For the same reason, the United States needs to open up about some of our own offensive cyber operations, especially if their details have been revealed. To this day the United States has not admitted its role in Olympic Games. It was, after all, a covert operation—and covert operations are not to be discussed, by law. But what if, once the code was traveling around the world and it became widely known that Stuxnet was an American-Israeli creation, both Washington and Jerusalem had publicly owned up to their role? What if they had admitted to it, the way Israel acknowledges, implicitly or explicitly, that it has bombed reactors in Iraq and Syria? We might well have established one of those red lines: if you produce nuclear fuel in violation of UN mandates, expect that something bad could happen to your centrifuges—maybe from the air, maybe from cyberspace.
Most important, just as the United States must show other nations there is a price to pay for truly serious cyberattacks, we must also show that some things are off-limits. And until America discusses publicly—at the presidential level—what we will not do in cyberspace, we have no hope of getting other countries to limit themselves as well.
* * *
—
It will be easier to navigate those decisions when the government acknowledges a few realities.
The first is that our cyber capabilities are no longer unique. Russia and China have nearly matched America’s cyber skills; Iran and North Korea will likely do so soon, if they haven’t already. We have to adjust to that reality. Those countries will no sooner abandon their cyber arsenals than they will abandon their nuclear arsenals or ambitions. The clock cannot be turned back. So it is time for arms control.
Second, we need a playbook for responding to attacks, and we need to demonstrate a willingness to use it. It is one thing to convene a “Cyber Action Group,” as Obama did fairly often, and have them debate when there is enough evidence and enough concern to recommend to the president a “proportional response.” It is another thing to respond quickly and effectively when such an attack occurs.
Third, we must develop our abilities to attribute attacks and make calling out any adversary the standard response to cyber aggression. The Trump administration, in its first eighteen months, began doing just this: it named North Korea as the culprit in WannaCry and Russia as the creator of NotPetya. It needs to do that more often, and faster.
Fourth, we need to rethink the wisdom of reflexive secrecy around our cyber capabilities. Certainly, some secrecy about how our cyberweapons work is necessary—though by now, after Snowden and Shadow Brokers, there is not much mystery left. America’s adversaries have a pretty complete picture of how the United States breaks into the darkest corners of cyberspace.
But the intelligence agency’s insistence on secrecy—the refusal to discuss offensive cyberweapons in any detail—makes it impossible to debate how precisely these weapons can be targeted and whether some should be banned because of their potential threat to civilians. We cannot expect Russian and Iranian hackers to stop implanting malware in our utility grid unless we are willing to talk about giving up our own implants in their power grids. We cannot insist that the US government has the right to a “backdoor” into Apple’s iPhones and encrypted apps unless we are willing to make the Internet less safe for everyone, because any backdoor will become the target of hackers around the globe.
No country likes giving up military or intelligence capabilities. But we have done it before. America swore off chemical and biological weapons when we determined that the cost to civilians of legitimizing them was greater than any military advantage they offered. We limited the kinds of nuclear weapons we would build, and banned some. We can do the same in cyberspace, but only if we are willing to openly discuss our capabilities and to help monitor cyberspace for violators.
Fifth, the world needs to move ahead with setting these norms of behavior even if governments are not yet ready. Classic arms-control treaties won’t work: they take years to negotiate and more to ratify. With the blistering pace of technological change in cyber, they would be outdated before they ever went into effect. The best hope is to reach a consensus on principles that begins with minimizing the danger to ordinary civilians, the fundamental political goal of most rules of warfare. There are several ways to accomplish that goal, all of them with significant drawbacks. But the most intriguing, to my mind, has emerged under the rubric of a “Digital Geneva Convention,” in which companies—not countries—take the lead in the short term. But countries must then step up their games too.
