Kindle Notes & Highlights
Read between August 8 - August 24, 2018
Nobody mentioned North Korea’s cyber skills because no one was really paying attention. And by the time The Interview was being made, the Hermit Kingdom had gone from viewing the Internet as a threat to viewing it as a brilliant invention for leveling the playing field with the West.
What they were up to didn’t seem very scary at the time. But North Korean engineers learn fast—ask any missile scientist—and they got good quickly. “There was an enormous growth in capability from 2009 or so, when they were a joke,” said Ben Buchanan, a researcher at the Cyber Security Project at Harvard who has written extensively on the dilemmas of protecting networks in a world of cyber conflict. “They would execute a very basic attack against a minor web page put up by the White House or an American intelligence agency, and then their sympathizers would claim they’d hacked the US…
By the time Kim Jong-un came to power, Bureau 121 had been up and running for more than a decade. And while Kim is often caricatured as a buffoon in American pop culture, he deftly seized on an asymmetric capability that his father and grandfather—the Dear Leader and the Great Leader, respectively—had never exploited. At Kim’s direction, the North built up an army of upward of six thousand hackers, mostly based outside the country. (They eventually spread from China to the Philippines, Malaysia, and Thailand, all countries that advertise something in short supply in North Korea: beach…
Success seemed easy and cheap. “You could argue that they have one of the most successful cyber programs on the planet, not because it’s technically sophisticated, but because it has achieved all of their aims at very low cost,” said Chris Inglis, a former deputy director at the National Security Agency. To some degree the North Koreans learned from the Iranians, with whom they have long shared both missile technology and a belief that the United States is the source of their problems. In the cyber realm, the Iranians taught the North Koreans something important: When confronting an enemy that…
“It crept up on us,” he said of the North Korean threat. “Because they are such a mix of the weird and absurd and medieval and highly sophisticated, people didn’t take it seriously. How can such an isolated, backward country have this capability? Well, how can such an isolated, backward country have this nuclear ability?”
For Kim Jong-un, the ability to reach an American city with a nuclear warhead was all about survival—but it was also about future power. He accelerated the effort drastically, turning it into the North Korean version of the Manhattan Project. That meant putting equal effort into a missile program that could get the weapons to the other side of the Pacific. And by 2013, for the first time, the missile program looked genuinely threatening.
It would take a year or two, Obama was warned, before anyone would know if the accelerated program could work. Only in retrospect is it clear that in 2014 Obama and Kim were using cyberweapons to go after each other. Obama’s target was North Korea’s missiles; Kim’s was a movie studio intent on humiliating him. Eventually, each would begin to discover what the other was plotting.
He told Clapper that Washington was constantly plotting to overthrow the North Korean regime, a charge that is not entirely without merit.
The day after the dinner, Clapper won the release of the Americans and loaded them onto his plane. But before he left, he had one more encounter with the North Koreans. Along with the newly released Americans, North Korean officials handed Clapper a bill—for his share of dinner with the head of the Reconnaissance General Bureau, along with his room in the state guesthouse and the parking of his aircraft. “I had to pay in greenbacks,” Clapper later told me. “And it wasn’t a small amount.”
And unlike his nuclear arsenal, cyberweapons could be used against his greatest enemy—the United States—without fearing that fifty minutes later his country would be a smoking, radioactive cinder just north of Seoul. Kim recognized that the inevitable US threats of imposing additional economic sanctions against the North for malicious cyber activity were largely empty. In short, cyberweapons were tailor-made for North Korea’s situation in the world: so isolated it had little to lose, so short of fuel it had no other way to sustain a conflict with greater powers, and so backward that its…
And even if the United States was willing to retaliate, Kim calculated, doing so would not be easy. To most of the world, the absence of computer networks, of a wired society, is a sign of backwardness and weakness. But to Kim, this absence created a home-field advantage. A country cut off from the world, with few computer networks, is a lousy target: there are simply not enough “attack surfaces,” the entry points for inserting malicious code, to make a retaliatory cyberattack on North Korea viable.
In short, until the Sony attack Obama believed corporate America should take responsibility for defending its own networks, just as they take responsibility for locking their office doors at night. That approach made sense most of the time: Washington could not go to DEFCON 4 every time someone—even a state—went after part of the private sector. Clearly, the government could not protect against every cyberattack, just as it could not protect against every car theft or house burglary.
