis made a coding mistake, or one of us did.
Eric: It's interesting. In cyber, there's almost an equivalency between nation-states at this point. You could argue we're slightly ahead of the Russians or the Chinese and have many more people and more capability and more time on their hands, whatever it is. There's a general equivalency, yet we as a nation have the most to lose.
Eric: That's where we should be incentivized to come to some level of assured deterrence. Because it doesn't get any better for us. We have absolutely the most to lose in my opinion. David, you talk about that in the book. The five things the government must acknowledge as getting to some level.
Achieving a Semblance of a Balance of Power
Eric: I don't know if I call it peace or I don't know what you'd even call it.
David: What I get in the book are the things that we need to do to get a semblance of a balance of power. Look, this is hard. In the early days of the nuclear age, we thought we had a huge lead. Then we woke up one day and the Soviets had just conducted a nuclear test. And then the Chinese did, and then, of course, France-Britain had it. That was fine with us, but then India, Pakistan, Israel got it.
David: We got to a point now where there were nine states that either have declared or undeclared nuclear weapons capability. We have at least 35 states and probably closer to 40 or 45 that have sophisticated cyber capability. Yet, we're acting as if because we've got the latest and greatest, it's not really an issue. I don't get that.
Eric: That's your premise number one. Essentially our cyber capabilities are no longer unique. They're certainly not unique enough to be a difference-maker.
David: Number two issue that you've got to think about is if you believe that you've got a lead but it's diminishing, isn't it in your interest to get to those understandings and agreements and your deterrent capability first? Because as that lead goes away, that vanishes to nothing, nobody else is going to sign up.
Eric: Your negotiation power weakens over time as your adversaries become stronger. This is a hell of a lot cheaper for them to attack or to leverage than buying kinetic weapons.
A Public Health Problem Turned National Security Problem
David: The third thing is we've got the focus of how we spend money on defenses completely wrong. COVID's taught us in the past few months that what we thought was just a public health problem is actually a national security problem. We sent the Pentagon and the NSC, the National Security Council, and others to think about biological weapons that would get dropped on the United States.
David: And we didn't think about the dangers of tourists coming back from Wuhan or teenagers on spring break. Whether or not it can have the same effects. In the cyber realm, we're guilty of the same thing. We are spending the overwhelming amount of our defense budget on weapons systems we will never use. That does not give us a whole lot of defenses.
David: We are spending far too little money but I would argue more importantly, far too little mind share on the vulnerabilities created by things like cyber. Which as you say, Eric, are so cheap. It levels the playing fields for governments that couldn't spend a hundredth or a thousandth of what we spend on our military.
Eric: You often hear about the saying where the military is fighting the last war. One of the things you observe is the people who are in power who are making decisions, they came up through the first Gulf War where there was essentially no cyber or before that.
Eric: They don't have the context, the framework that some people would to understand how the battlefield is shifting. The next war is absolutely going to have cyber. It'll probably have space. We've never had a war in cyber or space, like an all-out declared war.
David Sanger Unpacks the Complexities of Not Naming the Attacks
Eric: That's going to be challenging to us. We have aircraft carrier battle groups everywhere that are ineffective to stop an attack on our power grid.
David: That’s absolutely right. There’s no major military plan for any major military power that doesn't have cyber built into the first 24 hours. That makes a huge difference.
Carolyn: One of your points too is just that we've got to get better with attribution. Like you've said a few times, name who did these attacks. But in your book, you also unpacked the complexities of why we're not naming because then we reveal how we know that it was them.
David: This is a piece of thinking we need to change. That we want to name everybody because you're not going to create your deterrent effect. You're not going to create international alliances that sort of form up against the Russians or the Chinese, the Iranians, the North Koreans, whoever the cyber actor is unless you're willing to get out and attribute the attack.
David: There's only one offender on this that's worse than the U.S. government. I have to give credit to the Trump administration. They’ve done a better job of getting out and naming countries that attacked. They named North Korea on WannaCry, they named Russia on NotPetya. They've done a better job than the Obama administration did on that.
David: They'd been disorganized in the way they've thought about cyber. I think they did well and did it early on. They actually dismantled a pretty good cyber team that they had at the beginning of the White House. That team did get this together. The group that's worse is Corporate America.
The Only Effective Element
David: You guys see this all the time I'm sure. The first time there's a big attack on a company, the first thing the company thinks is how do I hide this from everybody? Because it will undercut confidence in the company.
Eric: And my stock price.