Microsoft’s president, Brad Smith, is one of the strongest advocates of the concept. He imagines loosely modeling a cyber accord among companies on traditional warfare conventions that have evolved for more than a century. Over the decades the rules have broadened and deepened, embracing the treatment of prisoners, the banning of chemical weapons, the protection of noncombatants, and the kind of aid that should be provided to the wounded, no matter whose side they fought on.
The analogy to cyberspace is hardly exact. The Geneva Conventions apply in wartime; if there is hope for an analogous set of rules of the road in cyber, they will need to set standards for peacetime. And they must apply to companies as well as countries, since Google, Microsoft, Facebook, and Cisco form the battlespace in which the world’s cyber conflicts are fought.
In the spring of 2018, about three dozen companies—Microsoft, Facebook, and Intel among them—agreed to the most basic set of principles, including an innocent-sounding vow that the signatories would refuse to help any government, including the United States, mount cyberattacks against “innocent civilians and enterprises from anywhere.” The companies also committed to come to the aid of any nation on the receiving end of such attacks, whether the motive for the attack is “criminal or geopolitical.”
It was a start, but a barely satisfying one. No Chinese, Russian, or Iranian companies were part of the initial compact, nor were some of the biggest forces in the technology world, including Google and Amazon, both still struggling between their desires to do vast business with the US military and their desires to avoid alienating their customers. The wording of the accord left lots of maneuvering room for the companies to join attacks against terror groups, or even against governments repressing their own citizens. Moreover, the principles made no mention of supporting democracy, or human rights—meaning that Apple, if it later joined the accord, could still get away with its decision to bow to Beijing by keeping its data on Chinese customers on servers inside China. In other words, the first principles were like the Internet—sprawling and messy.
“I have no illusions this will be easy,” Smith told me in Germany at the beginning of 2018. “We’re going to need laws passed that make clear that certain principles need to be respected around the world, that governments need to refrain from attacking critical infrastructure in times of peace or war, or even when it’s unclear whether we’re at a time of peace or war.” Of course, the Geneva Conventions have been regularly violated, in world wars and civil wars, from Vietnam to Syria.
There’s no such thing as fully protecting civilians. Individual citizens don’t have the option of going on the offense, and most have no interest in becoming combatants in a global cyber conflict. But over time, these principles have made the world more humane.
Still, there are steps individuals should take to protect themselves and help to avoid becoming collateral damage. Awareness—about what phishing campaigns look like, about how to lock up home-network wi-fi routers, and about how to sign up for two-factor authentication—can help to wipe out 80 percent or so of the daily threat. If we wouldn’t leave our doors unlocked when we leave home, or the keys in the ignition of our cars, we shouldn’t leave our lives exposed on our phones, either.
None of that will stop a determined, state-sponsored adversary. Houses can be protected against everyday burglars, but not against incoming ICBMs.
The lesson of the past
decade is that, unless shooting breaks out, it will always be unclear if we are at peace or war. Governments that cannot stand up to far larger powers with conventional armies will have little incentive to give up the advantages that cyberweapons offer. We are living in a gray zone, one of constant digital conflict. That is not a pleasant prospect, but it is the world we have created for ourselves. To survive it, we must make some fundamental decisions, akin to ones we made after the invention of the airplane and the atomic bomb—decisions that enabled us to navigate a constant state of peril.
Now, as then, we have to think more broadly about where our security will be found. Clearly, it is not in an unending cyber arms race where victories over adversaries are fleeting, and where the greatest objective is to break another nation’s encryption or turn off its factories. We need to remember that we built these technologies to enrich our societies and our lives, and not to find yet another way to plunge our adversaries into darkness. The good news is that because we created the technology, we have a chance of controlling it—if we concentrate on how to manage the risks. It has worked in other realms. It can work in cyberspace as well.