But the government is, of course, expected to protect against—or at least respond to—armed attacks on American cities. So what was a cyberattack more like? A home burglary or a missile attack from abroad? Or was it something completely different? And when was the potential peril to the United States so great that the government could no longer rely on companies or individual citizens to defend themselves but had to respond?
(Google engineers thought seriously in 2009 about doing harm to servers in China where attacks on the company had originated, before cooler heads prevailed.) Periodically there have been movements in Congress to make hacking back legal—often under the rubric of “active defense”—as a way of letting cyber victims create some deterrence. Regardless of whether it would work or not, hacking back would certainly be satisfying for companies. It could also start a war.
“It would be a total disaster,” one senior military strategist said to me when the issue came up anew around the JPMorgan and Sony attacks. “Imagine a company takes out a big server in Russia or North Korea,” the official went on. “The Russians or the Koreans see it as a state-sponsored attack. So they escalate…” Before the first meeting on the confrontation is held in the Situation Room, a full-scale conflict ensues, all for a retaliatory strike the president was never so much as consulted about.
In short, in the Sony case, the government and the country got a glimpse of the disturbing, ambiguous nature of cyber conflict. It does not look like war as we know it, nor does it resemble Hollywood’s depictions of a devastating cyberattack. The Sony attack demonstrated how profoundly a new generation of weapons has changed the geography of conflict between states. The new targets will likely be all civilian: even a movie studio, hardly critical infrastructure, makes for a ripe target. “In the end,” one of Obama’s advisers told me with resignation in his voice, “we’re a lot more vulnerable…
It turned out that Ukraine’s own backwardness—and an archaic remnant of its past—had played into the hands of the attackers. In true post-Soviet style, Ukraine required businesses to use a common piece of accounting software, M.E.Doc. It was clunky, it was old, but it was required by the state. Corrupting the software with malware was ridiculously easy: No one had invested in updating it in years. In fact, it used an outdated “platform” that had not even been supported by its manufacturer since 2013. No updates, no security patches.
Gerasimov described what any historian of Russian war fighting knows well: a battlefield war that merges conventional attacks, terror, economic coercion, propaganda, and, most recently, cyber. Each component enhanced the others. This blended approach had long helped Russia to project power around the globe, even when it was outgunned and outspent. Stalin was a master of information warfare, at home and abroad, and used it to increase his odds of victory in conventional war. If it confused and divided his enemies at home, all the better.
Media accounts suggested that the decision of the parliament to hold a referendum in the first place was achieved by fraud. One indicator of the dubious electoral practices, Forbes later reported, was that 123 percent of registered voters in Sevastopol cast ballots in the referendum.
He then argued, “we’re fighting for the Ukraine, but nobody else is fighting for the Ukraine.” “It doesn’t seem fair,” Trump told us, never lingering on what Putin was doing to the Ukrainian people or the offenses to the country’s sovereignty. “It doesn’t seem logical.” That was the part of the interview, we learned later, that the Russians noticed.
Panetta had reported to Obama in 2009 and early 2010 that the Iranians were dismantling parts of their enrichment center because of their inability to comprehend what was happening, and their fear of more calamities. In fact, even after Panetta delivered the news to Obama that the Stuxnet worm had gotten loose and was replicating itself across the globe, they agreed to keep the attacks under way for a while. The Iranians probably still hadn’t grasped what was going on, Obama and Panetta bet, so the weapon had some lingering utility.
In its own operations, the United States has also been cautious. Any destructive attack to actually break a foreign system requires many levels of approval, including from the president. There were looser rules about just entering a system and looking around—espionage instead of “preparing the environment” for attack. Yet as Martin Libicki, a cyber expert at the US Naval Academy, noted, to the country or company on the receiving end, that distinction may mean little: “From a psychological perspective, the difference between penetration and manipulation may not matter so much.”
The team came back with a mixed answer. While the Ukrainians did not have defenses as sophisticated as many American utility companies, a quaint oddity in Ukrainian systems ultimately saved them from an even greater disaster. It turned out that their electric grid, built by the Soviets, was so antiquated that it wasn’t entirely dependent on computers. “They still had the big, old metal switches that ran the power grid back in the pre-computer age,” Ozment explained, as if admiring the simplicity of an original Ford Model A engine. The investigators reported that Ukrainian engineers got into…
So the Ukrainians shrugged when the Russians hit the power grid again, in December 2016. That attack was briefer, but it hit the capital. And it showed that the Russians were learning. In 2015 they had gone after a distribution system; when they came back they had gone after one of Kiev’s main transmission systems. And when a company called Dragos unpacked the code, they found a new kind of malware, called “Crash Override,” that was designed specifically to take over the equipment in the grid.