David: The only effective element against this has been the Securities and Exchange Commission. It has required companies to disclose attacks that are big enough that they might actually be material. But companies spend a lot of time figuring out how to hide it. If I was running the world, I would actually require companies to reveal significant cyber attacks.
David: The penalty being that if they fail to do so, jail time for senior executives. That's the only way that you would actually get a real understanding of the nature of the problem. If companies knew they had to reveal it, they would then spend the money to keep it from happening.
Eric: You also have to prevent them. There has to be a regulatory component that prevents litigation also. That's a big fear. You've got to open up things like access to data. Can they allow the government in a healthcare breach to have access to HIPAA data? Who can? There are so many components, but we can do this.
David: The government has access to HIPAA data anyway. It's called Medicare. I mean, we've got tons of access to the data that the U.S. government has anyway. I think there are ways to do it.
Eric: When you're in the middle of this crisis as a corporation, I've seen this. I've watched it from both the government and the corporate side and the interfacing. There's just this unknown and you're in this time crunch.
Five Things David Sanger Recommends the Government to Acknowledge
Eric: You're working and you don't know, can I bring in an SA? Can I bring in DHS? What's the impact of that? Then FBI comes in and who's in charge? It gets very squirrely very quickly. Then what do you tell the board, and how much do we disclose, and when do we disclose?
David: But they've got to disclose. There are a lot of small attacks you don't have to worry about each time. If there's something that's a significant breach, you're not going to begin to get to the deterrent effect until it's revealed. You're not going to get companies to actually spend the money they need to spend on resilience. Not stopping the attack, but recovering from it.
Eric: What we've seen with Sony and Equifax and Starwood, they've all recovered. The share prices have recovered. All of these companies have come back. It's a ding on the risk side. It definitely costs them money and some prestige, but they come back.
Carolyn: David, there are so many things I want to keep talking to you about like quantum computing.
Eric: Did we get through the list of five things that he recommends the government must acknowledge? We talked about attribution. David, you talked about rethinking the wisdom of reflexive security around our capabilities. Want to amplify that a little bit?
David: The more that you explain your capability, the more you're actually going to have some deterrent effect out of it.
Eric: You attack me. This is what I'm capable of doing back.
David: We did this in the nuclear world. Before I went to write this book, I reread a book I had not read since college.
How Nuclear Weapons Changed Our Way of Thinking About Strategy
David: College was a little while ago, and it was called Nuclear Weapons and Foreign Policy. Henry Kissinger wrote it. It’s the first popular book for the American public about how nuclear weapons changed the way we had to think about strategy. Just as cyber changes the way we have to think about it.
David: I went to see Kissinger just as I was getting going on the writing. And I explained to him what I was doing. He looked at me and he said, "Oh, David, cyber is so much more complicated. Because in the nuclear world, we knew the small number of countries that had the capability. We knew the names of everybody who had launch authority. That's all missing in cyber."
Eric: The world needs to set up norms of cyber behavior focused on principles. It’s kind of how I summarized it.
David: This gets back to what I was describing before. You need to be able to have some principles about what you're not willing to do during peacetime. Then what you're willing to do in wartime, which might be a different list. Get people to sign up to it the way we've signed up to arms control on nuclear weapons. Also the way we've agreed to ban almost all use of landmines.
David: We don't want them planted and kids to step on them a generation later. The way we all agreed on biological weapons, the way we all agreed on chemical weapons. Have there been breaches? Absolutely. But by and large, those systems have worked. There's no immediate evidence that they wouldn't work in the cyber realm if you get the attribution piece of it right.
Setting the Norms and More Forums About Cyber Security
Eric: This is the tough one for me. You just named a bunch of examples where it mostly works, but it's not 100%. My mentality always wants 100%.
David: You're not going to get 100%.
Eric: That's what I have to get used to.
Carolyn: There are always workarounds. Just like how China has come in and just bought shares in companies, so they get to see the tech first. That's how they've worked around not being able to own these companies.
Eric: From an espionage perspective, yes, and maybe even sabotage. You're absolutely right, Carolyn. But the one thing as I thought about this and I thought about it the first time I read the book. I thought about it as I was preparing for this discussion.
Eric: At least if we get to number five, we set up norms, we're communicating. We have a forum. I thought more and more about it. I don't know of any really good forums today where we're discussing cybersecurity. Or cyber attacks with foreign nation-states other than to the press.
David: We're doing it at the United Nations ineffectively.
Eric: That's probably the best I could come up with.
David: There are some well-meaning, but largely academic run operations there. It's a group of experts that meet there. There are some other efforts done in the private sector to get it going. But it doesn't have the energy behind it that we had behind those other examples, nuclear, biological, chemical, and so forth.