ACKNOWLEDGMENTS
The Perfect Weapon grew out of my reporting for The New York Times, but it is also a follow-on to a world I began to explore in Confront and Conceal (Crown, 2012). That book was the first to tell the story of Olympic Games, the American-Israeli cyber effort aimed at Iran’s nuclear program. At the time it was published, it was hard to find more than a handful of examples of cases in which states used cyberweapons against each other. Scarcely six years later, that is a daily occurrence. So, not surprisingly, the ambitions for a book that explained this era grew, and with it so did my indebtedness to editors, researchers, and colleagues.
Let me start at the Times, where I have worked for nearly thirty-six years, in Washington and overseas. Arthur Sulzberger Jr. and A. G. Sulzberger, our previous and current publishers, have been unstintingly generous in letting me roam the world to explain to our readers this new and frightening age. And they never complained about the legal bills. Dean Baquet, our executive editor, and Joe Kahn, the managing editor, have championed these stories, and pressed for more. So have Matt Purdy, Susan Chira, and Rebecca Corbett, who offered ideas, fine editing, and encouragement along the way.
In Washington, Elisabeth Bumiller, the Washington bureau chief, a relentless champion of investigative efforts and a friend since our days in Japan, a quarter century ago, allowed me the free rein to report and the leave to take some time to write the book. Bill Hamilton, an extraordinary national security editor, made every story he touched far better. My thanks as well to Lara Jakes, Amy Fiscus, and Thom Shanker, editors who pressed for more facts, better sources, and clearer explanations.
The daily miracle of the Washington bureau of the Times is the reporting staff, and I have been lucky enough to join forces on many of these stories with colleagues and friends. Eric Lipton and Scott Shane knew it was the moment to tell a bigger story about the Russia investigation in the fall of 2016, and together we produced a lengthy reconstruction of the Russia hack from which the title of this book is borrowed. That story was among the entries for the 2017 Pulitzer Prize in International Reporting, won with a group of Times reporters around the world who delved deeply into Vladimir Putin’s information-warfare techniques. I am indebted to that entire team, whose reporting enriched my understanding of the Russia story.
In Washington, Silicon Valley, and abroad my reporting colleagues Eric Schmitt, Mark Landler, Mark Mazzetti, Peter Baker, Matthew Rosenberg, Matt Apuzzo, Julie Davis, Nicole Perlroth, David Kirkpatrick, Alison Smale, Steve Erlanger, Matt Apuzzo, and Adam Goldman all joined forces on the intersection of foreign policy, cyber, and law enforcement. Maggie Haberman and I teamed up during the presidential campaign for two lengthy interviews with Donald Trump that helped me understand his evolving views on national security—and gave me a chance to raise cyber issues that seemed entirely new to him.
A special thanks to my reporting partner of three decades, Bill Broad, who understood how cyber, nuclear, and missile technology issues converge—and every day brought his reporting skills and unerring instincts to the hardest stories, particularly the American effort to sabotage North Korea’s missile program.
David McCraw, the Times’ exceptional in-house lawyer, got me through the leak investigations surrounding Olympic Games and helped me around others, while offering expert advice about how to tell the story of America’s activities in cyberspace.
Harvard’s Belfer Center for Science and International Affairs at the Kennedy School of Government has long been my intellectual community for grappling with the strategic implications of cyber, and its scholars and former policy makers were generous with their time and their willingness to educate a journalist. I have had the privilege of co-teaching, with Graham Allison and Derek Reveron, “Central Challenges in American National Security, Strategy and the Press.” Graham’s legendary strategic insights, and the course’s mix of graduate students, military and intelligence fellows, and undergraduates led to fascinating explorations of the complexity of cyber conflict. My special thanks to Joseph Nye, Ashton B. Carter, Eric Rosenbach, Michael Sulmeyer, R. Nicholas Burns, Rolf Mowatt-Larssen, and Ben Buchanan. Drew Faust, Harvard’s president for the past decade, provided constant encouragement and asked me to test out my thoughts with a variety of audiences.
