The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age

by David E. Sanger

If the Russians had struck at our election system in some more obvious way—poisoning candidates it opposed, for example, as it has poisoned dissidents—any president would have called them out and responded. Only because the gray zone of cyber conflict gave the Russians cover did Obama hesitate. By the time he responded, after the election, it was too late. We are likely to pay for that failure for years to come. As James Comey said of the Russians: “They will be back.” Some who look back now on the decisions made in the summer and fall of 2016—politicians and national-security staffers, intelligence officials and FBI agents, Russia specialists and journalists—have described the sequence of events as a massive intelligence failure. But it wasn’t a failure in the classic sense of the phrase. It didn’t launch America into a war on false pretenses, and it didn’t underestimate the progress of Russia’s nuclear program, or North Korea’s for that matter. Rather, it was a failure to confront how skillfully and creatively the Russians were using newly minted cyber skills around the world and how potent a weapon they could become in widening America’s political and social fault lines. In our fixation on the types of cyberattacks we thought we understood—against power grids or banks or nuclear centrifuges—we missed the turn toward manipulating voters.

But the Russian attacks exposed more than the Obama administration’s lack of a playbook for cyber conflict, despite years of ever-escalating, ever-more-ingenious attacks. Russia’s multifaceted, Gerasimov-inspired approach underscored the administration’s failure to anticipate that cyberattacks can be used to undermine more than banks, databases, and electrical grids—they can be used to fray the civic threads that hold together democracy itself.

When the executives reviewed the list of what they could no longer keep, they warned the EU representatives that this was just the kind of data—phone numbers and IP addresses—that had enabled them to help the police track down the Paris attackers. If they could not retain it, they could not help when the next attack happened. “They didn’t care,” one of the Facebook executives told me. “They said that’s a problem for the intelligence agencies, not the regulators. And the two clearly weren’t talking to each other.”

If there is one lesson that emerged from years of trying to find, follow, and disrupt terrorists, it is that the same countries that figured out how to destroy centrifuges from afar and disrupt power grids and missile systems were stymied by how to deal with what has come to be called “weaponized social media.”

Given the billions of dollars that governments spend to build offensive cyber forces, and the resources that technology companies devote to protecting their platforms from becoming digital havens for jihadis, it would seem easy to predict quick, satisfying victories in the cyber battle against bands of ill-funded terrorists. The reverse turns out to be true. “It’s the hardest fight we face,” one senior military official told me. Blow up a safe house in Pakistan or a missile base in Syria, and the result is rubble. Aim at the servers sending out beheading videos or recruiting messages, and the videos and messages just reappear elsewhere a few days later.

But while Washington was struggling to understand how to go on the offense against groups that were using social media as a way to organize attacks, Silicon Valley was still unable or unwilling to face the extent of the problem. For years the world’s most brilliant technologists convinced themselves that once they connected the world, a truer, global democracy would emerge. They rejoiced when Twitter and WhatsApp made the Arab Spring possible, and were convinced they had built the weapon that would tear down autocrats and beget new, more transparent democracies.

But the effects were fleeting; the videos started reappearing elsewhere. And the ISIS commanders had backup systems, and quickly switched networks, using servers spread out over three dozen or so countries. One senior official recalled that Cyber Command would show up “with PowerPoints about all the setbacks they had caused, but they couldn’t answer the simple question: ‘How much lasting effect did you have?’ ”

In contrast, the civilians working next door at the NSA spent years developing tools, learning the insides of Russian or North Korean or Iranian networks, and implanting their malware. Often they treated these “implants” like prized bonsais, to be watered, nurtured, and cared for. The culture of the NSA was far more risk-averse, and to them, Cyber Command offensive units were mostly interested in blowing things up, which exposed and rendered useless the implants the NSA had so carefully hidden.

Moreover, the early hopes that Cyber Command would prove to be the military’s new Special Operations Forces turned out to be more hype than reality. “They simply didn’t run at the tempo of Special Forces—they weren’t hitting foreign networks every night the way the Special Forces hit houses in Afghanistan,” said one senior official who was dealing with both the NSA and Cyber Command. “And so they didn’t have a lot of opportunity to learn from their mistakes.”

But that conference call was, essentially, the first time senior Facebook managers had to think like news editors, balancing their rules against history, artistic sensibility, and, most important, news judgment. It was the moment when they realized that no algorithm could do the job. When I said that to a senior official at the company, he grimaced and asked, “You think there will be more?”

It became an unwinnable game of digital whack-a-mole. As Lisa Monaco, Obama’s homeland security adviser, said, “We are not going to kill our way out of this conflict. And we are not going to delete our way out of it either.”