He wasn’t surprised when the Democratic National Committee called. “They were an obvious target,” Clarke told me later. But he was amazed when his team discovered how wide-open the committee’s systems were. As it stood, the DNC—despite its Watergate history, despite the well-publicized Chinese and Russian intrusions into the Obama campaign computers in 2008 and 2012—was securing its data with the kind of minimal techniques that you might expect to find at a chain of dry cleaners.
Too expensive, the DNC told Clarke after the company presented the list. “They said all their money had to go into the presidential race,” he recalled. They told him they’d worry about the security issues after Election Day. That response came as no surprise to anyone who knew the DNC as a baling-wire-and-duct-tape organization held together largely by the labors of recent college graduates working on shoestring budgets. Of the many disastrous misjudgments the Democrats made in the 2016 elections, that one may rank as the worst.
“These DNC guys were like Bambi walking in the woods, surrounded by hunters,” a senior FBI official told me. “They had zero chance of surviving an attack. Zero.”
“It was hard to find a prominent organization in Washington that the Russians weren’t hitting,” another veteran of the FBI’s cyber division told me later. “At the beginning, this just looked like espionage. Everyday, ordinary spying.”
“SA Hawkins added that the FBI thinks that this calling home behavior could be the result of a state-sponsored attack,” Tamene wrote. Implicit in the memo was this reality: The FBI might see the DNC’s data flowing outside its building, but it didn’t have the responsibility to protect privately owned computer networks. That was the job of the DNC itself. That second warning should have set off alarms—but there is no evidence that it did.
He argued that the pro-Western colour revolutions in Georgia, Kyrgyzstan, and Ukraine in the early 2000s, as well as the Arab Spring, similarly arose from soil tilled by the United States and fertilized with American cash. “Put your finger anywhere on a map of the world,” Putin said in 2017, “and everywhere you will hear complaints that American officials are interfering in internal election processes.”
Putin’s moral equivalence didn’t hold much water. While in the bad old days the CIA would have brought bags of cash to Italian politicians and Chilean strongmen, election influence had since become the territory of the State Department, whose techniques were significantly more timid and transparent. When the United States intervened in contemporary elections, it usually did so to assure that more people had access to the vote. Rather than cash, it stuffed suitcases with an “Internet in a box” to defeat crackdowns on information. It sent out “consultants” to teach novice candidates how to…
Eyes rolled. To anyone who had heard the rumors of a Russian intrusion, this reeked of a cover story. The real issue was obviously not maintenance, though the creaky system that connected the nation’s diplomats together seemed at times little better than two paper cups and a string. This sounded more like standard operating procedure for damage control: to conduct a digital exorcism and flush out intruders, the first thing you had to do was bring the system down.
In the end, the Americans won the cyber battle in the State and White House systems, though clearly, as events played out, they did not fully understand how it was part of an escalation of a very long war.
By now the DNC leadership had moved from total ignorance to total panic. They began meeting with senior FBI officials in mid-June, fully nine months after Agent Hawkins had been switched to the help line. Babies had been conceived and born in the time it took the DNC, and the US government, to wake up. Now the debate was over whether to make public what was going on.
By the accounts of three of Obama’s top national security aides, none of these recommendations formally made it to President Obama prior to the 2016 election. (Informally, several were discussed with him.) Those advisers at the top of his national-security pyramid—Susan Rice, the national security adviser; Rice’s deputy, Avril Haines, who was tasked with leading the “deputies process” to sort out the options; and Lisa Monaco, the homeland security adviser—all argued that while pushing back against the Russians was important, ensuring that the electoral process was secure was their first…
Jeh Johnson, the former Defense Department general counsel who was by then the secretary of homeland security, began making the case, in private and in public, that America’s election system was “critical infrastructure” and deserved special protection—the way the power grid did, or the Lincoln Memorial. It seemed a convincing argument: if the undergirding of American democracy, its ability to conduct free and fair elections, didn’t constitute “critical infrastructure,” what would? But when Johnson arranged a conference call with state election officials around the country, the disconnect was…
In Illinois, there was a deeper panic: the registration system was pierced and voter information siphoned off. The forensics suggested the hack was engineered by known Russian groups. Inside Johnson’s homeland-security headquarters, the cyber teams worried that once hackers got into a registration system, they could change Social Security numbers or delete voters from the rolls. “That’s all it would have taken to create chaos on Election Day,” one senior White House official told me. “You didn’t have to change much.” Few said so at the time, but months after the election Homeland Security said…
The fears, while rampant, were still based on conjecture: Russian hackers had essentially been caught scouting the systems, but not changing anything. And because none of the state officials had security clearances, Johnson’s phone call, from a vacation spot in the Adirondacks, was a failure. He had been prohibited from providing the state officials with any specifics. The classification rules—presumably intended to keep the Russians from learning that their activities were being watched—impeded Johnson’s ability to make his case. Once again, the reflexive assumption that all evidence of…
Obama’s first rule of foreign policy, described to my colleague Mark Landler and others on Air Force One during a trip to Asia, was straightforward: “Don’t do stupid shit.” (He made the reporters repeat it in unison.) As a caution, it wasn’t bad; a lot of the worst moves in American foreign policy in the previous two decades had begun with stupid-shit decisions.