And when I needed a place in Washington to settle in and write, Jane Harman and Robert Litwak opened the doors of the Wilson Center for International Scholars, a remarkable institution of calm and deep thought in a capital that could use a lot more of both. I am grateful to both of them and to Meg King, who has devoted herself to making Wilson a place for Congress to learn about cyber.
This book could not have been written without the aid of a remarkable group of research assistants, drawn from our course at Harvard. The most critical of them has been Alyza Sebenius, an incredibly talented young reporter, writer, and editor. Alyza headed the team, conducting interviews, editing chapters, gracefully pushing me to dig deeper, write more clearly, and think about those readers for whom the subject matter may seem daunting. She investigated, drafted, reorganized, and kept the project going—and is an example of an inspiring generation that is making American journalism as vital, and vitally important, as at any moment in our history.
Mary Brooks devoted nights and weekends to understanding China’s outsized role in cyber conflict, fact-checked and edited, and was indispensable to the process of turning stories into chapters, and chapters into arguments. Ana Moran delved into ISIS’s activities on the web and Silicon Valley’s involvement. Sohum Pawar thought deeply about the lessons of the Ukraine hack and guided us through complex technology, as did Anand Gupta. They started down this path hoping to learn something from me, but I learned far more from each of them—and they made this project possible. Gabrielle Chefitz and Josh Cohen provided helpful research support.
At Stanford, my thanks to Amy Zegart, Herb Lin, Phil Taubman, Michael McFaul, and Condoleezza Rice for counsel, ideas, and a base of operations when I was reporting in the technology world.
Michael Carlisle has been a friend for more than three decades and a remarkable book agent and counselor. He guided me to the Crown imprint at Penguin Random House, where I learned why Kevin Doughten is considered one of the finest editors in the business. It was Kevin who pressed for a book that would explore the geopolitics of this revolution, and it was his energy, insights into how to tell the story, fascination with the new technology, and willingness to work around the clock that made The Perfect Weapon possible. Jon Darga, Annsley Rosner, Rachel Rokicki, Penny Simon, Julie Cepler, Kathleen Quinlan, Courtney Snyder, Mark Birkey, Linnea Knollmueller, Kirsten Clawson, and Elizabeth Rendfleisch made Crown’s magic happen. Amelia Zalcman provided stellar legal advice.
Molly Stern, Crown’s publisher, has never flinched from hard topics, and she ha
s been an enthusiastic advocate of telling this story. I am lucky to be in Crown’s stable of writers.
Alex Gibney, Javier Botero, and Sarah Dowland, documentary-makers extraordinaire at Jigsaw Productions, had the inspiration that the story of Olympic Games told in Confront and Conceal should be a film, and in Zero Days, shown in theaters and on Showtime in 2016, they pushed the story forward. Some of their new reporting, especially on the operation Nitro Zeus, is represented in this book.
None of this—the reporting, the writing, the support—would be possible without my love, Sherill, the best editor and partner possible. Everything she touches in this world she makes better—and her editing skills saved us yet again. Andrew Sanger, our elder son and a recent graduate of Colorado College, delved into fact-checking and turned a critical eye to the explanations of history and technology; his brother Ned, a Harvard undergraduate, reviewed key chapters.
My parents, Ken and Joan Sanger, pushed me to get the best education possible, encouraged my start in journalism, and have been a source of support and love since, along with my sister Ellin and her husband, Mort Agress.
This is a work of current history, in a subject area in which far too much is classified. So, by definition, this account cannot be comprehensive; years from now we will learn about operations, internal disputes, successes and failures that are still cloaked. The best I can offer is that it represents the most accurate understanding of the incidents and debates I have been able to render. The errors of fact or interpretation are, of course, my own.
David E. Sanger
Washington, DC
May 2018
NOTES
PREFACE
startling recommendation: “Nuclear Posture Review,” Office of the Secretary of Defense, February 2018, www.defense.gov/News/SpecialReports/2018NuclearPostureReview.aspx.
The Perfect Weapon Page 35
