The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age

by David E. Sanger

Cyberweapons are so cheap to develop and so easy to hide that they have proven irresistible. And American officials are discovering that in a world in which almost everything is connected—phones, cars, electrical grids, and satellites—everything can be disrupted, if not destroyed. For seventy years, the thinking inside the Pentagon was that only nations with nuclear weapons could threaten America’s existence. Now that assumption is in doubt.

Yet the secrecy surrounding these programs obscures most public debate about the wisdom of using them, or the risks inherent in losing control of them. The government’s silence about America’s new arsenal, and its implications, poses a sharp contrast to the first decades of the nuclear era. The horrific scenes of destruction at Hiroshima and Nagasaki not only seared the national psyche, but they made America’s destructive capabilities—and soon Russia’s and China’s—obvious and undeniable. Yet even while the government kept the details classified—how to build atomic weapons, where they are stored, and who has the authority to order their launch—America engaged in a decades-long political debate about when to threaten to use the Bomb and whether to ban it. Those arguments ended up in a very different place from where they began: in the 1950s the United States talked casually about dropping atomic weapons to end the Korean War; by the eighties there was a national consensus that the US would reach for nuclear weapons only if our national survival was at stake.

The result is that the United States makes use of this incredibly powerful new weapon largely in secret, on a case-by-case basis, before we fully understand its consequences. Acts that the United States calls “cyber network exploitations” when conducted by American forces are often called “cyberattacks” when American citizens are the target. That word has come to encompass everything from disabling the grid, to manipulating an election, to worrying about that letter arriving in the mail warning that someone—maybe criminals, maybe the Chinese—just grabbed our credit cards, Social Security numbers, and medical histories, for the second or third time.

But figuring out a proportionate yet effective response has now stymied three American presidents. The problem is made harder by the fact that America’s offensive cyber prowess has so outpaced our defense that officials hesitate to strike back.

As of this writing, in early 2018, the best estimates suggest there have been upward of two hundred known state-on-state cyberattacks over the past decade or so—a figure that describes only those that have become public.

What’s missing in these debates, at least so far, is any serious effort to design a geopolitical solution in addition to a technological one. In my national security reporting for the New York Times, I’ve often been struck by the absence of the kind of grand strategic debates surrounding cyber that dominated the first nuclear age.

As he regularly reminded them, in the world of cyber conflict, attackers came in five distinct varieties: “vandals, burglars, thugs, spies, and saboteurs.”

Investigators raced to figure out how the Russians had gotten inside. The answer was pretty shocking: The Russians had left USB drives littered around the parking and public areas of a US base in the Middle East. Someone picked one up, and when they put the drive in a laptop connected to SIPRNet, the Russians were inside. By the time Plunkett and her team made their discovery, the bug had spread to all of US Central Command and beyond and begun scooping up data, copying it, and sending it back to the Russians.

Oops

It was a bitter lesson for the Pentagon—they were, in fact, easy pickings for attackers using a technique that the CIA and NSA had often used to get into foreign computer systems. “People worked through the night to come up with a solution,” Plunkett recalled. “We were able to develop what we thought was a reasonable solution that ended up being a very good solution.” The fix—called Operation Buckshot Yankee—was deployed by the Pentagon later that day. Then, to keep a similar breach from happening again, USB ports on Department of Defense computers were sealed with superglue.

While Plunkett was trying to fortify the Pentagon’s networks against the Russians, the NSA’s offensive team, working not far away on the Fort Meade campus, was already making centrifuges blow up in Natanz.

And the centrifuges, the US government’s experts knew from their own bitter experience, were highly sensitive. Because they spun at supersonic speeds, any dramatic change—triggered, say, by a change in current—could send the rotors out of kilter, like a child’s wobbling top. When they became unstable, the centrifuges would blow up, taking out any machinery or people nearby. Uranium gas would be spilled all over the centrifuge hall. In short, to stop the Bomb, America’s new cyber army had made a bomb—a digital one.

Ariel Sharon, the Israeli prime minister who had been Dagan’s commander and mentor, famously if crudely declared that “Dagan’s specialty is separating an Arab from his head.” It was a brutal description, even in the macho world of the Mossad, Israel’s best-known intelligence agency, which Dagan ultimately led for nine years—an extraordinarily long tenure. While Dagan pretended to dismiss the stories as mythmaking, he nonetheless seemed to revel in them.

