The Perfect Weapon
Copyright © 2018 by David E. Sanger
All rights reserved.
Published in the United States by Crown, an imprint of the Crown Publishing Group, a division of Penguin Random House LLC, New York.
crownpublishing.com
CROWN and the Crown colophon are registered trademarks of Penguin Random House LLC.
Library of Congress Cataloging-in-Publication Data is available upon request.
ISBN 9780451497895
Ebook ISBN 9780451497918
Cover design by Oliver Munday
For Sherill,
whose love and talent make all the wonderful things in life happen
CONTENTS
Cover
Title Page
Copyright
Dedication
PREFACE
PROLOGUE: FROM RUSSIA, WITH LOVE
CHAPTER I: ORIGINAL SINS
CHAPTER II: PANDORA’S INBOX
CHAPTER III: THE HUNDRED-DOLLAR TAKEDOWN
CHAPTER IV: MAN IN THE MIDDLE
CHAPTER V: THE CHINA RULES
CHAPTER VI: THE KIMS STRIKE BACK
CHAPTER VII: PUTIN’S PETRI DISH
CHAPTER VIII: THE FUMBLE
CHAPTER IX: WARNING FROM THE COTSWOLDS
CHAPTER X: THE SLOW AWAKENING
CHAPTER XI: THREE CRISES IN THE VALLEY
CHAPTER XII: LEFT OF LAUNCH
AFTERWORD
ACKNOWLEDGMENTS
NOTES
PREFACE
A year into Donald J. Trump’s presidency, his defense secretary, Jim Mattis, sent the new commander-in-chief a startling recommendation: with nations around the world threatening to use cyberweapons to bring down America’s power grids, cell-phone networks, and water supplies, Trump should declare he was ready to take extraordinary steps to protect the country. If any nation hit America’s critical infrastructure with a devastating strike, even a non-nuclear one, it should be forewarned that the United States might reach for a nuclear weapon in response.
Like most things in Washington, the recommendation leaked immediately. Many declared it a crazy idea, and wild overkill. While nations had turned their cyberweapons against each other dozens of times in recent years, no attack had yet been proven to cost a human life, at least directly. Not the American attacks on Iran’s and North Korea’s weapons programs; not the North Korean attacks on American banks, a famed Hollywood studio, and the British healthcare system; not the Russian attacks on Ukraine, Europe, and then the core of American democracy. That streak of luck was certain to end soon. But why would Donald Trump, or any of his successors, take the huge risk of escalating a cyberwar by going nuclear?
The Pentagon’s recommendation, it turned out, was the prelude to other proposals—delivered to a president who values toughness and “America First”—to use the nation’s powerful cyberweapons far more aggressively. But it was also a reminder of how quickly the fear of devastating cyberattacks has moved from the stuff of science fiction and Die Hard movies to the center of American defense strategy. Just over a decade before, in 2007, cyberattacks were missing entirely from the global “Threat Assessment” that intelligence agencies prepare each year for Congress. Terrorism topped that list, along with other post-9/11 concerns. Now that hierarchy has been reversed: For several years a variety of cyber threats, ranging from a paralyzing strike on the nation’s cities to a sophisticated effort to undercut public confidence in its institutions, has appeared as the number one threat on the list. Not since the Soviets tested the Bomb in 1949 had the perception of threats facing the nation been revised so quickly. Yet Mattis, who had risen to four-star status in a career focused on the Middle East, feared that the two decades spent chasing al Qaeda and ISIS around the globe had distracted America from its most potent challenges.
“Great power competition—not terrorism—is now the primary focus of US national security,” he said in early 2018. America’s “competitive edge has eroded in every domain of warfare,” including the newest one, “cyberspace.” The nuclear strategy he handed Trump gave voice to an inchoate fear among many in the Pentagon that cyberattacks posed a threat unlike any other, and one we had completely failed to deter.
The irony is that the United States remains the world’s stealthiest, most skillful cyberpower, as the Iranians discovered when their centrifuges spun out of control and the North Koreans suspected as their missiles fell out of the sky. But the gap is closing. Cyberweapons are so cheap to develop and so easy to hide that they have proven irresistible. And American officials are discovering that in a world in which almost everything is connected—phones, cars, electrical grids, and satellites—everything can be disrupted, if not destroyed. For seventy years, the thinking inside the Pentagon was that only nations with nuclear weapons could threaten America’s existence. Now that assumption is in doubt.
In almost every classified Pentagon scenario for how a future confrontation with Russia and China, even Iran and North Korea, might play out, the adversary’s first strike against the United States would include a cyber barrage aimed at civilians. It would fry power grids, stop trains, silence cell phones, and overwhelm the Internet. In the worst-case scenarios, food and water would begin to run out; hospitals would turn people away. Separated from their electronics, and thus their connections, Americans would panic, or turn against one another.
