Episode Table of Contents

• [00:53] War, Sabotage, and Fear in the Cyber Age
• [05:56] Cyber for Espionage Is a Prevalent Fear in the Cyber Age
• [11:36] A Crippling Cyber Attack
• [17:50] The Incompetence of the US Government
• About Our Guest

War, Sabotage, and Fear in the Cyber Age

Carolyn: This week, our guest is David Sanger, New York Times national security correspondent, and a senior writer. In his 38-year reporting career for the New York Times, he has been on three teams that have won Pulitzer prizes.

He's a two times bestseller on foreign policy and national security. This week, our conversation is about his latest book, which in the fall will be an HBO documentary, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age. Welcome, David.

David: Great to be here with both of you.

Carolyn: Thank you so much for being here and today we're here to talk about your latest book, which in the fall will be an HBO documentary. It's The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age. I want to turn it over to you, Eric, to kick us off.

Eric: I thought I'd kick it off with a reading quickly from the afterword of the book, which I just found incredibly striking. It's actually a General Paul Nakasone's confirmation hearing in March of 2018. He's now the director of NSA. It's Senator Dan Sullivan, Republican from Alaska asking him a series of questions. I just want to read that quickly.

"What do you think our adversaries think right now? If you do a cyber attack on America, what's going to happen to them?" General Nakasone replies with, "So basically I would say right now, they do not think that much will happen to them." Senator Sullivan says, "They don't fear us?" "They don't fear us." "So is that good?" "That is not good, Senator."

The Biggest and the Best Cyber Offensive Operations in the World

Eric: That's right from the director of the NSA in his confirmation hearing. David, I'd love to kick off the interview today with a little commentary there if you wouldn't mind.

David: Sure. First thanks for having me on. Writing the book was a sort of a culmination of more than a decade of reporting in this territory for the Times. I hope you'll enjoy the HBO doc when it's out, we hope in October, just before the election. It'll take you through a lot of these issues, including the one that General Nakasone gets at there.

Which is essentially the question of deterrence, which is, if you take at face value, the American claim that we have the biggest, the best cyber offensive operations in the world. That we're the ones who wiped out the Iranian centrifuges a decade ago in operation Olympic games. What many of your listeners know of is the Stuxnet attack.

David: If we're the ones who went after the Russians in 2018 to disable the IRA. The Internet Research Agency before the midterm elections, and to go after a Russian intelligence. If we're the ones who got into the North Korean missile program, the Iranian missile program. If we put a code in the Russian power grid, as I've reported in an effort to sort of push back at them, then why are we still being attacked?

The answer to that question is, that we haven't figured out this deterrence thing. That cyber attacks happen at the short of war level. We're seeing them happen so much because no one wants to take on the US military directly.

There’s a Lot Less Drama to Do a Cyber Weapon

David: Eric, you're a veteran of all of this. Who wants to like roll up against the Fifth Fleet or something.

Eric: And why would you, if you didn't have to?

David: If you can do something as cheap and as usable as cyber. And cheap and usable are two very different things. Cheap, well, we worry a lot about nuclear weapons. I write a lot for the Times of nuclear that weapons but let's face it. To get nuclear weapons, you need uranium or plutonium. You need a billion dollars or so worth of facilities, you need enrichment, you need the years to make a bomb.

To do a cyber weapon, it's going to have a lot less drama. It's much easier to hide. You need some teenagers or millennials, some laptops, some stolen code from the NSA. God knows there's a lot of that floating around. Some pizza, some Red Bull and you're kind of ready to go.

Carolyn: That was one of the big aha moments for me, David, in your book. Any buffoon really with even just a little bit of money and a little bit of determination can cause a lot of damage. It occurred to me that even I could cause a lot of damage just with the tools that I use every day. Just with my social media tools.

David: You can, but you know, social media, Carolyn is almost a different type. When I think about cyber, I try to divide it up according to how you would use the weapon. For traditional weapons, we think differently about the dangers posed by rocks and arrows, by handguns, automatic weapons, missiles, and nuclear bombs. There's a big spectrum out there.

Cyber for Espionage Is a Prevalent Fear in the Cyber Age

In cyber, you have to think about cyber for espionage. That's really how people begin with this. Then you have to think about cyber for data manipulation. If I could change the targeting of missiles in the Pentagon's arsenal. But also if I could just go into the medical database and change the blood types of every soldier and sailor. Imagine the amount of damage you could do.

Eric: Or change on a COVID vaccine for national advantage.

David: We should come back at that. If you want to use cyber for sabotage, that's the Iran case, that's the North Korea case. That's the Sony hack where the North Koreans came in and not only revealed emails from within Sony.  That is a part a lot of people remember. What they forget is that they destroyed 70% of Sony Pictures Entertainment's computer systems.

Carolyn: I didn't realize that. I remember the emails you're right, but I did not realize what they did to their network and their computers.