Eric: Nor the constraints.
David Sanger Talks About the Upcoming Election
Carolyn: I would love to hear you talk about the upcoming election and the possibility of securing it, David.
David: It's something we're spending a lot of time on. It will be covered in that HBO doc that I mentioned as well. One of the big changes in the election this year is that we're thinking a lot more people are going to be casting ballots. Basically by what we used to call absentee ballots, but you may not be absentee.
David: It may simply be that you don't want to take the virus risk of standing in line in the school gymnasium or church. Or some kind of government office and waiting to press your fingers on a polling machine. The last 150 of your neighbors came in and pressed their fingers on it as well. The good news about that is it will force us to more paper backup, which is great.
David: The bad news is, once you’re in the world of doing a paper ballot from home, a mail-in ballot, you’re more dependent than ever on the integrity of the registration system. Because it's that registration system that is used to send out ballots to your house. To make sure that it's up to date and that you're not sending it to somebody who used to live there.
David: That you recognize that one of you may have changed states in the past four years and so forth. We're worried about that registration system. In 2016, the Russians grabbed data out of Arizona and Illinois out of their systems. We then thought that they were into 21 states. Go into the Intelligence Committee's report on the 2016 election, they now believe the Russians were inside all 50 states' registration systems.
A Perception Hack
David: That doesn't mean that they messed with it. We have no evidence that they messed with it. But it doesn't take messing with all of the registration systems.
David: If I can get into a couple of key counties in a couple of swing states and mess with that. I will have conducted what's called a perception hack. This means that you will assume that every other county has been messed with also even if it wasn't.
Eric: Then you question the credibility of the election and that gets to the root of it.
David: What are you hearing President Trump do already?
Eric: Questioning the credibility.
David: He's already said, "This will be the most rigged election ever." Now, if there's an overwhelming vote one way or the other, if Joe Biden wins in a blowout or if Donald Trump wins in a blowout, I don't think it's a particularly big issue. If it's a close election, and most of our recent elections have been close, it could be a huge issue.
David: What I say to that is this, we've been worried about the election machines. I'm a little bit worried about the election machines. But the biggest protection we have on our election machine infrastructure is that it's different in all 50 states. Hacking into that system would require you to have a different hack in all 50 states.
David: Actually every county is different. Some cities are different. The fact that our system is so disparate, so backward, so half analog, half digital, it's actually a form of protection. The registration system worries me because that's the outward-facing part. I can go on a public website. I can go in and attempt, if I was a skillful hacker, to do a ransomware attack.
Why It's Critical to Have Multiple Backups on the Registration System
David: Remember what happened in Atlanta, in Baltimore, in all those cities and towns in Texas last summer. There were ransomware attacks, criminal, not state we think by and large. They just jammed up the system so you couldn't get any data out of it. You couldn't pay your taxes, you couldn't go apply for a building permit, you couldn't pay your parking fines.
Eric: They just shut them down.
David: They've shut them down and issued a ransom demand. That's why it's critical that every city, town, state have multiple backups of their registration system. Print it out, analog version as well as a digital version. DHS has been working really hard on solving that problem. But we don't know how broad and effective that has been. We probably won't know until election day.
Eric: That goes back to your red line that you talked about. Some level somebody's got to draw that.
David: Count the number of presidential speeches you've heard in the past four or eight years on that topic.
Eric: I bet there are dozens.
David: I come up with zero. Presidential speeches warning foreign states not to mess with our election system.
Eric: I'm with you, on the election system.
Carolyn: I'm going to go back to the hopeful note that our systems are so archaic and out of date that we've got some protection there.
David: Let's hope so.
Carolyn: Thank you so much for joining us, David. This has been just a fascinating conversation.
David: This is great guys. I've enjoyed it. I will happily come back when we have our documentary out. We're a little closer to the election. We can pick it up then.
About Our Guest
David Sanger is a national security correspondent and a senior writer. In a 38-year reporting career for The New York Times, he has been on three teams that have won Pulitzer Prizes, most recently in 2017 for international reporting.
His latest book, soon to be an HBO documentary, The Perfect Weapon: War, Sabotage and Fear in the Cyber Age, examines the emergence of cyber conflict as the primary way large and small states are competing and undercutting each other, changing the nature of global power.
For NYT, Sanger has served as Tokyo bureau chief, Washington economic correspondent, White House correspondent during the Clinton and Bush administrations, and chief Washington correspondent.