The operation against Iran was a model of how Israel should defend itself in the future, he said. Gone were the days of open demonstrations of military might that invited retaliation, escalation, and international condemnation. Gone were the days of occupying territory. The defense of Israel, he insisted, required subtlety and indirection.

The last time I saw Dagan, he chewed me out for what I had written about Olympic Games. But unlike his American counterparts, he complained that I had written too little, not too much. “You missed a major part of the story,” he said, arguing that the Americans had received far too much credit, and the Israelis—and by extension Dagan himself—had received not nearly enough. I had been seduced by Americans who were intoxicated with advertising their own success, he insisted one evening, rather than giving credit to an ally—he carefully didn’t say which one—that had done the heavy lifting, gotten the code into the centrifuges, and revised it as necessary.

But Cartwright’s direct line to Obama had grated on Robert Gates, the secretary of defense, and Mike Mullen, the chairman of the Joint Chiefs. On a variety of issues they believed he manipulated the Pentagon system, or went around the chain of command. It didn’t help that Cartwright had not spent time in Iraq and Afghanistan. When Mullen was ready to retire, the two successfully argued against promoting Cartwright into Mullen’s role. Suddenly, the man who was among the first to sketch out how the United States could create a dedicated military command to deal with a new dimension of warfare was cast out. With him, I discovered later, went some of the most creative strategic thinking about the use of cyber in offense and defense.

The supreme irony of the Cartwright case is that the man who’d helped propel the federal government into shaping a sophisticated approach to dealing with the world’s most complex weapon was among the first victims of the paranoia about discussing that approach. The government could have responded to the disclosures about Olympic Games by embracing the revelations and reminding adversaries—Iran, Russia, and North Korea among them—that the United States could do far worse to them. It could have explained why cyber was critical to avoiding a shooting war in the Middle East. It could have used the moment to talk about what kind of global rules we should create for using cyberweapons against civilians, against commercial facilities, and against other governments.

“This was an enormous, and enormously complex, program,” the former official said. “Before it was developed, the US had never assembled a combined cyber and kinetic attack plan on this scale.” For the United States’ cyber warriors, Nitro Zeus was a turning point. It exposed many of the tensions between the National Security Agency—which possessed most of the talent needed to pull off the attack—and the military’s newly created US Cyber Command. On paper, the two organizations were complementary. In reality, they had a constant series of spats, typical of arranged marriages, in which the NSA’s talent looked down on Cyber Command, and the military unit regarded the NSA as a bunch of arrogant civilians who never needed to complete a military mission.

“We have seen nation-states spending a lot of time and a lot of effort to try to gain access to the power structure within the United States, to other critical infrastructure, and you have to ask yourself why,” said Adm. Rogers, the director of the NSA and the head of Cyber Command until the spring of 2018. “It’s because in my mind they are doing this with a purpose, doing this as a way to generate options and capabilities for themselves should they decide that they want to potentially do something.” This, of course, is exactly what we were doing to Iran.

A half decade after the Snowden revelations, it is remarkable how many questions the NSA was never forced to answer in public. Its officials were able to hide behind the secrecy that surrounds its operations, even though the Snowden trove gave the world an unparalleled look at their work. Publicly, the intelligence agency leadership treated the entire Snowden insider leak as equivalent to a natural disaster: something you regretted but couldn’t do anything about.

Furthermore, the talk in Washington about cutting down on the use of contractors who dealt with the nation’s deepest secrets fizzled almost immediately. “We had to go to Congress and quietly explain how cyberweapons get developed,” one NSA official said to me. In short, the NSA told Congress, cyberweapons get built the way everything else gets built—by private firms. The Pentagon relies on Lockheed Martin to build the F-35, with a raft of subcontractors and partners. General Atomics builds the Predator and Reaper, the two best-known drones. Boeing builds satellites. Booz Allen, and many firms from the outskirts of Fort Meade to Silicon Valley, build cyberweapons. Those firms hunt for—or surreptitiously purchase—“zero-day” flaws: software flaws in a system that an invader can exploit to spy or destroy. The programming talent required to turn those flaws into weapons is expensive, and contractors can afford top talent. They offer their best coders salaries many times what the government can pay. “People would be shocked,” one young employee of one of the most successful cyber contractors told me, “how much the government relies on contractors to build the weapons and maintain them,” even in foreign systems. That explains why about one-third of the 1.4 million people with top-secret clearances in 2012 were private contractors. (And yes, the background checks for those contractors are often performed by other contractors.)