Nine days later Zuckerberg was in Peru, at a summit that President Obama was also attending. The president took him into a private room and made a direct appeal: He had to take the threat of disinformation more seriously, or it would come to haunt the company, and the country, in the next election. Zuckerberg pushed back, Obama’s aides later told me. Fake news was a problem, but there was no easy fix, and Facebook wasn’t in the business of checking every fact that got posted in the global town square. Both men left the meeting dissatisfied.

Before he became the Pentagon’s resident technology scout and venture capitalist in Silicon Valley, Raj Shah spent twelve years flying an F-16 around Afghanistan and Iraq. Much of that time he wondered why a $30 million aircraft had worse navigation systems than a Volkswagen. The mapping technology was so ancient that it did not, at a glance, show pilots how close they were to national borders, or the features of cities and towns below them. Worse yet, Shah told me one day as we walked around his Pentagon-created start-up—called DIUx for “Defense Innovation Unit, Experimental”—“I had no way of knowing if I was flying into Iran” by mistake, a potentially fatal error.

The urgency arose from the fact that the American coverage of North Korea from space was (and remains) terrible—the United States had eyes on the country less than 30 percent of the time. (The exact figure is classified.) William Perry, the former defense secretary, told me that if the North Koreans rolled out one of their new missiles, “there’s a good chance we’d never see it.”

But the second thing Brown learned was that the Chinese were essentially doing what DIUx was doing—investing in “early-stage” companies. They were just doing it on a far larger scale than the Pentagon had in mind. What made the strategy so brilliant was that the Chinese were flying in under the radar. When they bought an entire company, it triggered an official review in Washington, from a little-known, little-understood group called the Committee on Foreign Investment in the United States. It could recommend that the president block any sale on national-security grounds. And both Obama and Trump did so, several times.

The DIUx report’s findings, which began circulating confidentially around Washington in the spring of 2017, were astounding. They demonstrated that even while the Chinese were paring back on stealing the fruits of American industry—Obama’s agreement with Xi had begun to have some effect—they had found many perfectly legal ways to invest in it. A government that still gave lip service to communism had figured out venture capitalism—and concluded it was the shortest path to get the technologies the country needed.

The numbers that Brown and Singh gathered, all from public sources, told the story. China participated in more than 10 percent of all venture deals in 2015, the report found, focusing on early-stage innovations critical to both commercial and military uses: artificial intelligence, robotics, autonomous vehicles, virtual reality, financial technology, and gene-editing. When they broke down who was investing in US-based venture-backed companies between 2015 and 2017, American investors ranked first, with $59 billion in investment. Europe was second, with $36 billion. And China was right behind, with $24 billion.

Brown and Singh’s DIUx report was soon in the hands of Gen. Paul Selva, who held the vice chairman post at the Joint Chiefs of Staff, the job once occupied by James Cartwright. General Selva had encouraged the study and used it to sound the alarm inside the Pentagon. But the report arrived in the early days of the Trump presidency, and rather than serve as a call for the United States to think in Chinese terms about how best to invest in research and development—and how to integrate those investments with defense projects—the report became another excuse for Trump’s calls for protectionism. The Trump economic team somehow convinced itself that it could cut the Chinese off entirely from investing in sensitive new technologies in the United States—even while China held $1.2 trillion in US debt.

Yet in the United States, the divide is widening. The Cold War model, in which breakthroughs in American military technology and the space program flowed to the commercial sector, is gone forever. The reverse model—using the skills of Silicon Valley to create the next-generation weapons—has run headlong into political and cultural opposition. “Even if the US does have the best AI companies, it is not clear they are going to be involved in national security in a substantive way,” said Gregory Allen of the Center for a New American Security. The effects are already visible: the military edge the United States has grown accustomed to since World War II is eroding.

The post-Snowden opposition to cooperating with the military broke out anew in the early spring of 2018 on the Google campus, just blocks from the DIUx headquarters. News of Google’s plans to participate in “Project Maven,” a pilot Pentagon program that uses artificial intelligence techniques to process “wide area motion imagery” that detects moving vehicles and moving weapons systems, sparked an internal uprising. As word spread through the company, thousands of Google’s employees signed a letter that opened with this declaration: “We believe that Google should not be in the business of war.” The letter rejected the company’s assurances that its work was not helping the Pentagon “operate or fly drones” or launch weapons. Google employees rightly saw those assurances as a dodge—the project might not be aiding current weapons, but clearly the Pentagon intended for the results to be incorporated into future weapons.

