The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age

by David E. Sanger

It feared that Huawei’s equipment and products—everything from cell phones to giant switches that run telephone networks to corporate computer systems—were riddled with secret “back doors.”

Like Cisco has been shown to have!

essential idea was to do to Huawei exactly what Americans feared the Chinese were doing to the United States: crawl through the company’s networks, understand its vulnerabilities, and tap the communications of its top executives. But the plan went further: to exploit Huawai’s technology so that when the company sold equipment to other countries—including allies like South Korea and adversaries like Venezuela—the NSA could roam through those nations’ networks.

How incredibly devious and surely illegal

But when the German weekly Der Spiegel and the Times published the details of Shotgiant, based on Snowden documents, the depth of the hypocrisy struck not only the Chinese but also many American allies. “You are essentially doing to the Chinese exactly what you are accusing them of doing to you,” one European diplomat,

one senior Chinese diplomat assigned to Washington at the time argued to me, the NSA’s real purpose “is to stop Huawei from selling their equipment so that Cisco can sell its own.”

But now that chief executive also had to contemplate the dangers of saying yes. After Snowden, the potential cost of cooperating with Washington was a lot higher. Any country that wanted to keep American firms out of their markets could make an easy national-security argument: buy the American equipment, and you were probably buying a “back door” that the NSA installed to tap into

Then came the core of the argument he had practiced on me and some other reporters at the White House before he left on the trip: “The freest possible flow of information, ideas, and opinions, and a greater respect for divergent political and religious convictions, will actually breed strength and stability going forward.”

But, at least in public, the administration never leveled with the 22 million Americans whose data were lost—except by accident. Federal employees were sent letters telling them some of their information might have been compromised, and they were offered several years of free credit-monitoring—as if the information had been stolen by criminals. (It has never shown up on the black market, another sign the theft was an intelligence operation.)

Clapper pushed back, in one of those rare moments when it became clear that the United States had no intention of agreeing to rules for behavior in cyberspace that could impede our own intelligence agencies. Having previously declared, “If we had the opportunity to do the same thing, we’d probably do it,” Clapper now told the assembled senators: “I think it’s a good idea to at least think about the old saw about people who live in glass houses shouldn’t throw rocks….”

And unlike his nuclear arsenal, cyberweapons could be used against his greatest enemy—the United States—without fearing that fifty minutes later his country would be a smoking, radioactive cinder just north of Seoul. Kim recognized that the inevitable US threats of imposing additional economic sanctions against the North for malicious cyber activity were largely empty.*3 In short, cyberweapons were tailor-made for North Korea’s situation in the world: so isolated it had little to lose,

But to Kim, this absence created a home-field advantage. A country cut off from the world, with few computer networks, is a lousy target: there are simply not enough “attack surfaces,” the entry-points for inserting malicious code, to make a retaliatory cyberattack on North Korea viable.

Ozment knew that the Russians, among others, were littering American power plants, industrial systems, and communications networks with implants that could be used later on to alter data or shut those systems down. Since 2014, intelligence agencies had been warning that Russia was likely already inside the American electric grid. The malware took many forms, often called “BlackEnergy.”

The implants scared the hell out of American defense officials—but they were determined not to show it. In their most benign mode, the implants are useful for surveillance—broadcasting back to their home base news about what is happening inside a network. But what makes cyber threats different is that the same implant that is used for surveillance can be repurposed as a weapon. All it requires is the injection of new code. So on one day, the implant may be sending back blueprints of the electric grid. The next day it can be used to fry that grid. Or wipe out data. Or allow someone in a remote locale to take control of the equipment—and drive it off a cliff, so to speak.

The United States did not exactly have clean hands when it came to influencing elections in other countries. Italy and Iran were notable targets for CIA election manipulation and coup-organizing in the 1950s, and Putin would cite American efforts to kill Castro in Cuba and to mount covert influence campaigns for elections in South Vietnam, Chile, Nicaragua, and Panama.

Using Facebook accounts based in Saint Petersburg, they posed as Americans and lured users to a free hot-dog event in New York. Of course, the trolls in Saint Petersburg didn’t provide the promised food to the New Yorkers whom they watched gather through a publicly accessible webcam in Times Square; rather, it was a successful experiment proving that, from their screens in Russia, they could orchestrate events in the physical world. This seemingly small feat would soon move far beyond hot dogs, and into the realm of inciting clashes among rival American groups at political rallies in the “purple states” that the Russians were learning about.