The apparent absence of evidence gave birth to “Shotgiant.” That was the name of a covert program, approved by the Bush White House, to bore a way deep into Huawei’s hermetically sealed headquarters in Shenzhen, China’s industrial heart. And while American officials would not describe it this way, the essential idea was to do to Huawei exactly what Americans feared the Chinese were doing to the United States: crawl through the company’s networks, understand its vulnerabilities, and tap the communications of its top executives. But the plan went further: to exploit Huawai’s technology so that when the company sold equipment to other countries—including allies like South Korea and adversaries like Venezuela—the NSA could roam through those nations’ networks.

The simplest way to think about the ANT catalog was that it updated the “bugs” that intelligence agents had been putting into telephones since the 1920s. But that misses the scope of what the equipment can pick up from computer networks, and the opportunities for cyberattack. The catalog revealed a new class of hardware with a scale and sophistication that enabled the NSA to get into—and alter data on—computers and networks that their operators thought were completely sealed off from the Internet, and thus impermeable to outside attack. The NSA had even gone to the trouble of setting up two data centers in China, apparently through front companies, whose main purpose was to insert the malware into computer systems.

Not surprisingly, when the Times prepared to publish some of these details, NSA officials declined to confirm, at least on the record, that the documents described any of their programs. Off the record, they said it was all part of a new doctrine of “active defense” against foreign cyberattacks. In short, it was aimed more at surveillance than at “computer network attack”—NSA-speak for offensive action. The problem, of course, is that the Chinese would never believe this. When Americans find similar “implants” in our gas-distribution network, or financial markets, we immediately assume the worst—that China is preparing to attack. I asked one senior NSA official how they might signal to China, or any other adversary, that these were merely monitoring tools, not digital land mines set to explode in a few years. “That’s the problem,” he said. “We can’t convince them. And they can’t convince us.”

Yep

The lesson of the Merkel affair was that the NSA, in its single-minded passion to pick up every bit of foreign intelligence that it could, failed to consider the damage that might be done if its activities ever became public. No one was reviewing its target list to see if it passed the simple test applied to covert actions at the CIA: if this operation was splashed across the front pages of the Times and the Post, would someone have to resign in disgrace? In fact, a senior Obama national-security official told me that while the CIA’s covert actions were reviewed every year, no one had done the equivalent on a regular basis with the NSA. That quickly changed.

But the government, and the NSA in particular, had missed a major turn in the way Americans viewed the importance of the privacy of the data they now carried on their smartphones and laptops. When phones were landlines, hardwired to the house, and international calls were expensive and rare for ordinary Americans, there was little public outrage if the government kept tabs on international phone lines. And in the years after the September 11 attacks, there was considerable public sympathy for the government’s interest in going after terrorist communications.

All that changed with the invention of the smartphone. Suddenly, the information the NSA was sweeping up wasn’t just telephone traffic. For the first time people were keeping their whole lives in their pockets—their medical data, their banking information and work emails, their texts with spouses, lovers, and friends. It was all being stored in those Google servers, and others like it run by Yahoo! and Microsoft and smaller competitors. And depending on where one was, that data could be stored anywhere. The distinction between “international” communications and “domestic” communications was virtually wiped out. All of a sudden the idea of the government’s getting inside Google’s servers seemed a lot more worrisome.

In addition to laying its own cables, Google had also decided, before the Snowden revelations, to roll out a program to encrypt all the data that ran between its data centers. But as with the cable laying, the encryption effort was still plodding along when the smiley-face document made it clear that the US government was intent on breaking into Google’s networks. Suddenly, making sure no one else was inside those networks became an urgent priority.