At the core of these uprisings is a concept of corporate identity that is the complete reverse of the Cold War. Raytheon and General Dynamics flourished because they were part of an American defense establishment that armed the Western alliance. They were serving governments, not consumers, and so of course they willingly picked a side. Google and Microsoft do not share this view. Their customers are global, and the bulk of their revenue comes from outside the United States. They view themselves, understandably, as essentially neutral—loyal to the customer base first and individual governments second. Washington, in contrast, still views them as “American companies,” beneficiaries of American freedoms. In the Pentagon’s view, their expertise and technology should flow first to defend the nation that allowed them to form and flourish. These are two completely distinct worldviews, which, at least in peacetime, will never be aligned.

All told, Kim Jong-un ordered eight Musudan tests between mid-April and mid-October 2016. Seven failed, some spectacularly, before he ordered a full suspension of the effort. An 88 percent failure rate was unheard-of, especially for a proven design. The Musudan was based on a compact but long-range missile the Soviets had built in the 1960s for launching from submarines. Its small size but high power made it perfect for Kim’s new strategy: shipping missiles around the country on mobile launchers and storing them in mountain tunnels, where American satellites would have trouble finding them.

Kim and his scientists were highly aware of what the United States and Israel had done to the Iranian nuclear program, and they had tried to insulate themselves from the same kind of attack. But the high failure rate of the missiles forced the North Korean leader to reassess the possibility that someone—maybe the Americans, maybe the South Koreans—was sabotaging his system. By October 2016, reports emerged that Kim Jong-un had ordered an investigation into whether the United States had somehow incapacitated the electronic guts of the missiles, perhaps getting inside their electronics or their command-and-control systems. And there was always the possibility that an insider was involved, or even several.

It had been more than two years since Obama, alarmed by North Korea’s progress, had pressed the Pentagon in early 2014 to drastically accelerate the effort to bring down North Korea’s missiles—and turned again to cyber and electronic sabotage for the solution to geopolitical tensions. A lot had happened since then. The Sony attack had focused the administration’s attention on North Korea, but on its cyberattacks, not its missile program. The negotiations with Iran—which led to a deal in the summer of 2015 that shipped 97 percent of Iran’s nuclear fuel out of the country, setting back its efforts by a decade or more—consumed the attention of Washington’s nuclear experts. Russia emerged as a far greater aggressor, and China demonstrated, with surprising vigor, that it was in search of influence, economic dominance, and a military presence in places it had never before ventured. The emergence of Donald Trump made for captivating television as he transformed from a late-show punch line to an unstoppable candidate.

Through it all, Obama’s North Korea sabotage effort churned ahead, silently.

“You have to be cautious whenever the enthusiasts of cyberattacks come in and claim victory,” one former official advised me.

But as a matter of international law and geopolitics, “left of launch” was far more fraught. At its core was the idea that the United States was prepared to mount a strike against another nation in peacetime, getting inside their infrastructure to attack their missile and command-and-control systems before they could be used against the United States. Of course, if a president ordered such a strike in the traditional way—say, by sending bombers in to destroy a missile base in peacetime—it would likely trigger a war. The hope was that by turning to cyberweapons or other sabotage, the United States could slip in far more subtly, deny responsibility for whatever happened, and get away without being caught.

Todorov was getting at a critical point that has been periodically debated since President Bush, in 2002, declared that preemption was back as a central American principle for dealing with a hostile world. If the United States saw a missile on a North Korean launch pad being fueled, loaded with a warhead, and seemingly intended for American territory or that of an ally, it would likely be within its rights under international law to take out the missile on the pad. But “left of launch” suggested a different scenario: A preventive strike, the kind that one state executes against another in the absence of an imminent threat. Think Pearl Harbor, or of a strong state that strikes a weaker but rising competitor while it still can. That is largely forbidden by international law.

With cyberstrikes—invisible, deniable—the temptation to conduct preventive war may be higher than it has ever been before. Unsurprisingly, few government officials want to delve too deeply, at least in public, into how the laws of war apply to offensive cyber action. In private they debate these issues constantly. But as Robert Litt, the former general counsel to the director of national intelligence during the Obama years, put it to me one day: “There is no issue on which government lawyers have spent more time, to less productive effect, than on the question of how the laws of war apply to cyber.”