As soon as they got into the session with twelve congressional leaders, led by Mitch McConnell, it went bad. “It devolved into a partisan debate,” Monaco later told me. “McConnell simply disbelieved what we were telling him.” He chastised the intelligence officials for buying into what he claimed was Obama administration spin, recalled one of the other senators present. Comey tried to make the point that Russia had engaged in this kind of activity before, but this time it was on a far broader scale. The argument made no difference. It became clear that McConnell would not sign on to any…
Only long after the election was over were officials willing to explain the full reason for the switched-off video and the secrecy. In fact, the president’s top advisers had received a detailed plan from the National Security Agency and Cyber Command about possible retaliatory strikes against Russia. Some would have fried the servers used to mount the Russian attacks against US targets; others would have put the Internet Research Agency out of action; still more were designed to embarrass Putin or make his money disappear. “It was strikingly detailed,” one former official said.
Theoretically, it was possible to get inside the software that was downloaded into the machines in advance of an election, but since every locality had a different ballot, and often a mix of voting hardware, it would be a complex operation to pull off. At the White House, the staff was clearly relieved. At least until Clapper spoke up. He warned that if the Russians truly wanted to escalate, they had another easy path: their implants were already deep inside the American electric grid. Forget hacking the voting machines; the most efficient way to turn Election Day into a chaotic,…
For all the publicity and media attention around Snowden, a dark if compelling character who could still command headlines from his exile in Russia, the Shadow Brokers were inflicting far more damage. Snowden released code words and PowerPoints describing what amounted to battle plans. The Shadow Brokers had their hands on actual code, the weapons themselves.
“People were stunned,” one former employee of the TAO said. “It was like working at Coca-Cola, and waking up to discover that someone had just put the secret formula on the Internet.”
The worst part was the fear that came from not knowing if the hemorrhaging had stopped. With their implants in foreign systems exposed, the NSA temporarily went dark. At a moment when the White House and the Pentagon were demanding more options on Russia and a stepped-up campaign against ISIS, the agency was busy building new tools because the old ones had been blown.
The Podesta emails dominated the airwaves in the last month of the campaign, but how they became public did not. And Obama decided that any sanctions against Russia should proceed only if it appeared that his warning to Putin—reiterated in a secret letter to the Russian leader that former members of the administration will not discuss—had done no good.
The White House also announced the closure of two Russian diplomatic properties, in Long Island and Maryland. What the administration did not say was that one of them was being used by the Russians to bore underground and tap into a major telephone trunk line that would presumably give them access to both phone conversations and electronic messaging—and perhaps another pathway into American computer networks. But overall it was, as one of Obama’s own aides said, “the perfect nineteenth-century response to a twenty-first-century problem.”
As a secret parting shot, Obama ordered that some code—easy to discover—be placed in Russian systems, a “Kilroy was here” message that was later spun by some as a time bomb left in Russian networks. If so, it was never armed. As a deterrent, it wasn’t much of a success. In fact, the Russians had largely won. As Michael Hayden, the former CIA and NSA director, said, it was “the most successful covert operation in history.”
More than two years later, with the benefit of hindsight, the sequence of missed signals and misjudgments that allowed Russia to interfere in an American election seems incomprehensible and unforgivable—and yet completely predictable for a nation that did not fully comprehend the many varieties of cyber conflict. Many of the initial mistakes were born of bureaucratic inertia and lack of imagination: The FBI fumbled the investigation, and the DNC’s staff was asleep at the wheel. That deadly combination allowed the Russian hackers complete freedom to rummage through the DNC’s files before the…