The Pentagon is now planning for this scenario because it knows many of its own war plans open with similarly paralyzing cyberattacks against our adversaries, reflecting new strategies to try to win wars before a shot is fired. Glimpses of what this would look like have leaked out in recent years, partly thanks to Edward J. Snowden, partly because a mysterious group called the Shadow Brokers—suspected of close links to Russian intelligence—obtained terabytes of data containing many of the “tools” that the National Security Agency used to breach foreign computer networks. It didn’t take long for some of those stolen cyberweapons to be shot back at America and its allies, in attacks whose bizarre-sounding names, like WannaCry, suddenly appeared in the headlines every week.
Yet the secrecy surrounding these programs obscures most public debate about the wisdom of using them, or the risks inherent in losing control of them. The government’s silence about America’s new arsenal, and its implications, poses a sharp contrast to the first decades of the nuclear era. The horrific scenes of destruction at Hiroshima and Nagasaki not only seared the national psyche, but they made America’s destructive capabilities—and soon Russia’s and China’s—obvious and undeniable. Yet even while the government kept the details classified—how to build atomic weapons, where they are stored, and who has the authority to order their launch—America engaged in a decades-long political debate about when to threaten to use the Bomb and whether to ban it. Those arguments ended up in a very different place from where they began: in the 1950s the United States talked casually about dropping atomic weapons to end the Korean War; by the eighties there was a national consensus that the US would reach for nuclear weapons only if our national survival was at stake.
So far, there has been no equivalent debate about using cyberweapons, even as their destructive power becomes more evident each year. The weapons remain invisible, the attacks deniable, the results uncertain. Naturally secretive, intelligence officials and their military counterparts refuse to discuss the scope of America’s cyber capabilities for fear of diminishing whatever narrow advantage the country retains over its adversaries.
The result is that the United States makes use of this incredibly powerful new weapon largely in secret, on a case-by-case basis, before we fully understand its consequences. Acts that the United States calls “cyber network exploitations” when conducted by American forces are often called “cyberattacks” when American citizens are the target. That word has come to encompass everything from disabling the grid, to manipulating an election, to worrying about that letter arriving in the mail warning that someone—maybe criminals, maybe the Chinese—just grabbed our credit cards, Social Security numbers, and medical histories, for the second or third time.
During the Cold War, national leaders understood that nuclear weapons had fundamentally changed the dynamics of national security, even if they disagreed on how to respond to the threat. Yet in the age of digital conflict, few have a handle on how this new revolution is reshaping global power. During his raucous 2016 presidential campaign, Trump told me in an interview that America was “so obsolete in cyber,” ignoring, if he was aware of it, that the United States and Israel had deployed the most sophisticated cyberweapon in history against Iran. More concerning was the fact that he showed little understanding of the dynamics of the grinding, daily cyber conflict now under way—the short-of-war attacks that have become the new normal. His refusal to acknowledge Russia’s pernicious role in the 2016 election, for fear it would undercut his political legitimacy, only exacerbates the problem of formulating a national strategy. But the problem goes far beyond the Trump White House. After a decade of hearings in Congress, there is still little agreement on whether and when cyberstrikes constitute an act of war, an act of terrorism, mere espionage, or cyber-enabled vandalism. Technological change wildly outpaces the ability of politicians—and the citizens who have become the collateral damage in the daily combat of cyberspace—to understand what is happening, much less to devise a national response. Making matters worse, when Russia used social media to increase America’s polarization in the 2016 election, the animus between tech companies and the US government—ignited by Snowden’s disclosures four years earlier—only deepened. Silicon Valley and Washington are now the equivalent of a divorced couple living on opposite coasts, exchanging snippy text messages.
Trump accepted Mattis’s nuclear recommendation without a moment of debate. Meanwhile the Pentagon, sensing Trump’s willingness to demonstrate overwhelming American force in cyberspace as in other military arenas, published a new strategy, envisioning an era of constant, low-level cyber conflict in which America’s newly minted cyber warriors would go deep behind enemy lines every day, attacking foreign computer servers before threats to the United States could materialize. The idea was classic preemption, updated for the cyber age, to “stop attacks before they penetrate our cyber defenses or impair our military forces.” Other proposals suggested the president should no longer have to approve every cyber strike—any more than he would have to approve every drone strike.
In the chaos of the Trump White House, it was unclear how these weapons would be used, or under what rules. But suddenly we are in new territory.
* * *
Cyber conflict remains in the gray area between war and peace, an uneasy equilibrium that often seems on the brink of spinning out of control. As the pace of attacks rises, our vulnerability becomes more apparent each day: in the opening months of 2018, the federal government warned utilities that Russian hackers had put “implants” of malware in the nation’s nuclear plants and power grid and then, a few weeks later, added that they were infesting the routers that control the networks of small enterprises and even individual homes. In previous years there has been similar evidence about Iranian hackers inside financial institutions and Chinese hackers siphoning off millions of files detailing the most intimate details of the lives of Americans seeking security clearances. But figuring out a proportionate yet effective response has now stymied three American presidents. The problem is made harder by the fact that America’s offensive cyber prowess has so outpaced our defense that officials hesitate to strike back.