Grosse was referring to the huge US intelligence project in the early 1970s to tap into the Soviet Navy’s undersea cables in the Sea of Okhotsk. At significant risk of discovery, the NSA had dispatched a submarine to wrap a secretly developed twenty-foot-long set of devices around the cables to record all the message traffic. Every month or so divers would slip into the waters, descend four hundred feet, and retrieve the recordings. The operation ran with great success until 1980, when a forty-four-year-old NSA communications specialist with a personal bankruptcy problem walked into the Soviet embassy in Washington and blew its cover.

The Snowden affair kicked off a remarkable era in which American firms, for the first time in post–World War II history, broadly refused to cooperate with the American government. They wrapped some of that refusal in Silicon Valley’s typical libertarian ideology. But their real fear was that any open association with the NSA would prompt customers to wonder whether Washington had bored holes into their products.

“It was the kind of thing you couldn’t say no to,” one chief executive said to me. “You have a president saying lives are on the line.” But now that chief executive also had to contemplate the dangers of saying yes. After Snowden, the potential cost of cooperating with Washington was a lot higher. Any country that wanted to keep American firms out of their markets could make an easy national-security argument: buy the American equipment, and you were probably buying a “back door” that the NSA installed to tap into those systems.

That argument struck some as disingenuous. Certainly encrypted communications made it hard to intercept conversations that had previously taken place in the clear. But this ignored the flood of new, Internet-enabled technologies that had given rise to—as more than a few technologists noted—the “golden age of surveillance.” In a world in which one’s car and lost luggage could be tracked electronically, where a Fitbit broadcasts the wearer’s location and people’s watches are connected to the Internet—life is a lot easier for investigators. As one FBI investigator admitted to me: “If you put us in a time machine and took us back ten years, we’d feel like our best tools have been taken away.”

From the other coast, Tim Cook had an answer: the apartment keys and trunk keys belonged to the owner of the apartment and the car, not to the manufacturer of their locks. “It’s our job to provide you with the tools to lock up your stuff,” Cook said. At Apple and Google, company executives told me that Washington had brought these changes on themselves. Because the NSA had failed to police their own insiders, the world was demanding that Apple prove their data was secure, and it was up to Apple to do so. Naturally the government saw this as a deliberate dodge. And to some extent it was. But Cook had a bigger and better argument, one that the government could not so easily parry: if Apple created a back door into its code, that vulnerability would become the target of every hacker on Earth. The FBI was naïve to think that if the tech companies created a lock and gave the FBI a key, no one else would figure out how to pick it. “The problem is,” Cook said, “anyone with any technical skills knows that if you create an opening for the FBI, you create one for China and Russia and everyone else.”

Discreetly, Cook took that argument to Obama himself—in quiet sessions in Washington and Silicon Valley. American spy agencies and police had all kinds of other options, he argued. They could find data in the cloud. They could use Facebook to figure out anyone’s acquaintances. But to give them access to that data inside the phone was to undercut an American expectation of privacy—and to invite the Chinese and others to do the same, for far more nefarious purposes. “The only way I can protect hundreds of millions of people is the way I’m doing it,” Cook told me during one of his Washington visits, fresh from making this case to Obama and his aides. But he knew that despite his admiration for Obama—“I love the guy,” he’d often repeat—he was losing the argument with him.

At the White House, many officials worried about being accused of becoming an accessory to China’s growing crackdowns on dissidents. In fact, the fear paralyzed some of them. But FBI officials quickly waved away this argument. “We’re not the State Department,” one of Comey’s top aides told me. The rest of the intelligence community seemed likewise unconcerned. Just days after the Apple announcement, the director of one of America’s sixteen intelligence agencies invited me to his office to rail against Apple’s top executives.

For the leader of one of the most successful companies on the planet, larger than some European economies, it was a remarkable accusation. Cook was charging an administration that treasured its reputation as a progressive force for civil rights with seeking to undermine a core constitutional principle about individual freedom. With Apple and the FBI at a standoff, Obama dispatched some of his senior intelligence officials to Silicon Valley to talk Cook off the ceiling and look anew for a compromise. Cook wasn’t interested. Though he could not yet reveal it publicly, the FBI’s demand that Apple break into the San Bernardino phone was just one of four thousand law-enforcement requests to the company in the second half of 2015. Comey wasn’t about to back down; he told aides that the publicity around the San Bernardino case would, if anything, remind criminals, child pornographers, and terrorists to use encryption. This was the moment to settle the encryption wars, he said, once and for all.