It was a testament to how easy it is to mislead some subgroups of American citizens on the web with a few cheap bots and someone imitating a local resident. But no one was more amazed than the young Russians in Saint Petersburg, who, their own emails later showed, could not believe their targets were so gullible.

Guccifer 2.0 offered a few DNC documents, which he advertised as just a sampling of a vast trove. They included a lengthy piece of opposition research prepared by the DNC as they struggled to understand Trump, with chapter headings like: “Trump Is Loyal Only to Himself” and “Trump Has Repeatedly Proven to Be Clueless on Key Foreign Policy Issues.”

SANGER: My point here is, can the members of NATO, including the new members in the Baltics, count on the United States to come to their military aid if they were attacked by Russia? And count on us fulfilling our obligations— TRUMP: Have they fulfilled their obligations to us? If they fulfill their obligations to us, the answer is yes. HABERMAN: And if not? TRUMP: Well, I’m not saying if not. I’m saying, right now there are many countries that have not fulfilled their obligations to us.

They rejoiced when Twitter and WhatsApp made the Arab Spring possible, and were convinced they had built the weapon that would tear down autocrats and beget new, more transparent democracies. But over time a harsher truth has emerged. Those same networks became ISIS’s most potent tool. They were exploited by Russian trolls and the political targeteers at Cambridge Analytica to manipulate voters. And the subsequent call for a new kind of cyberspace—where we understand the real identities of everyone we are dealing with on the web—delighted the Chinese and the Russians. What better way to hunt down dissidents and doubters, and break up the political opposition?

exercise editorial judgments; instead, like the telephone company, it would carry content but not edit it. Naturally, this was a false analogy: From the start, Facebook made its money not by selling connectivity, but by acting as the world’s seemingly friendly surveillance machine, then selling what it learned about users, individually and collectively. The old phone companies never did that. As my colleague Kevin Roose wrote, “Facebook can’t stop monetizing our personal data for the same reason Starbucks can’t stop selling coffee—it’s the heart of the enterprise.”

In September 2017, ten months after the election, the company finally began to concede the obvious. It said those who had manipulated Facebook “likely operated out of Russia,” and it turned over 3,000 of these ads to Congress. It had found evidence that the Internet Research Agency created 80,000 posts on Facebook that 126 million people may have seen—though whether they absorbed the messages is another question.

Shah and Kirchhoff envisioned something completely different: tiny, backpack-sized, inexpensive civilian satellites that had been developed to count cars in Target parking lots and monitor the growth of crops. They were launched in clusters, and would stay in orbit just a year or two. But they were also so cheap that when they fell out of the sky, the Pentagon could simply launch the newer, higher-resolution replacements.

Capella was one of a number of small satellite firms that had slashed the cost of space-based radars that can see through clouds, rain, snow, camouflage, and foliage, and pick out changes in the ground elevation that can point to hidden tunnels.

The big satellite makers, while faking enthusiasm, felt their multibillion-dollar contracts might be threatened by start-ups they had barely heard of. They were a powerful lobby.

moved around the Valley, exploring possible new technologies, they kept running into a competitor with the same vision, less reluctance, and a much bigger budget: it turned out the Chinese had an informal kind of DIUx of their own under way—on American soil.

They demonstrated that even while the Chinese were paring back on stealing the fruits of American industry—Obama’s agreement with Xi had begun to have some effect—they had found many perfectly legal ways to invest in it.

The rebellion was not limited to Google. At the same moment, Microsoft was quietly getting dozens of other firms to sign on to an agreement that they would never knowingly help any government—the United States or its adversaries—build cyberweapons for use against “innocent civilians.” They vowed to help any country that finds itself attacked.

Washington, in contrast, still views them as “American companies,” beneficiaries of American freedoms. In the Pentagon’s view, their expertise and technology should flow first to defend the nation that allowed them to form and flourish. These are two completely distinct worldviews, which, at least in peacetime, will never be aligned.

While the US government says that it reports to industry more than 90 percent of the software flaws it discovers, so that they can be fixed, “Eternal Blue” was clearly part of the 10 percent it held on to in order to bolster American firepower. Microsoft never heard about the vulnerability until after the weapon based on it was stolen. Yet the US government acted as if it bore no responsibility for the devastating cyberattack. When I asked Bossert, and his deputy, Rob Joyce, who ran the TAO and clearly knew something of what happened to these pilfered weapons, they argued that the fault was entirely with those who used the weapons—not with those who lost control of them. It was a mystifying argument: if someone fails to lock up their guns, and a weapon stolen from their house is used in a school shooting, the gun owner has at least some moral or legal liability.