Digital warfare was new stuff for him; as the conversation went on, it wasn’t clear he had ever heard of the American cyber operations against Iran. His main interest was to demonstrate, on cyber and all other issues, that he would be tougher and more decisive than Barack Obama, even if he wasn’t quite certain what Obama had done in the cyber arena. He made an argument that, as with so many other things in Trump’s worldview, America was blowing its lead: We’re the ones that sort of were very much involved with the creation, but we’re so obsolete, we just seem to be toyed with by so many different countries, already. And we don’t know who’s doing what. We don’t know who’s got the power, who’s got that capability, some people say it’s China, some people say it’s Russia. But certainly cyber has to be a, you know, certainly cyber has to be in our thought process, very strongly in our thought process. Inconceivable that, inconceivable the power of cyber. But as you say, you can take out, you can take out, you can make countries nonfunctioning with a strong use of cyber. I don’t think we’re there. I don’t think we’re as advanced as other countries are, and I think you probably would agree with that. I don’t think we’re advanced, I think we’re going backwards in so many different ways. I think we’re going backwards with our military…we move forward with cyber, but other countries are moving forward at a much more rapid pace.

While I knew the Obama transition teams had left binders full of briefing materials on North Korea for the new administration, I suspected few people had the clearances—or the time—to go through them all. Flynn, the former director of the Defense Intelligence Agency, was probably the one most current on the North Korean threat. But not only had he just been fired, his handpicked aides—derisively called “The Flynnstones”—were gradually being eased out.

But as I began to describe to McFarland what we had learned about the “left of launch” program, and how it was being used against North Korea, I could see by the look on her face that it seemed to be the first she had heard of it. That was surprising: If there was anything that the new national-security team needed to get up to speed on quickly, it was the full range of American efforts to defang the North Korean threat. Perhaps she was just a good poker player, but the discussion did not suggest the new administration had a full grasp of what it was about to face.

Well, this inspkres confidence…

Trump’s tweet crystallized how his obsessions, and the chaos of the transition in the first six weeks of the new presidency, had prevented the new administration from focusing on what Obama had warned was the central national-security threat the nation faced. They had been left hundreds of pages of briefing materials about North Korea, but it appears little of it was absorbed. The questions swirling around the success or failure of the primary covert program to thwart the missile launches had not been fully engaged by McFarland, who was ousted in a few weeks, and they were entirely new to McMaster, who lasted just a bit more than a year.

It seemed inevitable that Trump would soon face the same challenge his predecessors did: how to deal with North Korea without prompting a broader war. He would confront issues that had been long debated in the Situation Room: whether to order the escalation of the Pentagon’s cyber- and electronic-warfare effort, crack down again on trade with crushing economic sanctions, open negotiations with the North to freeze its nuclear and missile programs, or prepare for direct missile strikes on its nuclear and missile sites. It seemed clear to me that, still lacking a strategy, Trump’s answer would likely be to attempt all four.

As a top cybersecurity official for one of the behemoths of Silicon Valley put it to me, “If there was a ‘most improved’ award for states looking to weaponize the Internet, the North Koreans would win it. Hands down.”

“Cyber is a tailor-made instrument of power for them,” Chris Inglis, a former deputy director of the National Security Agency, told me. “There’s a low cost of entry, it’s largely asymmetrical, there’s some degree of anonymity and stealth in its use. It can hold large swaths of nation-state infrastructure and private-sector infrastructure at risk. It’s a source of income.”

Today the North may be the first state to use cybercrime to finance its state operations.

It is unclear how long the North Korean hacking team spent planning what the United States later charged was an “indiscriminate” attack on hundreds of thousands of computers, many in hospitals and schools. But it is clear how the hackers got inside: with some vulnerabilities in Microsoft software stolen from the NSA by the Shadow Brokers group. It was the ultimate cascading crime: the NSA lost its weapons; the North Koreans shot them back.

In this case, the hacking tool stolen from the NSA went by the name “Eternal Blue.” It was a standard piece of the TAO’s toolbox because it exploited a vulnerability in Microsoft Windows servers—an operating system so widely used that it allowed the malware to spread across millions of computer networks. No one had seen anything like it in nearly a decade, since a computer worm called “Conficker” went wild.

WannaCry, like the Russian attacks on the Ukraine power grid in the previous two years, was among a new generation of attacks that put civilians in the crosshairs. In that regard, it is akin to terrorism. “If you are wondering why you’re getting hacked—or attempted-hacked—with greater frequency,” said Jared Cohen, the former State Department official who now runs Alphabet’s Jigsaw, a part of the Google parent company, which has done pioneering work in how to make people safer on the Internet, “it is because you are getting hit with the digital equivalent of shrapnel in an escalating state-against-state war, way out there in cyberspace.”