“That was our problem with the Russians,” James Clapper, President Obama’s director of national intelligence, told me one winter afternoon at a diner down the road from the CIA headquarters in McLean, Virginia. There were plenty of ideas about how to get back at Putin: unplug Russia from the world’s financial system; reveal Putin’s links to the oligarchs; make some of his own money—and there was plenty hidden around the world—disappear.
Yet, Clapper noted, “every time someone proposed a way to strike back at Putin for what he was doing in the election, someone else would come back and say, ‘What happens next? What if he gets into the voting system?’ ”
Clapper’s question drives to the heart of one of the cyberpower conundrums. The United States can’t figure out how to counter Russian attacks without incurring a great risk of escalation. The problem can be paralyzing. Russia’s meddling in the election encapsulates the challenge of dealing with this new form of short-of-war aggression. Large and small powers have gradually discovered what a perfect digital weapon looks like. It is as stealthy as it is effective. It leaves opponents uncertain about where the attack came from, and thus where to fire back. And we struggle to figure out the best form of deterrence. Is it better to threaten an overwhelming counterstrike? A non-cyber response, from economic sanctions to using a nuclear weapon? Or to so harden our defenses—a project that would take decades—that enemies give up attacking?
Naturally, the first temptation of Washington policy makers is to compare the problem to something more familiar: defending the country against nuclear weapons. But the nuclear comparison is faulty, and as the cyber expert James Lewis has pointed out, the false analogy has kept us from accurately understanding how cyber plays into the daily geopolitical conflict.
Nuclear arms were designed solely for fighting and winning an overwhelming victory. “Mutually assured destruction” deterred nuclear exchanges because both sides understood they could be utterly destroyed. Cyberweapons, in contrast, come in many subtle shades, ranging from the highly destructive to the psychologically manipulative.
Until recently, Americans were fixated on the most destructive class of cyberweapons, the ones that could turn off a nation’s power or interfere with its nuclear command-and-control systems. That is a risk, but the extreme scenario, and perhaps the easier to defend against. Far more common is the daily use of cyberweapons against civilian targets to achieve a more specific mission—neutralizing a petrochemical plant in Saudi Arabia, melting down a steel mill in Germany, paralyzing a city government’s computer systems in Atlanta or Kiev, or threatening to manipulate the outcome of elections in the United States, France, or Germany. Such “dialed down” cyberweapons are now used by nations every day, not to destroy an adversary but rather to frustrate it, slow it, undermine its institutions, and leave its citizens angry or confused. And the weapons are almost always employed just below the threshold that would lead to retaliation.
Rob Joyce, Trump’s cyber czar for the first fifteen months of the administration and the first occupant of that office to have once run American offensive cyber operations, described in late 2017 why the United States is particularly vulnerable to these kinds of operations, and why our vulnerabilities won’t go away anytime soon.
“So much of the fabric of our society rests on the bedrock of our IT,” said Joyce, who spent years running the Tailored Access Operations unit of the NSA, the elite operation charged with breaking into foreign computer networks. “We continue to digitize things; we store our wealth and treasure there; we run operations; we keep our secrets all in that cyber domain.” In short, we are inventing new vulnerabilities faster than we are eliminating old ones.
Rarely in human history has a new weapon been adapted with such speed, customized to fit so many different tasks, and exploited by so many nations to reshape their influence on global events without turning to outright war. Among the fastest adapters has been Putin’s Russia, which deserves credit as a master of the art form, though it is not the only practitioner. Moscow has shown the world how hybrid war works. The strategy is hardly a state secret: Valery Gerasimov, a Russian general, described the strategy in public, and then helped implement it in Ukraine, the country that has become a test-bed for techniques Russia later used against the United States and its allies. The Gerasimov doctrine combines old and new: Stalinist propaganda, magnified by the power of Twitter and Facebook, and backed up by brute force.
As the story told in this book makes clear, parts of the US government—and many other governments—saw all the signs that our chief adversaries were headed toward a new vector of attack. Yet the United States was remarkably slow to adapt to the new reality. We knew what the Russians had done in Estonia and Georgia a decade ago, the first time they used cyberattacks to help paralyze or confuse an opponent, and we saw what they later attempted from Ukraine to Europe, the testing grounds for cyberweapons of mass disruption and subtle influence. But an absence of imagination kept us from believing that the Russians would dare to leap the Atlantic and apply those same techniques to an election in the United States. And, like the Ukrainians, we took months, even years, to figure out what hit us.
Worse yet, once we began to grasp what happened, a military and intelligence community that prides itself on planning for every contingency had no playbook of ready responses. In early 2018, when asked by the Senate Armed Services Committee how the National Security Agency and US Cyber Command were dealing with the most naked use of cyberpower against American democratic institutions, Adm. Michael S. Rogers, then coming to the end of his term as commander of both organizations, admitted that neither President Obama nor President Trump had given him the authority to respond.