Eric: It was horrible.

David: When the emails came out, we learned the important national security information that Angelina Jolie's reportedly difficult to work with on the set. National Enquirer had a great time with that. But they didn't do very much with the meltdown of 70% of the computer systems. Think what it would have taken if the North Koreans didn't have cyber. How would they have destroyed Sony's computer systems in response to their release of the interviews.

Eric: They wouldn't have stopped that horrible movie's release. They still didn't in this case.

A Really Bad Comedy

David: I often say to my kids that 100 years from now, when people say, "Grandpa, what started the war between North Korea and the United States?" The answer is going to be, "Well, you have to understand that there was this really bad comedy that came out."

But if you were going to go do this without cyber, what would you have to do? You would have to land, some saboteurs at Long Beach. Grab an Uber up to the Sony studios, hope that the tour was on. It's probably been canceled now for COVID purposes. Slip off of the tour and stick dynamite underneath the computer center and blow it sky-high.

Now, if that had happened, whoever was president, Barack Obama, Donald Trump, Joe Biden, Hillary Clinton, a Martian. They all would have had to go respond with a military response against Kim Jong-un. It would've looked like an international terrorism incident in the middle of LA.

Carolyn: I would contend what they did was more extensive than what they could have done with the scenario you just described.

Eric: And cheaper and easier.

David: And never had to enter the United States.

Eric: David, this is the problem that I get stuck on with the government customers, whether it's in the US or elsewhere. If a plane is flying over the United States, crossing our boundaries, the air force has responsibility. Somebody comes rolling across the borders, it's the army. If they're ships off the coast, it's the navy. If a foreign nation-state enters our power grid and take something down, it's DHS.

The Attack Scenario Instigated Fear in the Cyber Age

Eric: Yes. Sometimes, unless it's Duke power or a private power company, they don't want DHS or NSA or anybody else invited in because they're afraid of their stock price or something. There's nobody, there's no one throat to choke as I like to say. There is nobody that can be held accountable because there's no one entity that's responsible. Even if you get attribution down, which is tough.

David: One of the things I did in reporting for this book, they were kind enough to let me in on the simulation that once every two years, the electric power grid industry, including Duke, participates in for a mass attack on the US power grid. It was a really good simulation the year I sat in. The book came out in 2018. I was probably in, this was either December of 2017 or January of 2018.

In the attack scenario, it was a combined cyber and physical attack. You had cyber attacks happening to take out power stations in the United States. Meanwhile, you had snipers coming in and basically shooting at these facilities so that you couldn't get your computer experts in and out of the buildings to actually bring the cyber attack. Compensate for it and bring it back up, try to remediate it.

It was a really good scenario. Then there's a phone call with all of their CEOs, which the actual CEOs joined of many of the big power companies. I discovered that their response was completely disjointed from whatever was happening in the White House Situation Room. There was just no connection whatsoever.

A Crippling Cyber Attack

Eric: Let me ask you a question and this is going to sound obvious. Why would you expect it to be connected? The entities themselves don't work together typically?

David: They're getting there, they've been spending years trying to get together to work more cooperatively. I would actually have to say that the two industries that have done this the best, have been the electric power industry and the financial industry.

Those are the two that have realized that a crippling cyber attack would be the end of their business. If Bank of America or JP Morgan Chase went down in a full cyber attack, you know that you would pick your money up. Move it to someplace you thought protected it better.

They might not protect it better, but you'd probably pick up your money and move it anyway. They have been so concerned about it that they've spent hundreds of millions of dollars a year on protecting the systems. What I worry about more than that is not the Cyber Pearl Harbor, the phrase that you hear politicians use but the grinding smaller attacks.

The Russians, the Chinese, the North Koreans, the Iranians, they all realize that if you do a mega attack on the US, you're going to probably be visited by some B2s. But if you do short of war attacks, you can get away with a lot.

Eric: That's that low-grade cyber conflict you talk about. I think you call it low level, never-ending cyber conflict would just continue. Your book goes through a decade-plus of examples where it's just a little bit.

An Innovative Russian Attack

Carolyn: Which is what we've been seeing Russia do. They just get right up to the edge.

Eric: Well, Russia, China, Iran, everybody.

David: Look at what we learned last week. All of them. But last week we wrote a story about a really innovative Russian attack. We're not even sure it was a government attack. The Russians looked out and saw everybody working from home.

They said, "Okay, I want to identify employees who work for really big fortune 500 companies. I don't want to spend my time cyber attacking mom and pop stores." Okay? "I want to go right after the biggest fish in the pond."

So what did they do? They looked at who was using VPN, virtual private networks from home into work. They don't have to get into the VPN, they just have to see that that VPN is the New York Times or General Electric or Boeing. And they say, "Oh, Eric and Carolyn, they work for Boeing. So if we can get into their laptop, they will take us through their VPN."