While the US government says that it reports to industry more than 90 percent of the software flaws it discovers, so that they can be fixed, “Eternal Blue” was clearly part of the 10 percent it held on to in order to bolster American firepower. Microsoft never heard about the vulnerability until after the weapon based on it was stolen. Yet the US government acted as if it bore no responsibility for the devastating cyberattack. When I asked Bossert, and his deputy, Rob Joyce, who ran the TAO and clearly knew something of what happened to these pilfered weapons, they argued that the fault was entirely with those who used the weapons—not with those who lost control of them. It was a mystifying argument: if someone fails to lock up their guns, and a weapon stolen from their house is used in a school shooting, the gun owner has at least some moral or legal liability.

The harder question over the next decade will be whether reaching for such weapons with increasing frequency will continue to be a wise choice. By going into the North’s missile systems, the United States set a precedent, just as we did with Olympic Games, that other nations will surely follow. While we talk publicly about setting norms for what should be off-limits for offensive cyber activity—hospitals, emergency responders, and now election systems—we are seen around the world as hypocrites. Every time the United States reaches into another nation’s critical infrastructure, we make our own fair game for retaliation.

Yep

When his successor, General Nakasone, conceded in his confirmation hearing four years later that “they don’t fear us,” he was admitting that after spending billions of dollars on new defenses and new offensive weapons, the United States has still failed to create a deterrent against cyberattacks. Perhaps that is understandable. In the Cold War, nuclear deterrence did not emerge instantly. It took years of collaboration between technologists, strategists, generals, and politicians. It involved a very public debate, which the United States seems unwilling to conduct in the cyber realm—for fear of revealing our capabilities, or having to surrender some of them.

The implications of having our own command-and-control system compromised underscore why sabotaging similar systems in other nations is dangerous business. If American leaders—or Russian leaders—feared their missiles might not lift off when someone hit the button, or that they were programmed to go off-course, it could easily undermine the system of deterrence that has helped reduce the likelihood of nuclear war for the past several decades. It could also encourage countries to build more missiles—as an insurance policy—and perhaps to launch them earlier.

There are simply too many vital networks, growing too quickly, to mount a convincing defense. Offense is still wildly outpacing defense. As Bruce Schneier, a cyber expert whose work is a must-read on the topic, put it so well: “We are getting better. But we are getting worse faster.” Schneier’s point is that even as we build far greater defenses, our vulnerabilities are expanding dramatically.

It was an instinct born of more than a decade of counterterrorism operations, where the United States learned that the best way to take on al Qaeda or ISIS was by destroying them at their bases and in their living rooms. But in cyber it amounts to an admission that our defenses at home are wildly insufficient and that the only way to win is to respond to every perceived threat. As with many of Trump’s new strategies, taken to its logical extreme this approach carries enormous risks of miscalculation and escalation. To pull it off, the United States would have to scrap the requirement that the president authorize every destructive cyberattack. Cyber operations would begin to look more like evening raids conducted by Special Operations Forces. The problem is that when other countries adopt the same strategy, as inevitably they will, the chances rise dramatically that cyberattacks will accelerate and could trigger a shooting war, or worse.

The first step is to recognize the folly of going on offense unless we have a good defense. We would be lucky to seal up three-quarters of the glaring vulnerabilities in American networks today. But the best way to deter attack—and counterattack—is deterrence by denial. That requires a major national effort, far beyond the civil defense projects of the 1950s when the United States built a highway system that could evacuate civilians and dug shelters in large cities. A parallel effort to secure America’s cyber infrastructure has often been discussed, but it has never happened. It is complicated by the fact that the main targets of attack are in private hands.

Given the complexity of the Internet, the government can’t regulate how banks, telecom firms, gas pipeline companies, and Google and Facebook design their cybersecurity. Every one of those systems is radically different.

As Michael Sulmeyer, a former Pentagon official now running a Harvard cyber initiative, has observed, “When it comes to cyberspace…the United States has more to lose than its adversaries because it has gone further in embracing innovation and connectivity without security. But although the societies and infrastructure of Washington’s adversaries are less connected and vulnerable, their methods of hacking can still be disrupted….

And as in everything else in global affairs, red lines matter. So when trolls from the Internet Research Agency began bombarding the United States with fake news from fake accounts—with the intent of meddling in an American election—they needed to be delisted from Facebook. (That happened, but not until well after the election.) If the agency remained undeterred, its servers needed to be melted down, courtesy of our cyberweapons. The servers would be replaced, of course, perhaps quickly. But the message would be sent, and the Russians would know that the United States was able and willing to respond.

Would escalate quickly