They deliberately didn’t ask how it was done—because the White House, under its own rules about disclosing most vulnerabilities to manufacturers, might have been forced to clue in Apple. Obama, the constitutional law professor, never solved this problem. And he never implemented the recommendation from his own advisory panel that the government encourage the use of more and more encryption. He told his aides that years of daily warnings in the President’s Daily Brief about terrorist activity around the world had altered his view: The United States simply could not agree to any rules that locked it out of some conversations. It was a breach with the tech community that he simply never overcame. “If, technologically, it is possible to make an impenetrable device or system, where the encryption is so strong that there is no key, there is no door at all, then how do we apprehend the child pornographer?” Obama asked publicly a few years later. “How do we disrupt a terrorist plot?” If the government cannot crack a smartphone, Obama concluded, “then everyone is walking around with a Swiss bank account in your pocket.” Obama had accurately described—but hadn’t solved—one of the central dilemmas of the cyber age.

I mean, there are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese. —James Comey, then FBI director, October 5, 2014

One day I sat next to some of Mandia’s team, watching the Unit 61398 hacking corps at work; it was a remarkable sight. My previous mental image of PLA officers was a bunch of stiff old generals sitting around in uniforms with epaulets, reminiscing about the glory days with Mao. But these guys were wearing leather jackets or just undershirts, and probably saw Mao only if they visited his mausoleum in Tiananmen Square. “They were such bros,” Andrew Schwartz, one of Mandia’s communications specialists, recalled later. “But they were prodigious thieves.” They were also thieves with multiple employers: some moonlighted as hackers for Chinese companies, making it unclear whether they were stealing on government or corporate orders.

“I’m not sure this is the smartest thing to do,” he told me. “You know what the Chinese will do: They’ll put a big bull’s-eye on my back.” But Mandia didn’t seem all that worried. The Chinese were different from the Russians. “They are into this stuff for the money, the technology, the military power,” he said to me. “You don’t see Chinese shutting down networks, though if we ever got into a war they certainly know how to do that. For them it’s pretty simple: They want control at home, and access to all the technology they can eat here.”

No one had expected the digital revolution in China to unfold in quite this way. In the 1990s, in the wake of Tiananmen Square and the subsequent government crackdown, it was an article of faith in Washington that the Internet would change China more than China would change the Internet. No one believed this more fervently than Bill Clinton. During a presidential visit to Beijing in 1998, he told students at Beijing University that the digital revolution meant one thing for them: more democracy, albeit with Chinese characteristics.

As it turned out, an uncensored Google made the leadership of the country very nervous. As American intelligence agencies later learned, the leadership were Googling themselves, and the results were not always complimentary.

A secret State Department cable, written on May 18, 2009, and made public the next year in the WikiLeaks trove that Chelsea Manning had taken, reported that Li Changchun, who headed the propaganda department for the Chinese Communist Party and was a top member of the leadership, was astounded to discover that when he typed his name into a Google search bar he found “results critical of him.” Since he was the government’s leading censor, the fact that any Chinese citizen with an Internet connection could read something unpleasant about how he performed his duties was a rude awakening. From that moment, the die was cast.

That conclusion was likely the exact one that Li Changchun, the propaganda chief, wanted Google to reach. Since the Chinese had already replicated Google’s business model with Baidu, the next step, it seemed, would be to force Google out of the market. Schmidt told me afterward that the Aurora attacks had pretty much “ended the debate inside the company about what our future was on the mainland.” If China was willing to go to all that trouble to break into the company’s servers in the United States, it would clearly have no compunctions about demanding every bit of user data in China, and Google wasn’t willing to let that happen. By later in 2010, Google was packing up and moving out of Beijing. There was one more twist to the Aurora story that no Google executive revealed at the time. The Chinese had cracked a Google server that contained a database of court orders delivered to Google—the orders from the United States Foreign Intelligence Surveillance Court and other judges around the country. The FBI’s counterintelligence team knew what this particular theft meant: the Chinese intelligence services were looking for evidence that their own spies in the United States had been compromised and placed under surveillance.