Eric: That was a great article.

Carolyn: That's one of the things that struck me about the OPM breach. Not technically, my records were part of that breach. I thought about it for a minute and I'm like, "Eh, I'm a low-level marketer. It's not a big deal." But then you start to connect the dots and how these foreign nationals are really mapping out the soft underbelly of our workings. I might be that little thread that they might choose to pull because I do hold a clearance. They can get in with my credentials.

We’re All a Part of a Cyber Tapestry

Carolyn: It became clear to me how we're all part of this cyber tapestry that you weave for us.

David: What's really fascinating about OPM, it’s the Office of Personnel Management. It was a Chinese hack. There are a few really fascinating elements to it. First, the Obama administration never told anybody that it was China. It leaked out, we published it. But they never officially came out and did it which was a huge failure of deterrence, number one.

Number two, we have learned since that the same units that did OPM, also then turned around and did the Anthem healthcare hack. That’s what we call the Marriott hack, but it was actually on the Starwood Hotels, which Marriott later acquired. We've discovered a series of other attacks at the same time. So what was this about?

First, what it was about was collecting a great database of who's got security clearances around America. Second, to get that security clearance, both of you probably had to go fill out this incredibly long form called an SF-86. You probably hated every minute of it.

Eric: I actually go back to my SF-86 sometimes if I want to understand something or remember something about where I was somewhere.  It's so comprehensive, David.

David: It's incredibly comprehensive. What the Chinese got was not just your name and your social security number. They get your kids, your medical history, your financial history, every relationship you have ever been in. Imagine the utility of that. They get every foreigner you have ever met if you could possibly remember.

I was a foreign correspondent in Japan for six years. I'm going to sit there and list every Japanese I ever met for six years? It's incredibly comprehensive.

The Incompetence of the US Government

David: From the Marriott hack, they get where you stayed and maybe who you were traveling with. From the healthcare hack, they get your medical records. It's a pretty fabulous database and what did we discover? As I describe in the book, the CIA actually had to pull back people who they were getting ready to assign to China.

Who had been training for years to go in under some form of deep cover in China. Because suddenly the Chinese either had all their records or when they show up and announced that they're going to be the agricultural secretary in the embassy and they see that their records aren’t there. It's like why didn't they just come in with the letters CIA emblazoned on their forehead.

Eric: When they're burned for life too. An entire generation or more of assets are essentially non-existent at this point.

David: Think about the incompetence of the US government here. For your listeners, I know I work for the New York Times, everybody thinks that they're evident for Donald Trump. This happened during the Obama administration.

The incompetence here was the Pentagon, the intelligence agencies all locked down their personnel records. Nobody thought about the fact that the most boring bureaucracy in Washington, the Office of Personnel Management, held the clearance records for 22 million people.

Carolyn: Were they there because they happen to have a storage room? Am I remembering that right?

David: What you're remembering is OPM did these searches. Congress didn't have enough computer space to keep all of your records. So congress had mandated out of the best of intentions. That before you go off and you buy cloud services and spend the taxpayer's money, you go look around for empty space in the US government.

The Fear in the Cyber Age for the Total Capability of Cyber

David: So great, they found it across the mall at the Department of the Interior where we protected your clearance information with buffalo migration in Yellowstone.

Eric: It just goes to show the cost-effective nature and the total capability of cyber, whether you're doing it for exploitation or offensive actions. It's so powerful. Like you said, David, the deterrence piece. Where is the deterrence?

David: It's missing. To General Nakasone's credit, he has worked really hard on building up American deterrence efforts. One of the ways he has done that is he got the president to sign a fairly secret executive orders, it’s described in the book, in August of 2018. John Bolton discusses it in his new memoir. That begins to put more power into the hands of US Cyber Command and NSA, he commands both.

Enables them to conduct short of war operations without going through lengthy processes to get approval from the president for each strike. That stuff he did against the Russians in 2018, he did under that authority. We don't know how often he's used it, but that is good. It's particularly good because as anybody who has worked for Donald Trump will tell you, getting him to approve doing something that pushes back on the Russians is not the easiest task around.

Carolyn: There was just too much to cover with David for one episode. We're going to continue our conversation with David on next week's episode. We will get to his list of things we must do when it comes to cyber-warfare. And his take on the security of the upcoming elections.

About Our Guest

David Sanger is a national security correspondent and a senior writer. In a 38-year reporting career for The New York Times, he has been on three teams that have won Pulitzer Prizes, most recently in 2017 for international reporting. His latest book, soon to be an HBO documentary: The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age.

It examines the emergence of cyber conflict as the primary way large and small states are competing and undercutting each other, changing the nature of global power. For NYT, Sanger has served as Tokyo bureau chief, Washington economic correspondent, White House correspondent during the Clinton and Bush administrations, and chief Washington correspondent.