It wasn’t until April 2015, when a private computer-security contractor working for OPM flagged an error on a domain name—in this case “opmsecurity.org”—that the agency’s cyber team began to investigate in earnest. The domain had been operating for about a year, but no one at OPM had created it. Worse, it was registered to “Steve Rogers”—a fictional character better known for his exploits as the superhero Captain America, one of the Avengers. A second website, discovered shortly afterward, was registered to his comrade Tony Stark. Connoisseurs of hacking techniques immediately observed that a Chinese military group had, in the past, left similar odes to the Avengers.

Fifty days of radio silence followed as OPM scrambled to understand what had happened. Even other parts of the Obama administration couldn’t get straight answers. The Office of Management and Budget, one senior official recalled, received conflicting information about how big the breach was. “I don’t think they were lying to us,” one of their senior officials said. “I think they didn’t know how many computers they had, much less who was on them.” The security company Cylance helped sort through the wreckage; a technician working on the case wrote a pithy email to the company’s chief executive: “They are fucked btw.”

Clapper pushed back, in one of those rare moments when it became clear that the United States had no intention of agreeing to rules for behavior in cyberspace that could impede our own intelligence agencies. Having previously declared, “If we had the opportunity to do the same thing, we’d probably do it,” Clapper now told the assembled senators: “I think it’s a good idea to at least think about the old saw about people who live in glass houses shouldn’t throw rocks….” “So, it’s okay for them to steal our secrets, that are most important,” Sen. John McCain shot back, “because we live in a glass house. That is astounding.” “I didn’t say it’s a good thing,” Clapper replied. “I’m just saying both nations engage in this.”

When the Times asked Carlin and James Comey, then FBI director, whether the Chinese might retaliate by indicting Americans who hack on behalf of the US government, they said that, naturally, they could not discuss any offensive US cyber operations. But the difference, they both stressed, was that the United States didn’t steal secrets from China and give them to corporations like Google and Microsoft and Apple. They were right, but it was a very American answer. It is a distinction that the Chinese have never bought into: To them, economic security and national security are a seamless web, and building strong, state-owned firms is essential to the defense of the state. And the indictments pointedly didn’t mention Chinese attacks aimed at the Defense Department or major defense contractors: clearly the United States did not want to invite Chinese revelations about American attacks on similar military targets in Beijing, Shanghai, and Hong Kong. UglyGorilla and

The stalemate was broken when American outrage over OPM ran headlong into government pageantry. Xi Jinping, settling into China’s presidency, was heading to Washington in September 2015 for his first state visit—a moment of pomp and circumstance that most Americans tended to ignore but was vital to the status-conscious Chinese leadership. Chris Painter, the head of the State Department’s cyber unit, recalled later that the Chinese officials were “almost pathological in wanting his trip to go perfectly.” Obama’s team realized they had leverage and promptly threatened to impose sanctions on China for a variety of cyber activities, including Unit 61398’s exploits, in the days just before President Xi was scheduled to arrive. They knew that to the Chinese, sanctions would cast a huge pall over the trip and would suggest that Xi wasn’t in command of the relationship. The only way to avoid this embarrassment, they told the Chinese, was to negotiate the bare bones of the first arms-control accord for cyberspace.

The talks ended at three a.m. on the morning the Chinese were scheduled to return to Beijing. Upon landing, Meng acknowledged for the first time that there was a difference between cyber espionage for national-security purposes and cyber espionage for corporate economic benefit. Obama told American business leaders that cyberattacks would “probably be one of the biggest topics,” and his goal was to see “if we and the Chinese are able to coalesce around a process for negotiations” that would “bring a lot of countries along.”

Before Xi left, he and Obama announced an accord that included the first curbs on using the web to steal intellectual property. Oddly, it seemed to work right away: Mandiant and other firms saw a marked drop-off in that kind of hacking by the Chinese. Painter believes that Xi looked into the future and saw that “a few years from now, people are going to be stealing industrial designs from the Chinese, and he had to get ahead of it.” In fact, people have already gone after the Chinese—and most of them are Russian.